Tuesday 28 July 2009

Back on Track to Backtrack - WPA cracking

So, after having lived a couple of weeks without my eeepc, I could take it no longer and got myself a new toy.
A Samsung N110, pretty sweet, and actually did go for Windows XP OS, whatever you say about Windows, it is usually handy to have and when needing Linux, I'll just bootup the live USB.

Only small gripe I have is that the bios does now allow booting from SD card which is kinda annoying, but I have a tiny USB 8gig drive, so its OK. Its just that the eeePC seemed to be more versatile out of the box.. oh well, no worries, it works !

When BT4 is finalised I'll probably do a dual boot HDD install, but waiting with that for the moment :)

So anyway, back on track to backtrack ..

In previous posts I looked at wireless and WEP encrypted networks and how especially
the wep networks are dangerously weak.
This all done with BackTrack3 Final.

Important to note the below using BackTrack 4 Pre Final.

Now time to look at WPA and WPA2 protected networks which are normally the ones that
you will see the most.

I have setup a test network using my Asus router as follows ;

essid : default
Encryption : WPA-PSK
No MAC filtering
DHCP enabled

So the point of this is to demonstrate the problems with people using weak passwords for their WPA encrypted connections.

For this example we will use Cowpatty, which is a program made to crack WPA(2) passwords using either rainbow tables or simple wordlists.
Granted this does not catch all, but it can catch the uncautious.

The advantage of using rainbow tables is that it is much faster (when you actually have the tables that is..) just using a wordlist means the program has to combine the essid, with the passphrase, create a hash out of these two and see of it is OK.
Rainbow tables already have these hashes pre-computed, so saving time.

Some rainbow tables have already been made using of the some of the most commonly seen essids, using a 49 million word dictionary for use with Cowpatty; http://www.offensive-security.com/wpa-tables/

So what we need to do is the following
> Identify our target network
> Verify if any clients are associated to network
> If no clients associated.. wait..
> If clients associated, deauth and capture 4-way handshake
> Use this 4-way handshake to with cowpatty to crack network WPA password.

Identifying target

Start our interface in monitor mode and start up airodump, since I know my network will be a WPA network on channel 1, I start airodump with filters for those ;

airmon-ng start wlan0
airodump-ng mon0 -c 1 -t WPA

And then see the target we are looking to attack

So after having identified the network I am after I will re-start airodump identifying the bssid and start monitoring and writing data (in this case using 'default' as filename to write to)and wait for a client to connect.

airodump-ng mon0 -c 1 -t WPA --bssid 00:13:D4:09:32:60 -w default

When the 4-way handshake is captured after the client associates (see top right of the picture below) I no longer need airodump and can continue.

If there is already a client connected to the AP, we need to deauth the client and force it to reconnect, thus giving the 4-way handshake we need.
In a seperate console;
aireplay-ng mon0 -0 5 -a 00:13:D4:09:32:60 -c 00:1F:3C:8C:D9:71

Now we need to have the WPA rainbow table handy for this crack, so use the link above for rainbow tables or make your own..

Start up cowpatty and enter information as necessary.
(All below my specific info, change to suit your needs)

In this case (in cowpatty console);

./cowpatty -d /media/disk/WPA_tables/default.wpa -r ~/default-01.cap -s default

When starting;

When done;

So as you can see from the above pic, the passphrase is butterfly and the program managed to go through over 45000 passwords per second.. pretty good !

Doing the exact same crack, but then just using the dictionary file from which the rainbow tables were made, the situation only changes when starting up cowpatty.
You still need the handshake with the AP and the essid, then proceed as follows;(in my case my wordlist is on the drive-folder /media/disk/WORDLISTS/)

./cowpatty -f /media/disk/WORDLISTS/wpalist.txt -r ~/default-01.cap -s default

I didn't have the patience to let it run its course.. it was only doing 34 passphrases a second and that would have taken a looong time ! However given time and patience.. a lot can be done.
Remember this done on a Samsung N110 with 2gig ram, if the cracking were to be done on a different/better setup, speed would be better.

It is also possible to bruteforce the passphrase using crunch and piping the output through cowpatty.

For instance, there is a telecom provider here that issued a WPA key along with it's router that
was always a combination of numbers and upper case characters up to F of 8 characters in length.

In that case, if we were to feel patient.. we could run crunch using the known variables and pipe the outcome to cowpatty as follows ;

/pentest/passwords/crunch/./crunch 8 8 0123456789ABCDEF | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/capfile.cap -s essid

I can do something similar in my case using buterfly as character set (since I know those are all the characters in the passphrase) and to speed things up fixing the first 5 characters;

/pentest/passwords/crunch/./crunch 9 9 buterfly -t butte@@@@ | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/default-01.cap -s default -v

Monday 6 July 2009

Disaster strikes !

Argh !

My lovely Asus eeepc took a dive to the floor and has fractured the screen :(

I am blaming my wife, she is blaming my uncontrolled movements after having
a few beers too many.. which of course is ludicrous seeing as how I still move
with the grace of a ballet dancer no matter the quantity of alcohol containing
beverages I consume..
So I have one-sidedly decided to put the blame close to the middle.. closer to her..
(pics will be posted when I find the charger.. incidently I blame the wife for losing that as well)

OK, found the charger.. it might not have been the better half's fault after all..
Still undecided on the damage sustained to my eeepc though !

In any case the netbook is toast now and am unable to practice the joys of BackTrack
which is a nuisance as the new BT4PreFinal is out and looks pretty sweet.. and I want to get to grips with all the goodness on it !

So to bide the time, a short summary of the excitement on holiday.. yeah.. its kinda quiet there, but great for a rest.

Arrived and found there was a large bee's nest between the windows and the shutters.. yikes..
Got the bee man round and he smoked them with a mixture of straw and cattle feed (?!) which
seems to calm them down a bit, then cut off the combs and put the ones with bee larvae in them
in a new slot for his box..

I was hoping to see the queen, but never did, and even the bee man didn't see her either, all in all
though pretty damn sweet to see.

The beehive;

The dude getting ready;

Starting the removal of the combs one by one ;

Scraping off the bees into his make-shift hive ;

Actually got about a quarter of a jar of honey as well, can't complain I suppose !
Google Analytics Alternative