Wednesday, 26 June 2013

Assembly Language starter

Hello to all, my wireless card still hasn't arrived, so i'm going to do a quick post on what i am currently working on.

Background

Although i do a lot of wireless, i still don't understand how it works, how one pulse of current travels from one device and ends up at the other, my eventual aim is to be able to create my own wireless communication device out of very basic parts using a arduino. As a result i have been looking into assembly programming, which is what i'm going to do some of today.

Take yourself back about 40 years, computers where at their births, for the first time there where teams of people striving to advance the technology within, but they still used machine code {0+1}, which is great to a computer because a computer only understands machine code, but what human can flawlessly and quickly? As a result, assembly language was born, now assembly language is the most basic of computer languages, there are no print commands and conditional statements like if statements and for loops.

Assembly language statements

Assembly language is key to every other language, it is the foundation stone, and it converts directly into machine code. By this i mean that every statement in assembly has a machine code equivalent that is run on the processor.
As a result it is the closest to machine code we have to understand today. All HLL (high level languages like C, C++, C#, Fortran, Pascal, VB, COBALT etc.) are converted into assembly by the compiler(this is not the only thing the compiler does, but it is all i am interested in in this post). But what are the statements?
Computers where created by mathematicians for solving complex maths in little time. A calculation which takes us about 5 minutes takes a computer nano-seconds. It is for this reason a lot of the commands are mathematics based.
  • ADD : This merely adds one memory address to another
  • MOV : This command moves the bits from one memory address to another
  • CMP : This compares two memory addresses.
  • JLE : This jumps if the address is less than or equal to.
  • INC : This increments the memory locations content.


These are just a few basic commands, if you wish to, there is a book i highly recommend from Jon Erickson called "Hacking: Art of exploitation" which is worth its weight in gold just for the sections on assembly, providing a very in depth, interactive look at assembly language.

Hopefully this post has made a few people think about learning assembly language (or at least partially). If nothing else it will look brilliant on a CV for a computer based job.
-Spectr3

Friday, 21 June 2013

Wireless Card Broke

Wireless card broke!



Okay, so first of all, apologies to everyone, this post was supposed to go up last Wednesday, but a very close friend of mine was involved in a very serious traffic collision on his way home from my house. As a result, I've been preoccupied
I was going to do a post on using aircrack-ng to break into a home made wireless WPA network, but my card appears to have died (it belongs in the bottom of my laptop rucksack and as a result endures alot of punishment. As a result, i will be taking some time away and will post again once my new card comes through the post (approx. 1week3days.)
Again, apologies all, this weeks feels like i have let you down alot, but do not despair, the next post will include the capture files i use so you can follow along aswell :).
-Spectr3

Wednesday, 12 June 2013

Wireless Part 6

4-Way handshake


So this week i thought i would continue on with handshakes, and more importantly the most important handshake in wireless you would ever learn which is the 4-Way handshake. Now the 4-way handshake is merely the connection between the wireless client and the wireless AP, but its incredibly important when we get into WPA (which will be done in more detail than WEP as it is seen more, making it more important to understand, it also gives the basis of WPA-Enterprise).

There are 5 parts of the handshake, that's 5 important bit sequences
  • ANounce
  • Snounce
  • MIC
  • GTK
  • Ack


These are absolutely key for our understanding, they are the main blocks of the handshake.
The handshake itself is just 4 EAPOL packets. The structure is as follows
  1. AP sends client ANounce
  2. Client uses this to construct the PTK (pairwise transient key), replying with a SNounce + MIC
  3. AP uses this to construct a PTK, replying with GTK + MIC
  4. Client replies with Ack
  5. Connection Made!


So what happened?
The client attempts to connect with the access point, and has a pre-shared key to use to connect.
The client can now send the pre-shared key it has been told. To do this, the client applys PBKDF2 to create a 256-bit pre-shared key. PDKDF2, is a hashing algorithm, using 4 inputs, the pre-shared key, SSID (and SSID length), then 2 numbers, 4096 + 256. The 4096 is important as the passphrase is hashed 4096 times, making it completely one way, and 256 is the size of the output. The AP already has its own version.

But this key cannot be sent yet, so first of all, ANounce, all the ANounce is, is the authenticator (AP) Nounce (Nounce being a large random value). This is sent by the AP to the client. The client, or supplicant, can then create a SNounce, which is just a Supplicant Nounce. These are both used to create a PTK (pair-wise transient key). This is a dynamic key (making this handshake more secure as it is not guessable).

Now the PTK must be derived. It is just a function using the 256-bit pre-shared key from before, the ANounce, the SNounce, the Authenticator MAC and the Supplicant MAC. This is kept for later.

Next is message 2, this is just the SNounce and MIC, being sent to the AP. The MIC is the message integrity check, which is basically a checksum on the PTK.

At this stage, both the client and the AP both know the 256-bit pre-shared key, the SNounce, the ANounce, the Authenticator (AP) MAC address and the Supplicant (Client) MAC address. As a result, both can create the exact same PTK. As a result, when the authenticator creates its own MIC (based on the Authenticators PTK), the resulting MIC should be the same if the connection is legitimate. Thus, the pre-shared key should be the same.

If the connection is legitimate, the key installation is done, and finally, the key install is acknowledged with a ACK.

I don't think that until now i have properly explained, that was the connection in a WPA environment. Its nothing complex. I personally like to imagine it like 2 spies talking to eachother, checking if the other has the same information without saying what that information is (but i'm abit strange like that).

Anyway, I think that that is enough for this week, so i shall see you all next week for another installment.
-Spectr3

Wednesday, 5 June 2013

Wireless Part 5

Hey all, welcome back to part 5 of my wireless hacking set. Last week we looked at breaking WEP, so today i thought i would show how the handshake worked. Handshakes are key, they are the agreement and connection between the AP and the client. Without them there would be no connection at all.

Ethernet Frames

First important thing to understand is Ethernet frames. In a Ethernet packet (either wireless or wired), you have a number of sections.
  • Preamble

    This is 7 bytes and is for bit synchronization.
  • Start frame delimiter

    A single byte, used as a flag, and is the start of the frame
  • Destination Address

    48-bits, this is the MAC address for the packet's end point, used by routers to determine exactly what device for the packet to end up at.
  • Source address

    48-bits, this is the MAC address for the packets start point, so the end point knows who sent it. Also this is used so if the packet is corrupted or the endpoint is not found, a message can be sent to the sender so the sender isn't waiting for a reply forever.
  • Length/Ethernet Type

    This gives the ethernet type (Ethernet or Ethernet II). In 802.3(Ethernet), this would give the length of the data section (maximum 1500 bytes).
  • Data

    Exactly what it sounds like, this is the data being sent, up to 1500 bytes, in WEP which we talked about over the last few weeks, this would be the WEP packet we spoke of, so the IV + cypher text.
  • Padding

    For reasons related to CSMA/CD (which i won't get into today), a packet must be at least 64 bytes in total. If the data field + other fields do not fulfill this requirement, the padding is used to make sure the packet meets it minimum required length.
  • Checksum

    The Checksum, the saving grace of any packet of data, this is the answer to a simple one way algorithm run on the data to ensure when it reaches its end point it is still correct, and there are no 1's becoming 0's and vice versa.


Now as part of the start frame delimiter, there are some flags, these are just little extra bits that are sent in the frame, each is just a 1 or 0, indicating yes or no, just a couple of flags are SYN, ACK, RST and FIN, today we will focus on SYN and ACK.

The basic TCP handshake

For short, SYN is synchronize and ACK for acknowledge.

The 3-way TCP handshake is very simple, as as a result i am leaving it as the first handshake we will cover, and is the basis i used to learn the 4-Way Handshake. The basis of the hand shake is as follows
SYN
SYN,ACK
ACK

All this is is a ask, a reply and a acknowledgement that the reply has been received.

I'm going to leave this here for this week as i am extremely tired from doing my CBT earlier today (british compulsory bike training, so i can get a motorbike, which of course will have a Yagi antenna strapped to it for a bit of war driving :) ).
-Spectr3