This is pretty cool: Whilst searching for an alternative to HyperTerminal that supports Serial Port connections, I discovered that PuTTY now connects to Serial COM ports as well as the usual SSH/Telnet stuff 😀
As a business you can’t use HyperTerminal Private Edition unless you pay a licence fee; and now that Microsoft has removed HyperTerminal from Windows Vista, finding an Open Source, free-for-commercial-use replacement for HyperTerminal is invaluable for budget-constrained IT departments.
If your Powervault NAS loses network connectivity or won’t boot into the OS, you’ll need to physically access it via the console port at the back. From there you can edit and upgrade the BIOS, run a recovery boot (boots the OS from another drive) and perform hardware diagnostics.
Here are the settings you’ll need for HyperTerminal:
Bits per second: 115200
Data bits: 8
Stop bits: 1
Flow Control: Xon / Xoff
As I will be leaving Crownhill at some point, I set up SWAT on our SAMBA server to reduce some of the technical and administrative burden on the company until a replacement is found. Whilst briefly showing the MD how to use it, we discovered a huge usability flaw – the Delete share button not only looks the same as any other button, but it also provides no “are you sure?” confirmation. Clicking the button instantly deletes the share you’re working on!
As a large part of the world reads from left to right, it makes sense that if you’re in a rush, your natural work flow goes left to right. If I was busy, and wanted to edit the public share, I’d probably click the button to the right without even thinking – and with no confirmation dialogue, I’d have instantly deleted the share that I actually wanted to edit. Not good design at all.
Every time you deploy a WEP Access Point, a fluffy kitty dies.
Recently a team of German cryptography researchers perfected methods to recover a WEP key faster than ever before. The older Weak IV attacks generally needed between 500,000 and 2,000,000 packets to recover a 128-bit WEP key. In contrast, the new PTW method needs a mere 85,000 packets to have a 95% chance of recovering the WEP key.
Unlike the Weak IV attack, instead of collecting weak IVs, the PTW method collects ARP requests and responses to attack the encryption. ARP requests can either be collected naturally, or can be generated via packet injection. Until recently, packet injection was only possible in Linux. With the advent of the AirPcap USB adapter, and some unsupported beta drivers, it’s possible to inject packets in Windows. Update: CACE have released AirPcap Tx, which features fully supported packet injection, for an added premium.
In this tutorial, I’ll guide you through the process of recovering a WEP key, via the PTW attack, in Windows. For this you’ll be using the AirPcap USB adapter, Cain, aircrack-ptw, and the aircrack-ng suite.
It’s important to point out that these methods should only be applied with permission from the owner of the target AP. You should either be auditing, penetration testing, or demonstrating the weaknesses of WEP in a Test Lab environment. You should not be using these methods to get “Free internet”!
An AP configured with WEP
At least one client associated with the Access Point (to give us an initial ARP request)
The primary countermeasure to this WEP attack is to cease using WEP and switch your Access Points to WPA encryption. As you’ve seen in this video, WEP is just too easy to crack. For further reading, Wikipedia has an excellent entry on WPA.
Access Points are so cheap now that, if your AP doesn’t support WPA via a firmware upgrade, you can easily afford a new one with full WPA or WPA2 support.
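Where a WEP network has to stay up until its replacement arrives, the injection traffic described above can be watched for. The following is an added example, not code from this post or from any of the tools it names: a heuristic that flags one transmitter re-sending the same WEP IV many times in a short window (a replayed frame) and bursts of deauthentication frames. The frame tuples, thresholds and MAC addresses are constructed assumptions.

```python
from collections import defaultdict

def find_injection_indicators(frames, window=1.0, iv_repeats=20, deauths=5):
    """Return sorted (indicator, transmitter) pairs.

    frames: (time_s, kind, transmitter, iv) tuples ordered by time, where
    kind is "data" or "deauth" and iv is the WEP IV as hex (None if absent).
    """
    recent = defaultdict(list)          # key -> timestamps inside the window
    alerts = set()
    for t, kind, tx, iv in frames:
        if kind == "data" and iv is not None:
            # A station normally uses a fresh IV per frame; a replayed frame
            # carries the same IV every time it is re-sent.
            key, limit, label = (tx, iv), iv_repeats, "iv-reuse"
        elif kind == "deauth":
            key, limit, label = (tx, "deauth"), deauths, "deauth-burst"
        else:
            continue
        times = recent[key]
        times.append(t)
        while t - times[0] > window:    # drop timestamps older than the window
            times.pop(0)
        if len(times) >= limit:
            alerts.add((label, tx))
    return sorted(alerts)

def sample_frames():
    """Constructed traffic: all addresses and IVs are made up."""
    frames = []
    for i in range(200):                # ordinary client, IV changes per frame
        frames.append((i * 0.01, "data", "aa:aa:aa:00:00:01", f"{i:06x}"))
    for i in range(50):                 # one frame replayed 50 times in 0.5 s
        frames.append((2.0 + i * 0.01, "data", "aa:aa:aa:00:00:02", "1f2e3d"))
    for i in range(8):                  # burst of deauthentication frames
        frames.append((1.5 + i * 0.05, "deauth", "aa:aa:aa:00:00:ff", None))
    frames.append((5.0, "deauth", "aa:aa:aa:00:00:01", None))  # single, benign
    return sorted(frames, key=lambda f: f[0])

if __name__ == "__main__":
    for label, tx in find_injection_indicators(sample_frames()):
        print(label, tx)
```

The thresholds are starting points only; tune them against normal traffic on the network being monitored.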
Note 1: After recording this tutorial, I’ve become aware that, as of version 0.9, aircrack-ng.exe natively supports the PTW attack by using the -z switch. For example: aircrack-ng.exe -z mycapturefile.cap. If you want to use this attack, download aircrack-ng from the authors, and replace aircrack-ng.exe in c:\airpcap with the new one.
Note 2: The whole process from starting capture to recovering the WEP key takes about 10 minutes.
Note 3: It is important that you get the Packet Injection drivers and the aircrack-ng release specifically for the AirPcap adapter, or this will not work.
Note 4: Just to summarise the steps in the video:
Run Cain and passively scan for the target AP, making a note of the Channel number.
Using the channel number, tell AirPcap to inject packets once it has collected an ARP request. (You can sometimes force an ARP by sending Deauth. To do that, right click on the client. Otherwise, repair the Wireless connection on the client connected to the AP)
To use the PTW attack, you need to collect all packets. By running airodump-ng you can collect all the packets generated by Cain. The reason we use airodump-ng instead of Cain is that Cain only collects WEP IVs.
Once you’ve collected enough packets, run aircrack-ptw against the capture file.
As of version 0.9, the aircrack-ng suite natively supports the PTW attack. Download it here. To invoke the PTW attack in aircrack-ng, run it with the -z switch: aircrack-ng.exe -z mycapturefile.cap.
A French chap has compiled Aircrack-PTW for Windows. This is great for anyone using the AirPcap adapter to inject packets in Windows, as the new PTW attack dramatically reduces the number of packets you need to collect before attempting to crack the WEP key. Notice in the screenshot below, only 83,000 packets were needed to break a 128-bit key, as opposed to around 400,000 with the KoreK attack.
The executable is in French but it’s still perfectly usable; all you’re looking for is the WEP key!