Clinically Awesome

projects:evilbitchanger:start - Added download link

jason — Thu, 17 Feb 2011 18:13:27 -0700

evilbitchanger

The intent of this tool is to simplify testing when it involves the evil bit. It will read packets from a .pcap file, set the IP reserved bit on each IP datagram, recalculates the header checksum, and forward the packet in a new Layer 2 frame.

This tool can also capture live traffic and forward it in the same manner. The cleanest way to do so is with two systems as follows:

The host generating the traffic is referred to as “S” (source).
The host running evilbitchanger is referred to as “E”.
The target IP is referred to as T.

Start evilbitchanger on E with a filter that identifies the traffic you want made evil. This filter is *very* important. If the filter is not specific enough, *all* packets E receives will be retransmitted (but evil). evilbitchanger will filter out packets sent by host E's mac address automatically to prevent looping.

On host S, set a static route that sends traffic destined for T to E. Something like this, assuming E is 1.2.3.4 and the targets are 9.8.7.0/24:

  route add -net 9.8.7.0/24 gw 1.2.3.4

Or for a single host:

  route add -host 9.8.7.6 gw 1.2.3.4

As S sends traffic, E will receive it. evilbitchanger will receive a copy of the packet because it is sniffing. The OS on E will see that IP destination is not one of E's IPs and drop the packet. evilbitchanger will manipulate the packet received and send out the new packet according to its routing table.

NOTE: firewall settings may cause malfunction. If something isn't working, use tcpdump to locate the problem and adjust firewall settings accordingly.

Limitations

In sniff mode evilbitchanger will only send on the interface it listens on
Only changes the evil bit. Could do other kooky stuff
Might be slow. It uses the incredible scapy and I hear scapy is slow

License

BSD License

Download

Download from Google Code

projects:start

jason — Sat, 05 Feb 2011 14:28:34 -0700

Projects

Crap I'm working on

AU on Android - Anonymizer Universal on Android
evilbitchanger - Set the evil bit on arbitrary traffic
wepwn - An automated WEP-cracking workflow in python

projects:au_on_android:start - created

jason — Tue, 08 Jun 2010 20:08:24 -0700

Anonymizer Universal on Android

While at Anonymizer I got to use Anonymizer Universal and I thought it was pretty sweet. It doesn't take long with a packet sniffer on a popular public wireless access point to see that you have little protection if any without some sort of VPN. Anonymizer Universal is a commercial VPN service that protects your traffic on the local network and allows it to exit through Anonymizer. I got it working on my Android phone using a little hand-configuration. This doesn't require the phone to be rooted/jailbroken; it's part of the standard functionality. Note that while it works, it's not a supported platform. If it works for you that's great. If not, technical support may not be able to help you.

Before you begin you'll need to have a subscription to Anonymizer Universal. It's a pay service but it's pretty cheap. With your subscription you should have received an email with a link to the Windows and Mac clients and to the iPhone configuration profile. Download the Mac configuration profile file on your desktop machine. Open it with your text editor and look for the SharedSecret section near the top. In there you'll find a Base64-encoded key that's essential for the setup.

Run the value through a Base64 decoder. If you're on a *nix type system (including Mac OS X) you can run either of the following:

perl -MMIME::Base64 -e 'print decode_base64("_BASE64_ENCODED_SECRET_STRING_GOES_HERE_") . "\n";'
# or
echo '_BASE64_ENCODED_SECRET_STRING_GOES_HERE_' | openssl enc -d -base64

The result will be another Base64 encoded value. If you aren't on a *nix system there are web-based Base64 decoders available.

On the home screen of your Android device, press Menu → Settings → Wireless & networks → VPN Settings → Add VPN → Add L2TP/IPSec PSK VPN.

Set the name to Anonymizer Universal.
Set the VPN server to universal.anonymizer.com
Set the IPSec pre-shared key to the value you recovered with the Base64 decoder. Note that this is an error-prone process and is made much easier by having someone read the key to you.
Ensure Enable L2TP secret is not checked
Hit your back button, you may be asked for your credentials storage password
Select Anonymizer Universal to connect.
It should ask for your Anonymizer account credentials

Win!

projects:wepwn:start

jason — Sat, 15 May 2010 21:37:44 -0700

wepwn

wepwn is an automated WEP-cracking workflow in python. It is built on top of the aircrack-ng suite and intended to be run on Backtrack Linux 4, although it may work on other Linux distributions. It's easy to use and seems pretty reliable if the target has a decent signal.

wepwn is release under the BSD License.

Download wepwn (beta)

News

20100515

First release of wepwn.

Usage

There are usually two stages using wepwn: target selection and attack.

Target Selection

Target selection involves listing targets and deciding which to attack. This is done with the -w or -a options. The -w option lists only nearby access points using WEP while the -a options lists all nearby access points. NOTE: Not all access points will show up in a given scan. This seems to be a limitation of the iwlist command used by wepwn and may be fixed in a future release of either tool. In the meantime it may take multiple scans to find a specific target:

: Screenshot

Attack

Attacking an access point is accomplished with the -e or -b options. The -e option allows the user to specify the target by the name or ESSID. The -b option allows the user to specify the target by hardware address or BSSID. These options are not mutually exclusive but specifying BSSID makes specifying ESSID redundant. Multiple access points may have the same ESSID but no two access points should have the same BSSID.

wepwn needs to determine more information about the target than what is provided so it scans for nearby access points. As mentioned above, not all access points will show up in a single scan. wepwn may not be able to extract the information for a target that the user knows is a valid target in a single scan. Trying again may be necessary.

: Screenshot

If all goes well, wepwn will proceed on to aircrack-ng and run until the key is recovered. The “IV” count in aircrack-ng should be increasing by at least a few hundred every few minutes. If it increases more slowly then range or the stability of the hardware may be a factor. If it doesn't increase at all, one of the commands wepwn launched may have failed.

If aircrack-ng succeeds in recovering the key it will be displayed on the screen by aircrack-ng, printed on the screen by wepwn, and saved to a text file named key.<BSSID>.

Documentation

FAQ

Does it do WPA? - No. Just WEP.
How long does it take to recover a key? - This depends on signal strength, processing speed, range, and quality of hardware. Under optimal conditions on a 1.6Ghz Atom netbook with an ALFA AWUS036H adapter, 64/40 bit would usually take about five minutes and 128/104 bit would take about 10-20 minutes. The process is statistical in nature and will give different results every time. There are adjustments that could be made to the commands to speed things up but I found settings that worked reliably for me and stuck with them.
Why do I have to specify my wireless driver? - I haven't figured out how to properly reset the wireless device after scanning, before starting the attack. My workaround is to unload the driver then reload it to reset the device. This is suboptimal and I've been told that rmmod is or is going to be deprecated. I haven't figured out a way of detecting the driver in use that works on all platforms. Hence, “Intended for Backtrack 4”.
Why does this look like it was written by a perl programmer? - Because it was. This was my first python project.

Command Line Usage

Python Module Usage

Known Issues

When wepwn completes successfully, command line keystrokes are not echoed. This can be remedied by the user running the reset shell command.

Changelog

20100515 - wepwn-0.9b.tgz - First release (beta)

start - created

jason — Sat, 20 Mar 2010 11:57:28 -0700

Clinically Awesome

http://www.clinicallyawesome.com/ - Blog and ephemeral output
Projects - Stuff I have done or am doing