ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered, also has a implementation of sslstrip and is coded 100% in python and on Github, so you can modify according to your needs.

This tool was released by Nicolas Trippar at BlackHat USA 2012.

For the tool to work you need pypcap, so assuming are using a Debian derivative OS (like all sane people do) – you’ll need to do this first:

“apt-get install python-pypcap”

Download: ARPwner.zip

Read More: ARPwner @ GitHub

DNSChanger is malicious software (malware) that changes a user’s Domain Name System (DNS) settings, in order to divert traffic to unsolicited and potentially illegal sites.

Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name “Rove Digital” and used the malware to manipulate users’ Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

FBI has since seized the rogue DNS servers and the botnet’s command-and-control (C&C) servers as part of “Operation Ghost Click” and the servers are now under their control. To assist victims affected by the DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order-which expired on 9 July 2012-the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

DNS Work	DNSChanger Work

With the ability to change a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address, in this case, advertisement websites.

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

Several “activist hackers” appear to be using DNS poisoning and other attacks against the Domain Name System to divert users away from legitimate sites.

Instead of just launching distributed denial-of-service attacks, cyber-attackers have started hijacking domain names and redirecting traffic from legitimate sites to malicious ones.

The hacker group Anonymous recently managed to hijack the Domain Name System record for CBS.com and redirected all traffic to another Web server that displayed an empty directory structure. It appeared as if the contents of CBS.com had been wiped, but it was actually a different server altogether. CBS.com managed to regain control of its domain after the DNS poisoning attack.

A group of attackers called UGNazi, which may or may not have Anonymous sympathies, was behind a similar attack on the Website of the Ultimate Fighting Championship over the weekend. The UFC had supported the controversial Stop Online Piracy Act and Protect IP Act bills, which are now temporarily shelved in Congress. The same group hijacked two domains belonging to luxury handbag and leather goods retailer Coach and diverted the traffic.

“We arn’t done…not even close,” the attackers wrote on their Website. A short list of “targets” on the site explained the attacks were a result of the organizations’ support of SOPA.

Both Coach and UFC registered their domains through Network Solutions. It was evident the attackers had accessed Network Solutions’ domain management accounts. While it was unclear how they had done so, the cause is usually weak or compromised user passwords or a vulnerability in the registrar’s Website.

SOPA-related attacks continued this week and don’t appear to be abating. Anonymous attacked OnGuardOnline, a government-managed Website devoted to keeping users secure online. Some Anonymous members said the OnGuardOnline attack was in retaliation for SOPA and PIPA, as well as the proposed international agreement on combating online piracy, according to a message posted Jan. 23 on text-sharing site Pastebin,.

“If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate Internet, destroying dozens upon dozens of government and company Websites,” the message read.

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.

Description:
Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

Installation:
Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:

$ ./configure
$ make
# make install

To remove everything installed/created by Reaver:

# make distclean

Usage:
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

Download: reaver-1.3.tar.gz

Reaver Home: http://code.google.com/p/reaver-wps/

The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.

Description:
WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.

When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total.

It has been reported that many wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.

Impact:
An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

Solution:
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable WPS
Within the wireless router’s configuration menu, disable the external registrar feature of WiFi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or WiFi Protected Setup.

Vendor Information:

Credit:
Stefan Viehböck

References:
– wi-fi-protected-setup-pin-brute-force-vulnerability
– Wi-Fi_Protected_Setup
– WCN-Netspec.doc
– wifi-protected-setup
– WPS Vulnerability Tesing – Google Docs
– disabling-wps-on-the-router