Category Archives: hacking

Wifi Pineapple Mark V MR3020 – Bypass verify_pineapple LED pattern

wrong pattern entered during verify pineapple.

Recently, I had a cool weekend project to do at home, spending some good time with my gadgets. 😀 I decided to install Wifi Pineapple Mark 5 version 2.2.0 on a TP-Link MR3020 version 1.9. It's a straightforward process, and you can follow the tutorial on my personal wiki at wiki.khairulazam.net.

After the installation finishes, you need to go through the Pineapple security measure as part of setting up the Pineapple for the first time.

You need to select the pattern on that page that matches the blinking LEDs on your device. But… you know. Shit happens. Maybe because you are installing the firmware on different hardware. 🙁

So, if you are facing the same problem, it's okay. With help from Mr. Fikri Fadzil, let's bypass the pattern verification. >_<

First, power off your device, which in my case is a TP-Link MR3020.

After that, unplug the USB pendrive that contains the Pineapple firmware and plug it into your computer. I use Ubuntu Desktop to make this step easier.

Go to this directory:

* /media/a7ac8712-5a08-49da-b9e1-2ede31828bda/ may be different from yours. Take note of where your USB drive is mounted on your OS.

And edit this file:

Go to line 199, or search for the keyword “array_search” in this “welcome.inc.php” file.

Edit the code from this:

to this:

Save the code. Unmount/eject your USB pendrive and plug it back into your MR3020.

After that, just power on your device and go through the pattern verification step again. This time, it will accept any pattern you like.

Then proceed to the next step. Happy hacking! 🙂

Geo-stalking with Bing Maps and the Twitter Maps App

Geo/Social stalking is fun. Bing Maps has the ability to add various “apps” to the map to enhance your Bing Maps experience. One of the cooler ones is the Twitter Map app, which lets you map geotagged tweets.

Let’s start with somewhere fun, like the German-Malaysian Institute (GMi), Bangi, and see who’s tweeting around there.. ;D

First, open www.bing.com/maps/

Then, you can change the view to Aerial View for a nicer look. ;D
You may change to any other place you want to view, e.g. your home, college, workplace.

Then, select the Map apps option..

Then, select the Twitter Maps app..

Wait a while for the page to load what it needs (the tweets around the map area you are currently viewing).

Aaannndd.. Ta-Da! Happy Stalking. ;D

Thanks to carnal0wnage for this tip. 😉

Metasploit?

Have you ever wanted to use Metasploit?
Have you ever managed to get a session using Metasploit?
I had never managed to use Metasploit.. 🙁

But I never give up (except on certain things)..
In the end I got to use it..
And I got access to that PC too.. 🙂

So, let me share how I managed to do this..
First, install Metasploit.
Any version will do.
You can update it later.

After installing, don't forget to update.
That way you can use more exploit sources later.

After installing & updating,
run Metasploit.
Run the console one.
Because people always say
that using the CLI is more effective.
So, you should try it.. 😉

Once it's running,
type something like this..

That is the exploit we are going to use..
This exploit uses the browser (IE) to do its work..

After setting your exploit,
set your payload next..

After setting the payload,
assign/fill in whatever is needed, such as LHOST, LPORT, SRVHOST, URL & other relevant options..

After setting everything,
type show options to look back over all your settings..
Whether they're right or not. Fill in whatever it requires if you haven't filled it in yet..

Once everything is settled,
type exploit..
It will output something like this..

So, you have to get your victim to go to the URL http://192.168.56.101:8080/asjKYXWBb3z..
Only then does it work..
Otherwise the exploit & payload will never run.. :p

After you've got your victim to open that URL,
you will see in your msfconsole the flow of the exploit being run against the victim who opened the URL..

If your exploit works,
it will output something like this..

Haa.. Got it! You now have 1 session with them..
You can upload/download and do all sorts of things on their PC..
Let's have a look..

Yeay! I did it. Haha..
It's just a simple thing..
I guess other people wouldn't even notice that I managed to do this.. 🙁

Anyway, good luck trying it.
If there's anything, you can ask me.. 🙂
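
A detection-side view of the flow described above, added here as an example and not part of the original post: the lure is a URL on a bare IP with a non-standard port and a random path, and, assuming a reverse-connect payload, a session shows up as the same client then connecting back to that IP on another port. The log format, the thresholds and the port 4444 in the sample are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed proxy/flow log: epoch seconds, client IP, event, target.
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://intranet.example.local/index.html
1010 10.0.0.7 GET http://192.168.56.101:8080/asjKYXWBb3z
1012 10.0.0.7 CONNECT 192.168.56.101:4444
1020 10.0.0.9 GET http://192.168.56.20:8080/status
1030 10.0.0.8 GET http://203.0.113.9:8000/Qw3rTy9ZxK
"""

RANDOM_PATH = re.compile(r"^/[A-Za-z0-9]{8,}$")  # one random-looking segment

def is_suspicious_url(url):
    """Bare-IP host, explicit non-web port, single mixed-case random path."""
    parts = urlsplit(url)
    try:
        ip_address(parts.hostname or "")
    except ValueError:
        return False  # named host, not an IP literal
    if parts.port in (None, 80, 443):
        return False
    path = parts.path
    mixed = any(c.isupper() for c in path) and any(c.islower() for c in path)
    return bool(RANDOM_PATH.match(path)) and mixed

def find_exploit_visits(log, window=60):
    """Flag lure-style GETs and note whether the same client then opened a
    connection to the same IP on another port within `window` seconds."""
    events = [line.split() for line in log.splitlines() if line.strip()]
    findings = []
    for ts, client, verb, target in events:
        if verb != "GET" or not is_suspicious_url(target):
            continue
        srv = urlsplit(target)
        callback = any(
            v == "CONNECT" and c == client
            and t.rsplit(":", 1)[0] == srv.hostname
            and int(t.rsplit(":", 1)[1]) != srv.port
            and 0 <= int(ts2) - int(ts) <= window
            for ts2, c, v, t in events
        )
        findings.append({"client": client, "url": target, "callback": callback})
    return findings
```

A hit with `callback` set is the one to triage first; a hit without it may be a failed attempt or an unrelated service on a raw IP.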

ESET Nod32 Taiwan pwn! :)

Today, another Nod32 website has been pwnd/hacked..

Here is the screenshot:

ESET NOD32 Taiwan

So, on this peaceful day, I have something to give you all.. 🙂

Brand new NOD32 key.. ahaha..

This thing really annoys me..

Why?

Because their website security is really low..

They don't manage their db very well..

I'm just wondering why they put important files like serial keys, passwords, usernames, and other important files in their database without encrypting them..

Like some of the dbs that I found, mostly they don't encrypt their passwords..

Sounds bad to me.. 🙂

Anyway, see you next time!

Assalamualaikum.. 🙂

darkMSSQL tutorial

Today I want to show how to use darkMSSQL.py…

This thing is used for MSSQL databases that have errors..
I rarely come across MSSQL databases that have errors..
Even when I do, it's just luck..

That probably means the Web Admin is just too lazy..
GMi's server also uses an MSSQL-type server..
Oppss! Sorry! :p

Anyway, let's see how I use darkMSSQL.py..

darkMSSQL.py journey… begin…

Do you understand this?

If you don't understand, you can ask me..

It's not that hard anyway.. 😀

p/s : thanks to rsauron from darkc0de for this script.. nice one mate ! 🙂

WiredEquivalentPrivacy 128-bit encryption key pwnd!

WEP 128-bit.. a long encryption key..
How can I get this key?
By using aireplay-ng – injecting the probe and replaying the packet..
Also don't forget to dump it! 🙂


Hurmm.. not really a good way to secure your network..
Although it is a 128-bit key, you can still get the key..
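
The practical consequence is to find any access point still offering WEP and move it off. An added example (not from the original post) that classifies access points from the text printed by `iw dev <iface> scan`, treating a set Privacy capability with no RSN or WPA element as WEP; the sample scan and every name in it are constructed.

```python
import re

# Constructed sample in the layout printed by `iw dev <iface> scan`.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tfreq: 2412
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: office-legacy
BSS 02:00:00:00:00:02(on wlan0)
\tfreq: 2437
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: office-main
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
BSS 02:00:00:00:00:03(on wlan0)
\tfreq: 2462
\tcapability: ESS ShortSlotTime (0x0401)
\tSSID: guest-open
"""

def classify(scan_text):
    """Map each BSSID to (ssid, security) from iw scan text."""
    cells, cur = {}, None
    for line in scan_text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line, re.I)
        if m:  # a new access point record starts here
            cur = cells.setdefault(m.group(1), {"ssid": "", "flags": set()})
            continue
        field = line.strip()
        if cur is None or not field:
            continue
        if field.startswith("SSID:"):
            cur["ssid"] = field[5:].strip()
        elif field.startswith("capability:") and "Privacy" in field.split():
            cur["flags"].add("privacy")
        elif field.startswith(("RSN:", "WPA:")):
            cur["flags"].add(field[:3].lower())
    out = {}
    for bssid, c in cells.items():
        f = c["flags"]
        # Privacy bit with no RSN/WPA element: the AP is offering WEP.
        sec = ("RSN" if "rsn" in f else "WPA" if "wpa" in f
               else "WEP" if "privacy" in f else "open")
        out[bssid] = (c["ssid"], sec)
    return out

def wep_networks(scan_text):
    """Return [(bssid, ssid)] for every access point classified as WEP."""
    return [(b, s) for b, (s, sec) in classify(scan_text).items() if sec == "WEP"]
```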

till next time dude!