#!/zitstif.no-ip.org/

The official tool is available here:

http://trifinite.org/trifinite_stuff_carwhisperer.html

It has also been ported to the Nokia N810:

http://talk.maemo.org/showthread.php?t=20780

I’ve downloaded it and installed it on my Nokia N810, but haven’t had a chance to test it since I don’t own any bluetooth headsets.

More to come as usual..

#Update 11/17/2015

It appears that video no longer works, this should suffice:

Eavesdropping on Bluetooth Headsets by DelwinWood

#Thanks Patryk

Securityemo writes “The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here’s the original research paper.” El Reg notes that “The technique works even when Windows is running under an account with limited privileges,” but “it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.”

http://tech.slashdot.org/story/10/05/09/1343239/Critical-Flaw-Found-In-Virtually-All-AV-Software

If you’re a techie, you have to love /. 🙂

The threat of information leakage via unencrypted wireless networks is quite real and needs to be taken into consideration. Especially if you’re an organization/entity, who handles sensitive information.

Today I’ll be covering a simple demonstration that will have 3 hosts. The three hosts are as follows:

Host A (Attacker)
Host B (Client)
Host C (Server)

Host A will be running kismet, so it will not be connected to the network. The network will only have MAC filtering deployed. Host B and C will be wireless clients on the network, but I will set up netcat loops that will just simply print a string over the network.

Host B will be running this:

while true; do echo "CAPTURE THIS WHILE NOT CONNECTED" | nc -w2 hostC 8080; done

Host C will be running this:

while true; do nc -l -s hostCIP -p 8080 -vv; done

Host A which is the attacker, will simply be within close range of the network and will give the kismet log files a name as well by doing:

kismet -t capture-test

Once kismet has started to run, make sure to use ‘L’ to lock onto the channel that the wireless network is on. With this done, wait a few minutes and you should have captured the test string.

To view your captured information, you need to view the contents of the dump files. The dump files are located in/var/log/kismet.

Upon location of the dump file, what worked for me was using egrep to look for the captured string.

egrep 'CAP*' capture-test*.dump 

This may ‘bork’ your terminal, so just use reset. Per contra, you should see the captured text.

This simple demo demonstrates how real of a threat passive wireless sniffing devices are. If you’re curious, I actually used my Nokia N810 as the attacker. 🙂

I’ll have more to come as usual… (I’m back in school so I’m going to have less time to work on ettersploit 🙁 )

http://www.google.com/search?q=%22compatible%3B+MSIE+6.0%3B+Windows+NT+5.1%3B+SV1%22+inurl%3A%2Fvar%2Flog&btnG=Search&hl=en&

Ah google what can’t you do?? 🙂

More to come.. (Currently working on ettersploit, taking a break).

If you’re ever put in a situation where you need to assess the strength of passwords that may be stored in an md5sum, there are a few options you have:

There are numerous websites for cracking md5sums such as:

http://passcracking.com

The simple way I assess how these websites is by searching for a very simple md5sum that can be generated via:

echo password | md5sum -;

Also, you could just merely, google the md5sum and see if you can find the unciphered text. That being said, the point of this post though, is to generate an md5sum hash dictionary. Let’s look at a simple word list.

cat wordlist.txt | head 
aaaaa
aaaab
aaaac
aaaad
aaaae
aaaaf
aaaag
aaaah
aaaai
aaaaj

We will then, use a for loop and append the output of each iteration, to a file simply by doing:

for i in `cat wordlist.txt`; do echo ${i} >> hashdict.txt; echo ${i} | md5sum - >> hashdict.txt; done

Now in our hashdict.txt file, we have our unciphered text and then on the next line, it’s md5sum equivalent. Ergo, if we want to look up a hash some and find the unciphered text, we could do as follows:

egrep --before-context=1 '4ab36a961cd2198e4a49915f820db5c0' hashdict.txt
aaaae

We have now found out that ‘4ab36a961cd2198e4a49915f820db5c0’ is equivalent to ‘aaaae’.

Similarly, if we wanted to find md5sum equivalent of ‘aaaae’ , we could use the list, or just simply do:

echo aaaae | md5sum -

I’ll have more to come. In the next few days, I’m going to work on my ‘ettersploit’, idea.