Tag Archives: tools

WEP Cracking 101

It’s occurred to me that many folks understand that WEP is easy to break, but don’t know all the steps and just how easy it is.  Here I hope to lay down the basic steps in one coherent post, demonstrating how to crack into a wireless network using WEP, with a client attached to it.

Like always… only do this against your own networks.  The legal grounds are a bit grey here, but the ethical grounds are clear – you shouldn’t pick your neighbor’s doorlock.  Being a security professional also comes with the responsibility to use your skills for good, not evil.

Step 0: get the software.

I assume you’re using Linux.  These tools do work on OS X but they require a bit of tweaking, I think, and I haven’t done it myself, so I’ll just write up Linux.  You can use a Linux VM, but wireless card support is a bit flakier unless you’re using a USB card.

Basically you will only need two packages: kismet and aircrack-ng.

So:
apt-get install kismet
apt-get install aircrack-ng

Step 1: Find a WEP network

Kismet is an amazingly powerful scanning tool and I could write much more about it than we need here.  It takes advantage of the feature in wireless cards to use “monitor mode”, which basically does passive listening for network traffic, and analyzes the traffic into a nice list.  It can do all sorts of other neat stuff like gps logging, etc, but that’s not totally necessary here.

If you don’t know it, you’ll need the interface name for your wireless card.  Check it by typing:

iwconfig
Then, just launch kismet (type ‘kismet’) and it will prompt you for your WLAN card.  It will try to put it into monitor mode and is usually successful, even with built-in wireless.  If not, there’s some troubleshooting to be done….

Assuming it works, it will give you a list of networks it sees.  It ‘hops’ channels by switching the frequency the card is listening on and collects traffic on that frequency.  If there’s a WEP network in sight, kismet will highlight it in red, and you will need to pay attention to four things:

  • Its BSSID – similar to the MAC address of the access point
  • The ESSID – the ‘friendly name’ of the network
  • The MAC address of a client that is attached to it.
  • The channel the AP is broadcasting on

Kismet has a column that shows the amount of traffic it sees for both the AP in general and the client.  You want to target one with a client attached that is passing data… they’re the easiest targets.

An alternate path to WLAN monitor mode:

If kismet has a hard time putting your card into monitor mode, try running ‘airmon-ng start <interfacename>’ and it should attempt to do so.  If that still doesn’t work…. investigate getting a new card.  The Alfa AWUS036H is an excellent USB choice.

Step 2: prepare to attack

If it’s not setup yet, enable monitor mode:

airmon-ng start <interfacename>

Begin a dump session – this logs traffic, sort of like a lightweight Wireshark.  You want to filter it to only the transactions we’re interested in:

airodump-ng --channel <c> --bssid <xx:xx:xx:xx:xx:xx> --write <fileprefixname> <interfacename>

where:
c – the broadcast channel of the network
xx:xx:xx:xx:xx:xx – BSSID of the network
<interfacename> – self explanatory (e.g. wlan0mon)

Keep this running and launch a new window for the next steps.

Step 3: do an ARP replay attack

This essentially looks for an ARP request from the attached client, and replays it many many times, enough to create a data set large enough to mount a cryptographic attack against WEP.

aireplay-ng --arpreplay -h <xx:xx:xx:xx:xx:xx> -b <yy:yy:yy:yy:yy:yy> <interfacename>

where:
xx:xx:xx:xx:xx:xx – the MAC address of the client
yy:yy:yy:yy:yy:yy – BSSID of the network
<interfacename> – self explanatory (e.g. wlan0mon)

Once this has started, check out the other window.  You should see the data packets starting to increase rapidly.  When you’re at about 40k there is enough to crack a 104-bit WEP key.  The more the better, but no harm in starting early…
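From the defender’s side, the replay in Step 3 re-injects one captured ARP frame thousands of times, so that frame’s 24-bit WEP IV repeats far more often than any legitimate station would ever produce.  The following is an added example (not from the original post, and not kismet or aircrack-ng output): constructed frame records plus a sliding-window detector that flags that kind of IV repetition; the record layout, window and threshold are my assumptions.

```python
"""Flag WEP ARP-replay injection from a stream of 802.11 data-frame records.

A replayed frame is a byte-for-byte copy of the original, so its 24-bit IV
repeats exactly; a legitimate station moves to a new IV on (almost) every
frame.  All data below is constructed for illustration.
"""
from collections import defaultdict, deque

# Records: (timestamp_seconds, source_mac, bssid, iv_hex, frame_length)
SAMPLE_FRAMES = (
    # 20 frames of normal client traffic: a fresh IV on every frame
    [(i * 0.5, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", f"{0x100 + i:06x}", 98)
     for i in range(20)]
    # 60 injected copies of one ARP request, same IV, a few ms apart
    + [(10.0 + i * 0.002, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "0001a4", 68)
       for i in range(60)]
)


def detect_iv_replay(frames, window_s=5.0, threshold=10):
    """Return one alert per (src, bssid, iv) seen more than `threshold`
    times inside any sliding `window_s`-second interval."""
    seen = defaultdict(deque)   # (src, bssid, iv) -> timestamps in window
    alerts = {}
    for ts, src, bssid, iv, _length in sorted(frames):
        key = (src, bssid, iv)
        times = seen[key]
        times.append(ts)
        # Expire timestamps that have fallen out of the sliding window.
        while times and ts - times[0] > window_s:
            times.popleft()
        if len(times) > threshold and key not in alerts:
            alerts[key] = {
                "src": src, "bssid": bssid, "iv": iv,
                "count_in_window": len(times), "first_seen": times[0],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_iv_replay(SAMPLE_FRAMES):
        print("possible WEP replay injection:", alert)
```

Normal traffic never repeats an IV inside the window, so only the injected burst produces an alert.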

Step 4: mount the cryptographic attack

From the same directory you launched the dump process, just run this (airodump-ng names its capture file <fileprefixname>-01.cap):

aircrack-ng <fileprefixname>-01.cap -0

This will launch a window that shows progress.  If it’s successful, you’ll see the key!  If it’s not… keep waiting for more traffic.  40k+ data packets increase your odds tremendously, but if it’s a simple WEP key it requires less.  This tool will actually keep trying as the packet capture increases in size, so you can keep it running.  Or quit it (ctrl-c) and wait till you have more.

Step 5: connect!

If all went well you have broken the WEP key via the PTW attack method.  Now you can connect to the network.  Close down the dump sessions, etc., and bring down your WLAN card:

ifconfig wlan0 down

Then you’ve just gotta connect:

ifconfig <interface> up (bring up the WLAN card)

iwconfig <interface> mode managed key [WEP key]

iwconfig <interface> essid “[ESSID]” (specify the ESSID for the WLAN)

dhclient <interface> (to receive an IP address, netmask, DNS server and default gateway from the access point)

If all goes well you’ll get an IP and then you’re good to go, test by pinging or whatever else.

But if it didn’t work, they may have MAC filtering in place…

So change the MAC address of your wireless card to the same one as the client you just cracked with!  This is a bit messy and could confuse the DHCP server of the access point, but it’s worth a shot.

Bring the card down first:

ifconfig wlan0 down

Then change the MAC:

ifconfig wlan0 hw ether xx:xx:xx:xx:xx:xx

Bring it back up again and repeat.  You should be good to go.

This is a simplified walkthrough of a process that is documented many other places.  It should give you a taste of kismet, and the basics of the aircrack-ng suite, which has many many other great features.  I encourage you to read all about it over on their website.

Additionally, their site also contains a much more in-depth WEP crack tutorial.

Again, this is not ground-breaking, but it is always good to share the fundamentals in case someone hasn’t seen it before.  Good luck!

Quick and Easy Portable Media Encryption

As part of my personal service delivery process, I have a need to store sensitive information for client engagements (vulnerability assessment results, network diagrams etc). To avoid having a dependency on specific test systems, I prefer to use portable USB drives to store data in the event that I need to switch to another system. However, I don’t want to risk losing this drive with confidential data on it. My solution is to create an encrypted partition on the disk in such a fashion that I can quickly mount the drive on another system without downtime.

To meet these requirements, I use a combination of Dropbox (http://www.dropbox.com), Keepass (http://keepass.info/), and Truecrypt (http://www.truecrypt.org/). I use Dropbox as a portable ‘Program Files’ directory where I install portable versions of Keepass and Truecrypt. This allows me to have my ‘Program Files’ directory replicated on all systems where the Dropbox client is installed (for backup purposes, I usually have my Dropbox account synchronized to 2 different systems).

I use Truecrypt to create an encrypted partition on the USB drive (using AES for encryption and HMAC-SHA-512 as a hash algorithm). The volume key used to encrypt/decrypt the partition is then stored as a password in my Keepass database (which is also stored in my Dropbox).

As long as the Dropbox is synchronized between my test systems, switching from one system to the other is as simple as plugging the USB drive in and launching Truecrypt/Keepass from my Dropbox.

Here are my step-by-step instructions for replicating this setup on a Windows XP/Vista/7 system (I assume you already have Dropbox installed on your system):

  1. Create a ‘Programs’ directory in your Dropbox folder. In this folder, create 2 subdirectories, ‘Keepass’ and ‘Truecrypt’.
  2. Copy the portable versions of these programs into their respective folders (Truecrypt does not have an explicit ‘portable’ distribution; rather, download the setup file here and choose the ‘Extract’ option when running the setup. Keepass, on the other hand, provides a portable version that can be downloaded here).
  3. Launch Keepass and create a new password entry for the portable drive. I suggest using the Password generator function to generate the password. Note that since this password is used as an encryption key, I recommend selecting all available characters for generating the password and using the maximum key length (64 characters).
  4. Plug in the portable USB drive that will contain the encrypted partition (note: this has only been tested with USB hard drives; I have not tested this with smaller USB flash drives).
  5. Launch TrueCrypt and use the ‘Create Volume’ button to launch the new volume creation wizard. I recommend writing down the path to the volume being created to make it easier to mount later. For my personal setup, I chose to create a regular (non-hidden) partition using AES and SHA-512 for encryption and as a hash algorithm. When prompted for the volume password, use the password entry created in Keepass.
  6. The volume is now created!

To actually mount the encrypted partition, start Truecrypt and select an available drive entry. Select the encrypted volume from the Volume list then click ‘Mount’. When prompted, enter the password from the Keepass password entry.

Note that regardless of which system was used to create the encrypted partition, you can mount it on any other system as long as you have access to Truecrypt and your volume password.

Putting Together a Wireless Security Toolkit for the Android OS

I’ve had the first commercially available Android mobile phone, the T-Mobile G1, since the platform launched last fall, and have been really happy with it so far.  As the platform is getting more mature, we are now starting to see a lot of new and useful applications out there – especially some useful for security!  Here’s a quick rundown of some of the tools that I’ve found and am using:

WifiScan – a great wireless discovery application for the platform.  It’s a powerful wireless audit tool that will log all of the discovered networks in range, and plot them to a KML file for visualization in Google Earth.  This application records information such as BSSID, Channel, Security Type, SSID, etc.  Tremendously useful for a discreet wireless network audit!

PortScandroid – a very basic port scanning application for the platform.  It’s not terribly useful for use over the cellular data network due to the filtering applied by T-Mobile, but when using 802.11, it gets the job done.  Doesn’t do any correlation of services to ports, but it performs the basic functions.

ConnectBot – this is a full-featured SSH client for the platform.  Handy.

androidVNC – a VNC viewer for the Android platform that’s been forked from the tightVNC viewer development project.  Also a handy tool.  This is still in the beta phases and hasn’t been added to the Market yet, but it’s downloadable from the project page.  Easiest way to install it is to navigate to the project page within the phone’s browser and just download the APK package.

I am going to conduct a WarDriving contest between my little Android and a full-fledged laptop running Kismet and an external Wifi antenna to see how the signal discovery compares, but initial tests show the G1 to have a pretty remarkable Wifi range.  I’ll post a followup after I conduct the test.

The Android platform is showing a lot of promise, and for use on a pen-test, these tools could prove to be useful additions to your arsenal – and are certainly more discreet than using a laptop with a big ol’ antenna!

Thanks syn for inspiring me to investigate this – his post about the iPhone wireless toolkit made me wish we had these tools on the Android, and lo-and-behold – we do!