Hi fellow reader! *I'm still not used to writing 2011 yet!*
I know I haven't posted anything for a while until now. Life was/is busy, and what free time I had, was limited to other things. Anyway. I'm back (for now at least!).
During my “silent” period, I have still been active script wise as I've been working on “wiffy” and recently started work on “evilGrade” so expect an update soon! Afterwards I plan to complete “SITM” (Script In The Middle), and “wordlists” (After which I'll push out some new dictionaries/wordlists).
Video wise, I've had a few ideas and some people have given me suggestions – so over the next couple of weeks I'll be working on recording/editing them!
Anyway, to kick start this year I'm going to share:
> Script: “wiffy v0.2” – this is what has been done so far... (Any feedback would be welcomed!)
> Video: First of a series about using metasploit and attacking different OSs
> Update: Fixed De-ICE (Level 1 - Disk 1 & Level 1 - Disk 2) as I got confused with the numbering when creating them.
Over the last year I keep getting asked a "few" common questions, so I'm going to answer most of them, here and now.
[Q] Something along the lines of “path/file can't be found: /root/tools/wordlists/g0tmi1k.lst”.
[A] This is a VERY SMALL wordlist (7-10 words) which I made so I didn't have to wait for a larger wordlist to process.
[Q] Fine. Where can I get my own wordlists from then?
[A] If you're using backtrack, depending on your version you can find a collection of them here: /pentest/passwords/wordlists
A quick search on the BackTrack forums found threads by -=Xploitz=- & Huegel.
Due to the size to which wordlists can grow, torrents are a popular method of sharing them: Example 1, Example 2, Example 3 and Example 4
[Q] I waited "xyz" hours; my wordlists didn't work for me. Where can I find new ones?
[A] Instead of using “general” wordlists, you can create “custom” wordlists. Check pauldotcom to understand more.
A different spin on it all is to use Wikipedia to generate your lists, click here for more details.
[Q] Okay, I found some files (e.g. wordlists) which I want to use in backtrack. How do I get them in there?
[A] It depends on your setup. Are you using a live version of backtrack from DVD/USB? Are you using persistent changes via HDD, USB or VM?
If it's a live version, when you power off backtrack you will lose every change that you made, so you will need to store the file(s) outside of the OS. For example, copy the files to USB or burn them to DVD.
If it's persistent, you'll need to make sure you have space to save them! Getting the files onto the OS could be done by transferring them over SSH (start-network ; dhclient eth0 ; setup-sshd), or why not create/download them while you're using backtrack?!
[Q] Is there a faster way to capture the WPA handshake, as I waited "xyz" hours?
[A] First off, check that your setup is working correctly; check aircrack-ng and drivers are functioning as they should be.
If connected client(s) are visible then try a “deauthentication” attack (either to each client and/or broadcast), else wait for a new client to connect.
If you can see clients are connected and deauthing isn't working then:
> Move closer
> Improve your signal by purchasing a better/stronger WiFi card and/or antenna (For example, ALFA Networks have a USB series which ranges from “AWUS036H 500mW” to “AWUS036NH 2000mW”)
> Check you are using the same mode as the AP (A, B, G or N etc.)
You need to transmit enough power so that the packets reach and are heard by the clients. If there isn't an “ack” packet received back then chances are the client didn't receive the deauth packet.
If there isn't a connected client there isn't much you can do! You can't “FakeAuth” like with WEP, so either wait for someone else to connect or turn on a device yourself.
[Q] I've got the WPA handshake and I've waited "xyz" hours for my "abc" GB wordlist but that didn't work. What can I do next?
[A] Check here or here. I'm not saying they WILL crack it – but they will do a good job at trying to.
[Q] I've got the WPA handshake and don't want to wait "xyz" hours. Is there a quicker way?
[A] See above
[Q] I've got the WPA handshake don't want to wait "xyz" hours AND I don't want to pay.
[A] Then you need to either download or pre-calculate rainbow tables for THAT SSID. You can't use rainbow tables for “SSID_A” with “SSID_B”. However, it's going to take time to search for and download a pre-done table, or time to create the rainbow table yourself.
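Why the tables are tied to one SSID: WPA/WPA2-Personal derives the PMK from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, so the same passphrase gives a different PMK on every network name. The following is an added example (not code from the original post or from wiffy) that shows this with the standard library; the wordlist and SSIDs are constructed sample values. The "rainbow tables" the post talks about (genpmk/airolib-ng style) are really PMK lookup tables of exactly this kind, and the defensive takeaway is that a unique SSID forces anyone to compute a fresh table, while a common default SSID lets a pre-built one be reused.

```python
import hashlib

# WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)
# (IEEE 802.11i). Because the SSID is the salt, a precomputed table only answers for that SSID.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def build_pmk_table(wordlist, ssid):
    """Precompute PMK -> passphrase for ONE SSID; this is what a per-SSID table holds."""
    return {wpa_pmk(word, ssid): word for word in wordlist}

def lookup_passphrase(table, pmk):
    """Return the passphrase behind a PMK, or None when this table cannot answer."""
    return table.get(pmk)

# Constructed sample data: a tiny wordlist and two networks that share a passphrase.
SAMPLE_WORDLIST = ["password", "letmein", "sunshine1", "correcthorse"]
SSID_A = "HomeNet"
SSID_B = "OfficeNet"

def demo():
    table_a = build_pmk_table(SAMPLE_WORDLIST, SSID_A)
    # Network A: the PMK derived for its own SSID is found in its own table.
    hit = lookup_passphrase(table_a, wpa_pmk("sunshine1", SSID_A))
    # Network B uses the very same passphrase, but SSID_A's table cannot find it.
    miss = lookup_passphrase(table_a, wpa_pmk("sunshine1", SSID_B))
    return hit, miss

if __name__ == "__main__":
    print(demo())
```

The first assertion in the accompanying check uses the public IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), which is a handy way to confirm any PMK implementation before trusting a table built with it.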
[Q] Okay, I've cracked the WiFi now what?
[A] If you're asking this, it sounds a little “fishy” to me.
I would like to point out: I do not support, condone, endorse, nor promote ANY illegal services. So, what do you have permission to do?
[Q] How do I connect to a WiFi network without them knowing?
[A] See above
[Q] Can you please hack "xyz" for me?
[A] See above
[Q] Can I MITM "xyz" computers / Why is it slow for my target when I MITM?
[A] If you are on the same subnet as the target then yes, you can ARP poison them.
If the target's network speed is slow/doesn't work after doing an ARP attack, it's because of a "bottleneck effect": all the traffic is being routed through the attacker's PC, which is unable to handle all of the data being passed through it.
There are other methods and I do plan to cover those methods, but until then, see here.
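The ARP poisoning described above is also easy to spot from the defender's side, because the attacker has to keep claiming the gateway's IP with their own MAC. Below is an added example (not part of the original post) of the two checks a passive monitor would run over captured ARP replies: an IP that changes owner, and one MAC that claims several IPs. The reply list is constructed sample data; a real monitor would feed it from a sniffer.

```python
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) pairs from ARP replies seen on a LAN.
# 192.168.1.1 is the real gateway at 00:11:22:33:44:55; the last two entries show
# a second MAC claiming both the gateway's IP and a host's IP, which is how
# ARP poisoning looks on the wire.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:55"),
    ("192.168.1.10", "aa:bb:cc:dd:ee:01"),
    ("192.168.1.20", "aa:bb:cc:dd:ee:02"),
    ("192.168.1.1",  "00:11:22:33:44:55"),
    ("192.168.1.1",  "DE:AD:BE:EF:00:01"),  # gateway IP now also claimed by this MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC also claims a host IP
]

def find_ip_conflicts(replies):
    """Return (ip, first_mac, new_mac) for every IP that a second MAC starts claiming."""
    macs_for_ip = defaultdict(list)   # ip -> distinct MACs in order of first sighting
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()             # normalise case so DE:AD and de:ad compare equal
        if mac not in macs_for_ip[ip]:
            if macs_for_ip[ip]:
                alerts.append((ip, macs_for_ip[ip][0], mac))
            macs_for_ip[ip].append(mac)
    return alerts

def find_multi_ip_macs(replies, threshold=2):
    """Return MACs claiming `threshold` or more IPs; a poisoner impersonates both ends."""
    ips_for_mac = defaultdict(set)
    for ip, mac in replies:
        ips_for_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_for_mac.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for ip, old, new in find_ip_conflicts(SAMPLE_ARP_REPLIES):
        print(f"ALERT {ip} moved from {old} to {new}")
    print(find_multi_ip_macs(SAMPLE_ARP_REPLIES))
```

Static ARP entries for the gateway, or switch-side dynamic ARP inspection where the hardware supports it, are the usual mitigations once such a conflict is confirmed.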
[Q] Your videos are too fast. - Okay, it's not really a question - but people do comment on it!
[A] These videos are demonstrative NOT tutorial videos, meaning that they are “proof” of the attack NOT a “step-by-step-guide-how-to-tutorial”. The reasoning is that most people don't want to watch me type out commands – that’s not fun! Watching an attack happen, well, personally I find that slightly more interesting!
I would like to point out that you can find all the commands that I use in the post that matches the video, as well as download links for the video – so you can download an offline copy if you need to, which you can then pause.
[Q] How do you create/edit your videos?
[A] I record and edit all my videos using Camtasia.
Personally I've found version 6 buggy, however version 7 is A LOT better with a lot of extra features. It's worth the money.
Because it's a "Windows/Mac only" piece of software (and I couldn't get WINE to work with it), I run the attacker and its target(s) in a virtual machine, VirtualBox.
[Q] Do you know of any software that is free/works on linux?
[A] No. Otherwise I would be using it myself. (=
If you know of any, please let me know.
[Q] What’s that song in "xyz" video?
[A] At the end of each of the videos, it will say. In case you missed it there, it's also at the bottom of each post.
...and before you ask "Can you send me it?" No.
<rant> I've been made aware that my work is being spread around – which I haven't got an issue with... HOWEVER! What I do have a problem with, is that I've seen people using my (badly) coded scripts/Videos – removed my name – and posting it as their own.
I'm not going to name names, or link to them as that would just promote them ripping me off...Now... I don't mind people using my work, or even using it in their projects – but people claiming what I spend time working on as theirs – just isn't fair. </rant>
If you're crazy enough to like what I'm putting out, you can find my stuff here, on the BackTrack-Linux forum, Blip.TV and GoogleCode. Other than that, anywhere else is a mirror copy of my work (=
If you are wanting to ask a question or three, either reply in the comments, catch me on IRC (irc.freenode.net), PM me on the backtrack forum or twitter me – As always, with the username of “g0tmi1k”.
~g0tmi1k
Welcome back!
Glad you're back!
welcome back mate and we will help you to finish your script.
Just keep going!
welcome back :) i love this blog i had to thank you.. Peace from france
Yo g0tmi1k - like your work man - drop me a mail sometime - d3m0n35 - http://defensive-attack-formation.net
YEAH welcome back, little typo tho:
Script: “wiffy v0.2” – this is what has been done so far... (Any feedback would be welcomed!)
THIS is the same link as wify v0.2!
@Casey & @madis & @vmicovic & @Sineffect & @1of.d3m.0n35 & @Nivong
Thanks for the warm welcome back guys. It is appreciated. (=
I have got a few things planned, which I plan to start next week!
@vmicovic
Thanks for the offer!
@1of.d3m.0n35
Nice looking blog!
@Nivong
Thanks for pointing it out. Been fixed ;)
hey g0tm1lk !! You did a genius work with that wiffy script... it works pretty good =)! Could you please give me some words about karma ?? What does it do exactly ?? I'm pretty newbish =( !
hello g0tm1lk,
Dirty filthy linux and backtrack newbie, at the age of 40 can you believe. Loving the blogs, really cool. Question for you: I'm busy trying to hack away at my AP and thought I'd try your wiffy 0.2 bash script. I downloaded it to USB which I then mount in BT4r2. When I run the script it doesn't actually crack the WPA password even with it in the wordlist and I noticed an error (in red) "Something went wrong [6]". Not that experienced in these types of script but I went into debug mode and broke it down and it seems the failure is when the script moves the .cap file from the /tmp area to the /cap area. I tried this manually and get an error "cannot move to a subdirectory of itself". Any ideas why?
ah ok, strange looks like if may be file name related if I manually do a mv -f "/mnt/usbstuff/tmp/wiffy-01.cap" "/mnt/usbstuff/cap/wiffy-01.cap" all works fine. Maybe something wrong with the name generated by the script? name was - "WPA--.cap"...?
ok, sorry for the blog spamming - changed pathCap so = "$capFolder/wiffy-01.cap" removing $command.cap and now working! :D nice!
I've found what seem to be bugs in the 0.2 BETA. Overall it seems to be running great but I am getting a strange error. When attempting to run a WEP crack I've noticed FakeAuth not working as intended. Here is the output from the shell.
grep: such: No such file or directory
grep: BSSID: No such file or directory
grep: available": No such file or directory
grep: "/root/tmp/wiffy.tmp": No such file or directory
grep: is: No such file or directory
grep: on: No such file or directory
grep: channel": No such file or directory
grep: "/root/tmp/wiffy.tmp": No such file or directory
grep: successful": No such file or directory
grep: "/root/tmp/wiffy.tmp": No such file or directory
I'm sure this is a minor bug and something that can be fixed easily. I've attempted to fix it myself without much success. Just thought I'd let you know.
Another bug I am having is when attempting to auto crack networks. I told wiffy to hack all WEP networks in range and it works just fine. Gathers all the info and soon gets the keys one by one. However, after examining the Keys.txt file I only get a key for one network listed 3 times. (3 networks in my test area.) I looked a little closer and it seems wiffy is running the same .cap file each time it collects enough data even if it has moved onto the next network on the list. Thanks again for the great script and keep up the good work.
first i want to say Welcome back and second Thanks a lot to g0tmi1k for these Cut Answers and Great Job :) i have one question. Would you please teach me how I can make my own Rainbow table and use it with coWPatty ?
Thanks Bro .
Hi G0tm1lk, loving the blogs, vids and scripts, keep up the great work... Just a couple of ideas and stuff about wiffy.sh which I love btw!!! As well as the issues I originally had posted above I also wondered a couple of things. It seems when it runs through doing the aircrack with the wordlists for wpa and you get a % complete on the dictionaries, I never have one run through to 100%, they seem to drop out before at various stages (different stages probably due to size??). Other thing I've done to my copy is to create a BAK folder that doesn't clear down after the crack attempt so I can go back after and try different dictionaries against it, thoughts? On another note when I try and use airolib-ng I can't get any of my dictionaries to load in the DB, any ideas why? I use BackTrack R2..
Thanks fella, loving your work :D
Bob
Great work. Pretty serious work has gone into Wiffy, so hats off!
One request/suggestion. Pyrit support is great (especially considering I have a fairly extensive database already), but I think a few more options might be beneficial. As of this beta#5, we have wordlist or bruteforce via crunch, both running through passthrough. It would be nice to have the option(s) to either use the database we already have built up (attack_db) or to attack while batching a new essid (attack_batch). Obviously, this is only really for people with lots of space for tables, but it might extend the functionality a bit!
Thanks again
@Christian
Thanks for the thanks.
Karma works by creating a fake access point, to which you “social engineer” your target into connecting. Once the target connects to it, karma then "interacts" with every service they try and use!
For example: DNS, POP3, IMAP and HTTP servers.
> DNS lookups
> Collecting cookie information - Comes with a load of "default populate sites"
> Password hashes - can lead to revealing the actual password or a meterpreter session!
It's worth reading:
http://www.metasploit.com/redmine/projects/framework/wiki/Karmetasploit
http://www.offensive-security.com/metasploit-unleashed/Karmetasploit
@bobmclane
You can never be too old to move to linux ;)
Thanks for the thanks and also for trying out wiffy. HUGE thanks for the feedback on it too.
Yes, you're right about the error. "Error code: [6]" is when it should start cracking, however it is unable to find the CAP file (for some reason).
After looking through your post - it looks like it didn't detect the SSID for some reason (What was the SSID called?).
I'm glad you found out how to hack it to make it work - well done!
I'm gonna start playing around with it again, so I can see if I can patch in a fix. If you could answer a few things, it would help out:
What version are you using? Beta 5 is the latest. Please note, it still is beta and I haven't tried running it yet from USB (Live or Persistent). Saying that, I'm not sure why either of those should be an issue...
Have you changed any of the default settings?
What command line are you using?
Could you share the output (upload it to pastebin and post the link?)
@Keaton
Thanks for the feedback. I've found a fix for the grep issues and already patched it into beta #6. =)
*From what I remember, it was due to a stupid typo - missing a \" somewhere....*
Arrr! I wasn't aware of the "auto-crack-wep wiffy.key" problem. I'm gonna look into that ASAP. BIG THANKS! =)
@Mary
Thanks for the warm welcome! Sorry for this delay tho! =P
I've done a video and blog post on that subject - creating rainbow tables. It covers both aircrack-ng and cowpatty (and compares results)
http://g0tmi1k.blogspot.com/2010/02/video-cracking-wifi-wpawpa2-aircrack-ng.html
@bobmclane
I've also had issues with the benchmarking. Not fully sure why it's not functioning correctly. I will bump it up my todo list tho =)
I don't fully understand your "BAK" idea. Wiffy, at the mo, already keeps all "caps" in the "cap" folder, if you have it enabled. Therefore you can run your wordlists on them from there.
Regarding "airolib-ng", it's used to create rainbow tables. Wiffy doesn't yet support using rainbow tables. However it can create them. (It's also on the todo list!)
@xprimnt
Thanks for the thanks!
Yes, I do plan to add more features and options to it. However, at the mo, I'm trying to sort out the bugs in what's currently there, before expanding it.
I'm planning to add Rainbow table support in the next release (which I believe is your "attack_db").
I don't fully understand your "attack_batch", do you mean to create the rainbow tables then attack afterwards?
Any more ideas would be welcomed too!
Welcome Back ;)
You mentioned 0.2 BETA #6 but when I try to do the automatic update feature it says BETA #5 is the most recent version. Is this correct?
@Keaton
Yes, beta #6 isn't ready to see the light of day... yet.
I just haven't had the time to complete it. =(
very good work gotmilk i am impressed with this script and how much time it can save...
just one thing though, in xterm it is showing "tee invalid argument" during the Deauth command on wep/wpa crack, is that normal?
thxxxx a lot man good work i really like all the things you make and all your videos ,, can you add the filter -a option to the new update of wiffy thanks again
hi g0tmilk how are you man
wiffy doesn't work in bt5 ... I'm still using bt4, it's better for me. Is there any update for wiffy?
these are some ideas, maybe you will find something good in them for the new update
in wiffy v2 the scan is for all channels, can you make an option like choose channel or all channels
and when i attack WEP and i want to stop the attack, the scan will start again; maybe if you add an option like C stop, N next attack, B back to menu, E Exit, plus -a the filter
thxxx a lot, waiting till you're back, i hope you have a great life, always thanks for the job, it's helping me a lot, keep going
@eskim
Thanks for the thanks!
Cheers for the heads up - I'll have a look into it when I start scripting again.
*For the record, no - that isn't normal!*
What settings are you using? The default? And what version?
@SiLeNt
Thanks for the thanks!
It already has an update feature - I believe it's "-u". You should be able to check by doing "bash wiffy.sh -h"
@SiLeNt
I've only *just* moved to backtrack 5 last weekend - I haven't had the time yet to test any of my scripts on it.
I'm sure things will be broken and updates will be needed! It's going to have to wait tho as I've got a bit on my plate at the mo - and I'm wanting to do videos before I get back into scripts.
Regarding the ideas:
> I like the idea of "scan specific channels" or "All channels" <- I'll try and add that in the next release
> There was an option at one stage that allowed you to skip this WEP attack method, however it was removed due to a few bugs. I was planning to add it back in - but a few things need to be improved before this. I was aiming/hoping to do this for wiffy 3.
> The update feature - this is already added! *See first comment*
Thanks for the thanks! =)
Congratulations g0tmi1k, continue. Some novice Brazilian hackers thank you.
Now I wanted to know if you have a video that shows an attack with "screen shot" on a PC.
do you have?
hug.
in bt5 it tries to install macchanger when it's already installed and it errors out
@sol_@
Thanks for the thanks =)
I haven't done one... yet ;)
@bob
BackTrack 5 does have macchanger, however it is in a different location now, which is why a few of my scripts currently have error messages. I haven't yet updated them.
Open the script with an editor like Kwrite and change the location for macchanger.
It should be on lines 447 and 481 if edited with Kwrite.
You have to change the location from /usr/bin/macchanger to /usr/local/bin/macchanger.
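The underlying problem in the exchange above is a hard-coded tool path, which breaks as soon as a distribution moves a binary (here /usr/bin/macchanger vs /usr/local/bin/macchanger). The following added example (not code from the original post or from wiffy) shows the more robust pattern: resolve each required tool once, searching PATH first and then a list of known fallback directories, and refuse to start if a tool is genuinely missing instead of trying to re-install it. The `find_tool` and `check_requirements` names, and the fallback directory list, are this example's own choices.

```python
import os
import shutil

# Directories to try when a tool is not on PATH; the two macchanger locations
# mentioned in the comments are covered by this list.
DEFAULT_FALLBACK_DIRS = ["/usr/bin", "/usr/local/bin", "/usr/sbin", "/sbin", "/bin"]

def find_tool(name, fallback_dirs=DEFAULT_FALLBACK_DIRS, use_path=True):
    """Return the absolute path of an executable `name`, or None if it cannot be found.

    PATH is consulted first (shutil.which), then each fallback directory, so a script
    keeps working when a distribution relocates a binary.
    """
    if use_path:
        found = shutil.which(name)
        if found:
            return os.path.abspath(found)
    for directory in fallback_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def check_requirements(tools, **kwargs):
    """Resolve every tool in `tools`; return (resolved_paths, missing_names).

    A caller should bail out when `missing` is non-empty rather than guessing paths
    or attempting an install it may not have permission for.
    """
    resolved, missing = {}, []
    for tool in tools:
        path = find_tool(tool, **kwargs)
        if path is None:
            missing.append(tool)
        else:
            resolved[tool] = path
    return resolved, missing

if __name__ == "__main__":
    # 'sh' exists on any POSIX system; the second name is a constructed one that does not.
    paths, missing = check_requirements(["sh", "no_such_tool_xyz_123"])
    print("resolved:", paths)
    print("missing:", missing)
```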
Hi to all, I am using Backtrack4 as a Boot USB. I want to attack a Facebook account, however my penetration engineering tools do not work in this environment. Is there any file such as Wiffy.sh which could work in the shell environment as an engineering tool?
I would be very grateful if anybody can help me in this regard.