WIRELESS SECURITY AND PENTEST TUTORIAL USING BACKTRACK The tutorial about Network Security and Pentest using Backtrack...
WIRELESS SECURITY AND PENTEST TUTORIAL USING BACKTRACK The tutorial about Network Security and Pentest using Backtrack that covers Networking Basics, Wireless Networks Basics, Wireless Penetration and Securing Wireless Networks.
Independent Study by Nuno Freitas 27/05/2012
Nuno Freitas
Table of Contents
Executive Summary ………………………………………………………..……. 2 Before the fun part Start ……………………………………………………..…... 3 ARP Protocol …………………………………………………………………….. 4 Discovery of Networks ….……………………………………………………….. 6 Wireless Networks ….……………………………………………...…………….. 7 Software …………….……………………………………………...…………….. 11 Wireshark …..……….……………………………………………...…………….. 13 Wireless Deauthentication Attack ………………………………...…………….... 21 Fake Authentication ……………………………….………...…..……………….. 23 MAC Filtering ……………………………….………...…..………………….….. 27 Cracking WEP with a connected client (OPEN System) ……………….…….….. 29 Cracking WEP without a connected client (OPEN System) ……...…….…….….. 35 Cracking WEP (Shared Key Authentication) ……………….…….…….…….…. 41 Cracking WPA (Dictionary Mode) ……………….…….…….…………….….… 46 Cracking WPA (Database Mode) ……………….…….…….…………….…...…. 50 Hidden ESSID ……………….…….…….…….………………………….…...…. 55 Cracking WPA (Wi-Fi Protected Setup) ……………….………….…..............…. 57
1
Nuno Freitas
Executive Summary Over the past months I’ve been learning about Network Security. I’ve started reading documents like this and so I’m writing this tutorial not to teach anyone how to break into their neighbor’s network and get free internet or valuable information. No. I’m writing this because even not being an expert, I hope that this could be useful to those who don’t know where to begin learning about it. Backtrack, currently in it fifth version, Backtrack 5, is an operating system based on Ubuntu GNU/Linux distribution and it is aimed at digital forensics and penetration testing use. It is named after backtracking, a search algorithm. Backtrack have tons of tools that could be useful, I’ll be talking about some that already come with Backtrack and some other that you need to install if you are using an older version than Backtrack 5 R2. I’ll add to this document how to install those programs. Through the Document let’s imagine I’m an attacker, attacking Wireless Networks. In this tutorial I’ll be using one Computer, with Windows 7 and VMware installed with Backtrack 5 R2, the attacker computer. I will use two routers through the Tutorials because my old Router (Conceptronic c54brs4) doesn’t support WPS to use against Reaver so I’ll use a TP-LINK TLWR841ND.
Don’t forget, the attacker pc must be using a Wireless Card that supports “packet injection” in order to perform some attacks.
2
Nuno Freitas
My Setup
Router (Conceptronic C54BRS4)
Attacker Antenna (TP-LINK TLWN722N)
Router (TP-LINK TL-WR841ND)
Before the fun part start Before we start the fun part I would like to write about some network basics. Thus, this paper will be helpful even you don’t have a really good knowledge of what it is a network and how it works. Even if you know how a network works, you might find the texts bellow interesting anyway.
3
Nuno Freitas
The ARP Protocol In networks there are a variety of protocols. One of them is the ARP Protocol. ARP stands for Address Resolution Protocol.
Before we start with the ARP Protocol, let’s just remember what are Physical Addresses and Logical Addresses. Physical Addresses – It’s what we know as MAC (Media Access Control) which is associated to a device. This address is composed by 48 bits (12 hexadecimal characters) Logical Addresses – They are what we often call as IP Address. How does the ARP Protocol works? In a network when a computer wants to find another one it has to know the IP of that computer but the information inserted in the packets is the MAC Address of the destination computer. When you only know the IP you need to ask for the MAC. Using the ARP Protocol, that resolves IP Addresses into MAC Addresses. For example Imagine a computer, let’s just say Computer A, with an IP 192.168.2.105 and it wants to communicate with a computer with an IP 192.168.2.100, Computer B. 4
Nuno Freitas
Computer A will check its ARP Table and if it doesn’t possess Computer B’s MAC Address it will send a message to the Address FF:FF:FF:FF:FF:FF asking the ARP Address of Computer B. (ARP REQUEST) Then computer B will answer to Computer A sending him his Physical Address. Computer A will add an Entry in its ARP Table with that same MAC Address corresponding to Computers B’s IP. (ARP REPLY) You can check your ARP Table by typing in a Command Prompt: #arp -a
It is also possible to translate MAC Addresses into IP Addresses but the Protocol used in that translation is the RARP Protocol (Reverse Address Resolution Protocol). These are some of the most important Protocols in networking and some of the easiest Protocols to understand. Up ahead in this tutorial we will talk more about ARP Protocol.
5
Nuno Freitas
Discovery of Wireless Networks When you want to perform a wireless attack you need to identify the network you are attempting to access. Sometimes the attacker knows already what network he will attempt to break, sometimes it doesn’t so it is needed more time to figure it out. Well, I won’t talk about how to hack a corporation because the point of this tutorial is not “how to become a criminal or a hacktivist”, I just want to show you how easily someone can break through your network and get free internet or data and help you to avoid that. So I will get to the point with a general idea of scanning and not what it really is all about. For the next tutorials we will be scanning the airwaves in monitor mode or promiscuous mode which is a type of scan where you don’t send any beacons or probes, instead of that, you gather information from traffic that is already going on the air. Figuratively it's like if your computer just sits down and read the traffic going on the airwaves and interprets it. To perform a passive scan a wireless card must be on “monitor mode”. A card in monitor mode will read every wireless packet it can reach and try to extrapolate data. As all wireless networks operate on the same frequency, the air is usually flooded with packets from several different networks. The card picks up these packets and deduces what network they belong to. This is different than just only trying beacon or probe packets because there is always much more traffic than just those two types of packets. Not all wireless cards support monitor mode. The chipset of the card must support the mode as well as the driver being used. In the tutorials I’ll be using airmon-ng which is a program in aircrack-ng suite, to put the wireless card in monitor mode. Before we start the hacking process there are some things you should read about if you’re a beginner. For example what are WEP and WPA encryptions? How do they work? What is the 802.11n standard? Let’s find about that.
6
Nuno Freitas
Wireless Networks There are two types of encryption in Wireless Networks, we have WEP that stands for Wireless Equivalency Protocol and we have WPA which stands for Wi-Fi Protected Access. In spite that WPA is more secure than WEP, both are vulnerable to different types of attacks as we will see.
WEP (Wireless Equivalency Protocol) WEP is not the best protection, however it is better than nothing, though generally not as secure as the more sophisticated WPA/WPA2 encryption. A big problem is that if a Cracker can sniff packets on a WEP encrypted network, it is only a matter of time until the password is cracked. If enough traffic can be intercepted by an attacker, then it can be broken by brute force in a matter of minutes or even seconds. If that weren’t bad enough, the time it takes to crack WEP only grows linearly with key length, but a 104-bit key doesn’t provide any significant protection over a 40-bit key when faced against a determined cracker. There are several freely available programs that allow for the cracking of WEP that’s why it is indeed a broken solution, but it should be used over than nothing. With WEP there are two different forms of authentication, shared key and open system. In shared key, the client request authentication and the Wireless Access Point sends a text which the client has to encrypt using the WEP key and send it back, if it matches then the WAP (Wireless Access Point) authenticates and associates with the client. In open system authentication any client can associate with the WAP. The client is authenticated regardless of the key it possesses and begins to receive packets. The client would need the correct key at this point to read the packets. A WEP key is usually 128bit comprised of 26 hexadecimal values and a 24bit Initialization Vector (IV). Each packet is encrypted using RC4 algorithm with the 26 hexadecimal values and a random IV. The packet is sent along with the IV in plain text. The client then decrypts the packet using the hex key and the included IV.
7
Nuno Freitas
WPA (Wi-Fi Protected Access)
WPA Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN-equipment that worked with WEP are able to be simply upgraded and no new equipment needs to be bought. WPA is a trimmed-down version of the 802.11i security standard that was developed by the IEEE 802.11 to replace WEP. The TKIP (Temporal Key Integrity Protocol) encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AESCCMP algorithm that is the preferred algorithm in 802.11i and WPA2. WPA Enterprise provides RADIUS based authentication using 802.1x. WPA Personal uses a pre-shared Shared Key (PSK) to establish the security using an 8 to 63 character passphrase. The PSK may also be entered as a 64 character hexadecimal string. Weak PSK passphrases can be broken using a dictionary attacks by capturing the “fourway handshake” when the client connects to the network or reconnects after being deauthenticated. WPA Personal is secure when used with ‘good’ passphrases or a full 64-character hexadecimal key. They should also not use WPS (Wireless Protected Setup) since a huge vulnerability was discovered and can be already exploited.
TKIP This stands for Temporal Key Integrity Protocol and the acronym is pronounced as “teekip”. This is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system and also provides a message integrity check. These avoid the problems of WEP.
EAP The WPA-improvement over the IEEE 802.1X standard already improved the authentication and authorization for access of wireless and wired LANs. In addition to this, extra measures such as the Extensible Authentication Protocol (EAP) have initiated an even greater amount of security. This, as EAP uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings.
8
Nuno Freitas
802.11i security The newest and most rigorous security to implement into WLAN's today is the 802.11i RSN-standard. This full-fledged 802.11i standard (which uses WPA2) does require the newest hardware (unlike WPA), thus potentially requiring the purchase of new equipment. This new hardware required may be either AES-WRAP (an early version of 802.11i) or the newer and better AES-CCMP-equipment.
WPA2 WPA2 is a Wi-Fi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and pre-shared key (PSK).
CCMP CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol also known as (CCM mode Protocol) is an encryption protocol designed for Wireless Networks products that implement the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) of the AES standard. It was created to address the vulnerabilities presented by TKIP, a protocol in WPA, and WEP, a dated, insecure protocol.
802.11b 802.11b has a maximum raw data rate of 11 Mbit/s and uses the same media access method defined in the original standard. 802.11b products appeared on the market in early 2000, since 802.11b is a direct extension of the modulation technique defined in the original standard. The dramatic increase in throughput of 802.11b (compared to the original standard) along with simultaneous substantial price reductions led to the rapid acceptance of 802.11b as the definitive wireless LAN technology. 802.11b devices suffer interference from other products operating in the 2.4 GHz band. Devices operating in the 2.4 GHz range include: microwave ovens, Bluetooth devices, baby monitors and cordless telephones.
802.11g In June 2003, a third modulation standard was ratified: 802.11g. This works in the 2.4 GHz band (like 802.11b), but uses the same OFDM based transmission scheme as 9
Nuno Freitas
802.11a. It operates at a maximum physical layer bit rate of 54 Mbit/s exclusive of forward error correction codes, or about 22 Mbit/s average throughputs. 802.11g hardware is fully backwards compatible with 802.11b hardware and therefore is encumbered with legacy issues that reduce throughput when compared to 802.11a by 21%. The then-proposed 802.11g standard was rapidly adopted by consumers starting in January 2003, well before ratification, due to the desire for higher data rates as well as to reductions in manufacturing costs. By summer 2003, most dual-band 802.11a/b products became dual-band/tri-mode, supporting a and b/g in a single mobile adapter card or access point. Details of making b and g work well together occupied much of the lingering technical process; in an 802.11g network, however, activity of an 802.11b participant will reduce the data rate of the overall 802.11g network. Like 802.11b, 802.11g devices suffer interference from other products operating in the 2.4 GHz band, for example wireless keyboards.
802.11n 802.11n is an amendment which improves upon the previous 802.11 standards by adding multiple-input multiple-output antennas (MIMO). 802.11n operates on both the 2.4 GHz and the lesser used 5 GHz bands. The IEEE has approved the amendment and it was published in October 2009. Prior to the final ratification, enterprises were already migrating to 802.11n networks based on the Wi-Fi Alliance's certification of products conforming to a 2007 draft of the 802.11n proposal.
10
Nuno Freitas
Software During these next tutorials I’ll be using some programs under Backtrack 5, so let’s give a brief explanation about what are those programs all about and what type of tasks they can be used for.
Aircrack-ng Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11b, 802.11g and 802.11n traffic. The program runs under Linux and Windows. Features The aircrack-ng software suite includes: aircrack-ng - Cracks WEP and WPA (Dictionary attack) keys. airdecap-ng - Decrypts WEP or WPA encrypted capture files with known key. airmon-ng - Placing different cards in monitor mode. aireplay-ng - Packet injector (Linux, and Windows). airodump-ng - Packet sniffer: Places air traffic into PCAP or IVS files and shows information about networks. airtun-ng - Virtual tunnel interface creator. airolib-ng - Stores and manages ESSID and password lists; Increases the KPS of WPA attacks packetforge-ng - Create encrypted packets for injection. airbase-ng - Incorporates techniques for attacking client, as opposed to Access Points airdecloak-ng - removes WEP cloaking from pcap files airdriver-ng - Tools for managing wireless drivers tkiptun-ng - WPA/TKIP attack airserv-ng - allows you to access the wireless card from other computers. buddy-ng - the helper server for easside-ng, run on a remote computer easside-ng - a tool for communicating to an access point, without the WEP key wesside-ng - automatic tool for recovering WEP key
11
Nuno Freitas
Wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues. Wireshark is very useful since you can analyze every packet individually and understand what is going on the airwaves since that Wireshark distinguishes all types of packets travelling the wireless field. Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and on Microsoft Windows.
Pyrit Pyrit allows creating massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world’s most used security-protocols. Pyrit is free software. Everyone can inspect copy or modify it and share derived work under the GNU General Public License v3+. It compiles and executes on a wide variety of platforms including FreeBSD, MacOS X and Linux as operation-system and x86-, alpha-, arm-, hppa-, mips-, powerpc-, s390 and sparc-processors. Pyrit is a very good tool, although it’s not included in Backtrack 5. In pyrit attack tutorial I will also explain how to install it.
Reaver Reaver implements a brute force attack against Wifi Protected Setup (WPS) using PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
12
Nuno Freitas
Wireshark So, as you might read before, Wireshark is a packet analyzer. Let’s learn how to work with that tool. Remember that Wireshark can work on every interface you have. For example you can create a monitor mode interface and use it on Wireshark, that way you will get every packet in the Wireless airwaves and get a big number of packets. As you already saw with airodump-ng in Aircrack-ng suite it is very easy to get thousands of packets in minutes or even seconds, it depends on the traffic of the network. It would be a trouble to find some data frames in the middle of all the beacon frames, but Wireshark have the ability to filter by type of packet or by MAC Address. With this we get comfortable when we are trying to find specifically types of packet and get to them faster. First let’s talk about WLAN frames, it will help is with Wireshark and with networking at all if we understand this. There are three types of frames: Management Frames, Control Frames and Data Frames. 1. Management frames: They are responsible for maintaining communication between the access points and wireless clients. There are ten types of Management Frames: -
Authentication - 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a wireless card. The Wireless Card begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the Wireless Card sends only one authentication frame, and the access point responds with an authentication frame as a response indicating acceptance (or rejection). With the optional shared key authentication, the Wireless Card sends an initial authentication frame, and the access point responds with an authentication frame containing challenge text. The Client must send an encrypted version of the challenge text (using its WEP key) in an authentication frame back to the access point. The access point ensures that the Client has the correct WEP key (which is the basis for authentication) by seeing whether the challenge text recovered after decryption is the same that was sent previously. Based on the results of this comparison, the access point replies to the Client with an authentication frame with the result of authentication.
-
De-Authentication - A station sends a deauthentication frame to another station if it wishes to terminate secure communications.
-
Association Request - 802.11 association enables the access point to allocate resources for and synchronize with a Wireless Card. The client begins the association process by sending an association request to an access point. This frame carries information about the Wireless Card (supported data rates, etc.) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating
13
Nuno Freitas
with the Client, and (if accepted) reserves him some memory space and establishes an association ID. -
Association Response - An access point sends an association response frame containing an acceptance or rejection notice to the Wireless Card requesting association. If the access point accepts the radio Wireless Card, the frame includes information regarding the association, such as association ID and supported data rates. If the outcome of the association is positive, the Client can utilize the access point to communicate with other Clients on the network and systems on the distribution (i.e., Ethernet) side of the access point.
-
Re-association Request - If a Wireless Card roams away from the currently associated access point and finds another access point having a stronger beacon signal, the Wireless Card will send a re-association frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be in the buffer of the previous access point waiting for transmission to the radio NIC. This is when there are several Access Points broadcasting on the same network, not different Access points on different networks.
-
Re-association Response - An access point sends a re-association response frame containing an acceptance or rejection notice to the Wireless Card requesting re-association. Similar to the association process, the frame includes information regarding the association, such as association ID and supported data rates.
-
Disassociation - A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a Wireless Card that is shut down gracefully can send a disassociation frame to alert the access point that the Wireless Card is powering off. The access point can then relinquish memory allocations and remove the Wireless Card from the association table.
-
Beacon - The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point to Wireless Cards that are within range. Wireless Cards continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with.
-
Probe Request - A station sends a probe request frame when it needs to obtain information from another station. For example, a Wireless Card would send a probe request to determine which access points are within range.
-
Probe Response - A station will respond with a probe response frame, containing capability information, supported data rates, etc., when after it receives a probe request frame.
14
Nuno Freitas
2. Control frames: Control frames are responsible for ensuring a proper exchange of data between the access point and wireless clients. Control frames can have the following sub-types: - Request to Send (RTS) - Clear to Send (CTS) - Acknowledgement (ACK) – Since 802.11 stations are not able to transmit and receive at the same time, while a station is transmitting a frame, it is not able to determine whether the frame was received or whether there was a collision. Therefore, every time an 802.11 radio that received the frame will reply with a 14-octet acknowledgement (ACK) frame. 3. Data frames: Data frames carry the actual data sent on the wireless network. There are no sub-types for data frames. Now that it is explained the different types WLAN frames we are able to start with Wireshark. This previous explanation about frames is important since in Wireshark you will get hundreds of frames and you will need to filter them whether you need them or not to simplify the process. So, let’s start with Wireshark. To start Wireshark, type “wireskark&” in the console. But before we start sniffing the airwaves let’s create a monitor mode device to sniff every packet from every network in range. To do that just type: #airmon-ng start wlan0 Wlan0 depends on your device, it could be wlan0, wlan1… It depends on the number of Wireless cards you have connected and what you want to use. To get used to it type: #airmon-ng The output will get from the shell will show you how many cards you have and their Interface names. After you have your Wireless card in monitor mode you will get a new interface, named mon0, that new interface is a virtual interface which is nothing more than your wireless card working on monitor mode. That’s the interface we will use in Wireshark. After you get Wireshark started you will get this window:
15
Nuno Freitas
This is the start window of Wireshark, to get started click in “Interface List” in Capture below Wireshark’s logo.
You will get the list of available devices that you can use to analyze packets going on the network. Mon0 will monitor the airwaves on the available channels in your region and eth1 or eth0 will monitor your wired network. 16
Nuno Freitas
This is Wireshark getting packets from the air. As you can see we have some ACK frames, some data frames. You will get hundreds or even thousands of frames while you are sniffing the packets. Imagine that we need to search for data frames… well it would be very difficult to find data frames in the middle of all the other frames, because there are several types of frames and you are looking for only one type, that’s where Wireshark filter helps a lot.
17
Nuno Freitas
Wireshark Filters Filter by Destination, Source and Port eth.src – With this filter you can filter by the source MAC Address (Ethernet). Example: eth.src == 00:11:22:33:44:55 eth.dst – With this filter you can filter by destination MAC Address (Ethernet). Example: eth.dst == 00:11:22:33:44:55 wlan.addr – This filter will filter packets by the source or destination MAC Address (Wireless Card). Example: wlan.addr == 00:11:22:33:44:55 wlan.sa – With this filter you can filter by the source MAC Address (Wireless Card). Example: wlan.sa == 00:11:22:33:44:55 wlan.da – With this filter you can filter by destination MAC Address (Wireless Card). Example: wlan.da == 00:11:22:33:44:55 wlan.bssid – With this filter you can filter only the frames from an specific Access Point by using the MAC Address (bssid). Example: wlan.bssid == 00:11:22:33:44:55 ip.addr – With this filter you can filter by source or destination IPv4 Address. Example: ip.addr == 192.168.2.1 ip.dst – With this filter you can filter by destination IPv4 Address. Example: ip.addr == 192.168.2.1 ip.src – With this filter you can filter by source IPv4 Address. Example: ip.addr == 192.168.2.1 ipv6.addr – With this filter you can filter by source or destination IPv6 Address. Example: ipv6.addr == 2001::5 ipv6.src – With this filter you can filter by source IPv6 Address. Example: ipv6.addr == 2001::5 ipv6.dst – With this filter you can filter by destination IPv6 Address. Example: ipv6.dst == 2001::5 tcp.port – With this filter you can filter packets by source or destination TCP port. Example: tcp.port == 80 tcp.dstport – With this filter you can filter packets by destination TCP port. Example: tcp.dstport == 80
18
Nuno Freitas
tcp.srcport – With this filter you can filter packets by source TCP port. Example: tcp.srcport == 80 udp.port – With this filter you can filter packets by source or destination UDP port. Example: udp.port == 80 udp.dstport – With this filter you can filter packets by destination UDP port. Example: udp.dstport == 80 udp.srcport – With this filter you can filter packets by source UDP port. Example: udp.srcport == 80 Filter by Types of frames wlan.fc.type == 0 – With this filter you can filter only the Management frames. wlan.fc.type == 1 – With this filter you can filter only the Control frames. wlan.fc.type == 2 – With this filter you can filter only the Data frames. Filter by Subtypes of frames (wlan.fc.type == 0) && (wlan.fc.subtype == 1) – With this filter you can filter only the Authentication frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 2) – With this filter you can filter only the De-Authentication frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 3) – With this filter you can filter only the Association Request frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 4) – With this filter you can filter only the Association Response frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 5) – With this filter you can filter only the Re-Association Request frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 6) – With this filter you can filter only the Re-Association Response frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 12) – With this filter you can filter only the Dis-Association frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 8) – With this filter you can filter only the Beacon frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 9) – With this filter you can filter only the Probe Request frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 10) – With this filter you can filter only the Probe Response frames. (wlan.fc.type == 1) && (wlan.fc.subtype == 1) – With this filter you can filter only “Request to Send” frames. 19
Nuno Freitas
(wlan.fc.type == 1) && (wlan.fc.subtype == 2) – With this filter you can filter only “Clear to Send” frames. (wlan.fc.type == 1) && (wlan.fc.subtype == 3) – With this filter you can filter only Acknowledgement frames. (wlan.fc.type == 2) – With this filter you can filter only Data frames. Filter Operators != - Exclude -With this operator you can exclude a filter option. Image that you want to get all the Management Frames except Beacon Frames, you can use (wlan.fc.type == 0) != (wlan.fc.subtype == 8) && - And- This operator can make a filter with two filter types. If you want to filter only Authentication and De-Authentication frames, use (wlan.fc.type == 0) == (wlan.fc.subtype == 1) && (wlan.fc.type == 0) == (wlan.fc.subtype == 2)
|| - Or – Does exactly the same then AND but it will show filter 1 OR filter 2.
20
Nuno Freitas
Wireless Deauthentication Attack Basically this attack sends disassociation packets to one or more clients which are currently associated with a particular access point which make them lose connection to the AP. There are many reasons to perform a Deauth Attack: -
Capturing WPA/WPA2 handshakes by forcing clients to re-authenticate. Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) Recovering a hidden ESSID.
Well there is no practical way to avoid those attacks. However it is simple to confirm if you are being a victim of a Deauthentication Attack. To do that let’s use Wireshark. Well to get started I will use two computers in this example. One with Backtrack 5 and the other with Windows 7. The Windows 7 machine is already connected to the network, TP-LINK. The role that this machine is playing is simple, it will be the victim. On the other hand I will use a second machine running Backtrack and it will be the Attacker and the Monitor. I will be performing a Deauthentication attack and at the same time monitoring the Airwaves for Deauthentication packets with Wireshark. On your case, if you want to check if your being a victim of a Deauthentication attack you can use a machine running Wireshark, which runs on Windows and Linux… So let’s get started, first let’s put our wireless card in Monitor mode. #airmon-ng start wlan1 Then let’s check the networks we can reach. #airodump-ng mon0 Then attack your own network.
21
Nuno Freitas
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 mon0
This command is sending deauthentication packets to the AP and making the AP to Deauthenticate the Client. Open Wireshark and start sniffing the airwaves. Add the following filter to get only Deauthentication packets: (wlan.fc.type == 0) && (wlan.fc.subtype == 12)
In Wireshark’s output we get a bunch of Deauthentication packets, and as we can see the Source Address of those packets is the AP’s Address and you can’t know who is performing the attack. This type of attack will be crucial in WPA Attacks as we will see further on this tutorial. 22
Nuno Freitas
Fake Authentication Fake Authentication is useful on WEP Attacks and it doesn’t work under WPA networks. In WEP Cracking Attacks we will face two types of WEP Networks, one with Open System Authentication and the other called Shared Key Authentication. Open system Authentication is simple to perform Fake Authentications and you can start whenever you want, however in Shared Key Authentication Networks you will always need a connected client. If the network doesn’t have a connected client just wait until someone connects to the network. We need someone from inside the network to show up because we will need a 140 bit keystream that will allow us to fake an authentication. Without that we cannot authenticate. Remember that Open System authentication and Shared Key works different. Open System Fake Authentication So, imagine that you already have your target figured it out.
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated with the access point it will ignore the packet and sends out a "Deauthentication". In this state, no new initialization vectors are created because the access point is ignoring all the injected packets. The lack of association with the access point is the single biggest reason why packet injection fails. At this point you are just connecting to the access point and telling it you are here and want to talk to it, however this does not give you any ability to transfer data.
23
Nuno Freitas
aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 mon0 Where -1 means fake authentication, 10 means re-association timing in seconds, -a is the access point MAC address, and -h is the MAC address under which you act (either your own or the spoofed one). This is what the output should look like:
24
Nuno Freitas
Shared Key Fake Authentication First of all, as always, put your wireless card in monitor mode. #airmon-ng start wlan0 Then let’s search for our network, WLAN will be the target Network. #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepska wlan0 Using this we will sniff all the packets from WLAN network and save them in files called wepska. We will need to perform a deauthentication on an authenticated client in order to capture the shared key 140 bit keystream. If you try to fake authenticate as you’ve learned before you will get an error like the following image shows… This means that the network you are attacking now uses Shared Key Authentication system.
So, to fake authenticate in a Shared Key network we need to deauthenticate a client. Run airodump-ng to sniff the target network: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepska wlan0 25
Nuno Freitas
With this you are only looking at the target’s network. As you saw before there was a connected client, its MAC is 00:15:AF:A2:8D:98. So let’s deauthenticate him: #aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0
After you perform a deauthentication look to the top line in airodump-ng window there is now a text saying “140 bytes keystream: 00:80:5A:28:B5:AB” This means we have captured the .xor file we were looking for to perform a fake authentication. Use the following command: #aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 -y sharedkey-01-00:80:5A:28:B5:AB.xor wlan0
26
Nuno Freitas
With this we’ve managed to fake authenticate in a Shared Key network.
27
Nuno Freitas
Mac Filtering In some cases you might find some security barriers, like MAC Filtering, which is still easy to break. Imagine that you are trying to Fake Authenticate with an AP and you are getting an Error like this:
MAC Filtering is enabled on this network. To get through this security trick we need a legit MAC Address which have permission to connect with the AP. Run airodump-ng and wait until someone connects to that network or if someone’s already connected use it’s MAC Address to spoof your own.
As we can see there is one Client connected to WLAN, it’s MAC is 00:15:AF:A2:8D:98. Let’s turn it as our own MAC Address as well: 28
Nuno Freitas
#macchanger -m 00:15:AF:A2:8D:98 wlan1
This command will change Wlan1 device MAC Address into 00:15:AF:A2:8D:98. Even if the client keeps connected to the Network you can begin to fake authenticate. #aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0 This time don’t forget to use the spoofed MAC in -h option.
This brief explanation on what is Fake Authentication will help you in WEP Cracking that we will see later in this tutorial. With this information you shouldn’t have any trouble by doing this trick and performing WEP Cracking.
29
Nuno Freitas
Cracking WEP with a client connected (OPEN System) The weakness of WEP resides in the IV. It is sent as plaintext with the packet which basically means that anyone who grabs the packet can see the first 24bits of the code that was encrypted. The RC4 encryption algorithm can only generate about 16 million different codes based on the IV, meaning if you gather enough of these IVs you can crack the code throughout a brute force attack. Also contributing to the WEP’s weakness is the discovery that some IVs are weaker than others and software can recognize “weak” IVs and then use them to crack the key even quicker. Once the theory of how to Crack WEP was proven possible, computer programs were written that streamlined the process. There are two steps involved that programs take. Once an encrypted wireless network is found and the client is in range, it begins to intercept packets and logging the IVs. The packets contain encrypted data and are worthless individually, but if enough IVs are logged the code can be cracked. Usually about 50 000 IVs are needed to crack WEP. The number of IVs traveling is related to network traffic, so if no one is connected to the network it will take days to get that many, that’s why you need to create artificial traffic, but in the other hand if someone is already connected you can get a lot of IVs fast without any problems. Of course there is a method of speeding up the collection of IVs, through a certain type of packet injection although this technique it’s not supported by all Wireless Cards. This type of packet injection is called ARP injection. With this technique the wireless card sends out an ARP request to the access point which then responds with an ARP response. This response contains an IV, which is then captured. This process is repeated rapidly to generate numerous IVs. To perform this injection, the origin of the ARP request must be associated with the AP, or else the AP will not respond. Software is able to spoof the origin to make the request look like it came from an associated client, not from the attacker’s computer. As I told you I will be using a wireless security suite called aircrack-ng that comes with Backtrack Linux distribution for WEP attacks. Aircrack-ng contains all the tools necessary for discovering and cracking wireless networks. First let’s try to break a network with a connected client. Once a network has been identified through any technique the basic steps to crack WEP encrypted networks, and the programs used to accomplish with are: 1) Put the wireless card in passive monitor mode (airmon-ng) 2) Begin capturing packets that contain unique IVs and save them to the disk (airodump-ng) 3) Inject ARP requests from an associated client to generate new packets (aireplayng)
30
Nuno Freitas
4) Once enough IVs have been captured, run a cryptographic attack to decipher the WEP key (aircrack-ng) In this case, I will attack my own network so it is like if the attacker, me, had already identified the WEP encrypted network he wants to crack. The information he will need to start collecting IVs is the BSSID of the access point and the channel it is operating on. This information is easy to get using airodump-ng and it will also be used to capture the IVs and save them into a file. In this case the BSSID of the network we are trying to crack 00:80:5A:28:B5:AB is, the channel is 11, and we will call the output file wepkey. Let’s put our card in monitor mode, but first you need to know the Interface to use: #airmon-ng
You have now a list of interfaces that you have on your machine. If you have only one wireless card you will have only one interface, if you have two wireless cards connected you have two interfaces. I might use different cards through all the tutorials, when you see wlan1 and your Interface is wlan0 you use wlan0 instead of wlan1. Remember I’m making the attacks on my machine and it could be different from yours. So I will use wlan0 for this tutorial. To put that Interface on monitor mode use: #airmon-ng start wlan0 By now you have the wlan1 Interface and the system created a new interface called mon0. Well this is a virtual interface, basically “mon” comes from monitor it means that the interface mon0 is monitoring traffic. Now let’s sniff traffic from the network that we will attack, so use: #airodump-ng wlan0
31
Nuno Freitas
As I told you before this network I’m attacking is mine. My network is called WLAN so by using airodump-ng I already know the BSSID, the Channel. Let’s get started: #airodump-ng --channel 11 --bssid 00:80:5A:28:B5:AB --write wepkey wlan0
As we can see the “#Data” means the number of unique IVs we caught so far and saved in wepkey.cap. It is possible that airodump-ng create some .cap files like wepkey01.cap, wepkey-02.cap, that’s why in the end we will use in aircrack-ng “wepkey*.cap”. The “#/s” is the number of Unique IVs that we get per second. As you can see there is no traffic at all in this network and doing the math if we will try to get 50 000 IVs, we would need to wait 25 000 seconds, almost 7 hours to get enough IVs, so why don’t we start a packet injection technique to speed up the unique IVs collection? We can do that using aireplay-ng:
32
Nuno Freitas
#aireplay-ng --arpreplay -b 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0 -b 00:80:5A:28:B5:AB is the access point MAC address -h 00:15:AF:A2:8D:98 is the MAC address of the client that we will use as the “arp requester” This command will wait for an ARP Request coming from the network and flood the airwaves with that ARP request but making it look like it is coming from the associated client. So if you are attacking a network that has only one client connected it could take a while until you get an Arp request. If there is traffic coming from the network you might have a chance to get it the simple way. Imagine the situation, there is a client connected but he is not doing anything like if it was on “stand-by” mode, you can make it the hard way by deauthenticating the client using the network forcing him to communicating with the router. Use the following command: #aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0 -0 means deauthentication attack 10 is the number of deauthentication packets it will send -a 00:80:5A:28:B5:AB is the access point MAC address -h 00:15:AF:A2:8D:98 is the MAC address of the client to be deauthenticated When the client gets back to the network you might get some ARP requests. Well this is a simple process. You get an Arp Request and you replay it. That’s what “aireplay-ng 3” or “aireplay-ng --arpreplay” is doing. It waits for an ARP Request and replay, it gets another one and Replay it again. And keeps doing it and consequently generating traffic on the network. Remember that the traffic we are collecting are nothing but packets collecting IVs that we will use to brute force the wep key.
33
Nuno Freitas
After you get the first Arp request you should be getting something like the image above. It’s just a matter of time until you get enough IVs to make a brute force attack. Once you get around 50 000 you have a good chance of crack the network. However if you fail, just repeat the process. Get more IVs and try again. You’ll need more IVs depending on how big is the key. There are 64-bit keys, 128-bit keys and 152bit keys, more bits means more password combinations possible and we might need more IVs to crack the password. So if you fail with 50 000 get more IVs and you will get the key. As you know the captured data packets containing IVs are stored in the file that I called wepkey outputted by airodump-ng. The program will write multiple files to the active directory in different formats, but the one we are interested is the .cap files. To perform the crack use wepkey*.cap since it could write more than one .cap file, for example wepkey-01.cap, wepkey-02.cap… The attack starts with this command: #aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap wlan0
34
Nuno Freitas
So as you can see it found the WEP key of the network. The key I used for this example was “abcdef1234” and as you see in aircrack-ng output “KEY FOUND! [AB:CD:EF:12:34]” This was the example of how to break a WEP network with an already authenticated client. When you don’t have any clients connected to the network you want to break, you should do a different type of attack, let’s find out how we can do it.
The best way to avoid someone to get access to your network it’s definitely not using WEP Encryption. Use WPA.
35
Nuno Freitas
Cracking WEP without connected clients (OPEN System) Let’s see now how to get access if no one is connected to the Network. This type of attack is only successful when we get some packets from the wired side of the network. I mean it’s true that there are no clients connected over wireless, however the AP has RJ45 ports and we need to get some traffic from there. Why? Well, if there is no traffic there is no way possible to create traffic. You can try but the AP will deduce that anyone is broadcasting traffic, but the client it’s not connected to the network and the AP will throw away those packets and send a deauthentication packet to that fake client. However if we get some packets from the wired side and using either a chopchop attack or a fragmentation attack we can get a fragment, which is a .xor file that contains useful information that we could use to create an a packet to broadcast to the AP and it will provoke the AP to answer with new packets (IVs). That fake packet is received successfully by the AP because it sees that the information contained on that packet is valid. After we create that legit packet and injecting it in the air you will be able to resume the attack as we did before using a client connected. When we got enough IVs, it’s time to crack the password. So, let’s get started. First, put the wireless card in monitor mode. You know the drill: #airmon-ng start wlan0 Then use: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 wlan0 By now you don’t really need to use the “-w” parameter because you might get few packets. It’s up to you. Let’s now associate with an access point, using a fake authentication: #aireplay-ng -1 0 -e WLAN -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0 -1 means fake authentication attack 0 means the fake authentication attack won’t stop until its succeeded -e WLAN is the wireless SSID 36
Nuno Freitas
-a 00:80:5A:28:B5:AB is the access point MAC address -h 74:EA:3A:90:C7:21 is our card MAC address
So I succeeded to perform a fake authentication into the AP. Now I need to obtain the PRGA (Pseudo Random Generation Algorithm) file. To obtain it we will need to perform a chopchop attack or a fragmentation attack. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial. Either chopchop or fragmentation attacks can be used to obtain the PRGA bit file. The result is the same, so use one of them, it doesn’t really matter which one you used. I will cover the chopchop technique. Start another console session and run: #aireplay-ng -4 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0 -4 means the chopchop attack -b 00:80:5A:28:B5:AB is the access point MAC address -h 74:EA:3A:90:C7:21 is the MAC address of our card and must match the MAC used in the fake authentication wlan0 is the wireless interface name
37
Nuno Freitas
So after you perform a fake authentication you need to wait until you get a packet to perform an attack, I kept a console window performing fake authentications at every second as you can see, so I don’t get deauthenticated by any reason and another one with the chopchop attack waiting for a packet to start. When the console asks you “Use this packet?” press “y” and then ENTER to start the chopchop attack.
Wait a few seconds for the chopchop attack to make its magic. The file “replay_dec0917-223734.xor” as you can see above can now be used in the next step to generate an Arp packet.
38
Nuno Freitas
The objective is to have the access point rebroadcast the injected Arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key. Use the following command: #packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0917-223734.xor -w arp-request
-0 means generate an arp packet -a 00:80:5A:28:B5:AB is the access point MAC address -h 74:EA:3A:90:C7:21 is MAC address of our card -k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255) -l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255) -y replay_dec-0917-223734.xor is file to read the PRGA from -w arp-request is name of file to write the arp packet to
The system will respond: “Wrote packet to: arp-request” Let’s close the console running airodump-ng and open a new one and start airodump-ng again. This time you need to add the “-w” parameter so we can save the IVs we will generate to a file. If you used it already in the first one then you don’t need to close it. So use airodump-ng like this: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepkey wlan0 Let’s call that file, wepkey. On the console window you used to create the packet use this command: #aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0 After you start injecting arp requests from the packet you just created, the cracking process will be just like cracking WEP with a previous associated client. This will inject the packet we created in the air. After that the system will ask you if you want to use that packet, press “y” and ENTER to start injecting arp requests.
39
Nuno Freitas
As you can see now we are getting a lot of data (IVs). Remember once again, when you get around 50 000 IVs you have a good chance of crack the network. Don’t worry if you fail, try again with more IVs. Remember that you’ll need more IVs depending on how big is the key. There is no way to determine the size of the key so try with 50 000 if you fail try with 200 000 and if you fail get more, and you’ll get there. The point here is that you are doing it the right way if you fail is for bad luck and not because you’re doing it wrong. All of the captured data packets containing IVs are stored in the file that I called wepkey outputted by airodump-ng. The program will write multiple files to the active directory in different formats, but we are looking for .cap files. Airodump-ng creates more than one .cap file, I mean it creates wepkey-01.cap, wepkey02.cap… So, when you’re ready, use the command: #aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap
40
Nuno Freitas
So as you can see it found the WEP key of the network. The key I used for this example was “1234567890” and as you see in aircrack-ng output “KEY FOUND! [12:34:56:78:90]”
As I told you before do not use WEP, although it is better than nothing it is an unsecure method to protect your network.
41
Nuno Freitas
Cracking WEP (Shared Key) So, now let’s crack a WEP network using Shared Key system. For this example we will always need a connected client. If the network doesn’t have a connected client just wait until someone connects to the network. We need someone from inside the network to show up because we will need a 140 bit keystream that will allow us to fake an authentication. Without that we cannot authenticate. Remember that Open System authentication and Shared Key works different. So after we authenticate we need to perform a fragmentation or a chopchop attack to get a fragment to create a packet to inject in the airwaves. After that is like cracking WEP with Open System. Wait and get enough IVs to crack the password. First of all, as always, put your wireless card in monitor mode. #airmon-ng start wlan0 Then let’s search for our network, WLAN will be the target Network. #airodump-ng -c 11 --bssid 00:80:5A:28:B5:AB -w wepska wlan0
Using this we will sniff all the packets from WLAN network and save them in files called wepska. We will need to perform a deauthentication on an authenticated client in order to capture the shared key 140 bit keystream.
42
Nuno Freitas
After you perform a deauthentication look to the top line in airodump-ng window there is now a text saying “140 bytes keystream: 00:80:5A:28:B5:AB” This means we have captured the .xor file we were looking for to perform a fake authentication. Use the following command: #aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 -y wepska-01-00:80:5A:28:B5:AB.xor wlan0 Remember to always change the packets name from what I have to what you get. They might be different.
Now we will perform a fragmentation attack. Use the next command: #aireplay-ng -5 -a 00:80:5A:28:B5:AB wlan0 43
Nuno Freitas
Wait until you get a packet to use in the attack. When the system asks you “Use this packet?” press “y” and then ENTER to use it, and you will get a fragment that we will use to create an Arp Request. Basically this is the same that we did before on WEP Open System without connected clients.
As you can see in the output of the fragmentation attack you got now a file called fragment-0921-140138.xor or something similar. Let’s now create an arp-request. Use the following command:
44
Nuno Freitas
#packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255 -l 255.255.255.255 –y fragment-0921-140138.xor -w arp-request
This command will create an arp-request based in that fragment. Now we need to inject that packet in the airwaves and it will provoke the AP to respond to it with new IVs. #aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0 You should have the “airodump-ng” window sniffing them and saving the files, as I used above those packets are being saved in the file “wepska*.cap”. When we got enough IVs we will crack the WEP key. When we get around 50000 IVs use the following command:
Ok, when you got enough IVs let’s perform the bruteforce attack: #aircrack-ng -b 00:80:5A:28:B5:AB wepska*.cap
45
Nuno Freitas
As you can see the key was successfully cracked. The key for this example as 1234567890 and as you can see in the image “KEY FOUND: [12:34:56:78:90]. So this is everything about WEP. Let’s see now the WPA part of this tutorial.
Even being trickier to hack, WEP using Shared Key encryption is still an unsecure Encryption to use on your network. WPA is the solution
46
Nuno Freitas
Cracking WPA with Dictionary Attack (Aircrack-ng) After WEP was proven to be completely breakable, WPA emerged as its successor, it uses a much more advanced algorithm and does not have IVs. It doesn’t matter if you collect a big amount of packets, you can’t crack it that way. Most consumers use what is called WPA Personal, which utilizes a pre-shared key (PSK), which is a common key shared across all devices used for authentication. When a client wants to associate with a WPA encrypted network, a four-way handshake takes place. Briefly what occurs is the client first seeks association with the AP, the AP sends the client a bit of data which the client encrypts using the passphrase, SSID and some other data. The client sends this back to the AP which then encrypts that. If it match up the AP installs the main key on the client which is successfully associated and able to decrypt the packets. The packets are encrypted with this key, not the passcode. This is known as the fourway handshake between a client and the AP. Unlike WEP, there is not enough information contained in the packets to find the key. No matter how long an attacker sniffs the network and intercepts packets, he will never be able to crack the passphrase. However, within the four-way handshake, there is enough information to brute-force the passphrase. The basic steps for cracking a WPA Personal encrypted network are: 1) Discover the network and be within range to intercept packets. 2) Start sniffing the network for the four way handshake and capture it when it arises. 3) Wait for a new client to authenticate or deauthenticate a current client. 4) Brute force the captured handshake file with a dictionary file.
So the first thing to do is to put your Wireless card on monitor mode: #airmon-ng start wlan0 So next you will search for networks within range to intercept and inject packets. #airodump-ng wlan0
47
Nuno Freitas
So let’s break into WLAN. WLAN’s BSSID it is 00:80:5A:28:B5:AB, it’s all that we need to start sniffing packets waiting for the four-way handshake. To begin sniffing use the following command: #airodump-ng --bssid 00:80:5A:28:B5:AB –w wpakey wlan0 So we are now sniffing packets from WLAN network and saving them (-w) into a file named wpakey. Just like for WEP networks we will need that file later and once again we are interested in the *.cap file. So, right now you either wait for a new client to connect to the network if no one is connected already or you can deauthenticate that client forcing him to authenticate again and by doing this you sniff the four-way handshake between the client and the Wireless AP. Let’s make it with an authenticated client already with the following MAC Address: 00:15:AF:A2:8D:98.
So let’s deauthenticate the client with the next command:
48
Nuno Freitas
#aireplay-ng --deauth 25 –a 00:80:5A:28:B5:AB –c 00:15:AF:A2:8D:98 wlan1 When the client connects again, you will get the four-way handshake, you can see in airodump-ng window that you got it in the top right side of the console window.
The number after --deauth is the number of deauthentication packets aireplay-ng will send. A higher number will increase the probability of it working, but is less stealthy. The deauthentication was done and now we have got the four-way handshake.
Once the handshake has been captured, the attacker can stop capturing all packets. The information contained in the handshake is all that is needed to crack to WPA passphrase. Once the attacker has the handshake it is possible to crack the passphrase with dictionary techniques. This technique uses a wordlist and goes through each word one at a time, encrypting it with the other data gathered (the SSID and others) to see if it matches. When a match occurs, the word from the list is the passphrase used. This can be extremely “time consuming” depending on the complexity of the passphrase, the size of the dictionary file and the speed of your CPU. An attacker is limited by his processor speed to how many passwords he can try per second. With dictionary files containing millions and millions of different combinations of letters, words and numbers, the process could take a very long time.
49
Nuno Freitas
Fortunately, most consumers choose simple, easy to remember passphrases that can be decrypted using smaller dictionary files containing common names and passwords. The program aircrack-ng can be used to crack the handshake. The attacker must have a word list on his system. Backtrack includes several wordlists of different sizes, and larger ones can be downloaded from the internet. To use a word list with aircrack-ng and our captured handshake use this command: #aircrack-ng -w /pentest/passwords/wordlists/wpa.txt wpakey*.cap The output will look like this when aircrack-ng gets the password:
It took a little bit more than 20 minutes to discover the Wireless AP passphrase. The attacker has now the ability to get inside the network. It took 954864 guesses to discover the password. The dictionary file that I used it could be considered as a big dictionary, you might not be able to avoid a successful attack by a determined attacker, but you sure can make his work a lot harder if you use a strong password.
50
Nuno Freitas
Cracking WPA using Pyrit’s Database Attack The next type of attack that I’ll cover is a type of attack where you can import many dictionaries to a database and then perform an attack with all the imported. So first let’s install a suite called pyrit because it is not included in Backtrack. Installing pyrit Do the following at the terminal: svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn
Then do this: sudo apt-get install libssl-dev sudo apt-get install scapy sudo apt-get install python-dev Browse to pyrit directory: cd /pyrit_svn/pyrit And type: sudo python setup.py build sudo python setup.py install
Ok, now you have Pyrit installed and it should be up and running.
I will be use Pyrit with aircrack-ng. So first of all, put the wireless card in monitor. Let’s use aircrack-ng suite until we got the handshake. First use: #airmon-ng start wlan0 Then use: #airodump-ng wlan0
51
Nuno Freitas
So at this point you should get all the information about the network you will try to attack. For this example we will attack a WPA encrypted network with WLAN as the ESSID, 00:80:5A:28:B5:AB as the BSSID and working in channel 11. Now we should begin sniffing only this network by using the following command: #airodump-ng –bssid 00:80:5A:28:B5:AB –c 11 -2 wpahandshake wlan0 This will sniff the packets from WLAN and save them in a file called wpahandshake. Once again I remember that we will be looking for the *.cap file in the end. If a client is connected to the network make a deauthentication attack so the client needs to re-authenticate and you get the handshake or if no one is connected, wait for someone to do it. #aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan1 Now that you have the handshake, let’s use pyrit. Let’s analyze our handshake file, use the following command in the command line: #pyrit wpahandshake*.cap analyze Note that wpahandshake*.cap is the name of the files that airodump-ng save with packets sniffed from the “victims” network, they could be wpahandshake-01.cap, wpahandshake-02.cap… You should get a window like this:
52
Nuno Freitas
The output is that the Access Point have the mac 00:80:5A:28:B5:AB with WLAN as the ESSID. It also says that the file captured an handshake from the client with mac address 00:15:AF:A2:8D:98. So now let’s start working with Pyrit’s database. As you may know guessing the password used in WPA-PSK and WPA2-PSK is a computational intensive task. During this process, 100% of your CPU is being used to compute what is known as the Pairwise Master Key, a 256bit key derived from the ESSID and a Password using the PBKDF2-HMAC-SHA1 algorithm. One of the major weaknesses of the WPA-PSK is that the Pairwise Master Key has no elements that are unique to the moment of the key-negotiation between Access Point and Sation. It is therefore possible to pre-compute the Pairwise Master Key and store it for later use. This is where Pyrit’s database kicks in. It can store ESSIDs, passwords and their corresponding Pairwise Master Keys, possibly growing to the size of hundreds of millions of entries. Starting with a fresh installation of Pyrit, your database will most probably be empty. Issue the following command to get an overview: #pyrit eval And you will get this output:
root@bt:~# pyrit eval Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
53
Nuno Freitas This code is distributed under the GNU General Public License v3+ Connecting to storage at 'file://'... connected. Passwords available: 0
Let’s use a command to import some passwords to our database: #pyrit –i /pentest/passwords/wordlists/wordlist.txt import_passwords Note that “/pentest/passwords/wordlists/wordlist.txt” is the path where I have stored a wordlist, you can use dozens of dictionary files, pyrit ensures that duplicate passwords are not stored again in the database, it also doesn’t store passwords that are not suitable as a WPA/WPA2 password. After you imported the passwords to the database, use this command again: #pyrit eval You should get an output like this: Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ Connecting to storage at 'file://'... connected. Passwords available: 989532
Now that we have some passwords in the database, we have to create an ESSID, for that, use the following command: #pyrit –e WLAN create_essid Note that WLAN is our “victims” ESSID Pyrit output will say that ESSID WLAN was created successfully and if you use the “eval” command again it will show you that WLAN’s ESSID don’t have any password pre-computed. So we have already some passwords in the database, and we have an ESSID created, we need to pre-compute the passwords to use with that ESSID. This process could take some minutes. It depends on how many passwords you have imported to the database. To pre-compute the passwords with the ESSID you just created use this command: #pyrit batch Pyrit will give the output “Batchprocessing done” when it completes the process. We can now use the Pairwise Master Keys stored in the database to attack the same handshake as in the example above. Instead of running a “passthrough-attack”, where the database is not touched at all, we issue a “database-attack” like the following: 54
Nuno Freitas
#pyrit –r wpahandshake*.cap attack_db Don’t forget that wpahandshake*.cap is the file where the handshake is stored and that “-r” parameter tells pyrit to read the file wpahandshake*.cap. So you should have the following output.
This process is much faster than a dictionary attack, as you can see the image above Pyrit was trying 515375 passwords per second and gave us in the output that the password is “security”. This process only takes more time pre-computing the passwords with the ESSID, but will be useful when you have to use many dictionaries at the same time.
Alright, I’ve been telling you to use WPA and still it got hacked. However it would take ages to hack a good PSK with a HUGE dictionary. So always use a strong password.
55
Nuno Freitas
Cracking a Network with Hidden ESSID (aircrack-ng + pyrit) Cracking a network with a hidden ESSID is pretty simple, you have done already all the steps in order to do it. It is possible to do it only with aircrack-ng, the reason I’ve made it with aircrack-ng and pyrit is because I’ve already have the ESSID WLAN, which is the ESSID I’ve been using in these tutorials, programmed in pyrit’s database, which makes the process faster than using aircrack-ng’s dictionary attack. So, do not think that it is only possible with pyrit. So, let’s get going… I’ll show it on a WPA network, if you will try on a WEP network it’s the same, but you need to perform the deauthentication and then go back to WEP’s method. The first step in all of our tutorials: #airmon-ng start wlan0 After this lets search for networks: #airodump-ng wlan0
As you can see there is a network with a strange ESSID, it is something like This is a hidden ESSID, and we’ll be able to get the real ESSID by performing a deauthentication to one of the connected clients. Let’s sniff only the hidden network’s packets: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w hiddenwpa wlan0 Let’s deauthenticate a client now: #aireplay-ng -0 10 –a 00:80:5A:28:B5:AB –c 00:15:AF:A2:8D:98 wlan0
So, now that you deauthenticated a client you should have something like this:
56
Nuno Freitas
As you can see the network ESSID now changed to WLAN, by doing this we also got a handshake so let’s now crack the password: #pyrit -e WLAN -r hiddenwpa-01.cap attack_db
This time we needed to add the “-e” parameter since it’s an hidden ESSID, pyrit can’t guess it. And we have the password, it is security.
Hiding the ESSID is not enough.
57
Nuno Freitas
Attacking WPA Networks using Wi-Fi Protected Setup Wi-Fi Protected Setup (WPS) is an optional certification program developed by the WiFi Alliance designed to ease set up of security-enabled Wi-Fi networks in home and small office environment. Wi-Fi Protected Setup supports methods (pushing a button or entering a PIN into a wizard-type application) that are familiar to most consumers to configure a network and enable security. Reaver is an application that exploits WPS that I will use to cover this attack. It implements a brute force attack against WPS entering PINs in order to recover WPA/WPA2 passphrases. The Pin is 8 digits long:
Doing the Math there would be 108 = (100 000 000) Pin combinations. However an attacker can derive information about the correctness of parts the PIN from the AP´s responses. 1. If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect. 2. If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half of the PIN was incorrect. This form of authentication dramatically decreases the maximum possible authentication attempts needed from 108 = 100 000 000 to 104 + 104 = 20 000. As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at most 104 + 103 = 11 000 attempts needed to find the correct PIN. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
58
Nuno Freitas
Below there is a flowchart that explains the method used by the Bruteforce attack to the WPS flaw:
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 410 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. I want to make it clear this will only work on networks with WPS enabled. Since the Router I’ve been using doesn’t have WPS I will use a new one with the same configurations (ESSID and Passphrase). 59
Nuno Freitas
But you don’t need to worry, I’ll cover how to check if an AP has WPS enabled or not. First of all, if you need, download Reaver. It doesn’t come with Backtrack older versions so you might have to install it, even though it is easy to do it. You can download Reaver at http://code.google.com/p/reaver-wps/downloads/list After you download extract Reaver folder to your desktop or whatever other folder you want. By the way Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries. After you extracted the folder, browse to it. Let’s do it like if I extracted to my Desktop folder. In the shell, browse to the following directory: #cd /root/Desktop/reaver-1.3/src/ Within this directory you will find several files. Let’s start the installation, run the following command: # ./configure If you get this error: “bash: ./configure: Permission denied” Use the command: #chmod +x configure This will give execution permission to the file “configure” Try again, this time you won’t have any problems. # ./configure Let it install, when it finishes use the following command: # make And then: # make install Ok, Reaver is installed. Now we can have some fun with Reaver. Let’s start the attack.
The first thing to do is to put your Wireless card on monitor mode: 60
Nuno Freitas
#airmon-ng start wlan1 Then let’s sniff some beacon frames and save them in an output file: #airodump-ng -w beacons mon0 Let airodump-ng run for a while, 1 minute is enough. Don’t forget to use -w option to save the packets you’re getting in a file. What we want are Beacon frames, don’t worry about data packets. Then you will run the following command: # walsh -C -f beacons-*.cap Walsh will look at the cap files that airodump-ng created with the beacon frames and will give you a list of the networks that have WPS enabled. In Reaver 1.4 Walsh, changed the name to Wash, so if you’re getting any error, browse the Reaver Installation Folder and see if you find Walsh or Wash script.
Then run: #airodump-ng mon0
Check what channel is your target running Now launch reaver:
61
Nuno Freitas
#reaver -i mon0 -b 54:E6:FC:99:DC:98 -c 1 –vv -vv enables verbose mode, and you can see the progress and the warnings. -b is the bssid of the target network -c the channel that the network is broadcasting on
62
Nuno Freitas
You can use aircrack’s fake authentication while running reaver, it’s up to you. If you start getting blocked by the AP use macchanger command to change your mac and start again. After some hours running Reaver, you will get to the passphrase.
As you can see, we got the passphrase which in this case was “security”.
In this particular situation WPA is cracked even if you have a good password. Although by disabling WPS on your Router you will annul this flaw.
63
Nuno Freitas
Conclusions I hope you all enjoyed this paper as much as I enjoyed writing it. Hopefully, by now you understand better how insecure most of the Wireless Networks are in our days and you’ll be careful next time you configure a Wireless AP. When I started this Independent Study I had a rough idea of what I wanted to research/learn about and it was a very rewarding experience. I’ve learned more than I was expecting and I really enjoyed the time I took learning and practicing. I read books, websites watched videos from which I guided myself but still, I thought about writing my own paper as a second method of study. I took the leap after I found a paper like this one and I really wanted as retribution to write a paper of mine, so other that are in the same situation that I was some months ago could learn with a simple and pleasant reading since I wrote this paper as I was learning from zero.
Any feedback will always be appreciated. Feel free to contact me on
[email protected]
64