Showing posts with label Internet.

Tuesday, December 20, 2011

To build wget.exe with MinGW

wget is a useful command-line downloader. To build wget for the Windows platform, first install MinGW. Then, compile zlib, openssl and wget in that order. To compile zlib:



make -f win32/Makefile.gcc
cp -iv zlib1.dll /mingw/bin
cp -iv zconf.h zlib.h /mingw/include
cp -iv libz.a /mingw/lib
cp -iv libz.dll.a /mingw/lib


To compile openssl:



./Configure -DHAVE_STRUCT_TIMESPEC -DPTW32_STATIC_LIB -L/mingw/lib -lz -lpthreadGC2 -lws2_32 --prefix=/mingw threads zlib mingw
make
make test
make install


Now, build wget:



./configure --prefix=/mingw --enable-threads=win32 --disable-nls --with-ssl=openssl
make
make install

Friday, April 24, 2009

Free Online Vietnamese Dictionary

Vietnamese is one of the foreign languages that I would like to study. I searched for a good online Vietnamese dictionary using Yahoo! search. The following are the sites I found to be good Vietnamese dictionaries:




  1. vndic.org
  2. Tu Dien Online
  3. Tu Dien Tim Nhanh
  4. KOBE Online Dictionary
  5. Tu Dien

Thursday, January 8, 2009

Knowledge Is Power.

Knowledge is power. Accumulating significant knowledge expands our understanding of the solutions to our problems and enables us to achieve our goals more effectively. Therefore, gathering significant knowledge and establishing a streamlined information system deserve top priority, in order to strengthen our intellectual resources and better design our tactics.


Today, a vast expanse of knowledge is easily accessible on the Internet. Such knowledge includes not only information of academic importance but also facts of tactical significance. It would be highly rewarding to collect this vast and valuable information available on the open Internet and store it in a logical, organized and systematic manner.


Indeed, it takes great skill to find and collect valuable information on the Internet. It is equally important to learn the art of Internet search. We can use various Internet search engines or browse many social bookmarking sites to find what we want to learn. We can also use Internet encyclopedias such as Wikipedia.


However, knowledge should be distinguished from wisdom. Knowledge mostly refers to factual information. It takes critical thinking and wise decisions to make good use of such knowledge. Wisdom refers to the skill of making good use of available knowledge. Therefore, it is highly valuable to attain wisdom along with knowledge.

Sunday, January 4, 2009

Hacking WEP with Backtrack 3

Today, we commonly find wireless networks around us. Most wireless networks are encrypted using the WEP or WPA encryption methods. I covered the dictionary attack on WPA networks in a previous post. Compared to WPA, WEP has a weak mechanism and is easy to crack.


Theory


When it was designed, WEP, short for Wired Equivalent Privacy, was believed to be secure. However, a weakness in the way WEP uses the per-packet initialization vector (IV) makes it possible to recover the key once enough IVs have been collected. This tutorial takes advantage of that weakness in the initialization vectors of wireless packets to crack WEP. Note that a problem may arise when there are multiple keys in use instead of just one.
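Why "enough IVs" amounts to only a few thousand frames, as an added example that is not part of the original post: WEP's IV is only 24 bits, so the birthday bound says a repeated IV (and with it a reused RC4 keystream) becomes likely after a few thousand frames, and a station that picks IVs sequentially must wrap around after 2^24 frames. The 500 frames/s rate used in the demo is an assumed figure, not a value from the post.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to the 40- or 104-bit key
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IV values


def iv_collision_probability(frames, space=IV_SPACE):
    """Probability that at least two of `frames` randomly chosen IVs are equal.
    Uses the standard birthday approximation 1 - exp(-n(n-1) / 2N)."""
    if frames > space:
        return 1.0               # pigeonhole: more frames than IVs guarantees a repeat
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_collision_probability(p, space=IV_SPACE):
    """Smallest number of frames at which an IV repeat has probability >= p,
    obtained by solving n(n-1) = -2N ln(1-p) for n."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    target = -2.0 * space * math.log(1.0 - p)
    n = (1.0 + math.sqrt(1.0 + 4.0 * target)) / 2.0
    return math.ceil(n)


def seconds_to_exhaust_iv_space(frames_per_second, space=IV_SPACE):
    """Time until a sender that chooses IVs sequentially has used every value
    and must start repeating them (assumes a constant frame rate)."""
    if frames_per_second <= 0:
        raise ValueError("frame rate must be positive")
    return space / frames_per_second


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE} values")
    print(f"50% chance of a repeated IV after {frames_for_collision_probability(0.5)} frames")
    print(f"99% chance of a repeated IV after {frames_for_collision_probability(0.99)} frames")
    hours = seconds_to_exhaust_iv_space(500) / 3600   # 500 frames/s is an assumed rate
    print(f"Sequential IVs at 500 frames/s wrap around after {hours:.1f} hours")
```

The first repeat is expected after roughly 4,800 frames, which is why a busy network leaks keystream reuse within minutes; the sequential-IV case shows that even a sender that never picks an IV twice by chance is forced to repeat within hours of sustained traffic.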


What's Needed To Test Your Wireless Network


To crack WEP, you need a Backtrack CD and basic knowledge of Linux. Backtrack is a live CD with a set of tools for testing network security. Download Backtrack and burn it onto a blank CD with InfraRecorder or any other tool.


Then, boot your computer from the Backtrack CD. You should be presented with the dark-themed KDE desktop.



Surveying Wireless Networks with Kismet


Launch Konsole, which is located right next to the KDE Start menu. Open /usr/local/etc/kismet.conf in a text editor and edit the source= line to include your wireless device. For example, for a Broadcom 43xx-based card, put source=bcm43xx,eth1,bcm43xx. Save kismet.conf and start kismet.

Once kismet starts detecting the wireless networks around you, press s and then P to sort the network list by packet count in descending order. Press the Up or Down key to move to the target network and press i for network information or c for the client list. Write down the following information:



  • ESSID (wireless network name)
  • BSSID (MAC address of access point)
  • channel of wireless network
  • MAC address of clients

In Kismet, the flags for encryption are Y (WEP), N (No encryption), or O (WPA/WPA2). Press x to close popup windows and Q to exit Kismet.



Dumping Wireless Traffic with Airodump


To hack WEP, you need to use airodump-ng to sniff the wireless traffic of the target network and collect good IVs (initialization vectors, part of the WEP encryption data). Type the following commands in a terminal window:


airmon-ng stop wlan0

airmon-ng start wlan0

airodump-ng -w logfile -c 9 --ivs wlan0

The commands above put the network device wlan0 in monitor mode and then use airodump-ng to log the wireless traffic. The -c option specifies the channel to listen on, and --ivs saves only the IVs rather than full packets. The screen will show wireless networks and their associated clients, if any, with packet counters increasing. Don't stop airodump-ng or close the terminal yet; just leave the terminal open.



Using Aireplay-NG To Generate Traffic


Aireplay-ng is a handy tool that can be used to generate more wireless traffic in order to collect enough good IVs. It does so by injecting or replaying captured packets so that the access point produces the traffic we need.



To Force Association of Clients with Access Point


Open another terminal and enter the following command to associate the target wireless client with the access point:


aireplay-ng -1 30 -e belkin -a 00:11:22:33:44:55 -h 00:fe:21:83:f4:e5 wlan0

The -e option specifies the network name, the -a option specifies the MAC address of the AP, and the -h option specifies the MAC address of the wireless client.


You can use macchanger to view and change your MAC address, for example, macchanger -s wlan0 shows the current address. With a fake authentication of your own adapter, you can proceed even when no clients are connected to the wireless network in the first place.



ARP Injection with Aireplay


ARP injection is slow but always works. While airodump-ng is listening, run the following command:


aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:21:83:f4:e5 wlan0

Here the -b option specifies the MAC address of the AP and -h specifies the MAC address of the associated client. Let it run, and airodump-ng will pick up the traffic. If no client is connected, we can create one with the fake authentication described above.



Interactive Packet Replay


This attack generates traffic by asking the access point to resend data packets.


aireplay-ng -2 -b <AP> -h <Client MAC> -n 160 -p 0841 -c FF:FF:FF:FF:FF:FF wlan0

Hacking WEP with Aircrack

Aircrack in Action


After collecting enough IV packets, aircrack-ng can be used to crack the WEP key. The aircrack-ng command takes the following form:


aircrack-ng -a 1 -b A0:B1:C2:D3:E4:F5 -n 128 logfile-01.ivs

Replace the filename with the log file that was previously generated with airodump-ng. Also, specify the access point's MAC address with the -b option. The -n option specifies whether the WEP key is 64-bit or 128-bit. The -a 1 option specifies that we're cracking WEP.



Can't Crack?


If you still can't crack WEP with a large number of IVs, increase the fudge factor with the -f N option (N>=2). It will take much longer to crack, but you'll have a better chance of success.





Saturday, December 27, 2008

Hacking WPA/WPA2 with Backtrack 3

WPA is an encryption scheme designed to secure the wireless network of your home or office from intruders and eavesdroppers. It is reportedly safer than WEP. There have been numerous attempts to break WEP and WPA encryption with mixed results. This tutorial discusses currently available techniques for testing the wireless network security. Be aware that breaking into your neighbor's network without permission is wrong.



What You Need


To test security of wireless networks, you can use the live CD Linux distribution called Backtrack. You can download its latest ISO image from Remote-Exploit.org and burn it with any CD burner program like InfraRecorder or CDBurnerXP. Alternatively, you can try the SliTaz Aircrack-NG distribution which is lighter and simpler than Backtrack.


Here's a list of what you need to crack WPA/WPA2:




Reboot your computer with a Backtrack CD and you'll be presented with the KDE environment.



Surveying Wireless Networks with Kismet


Launch Konsole, which is located right next to the KDE Start menu. Open /usr/local/etc/kismet.conf in a text editor and edit the source= line to include your wireless device. For example, for a Broadcom 43xx-based card, put source=bcm43xx,eth1,bcm43xx. Refer to Kismet documentation section 12. Save kismet.conf and start kismet.


Once kismet starts detecting the wireless networks around you, press s and then P to sort the network list by packet count in descending order. Press the Up or Down key to move to the target network and press i for network information or c for the client list. Write down the following information:



  • ESSID (wireless network name)
  • BSSID (MAC address of access point)
  • channel of wireless network
  • MAC address of clients

Press x to close popup windows and Q to exit Kismet.

Brute-Force Dictionary Attack



This is the classic brute-force attack.


airmon-ng stop wlan0

airmon-ng start wlan0

The commands above put your wireless device in monitor mode. Monitor mode lets your wireless card listen to wireless traffic passively. Replace wlan0 with your wireless device name, such as eth1. Type iwconfig to make sure your card is in monitor mode.


airodump-ng -w test wlan0

Skip the step above if you used Kismet as in the previous section. Here airodump-ng is used to survey the Wi-Fi networks. Press Ctrl+C to stop airodump-ng. Copy the BSSID (MAC address) of the target network.


airodump-ng -w logfile -c 3 --bssid A0:B1:C2:D3:E4:F5 wlan0

Sniff and log the target network (specified with the --bssid option) on the specified channel (-c option) to the specified log file (-w option). Wait until the "WPA handshake" message appears on the screen. Then, stop airodump-ng by pressing Ctrl+C.


Optionally, if you see a client connected to the target network but no authentication handshake, then you can deauthenticate the client by running the following example command in a separate terminal:



aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0


where the -a option specifies the access point and the -c option specifies the client to deauthenticate. Hopefully, the command above will prompt the client to renegotiate the 4-way authentication handshake with the access point. Otherwise, you'll have to wait until a handshake message shows up in the airodump-ng output.

zcat /pentest/password/pico/cowpatty/final-wordlist.txt.gz > /tmp/wordlist.txt

aircrack-ng -a 2 -w /tmp/wordlist.txt logfile*.cap


Begin a brute-force dictionary attack using the saved log file(s) and the specified dictionary (-w option). Aircrack-ng will try every word in the dictionary until the correct passphrase is found. Trying every word may take hours or several days depending on the size of the dictionary and the speed of your CPU. However, if the passphrase is not in the dictionary or is made up of random alphanumeric characters, then you are out of luck and just wasting your time. In that case, the dictionary attack won't be any good.
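To put the "hours or several days" and "random alphanumeric characters" remarks into numbers, here is an added example (not code from the original post or from aircrack-ng) that derives a WPA-PSK pairwise master key with Python's standard hashlib and estimates how long a wordlist run and a random-passphrase search would take. The guess rate of 1000 candidates per second and the 62-character alphabet are assumed figures; the password/IEEE test vector is the one published in the IEEE 802.11i standard.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # iteration count fixed by the WPA/WPA2-PSK standard
PMK_BYTES = 32             # the pairwise master key is 256 bits


def wpa_pmk(passphrase, ssid):
    """Derive the WPA-PSK pairwise master key:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    A dictionary attack has to repeat this derivation for every candidate."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def hmac_sha1_calls_per_guess():
    """SHA-1 yields 20 bytes, so 32 bytes of PMK need two PBKDF2 blocks:
    2 * 4096 HMAC-SHA1 computations for each candidate passphrase."""
    return 2 * PBKDF2_ITERATIONS


def dictionary_attack_seconds(wordlist_size, guesses_per_second):
    """Worst-case time to try a whole wordlist at a given guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return wordlist_size / guesses_per_second


def random_passphrase_candidates(length, alphabet_size=62):
    """Size of the search space for a random passphrase of the given length
    (62 = upper- and lower-case letters plus digits)."""
    return alphabet_size ** length


def expected_seconds_random(length, guesses_per_second, alphabet_size=62):
    """Expected time for an exhaustive search, which on average examines half
    the space before reaching the right passphrase."""
    return random_passphrase_candidates(length, alphabet_size) / 2 / guesses_per_second


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    rate = 1000  # assumed candidates per second for a single 2009-era CPU
    print("HMAC-SHA1 calls per guess:", hmac_sha1_calls_per_guess())
    minutes = dictionary_attack_seconds(1_000_000, rate) / 60
    print("1,000,000-word list at %d/s: %.1f minutes" % (rate, minutes))
    years = expected_seconds_random(8, rate) / (365 * 86400)
    print("random 8-character passphrase at %d/s: about %.0f years" % (rate, years))
```

The 4096-iteration derivation is what makes each guess expensive: a million-word list finishes in under twenty minutes at the assumed rate, but a random eight-character passphrase drawn from 62 symbols would take thousands of years at the same rate, which is the precise sense in which the dictionary attack "won't be any good" against such a passphrase.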



Finding a Good Dictionary


You need a good dictionary to crack WPA. The Backtrack 3 CD has wordlist files at the following locations:


/usr/local/john-1.7.2/password.lst

/pentest/fuzzers/spike/src/password.lst

/pentest/fuzzers/spike/src/wordlist

/pentest/password/pico/cowpatty/final-wordlist.txt.gz

/pentest/wireless/aircrack-ng/test/password.lst

/pentest/wireless/eapmd5pass/sample-wordlist.txt

/opt/windows-binaries/wordlist.txt.gz

Also, the aircrack-ng FAQ page has an extensive list of places where you can download good wordlists from. In addition, I found a good wordlist called 9-final-wordlist.zip here.





© Contents by KBlog