May 24, 2008

[Tutz] Make your Cursor run without Mouse

Hmm...
this is a little bit difficult,
but I will try to share it with all of you.

How to use it:
1. To open the Start menu, press CTRL+ESC
2. To open Run, press Windows+R
3. Type access.cpl
4. Go to the "Mouse" tab
5. Check "Use MouseKeys"
6. Press OK/Enter

Another way:
Press
Alt + Left Shift + Num Lock

[Tutorial] How to Run Windows XP SP 2 from Flashdisk

Abstract
This tutorial shows how to run the Windows XP SP 2 operating system directly from a flash disk,
including how to run office applications, multimedia and an internet browser, and how to repair system errors.

Microsoft says that booting from a USB drive cannot be done.
According to them, a flash disk only functions as storage media, e.g. for saving documents, .mp3 or .3gp files.

"USB-based mass storage devices cannot be the primary hard disk storage solution on a regular system..."
Source: http://www.microsoft.com/whdc/device/storage/usbfaq.mspx
"Windows cannot boot from an USB drive. If your computer supports booting from such device,
you can load a boot loader to the USB device which starts Windows XP from the HDD."
Source: http://groups.google.de/group/microsoft.public.windowsxp.basics/browse_thread/thread/5a5882d3391081b3/
But in fact that is not true, which is why I wrote this tutorial ;p

----------------------------------------------------
Step 1: Can your computer boot from USB?
----------------------------------------------------
To find out whether your computer can boot from USB, check the following:
1. Open the BIOS Setup => "Advanced BIOS Settings". It usually has an option called "boot sequence menu" or something similar. Every motherboard BIOS has a slightly different menu. You can look it up in the manual that came with your motherboard when you bought it.
2. If your BIOS does not support it yet, please update the BIOS. Newer motherboards usually support the "boot from USB" feature.

-----------------------------------------------------
Step 2: Try connecting and booting from the USB drive
-----------------------------------------------------
Run this test to check whether your computer can boot from USB:
1. Format the flash disk from Windows, using the NTFS/FAT32 format.
2. You can use the HPFormatTool utility, which can format the flash disk from the Start Menu.
3. Shut down the computer.
4. Connect the USB drive without a hub. Plug the flash disk directly into the computer, without using a firewall cable or any other cable.
5. Disconnect the hard disk (disconnect the IDE/SATA and power cables from the motherboard).
6. Now turn on your computer.
7. Enter the BIOS Setup and try booting from the USB drive. If the BIOS does not find the drive with AutoDetect, that is no problem. The important thing is that the BIOS can boot from the USB drive.
8. Shut down the computer, reconnect the hard disk as it was before, and disconnect the flash disk from the computer.
9. Restart the computer.

------------------------------------------------
Step 3: Dumping the Windows XP SP 2 CD to an .ISO
------------------------------------------------
Open UltraISO > create an .ISO from the Windows XP SP 2 CD > Save > name it "WinUSBDrive.ISO"

---------------------
Step 4: Extract File
---------------------
1. Using UltraISO, open the file "WinUSBDrive.ISO" that you just created
2. Open the folder \i386
3. Extract these files to %desktop% (so they are easy to find):

TXTSETUP.SIF
DOSNET.INF
USB.IN_
USBPORT.IN_
USBSTOR.IN_

----------------------------------
Step 5 : Unpacking Files *.IN_
----------------------------------
1. Use the CAB SDK (Cabinet Software Development Kit) from the command line (cmd.exe) to extract the contents of the .IN_ files. Each of them contains only one .INF file.
2. Copy the CAB SDK files to the desktop
3. Start > Run > type: cmd.exe /k cd desktop > OK/Enter
The Command Prompt will show you this:

C:\Documents and Settings\%username%\Desktop\>_

4. Type:

cabarc x USB.IN_
cabarc x USBPORT.IN_
cabarc x USBSTOR.IN_

You will get these files:

usb.inf
usbport.inf
usbstor.inf

5. Delete the *.IN_ files in %desktop%, but don't delete the file TXTSETUP.SIF
6. Don't close the Command Prompt

---------------------
Step 6: Editing File
---------------------

To edit code/text files with Notepad:

1. Open Notepad.
2. Drag and drop the file to be edited into Notepad.
3. When finished, close Notepad. If it asks whether to save the file, choose YES.

Next come the important steps that allow Windows XP SP 2 to be installed on a flash disk.

-----------------------------------------------
6-A)--- TXTSETUP.SIF
-----------------------------------------------

This file is loaded at the very start of installation from the Windows XP SP 2 installer CD.
Normally, USB devices are only treated as "input devices" during installation.
I usually change that and add support for storage media drivers at the start of installation.

Edit the file TXTSETUP.SIF like this:

Pay attention to which places need additions and which need deletions.
A line marked ";insert this line" must be added, because the original file does not have it.
A line marked ";delete this line" must be deleted.
A line marked ";add/change like this line" must be changed to look like this.

[BootBusExtenders.Load]
pci = pci.sys
acpi = acpi.sys
isapnp = isapnp.sys
acpiec = acpiec.sys
ohci1394 = ohci1394.sys
usbehci = usbehci.sys ;insert this line
usbohci = usbohci.sys ;insert this line
usbuhci = usbuhci.sys ;insert this line
usbhub = usbhub.sys ;insert this line
usbstor = usbstor.sys ;insert this line

[InputDevicesSupport.Load]
usbehci = usbehci.sys ;delete this line

usbohci = usbohci.sys ;delete this line
usbuhci = usbuhci.sys ;delete this line
usbhub = usbhub.sys ;delete this line
usbccgp = usbccgp.sys
hidusb = hidusb.sys
serial = serial.sys
serenum = serenum.sys
usbstor = usbstor.sys ;delete this line

[BootBusExtenders]
pci = "PCI-Bustreiber",files.pci,pci
acpi = "ACPI Plug & Play-Bustreiber",files.acpi,acpi
isapnp = "ISA Plug & Play-Bustreiber",files.isapnp,isapnp
acpiec = "Integrierter ACPI-Controllertreiber",files.none,acpiec
ohci1394 = "IEEE-1394-Bus-OHCI-konformer Anschlusstreiber",files.ohci1394,ohci1394
usbehci = "Erweiterter Hostcontroller",files.usbehci,usbehci ;insert this line
usbohci = "Open Hostcontroller",files.usbohci,usbohci ;insert this line
usbuhci = "Universeller Hostcontroller",files.usbuhci,usbuhci ;insert this line
usbhub = "Standard-USB-Hubtreiber",files.usbhub,usbhub ;insert this line
usbstor = "USB-Speicherklassentreiber",files.usbstor,usbstor ;insert this line

[InputDevicesSupport]
usbehci = "Erweiterter Hostcontroller",files.usbehci,usbehci ;delete this line
usbohci = "Open Hostcontroller",files.usbohci,usbohci ;delete this line
usbuhci = "Universeller Hostcontroller",files.usbuhci,usbuhci ;delete this line
usbhub = "Standard-USB-Hubtreiber",files.usbhub,usbhub ;delete this line
hidusb = "HID-Parser",files.hidusb,hidusb
serial = "Treiber für seriellen Anschluss",files.none,serial
serenum = "Enumerator für seriellen Anschluss",files.none,serenum
usbstor = "USB-Speicherklassentreiber",files.usbstor,usbstor ;delete this line
usbccgp = "USB Generic Parent Driver",files.usbccgp,usbccgp

Some registry keys must be added as well (again and again Microsoft gives an opportunity for piracy by permitting everyone to modify these commands in the file TXTSETUP.SIF):

[HiveInfs.Fresh]
AddReg = hivedef.inf,AddReg
AddReg = hivesys.inf,AddReg
AddReg = hivesft.inf,AddReg
AddReg = hivecls.inf,AddReg
AddReg = hiveusd.inf,AddReg
AddReg = dmreg.inf,DM.AddReg
AddReg = usbboot.inf,usbservices ;insert this line

[SourceDisksFiles]
usbboot.inf = 1,,,,,,_x,3,,3 ;insert this line
bootvid.dll = 1,,,,,,3_,2,0,0,,1,2
kdcom.dll = 1,,,,,,3_,2,0,0,,1,2

Save and Close file "TXTSETUP.SIF"

-------------------------------------------------
6-B)--- DOSNET.INF
-------------------------------------------------

Open the file DOSNET.INF and then make the following edit:

[Files]
d1,usbboot.inf ;insert this line
d1,_default.pif
d1,12520437.cpx
d1,12520850.cpx

... and so on

Save and Close file "DOSNET.INF"

---------------------------------------------------
6-C)--- usb.inf
---------------------------------------------------

Change the sections [StandardHub.AddService] and [CommonClassParent.AddService]:

[StandardHub.AddService]
DisplayName = %StandardHub.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START (was SERVICE_DEMAND_START) ;StartType changed to StartType = 0
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbhub.sys
LoadOrderGroup = Boot Bus Extender ;add/change like this line

[CommonClassParent.AddService]
DisplayName = %GenericParent.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START (was SERVICE_DEMAND_START) ;StartType changed to StartType = 0
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbccgp.sys
LoadOrderGroup = Boot Bus Extender ;add/change like this line

Save and Close file "usb.inf"

-------------------------------------------------
6-E)--- usbstor.inf
-------------------------------------------------

Edit the section [USBSTOR.AddService]:

[USBSTOR.AddService]
DisplayName = %USBSTOR.SvcDesc%
ServiceType = 1
StartType = 0 ;add/change like this line
Tag = 3 ;add/change like this line
ErrorControl = 1
ServiceBinary = %12%\USBSTOR.SYS
LoadOrderGroup = Boot Bus Extender ;add/change like this line

Save and Close file "usbstor.inf"

----------------------------------------------------------------
6-F)--- Create file USBBOOT.INF
----------------------------------------------------------------

Create a file named "USBBOOT.INF" in %desktop% with this content:

[usbservices]

HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","DisplayName",0x00000000,"USB Mass Storage Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","ImagePath",0x00020000,"system32\DRIVERS\USBSTOR.SYS"
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","DisplayName",0x00000000,"USB 2.0 Enhanced Host Controller Miniport Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","ImagePath",0x00020000,"system32\DRIVERS\usbehci.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","DisplayName",0x00000000,"USB2 Enabled Hub"
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","ImagePath",0x00020000,"system32\DRIVERS\usbhub.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","DisplayName",0x00000000,"Microsoft USB Universal Host Controller Miniport Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","ImagePath",0x00020000,"system32\DRIVERS\usbuhci.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","DisplayName",0x00000000,"Microsoft USB Open Host Controller Miniport Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","ImagePath",0x00020000,"system32\DRIVERS\usbohci.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","Type",0x00010001,1

Save and Close file "USBBOOT.INF"
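
The TXTSETUP.SIF edits from step 6-A can be checked mechanically before the ISO is rebuilt. The Python sketch below is an added example, not part of the original tutorial: it takes an abbreviated, constructed copy of the annotated listing, renders the "before" and "after" files from the ";insert this line" / ";delete this line" markers, and reports which edits are missing. The function names are hypothetical.

```python
import re

# Constructed sample: an abbreviated copy of the annotated TXTSETUP.SIF listing
# from step 6-A, keeping the tutorial's ";insert/;delete this line" markers.
ANNOTATED = """\
[BootBusExtenders.Load]
pci = pci.sys
acpi = acpi.sys
usbehci = usbehci.sys ;insert this line
usbohci = usbohci.sys ;insert this line
usbuhci = usbuhci.sys ;insert this line
usbhub = usbhub.sys ;insert this line
usbstor = usbstor.sys ;insert this line

[InputDevicesSupport.Load]
usbehci = usbehci.sys ;delete this line
usbohci = usbohci.sys ;delete this line
usbuhci = usbuhci.sys ;delete this line
usbhub = usbhub.sys ;delete this line
usbccgp = usbccgp.sys
hidusb = hidusb.sys
usbstor = usbstor.sys ;delete this line

[HiveInfs.Fresh]
AddReg = hivedef.inf,AddReg
AddReg = dmreg.inf,DM.AddReg
AddReg = usbboot.inf,usbservices ;insert this line

[SourceDisksFiles]
usbboot.inf = 1,,,,,,_x,3,,3 ;insert this line
bootvid.dll = 1,,,,,,3_,2,0,0,,1,2
"""

BOOT_DRIVERS = ("usbehci", "usbohci", "usbuhci", "usbhub", "usbstor")
MARKER = re.compile(r";\s*(insert|delete) this line\s*$", re.IGNORECASE)


def render(annotated, edited):
    """Turn the annotated listing into the edited file (edited=True) or the
    untouched original (edited=False) by honouring the markers."""
    drop = "delete" if edited else "insert"
    out = []
    for line in annotated.splitlines():
        match = MARKER.search(line)
        if match and match.group(1).lower() == drop:
            continue  # this line does not exist in the requested version
        out.append(MARKER.sub("", line).rstrip())
    return "\n".join(out) + "\n"


def parse_sections(text):
    """Parse SIF/INF text into {section: [(key, value), ...]}.
    Names are lower-cased; duplicate keys such as AddReg are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        # ';' starts a comment (assumes no ';' inside quoted values here)
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_txtsetup(text):
    """Return a list of problems; an empty list means the 6-A edits are in place."""
    sections = parse_sections(text)

    def keys(name):
        return {key for key, _ in sections.get(name, [])}

    problems = []
    for drv in BOOT_DRIVERS:
        if drv not in keys("bootbusextenders.load"):
            problems.append(f"{drv}: not in [BootBusExtenders.Load]")
        if drv in keys("inputdevicessupport.load"):
            problems.append(f"{drv}: still in [InputDevicesSupport.Load]")
    addreg = {value.replace(" ", "").lower()
              for key, value in sections.get("hiveinfs.fresh", [])
              if key == "addreg"}
    if "usbboot.inf,usbservices" not in addreg:
        problems.append("usbboot.inf,usbservices: no AddReg in [HiveInfs.Fresh]")
    if "usbboot.inf" not in keys("sourcedisksfiles"):
        problems.append("usbboot.inf: not listed in [SourceDisksFiles]")
    return problems


if __name__ == "__main__":
    for label, edited in (("original", False), ("edited", True)):
        issues = check_txtsetup(render(ANNOTATED, edited))
        print(f"{label}: {len(issues)} problem(s)")
        for issue in issues:
            print("  -", issue)
```

To check a real file, pass the text of the edited TXTSETUP.SIF from the desktop to `check_txtsetup()` instead of the rendered sample.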

-----------------------------------------------------
Step 7: Packing the edited files back into IN_ format
-----------------------------------------------------
Open the Command Prompt again:
C:\Documents and Settings\%username%\Desktop\>_

Type:

cabarc n USB.IN_ usb.inf
cabarc n USBPORT.IN_ usbport.inf
cabarc n USBSTOR.IN_ usbstor.inf

Each IN_ file will be packed from the INF file that you edited earlier.

------------------------------------------------------------------
Step 8: Injecting the IN_ files from the Desktop into "WinUSBDrive.ISO"
------------------------------------------------------------------

Open UltraISO and make sure the file "WinUSBDrive.ISO" is (still) open.

Open the folder \i386 in "WinUSBDrive.ISO".

Delete these files:

DOSNET.INF
TXTSETUP.SIF
USB.IN_
USBPORT.IN_
USBSTOR.IN_

Save file "WinUSBDrive.ISO"

Drag and drop the files you edited in %desktop% into the folder \i386 of "WinUSBDrive.ISO":

USBBOOT.INF
DOSNET.INF
TXTSETUP.SIF
USB.IN_
USBPORT.IN_
USBSTOR.IN_

Save file "WinUSBDrive.ISO"

---------------------------------------
Step 9: Burning "WinUSBDrive.ISO" to CD
---------------------------------------
Just burn it using Nero or burnatonce at a slow speed.

----------------------------------------
Step 10: Install Windows XP SP 2 from CD
----------------------------------------
1. Shut down the computer.
2. Disconnect any internal or external hard disk.
3. Set the BIOS so that the USB drive is the "first boot device".
4. Plug in the USB drive without a hub (no cable, flash disk directly into the computer).
5. Restart.
   Windows will usually show these error messages:
   1. "Driver not certified" <-- choose YES.
      This is usually because files on the installation CD have been changed.
   2. "PageFile not found"
6. Install.

----------------------------
Step 11: Try This Everywhere
----------------------------
After finishing, shut down your computer. Plug in the USB drive again and try it at home or in the office. He....

Postscript:
-----------
Now you can use that flash disk as a Windows XP SP 2 operating system.
Even though not every motherboard supports "booting from USB Drive", this flash disk can run on a Pentium 4.
Of course you understand why a flash disk that can run Windows XP SP 2 is very helpful.
You can solve the "system errors" that commonly come up, such as:
1. A login password that can't be opened
2. A virus that has entered %SystemDrive% and must be cleaned
3. Wanting to copy files from the hard disk when the system has an error
4. Or wanting to delete files so that Windows on the hard disk can't boot, or wanting to inject a virus, or wanting to place some file without the owner knowing. he.... LOL
5. Wanting to surf the Internet without catching a virus or trojan, because if we do get one, we can format the hard disk and "refill" the flash disk by writing "WinUSBDrive.ISO" to the flash disk (usually in 10 minutes).

[Tuts] Writing with the MOUSE if you don't have a keyboard

Just sharing a little bit of info.

If your keyboard is broken, or your computer has no keyboard but only a MOUSE, and you want to write something but can't, don't get mad or cry just yet: use the virtual keyboard and write with the mouse.

How to use it:

1. Go to c:\windows\system32\osk.exe
2. Copy and paste OSK
3. START => RUN => type: OSK => ENTER

Another way:

Click Start + Programs + Accessories + Accessibility + On-Screen Keyboard

tra... ta...

The virtual keyboard is now on your monitor, and you can write anything you want.

he.......

(Review) Total Training :Adobe Dreamweaver CS3: Essentials (2 DVD )

Title: Adobe Dreamweaver CS3 Essentials
Category: Web Design & Publishing
Presenter: Janine Warner

Janine Warner is the author of more than a dozen books about the Internet, including the best-selling Dreamweaver For Dummies (now in its seventh edition). She's a popular speaker at industry events and an experienced journalist whose articles have appeared in such diverse publications as The Miami Herald and The Point Reyes Light. She also writes a regular column about Dreamweaver for Layers Magazine.

Description:
Discover the power of Dreamweaver, an award-winning Web design program with this in-depth tutorial. From the basics of how to create Web pages, set links, and insert images, to more advanced techniques for creating page layouts with tables and CSS, you'll learn everything you need to create and publish a web site. You'll also learn how to use Dreamweaver's more advanced features to insert Flash, video, and audio files, and use Dreamweaver's JavaScript behaviors to create interactive effects, like rollovers and image swaps. With these easy to follow lessons, you'll get up to speed quickly with Dreamweaver CS3.

Highlights
* Janine's engaging lessons provide a great introduction to Dreamweaver with a focus on how to get your web site up and running quickly.
* Discover the advantages, and techniques, for designing with CSS, the best way to create standards-based, accessible web sites today.
* Add interactive features like rollovers and image swaps with Janine's advanced instructions for using the JavaScript behaviors in Dreamweaver.
* Make your pages sing and dance as you learn how to use the multimedia features to add audio, video, and Flash to your web pages.
* Discover how the template features can help you save time and create a better looking web site that's also easier to update and redesign in the future.


Available in Your Local Book Store, Online Book Store or External Link

(Review) Tutorial Dreamweaver CS3 Bible



Learn to create dynamic, data-driven Web sites using the exciting enhancements in the Dreamweaver CS3 version. You get a thorough understanding of the basics and then progress to learning how to produce pages with pizzazz, connect to live databases, integrate with Flash and Photoshop, use advanced technologies like Spry and Ajax, incorporate Flash, Shockwave, QuickTime, and WAV files, import Photoshop files directly into Dreamweaver, and enjoy Web success.

TABLE OF CONTENT:
Part 1 - Laying the Groundwork in Dreamweaver CS3
Part 2 - Designing and Crafting Core Pages
Part 3 - Adding Advanced Design Features
Part 4 - Incorporating Dynamic Data
Part 5 - Including Multimedia Elements
Part 6 - Enhancing Productivity and Web Site Management
Part 7 - Extending Dreamweaver
Part 8 - Appendix

Available in Your Local Book Store, Online Book Store

(Review) Visual Modeling with Rational Rose 2002 and Uml

Fully updated to cover Rational Rose 2002, this third edition of Quatrani’s classic bestseller retains the highly effective and simple approach to visual modeling.
Thoroughly updated and fully compliant with Rational Rose 2002, the latest release of the industry's most popular software modeling tool.
Simplified, useful case study helps the reader understand the core concepts of modeling and how to use UML effectively.
Foreword by Grady Booch. The third edition of this popular book retains the practical approach to teaching visual modeling techniques and the industry standard Unified Modeling Language. Author Terry Quatrani, the Rose Evangelist from Rational Software Corporation, still uses the simplified case study (a course registration system for a fictional university) that has taught thousands of readers how to analyze and design an application using UML, and how to implement the application using Rational Rose. The screen shots and Rational Rose instructions have been updated to reflect the release of Rational Rose 2002. After a short history of the evolution of UML and a guide to the basic terms of software engineering, the book introduces the concept of requirements, use cases, and class diagrams. Further chapters move toward defining an architecture and even refining the design within the incremental methodology of Rational Rose.
Terry Quatrani is the Rose Evangelist at Rational Software Corporation, and author of the first two editions of this book. She is responsible for successfully training and transitioning Fortune 500 companies to object technology. Prior to joining Rational, she worked for General Electric, where she worked with Jim Rumbaugh and was one of the founding consultants of the GE Advanced Concepts Center.

Available in Your Local Book Store, Online Book Store or external link

[Tutz] Change Your Computer Logo from System Properties

If we right-click My Computer -> Properties, the General tab shows a computer logo. We can replace that logo with another picture, including our own photo.

How to change it:

1. Create a picture or wallpaper, or use a logo or picture from your computer, in "bmp" format with a size of 180x118 pixels.
2. Save / rename the file to "oemlogo.bmp"
3. Open NOTEPAD and copy in these lines.

Code:
[General]
Manufacturer= (replace with the text you want)
Model= (replace with the text you want)
[Support Information]
Line1= (replace with the text you want)
Line2= (replace with the text you want)
4. Save it under the name oeminfo.ini
5. Copy the files oeminfo.ini and oemlogo.bmp to c:\windows\system32
6. Finished

Now you can see the change by right-clicking My Computer.



Good luck

May 3, 2008

Play With Registry (part 1)

Applying Registry Updates Quickly

Click Start > Log Off > Log Off.

Change Wallpaper

HKEY_CURRENT_USER\Control Panel\Desktop

Double-click Wallpaper and enter the path of the picture you want in Value Data.

Changing the Name of the Recycle Bin

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}

Double-click the (Default) value and enter the new name you want in Value Data.

Showing Rename on the Recycle Bin

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder

Double-click Attributes > Edit Binary Value. In Value Data, change the number to 0000 50 01 00 20.

Hide Recycle Bin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace

Delete the subkey {645FF040-5081-101B-9F08-00AA002F954E}, then restart the computer to see the result.

If you want to show it again, you must re-create the subkey {645FF040-5081-101B-9F08-00AA002F954E}.

Adding Shortcut Menu Items to the Recycle Bin

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder

Double-click Attributes and change the Value Data to one of these numbers:

0000 50 01 00 20 > Rename

0000 60 01 00 20 > Delete

0000 70 01 00 20 > Rename & Delete

0000 41 01 00 20 > Copy

0000 42 01 00 20 > Cut

0000 43 01 00 20 > Copy & Cut

0000 44 01 00 20 > Paste

0000 45 01 00 20 > Copy & Paste

0000 46 01 00 20 > Cut & Paste

0000 47 01 00 20 > Cut, Copy & Paste

[Tutorial] Hacking Wifi HotSpot With WEP/WPA Security

kracking WEP with Windows XP Pro SP2

This is part one in a two part paper on kracking WEP with Windows XP. This first part covers sniffing wireless traffic and obtaining the WEP key. Part Two will cover associating with a Wireless AP, spoofing your MAC address, trying to log on administratively to the AP and further things you can carry out on the WLAN once authenticated successfully.

What is WEP:

Wired Equivalent Privacy (WEP) is often mistakenly thought of as a protocol designed to 100% protect wireless traffic, when this is not the case.
As its name suggests it was designed to give wireless traffic the same level of protection as a wired LAN, which when you think about it is a very hard thing to set out to do.

LAN’s are inherently more secure than Wireless LAN’s (WLAN) due to physical and geographical constraints. For an attacker to sniff data on a LAN they must have physical access to it – which is obviously easier to prevent than to prevent access to traffic on a WLAN.

WEP works at the lower layers of the OSI model, layers One and Two to be exact, so it therefore does not provide total end to end security for the data transmission.

WEP can provide a level of security between a Wireless Client and an Access Point or between two wireless clients.

WEP Standards:

WEP is commonly implemented as a 64 bit or 128 bit encryption. These encryption strengths can sometimes be referred to as 40 bit or 104 bit due to the fact that each data packet is encrypted with an RC4 cipher stream which gets generated by an RC4 key. This RC4 key for say a 64 bit WEP implementation is composed of a 40 bit WEP key and a 24 bit Initialization Vector (IV) – hence the 64 bit RC4 key, however the actual WEP part of it is only 40 bits long, the IV taking up the other 24 bits, which is why a 64 bit WEP key is sometimes referred to as a 40 bit WEP key.

This resultant cipher is ‘XOR’d’ with the plain text data to encrypt the whole packet. To decrypt the packet the WEP key is used to generate an identical ‘key stream’ at the other end to decrypt the whole packet but more about this later on, I will also go over the IV’s in more detail later on as well.


Failures of WEP:

We have heard everyone say WEP is easy to krack and should not be used, can be kracked in 10 minutes etc but why is this?

Well in my opinion WEP is seriously flawed for the following reasons:

1) Initialization Vectors are reused with encrypted packets. As an IV is only 24 bits long it is only a matter of time before it is reused. Couple this with the fact you may have 50 + wireless clients using the same WEP key and the chances of it being reused improve even further.
An IV is sent in clear along with the encrypted part of the packet. The reuse of any encryption element is always a fundamental flaw to that particular encryption and as an IV is sent in clear this further exposes a significant weakness in WEP.

As more RC4 cipher streams are found and more IV’s are deciphered, the closer we get to discovering the WEP key.

This is what forms the foundation of WEP kracking.


2) The algorithm used to encrypt a WEP ‘hash’ is not intended for encryption purposes. The original purpose of the Cyclic Redundancy Check (CRC-32) was to detect errors in transmission, not to encrypt data.


3) The most significant flaw in my opinion is the mass use of the WEP key. Everything using that particular AP will need the same WEP key hence all the resultant traffic will be using the exact same WEP key as well.
The one not so obvious side effect of this is when it comes to administering the network. If you have 60 wireless clients all using the same WEP key, do you really want to go and periodically change them all…..it is easier to leave it as it is. I am guilty of doing this on a network I used to administer a few years ago as I am sure others are who still use WEP.

Wireless Standards:

The Institute of Electrical and Electronic Engineers (IEEE) defined specifications for wireless traffic back in 1997. The protocol they came up with is the 802.11 standard.

Nowadays 802.11 has many different implementations for wireless traffic. The most common ones are:

1) 802.11 – this specifies that the wireless traffic will use the 2.4GHz frequency band utilizing either Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS). The FHSS is a protocol whereby the traffic ‘hops’ to pre-defined frequencies and is commonly used to reduce the effects of noise or interference in the transmission. DSSS is also a protocol used to reduce noise interference by combining the signal with a higher data rate bit sequence (commonly called a chipping code) which separates the data up in to a logical sequence and attaches a form of CRC to the packet before transmitting.

2) 802.11a – this provides data transmission in the 5GHz band at a rate of anything up to 54Mbps. Unlike the original 802.11 specification this uses Orthogonal Frequency Division Multiplexing (OFDM) to encode the traffic instead of FHSS or DSSS. OFDM is a method of transmitting digital data by splitting it up in to smaller ‘chunks’ and transmitting them at the same time but on different frequencies, which is why the data transfer rate is quite good.

3) 802.11b – came along in 1999 with the intention of allowing wireless functionality to be similar to that provided by Ethernet. It transmits data in the 2.4GHz band at 11Mbps using DSSS only. It is sometimes called Wi-Fi.

4) 802.11g – this works in the 2.4 GHz band at a rate of 20Mbps or more and came along in 2003. It uses OFDM like 802.11a and transmits data in a very similar way. However unlike 802.11a it is backward compatible with 802.11b.

A point worth noting here is if you have an 802.11b Wireless Adaptor you will not be able to receive 802.11g traffic. If you do want to get in to WEP kracking it is well worth your while investing in a dual band card. I will talk about Wireless Adaptors more later on.

How do we krack WEP:

Well kracking WEP is fairly easy to understand if you have followed what I explained above. We briefly touched on IV’s and WEP encryption and how they tie in together. To put it very simply, if you can decipher the IV algorithm you can decrypt or extract the WEP key.

As I stated before WEP very kindly transmits the IV in clear, so if we can run a mathematical equation against it we can find and decipher the RC4 stream that encrypted the whole packet in the first place.

The WEP ‘key’ is the missing value [key] from this mathematical equation. Remember the AP or the client has this key to use when decrypting the packet and is what we must find by running a complicated algorithm against the encrypted packet.

If you think about it like this it may become clearer:

You have an algorithm that is produced by concatenating a randomly generated 24 bit IV with your WEP Key – You also have an RC4 Key stream - the two are then ‘hashed’ together to encrypt the packet.

The IV is the hub of the whole process as this is the only thing that has used your WEP key. If we run a statistical analysis against the IV to try and decrypt the packet, we can find the key used at the beginning of the process.

When you try to decrypt them, every time you krack a piece of the algorithm the corresponding plain text part of the packet is revealed, once the whole packet is decrypted you know the algorithm used to encrypt that particular packet – A crude way of describing it but as simple as I can make it.

Any attacker can passively collect encrypted data, after a while due to the limitations explained earlier; two IV’s that are the same will be collected. If two packets with the same IV are XOR’d, an XOR of the plain text data can be revealed. This XOR can then be used to infer data about the contents of the data packets.

The more identical IV’s collected the more plain text data can be revealed. Once all the plain text of a data packet is known, it will also be known for all data packets using the same IV.

So before any transmission occurs WEP combines the keystream with the payload using an XOR process, which produces ciphertext (data that has been encrypted). WEP includes the IV in clear in the first few bytes of the frame. The receiving AP / Client uses this IV along with the shared secret key (Your WEP Key) to decrypt the payload of the frame.

XOR is a mathematical algorithm which I am not even going to attempt to explain. This site explains it very well though, and you can click here:


So in short – the more identical IV’s we can get the more plain text data we can reveal and the closer we get to obtaining the key used to encrypt the data in the first place.

As it is not pre-determined when we are going to receive identical IV’s it is impossible to say how many IV’s need to be collected but more about that later.
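
The IV reuse flaw from point 1 under "Failures of WEP" and the XOR property described above can be seen in a few lines of Python. This is an added example, not code from the original paper: it builds WEP-style frames (clear IV, RC4 keyed with IV plus WEP key, CRC-32 check value) from constructed sample values, shows that two frames with the same IV XOR to the XOR of their plain texts, and computes how few randomly chosen 24 bit IVs are needed before a repeat becomes likely. The key ID byte of a real frame is left out for brevity.

```python
import struct
import zlib

# Constructed sample values (not from the page): a 40-bit WEP key, one 24-bit
# IV and two equal-length payloads.
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x2a"
P1 = b"constructed payload one."
P2 = b"constructed payload two!"


def rc4_keystream(key, length):
    """Standard RC4: key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload):
    """CRC-32 integrity check value appended to the payload before encryption."""
    return struct.pack("<I", zlib.crc32(payload))


def wep_encrypt(iv, wep_key, payload):
    """Return IV (in clear) followed by (payload + ICV) XOR RC4(IV + key)."""
    data = payload + icv(payload)
    return iv + xor(data, rc4_keystream(iv + wep_key, len(data)))


def wep_decrypt(frame, wep_key):
    """Rebuild the keystream from the clear IV and the shared key, then verify."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + wep_key, len(body)))
    payload, check = data[:-4], data[-4:]
    if icv(payload) != check:
        raise ValueError("ICV mismatch")
    return payload


def xor_of_plaintexts(frame_a, frame_b):
    """With the same IV both frames used the same keystream, so it cancels
    and what remains is plaintext_a XOR plaintext_b (plus the XOR of the ICVs)."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: the keystreams do not cancel")
    return xor(frame_a[3:], frame_b[3:])


def frames_for_collision(probability, iv_bits=24):
    """Smallest number of randomly chosen IVs for which the chance that at
    least two are identical reaches `probability` (birthday bound)."""
    space = 2 ** iv_bits
    count, p_unique = 0, 1.0
    while 1 - p_unique < probability:
        p_unique *= (space - count) / space
        count += 1
    return count


if __name__ == "__main__":
    f1 = wep_encrypt(IV, KEY, P1)
    f2 = wep_encrypt(IV, KEY, P2)
    leak = xor_of_plaintexts(f1, f2)[:len(P1)]
    print("keystream cancelled:", leak == xor(P1, P2))
    print("second payload from first:", xor(leak, P1))
    print("IVs for a 50% repeat chance:", frames_for_collision(0.5))
    print("IVs for a 99% repeat chance:", frames_for_collision(0.99))
```

The repeat count depends only on the 24 bit IV size, not on the key length, which is why moving from a 40 bit to a 104 bit WEP key does not remove this weakness.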

Software Used:

For this attack I am going to use airkrack-ng for Windows which can be obtained from here .

Whilst here download cygwin1.dll and paste it in to the same folder as Airkrack-ng. There is a copy of cygwin1.dll included already but the one available from the tinyshell site is a later version of it.
The peek.dll and peek5.sys files also need to be in the same directory as airkrack. They are available here:
If you download Winairkrack - which is a GUI version of what I cover in this paper - copy the peek.dll and peek5.sys files across to where you have airkrack stored. You will get a peek driver not found message if you don't do this.

Once it has downloaded you have the option of adding its directory path to your Command Prompt path, so you can start the application straight from the command line without having to ‘CD’ to the correct directory.
For example I copied this in to my path: C:\Documents and Settings\Nokia\Desktop\airkrack-ng-0.3-win\airkrack-ng-0.3-win\bin
In the bin folder is airodump and airkrack-ng – so now I can just type airodump straight in to the command prompt to run the application.

To add something to your path:

Right click My Computer > Properties > Advanced > Environment Variables > Under System Variables highlight PATH > Edit > enter the directory path using a ; to separate it from any existing entries.

You also need to go to Wild Packets to pick up a new driver for your card.

I have found that the most common cause of stress when trying to krack WEP is incompatible hardware. The Airopeek driver from Wild Packets is not compatible with all types of hardware. There is a list of supported adaptors and the relevant driver you need to use on the web site.

For this krack I am using an Atheros based NETGEAR WAG511 DUAL BAND adaptor which you can get from HERE for £35.99.

This card works with Whax, Auditor and BackTrack pretty much straight out of the box. It is also a dual band so you don’t have to worry about sniffing traffic on a ‘g’ WLAN when you have a ‘b’ wireless adaptor. It is my preferred Wireless Adaptor and has not let me down yet.
Most cards that are Atheros based will have the Atheros logo on the side of the box, use one of these if possible.

**Some people I know have confused the NETGEAR WG511 which does not work, with the NETGEAR WG511T which does work so try not to fall in to this trap**

Cards that I can 100% say to stay away from are ones that use the PrismGT chipset. Conexant cards are also a complete waste of time (which I found out the hard way), so please do not even think about buying one of these if you want to krack WEP.

To check what chipset your card uses, see this list: click here


So you should now have:

Airkrack-ng
Cygwin1.dll – in the same directory as Airkrack
Peek.dll and Peek5.sys in the same directory as Airkrack
Relevant Drivers from Wild Packets for your Adaptor
Added airkrack-ng to your PATH
Got an Adaptor that works with all of the above!

So what’s next?

Now we need to install the driver you have downloaded.
**Warning – the next procedure will overwrite your existing Windows driver, so make sure you have the disc or a backup of it before carrying on.**

The peek driver will not let you use your Wireless Adaptor in the conventional way. You won’t be able to associate to an AP with it or browse the internet etc.

99% of Windows drivers are designed to make your Wireless Adaptor reject any 802.11 traffic not destined for it. The Peek driver puts your Adaptor in to a promiscuous mode to allow it to sniff all 802.11 traffic that is compatible with your adaptor.

To install the driver open up your Device Manager and right click on your wireless adaptor > Update Driver > Install from a Specific Location > Don’t Search, I will choose the driver to install > Have Disk > Browse to where you have downloaded the driver > Double Click.

Windows may display a prompt warning you that the driver is not digitally signed; if this happens click continue anyway.

Once the driver is installed we are ready to krack WEP.

**If you get an error message saying ‘The specified destination contains no information about your device’, you have either downloaded the wrong driver or more likely your Wireless Adaptor is not compatible with what we need it to do.**

Kracking WEP:

Kracking WEP is by no means a skilful thing to do, as all the hard work was done by Chris Devine, who is the excellent coder of Airkrack; all we need to do is collect the data and start the program. If you have questions about Airkrack, a good place to post them is the Netstumbler Linux Forums, as I believe the author checks there quite often. Alternatively you can email the author at devine [at] iie [dot] cnam [dot] fr – whether he will reply or not I don’t know, but I wouldn’t have thought he will appreciate you emailing him with stupid questions – use the forum for these!


Airodump

So open a command prompt and type Airodump – or if you have not added it to your PATH you will need to CD to the right directory.

A new window opens now which will search for all installed wireless adaptors, give it a numerical signature and display the following:

Code:

usage: airodump [ivs only flag]

Known network adapters:

14 NETGEAR WG511T 54 Mbps Wireless PC Card
22 NETGEAR WAG511 802.11a/b/g Dual Band Wireless PC Card

Network interface index number ->




Select the relevant ID for the card you want to use:

Code:

Network interface index number -> 22




You are then prompted to enter the type of chipset of your card:

Code:

Interface types: 'o' = HermesI/Realtek
'a' = Aironet/Atheros

Network interface type (o/a) ->




We are using an Atheros card so we enter 'a':

Code:

Network interface type (o/a) -> a




Then you are asked what channel you would like it to sniff traffic on:

Code:

Channel(s): 1 to 14, 0 = all ->




The USA only uses up to channel 11 and Europe uses up to channel 14. However, channel 11 is the most common one that wireless AP’s default to in the UK, so I normally start off with channel 11. If you want to scan all channels use the 0 option.

We shall use channel 11:

Code:

Channel(s): 1 to 14, 0 = all -> 11




Now you are asked what you would like to save your capture file as:

Code:

(note: if you specify the same output prefix, airodump will resume the capture session by appending data to the existing capture file)

Output filename prefix ->




If you specify a file name that you have already used the resulting data will be added to the file – which is an excellent feature if it becomes apparent later on that you do not have enough IV’s as you won’t have to start all over again!

Code:

Output filename prefix ->WEP1




Now you are asked if you only want to save the IV’s or all packets that are sniffed.

Code:

(note: to save space and only store the captured WEP IVs, press y.The resulting capture file will only be useful for WEP kracking)

Only write WEP IVs (y/n) ->




As we know to krack a WEP key we only need IV’s so we can select yes to this question. The resultant file will be saved as an .IVS file.

Code:

Only write WEP IVs (y/n) -> y




So now we have told it everything it needs to know, let’s see what happens:

Code:


BSSID              PWR  Beacons  # Data  CH  MB  ENC  ESSID

00:09:5B:FD:C6:52   10        3       6  11  54  OPN  HOMEWIRELESS
00:30:F1:F5:A1:35   60      359    1234  11  54  WEP  Stuart

BSSID              STATION            PWR  Packets  ESSID

00:09:5B:FD:C6:52  00:09:5B:B6:1D:2A   17        6  HOMEWIRELESS
00:30:F1:F5:A1:35  00:09:5B:84:A6:DF   87     1793  Stuart




This is the output from a successful Airodump start-up.

BSSID = The MAC address of the Wireless Access Point.
PWR = The strength of the signal being received
BEACONS = Every AP transmits around 10 beacons per second – these are not encrypted and are useless to us from a WEP kracking point of view – they basically say ‘I’m an AP, come and associate with me’.
DATA = This is what we are most interested in. DATA packets are the IV’s that we need.
ENC = Encapsulation – WEP / WPA / OPEN etc – speaks for itself
ESSID = The name of the wireless network. This is not always broadcast by the AP but we will need it to associate with the AP later on.

The second part lists any associated clients that are talking to the AP. MAKE A NOTE OF THESE MAC ADDRESSES.

Some AP’s have MAC address filtering enabled. This is a table of MAC addresses stored on the AP – when you try to associate with the AP if MAC filtering is enabled the AP checks your MAC with the list of allowed MAC’s to see if you can associate with it. If it is not in the list, regardless of if you have the correct WEP key or not, you will not be allowed to associate with the AP. You will also leave an entry in the logs.
This is a very helpful feature of Airodump that informs us what we need to spoof our MAC to when associating with the AP.



DATA:

As I mentioned before it is impossible to give an exact number of IV’s that need to be collected to krack a WEP key. The more we can get the more chance we have of kracking the WEP key. From trial and error I have found that I can krack a 40 bit WEP key in a few seconds with around 250,000 – 400,000 IV’s. You may be able to do it with more IV’s or less IV’s, it is different every time.
For a 104 bit WEP key you will need anything up to 2000000 IV’s and maybe even more. The fewest IV’s I have ever been able to use in one of my lessons for a 104 bit krack is 710,325, and this took just 4 minutes 31 seconds to krack, but in other lessons I have had to collect in excess of 2 million.

This is where the very handy feature of Airodump appending to existing files is useful. If you have collected 500,000 and run a 64 bit attack on the file but are unsuccessful, simply start Airodump again and use the same file name; all the new IV’s will be added to the ones you already have, so you don’t have to start from the beginning all over again!

So now sit there and wait for the amount of IV’s that you decide on to be collected!


Airkrack-ng


So once you have decided you have enough IV’s press CTRL + C to end Airodump. I have collected 413,994 IV’s for this krack.

You will still have the white command prompt open so just type Airkrack-ng at the prompt. (Or ‘CD’ to it)

You will now get a list of ‘usages’ for Airkrack that you can use.

Code:


Common options:

-a : force attack mode (1/WEP, 2/WPA-PSK)
-e : target selection: network identifier
-b : target selection: access point's MAC
-q : enable quiet mode (no status output)
-w : path to a dictionary file

Static WEP kracking options:

-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-d : debug - specify beginning of the key
-m : MAC address to filter usable packets
-n : WEP key length: 64 / 128 / 152 / 256
-i : WEP key index (1 to 4), default: any
-f : bruteforce fudge factor, default: 2
-k : disable one attack method (1 to 17)
-x : do bruteforce the last two keybytes
-y : experimental single bruteforce mode

Airkrack-ng 0.3 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine


usage: airkrack-ng [options] <.cap / .ivs file(s)>




As this paper is getting a bit long I will just cover the options we need to krack a WEP key from a file. If you want to try the other options out..try them and see what you come up with. The helpful descriptions provided speak for themselves really.

So we have collected 413,994 IV’s which is not enough for a 104 bit WEP krack so we will try a 40 bit WEP krack instead (we can always add IV’s to the file later on if it does not work)

So we issue the following command to Airkrack:

Code:

C:\Docu~\nokia>airkrack-ng -n 64 WEP1.ivs




We use the –n 64 switch to tell it we think it is a 64 bit WEP key.

You can also use the –f switch, which is the fudge factor switch.
In the programmer's own words:

“By default, this parameter [fudge factor] is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the brute force level: kracking will take more time, but with a higher likelihood of success.”

So if you have no joy kracking it you can try again with the –f 5 switch.


If you forget what you called the Airodump file it is saved in the following directory by default:

C:\Documents and Settings\%User Name%

If you selected to only save the IV’s it will be an .IVS file, if you said No and wanted to save everything it will be a .cap file.

Our scan only turned up one network so Airkrack will only krack those IV’s. If you have more than one network you will need to use the –m switch to tell it the BSSID of the AP whose packets you want to use.



The result of issuing our command is:

Code:

Airkrack-ng 0.3


[00:00:00] Tested 1231 keys (got 413994 IVs)

KB depth byte(vote)
0 0/ 4 A6( 68) 82( 40) EE( 20) E4( 15) 18( 5) 23( 5) 04( 3)
1 0/ 3 22( 75) 52( 19) 43( 15) 5A( 13) 21( 8) 8A( 5) B2( 4)
2 0/ 1 04( 76) 33( 8) 8B( 5) C8( 5) 47( 0) 62( 0) 63( 0)
3 0/ 1 09( 106) FB( 15) ED( 12) 58( 12) F0( 11) 29( 7) C8( 5)
4 0/ 1 EB( 153) 19( 27) 0E( 15) 38( 15) B8( 13) E0( 10) DC( 9)

KEY FOUND! [ A6:22:04:09:EB ]




There you have it: our 40 bit WEP key is A6:22:04:09:EB.

With 413994 IV’s this key took Airkrack less than 1 second to krack, which is an example of how good Airkrack truly is. With 250,000 ish IV's chances are it would only take a few seconds more to krack, but I like to collect a few more IV's to be on the safe side.

Like I said, the programmer has done all the hard work for us; we just need to tell it what to do. On the end user's part WEP kracking is not a skilful hack in any way whatsoever (we just tell Airkrack what we want it to do) unless you want to write your own program for it!

Troubleshooting:

Common problems are:

Incompatible Wireless Card.

90% of my students who come to me complaining they can’t krack WEP and that Airkrack does not work are failing because they do not have a compatible Wireless Adaptor.
If you are giving the commands that I am giving here and they do not work, or you get an error message when installing the driver, I can almost guarantee you that your card is not compatible. It is possible to flash the firmware of some Prism2 Cards, this page helps you do this


Can’t receive DATA / IV’s with Airodump:

To receive IV’s from an AP there has to be a client associated with it that is sending / receiving traffic. If you are not receiving IV’s the most likely causes are that there are no associated clients or you are too far away from the AP. As far as I know Aireplay does not work with Windows so you will have to use a Packet Injection application of your choosing. I will cover this in Part 2.

Finally, if you are just plain unlucky you may just not be able to krack the WEP with the IV’s you have. If this happens the only option is to start from the beginning again.

If you can't krack the 64 bit WEP, collect more IV’s and try doing it as a 104 bit WEP key.

My thanks go to Chris Devine, KoreK and all who helped him, for writing such a helpful application and to Thomas d'Otreppe who I believe ported it to Windows?


FAQ

The following FAQ has been put together from questions in this thread. Additionally the following link was found by Moo and has proved very helpful and you can open that place here


Can we ask that you look through the FAQ in that link and this FAQ before you post questions here, thanks.

Q. I can't get the Wild Packet drivers to work for my xxxxx wireless card. After I install it says the card will not work properly now?

A. You won’t be able to connect to the internet / AP in the conventional way after you install the Wild Packet drivers - these drivers place your card in a promiscuous mode to enable you to receive traffic not destined for you.

If you fire Airodump up after installing the drivers it should work, if they have been installed correctly. There are two versions of the drivers. If it does not work then either the drivers haven’t been installed properly, you have installed the wrong version, or they are incompatible with your card.

After you have finished go to your device manager in your control panel and 'roll back' the driver to revert back to the original one so you can get normal connectivity.
____________________________________________________________

Q. Can I have two different wireless cards installed, one for general internet surfing and another with the Wild Packet drivers installed for penetration testing?

A. Yes, this is a good solution; I do it most of the time when I need internet connectivity and a passive connection at the same time. If you have more than one PCMCIA slot on your laptop use the same slot for each card - this will prevent you having to constantly reinstall the relevant drivers!
____________________________________________________________

Q. When I load Airodump I get the following error "LoadLibrary(Peek.dll) failed, make sure this file is present in the current directory." what does this mean?

A. You will need to get the peek.dll and peek5.sys files and put them in the same directory as Airkrack.

The easiest way to get them is to go here
and download Winairkrack - which is a GUI version of Airkrack - copy and paste peek.dll and peek5.sys in to your directory.

You should have added cygwin1.dll, peek.dll and peek5.sys in to your directory before starting Airodump/Airkrack
____________________________________________________________

Q. When I click on (airdecap-ng, arpforge-ng.....), they quickly open and close?

A. Read all of the paper......specifically the part about adding them to your path – once you have done this double clicking on them won't work any more.
____________________________________________________________

Q. I have it running fine, but the IV collection is really slow, can I speed it up at all?

A. If the wireless network does not have many clients, then IV collection will be very slow. If this is your own network open up a command prompt and type:

ping "ip address of AP" -l 65500 -t (That’s a small L not a |)

This will send a constant stream of ICMP packets 65500B big to the AP which should generate a good stream of IV's. This will only work if you are already associated with the AP and is for use to test YOUR OWN WEP KEY; you cannot use it against somebody else's AP until you have associated with it.
____________________________________________________________

Q. How do I use Packet Injection to speed up collection of IV’s? / I can’t seem to get packet injection program xxxxxx to work properly, can you help?

A. Unfortunately Packet Injection is outside the scope of this tutorial and may be covered in a future one. For the time being you will have to do some research on Google.

Enjoy.