Operator: RELIANCE COMMUNICATIONS. I managed to get to India; internet here is only by cards, over Wi-Fi. I know the format of the LOGIN but I don't know the type of encryption, I think WEP. How can I get a password for a card? For example, for a month. No, not WEP. The internet is not password-protected. You just need to enter a Username\password after login. I bought two cards. Users: pohyn4 and swaib8
Is this really such a difficult task? Why is there no answer? Maybe I described it incompletely. The internet is open: you connect, and to get out to outside sites you have to enter a login\pass. How can I get a list of logins\passes?
Authorization takes place at http://172.16.0.254. Any manipulation of the address, like /phpmyadmin or /admin, redirects to the authorization page.
Look at what kind of hotspot it is and what it runs on. Maybe there is no phpadmin there at all; maybe it is MikroTik's OS, a Tomato hotspot, or something else. That is where you have to start from. Or at least post screenshots of the authorization page. P.S. On simple hotspots, substituting the MAC address of an authorized client works.
As I already said, the operator is RELIANCE COMMUNICATIONS. Screenshot of the authorization page: http://s24.postimg.org/e1w2hgyhh/Screenshot_from_2013_10_02_00_04_03.png
The operator is fine, but the manufacturer of the hotspot is another matter. Try scanning it with nmap in quick plus mode. Maybe it will show what kind of thing this is.
I can google the help for it myself, but the internet here is not unlimited, and it will be easier if you give me the command I need.
I didn't find this Quick plus. Here is what it gave on a simple scan:

    nmap -v -A http://172.16.0.254
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-02 07:12 IST
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Invalid host expression: http://172.16.0.254 -- colons only allowed in IPv6 addresses, and then you need the -6 switch
    NSE: Script Post-scanning.
    Read data files from: /usr/bin/../share/nmap
    WARNING: No targets were specified, so 0 hosts scanned.
    Nmap done: 0 IP addresses (0 hosts up) scanned in 0.45 seconds

    sed@sed-ThinkPad-X120e:~$ nmap -v -A 172.16.0.254
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-02 07:13 IST
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 07:13
    Scanning 172.16.0.254 [2 ports]
    Completed Ping Scan at 07:13, 0.06s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 07:13
    Completed Parallel DNS resolution of 1 host. at 07:13, 0.04s elapsed
    Initiating Connect Scan at 07:13
    Scanning 172.16.0.254 [1000 ports]
    Discovered open port 443/tcp on 172.16.0.254
    Discovered open port 80/tcp on 172.16.0.254
    Discovered open port 22/tcp on 172.16.0.254
    Completed Connect Scan at 07:13, 15.47s elapsed (1000 total ports)
    Initiating Service scan at 07:13
    Scanning 3 services on 172.16.0.254
    Completed Service scan at 07:14, 46.06s elapsed (3 services on 1 host)
    NSE: Script scanning 172.16.0.254.
    Initiating NSE at 07:14
    Completed NSE at 07:14, 9.22s elapsed
    Nmap scan report for 172.16.0.254
    Host is up (0.052s latency).
    Not shown: 997 filtered ports
    PORT    STATE SERVICE    VERSION
    22/tcp  open  ssh        OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey: 1024 a3:a2:89:fe:2c:bd:5b:5c:ad:38:a4:0d:d8:17:7e:75 (DSA)
    |_2048 de:18:3c:eb:de:c8:4d:93:10:be:f4:e9:d6:70:e6:d4 (RSA)
    80/tcp  open  http       Apache httpd 2.2.6 ((Fedora))
    | http-methods: GET HEAD POST PUT DELETE TRACE OPTIONS
    | Potentially risky methods: PUT DELETE TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: MSG: Please wait while you are redirected
    443/tcp open  ssl/https?
    | ssl-cert: Subject: commonName=172.16.0.213/organizationName=Inventum/stateOrProvinceName=New Delhi/countryName=IN
    | Issuer: commonName=172.16.0.213/organizationName=Inventum/stateOrProvinceName=New Delhi/countryName=IN
    | Public Key type: rsa
    | Public Key bits: 1024
    | Not valid before: 2012-06-28 07:11:28
    | Not valid after: 2022-06-26 07:11:28
    | MD5: cd8d 82c8 c6a6 0f72 9da1 bb2f 5bfc 554b
    |_SHA-1: 9e13 c962 07a7 ba93 1194 fa29 ad25 ee83 42e9 1128
    | http-methods: GET HEAD POST PUT DELETE TRACE OPTIONS
    | Potentially risky methods: PUT DELETE TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-favicon: Unknown favicon MD5: 2AFFE341A7CC6A0F97D7FA8804DB4A4E
    |_http-title: MSG: Please wait while you are redirected
    1 service unrecognized despite returning data.
    If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    NSE: Script Post-scanning.
    Initiating NSE at 07:14
    Completed NSE at 07:14, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 71.55 seconds
    sudo nmap 172.16.0.254 -sV -T4 -O -F --version-light
    [sudo] password for sed:
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-02 07:24 IST
    Nmap scan report for 172.16.0.254
    Host is up (0.047s latency).
    Not shown: 95 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
    53/tcp   open  domain
    80/tcp   open  http?
    443/tcp  open  https?
    8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
    MAC Address: 00:90:0B:264:8B (Lanner Electronics)
    OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
    No OS matches for host
    Network Distance: 1 hop
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 80.38 seconds
1. Judging by the nmap output, it did not identify the OS and asked to add the -sSU option, so try:
2. According to the same nmap info, the hotspot is set up on "Lanner Electronics" network hardware, which supports preinstallation of software such as m0n0wall, zeroshell and pfSense. You can dig in that direction. By the way, their configuration optionally provides settings for internet access that bypasses the authorization page for users whose MAC address is on the "Pass-through MAC" list.
3. Look at the user authorization process itself with a sniffer. You can also post the CAP file here to have a look.
    sudo nmap -sV -sSU -T4 -O -F --version-ligh 172.16.0.254
    [sudo] password for sed:
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-03 03:17 IST
    Warning: 172.16.0.254 giving up on port because retransmission cap hit (6).
    Nmap scan report for 172.16.0.254
    Host is up (0.014s latency).
    Not shown: 161 closed ports, 32 open|filtered ports
    PORT     STATE SERVICE    VERSION
    22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
    53/tcp   open  domain     dnsmasq 2.47
    80/tcp   open  http?
    443/tcp  open  ssl/https?
    8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
    53/udp   open  domain     dnsmasq 2.47
    161/udp  open  snmp       net-snmp
    2 services unrecognized despite returning data.
    If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    MAC Address: 00:90:0B:264:8B (Lanner Electronics)
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
    TCP/IP fingerprint:
    Network Distance: 1 hop
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 110.68 seconds
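Read from the operator's side, the scans posted above list what this gateway exposes to its client network. The following is an added example, not part of the thread: it parses an excerpt of that nmap output and returns hardening findings. The allowed-port policy and the 2048-bit key threshold are assumptions.

```python
import re

# Excerpt of the nmap output posted in this thread (service and script lines only).
SCAN = """\
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
53/tcp   open  domain  dnsmasq 2.47
80/tcp   open  http    Apache httpd 2.2.6 ((Fedora))
| Potentially risky methods: PUT DELETE TRACE
443/tcp  open  ssl/https?
| Public Key bits: 1024
| Potentially risky methods: PUT DELETE TRACE
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
161/udp  open  snmp    net-snmp
"""

# Assumed policy: clients of a portal gateway need only DNS and the portal pages.
CLIENT_FACING = {"53/tcp", "53/udp", "80/tcp", "443/tcp"}
MIN_RSA_BITS = 2048  # assumed minimum acceptable certificate key size

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)")
METHODS_RE = re.compile(r"Potentially risky methods:\s*(.+)$")
KEYBITS_RE = re.compile(r"Public Key bits:\s*(\d+)")


def audit(scan_text):
    """Return a sorted list of (port, finding) tuples for the operator to act on."""
    findings, port = set(), None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new port row; script lines that follow belong to it
            port, service = m.group(1), m.group(2).rstrip("?")
            if port not in CLIENT_FACING:
                findings.add((port, f"{service} reachable from client network; "
                                    "restrict to management VLAN"))
            continue
        if port is None:
            continue
        m = METHODS_RE.search(line)
        if m:
            findings.add((port, "disable HTTP methods: " + " ".join(m.group(1).split())))
        m = KEYBITS_RE.search(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.add((port, f"certificate key is {m.group(1)} bits; "
                                f"reissue with >= {MIN_RSA_BITS}"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(SCAN):
        print(f"{port:9} {finding}")
```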
We get the CAP file by starting the Wi-Fi adapter in monitor mode with the following command: Then the contents of the CAP file can be viewed with the same wireshark.
    sudo airodump-ng --bssid 00:90:0B:264:8B -w CAP mon0
    Interface mon0: ioctl(SIOCGIFINDEX) failed: No such device

Should airodump be run only when CONNECTED to the network?
    sudo airmon-ng start
    Found 5 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!
    PID   Name
    974   avahi-daemon
    975   avahi-daemon
    1012  NetworkManager
    1106  wpa_supplicant
    17920 dhclient
    Process with PID 17920 (dhclient) is running on interface wlan0
    usage: airmon-ng <start|stop|check> <interface> [channel or frequency]

and for some reason it does not start as monitor0
although

    sudo airmon-ng check
    Found 5 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!
    PID   Name
    974   avahi-daemon
    975   avahi-daemon
    1012  NetworkManager
    1106  wpa_supplicant
    20380 dhclient
    Process with PID 20380 (dhclient) is running on interface wlan0
You don't need to connect to the network. Run in order:

    sudo airmon-ng start wlan0
    airodump-ng --bssid 00:90:0B:264:8B -w CAP mon0