Wednesday, March 24, 2010

Zenmap: a very useful network scanning utility

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

WPA Cracker

WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400-CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.

Which dictionary to use:
The standard English dictionary is 136 million words, and there is also an "extended" dictionary of an additional 284 million words. The "extended" dictionary is not a superset of the "standard" dictionary; that is, the words in the "standard" dictionary are not also in the "extended" dictionary. The former contains the 136 million words that we find are most likely to give cracking success, so we recommend only trying the "extended" dictionary where the "standard" dictionary has failed.
The job costs the same whether we find your password or not. You are paying either for the recovery (which is most often the case), or for the knowledge that if you were to build an exhaustive 135 million word dictionary file and run your handshake against it for five days, you would find nothing.

Tuesday, March 23, 2010

Installing and using Kismet

If you believe your destiny is to discover wireless networks, then Kismet is for you. Kismet is freeware 802.11b and g (and 802.11a with the right card) wardriving software. Kismet can capture data from multiple packet sources and can log in Ethereal-, tcpdump-, and AirSnort-compatible log files. In addition, Kismet can do the following:
Detect other scanning programs like NetStumbler
Channel hop
Highlight the detected default access point configurations
Discover “closed,” “hidden,” or “cloaked” SSIDs for access points where SSID broadcast is disabled
Identify the manufacturers of discovered access points
Group and custom-name SSIDs
Detect Cisco products by using CDP
Detect IP blocks
Passively monitor and record wireless network data packets, including encrypted ones
Map access point locations using a GPS
Work with Ethereal and AirSnort
Kismet runs on most UNIX-like systems, including Linux, Mac OS, and Cygwin, and supports Hermes and Prism2 chipset cards with linux-wlan-ng drivers.
You can find information at the following Web sites:
You can find more about drivers at Jean Tourrilhes’ Web page: www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Wireless.html
Mark Mathews’ AbsoluteValue Systems Web page offers information about drivers as well: www.linux-wlan.com/linux-wlan
If you feel adventurous, you can learn how to install Kismet on Cygwin: www.renderlab.net/projects/wardrive/wrt54g/kismetonwindows.html
You can find Kismet at www.kismetwireless.net. You also can get Kismet for handheld computers — that is, iPaq/ARM and Zaurus/ARM — with embedded Linux. You need the ARM version from www.kismetwireless.net/download.shtml.

Looking for General Client Vulnerabilities

After you find out which wireless systems are alive on your network, you can take your testing a step further and see which vulnerabilities really stand out. There are various freeware, open source, and commercial tools to help you along with your efforts, including:
LanSpy (www.lantricks.com): LanSpy is a Windows-based freeware tool for enumerating Windows systems.
Amap (http://thc.org/thc-amap): Amap is an open source Linux- and Windows-based application mapping tool.
Nessus (www.nessus.org): This is an open source network and OS vulnerability-assessment tool that runs on Linux and Windows.
GFI LANguard Network Security Scanner (www.gfi.com/lannetscan): This is a Windows-based commercial tool for performing network and OS vulnerability assessments.
QualysGuard (www.qualys.com): QualysGuard is an application service provider-based commercial tool for performing network and OS vulnerability assessments.

Friday, March 19, 2010

WEP Weaknesses

Security researchers have discovered security problems that let malicious users compromise the security of WLANs that use WEP — these, for instance:
Passive attacks to decrypt traffic: These are based on statistical analysis.
Active attacks to inject new traffic from unauthorized mobile stations: These are based on known plaintext.
Active attacks to decrypt traffic: These are based on tricking the access point.
Dictionary-building attacks: These are possible after analyzing enough traffic on a busy network.
The biggest problem with WEP is when the installer doesn’t enable it in the first place. Even bad security is generally better than no security.
When people do use WEP, they forget to change their keys periodically. Having many clients in a wireless network — potentially sharing the identical key for long periods of time — is a well-known security vulnerability. If you keep your key long enough, someone can grab all the frames he needs to crack it.
You can’t blame most access-point administrators for not changing keys — after all, the WEP protocol doesn’t offer any key management provisions. But the situation is dangerous: when someone in your organization loses a laptop for any reason, the key could become compromised — along with all the other computers sharing the key. So it’s worth repeating:
Shared keys can compromise a wireless network. As the number of people sharing the key grows, so does the security risk. A fundamental tenet of cryptography is that the security of a system is largely dependent on the secrecy of the keys. Expose the keys and you expose the text. Share the key, and a cracker only has to crack it once. Moreover, when every station uses the same key, an eavesdropper has ready access to a large amount of traffic for analytic attacks.
As if key management problems weren’t enough, you have other problems with the WEP algorithm. Check out these bugbears in the WEP initialization vector:
The IV is too small and in cleartext. It’s a 24-bit field sent in the cleartext portion of a message. This 24-bit string, used to initialize the key stream generated by the RC4 algorithm, is a relatively small field when used for cryptographic purposes.
The IV is static. Reuse of the same IV produces identical key streams for the protection of data, and because the IV is short, it guarantees that those streams will repeat after a relatively short time (between 5 and 7 hours) on a busy network.
The IV makes the key stream vulnerable. The 802.11 standard does not specify how the IVs are set or changed, and individual wireless adapters from the same vendor may all generate the same IV sequences, or some wireless adapters may possibly use a constant IV. As a result, hackers can record network traffic, determine the key stream, and use it to decrypt the ciphertext.
The IV is a part of the RC4 encryption key. The fact that an eavesdropper knows 24 bits of every packet key, combined with a weakness in the RC4 key schedule, leads to a successful analytic attack that recovers the key after intercepting and analyzing only a relatively small amount of traffic. Such an attack is so nearly a no-brainer that it’s publicly available as an attack script and as open-source code.
WEP provides no cryptographic integrity protection. However, the 802.11 MAC protocol uses a non-cryptographic Cyclic Redundancy Check (CRC) to check the integrity of packets, and acknowledges packets that have the correct checksum. The combination of non-cryptographic checksums with stream ciphers is dangerous — and often introduces vulnerabilities. The classic case? You guessed it: WEP.
There is an active attack that permits the attacker to decrypt any packet by systematically modifying the packet and its CRC, sending it to the AP, and noting whether the packet is acknowledged. These kinds of attacks are often subtle, and it is now considered risky to design encryption protocols that do not include cryptographic integrity protection, because of the possibility of interactions with other protocol levels that can give away information about ciphertext.
Only one of the problems listed above depends on a weakness in the cryptographic algorithm. Therefore substituting a stronger stream cipher will not help. For example, the vulnerability of the key stream is a consequence of a weakness in the implementation of the RC4 stream cipher — and that’s exposed by a poorly designed protocol.

WEP Encryption

The popular press has done a lot to discourage organizations and individuals from using wireless networks. If you’ve been paying attention to the brouhaha, then you’re aware of all the negative articles about wireless security — especially those dealing with encryption. Part of the problem is that the press and others don’t understand the basis for WEP. As implied by its name, the developers of Wired Equivalent Privacy intended for it to give clients the same level of security found on a wired network — which, quite frankly, isn’t much. With the exception of a fully switched environment, eavesdroppers can have their way with frames traversing a wired network. WEP was never intended to provide message integrity, non-repudiation, and confidentiality. And guess what — it doesn’t.
WEP uses the symmetrical RC4 (Ron’s Code 4) algorithm and a PRNG (Pseudo-Random Number Generator). The original standard specified 40 (in practice, 64) and 128-bit key lengths with a 24-bit initialization vector (IV). Then there’s the matter of incomplete coverage of network layers: WEP encrypts Layers 3 through 7, but does not encrypt the MAC layer (that is, Layer 2). Because it’s a symmetrical algorithm, WEP gives every client the keys and other configuration data.
Okay, we know there’s nothing wrong with the RC4 algorithm per se — after all, Web browsers use it for Secure Sockets Layer (SSL). The problem is in the WEP implementation of the RC4 algorithm — and the false sense of security it encourages.
The algorithm takes the IV, which is in plaintext, and sticks it on the front end of the secret key (which the decrypter knows). WEP then plugs the result into RC4 to regenerate the key stream. Next, the algorithm XORs the key stream with the ciphertext, which should give us the plaintext value. Finally, WEP recomputes the CRC-32 checksum on the message and ensures that it matches the integrity check value carried in the decrypted message. Should the checksums not match, WEP assumes that someone tampered with the packet, and will discard it.
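The decryption steps just described, as an added example that is not code from the original post or from any real WEP driver: a minimal RC4 plus WEP encapsulation in Python, with the ICV check that discards tampered frames, and a small monitoring check that flags IV reuse across captured frames. The 40-bit key and the IV values are constructed for the demo.

```python
# Added example: minimal WEP encapsulation/decapsulation written to illustrate
# the steps described above (not taken from the post or any real driver).
import zlib

WEP_KEY = bytes.fromhex("0102030405")  # constructed 40-bit secret key (demo only)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling algorithm, then the PRGA key stream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (cleartext) || RC4(IV || key) over (plaintext || ICV)."""
    assert len(iv) == 3  # the 24-bit IV is sent in the clear
    icv = zlib.crc32(plaintext).to_bytes(4, "little")  # CRC-32 integrity check value
    return iv + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Regenerate the key stream from IV || key, XOR it off, verify the ICV.
    Returns the plaintext, or None when the ICV mismatches (frame discarded)."""
    iv, body = frame[:3], frame[3:]
    decrypted = rc4(iv + secret_key, body)
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


def reused_ivs(frames):
    """Monitoring check: IVs seen in more than one captured frame. Frames that
    share an IV under the same key were encrypted with an identical key stream."""
    seen = {}
    for frame in frames:
        seen[frame[:3]] = seen.get(frame[:3], 0) + 1
    return [iv for iv, count in seen.items() if count > 1]


if __name__ == "__main__":
    frame = wep_encrypt(WEP_KEY, b"\x00\x00\x01", b"hello")
    print(wep_decrypt(WEP_KEY, frame))  # b'hello'
    tampered = bytearray(frame); tampered[5] ^= 0x01  # one flipped ciphertext byte
    print(wep_decrypt(WEP_KEY, bytes(tampered)))  # None
```

Because the ICV is only a CRC-32, the check catches accidental corruption (the flipped byte above) but is not a cryptographic integrity guarantee, which is the point made in the WEP Weaknesses post.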
As mentioned earlier, access points generally have only the following three encryption settings available:
None: This setting represents the most serious risk because someone can easily intercept, read, and alter unencrypted data traversing the network.
40-bit shared key: A 40-bit shared key encrypts the network communications data, but there is still a risk of compromise. The 40-bit encryption has been broken by brute force cryptanalysis, using a high-end graphics computer — and even low-end computers — so it has only questionable value. We show you some tools in later sections that allow you to easily recover 40-bit keys — and if you can, a bad guy can.
104-bit setting: In general, 104-bit (sometimes called 128-bit) encryption is more secure than 40-bit encryption because of the significant difference in the size of the cryptographic key space. Even though this better security isn’t true for 802.11 WEP (because of poor cryptographic design in the use of IVs), it is nonetheless recommended as a good practice. Again, you should be vigilant about checking with the vendor regarding upgrades to firmware and software — you may find some that overcome some of the WEP problems. (Some vendors, for example, support 152-bit keys.)

Thursday, March 18, 2010

Using Cain & Abel

Cain & Abel is a freeware password recovery tool that runs on a Microsoft platform. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. This tool covers some security weaknesses present in the protocols, authentication methods and caching mechanisms. Cain & Abel was developed for network administrators, security consultants or professionals, forensic staff, security-software vendors, and professional penetration testers.
Cain & Abel is actually two different programs. Cain has the following features:
Protected Storage Password Manager: Reveals locally stored passwords of Outlook, Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer, and MSN Explorer.
Credential Manager Password Decoder: Reveals passwords stored in Enterprise and Local Credential Sets on Windows XP/2003.
LSA Secrets Dumper: Dumps the contents of the Local Security Authority Secrets.
Dialup Password Decoder: Reveals passwords stored by the Windows “Dial-Up Networking” component.
APR (ARP Poison Routing): Enables sniffing on switched networks and Man-in-the-Middle attacks.
Route Table Manager: Provides the same functionality as the Windows tool route.exe with a GUI front-end.
SID Scanner: Extracts usernames associated with Security Identifiers (SIDs) on a remote system.
Network Enumerator: Retrieves, where possible, the user names, groups, shares, and services running on a machine.
Service Manager: Allows you to stop, start, pause, continue, or remove a service.
Sniffer: Captures passwords, hashes, and authentication information during transmission on the network. Includes several filters for application-specific authentications and routing protocols. The VoIP filter enables the capture of voice conversations transmitted with the SIP/RTP protocol, saved later as WAV files.
Routing Protocol Monitors: Monitors messages from various routing protocols (HSRP, VRRP, RIPv1, RIPv2, EIGRP, OSPF) to capture authentications and shared route tables.
Full SSH-1 sessions sniffer for APR (APR-SSH-1): Allows you to capture all data sent in an SSH-1 session on the network.
Full HTTPS sessions sniffer for APR (APR-HTTPS): Allows you to capture all data sent in an HTTPS session on the network.
Certificates Collector: Grabs certificates from HTTPS Web sites and prepares them for use by APR-HTTPS.
MAC Address Scanner with OUI fingerprint: Using the OUI fingerprint, makes an informed guess about the device based on the MAC address.
Promiscuous-mode Scanner based on ARP packets: Identifies sniffers and network intrusion detection systems present on the LAN.
Wireless Scanner: Scans for wireless network signals within range. This feature is based on NetStumbler, which we discuss in Chapter 9.
Access (9x/2000/XP) Database Passwords Decoder: Decodes the stored encrypted passwords for Microsoft Access Database files.
Base64 Password Decoder: Decodes Base64 encoded strings.
Cisco Type-7 Password Decoder: Decodes Cisco Type-7 passwords used in router and switch configuration files.
VNC Password Decoder: Decodes encrypted VNC passwords from the registry.
Enterprise Manager Password Decoder: Decodes passwords used by Microsoft SQL Server Enterprise Manager (SQL 7.0 and 2000 supported).
Remote Desktop Password Decoder: Decodes passwords in Remote Desktop Profiles (.RDP files).
PWL Cached Password Decoder: Allows you to view all cached resources and their passwords in clear text from either locked or unlocked password list files.
Password Crackers: Enables the recovery of clear text passwords scrambled using several hashing or encryption algorithms. All crackers support Dictionary and Brute-Force attacks.
Cryptanalysis attacks: Enables password cracking using the “Faster Cryptanalytic time – memory trade off” method introduced by Philippe Oechslin. This cracking technique uses a set of large tables of precalculated encrypted passwords, called Rainbow Tables, to improve on the trade-off methods known today and to speed up the recovery of cleartext passwords.
NT Hash Dumper + Password History Hashes (works with Syskey enabled): Retrieves the NT password hash from the SAM file regardless of whether Syskey is enabled or not.
Microsoft SQL Server 2000 Password Extractor via ODBC: Connects to an SQL server via ODBC and extracts all users and passwords from the master database.
Box Revealer: Shows passwords hidden behind asterisks in password dialog boxes.
RSA SecurID Token Calculator: Calculates the RSA key given the token’s .ASC file.
Hash Calculator: Produces the hash values of a given text.
TCP/UDP Table Viewer: Shows the state of local ports (like netstat).
TCP/UDP/ICMP Traceroute with DNS resolver and WHOIS client: An improved traceroute that can use TCP, UDP and ICMP protocols and provides whois client capabilities.
Cisco Config Downloader/Uploader (SNMP/TFTP): Downloads or uploads the configuration file from/to a specified Cisco device (IP or hostname) given the SNMP read/write community string.
Abel provides the following features:
Remote Console: Provides a remote system shell on the remote machine.
Remote Route Table Manager: Manages the route table of the remote system.
Remote TCP/UDP Table Viewer: Shows the state of local ports (like netstat) on the remote system.
Remote NT Hash Dumper + Password History Hashes (works with Syskey enabled): Retrieves the NT password hash from the SAM file regardless of whether Syskey is enabled or not; works on the Abel side.
Remote LSA Secrets Dumper: Dumps the contents of the Local Security Authority Secrets present on the remote system.