Hacking teaser 2013


March, 26th 2013

01/2013


Why BackTrack?

BackTrack is a very specialized Linux distribution (or abbreviated as distro) based on Debian GNU/Linux, including a large collection and variety of software applications and tools that are mainly concerned with penetration testing and digital forensics. The current and most updated version is BackTrack 5 Release 3, which we will be using during all our upcoming examples and demos.

BackTrack is now the de facto standard for IT security professionals working in the penetration testing field, with a lot of resources and training material. Further information about BackTrack and download links can be accessed at the official BackTrack site http://www.backtrack-linux.org/

What is the Aircrack-ng Suite?

Aircrack-ng (Next Generation) is a suite of applications and tools including a packet detector, a sniffer and WEP, WPA and WPA2 cracking tools. It runs under both Linux and Windows; however, it is highly recommended to run it under Linux, not because of Aircrack issues with Windows but rather because of the limitations of the Windows operating system itself, since it is highly proprietary software with a lot of restrictions, especially with the network cards and their respective drivers. For more information on the tool, tutorials, downloads and supported configurations please check the official site http://www.aircrack-ng.org/

WEP threats

WEP or Wired Equivalent Privacy is one of the first encryption algorithms used in wireless to encrypt data travelling over the air in wireless LANs; it is also used as part of the shared authentication mechanism to verify the wireless client device. WEP uses an algorithm called RC4, a stream cipher (from RSA Security) and pseudo-random number generator (PRNG), and the main problems with WEP or RC4 are:

1. The RC4 source code was posted in the mid 90s and is available on the internet for anyone, which gives intruders and hackers the chance to check the code and break it later.

2. There are many software packages available in the market, most of them free tools, that are used to crack WEP.

RC4

RC4 is a very popular method of encryption and it is adopted by many applications. One of the famous applications that uses RC4 is SSL (Secure Socket Layer protocol), which most of the web sites use to secure their data. The RC4 cipher key consists of two parts, a static and a dynamic part.

The static part is the shared secret key that the user enters in the wireless device in order to connect to the network or gain access. It is sometimes known as the pre-shared password. The length of this key can be either 40 bit or 104 bit and it can be entered either as a hexadecimal number or as an ASCII plain text value. If you are using hexadecimal then you will enter 10 characters for the 40 bit key and 26 characters for the 104 bit key. If you are using ASCII then you will enter 5 characters for the 40 bit key and 13 characters for the 104 bit key.

The dynamic part of the RC4 key is the IV (Initialization Vector). The length of this part is 24 bit and it must be noted that this IV is always changing, and that is why it is dynamic. This IV is appended (attached) to the shared secret key (40 bit or 104 bit), which gives us a total of either 64 (40 + 24) or 128 (104 + 24) bit encryption.

How WEP Works:

RC4 works by using XOR (a mathematical function used with binary numbers; it gives an output of zero for identical bits and one when the two inputs are different) with the keystream derived from the cipher key in order to encrypt data.

WEP Encryption Process:

1. The actual data (un-encrypted plain text) sent from the sender station passes first through an integrity check algorithm which creates an
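As an added example (not code from the article), the RC4 stream cipher and the WEP per-packet key construction described above, including the CRC-32 integrity check value the encryption process refers to; the key, IV and payload values are constructed, and in the actual frame format the 24-bit IV comes first in the RC4 seed, followed by the shared secret.

```python
"""Added example (not from the article): RC4 and the WEP per-packet key as the
text describes them, using constructed key, IV and payload values. The 24-bit
IV is concatenated with the 40- or 104-bit secret to seed RC4, and the keystream
is XORed over the payload plus its CRC-32 integrity check value (ICV)."""
import zlib

IV_SPACE = 2 ** 24  # only ~16.7 million distinct IVs, so per-packet keys must repeat


def parse_wep_key(key):
    """Accept the formats the article lists: 10/26 hex digits or 5/13 ASCII characters."""
    if len(key) in (10, 26) and set(key) <= set("0123456789abcdefABCDEF"):
        return bytes.fromhex(key)      # 40-bit or 104-bit key typed as hex
    if len(key) in (5, 13):
        return key.encode("ascii")     # the same lengths typed as plain text
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII characters")


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling (KSA) followed by `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_protect(iv, secret, payload):
    """Encrypted frame body: IV header, then RC4(IV || secret) XOR (payload || ICV)."""
    assert len(iv) == 3, "the WEP IV is 24 bits"
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + secret, len(payload) + 4)
    body = bytes(p ^ k for p, k in zip(payload + icv, keystream))
    return iv + b"\x00" + body         # byte 4 carries the key index (0 here)


def wep_unprotect(secret, frame):
    """Reverse the process; return the payload, or None when the ICV does not verify."""
    iv, body = frame[:3], frame[4:]
    clear = bytes(c ^ k for c, k in zip(body, rc4_keystream(iv + secret, len(body))))
    payload, icv = clear[:-4], clear[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None
```

Because the keystream depends only on the IV and the secret, two frames sent under the same IV share a keystream, which is why the 24-bit IV space matters for the key recovery the article goes on to describe.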


Tools and Devices Needed during the Attack

1. Laptop or computer with BackTrack 5 R3 loaded on it. It can be a virtual machine or a physical computer with good RAM and processing power. My test laptop had a dual core processor and 8 GB RAM.

2. Wireless card able to inject traffic and packets. I will be using the most popular and available wireless card, the Alfa Networks AWUS036H, utilizing the Realtek 8187 driver supported by the Aircrack suite; however, there are other cards. Another good one is the Netgear WN111. For the complete list of supported cards and drivers under either Windows or Linux, please check the following site: http://www.aircrack-ng.org/doku.php?id=compatible_cards

3. Access point supporting WEP encryption (most access points / routers will satisfy this need).

BackTrack Basics

Turn on the Monitoring Mode: the first step to capture and crack the WEP encryption key is to turn the wireless network card into monitoring mode (similar to the promiscuous mode in Ethernet networks). The easiest way to do so is to use the airmon-ng command. Running airmon-ng without any parameters will display the current wireless interfaces on your computer or laptop, to check which one will be used for the packet sniffing and injection in case you have several cards. In my case I had two interfaces (the first is the default wireless card built into the laptop) and I enabled the wlan0 interface (which has the Realtek RTL8187) using airmon-ng start wlan0, as per the attached screenshot.


To check if there is any process accessing the wireless card that may cause problems later, you can run airmon-ng check; if any process is listed you can kill them using the command airmon-ng check kill. The next step will be checking and identifying the nearby networks. Sometimes you might get many wireless networks in your coverage area, and it would certainly be beneficial if you can start your monitoring mode on the exact channel of the access point that you are targeting. To get a list of the nearby access points / networks you can use the BackTrack graphical interface from Applications > Internet > WICD Network Manager.

Another way would be using egrep together with the iw dev command as shown below (this command is case sensitive and the spaces should be preserved):

iw dev wlan0 scan | egrep "DS Parameter set|SSID"
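As an added example (not from the article), a small parser for the full `iw dev wlan0 scan` report that classifies each access point's security type from its capability and RSN/WPA information elements, so a site survey can list the WEP networks that still need to be retired; the scan text is constructed for the example.

```python
"""Added example (not from the article): classify the access points in an
`iw dev wlan0 scan` report by security type, so a site survey can list the
WEP networks that still need to be retired. The scan text is constructed."""
import re

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:87(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: LegacyOffice
\tDS Parameter set: channel 11
BSS aa:bb:cc:dd:ee:ff(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: HomeNet
\tDS Parameter set: channel 6
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
BSS 12:34:56:78:9a:bc(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tSSID: OpenCafe
\tDS Parameter set: channel 1
"""


def parse_iw_scan(text):
    """Return one dict per BSS with bssid, ssid, channel and inferred security."""
    networks = []
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        header, _, body = block.partition("\n")
        ssid = re.search(r"^\s*SSID: (.*)$", body, re.M)
        chan = re.search(r"DS Parameter set: channel (\d+)", body)
        cap = re.search(r"capability: (.*)", body)
        # The Privacy capability bit means encryption is on; without an RSN
        # (WPA2) or WPA information element the only option left is WEP.
        privacy = bool(cap and "Privacy" in cap.group(1))
        modern = bool(re.search(r"^\s*(RSN|WPA):", body, re.M))
        security = "open" if not privacy else ("WPA/WPA2" if modern else "WEP")
        networks.append({
            "bssid": header.split("(")[0].strip(),
            "ssid": ssid.group(1) if ssid else "",
            "channel": int(chan.group(1)) if chan else None,
            "security": security,
        })
    return networks


def wep_networks(text):
    """(ssid, channel) pairs for every network that still relies on WEP."""
    return [(n["ssid"], n["channel"]) for n in parse_iw_scan(text)
            if n["security"] == "WEP"]
```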


In my current test scenario the target wireless network using WEP was using Channel 11, so my network card monitoring mode was commenced on Channel 11 to filter the surrounding access points.

WEP Key Recovery Step by Step Attack:

1. In my current test scenario the target wireless network using WEP was using Channel 11 and I fired up my monitoring mode on Channel 11 to filter out the surrounding access points using the command airmon-ng start wlan0 11, as shown in the picture above.

2. Start an airodump capture on the given access point channel and BSSID. The output of this airodump run will be saved to a capture file on the computer disk, to be passed later to the aircrack tool to recover the key. Airodump-ng is mainly used for capturing 802.11 frames, and in our case the WEP IVs. The command used is as follows:

airodump-ng -c 11 --bssid xx:xx:xx:xx:xx:xx -w testdemo mon0

where -c stands for the channel, --bssid is the MAC address of the target access point and -w is followed by the name of the output capture file.

As you can see from the above image, by pointing and targeting Channel 11 I was able to filter the list of access points to only my target AP (ending with 87), and there is one station currently connected (ending with A8:42). Make sure to keep the airodump-ng window running till you finish steps 3, 4 and 5 and gather the needed IVs.

3. We will run the first attack using aireplay-ng, which is the fake authentication. The fake authentication attack is used mainly when you need to attack a WEP enabled access point and there are no current clients associated to this network, and you need to fake a client association to this network. Fake authentication works with both WEP authentication modes (Open and Shared). It should be noted that it is only used with WEP enabled wireless networks and not WPA or WPA2. It is recommended by all security professionals to always start with the fake authentication attack. The command used is:

aireplay-ng -1 0 -e AP-SSID -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0

where -1 stands for the fake authentication attack, which is the number 1 attack, 0 is the timing in seconds for re-association, -e is for the wireless network name that users connect to with their network cards, -a is the target access point MAC address and -h is followed by the MAC address of my internal Realtek wireless card.


To confirm that my fake authentication was successful we will run airodump again (as in Step 2) and we will find the new workstation (our Realtek card ending with 07:b0) added to the list of connected stations.

4. Run an ARP request replay attack (ARP stands for Address Resolution Protocol; it is the TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet address). This is one of the most effective methods to generate new IVs. It listens for an ARP packet, then retransmits it back to the access point, which makes the access point repeat the ARP packet with a new IV; this process is done over and over for some time till enough Initialization Vectors (IVs) are collected.

aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0

where -3 stands for the ARP request replay attack, which is the number 3 attack in the suite, -b is the target AP MAC address and -h is your MAC address after a successful fake authentication attack and association to the target access point, or the MAC address of any already associated client.


Thank you for reading our magazine from cover to cover. Please share with us your comments about this issue on Twitter or Facebook:

@Hackinsight

http://www.facebook.com/hackinsight

[email protected]

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Become our Beta Tester and receive each article before the publication date!

only available security compared to nothing; however, you need to take some extra precautions. Check for the most updated drivers from your access point manufacturer, use a 128 bit encryption key, change the key frequently and finally install any free IDS system to monitor the connections and detect if any malicious attack is launched against your system.

I will try to explore more advanced WEP cracking techniques including data / packet injection in further future articles and explore the world of the famous secured WPA and WPA2 and their weaknesses (remember there is no completely secure system).

About the author

Ahmed Nabil is an IT professional with more than 13 years of experience, specialized in IT infrastructure, security, system administration and IT management. My real passion is networking and security. I hold a BS, MS, MCITP, MCSE, CCNP, CWSP, CEH, CHFI, ITIL and PMP. You can follow me on my blog (http://itcalls.blogspot.com)
