
Tuesday, June 24, 2008

Reinstalling Ubuntu + Save bandwidth

If you want to save download bandwidth, copy the /var/cache/apt folder and save it on a portable drive.

After reinstalling, put the same folder back at this location and run update.

Monday, June 23, 2008

mkdtemp: private socket dir: Permission denied


/etc/gdm/Xsession: Beginning session setup... mkdtemp: private socket dir: Permission denied


A quick

sudo chmod a+w /tmp

fixed it.

Sunday, June 22, 2008

Ubuntu 8.04 \ Error not allowed to access the system configuration

If you have problems running:

System->Administration->Shared Folders
System->Administration->Time and Date
System->Administration->Users and Groups

and the 'gksu' solution doesn't work for you:

The bug is in the System Communication Bus (dbus) services.

Open a terminal:

gksu synaptic

Re-install all packages matching 'dbus'.
Now the services will start and everything will work.


Check the System Communication Bus (dbus) services,
since re-installing the packages only starts the services
and does not re-activate them when you restart the computer.

-Mihir Patel

sudo: must be setuid root solved in Ubuntu

Go to the recovery console (reboot, and choose the recovery console from the boot menu, in case you didn't catch on to how to do that),

then run the following commands:

chown root:root /usr/bin/sudo
chmod 4755 /usr/bin/sudo

and reboot the machine with

shutdown -r now

If you are getting a "Sudo: /etc/sudoers is mode 0777, should be 0440" message on startup, then

go to the recovery console and run the following command:

chmod 0440 /etc/sudoers

-Mihir Patel

$HOME/.dmrc file is being ignored solved Ubuntu

Did you install something that screwed up the permissions of your $HOME, or did you change them? Boot into recovery mode from the GRUB menu and at the prompt run the following, assuming your login name is xx:

sudo chmod 644 /home/xx/.dmrc
sudo chown xx /home/xx/.dmrc
sudo chmod -R 700 /home/xx
sudo chown -R xx /home/xx

Reboot and see if you can log in again.

If you are getting "sudo: must be setuid root", then check out the next post.

-Mihir Patel
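The three posts above (the /tmp "private socket dir" error, "sudo: must be setuid root" and the ignored $HOME/.dmrc) all come down to ownership and permission bits. Here is an added audit script, not from the posts, that checks those bits in one go; it assumes a Linux box with POSIX find/ls and the modes the posts set (4755 on /usr/bin/sudo, 0440 on /etc/sudoers, 644 on ~/.dmrc, 700 on the home directory), plus the standard 1777 on /tmp, since the post's chmod a+w restores write access but does not put back the sticky bit if that was lost too.

```shell
#!/bin/sh
# Added audit helper, not from the blog posts above. It checks the ownership
# and exact permission bits that the "mkdtemp: private socket dir",
# "sudo: must be setuid root" and "$HOME/.dmrc is being ignored" posts fix by
# hand, so a broken mode is spotted before the next reboot. Assumes a Linux
# system with POSIX find and ls.

# check_mode PATH OCTAL_MODE OWNER
# Returns 0 when PATH exists with exactly OCTAL_MODE (setuid/sticky bits
# included) and is owned by OWNER, 1 otherwise, printing one line either way.
check_mode() {
    path=$1; mode=$2; owner=$3
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # find -perm MODE (no leading '-') is an exact match on all twelve bits,
    # so 777 does not pass as 1777 and 755 does not pass as 4755.
    if [ -n "$(find "$path" -maxdepth 0 -perm "$mode" -user "$owner" 2>/dev/null)" ]; then
        echo "OK       $path (mode $mode, owner $owner)"
        return 0
    fi
    echo "MISMATCH $path: want mode $mode owner $owner, have: $(ls -ld "$path")"
    return 1
}

# audit_login_perms [USER [HOME_DIR]]
# Runs every check the posts imply; the return value is the number of failures.
audit_login_perms() {
    user=${1:-$(id -un)}; home=${2:-$HOME}
    failures=0
    # /tmp must be world-writable AND sticky (1777): without the sticky bit any
    # user may delete other users' files and socket dirs in /tmp.
    check_mode /tmp 1777 root            || failures=$((failures + 1))
    # sudo must be setuid root, and sudoers readable by root only.
    check_mode /usr/bin/sudo 4755 root   || failures=$((failures + 1))
    check_mode /etc/sudoers 440 root     || failures=$((failures + 1))
    # gdm reads ~/.dmrc only when it is owned by the user and not group/world writable.
    check_mode "$home/.dmrc" 644 "$user" || failures=$((failures + 1))
    check_mode "$home" 700 "$user"       || failures=$((failures + 1))
    return $failures
}
```

Run audit_login_perms as the affected user; the exit status is the number of checks that failed.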

Saturday, June 21, 2008

Installing Gnome Do on Ubuntu

Get productive with GNOME Do

We’re all swamped with information: emails, documents, pictures and the hundreds of websites we visit every week. There are two ways to deal with the data overload: Get organised and file everything in its right place. Or you can use GNOME Do, a desktop launcher for Ubuntu in the style of Launchy for Windows and Katapult for KDE, which acts as your humble servant and finds exactly what you’re looking for when you’re looking for it. Sounds too good to be true? GNOME Do is still in the early stages of development but is already showing signs of becoming a desktop essential.

Using GNOME Do is simple enough. Use the meta key (usually the Windows key on most keyboards) and the spacebar to bring the search box to the front, then type in what it is you’re looking for. Looking for a directory? Type in “home” (for example) and GNOME Do will pop up your home directory. Looking for a document? Type in the name and as you’re typing GNOME Do will find documents with a similar name. When you’ve found the one you want hit the enter key and it will launch. The same is true of website URLs.

As you type in your query GNOME Do will pop up the options available to you. There is also a drop-down menu for when there is more than just one possible answer. Click elsewhere on the screen and GNOME Do goes away.

When installed GNOME Do instantly has access to Firefox favourites, applications and configuration tools on the Ubuntu desktop. There are also a good handful of plugins available for doing things such as playing music, accessing instant messaging tools and more.

Ideally Gnome Do is designed for the Gnome desktop environment but there are good reports of it working on KDE and Xubuntu as well.

Installing GNOME Do is very simple in Ubuntu:

First, add the following lines to your /etc/apt/sources.list file

deb gutsy main deb-src gutsy main

If you’re running Hardy Heron then change gutsy to hardy.

$ sudo apt-get update && sudo apt-get install gnome-do

Once that is done you’re ready to go … or Do!

Launch GNOME Do from the Applications -> Accessories menu.


(source from : "" by Alastair Otter)

Friday, June 20, 2008

How to Reset Ubuntu 7.04 / 7.10 / 8.10 / Gnome Settings to Defaults without Re-installing

As a new user, there comes a time (or there will come a time) when you are playing around with Ubuntu/Gnome, trying different themes, different engines, different window managers, etc, and all of a sudden you run into a problem that you can’t seem to find a way to fix it.

Maybe some of your customized settings are causing your gnome-panel to crash all the time or causing your windows and applications to look ugly, even having window buttons (close, minimize) disappear. You start Googling and spending a lot of time - sometimes days - trying to find how you can fix it.

You are frustrated (sometimes hitting your monitor/tower yelling some vulgarities at it as if it understands and you will kill it if it doesn’t fix it… there’s no Valentine’s love there, that’s for sure) and are ready to go back to Microsoft Windows.

But wait!

You keep thinking, “I wish I could just reset it back to its defaults, like a clean install, without losing all my applications and data.”

Well, you’re in luck. There is a way to reset your Desktop settings back to their defaults. If you keep in mind that everything in Linux is a file, all of its settings are files. All of Gnome’s customizations are located in their own specific folders. And these settings are user specific; they are in your Home folder. If you would create another user and log in with that user, you wouldn’t have any of the problems you are having in your own account. If you remove all these folders, you essentially remove all the settings. Therefore, we will remove the folders needed to reset Ubuntu/Gnome back to its defaults.

UPDATE (2008.01.30): Keep in mind that this will only reset your Gnome-specific settings. If you are having problems with your video card, display, x-server, etc., this WILL NOT fix your problems.

If you don’t have access to your graphical (GUI) desktop to delete these folders in Nautilus or you’re stuck at the login screen, drop to a terminal by hitting CTRL + ALT + F1, login to your account, and run this command:

rm -rf .gnome .gnome2 .gconf .gconfd .metacity

Get back to your GUI desktop by hitting CTRL + ALT + F7.

Login and VOILÀ! Just like the first time you ever logged into your Gnome desktop.
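As an added alternative to the rm -rf step above (not from the original article): the same reset, but with the settings folders moved into a timestamped backup directory under your home, so a reset that turns out not to help can be undone. It assumes a POSIX shell and the folder names the article lists.

```shell
#!/bin/sh
# Added example, not from the original article. Instead of
# "rm -rf .gnome .gnome2 .gconf .gconfd .metacity", the per-user Gnome
# settings folders are moved into a timestamped backup directory, and a
# second function moves them back. Assumes a POSIX shell.

# Folders the article names as holding per-user Gnome settings.
GNOME_SETTING_DIRS=".gnome .gnome2 .gconf .gconfd .metacity"

# reset_gnome_settings [HOME_DIR]
# Moves each settings folder present under HOME_DIR (default: $HOME) into
# HOME_DIR/gnome-settings-backup-<timestamp>/ and prints how many were moved.
reset_gnome_settings() {
    home=${1:-$HOME}
    backup="$home/gnome-settings-backup-$(date +%Y%m%d-%H%M%S)"
    moved=0
    for d in $GNOME_SETTING_DIRS; do
        if [ -e "$home/$d" ]; then
            mkdir -p "$backup"
            mv "$home/$d" "$backup/" || return 1
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# restore_gnome_settings BACKUP_DIR [HOME_DIR]
# Moves the folders back from BACKUP_DIR, refusing to overwrite any folder
# Gnome has recreated since the reset; prints how many were restored.
restore_gnome_settings() {
    backup=$1; home=${2:-$HOME}
    restored=0
    for d in $GNOME_SETTING_DIRS; do
        if [ -e "$backup/$d" ]; then
            if [ -e "$home/$d" ]; then
                echo "refusing to overwrite $home/$d" >&2
                return 1
            fi
            mv "$backup/$d" "$home/" || return 1
            restored=$((restored + 1))
        fi
    done
    echo "$restored"
}
```

Log out before running reset_gnome_settings, as the article does, so a running session does not rewrite the folders while they are being moved.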

Wednesday, June 18, 2008

Microcontroller Crystals Basic

Processor Clock Crystals

One of the most frequently asked questions about microcontrollers has to be
"What kind of crystal capacitors do I use on this chip."
Unfortunately, that's even the wrong question!
This also applies to any other common chip that uses an external crystal timebase.

  • First, the crystal determines the capacitor values, not the chip.
    Atmel's application notes correctly leave off the cap values, since they can't tell you what values to use!
  • There are two types of crystals. Series resonant, and Parallel resonant.
    Most microcontrollers use parallel resonant crystals.
  • If you use series resonant crystals in a circuit designed for parallel resonant crystals, you will never get the crystal to the right frequency.
    Because every crystal has two resonant points, the parallel point, and the series point.
    They are very close together, but they cannot ever be on the same frequency.
    Which one you use, depends on the circuit the crystal is used in.
    Crystals are sold as parallel or series resonant, depending on which of these two points is intended to be used.
    The other point is still there, but it may not perform well.
  • All parallel resonant crystals have a specification that tells you how much loading capacitance is expected to be in the final circuit. However, you can't use that value directly.
    First, there will be some amount of parasitic capacitance in the circuit, which we'll call "CP".
    This happens in the traces, wires, and sockets.
    Second, the chip itself will have some amount of input capacitance, which we'll call "CI".
    Finally, there is the specified load capacitance, which we'll call "CL".
  • A key point is that from the crystal's point of view, the capacitors are in series.
    This means that the values you need would be twice the value specified for CL.
    If your crystal wants 22pF, then you would start out with an estimated value of 44pF for each cap.
    However, you must subtract a bit for the parasitic capacitance and the chip's input capacitance.
    The final formula comes out as C = 2(CL) - (CP + CI).
  • You can estimate (CP + CI) to be about 5pF as a starting point, so our C value becomes:
    C = 44 - 5 = 39pF.

If all you wanted is to get your project going, then this is what you needed.
However, if you'd also like to minimize your EMI output, then carry on to the next section.

Microcontroller Crystals, Advanced.

So we've got the right cap values, what more could there be?

  • As it turns out, it's not quite so simple, if you care about minimising your EMI output.
    The normal sort of crystal oscillator circuit has an input pin, and an output pin. The input pin is pretty simple-minded, it basically looks like a capacitor. But what's on the other side of that capacitor?
  • Answer: Ground, and VCC. So current into or out of this pin, ends up on Ground or VCC.
    When you think about it, it makes sense. That current has got to flow, and it has got to return to the source.
    This is a key point that's often missed, or not fully understood.
  • Also, the output pin is a pair of FETs that source current alternately, from VCC, and to Ground.
    Is this taking shape yet?
  • If you really want to get it as quiet as possible, you now split your caps (39pF from the previous example) into a pair of 19pF caps on each side, one to VCC, and one to ground!
  • It is critical that these caps connect directly, and only to the processor power pins, by a separate track.
    Don't dump the ground side caps into a plane, and don't connect the VCC side caps to any other point on the VCC tracks.
    If you do, you have just created a shunt-fed antenna, driven by the microcontroller, passing the higher order odd harmonics of the crystal frequency through the caps!
    If anything else is connected to these tracks, then it's an antenna!
  • So why don't you see this technique used more frequently?
    Probably because of the extra expense of two more capacitors.
    Also, because "The other guys don't do it that way."
    Remember, when you copy the other guy's answers, you also copy his mistakes.


The purpose of using capacitors with a crystal is twofold:

#1) The oscillator consists of the inverter inside the PIC, the crystal, and external capacitance (both parasitic and actual capacitors). The total phase shift around the loop (from one inverter terminal, through the inverter, across the crystal/capacitor network, back into the inverter) has to be either 0 or 360 (the same thing) degrees for oscillation. The capacitance adjusts the phase shift of the network to allow oscillation.

#2) Crystals are designed to "see" a certain type of load. Most are designed to see a certain, specified capacitance, referred to as the Load Capacitance. In order for your crystal to operate at the correct frequency, it must see this value of capacitance at its terminals.

The total value of capacitance at the crystal's terminals is (Ca+Cp)/2, where Ca is the actual value of capacitor, per pin, that you place at the OSC1 and OSC2 pins, and Cp is the per pin parasitic capacitance. Cp is usually about 8pF or so. So, if your crystal wants to see a 20pF load, you will need to put 32pF capacitors at both OSC1 and OSC2: (32+8)/2 = 20pF. This is one of the very useful and neat things that I learned from the PICLIST :-)

In [many cases], it probably "just works" because the parasitic capacitance is enough to satisfy #1 and [the] oscillator is probably running with perhaps 0.1% frequency error, a few kHz with an xtal in the several MHz range.

[This] question is almost a FAQ, and every time it comes up, there is always a debate about the last point that you make: what is the difference between "series" and "parallel" crystals. Here is the usual consensus: there is no difference. Every crystal has a parallel resonant frequency and a series resonant frequency. They are separated by a few kHz and which one you get depends on what value of external capacitance you place on the crystal (I think it ultimately has to do with #2 and exactly what frequency gives the 0 deg phase shift through the whole network). Crystals sold as "parallel" crystals achieve their rated frequency when loaded with the recommended load capacitance. Those sold as "series" crystals achieve their rated frequency when operated in series resonant mode (determined by the external capacitance, but I'm not sure how to figure this one out numerically, since it isn't specified for xtals sold as "series").

If you need a rough frequency standard, just use the (Ca+Cp)/2 formula. If you need strict accuracy, you will have to use a trimmer cap for one of the caps and use it to adjust the frequency.

Ref: David VanHorn
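The two load formulas on this page, C = 2(CL) - (CP+CI) in the basic section and (Ca+Cp)/2 in the PICLIST note, are the same series-capacitance relation written from opposite ends. The derivation below is added here for clarity and is not part of the quoted posts; Cs stands for the total stray capacitance per pin (CP + CI in the basic section, Cp in the PICLIST note).

Each crystal terminal sees its external capacitor plus the stray capacitance, both to AC ground:

$$C_{\mathrm{pin}} = C_a + C_s$$

Between the crystal's two terminals those two equal pin capacitances are in series, so the crystal "sees"

$$C_{\mathrm{seen}} = \frac{C_{\mathrm{pin}} \cdot C_{\mathrm{pin}}}{C_{\mathrm{pin}} + C_{\mathrm{pin}}} = \frac{C_a + C_s}{2}$$

Setting $C_{\mathrm{seen}} = C_L$ and solving for the capacitor you actually fit on each pin:

$$C_a = 2\,C_L - C_s$$

Basic section: $C_L = 22\,\mathrm{pF}$, $C_s = C_P + C_I \approx 5\,\mathrm{pF}$, so $C_a = 44 - 5 = 39\,\mathrm{pF}$.
PICLIST note: $C_L = 20\,\mathrm{pF}$, $C_s = C_p \approx 8\,\mathrm{pF}$, so $C_a = 40 - 8 = 32\,\mathrm{pF}$; check: $(32 + 8)/2 = 20\,\mathrm{pF}$.

For the split-cap layout of the advanced section, VCC and ground are the same node at the crystal frequency (they are joined by the supply decoupling capacitors), so the cap to VCC and the cap to ground on one pin add in parallel:

$$C_{\mathrm{VCC}} + C_{\mathrm{GND}} = C_a \quad\Rightarrow\quad C_{\mathrm{VCC}} = C_{\mathrm{GND}} = \frac{C_a}{2} \approx 19.5\,\mathrm{pF}$$

which is the pair of 19pF caps the advanced section uses in place of a single 39pF cap.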

Monday, June 16, 2008

How to use multiple displays with one computer

MaxiVista turns any networked computer into an external monitor. MaxiVista's only hardware requirement is that the two computers must connect to each other across a network, so it's perfect if you can't add an extra video adapter. I have a network adapter for my old laptop, so I connected it to my network and installed the free MaxiVista demo. It worked and my laptop's desktop was immediately spread across three displays, as shown in Figure 1.

Figure 1: MaxiVista at work.

If you don't have an old laptop lying around, you can buy a used laptop for cheaper than an external monitor would cost. It doesn't need to be fast; even very old hardware will work with MaxiVista.

Configure MaxiVista

To configure the MaxiVista demo, follow these steps:

  • Connect your primary PC (the one to which you'll connect your keyboard and mouse) and your secondary PC (the one that will act as an extra monitor) to a network. If you don't have a network yet, connect the two computers with an Ethernet cross-over cable.
  • Download MaxiVistaDemo.Zip and open the file in Windows Explorer.
  • Run MaxiVista_Setup_PrimaryPC.exe on the primary PC and follow the wizard's instructions.
  • Run MaxiVista_Setup_SecondaryPC.exe on the secondary PC and follow the wizard's instructions.
  • Right-click the MaxiVista icon in the notification area and then click Enable Secondary Display.

It isn't quite as nice as having an external monitor directly attached to my laptop, but it's close. I can't run any 3-D games on the MaxiVista display nor can I watch DVDs on it. I can, however, keep my instant messages, e-mail, Web browser, or word processor on the display. Though it has its limitations, MaxiVista gave me the desktop space I needed without requiring me to buy any new hardware.

Ref: Tony Northrup

Sunday, June 15, 2008

How To Crack WPA / WPA2


Previously, we showed you how to secure your wireless with industrial strength RADIUS authentication via WPA-Enterprise. It turns out that there's a little back-story there. So, in traditional Tarantino fashion, now that we've already seen the ending, let's back up to the beginning: cracking WPA-PSK.

Wi-Fi Protected Access (WPA) was created to solve the gaping security flaws that plagued WEP. Perhaps the most predominant flaw in WEP is that the key is not hashed, but concatenated to the IV, allowing completely passive compromise of the network. With WEP, you can literally sit in your car listening for packets on a network. Once you have captured enough of them, you can extract the key and connect to the network.

WPA solves this problem by rotating the key on a per-packet basis, which renders the above method useless. However, nothing is perfectly secure, and WPA-PSK is particularly vulnerable during client association, during which the hashed network key is exchanged and validated in a "four-way handshake".

The Wi-Fi Alliance, creators of WPA, were aware of this vulnerability and took precautions accordingly. Instead of concatenating the key in the IV (the weakness of WEP), WPA hashes the key using the wireless access point's SSID as a salt. The benefits of this are two-fold.

First, this prevents the statistical key grabbing techniques that broke WEP by transmitting the key as a hash (ciphertext). It also makes hash precomputation via a technique similar to Rainbow Tables more difficult because the SSID is used as a salt for the hash. WPA-PSK even imposes an eight-character minimum on PSK passphrases, making bruteforce attacks less feasible.

So, like virtually all security modalities, the weakness comes down to the passphrase. WPA-PSK is particularly susceptible to dictionary attacks against weak passphrases. In this How To, we'll show you how to crack weak WPA-PSK implementations and give you some tips for setting up a secure WPA-PSK AP for your SOHO.

  • Accessing or attempting to access a network other than your own (or have permissions to use) is illegal.
  • SmallNetBuilder, Pudai LLC, and I are not responsible in any way for damages resulting from the use or misuse of information in this article.

Note: The techniques described in this article can be used on networks secured by WPA-PSK or WPA2-PSK. References to "WPA" may be read "WPA/WPA2".


To crack WPA-PSK, we'll use the venerable BackTrack Live-CD SLAX distro. It's free to download, but please consider donating, since this really is the Swiss Army knife of network security.

As you can see from my system specs in Table 1, it doesn't take much computing power to run WPA cracks.

Table 1: Attacking System Specs

Model: HP Compaq nx6310
Processor: Intel Celeron M 410 (1.46 GHz)
Wireless Adapter: Netgear WG511T (Atheros)
OS: BackTrack v3 beta (build 12.14.07); BackTrack v2 Final
Target Wireless Access Point: Encore ENRXWI-G (SSID: snb)
Target AP MAC: 00:18:E7:02:4C:E6
Target AP Client MAC: 00:13:CE:21:54:14

The folks at Remote Exploit have just released a new beta, BackTrack version 3, which I'll use for this crack. But I've also included notes about relevant differences from BackTrack v2.

First, download, burn and boot the BackTrack ISO. BackTrack v3 now auto logs in as root; BackTrack v2 requires you to login as "root" with the password "toor".

Recon with Kismet

Open up Kismet, the venerable wireless surveillance tool (Backtrack > Radio Network Analysis > 80211 > Analyzer). Version 3 includes a nice little GUI to select the wireless interface, but it didn't work for me.

To fix this, or if you're using version 2, add a line in /usr/local/etc/kismet.conf to manually specify your source (as driver, interface, display name). This is what it looks like for my setup:

/usr/local/etc/kismet.conf -- Line 25:


Then start Kismet from a terminal.

bt ~ # kismet

Kismet is a great surveillance tool, but that is only one of its many talents. It captures raw packets while operating, which we can use later to attack weak PSKs, having captured a client connection while listening. It also has some interesting alerts built in, to warn you of potential evil-doers within wireless range. To top it off, Kismet is completely passive and therefore undetectable.

In Part 1 of our original WEP cracking series, Humphrey Cheung wrote a great introduction to recon with Kismet. Recon for WEP cracking and WPA cracking is largely very similar so I won't repeat that information here. Instead, I'll just point out a few settings and options that I find useful as well as explain a bit of the interface.

I would add, however, that Kismet is very versatile and customizable with great context-sensitive help menus. Pressing "h" just about any time will bring up a help menu with the relevant options for your situation.

In the main network list, access points are color coded. Most networks will show up green. Some, like the one in Figure 1, show up red, indicating that access point has no security mode employed (the "F" in the Flags column indicates that the AP is still configured with the factory defaults, as far as Kismet can tell).

Figure 1: Factory Settings

The other interesting parts of the Network List display for our purposes include the "W", "Ch" and the "Packts" columns.

The "W" column displays a one-letter code representing the type of security implemented by the access point: None ("W"), WEP ("Y"), or WPA ("O" for Other).

The "Ch" column, as one might expect, is the channel of the access point. We'll need this information later if we employ an active attack.

The "Packts" column lists the number of packets captured by Kismet for a particular access point. While not completely relevant, it gives us a decent ball-park measurement of both network load and proximity. Higher network load usually translates to higher number of connected clients, which increases the chance that we could capture a client association passively.

Kismet defaults to autofit mode, where you can sort the networks and bring up the Network Details page by highlighting an AP and hitting enter. The Network Details page lists all sorts of interesting information about the network, most notably the WPA encryption scheme, BSSID and number of clients associated with the access point.

Pressing "c" while in the Network Details view will bring up the connected Clients List. The Client List shows all the nodes with traffic associated with the access point. Generally, we're looking for clients with a type (the "T" column) Established ("E") or To DS ("T").

Passive Attack

In a passive attack, all we need to do is listen on a specific channel and wait for a client to authenticate. Kismet is the weapon of choice here, although airodump-ng works too. Kismet gives you much more control and information than airodump-ng, but unfortunately doesn't provide notification to alert you of a successful WPA-PSK association four-way handshake. Airodump-ng does, but gives you less dynamic control of the capture card's behavior and very little information (compared to Kismet).

General Kismet recon and capture steps for a passive WPA-PSK attack are:

  • Start Kismet
  • Sort the networks (Ex: by channel, press "s" then "c")
  • Lock channel hopping onto the channel of interest (highlight the target AP and press "L")
  • Wait until a client connects to capture the association

Active Attack

Using the information we gathered with Kismet during the recon step, we can target associated clients of a certain AP with forged deauthentication packets, which should cause the client to disassociate from the AP. We then listen for the reassociation and subsequent authentication. This is a little trickier and also detectable, since we're sending out packets. But it's much quicker than waiting for a genuine association (in most cases).

After identifying our target AP with associated clients, we need to set up the wireless hardware for packet injection. The aircrack suite has a little bash script to do just that.

First bring down the managed VAP (Virtual Access Point) with:

airmon-ng stop ath0

Figure 2: Bringing down the managed interface

Next, start up a VAP in "Monitor" mode:

airmon-ng start wifi0

Figure 3: Creating a monitor mode interface

Now we need to simultaneously deauthenticate a client and capture the resulting reauthentication. Open up two terminal windows. Start airodump-ng in one terminal:

General Form:

airodump-ng -w capture_file_prefix --channel channel_number interface


airodump-ng -w cap --channel 6 ath0

Figure 4: airodump-ng, up and running

You can check which interface is in monitor mode by using iwconfig.

Next, run the deauthentication attack with aireplay-ng in the other terminal:

General Form:

aireplay-ng --deauth 1 -a MAC_of_AP -c MAC_of_client interface


aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 -c 00:13:CE:21:54:14 ath0

Figure 5: A successfully sent deauthentication packet

If all goes well, the client should be deauthenticated from the AP and will usually reauthenticate. I like to keep the number of deauthentication packets sent to a minimum (one, in this case). This helps keep you under the radar, since programs like Kismet can detect deauthentication floods.

If the deauthentication was successful, airodump-ng displays a notification of the captured reauthentication event (boxed in red in Figure 6).

Figure 6: Successful WPA handshake capture

Finding the Four-way Handshake

To make sure we captured an authentication handshake, we can use the network protocol analyzer Wireshark (formerly Ethereal). Wireshark allows us to view packet contents and sort by type of packet captured to pull out the WPA handshake.

Open up Wireshark (Backtrack > Privilege Escalation > Sniffers) and open the Kismet capture "dump" file (Kismet-.dump) to view all the captured packets. The WPA four-way handshake uses the Extensible Authentication Protocol over LAN (EAPoL).

Using Wireshark, we can filter the captured packets to display only EAPoL packets by entering "eapol" in the filter field (Figure 7).

Figure 7: EAPoL filter applied to captured packets

Here, we're basically looking for four packets that alternate source, client-AP-client-AP (I've highlighted them in red in Figure 7).

Now that we've confirmed that we've captured a four-way handshake it's time to perform the crack.

Performing the Crack

The Wi-Fi Alliance was wise to implement an eight character minimum for WPA-PSK. Making the key that long essentially renders brute force methods useless. This is because the number of possible typeable character combinations for keys of an eight character length is just above six quadrillion (that's 94^8, or about 6 x 10^15).

My poor little laptop can only crunch about 35 hashes a second, so it would take me about five-and-a-half million years (I'm not kidding here either, I did the math!) to create a hash table for eight-character keys or to test all possible combinations when brute-forcing a key.

And what's more, since the hash is salted with the SSID of the AP, that hash table I just spent five million years creating, would be good only against APs with that exact SSID. So, clearly we're not going to be brute-forcing any WPA keys anytime soon.

What we can do, however, is limit the list of possible passphrases by making educated guesses, compute the hashes of those guesses and check them against our captured key. This technique is referred to as a dictionary attack.

BackTrack v2 comes bundled with a good offering of simple wordlists, as well as four lists of passwords common in the '90s, reverse-sorted by occurrence (more common passwords are at the top, less common passwords are at the bottom). The lists seem to be missing from Backtrack v3, but there are plenty of wordlists around the 'net.

Using the wordlists in Backtrack version 2, we can mount a dictionary attack on our captured WPA handshake using either aircrack-ng or coWPAtty. Aircrack-ng runs much faster on my attacking system (testing 3740 keys took 35 seconds), and has native optimization for multiple processors. coWPAtty, on the other hand, runs much slower (testing the same 3740 keys took almost 2 minutes) and can accept hash files precomputed by genpmk.


aircrack-ng attack

Start a dictionary attack against a WPA key with the following:

General Form:

aircrack-ng -e AP_SID -w dictionary_file capture_file

Example (BackTrack v3):

aircrack-ng -e snb -w /pentest/wireless/cowpatty-4.0/dict Kismet-Jan-15-2008-1.dump

Aircrack-ng shows the hex hashes of the keys as it tries them, which is nice since some attacks can take a long time. Figure 8 shows that Aircrack-ng took 35 seconds to find the test key "dictionary".

Figure 8: Aircrack-ng, Key Found!


coWPAtty attack

First move into the cowpatty directory, either by selecting it from the menu or by changing to /pentest/wireless/cowpatty-4.0. Then run:

General Form:

./cowpatty -s AP_SID -f dictionary_file -r capture_file


./cowpatty -s snb -f dict -r Kismet-Jan-15-2008-1.dump

coWPAtty doesn't say much about its run-time status, but prints updates every thousand keys. Figure 9 shows that coWPAtty took a little over two minutes to recover the test key "dictionary".

Figure 9: coWPAtty, Key Found!

Alternately, coWPAtty can use a precomputed hash file to attack a WPA key. Precomputed hash files use a technique similar to Rainbow Tables allowing you to trade the amount of time required to crack a given key for hash file size (and precomputation time).

Hashes are paired with their plain text precursor allowing the engine to simply look up the captured WPA key hash and read off its corresponding plain text key. Since WPA keys are salted, this technique only works against AP's with the same SSID used to compute the table.

Hash tables can be very effective but require disk space to store the tables that can get rather large, quickly. Even with these limitations, the Church of WiFi has computed hash tables for the 1000 most common SSID's against one million common passphrases.

You can generate a hash table from within the cowpatty directory with coWPAtty's genpmk:

General Form:

./genpmk -s AP_SID -f dictionary_file -d hash_output_file


./genpmk -s snb -f dict -d dict_hash

Figure 10: genpmk Hash Table Generation

Now, using the newly created hash table, the crack takes only a fraction of a second (0.11 to be precise). This is just shy of 1/1100th the time it took when not using a hash table.

General Form:

./cowpatty -s AP_SID -d hash_output_file -r capture_file


./cowpatty -s snb -d dict_hash -r Kismet-Jan-15-2008-1.dump

Figure 11: coWPAtty Hash Table Attack

Extending the Crack

The obvious limitation of these techniques is the existence of the key within the dictionary file used for the attack. I hope that I never see WPA keys like "dinosaur" or "dictionary", which will be easily cracked by coWPAtty or aircrack-ng.

But something like "dinosaur52" or "D1cti0nary" would seem pretty secure at this point, right? They would at least be missed by a plain-jane sweep through the dictionary and would take a couple million years to straight brute force.

To extend the list of possible keys, we can use the legendary *NIX password cracking tool John the Ripper's wordlist mangling rules to generate permutations and common password additions from a simple dictionary file. These are then fed into either coWPAtty or aircrack-ng on the fly.

When using dictionary attacks, we don't need to worry about short passphrases making it through; coWPAtty and aircrack-ng are both smart enough to drop passphrases shorter than eight characters. In fact, it's smart to leave them in the dictionary file in case they become long enough as a result of John's word mangling rules.

Use John's default word mangling rules, then pipe that list to either coWPAtty or aircrack-ng using (this is done from /usr/local/john-1.7.2 in BackTrack v3, and from /pentest/password/john-1.7.2 in v2):

Some of the commands below have been formatted into multiple lines to fit our page. All commands should be entered on one line.

With coWPAtty:

./john --wordlist=password_list --rules --stdout
| cowpatty -s ssid -f - -r capture_file

Or using aircrack-ng:

./john --wordlist=password_list --rules --stdout
| aircrack-ng -e ssid -w - capture_file


./john --wordlist=password.lst --rules --stdout
| aircrack-ng -e snb -w - Kismet-Jan-15-2008-1.dump

John comes with a built-in set of rules that is fairly limited, but uses a well documented "regex-esque" syntax that allows you to define your own rules.

For example, the default rules append only one number to the words in the dictionary. We can extend this by adding a couple of lines in john.conf to the end of the [List.Rules:Wordlist] section (line 262) that look like this:


This will append all numbers up to 999 onto the end of words in the dictionary file (so it'll now catch "dinosaur52").

Similarly, we can add a few lines to take care of the common letter-punctuation substitutions like substituting a "3" for "E" or a "1" for "l" (the third line applies both substitutions to the word).


We can take this one step further and add numbers to the end to catch things like "g1id355" with the following:



Obviously, these rules get pretty ugly and lengthy quickly, but they also transform a plain dictionary into a formidable weapon against supposedly secure passwords.
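As an added example, not from the article or from John the Ripper, here is the defender's inverse of the rules just described: undo the trailing-digit appends and the leet substitutions and check whether a candidate passphrase collapses back to a dictionary word. The reverse substitution map, the small built-in dictionary and the search-space bound are assumptions, not the article's data.

```python
import re
from itertools import product

# Reverse map for the substitutions the article's rules apply (3 for E, 1 for l, ...).
# A digit may also just be a digit, so each slot keeps its literal form too.
LEET_BACK = {"3": "e", "1": "li", "0": "o", "@": "a", "$": "s", "5": "s", "7": "t", "!": "i"}

# Constructed stand-in for coWPAtty's dict / John's password.lst (assumption).
DICTIONARY = {"dinosaur", "dictionary", "password", "glides", "secret", "monkey"}

MAX_VARIANTS = 4096  # guard against combinatorial blow-up on digit-heavy strings


def unleet_variants(word: str):
    """Yield every reading of word with leet characters mapped back to letters."""
    choices = [sorted(set(LEET_BACK.get(c, "")) | {c}) for c in word.lower()]
    total = 1
    for ch in choices:
        total *= len(ch)
    if total > MAX_VARIANTS:          # too many readings: treat as-is only
        yield word.lower()
        return
    for combo in product(*choices):
        yield "".join(combo)


def reduces_to_dictionary_word(candidate: str, dictionary=DICTIONARY) -> bool:
    """True when the candidate is a dictionary word under the rules above:
    trailing digits (up to three, i.e. 0..999) stripped, then leet undone."""
    stems = {candidate, re.sub(r"\d{1,3}$", "", candidate)}
    return any(v in dictionary for stem in stems for v in unleet_variants(stem))


def mangled_search_space(n_words: int, max_digits: int = 3, leet_rules: int = 3) -> int:
    """Upper bound on candidates those rules produce from n_words: each word, as-is
    or under one of leet_rules substitutions, with 0..max_digits digits appended."""
    suffixes = sum(10 ** k for k in range(max_digits + 1))   # 1 + 10 + 100 + 1000
    return n_words * (1 + leet_rules) * suffixes


if __name__ == "__main__":
    for pw in ["dinosaur52", "D1cti0nary", "m0nk3y99", "Xq7mP2vLwT9zR4k"]:
        verdict = "reducible to a word" if reduces_to_dictionary_word(pw) else "out of reach"
        print(pw, "->", verdict)
    print(mangled_search_space(10_201), "candidates from a 10,201-word list")
```

The bound from mangled_search_space for a 10,201-word list lands in the same tens of millions as the article's own figure of 45 million; it is an estimate from the rule shapes, not a count of John's actual output.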

The Million Dollar Question

So, how long and cryptic does a passphrase really need to be? The straight answer is: as long and as cryptic as possible! With John's word mangling rules, we're systematically and intelligently attacking passphrases by incorporating common human substitutions and combinations with dictionary lists. Of course, there are some word-based passphrases that could slip through John's mangling rules, but all it takes is a combination of simple rules to catch those as well.

The plain-jane wordlist that comes with coWPAtty contains 10,201 words. After default mangling with John, that number blossoms to 498,989. Adding our rules from above, that number climbs to 45,720,022. The more rules we add, the more the passphrase search space keeps expanding.

This is still a far cry from the six quadrillion possible combinations out there. But what makes this dangerous is that we started with a distinct set of possible passphrases and used a semi-human approach to making them more cryptic. So, chances are better that if we try 45 million intelligently generated passphrases, we might get lucky and find a winner.

It takes my system about five days to crank through 45 million passphrases. This isn't exactly lightning fast. But given the fact that I could have passively captured your key's hash, by the time you found out, it would be too late.

WPA-PSK Security Myths

Although not strictly related to WPA-PSK cracking, there are two security myths I've seen pop up here at SmallNetBuilder and around the web that I'd like to say a few words about.

Myth 1: Disabling the SSID Broadcast Secures your WLAN

"Cloaking" your SSID might sound good on the surface. But programs like Kismet that are capable of monitoring wireless network traffic are also able to "decloak" access points by listening to traffic between the clients and the access point.

For Kismet, this process takes only a few minutes of relatively light network traffic. Disabling the SSID broadcast really makes it only slightly harder for potential attackers to connect to your AP (they now have to type the SSID instead of clicking on it).

Myth 2: Filtering MAC Addresses Secures Your WLAN

This idea again sounds good on the surface: limit the computers that can connect by their MAC addresses. There are two problems with this technique.

1) Physically maintaining the table of acceptable MAC addresses becomes more burdensome as your network grows.

2) MAC addresses can be easily spoofed.

Chances are, if you are being attacked by someone who has the know-how to get past WPA, they will most likely spoof their MAC when they connect anyway, to avoid leaving a failed MAC-filter entry in your router's logs.

Kismet, in particular, excels at this with its AP "clients" view which lists, among other things, client MAC addresses.

Spoofing your MAC address (in Linux) is as simple as this:

bt ~ # ifconfig ath0 hw ether AA:BB:CC:DD:EE:FF
bt ~ # ifconfig ath0 up
bt ~ # ifconfig ath0
ath0 Link encap:Ethernet HWaddr AA:BB:CC:DD:EE:FF
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1092 (1.0 KiB) TX bytes:590 (590.0 b)

WPA-PSK Security Tips

You know how to break weak WPA-PSK keys. Now make sure that it doesn't happen to you by using two simple techniques.

Use long and strong passphrases!

The longer and more random the password, the better. A WPA key is a computer passphrase, and by that I mean that the computer is the one that has to remember it. All you have to do as the user is type it in once and you're ready to go.

So, generate a very long, random passphrase, write it down and put it in a not-so-obvious place. Writing down a passphrase is normally a cardinal sin for security. But in a SOHO setting, it's a reasonable tradeoff between security and convenience.

Frankly, you're much more susceptible to wireless pirates parked outside your apartment (or next door) using the tools I've just described than you are to someone socially-engineering your wife into giving out your wireless LAN key. And even then, wouldn't it be nice if the key took a half-hour for her to read over the phone, giving you a chance to step in and save the day?

So, generate a nasty, long computer passphrase, write it down on a sticky-note, enter it in your router and clients, then stick that sticky-note someplace secure (not to the top of the router!).

Change your SSID

Since the key is salted with the SSID, it makes sense to change your AP's SSID to render the precomputed hash tables useless (assuming you change it to something non-obvious). This forces the attacker to start from square one by either generating a hash table or using just a straight dictionary attack.
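To show why the SSID salt matters, and why the hash-table crack in Figure 11 finishes in a fraction of a second, here is an added example (not code from the article, coWPAtty or genpmk) that derives a WPA-PSK PMK the way the 802.11i standard specifies and checks whether a table built for one SSID is still any use after the SSID changes. The word list and the "snb_2008" SSID are constructed; the function names are mine.

```python
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32           # 256-bit pairwise master key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    This is the expensive step that genpmk precomputes; checking a PMK against
    a captured 4-way handshake is only a few cheap HMACs, which is why the
    table lookup runs in a fraction of a second.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )


def build_pmk_table(words, ssid: str) -> dict:
    """Precompute {passphrase: PMK} for one SSID, as a genpmk hash file does.
    Words outside the 8..63 range are skipped, as coWPAtty skips them."""
    return {w: wpa_pmk(w, ssid) for w in words if 8 <= len(w) <= 63}


def table_still_valid(table: dict, passphrase: str, ssid: str) -> bool:
    """Does a table built for some SSID still give the right PMK for this SSID?
    True only when the SSID is unchanged, because the SSID is the salt."""
    return table.get(passphrase) == wpa_pmk(passphrase, ssid)


def pmk_rate(ssid: str, seconds: float = 0.5) -> float:
    """Rough PMK derivations per second on this machine. Without a table each
    guess costs one PMK, so this bounds the speed of a live dictionary attack."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk("guess%04d" % (n % 10000), ssid)   # constructed throwaway guesses
        n += 1
    return n / seconds


if __name__ == "__main__":
    # constructed word list standing in for coWPAtty's dict
    words = ["dinosaur", "dictionary", "dinosaur52", "short"]
    table = build_pmk_table(words, "snb")                     # SSID from the article's captures
    print(table_still_valid(table, "dinosaur52", "snb"))      # True: same SSID
    print(table_still_valid(table, "dinosaur52", "snb_2008")) # False: table is useless now
    print("%.0f PMK/s without a precomputed table" % pmk_rate("snb"))
```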


So, now you know how crackers can attack wireless networks that use weak WPA / WPA2 PSK keys and the simple countermeasures that you can take to ensure that it doesn't happen to you.

With a strong, long key and good security practices, a wireless LAN secured by WPA / WPA2 is definitely not an easy target.


Recover Lost Passwords with Free Tools



ACCESS DENIED. Those two bone-chilling words are the last thing you want to see when you're trying to log into a system or open a file, but they're not necessarily a dead end. Several free tools can help you find lost passwords you can't remember or that your computer has saved but obscured. Let's take a look at a few free remedies for lost password panic when you're trying to log onto a computer, network, or just figure out what's behind that string of asterisks.

Before we start, two things: First, use the information and utilities below to recover your own passwords, or to help out your desperate relative or co-worker with their consent—not to snoop in other people's stuff. Second, to avoid these last-resort password recovery utilities forever, use an encrypted database to keep track of your passwords.


When you can't log into that old Windows PC you haven't touched in years, try booting up using the Ophcrack Live CD. Ophcrack will detect all the users set up on your Windows systems, and reveal their passwords—if the passwords are relatively easy to crack. See Adam's screenshot tour of how Ophcrack works, and which Windows passwords it was able to crack and which it wasn't.

Windows Applications

When you've saved a password in your FTP software, IM client, or any other application that boasts a password field filled with asterisks, you want a password reveal utility. Both Snadboy's Revelation (original post) and Nirsoft's Asterisk Logger can show you what's behind the ***** in most apps' password field.

Microsoft Outlook PST (Personal Folders) files: For that old email archive from three jobs ago that you locked with a password you can't remember, try PstPassword (original post). This free utility offers three possible passwords that can open the PST file.

Recover instant messenger passwords: Lost your MSN Messenger, Google Talk, AIM, Yahoo Messenger, Trillian, Miranda, or Pidgin password but you're logged in and you've saved the password on your computer? MessenPass can unearth them for you.

Network and Wireless Router Passwords

See what passwords your computer is sending across the network to log into various services with SniffPass. The free SniffPass captures the passwords that pass through your network adapter, and displays them. SniffPass reveals passwords for POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).

Reveal Wi-Fi network passwords: This one saved me when I arrived at Mom's newly wireless-enabled house, asked her what the password to log onto the network was, and got a blank look in response. The free WirelessKeyView (original post) reveals Wi-Fi passwords saved in Windows.

Default router passwords: Of course if you want to log onto a wireless router and think maybe the owner never changed the default, check out the router default password list to find the factory password for the router's model.

Mac OS X

While password crackers for the Mac are non-existent as far as I know (correct me if I'm wrong!), the Mac Keychain is the way to reveal many of the passwords you've saved on your system. Find the Keychain in your Applications/Utilities folder. You'll have to enter an admin password just to get into Keychain, but then you can click on any entry—like Wi-Fi networks or saved application passwords—to get details and see the passwords.

Firefox Saved Browser passwords

Finally, if you're saving web site passwords in Firefox, it's easy to reveal them as well. In Firefox, from the Tools menu, choose Options, and in the Security tab hit the "Saved Passwords" button. Then hit "Show Passwords." Alternately, if you're on a page with a password field filled in with asterisks, you can use the "View Passwords" bookmarklet to see them (#10 on that list). (Of course, here's how to secure your passwords in Firefox with a master password.)

Note: Much of the Windows software featured in this article is by Nirsoft, but the ones we mentioned are just the beginning. Check out Nirsoft's complete mother lode of freeware Windows password utilities.

What password recovery utilities have saved your bacon? Tell us about 'em in the comments.


Sync Thunderbird with Google Contacts

All platforms running Thunderbird: Thunderbird extension Zindus syncs your Google contacts with Thunderbird's address book. Just install the extension, give it your Gmail username and password (it supports both @gmail and Google Apps domains), and hit the Sync Now button to synchronize names, email addresses, phone numbers, IM handles, and more. Zindus does its best to handle any conflicts and walk you through resolutions, but you can also sync the contacts to a separate list if you just want to give it a try. The free, cross-platform Zindus is a fantastic solution for Thunderbird users jealous of Address Book's recent Google Contact Sync update.

GNOME Do 0.5

Do 0.5: "The Fighting 0.5"

Without further ado, here are the main improvements and new features, accompanied by plenty of screen shots.

First off, the Open with… action has been re-enabled!

Open with...

The biggest new feature in GNOME Do 0.5 is our new preferences window and plugin manager. You can now browse, download, install, and enable or disable all available plugins from right within Do thanks to Mono.Addins:

Plugin manager

You can also visit a wiki page with information about each plugin, and you can do plugin-specific configuration. This means no more configuration files, and no more editing preferences through Configuration Editor (gconf). As an example, here is the configuration window for the Files and Folders plugin:
plugin config

We’ve added a plugin category called “community plugins” that contains cutting-edge plugins written by many different contributors. If a developer were to write a great new GNOME Do plugin today, we could have it in the community plugins repository and available to Do users everywhere by tomorrow. That being said, community plugins are not rigorously screened or held to the same quality standards as official plugins, so users beware.

community plugins

One of my favorite community plugins is the new Skype plugin, which allows you to make calls, initiate chats, change your status, and more. The Skype plugin is also fully integrated with Do's contact system, so you can simply type a contact name, and then choose to send an instant message to that person with Pidgin, email them, or initiate a Skype chat or call:


There’s an awesome new plugin by Jason Smith called “WindowManager.” It lets you manipulate and rearrange windows on your desktop. You can focus, shade, minimize, maximize, tile, and cascade your windows. This plugin is so feature-packed, I don’t even know everything it does yet! Check out these screenshots, then try the plugin for yourself.

WindowManager plugin 3
Minimize all Firefox windows.
WindowManager plugin 2
Bring a GIMP window into focus by searching for its name.

Alex Launi has done some amazing plugin work, making great contributions to the Twitter, File and Folders, and Pidgin plugins to name a few. He also wrote new Flickr, Gmail contacts, and Google Calendar plugins. Here’s a preview of his work:

Twitter plugin now supports replying to Twitter friends.
Pidgin set status
Set Pidgin status (also searches saved statuses).
Upload to flickr
Upload images to Flickr
Google Calendar
Search and create events on Google Calendar

These are only a few of the new features and improvements in GNOME Do 0.5. We’ve also fixed tons of bugs, and we’re going to have some intensive wiki-updating sessions over the next couple weeks to bring documentation up to speed. There are a few more changes that just barely missed the cut, so you can expect to see a 0.5.1 release within a few weeks. Special thanks to Alex Launi, Jason Smith, Chris Halse Rogers, Jorge Castro, Jason Imison, Jason Jones, Jacob Andreas, Guillaume Beland, Ken Simon, Mathieu Cadet, Rick Harding, and all the rest. Ubuntu users may get 0.5 packages from our Launchpad PPA, and you can find source packages on our downloads page.

Finally, GNOME Do is free software

Compared Firefox, Internet Explorer, Opera 9.5, and Safari for speed, memory usage, script loading and startup time

Speed Testing the Latest Web Browsers

Read the hype on every new web browser released or due out this year, and you'll see claims that every one of them is "faster" than all the others. You could compare super-specific tests and decipher all the code-brain terminology, and you'd still be left wondering which browser starts quicker, uses less memory, and slides through dynamic interfaces like Gmail the fastest. Since our squadron of independent analysts had the week off, we ran the latest editions of Firefox, Internet Explorer, Opera 9.5, and Safari for Windows through some unscientific but highly geeky tests ourselves on a plain old Windows computer. Take a look at the full (and somewhat unexpected) results after the jump.

The testing system

For the sake of rating all four of the latest new-and-improved browsers in the same environment, I tested the most current releases of Internet Explorer 7, Opera 9.5, Safari for Windows 3.1.1, and the third Release Candidate of Firefox 3 (which is pretty darned close to the final version dropping Tuesday) on my Windows Vista laptop. Each browser was installed completely fresh, and, in the case of Internet Explorer 7, re-set to its new-install settings.

Here are the specs of my test system, for comparisons and curiosity:

  • OS: Windows Vista Home Premium (32-bit)
  • Processor: 2 GHz Intel Core 2 Duo processor
  • Memory: 2 GB
I looked far and wide for free, easy-to-grasp benchmarking software that could cover all four of the browsers I wanted to test, which covered every major aspect, and came up short. Instead, I tested the browsers the way most people experience them—click, wait, then watch each page load. Using Rob Keir's simple but millisecond-accurate timer, I launched every action with a dual tap of the enter and "\" keys (pictured at right) to set the timer, then tapped the "\" key again when what I wanted to load had arrived. I re-ran tests when I thought I'd been slow, and each score below is an average of three or more trials.

Scientific and precise? Heck no. Easy to understand and free from selective prejudice? Very much so. I did use two tests assembled by inquisitive programmers for the more technical stuff, and noted that below. Now, onto the results!

Test 1: Startup time—Winner: Opera!

Taking a page from Mark Wilton-Jones' oft-linked tests, I timed each browser loading "cold" (straight off a re-start, not having run already) and "warm" (having run at least once that session). Vista can be very fickle at boot-up (at least on my system) and slow things down considerably, so I used each browser's best times from launching to loading a locally-saved Google home page (which both cuts out network variations and explains the speedier boot times):

It was a pleasant surprise that Firefox 3 boots faster than 2 (from deep-seated memory, at least), as well as how quick Opera moves in general, at least compared to Safari in this test.

Next, I opened each browser two times and headed to a random bookmark to jog it a little. Here are their speeds at their next "warm" boot-up:

Surprisingly consistent—note that Firefox's seeming lapse is less than 0.2 seconds, which could certainly fall under margin of error.

Now for the real test. I placed a folder of eight links—from the super-clean Google homepage to the image and Flash-heavy Gizmodo and YouTube sites, and a few familiar stops in-between—in each browser, ran to the Lifehacker page and back to "warm" it up, then timed each browser's version of "open all in tabs" from first click until the last little circle stopped spinning. Opera, unfortunately, uses a more subtle coloration change to indicate load speed, so I had to rely on the status bar as well. The results:

You probably won't cry over a two-second delay when loading eight tabs, but Safari and Opera were surprisingly swift at multi-tasking in general (and we'll see why later).

Test 2: JavaScript & CSS—Winner: Safari!

JavaScript loading times get a lot of attention from folks like, say, Steve Jobs these days. That's because with the increasing prominence of AJAX interfaces on sites like Gmail, Twitter, and other webapps, a browser's ability to perform multiple quick computations can be far more important than a nanosecond advantage at text and table rendering.

You'll never get every browser team agreeing on what's a fair JavaScript test, as each platform has its own quirks and rules of working with it. Sean Patrick Kane's JavaScript speed tests has pulled attention from all over, however, not least because he's worked to make it more fair to all comers.

Here are the stats from Sean's test (in milliseconds):

I also tested each browser's ability to render Cascading Style Sheets, the design templates of a page, using nontropp's downloadable form:

I'm thinking Safari's big lead in CSS rendering is how it creates that everything-snaps-at-once feel when loading pages. And, for a browser that somewhat auto-loads with my OS, Internet Explorer has yet to bring a worthwhile statistic to the table.

At this point, you might certainly be wondering just where Firefox 3's vaunted speed/performance/stability improvements might actually, you know, matter. Follow along, then, to the other side of speed.

Test 3: Memory use—Winner: Firefox 3!

Unless you're rocking a workstation with more memory than you can spare, browsers shouldn't be using all your RAM and slowing other apps to a trickle. Firefox 2 was notorious for bloating far beyond its fighting weight after steady use, but developers' hard work seems to have paid off, at least by my tests:

The blue portion is each browser's memory use when first started, and the red extensions their size (according to Windows Task Manager) with those same eight tabs above opened. Again, few people will have eight tabs open, but I scaled it to see where the differences lie. I wanted to double-check Firefox's night-and-day improvement, so I closed and launched it again. This time, it was using 117MB—not a slim amount, but still a marked improvement over its peers. Of course, if you do have memory to spare, both Safari and Opera, as seen higher up, can put it to quick-footed use.


Let's re-emphasize that this was far from a scientific study, and your mileage will certainly vary on different systems. With Opera and Firefox especially, running a like-new version is somewhat of a cheat—almost any enthusiast is going to have must-have extensions, features, and add-ons running, which throw off the speed and memory scales. Still, it was gratifying to actually sit down and measure all the major browser options on a human level, with just a timer, a spreadsheet, and a few cups of nerve-boosting coffee. Thanks to x40sw0n for inspiring this post!

What's your take on the battle for browser speed? What essential tricks and tips have you used to whip your web software into shape? Let's hear your takes on all this data in the comments.

Kevin Purdy, associate editor at Lifehacker, feels like he just got home from a seriously nerdy five-way date. His weekly feature, Open Sourcery, appears every Friday on Lifehacker.