Wednesday, September 19, 2007

WifiZoo and cards without Prism headers

If your card does not output Prism headers, chances are WifiZoo is going to break; sorry, I didn't bother to check that one :). The good news is that I already modified the code to check whether Prism headers are available or not, and if they are not, the code now handles that situation and everything works fine.
This 'fix' is going to be included in the next version, but if anyone wants the fix right now, please send me an email (hernan [at] and I'll send you the version that supports cards that do not output Prism headers.

Tuesday, September 18, 2007

New version of wifizoo v1.1

I fixed some bugs, probably added some new ones, and there is also new functionality in the new version of WifiZoo. Among the new functionality, WifiZoo now keeps track of probe requests and can also graph which SSIDs are being 'probe requested' from which SRCs. I find it useful, or at least interesting; hope you do too :).
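As an added illustration of the two things described on this page (checking whether a captured packet begins with a Prism monitor header before parsing the 802.11 frame, and keeping a per-source record of which SSIDs each station probes for), here is a small Python script. It is my own example, not WifiZoo's code. It assumes raw frames as a monitor-mode capture would deliver them, relies on the documented Prism monitor header layout (a 144-byte block starting with message code 0x0044 and its own length), and builds a few constructed sample packets inline; emitting Graphviz DOT text for the SRC -> SSID graph is my own choice, not necessarily how WifiZoo renders its graphs. The same parsing is what a wireless monitoring sensor would do to inventory which clients on site are probing for which networks.

```python
import struct
from collections import defaultdict

# Prism monitor header as documented for prism-style capture drivers:
# a 144-byte block that starts with message code 0x0044 and its own length.
PRISM_MSGCODE_MONITOR = 0x0044
PRISM_HEADER_LEN = 144

# 802.11 management frame: type 0, subtype 4 is a probe request.
MGMT_TYPE = 0
PROBE_REQ_SUBTYPE = 4
IE_SSID = 0


def strip_prism_header(pkt: bytes) -> bytes:
    """Return the bare 802.11 frame, removing a Prism header only if one is present."""
    if len(pkt) >= PRISM_HEADER_LEN:
        msgcode, msglen = struct.unpack_from("<II", pkt, 0)
        if msgcode == PRISM_MSGCODE_MONITOR and msglen == PRISM_HEADER_LEN:
            return pkt[PRISM_HEADER_LEN:]
    return pkt  # card did not prepend a Prism header; the frame starts at offset 0


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24:  # shorter than a management frame header
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    src = mac_str(frame[10:16])  # Address 2 is the transmitter in a probe request
    body = frame[24:]
    off = 0
    while off + 2 <= len(body):  # walk the tagged information elements
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:
            return None  # truncated IE: do not trust the frame
        if tag == IE_SSID:
            ssid = value.decode("utf-8", "replace")
            return src, (ssid if ssid else "<broadcast>")
        off += 2 + length
    return None  # a probe request without an SSID element is malformed


def track_probes(packets):
    """Map each source MAC to the set of SSIDs it has probed for."""
    probes = defaultdict(set)
    for pkt in packets:
        result = parse_probe_request(strip_prism_header(pkt))
        if result is not None:
            src, ssid = result
            probes[src].add(ssid)
    return dict(probes)


def to_dot(probes) -> str:
    """Render the SRC -> SSID relation as a Graphviz DOT digraph."""
    lines = ["digraph probes {"]
    for src in sorted(probes):
        for ssid in sorted(probes[src]):
            lines.append(f'  "{src}" -> "{ssid}";')
    lines.append("}")
    return "\n".join(lines)


# --- constructed sample capture (not real traffic) ---

def make_prism_header() -> bytes:
    items = b"\x00" * (PRISM_HEADER_LEN - 24)  # ten 12-byte items, zeroed for the sample
    return (struct.pack("<II", PRISM_MSGCODE_MONITOR, PRISM_HEADER_LEN)
            + b"wlan0".ljust(16, b"\x00") + items)


def make_probe_request(src: bytes, ssid: bytes) -> bytes:
    fc = b"\x40\x00"  # type 0 / subtype 4
    header = fc + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ies  # SSID element followed by a supported-rates element


SRC_A = bytes.fromhex("001122334455")
SRC_B = bytes.fromhex("66778899aabb")
BEACON = b"\x80\x00" + b"\x00" * 22 + b"\x00" * 12 + bytes([IE_SSID, 3]) + b"lab"

SAMPLE_PACKETS = [
    make_prism_header() + make_probe_request(SRC_A, b"CoffeeShop"),  # card with Prism header
    make_probe_request(SRC_A, b"HomeNet"),                           # card without one
    make_prism_header() + make_probe_request(SRC_B, b""),            # broadcast (wildcard) probe
    BEACON,                                                          # not a probe request, ignored
]

if __name__ == "__main__":
    print(to_dot(track_probes(SAMPLE_PACKETS)))
```

Running it prints a DOT graph with two source nodes; `dot -Tpng` turns that into the kind of picture described above. The Prism check is deliberately conservative: both the message code and the length must match before 144 bytes are skipped, so a card that delivers bare frames is parsed from offset 0 rather than having its first frame eaten.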

You can get it here:

The direct download link is the following:

(if you click the last link, you miss the graph samples :))

Friday, September 07, 2007

WifiZoo - playing with 802.11

I've been playing around with wireless, and heard about Ferret from Errata Security, which, although nothing spectacular, I do believe is a fun/useful tool to have.
I also wanted a tool to leave unattended, hopping through all 802.11 channels, so I can go read a book, come back, and get some useful information from it. I also wanted to make graphs of stuff, because everybody loves graphs, and I do too :). I really believe data representation is very important and changes everything.

So I basically reinvented the wheel, added some stuff to it, everything using python, and came up with WifiZoo.

You can check it out at You can find a detailed description of the tool in the previous link.

Again, it is nothing spectacular, but it is a fun tool to use on wireless penetration tests; it works. Lots of functionality still needs to be added, but again, it gets the job done. For now, I take the tool as a fun exercise to spend time on from time to time :).

Wednesday, September 05, 2007

New Pass-The-Hash info web page

I just added some more info about Pass-The-Hash here:

It includes scenarios, workarounds, possible issues etc.
I'll be adding more info from time to time, so check it out periodically if you are interested in the tool.

Tuesday, September 04, 2007

Pass-The-Hash Toolkit v1.1 Released

I just released Pass-The-Hash Toolkit v1.1. This release has support for more targets, including German/French versions of Windows XP SP2, and also Windows Server 2003. I added a -B switch that tells IAM.EXE and WHOSTHERE.EXE to look for the necessary memory addresses at runtime using some 'heuristics'; this should also make it work on more targets.

I expect people to continue having issues on some platforms because the things the tool does depend on certain memory areas that vary from OS version to OS version, so if you have issues, please let me know; most of the time it is very easy to add support for your platform to the tool.

The source code is available here.

The binaries are available here.

-Improved support for Windows XP SP2 German/French, Windows 2003 SP1/SP2, both for
-Added the -B switch to IAM.EXE and WHOSTHERE.EXE. If IAM.EXE or WHOSTHERE.EXE is
not working in your configuration, please run the tools again specifying -B at the end.
The -B option will try to find, using 'heuristics', the addresses the tools need
to do what they do. If you are still having issues, please let me know; I expect people
to have issues because the addresses vary from OS version to OS version.

Note for Windows Server 2003 users:

-If you run IAM.EXE and it ends as expected, as if it had worked, but then you run
WHOSTHERE.EXE and the credentials did not change, do the following:

-Start a cmd.exe using runas, for example:

runas /user:administrator cmd.exe

-And in the new console run IAM.EXE, and then WHOSTHERE.EXE to verify. Now
it should work.

It seems that sometimes you need a new session, different from the interactive
session, for LSASS.EXE to accept the modifications to the credentials in memory. If
you are logging into the machine remotely using psexec/Remote Desktop etc. this does
not occur (at least, this is what I observed); I had troubles like this when
logging in interactively to the server. Also, after you run 'runas', running IAM.EXE
in a regular CMD.EXE shell will start working. Don't take any of this as
a precise explanation of what's going on; this is just what I observed and a way
to work around it. I'll analyze what's really going on in the future.