Friday 26 October 2012

Manipulating wordlists with WLM (Wordlist Manipulator)

Wordlist Manipulator
=================

Post still to be fully completed

WLM WIKI
http://code.google.com/p/wordlist-manipulator/w/list

Google Code main page ;
http://code.google.com/p/wordlist-manipulator/

Video using WLM (old version v0.5) on BackBox ; 



Wordlists are an integral part of many checks/audits and being able to ensure the wordlists meet your needs is imperative.
Of course when creating a wordlist you try to ensure that it is going to be as tailor made as possible, however sometimes you may want to adjust an existing wordlist to some extent.

WLM is a script which basically bundles a whole load of text-processing commands into a menu structure, to give an easy overview of the most commonly used/requested wordlist alterations.

WLM was only made to work on Linux-based systems; it has been tested with good results on BackTrack and BackBox Linux, but I cannot advise whether it works on any other OS/distro.


INSTALLATION
=============
BackBox Linux developer ZEROF has been kind enough to make a debian package for easy installation on BackBox Linux which can be installed on BackBox as below ;

Open terminal and type:

wget http://wordlist-manipulator.googlecode.com/files/wlm-0.8_all.deb
sudo dpkg -i wlm-0.8_all.deb
To use the tool type wlm in a terminal or open BackBox menu -> Auditing -> Miscellaneous -> wlm


For BackTrack, simply download the script to a directory of your choice.
After having downloaded the code and saved as 'wlm', the file needs to be made executable as follows ;
chmod +x wlm
The script can then be run from that same directory with ./wlm


The code can be reviewed here ;
http://code.google.com/p/wordlist-manipulator/source/browse/wlm


Script (v0.7) can also be downloaded here ;
http://www.mediafire.com/file/p1tn76qw95hobi4/wlm



BASIC USAGE
============

If you have installed on BackBox with the debian package, then no need to do anything else.

For use in BackBox when installed using the debian package, simply type 'wlm' followed by a word to give all possible permutations of that word ;

wlm one
wlm ten

Or simply type wlm and hit Enter to get the main options menu.
wlm

Or go to the BBox menu > Auditing > Miscellaneous > wlm 
which will also give you the main options menu.

In BackBox you can also of course simply download the script, make it executable and run from the directory with ./wlm as well, same as you would in BackTrack ;

You can test all possible permutations of a word by typing ./wlm followed by a word (for instance 'one')
./wlm one

Or you can simply type ./wlm and hit Enter to get the main options menu.
./wlm


ALL OPTIONS
============

Each main option has a submenu and the full range of options are ; 

1. Case Options;
1.1 Change case of first letter of each word in the wordlist.
1.2 Change case of last letter of each word in the wordlist.
1.3 Change all lower case to upper case.
1.4 Change all upper case to lower case.
1.5 Invert case of each letter in each word.

2. Combination options;
2.1 Combine words from 1 list to all words in another list.
2.2 Combine all wordlists in a directory into 1 wordlist.

3. Prefix characters to wordlist;
3.1 Prefix numeric values in sequence (ie. 0-999)
3.2 Prefix fixed number of numeric values in sequence (ie. 000-999)
3.3 Prefix a word or characters to wordlist.

4. Append / Suffix characters to wordlist;
4.1 Suffix numeric values in sequence (ie. 0-999)
4.2 Suffix fixed number of numeric values in sequence (ie. 000-999)
4.3 Suffix a word or characters to wordlist.

5. Include characters;
5.1 Include characters from a certain position from start of word.
5.2 Include characters from a certain position from end of word.

6. Substitute/Replace characters;
6.1 Substitute/Replace characters from start of word.
6.2 Substitute/Replace characters from end of word.
6.3 Substitute/Replace characters at specified positions in list.

7. Optimize / tidy up wordlist;
7.1 Full optimization of wordlist.
7.2 Optimize for WPA (min 8 chars max 63 chars).
7.3 Sort words based on wordlength
(can help process speed with some programmes such as cRARk)

8. Split options;
8.1 Split wordlists based on a user defined max linecount in each split file.
8.2 Split wordlists based on a user defined max size of each split file.

9. Removal / Deletion options;
9.1 Remove characters at a certain position from start of word.
9.2 Remove characters at a certain position before end of word.
9.3 Remove specific characters globally from words.
9.4 Remove words containing specific characters from wordlist.
9.5 Remove words with more than X number of identical adjacent characters from wordlist.
9.6 Remove words existing in 1 list from another list (test version only for small lists).
9.7 Remove words that do not have X number of numeric values.
9.8 Remove words that have X number of repeated characters.
9.9 Remove words of a certain length.

10. Miscellaneous fun;
10.1 Check possible wordlist sizes (with same min-max length only).
10.2 Create a wordlist from a range of dates (datelist).
10.3 Strip SSIDs from a kismet generated .nettxt file.
10.4 Basic leetify options for wordlist.
10.5 Leetify/Permute wordlist (Gitsnik's permute.pl script).

f. File information;
Gives information on aspects of selected file ;
- Filetype
- Wordcount of file
- Longest line
- File Size
- first 3 and last 3 lines of file

h. Version and help information.

u. Check for updates to the script.



GENERAL USAGE 
================

Choose the desired option and the submenu option as appropriate. 

You will be prompted to enter the /path/to/wordlist which you want to modify.
There is no auto-complete on this, so the correct path syntax and correct spelling are imperative !

You will then be prompted to specify a filename for the resulting altered wordlist.
Again, there is no auto-complete on this, so the correct path syntax and correct spelling are imperative !

(You can actually also browse to the wordlists in File Manager and drag and drop in the wlm terminal)

Depending on the option chosen, you may be prompted for more input. 

In the example below, I have chosen Option 1 (Case Options) followed by Sub-Menu option 1 (Change case of first letter).


The principle for all other options from 1 - 9 is the same ; 
> Enter filename to be altered 
> Enter output filename
> Provide further input as prompted/required.

Should you risk overwriting an existing file, then wlm will warn you of this so you can cancel without making any changes. 

!NOTE! 
If using BBox and you may be overwriting files, then wlm may need to be run as root !

(BackTrack runs as root as standard, so no special measures are required when using it in BackTrack)

If running BBox and possibly needing to overwrite existing files, start wlm in a terminal (not from the menu) with;
sudo wlm





Sunday 1 April 2012

Vytautas Mineral Water

F*** Yeah ;)

Random post despite the after warning :D

This sh*t has to be legit, I wants it ;)

Tuesday 21 February 2012

Hashcat's Maskprocessor

Work in progress, post still to be fully completed.


Creating wordlists for piping through to oclHashcat.

Maskprocessor is a highly configurable, high performance wordlist generator which can be run under
either Linux or Windows (yay, I can continue to be lazy ;) ).
It is blisteringly fast.

Output from maskprocessor can be piped to for instance oclHashcat+ for hash cracking.

Installing maskprocessor on BackTrack 5 ;
apt-get update
apt-get install maskprocessor
However, at time of writing (21-02-2012) the version in the BackTrack repositories is out of date and missing the increment options
(BackTrack's version is v0.65, whereas the latest version is v0.67).
With the recently released (01-03-2012) BT5R2 repositories, however, the latest version
is included.

cd /pentest/passwords/maskprocessor/
./mp32.bin --help
./mp32.bin -V

Info and download latest version ;
http://hashcat.net/wiki/maskprocessor

So download the version your system requires (either 32-bit or 64-bit) and replace the .bin file in the /pentest/passwords/maskprocessor/ directory with it.
With the latest version the increment options are available.
./mp32.bin --help
./mp32.bin -V

CREATING WORDLISTS WITH MASKPROCESSOR
As seen in the above help information, maskprocessor comes with several pre-defined charsets as in oclHashcat+, among which;

?l  -- lower case alpha values
?u  -- upper case alpha values
?d  -- numeric values
?s  -- special characters including space

Up to 4 custom charsets can be defined using the switches -1, -2, -3 and -4, for example ;
-1 ?dABCDEF   (0123456789ABCDEF)
-2 QWERTY     (just the letters QWERTY)
-3 ?u123      (upper case alpha values & 123)
-4 ?l?u?d?s   (lower & upper case alpha, numeric and special characters)

In the examples below I will not be writing to a file, just showing the stdout of the given command. 
To actually write the output to a file you would simply include the -o switch ; 
./mp32.bin ?d?d?d?d?d?d?d?d?d?d -o wordlist.txt 
Remember that wordlist sizes can quickly become large and impractical.

Creating an 8 character lower alpha wordlist
from aaaaaaaa to zzzzzzzz ;
./mp32.bin ?l?l?l?l?l?l?l?l 

Creating an 8 character upper alpha wordlist
from AAAAAAAA to ZZZZZZZZ ;
./mp32.bin ?u?u?u?u?u?u?u?u 

Creating an 8 character numeric wordlist
from 00000000 to 99999999 ;
./mp32.bin ?d?d?d?d?d?d?d?d 

The masks can be changed to what you may require to either fix certain character values at certain positions
or to have multiple charsets at given positions using custom charset masks.

To create a wordlist with the first 4 characters being numeric values and the last 4 characters being upper case alpha values
from 0000AAAA to 9999ZZZZ ;

./mp32.bin ?d?d?d?d?u?u?u?u

To create a wordlist with lower case alpha and numeric values,
from aaaaaaaa to 99999999 ;
(note that the order in which you define the custom charset determines the sequence in which the words are printed to the wordlist, but does not change the total content of the wordlist)

./mp32.bin -1 ?l?d ?1?1?1?1?1?1?1?1 

To create a wordlist with the first 4 characters being lower and upper case alpha values and the last 4 characters being numeric values
from aaaa0000 to ZZZZ9999 ;

./mp32.bin -1 ?l?u ?1?1?1?1?d?d?d?d

To create an 8 character wordlist with the 1st and 2nd characters being lower and upper case alpha values, the 3rd to 6th characters being (upper case) hexadecimal values and the last 2 characters being special characters (including space);

./mp32.bin -1 ?l?u -2 ?dABCDEF ?1?1?2?2?2?2?s?s 

So wordlist output can be masked in numerous ways to best suit what you are trying to achieve.



CREATING WORDLISTS IN INCREMENTS
=====================================

All of the above can also be done directly in oclHashcat+ when specifying masks to use for
hash cracking, however maskprocessor comes into play when requiring to create wordlists
in increments.

Using the -i switch we tell maskprocessor to create the wordlist in increments, either from the first to the last masked character, or from and to user-defined positions.


To create a wordlist from 1 character to 10 characters,
starting from 0 and ending at 9999999999 ;

./mp32.bin -i ?d?d?d?d?d?d?d?d?d?d 

If we want to create a wordlist for WPA/WPA2 then of course there is no point in creating wordlists shorter than 8 characters (minimum passphrase length for WPA/WPA2), so in such a case we would specify to have the increments start at the 8th character.

To create a wordlist with at least 8 numeric values and increment by 1 until it reaches 10 characters;
Starting at 00000000 (8 characters) and stopping at 9999999999 (10 characters)

./mp32.bin -i --increment-min=8 ?d?d?d?d?d?d?d?d?d?d 

As maskprocessor requires a mask to be entered, there is no real need to specify the maximum word length, as that is already determined by the number of mask placeholders.
You could, however, have 10 mask placeholders and specify to stop at the 9th position ;

./mp32.bin -i --increment-min=8 --increment-max=9 ?d?d?d?d?d?d?d?d?d?d 

This will start at 00000000 (8 characters) and stop at 999999999 (9 characters).



EMULATING INCREMENTAL BRUTEFORCE ATTACK
=============================================

So to put all this into practice together with cracking a hash with oclHashcat+, we could pipe the output
from maskprocessor through to oclHashcat+.
Note that although maskprocessor can create words of over 15 characters, oclHashcat+ will not process any passphrases with more than 15 characters.
So your hash cracking fun with oclHashcat+ is limited to max 15 characters.

Again I will switch to my Windows system for this.. ;)
I extracted the maskprocessor executable to the same directory as oclHashcat for sake of ease;
c:\oclHashcat\
As I am running a 64bit OS, I am using the mp64.exe


To start at aaaaaaaa (8 characters) and finish at zzzzzzzzzz (10 characters as there are only 10 mask placeholders) piping through to oclHashcat ;

mp64.exe -i --increment-min=8 ?l?l?l?l?l?l?l?l?l?l | cudaHashcat-plus64.exe -m 2500 fubar.hccap

Using mixed case starting at aaaaaaaa (8 characters) and stopping at ZZZZZZZZZZ (10 characters)
(Using the ^ symbol to break the line for clarity's sake; in Linux you would use the backslash \
to break the line)

mp64.exe -1 ?l?u -i --increment-min=8 --increment-max=10 ?1?1?1?1?1?1?1?1?1?1 | ^
cudaHashcat-plus64.exe -m 2500 -n 40 fubar.hccap

If you were to expect that the first 4 characters were for instance '1234' then you can fix these characters
in the mask as follows ;

mp64.exe -i --increment-min=8 1234?d?d?d?d?d?d | ^
cudaHashcat-plus64.exe -m 2500 -n 80 fubar.hccap
So maskprocessor would go through 12340000 to 1234999999.

This however does not work the other way around; if for instance we know that the last 4 characters
are 6789 and use the syntax ;
mp64.exe -i --increment-min=8 ?d?d?d?d?d?d6789 | oclHashcat-plus64.exe -m 2500 fubar.hccap
this will not work, as the increment of course passes on the first 8 characters as defined from left to right, which
cuts off the last 2 characters which we would want fixed.

So in such a case as above we would have to use a so-called rule to have the numeric values 6789 appended to each created passphrase.

To create such a rule we would need to create a file called append.rule for instance with the following entry;
$6$7$8$9
This rule would specify that each line fed into oclHashcat will have the numbers 6789 appended to it.

echo $6$7$8$9 > append.rule
In this case you could also specify --increment-min=4 so that hashcat always checks a minimum
of 8 characters (as 4 characters are appended to each generated line), or just leave out --increment-min
and let hashcat reject words of less than 8 characters.

mp64.exe -i ?d?d?d?d?d?d?d?d?d?d?d?d | cudaHashcat-plus64.exe -r append.rule -m 2500 fubar.hccap

RULES

Will have to be my next area of focus..


BENEFITS OF MASKPROCESSOR OVER CRUNCH ;
==========================================
Not much to be honest if you are on a linux system, but what it
does allow is the specification of custom charsets for use in masks.

I have to say though, the more I play with it, the more I like it ;
Having an option which is nearly as versatile as crunch, yet able to
run easily on Windows, makes this a great tool for me.
In combination with Hashcat running on windows this really is a
must have in your toolkit.

I am sure there are other wordlist generators for Windows,
but this to me definitely seems like the one to have and a truly
impressive tool.

Speedwise, Maskprocessor is (quite a bit) faster than Crunch, crunch is
of course fast as it is, and possibly better documented (by me ;) ) at time of writing,
but that does not take away from the fact that Maskprocessor is an awesome bit of kit.


There are other uses for Maskprocessor such as creating rules for use with
oclHashcat which I still need to dig into.
(promises.. promises.. ;) )


Linkage ;
http://hashcat.net/wiki/maskprocessor
http://hashcat.net/wiki/mask_attack
http://www.irongeek.com/i.php?page=videos/hack3rcon2/martin-bos-your-password-policy-sucks



Monday 6 February 2012

WPA Cracking with oclHashcat-plus

oclHashcat-plus is a CPU / GPU password cracker with a huge number of options able to
handle a myriad of hash types.

I will go through steps I took to test the cracking of a WPA2 .cap file from my test setup.

I will be using BackTrack5 R1 to capture the .cap file with 4-way handshake and to create the required
.hccap file but will carry out the actual cracking of the .hccap file on a Win7 PC.
This is because I am still worried that my knack for fubarring things up could prove life-threatening if I screw up a BT5R1 HDD install on my main machine ;) so I'll stick with using a VM image for the time being..
lols..


PREPARATION
===============
First things first, I want to use aircrack to create the .hccap file from a standard .cap file using the new
-J option in aircrack as oclHashcat does not work with the standard .cap files.
The aircrack version included on the stock install of BT5R1 does not yet have this option -J included, so we need to get the latest and greatest from the aircrack site and do the necessary to install.

Grab the latest build of aircrack here (last one in the list at time of writing 06-02-2012 was r2061);
http://nightly.aircrack-ng.org/aircrack-ng/trunk/
Extract and cd to the directory;
tar -xzf aircrack-ng-trunk-2012-02-05-r2061.tar.gz
cd aircrack-ng-trunk-2012-02-05-r2061

To be able to correctly install the latest aircrack, some additional packages are required before trying to build aircrack;
(reference; http://hashcat.net/forum/thread-816.html)
apt-get install libssl-dev
(I had previously installed this, hence the message that it is already the newest version)
Then, from within the aircrack directory, install with ;
make
make install

To update aircrack manually with previously downloaded files, there is a good detailed blogpost
brought to my attention by a reader here http://www.kknd.com.br/security/01/ on how to do that.

Using either of the above methods, you should be ready to rock and roll with the latest aircrack-ng.

Edit 10-02-2012
Backtrack repositories have been updated, the aircrack now included is
v1.1 r2076, so;
apt-get update 
apt-get upgrade
will also get you a current version of aircrack which includes the -J switch.


CAPTURING THE WPA HANDSHAKE
===============
To start the process of capturing the handshake first place the wireless interface in monitor mode using airmon-ng;

airmon-ng
airmon-ng start wlan0

and then fire up airodump with options to focus only on your target AP, in my case ;

airodump-ng mon0  -c 11 -t wpa -d 98:FC:11:8E:0E:9C -w capture

When the handshake is captured, either by patiently waiting for a client to connect, or by forcing a
connected client to disconnect/reconnect with for instance aireplay-ng, this will be noted at the top right hand side of the airodump window.
We can then stop airodump and verify that the handshake is captured with aircrack ;

aircrack-ng capture-01.cap

Now we have our .cap file with 4-way handshake, we need to convert it to .hccap format so that we
can use oclHashcat on it.
To do this we use the -J option in aircrack ;
(again, this option only available in the later aircrack builds, not in the stock install on BT5R1)

aircrack-ng capture-01.cap -J capture

Now we have our .hccap file, I will be switching to my Win7 PC for the actual oclHashcat cracking.
(yeah yeah..I know.. a bit of a fail... ;) )


OCLHASHCAT-PLUS
===============
First, of course, download the latest oclHashcat-plus (at time of writing 06-02-2012 v0.07) if you haven't already done so and extract it to where you want; I extracted all files to ;
c:\oclHashcat\

Open up the command prompt ;
Start --> Run --> cmd
And move to the directory where you extracted the oclHashcat files to, in my case ;

cd c:\oclHashcat

I am running a 64bit Windows 7 system with an nVidia card (CUDA) so I need to run the cudaHashcat-plus64.exe file, with --help for further info ;

cudaHashcat-plus64.exe --help

All the info may seem somewhat overwhelming, it certainly did to me, so herewith just a couple of
examples on how it can be used.

I copied the capture.hccap previously created to the oclHashcat directory on the Windows system as
'capture_fubar.hccap'


DICTIONARY ATTACK
===============
I will be using the rockyou dictionary as an example as it is a fairly large one, and copied the rockyou.txt file to the oclHashcat directory for easy access.

To start the crack, we need to specify ;
> The version of oclHashcat we need to use
    in my case the 64bit version for cuda enabled cards, for ATI cards, you would use the ocl version.
> -m [hash type #] (see number references for hash types at bottom of  help section)
    in this case '2500' which is used for WPA/WPA2.
> The path to the hash file / hccap file
    in this case 'capture_fubar.hccap' in the same directory.
> The path to the dictionary we are using for the attack
    in this case 'rockyou.txt' in the same directory.

cudaHashcat-plus64.exe -m 2500 capture_fubar.hccap rockyou.txt
Press 's' to get an updated status report (I hit Enter first to create a space between status reports).

oclHashcat went through over 11.5 million passphrases in 2 min 15 sec, at around 54k passphrases a second..

Increasing the load on the GPU with the -n option can increase performance and the number of passphrases checked per second ;

cudaHashcat-plus64.exe -m 2500 -n 80 capture_fubar.hccap rockyou.txt

So with the increased load on the GPU it went from around 54k passphrases/sec to around 64k passphrases/sec.



MASK (BRUTEFORCE) ATTACK
===============


From what I have read, oclHashcat-plus is not yet able to mask bruteforce in increments (so first testing 8 characters, then 9, then 10 etc.), so you need to test that manually.
However, I am not completely sure on the bruteforce options to be honest, as I see in the wiki there are specific
bruteforce options mentioned, but I can't seem to get them working as yet.
Reading up ;)

The masked bruteforce attack works by defining the character sets to use (if custom character sets are required),
and then using a mask to define at which position in the passphrase each charset should be used.

There are various predefined charsets, among which ;
?l  -- lower case alpha
?u  -- upper case alpha
?d  -- numeric values
?s  -- special characters including space

To start a mask / bruteforce attack, you need to specify ;

> The version of oclHashcat you need to use
> -m [hash type #]  (-m 2500 for WPA/WPA2)
> -a [attack mode #] (-a 3 for bruteforce).
> The custom character sets (if any).
> The path to the hash file / hccap file.
> The mask to use.


The mask used has to match the length of the password, so if testing for an 8 digit password
you have to enter 8 mask placeholders.

If for instance testing all uppercase values for an 8 character password ;

cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?u?u?u?u?u?u?u?u

If testing for numeric values only for an 8 character password ;

cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

If we know that for an 8 digit password the 1st 4 digits of the password are numeric values and the last 4 digits are upper case values, then you would specify that as follows ;

cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?d?d?d?d?u?u?u?u

CUSTOM CHARSETS

You can define up to 4 custom charsets to be used; this is done by using the switches ;
-1, -2, -3, -4

So thinking of our above dictionary crack, for the sake of argument, let's say we know the passphrase
used is a 4 digit number only containing the numbers 1 2 3 4, followed by 6 upper case values only containing the letters Y T R E W Q.

We could create a custom charset containing the numbers 1234 and specify these to be used for the
first 4 digits of the passphrase, and also create a second custom charset containing YTREWQ and specify these to be used for the last 6 digits of the passphrase.
Of course this is not a terribly realistic scenario .. but hey, you get the idea.. 
In the mask you would then specify where to use the 1st custom charset and where to use the 2nd custom charset, with ?1 for the 1st custom charset and ?2 for the 2nd custom charset, as follows ;

cudaHashcat-plus64.exe -m 2500 -a 3 -1 1234 -2 YTREWQ capture_fubar.hccap ?1?1?1?1?2?2?2?2?2?2

If you were to actually know that the first 4 digits of the passphrase are '1234' followed by 6 uppercase alpha values then you can define the 1st 4 values of '1234' directly in the mask ;

cudaHashcat-plus64.exe -m 2500 -a 3 -n 80 capture_fubar.hccap 1234?u?u?u?u?u?u

Of course the above examples are for the purpose of explanation only and probably not realistic for real-world scenarios, but I hope it shows at least a small part of how oclHashcat-plus can work.


oclHashcat-plus is truly an awesome bit of kit, the speeds are certainly astonishing to me since I was used
to non-GPU speeds before ;) 30 minutes to get through an 8 digit numeric wordlist ?!! awesome..
And that's just on my nVidia GTX590, which sux big time compared with the benchmarks I see on hashcat's site for the ATI cards..

There are many, many other options I need to get my head around; rules, dictionary mangling, bruteforce, the list goes on and on ..  !
A lot more reading and testing required...

A good hint is to also check out the GUI for oclHashcat; it gives you a quick visual view of the commands
that you are using, so that you can troubleshoot what you are doing wrong when trying it on the command line.



If I messed up anywhere on the above, please comment on it, have just started out trying hashcat so learning as I go !



Linkage/Credits; 

http://hashcat.net/oclhashcat-plus/

http://danielweis.wordpress.com/2011/10/13/gpu-password-cracking-of-wpa-using-airodump-oclhachcat-gui-a-basic-how-to/

d3ad0ne's awesomeness ;
http://ob-security.info/?p=31
http://pauldotcom.com/2010/10/your-password-cracking-system.html
http://ob-security.info/?p=274

Wednesday 18 January 2012

Cracking WPA using the WPS vulnerability with reaver v1.3

REAVER > WPS

WPS functionality leaves some routers at risk, even when WPS is 'not configured / disabled'..
=====================================================================

I am sure everyone has already seen by now, the WPS function, which is present on nearly
all current routers, has been proven to be vulnerable (on some routers) to a 2 stage bruteforce
attack on the router's 8 digit pin.
An extract from the readme from the author's google code page
http://code.google.com/p/reaver-wps/wiki/README ;

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Now as soon as I had heard about this tool, I immediately checked to make sure that WPS was not configured on my router.
As I always configure it manually, I was pretty sure WPS was disabled, and as I thought, WPS was not configured.


Router information ; Cisco Linksys E1000 v2.0, Firmware v. 2.0.01
I checked the router settings, made sure WPS was not configured then rebooted router ;

Little did I know that even though I had chosen not to use WPS, WPS was not in fact disabled and the router was still vulnerable, which I found out after seeing it mentioned to be the case on the BackTrack forums and checking my own setup later on ...
WTF..
In retrospect, the term "Configuration view" does not say whether it is, or is not configured/enabled....
Well played lawyers Linksys...

I could not find any other possibility to alter the WPS settings on the router or any way to disable the PIN.
(There is actually a firmware upgrade for the router; v2.1.02, issued on 25-05-2011, so although the update may  prevent the WPS vulnerability or give more options to REALLY disable WPS,  I haven't checked its possibilities as yet).


Fired up BackTrack and specified airodump to focus only on my AP and to capture packets.
airmon-ng start wlan0
airodump-ng mon0 -c 11 -t wpa -d 98:FC:11:8E:0E:9C -a -w wps_test

After capturing just a few packets, I stopped the capture and checked in Wireshark to see if there was any info on WPS..

lolwut ?!


Downloaded and installed reaver (as of this date 18-01-2012 reaver v1.3)
http://code.google.com/p/reaver-wps/

tar -xzf reaver-1.3 
cd reaver-1.3
cd src/
./configure
make && make install

and used reaver's included 'walsh' to check my AP (walsh was later renamed to wash) ;


walsh

Testing Walsh ;
walsh -i mon0 -c 11 -C -s
(just a simple walsh -i mon0 worked fine for me as well by the way, just limiting results with the above)

Damn..


OK, so I decided to see whether it actually was still vulnerable, started reaver and let it do its thing.

I got many warnings that 10 attempts had failed in a row, receive timeout issues etc., so I basically ran it for a few
hours on 3 days in a row; reaver saves the previous session in any case, so you can do it as and
when you please..
Tested on a Samsung N110, Atheros chipset, ath5k drivers for the wireless.


reaver -i mon0 -f -c 11 -b 98:FC:11:8E:0E:9C -vv -x 60 

Anyway, the final outcome.. BAH !

damn.. hacked.. !
And here I was thinking I was nice and cosy in my "secure WPA2" world..
The time used as mentioned above is not completely accurate as I had split the crack over 3 days with
a few hours at a time; I would imagine that in total it took between 10 and 12 hours in my case, possibly a couple of hours more.

I had better results (less errors) when using a wireless adapter with REALTEK RTL8187L chipset with
the rtl8187 driver.



So, what to do ?
Well, in my case, I bought a different/better router the day after I figured out that my router was still vulnerable.. screw it.. otherwise I was going to stay feeling uncertain ;)

Other cheaper options ;
> Check for firmware updates, possibly a revised firmware is available to counter the vulnerability.
> Use 3rd party firmware (if supported) such as the likes of Open WRT or DD-WRT.
   (DD-WRT for instance does not support WPS and is therefore not vulnerable to the reaver attack)

Edit 22-01-2012
--------
My previous remarks on MAC spoofing being an issue were incorrect.
RTFM TAPE .. :|
http://code.google.com/p/reaver-wps/wiki/FAQ
For MAC spoofing to work with reaver, the physical interface must also have its MAC spoofed.

Depends on your setup, however in my case
> wlan0 physical interface.
> mac address 00:11:22:33:44:55 as the mac address to be spoofed.
ifconfig wlan0 down 
macchanger -m 00:11:22:33:44:55 wlan0 
airmon-ng start wlan0

monitor mode then enabled on the created mon0 interface

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0 
ifconfig wlan0 up 
ifconfig mon0 up
 
Then start up the reaver attack and it should all run as intended.
--------

Edit 28-01-2012
--------
I have been having issues with the latest version of reaver; v1.4, with it failing to associate
whereas v1.3 associated fine.
Apparently there are others also having issues when running it on BT5, some also seem
to report that an apt-get update && apt-get upgrade on the BT5 system is what caused
the problems for them.

http://code.google.com/p/reaver-wps/issues/detail?id=172

For the time being the author of reaver simply advises to stick with Ubuntu v10.4 which is
his testing platform.

So if you are having trouble with reaver v1.4, perhaps try the previous version; reaver v1.3.

Would appreciate anyone's feedback on their experiences with v1.4 if there are any.
--------

Update 04-02-2012
--------

Well I have made some progress with reaver v1.4, the below done on a VMware BT5R1 image.

Installed reaver v1.4 from the BT repositories ;
apt-get update
apt-get install reaver

reaver v1.4 includes the new wash (formerly walsh)

wash

Carried out a quick scan with wash to get the details of my (now committed to the shelf of shame..) router.
Using a wireless adapter with Realtek RTL8187L chipset with rtl8187 driver in this case.
Started the wireless interface on the channel of my AP (Channel 11)
(as I was having issues with aireplay-ng when I had not specified the channel that should be used)
airmon-ng start wlan0 11
wash -i mon0 -C

Now previously I was having trouble getting reaver v1.4 to associate to my router for some reason, so
I decided to try to associate with another application, and then use the -A switch in reaver so as to not
have reaver itself associate.

So I started aireplay-ng with the fake association options.
I found that having a longer delay resulted in better performance with reaver, but you will have to play around to see what works best for your setup.

aireplay-ng mon0 -1 120 -a 98:FC:11:8E:0E:9C -e FUBAR

Then fired up reaver v1.4 ;

reaver

and started reaver v1.4 with the -A switch, to not have reaver associate with the router itself, in a separate terminal window ;

reaver -i mon0 -A -b 98:FC:11:8E:0E:9C -v
(there is a lot more output with reaver v1.4, hence only the single -v)

The result ;
A continuous stream of 2 seconds per pin attempt, which is much better than previously encountered
with v1.3 to be honest.

So, at least there is a work around, however still strange that reaver v1.4 won't work 'out of the box'
for me on BT.. Oh well, maybe v1.5 will be released to straighten things out ;)
--------
Edit 26-02-2012
The latest upgrade to BT5 R2 seems to have helped with my association issues !
Yay !
So getting the latest and greatest on my HDD install of BT5 R1, doing an ;
apt-get update 
apt-get dist-upgrade
Did the trick for me in getting it working the way it was meant to.

A fresh install of BT5 R2 is recommended as I was having issues again after updating
to include the latest repositories as suggested in the BackTrack blogpost.

For me, with a fresh install of BT5 R2, reaver is working well and as intended, and with
the -d option set to 0 or 1 it really blasted through that router on the shelf of shame.
--------


This type of attack is a real problem for many people and it would be more than foolish not to check your routers asap.


So .. check your routers asap !