PixieWPS – router WPS passwords in seconds

May 4th, 2015 by admin in cracking, Wireless

Pixiewps is a tool used for offline brute forcing of WPS PINs. It dramatically cuts the WPS brute force attack time from what was taking up to 12 hours to a few seconds by exploiting the low or non-existent entropy of some wireless access points. It is based on the pixie dust attack discovered by Dominique Bongard (slides and video). Notes on how to install it are in the video below; if you are using Kali Linux, just run apt-get update && apt-get upgrade.

ATT U-Verse VAP2500 vulns

November 25th, 2014 by admin in Privilege Escalation, Wireless

ATT U-Verse service includes the VAP2500 video access point as part of the installation. From their guide: “The VAP2500 enables you to transmit multiple standard- and high-definition video streams throughout your home wirelessly. You can enjoy a full range of video services and applications without having to run wires, lay cables, or drill holes. The U-verse Wireless Access Point operates only with authorized U-verse Wireless
Apparently it’s full of holes too:

1. A readable plain-text file, admin.conf, holds the usernames and MD5-hashed passwords
(defaults are: ATTadmin : 1b12957d189cde9cda68e1587c6cfbdd (MD5 of 2500!VaP)
super : 71a5ea180dcd392aabe93f11237ba8a9 (MD5 of M0torola!))

2. The MD5 hash of the username is used as the authentication cookie, so anyone who knows a username can forge a logged-in session

3. The web GUI is vulnerable to command injection

Cracking WPA/WPA2 with Reaver

January 24th, 2012 by admin in Linux, Privilege Escalation, Wireless

The WiFi Protected Setup (WPS) protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS PIN, and subsequently the WPA/WPA2 passphrase, in a matter of hours, using the open source tool called Reaver. Think your 32 character alpha-numeric password is uncrackable? If your wireless router is using WPS, then your router may spit your password back to the attacker in plain text in less than 10 hours. WPS allows users to enter an 8 digit PIN to connect to a secured network without having to enter a passphrase. When a user supplies the correct PIN, the access point essentially hands the user the WPA/WPA2 PSK needed to connect to the network. Reaver determines an access point’s PIN, then extracts the PSK and gives it to the attacker. When we tested Reaver in our labs we were able to recover the WPA password in 1.5 hours, and the longest run was 7.5 hours.

Ncrack 0.3ALPHA released

September 20th, 2010 by admin in cracking, Wireless

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more.

Ncrack can now crack the Remote Desktop Protocol on all Windows versions from XP and above, with the introduction of the RDP module. Users are advised to read the notes on cracking Windows XP machines, since they can’t handle many concurrent RDP connections.

WPA Cracking in the cloud

July 28th, 2010 by admin in cracking, Wireless

WPA Cracker is a WiFi security compromiser in the cloud, running on a high-performance cluster. Send them a dump of captured network traffic and $35, and they will try 136 million passwords in 40 minutes, tops (for $17, they’ll run the same attack at half speed) — the same crack would take five days on a “contemporary desktop PC.” They also have an extended, 284 million word dictionary that you can run for $55 in 40 minutes. They’ll also use the same process to crack the passwords on encrypted ZIP archives.

Time Warner Cable SMC8014 Modem/Router Remote Access

October 21st, 2009 by Dev Team in News, Privilege Escalation, Wireless

A backdoor vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the web, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue.
David Chen said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with JavaScript code. By disabling JavaScript in his browser, he was able to see those functions, which included a tool to dump the router’s config file.

That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner’s network, given that the routers also expose their web interfaces to the internet.

How to Crack a Wi-Fi Network’s WEP Password with BackTrack

July 2nd, 2009 by Dev Team in Linux, Wireless

An article the other day pretty much held your hand through the steps to crack a WEP password using BackTrack 3. Check it out ::HERE::

WiFi password cracking with ATI and NVIDIA

January 15th, 2009 by admin in Wireless

ElcomSoft Co. Ltd. puts ATI and NVIDIA hardware to work accelerating the recovery of Wi-Fi passwords. The newly released Elcomsoft Wireless Security Auditor 1.0 benefits from the ability of latest-generation video cards manufactured by ATI and NVIDIA to crunch numbers faster, allowing its users to recover Wi-Fi passwords faster than ever before.

Password to Uninstall Symantec Antivirus Client

November 12th, 2008 by admin in News, Password Info, Wireless

We all know Norton can’t protect you, but Norton is also sometimes a pain in the ass to uninstall; sometimes it has files you can’t remove, etc. But even before you get to that point you’re prompted for an uninstall password? WTF? Sometimes you were the person who installed it, sometimes you weren’t; either way you don’t know the password. Here’s a simple way to bypass that problem.

The default password that should work for most Symantec uninstallations is “symantec”. Duh.

If the default password doesn’t work, do this:

1) Go to Start -> Run and type regedit

2) Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Administrator Only\Security\

3) Double click on the value name “UseVPUninstallPassword” and change the value from 1 to 0

4) Close the registry editor and retry the uninstall.

WPA Wi-Fi encryption is cracked

November 6th, 2008 by admin in News, Wireless

Security researchers say they’ve developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.