Kali 2 Sana Custom ISO Build – Software Defined Radio (SDR) & Wireless Tools

I have been meaning to do this for ages; who likes configuring a system from scratch every time anyway? Doing the same thing again and again is the definition of insanity, so let’s fix that: automate the installation of Kali and customise it along the way so that you only install what you want or need.

First things first, refresh your package lists with

apt-get update

[Screenshot 1: Kali Sana prep work, apt-get update]

Install git and live-build

apt-get install git live-build

[Screenshot 2: installing live-build]

Next create a directory, git clone the live-build-config repository, change into the cloned directory and check what’s inside

mkdir Kali_2.0_Custom_Build
git clone git://git.kali.org/live-build-config.git
cd live-build-config
ls

[Screenshot 3: git clone of live-build-config]

Now open the following file (inside the cloned live-build-config directory) in the editor of your choice

nano kali-config/variant-xfce/package-lists/kali.list.chroot

[Screenshot 4: modifying the package list]

For the GUI I am going to use kali-desktop-xfce, as I like the speed that comes with it: it’s quite basic and light. I don’t really want the full package, as I only really use the wireless tools and plan on using the Software Defined Radio (SDR) tools too, so there is no need to install everything in there. (You may be different, so decide here what you want or need before you continue.)

I will just remove the hash (#) from the start of the kali-linux-sdr and kali-linux-wireless lines so that only those metapackages are installed.

Before editing, the kali.list.chroot file looks like this:

[Screenshot 5: package list before modification]

After editing it should look like this; save the file and continue to the next step

[Screenshot 6: package list after modification]

Create a new file called 01-unattended-boot.binary in kali-config/common/hooks/

nano kali-config/common/hooks/01-unattended-boot.binary

Also chmod it so that it is executable

chmod +x kali-config/common/hooks/01-unattended-boot.binary

[Screenshot 7: unattended boot hook file]

Paste in the following:

#!/bin/sh

cat >>binary/isolinux/install.cfg <<END
label install
menu label ^Unattended Install
menu default
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 -- quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan
END

Save the file once again. This hook is courtesy of the Kali dojo.

[Screenshot 8: unattended boot hook created]

Once this is done, the next step is to obtain or create a preseed file so that all the installer questions are answered automatically for you. I’m going to use the one from the Kali dojo, which the Offensive Security team use for building their images; you can download it from their website located here.

Pull down the file and save it in the correct directory like this

wget https://www.kali.org/dojo/preseed.cfg -O ./kali-config/common/includes.installer/preseed.cfg

[Screenshot 9: preseed.cfg downloaded with wget]

We are nearly there, but the desktop is going to be bare, so find a high quality image of your choosing and adjust the commands below to use it as your own custom background. As I am indecisive, I am going to use the following image, once again from the Kali dojo, located here.

Make a new directory

mkdir -p kali-config/common/includes.chroot/usr/share/images/desktop-base/

Download and save the image into the newly created directory

wget https://www.kali.org/dojo/wp-blue.png -O kali-config/common/includes.chroot/usr/share/images/desktop-base/kali-wallpaper_1920x1080.png

[Screenshot 10: desktop background downloaded]

Start off your new build

./build.sh --variant xfce --distribution sana --verbose

“build.sh” is the script that builds your ISO from your configuration options
“--variant xfce” specifies that you want to use the xfce desktop environment
“--distribution sana” selects the correct distribution for Kali Sana 2.0
“--verbose” gives you plenty of output on your screen to stare at for a while, as the build may take some time; don’t worry about reading everything, as it is all written to a log file that you can review when it is finished.
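The configuration steps above, wrapped into a small script as an added example (this is not code from the original post or from the Kali project). It assumes live-build-config is already cloned and is the current directory, and that the metapackages in kali.list.chroot are disabled with a leading '#' as in the screenshots; the build.sh flags are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the live-build
# configuration steps above into reusable functions.
# Assumptions: live-build-config is already cloned and is the current
# directory, and the metapackages in kali.list.chroot are disabled with a
# leading '#', as in the screenshots.
set -eu

CONFIG_DIR=${CONFIG_DIR:-kali-config}

# Uncomment the named metapackages in a live-build package list, leaving
# every other line (including other commented packages) untouched.
# Usage: enable_packages <list-file> <package>...
enable_packages() {
    list=$1
    shift
    for pkg in "$@"; do
        # Matches '#kali-linux-sdr' as well as '# kali-linux-sdr'.
        sed -i -E "s/^#[[:space:]]*(${pkg})[[:space:]]*$/\1/" "$list"
    done
}

# Print how many packages in the list are active (neither commented nor blank).
active_packages() {
    grep -E '^[^#[:space:]]' "$1" | wc -l | tr -d ' '
}

# Write the binary hook that adds the "Unattended Install" isolinux entry
# and make it executable. The kernel arguments use a plain '--' before
# 'quiet'; an em dash there would break the preseed boot entry.
# Usage: write_unattended_hook <config-dir>   (prints the hook path)
write_unattended_hook() {
    hook=$1/common/hooks/01-unattended-boot.binary
    mkdir -p "$(dirname "$hook")"
    cat > "$hook" <<'EOF'
#!/bin/sh

cat >>binary/isolinux/install.cfg <<END
label install
menu label ^Unattended Install
menu default
linux /install/vmlinuz
initrd /install/initrd.gz
append vga=788 -- quiet file=/cdrom/install/preseed.cfg locale=en_US keymap=us hostname=kali domain=local.lan
END
EOF
    chmod +x "$hook"
    printf '%s\n' "$hook"
}

# Network steps from the post: the preseed answers file and the wallpaper,
# both fetched from the Kali dojo.
fetch_dojo_files() {
    mkdir -p "$1/common/includes.installer"
    wget https://www.kali.org/dojo/preseed.cfg \
        -O "$1/common/includes.installer/preseed.cfg"
    mkdir -p "$1/common/includes.chroot/usr/share/images/desktop-base"
    wget https://www.kali.org/dojo/wp-blue.png \
        -O "$1/common/includes.chroot/usr/share/images/desktop-base/kali-wallpaper_1920x1080.png"
}

# Full run: package list, hook, downloads, then the build itself.
main() {
    enable_packages "$CONFIG_DIR/variant-xfce/package-lists/kali.list.chroot" \
        kali-linux-sdr kali-linux-wireless
    write_unattended_hook "$CONFIG_DIR"
    fetch_dojo_files "$CONFIG_DIR"
    ./build.sh --variant xfce --distribution sana --verbose
}

# Only start the (long) build when asked explicitly, so the functions can
# be sourced or tested on their own:  sh build-sdr-kali.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `--run` from inside live-build-config; without the flag it only defines the functions, so you can check the package list and hook before committing to a multi-hour build.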

[Screenshot 11: ISO build started]

Patience at this point, as this may take some time. The last time I created a full ISO with everything it took two hours in total to complete. With only the wireless and SDR tools I expect it to take less time to complete (this actually took six hours to complete for me).

When finished, and with no errors, it will look like the following:

[Screenshot 12: ISO build finished]

The ISO will be saved in the live-build-config/images directory

[Screenshot 13: ISO file location]

At this point I like to copy the ISO out of my VM into my host OS. Depending on your setup this will be different.

[Screenshot 14: ISO copied to the host]

Configure VirtualBox to your liking; if you’re unsure of the configuration settings please refer to this tutorial for guidance. When booting just click on “Install” and watch the configuration magic happen all on its own!

[Screenshot 15: selecting Install for the automatic installation]

Log in with
username: root
password: toor

[Screenshot 16: first boot of the custom XFCE SDR/wireless image]

Select the default configuration when prompted

[Screenshot 17: first boot, selecting the default configuration]

Now you have your own custom-built XFCE ISO with only the Software Defined Radio (SDR) and wireless related tools, and it installs automatically for you. Cool, isn’t it? You can also use it as a live image without installing it.

[Screenshot 18: custom SDR/wireless tools installation complete]

You can do all the normal things like installing the VirtualBox guest additions; for help on this, refer to this tutorial

[Screenshot 19: VirtualBox guest additions installed]

Have fun building!

18 – WPS Offline Pixie Dust Attack

Hey everyone, it’s been a while since my last blog entry. I recently started playing around with the WPS offline Pixie Dust attack, which I first mentioned back in May 2015, and wanted to document it. I have not had any success exploiting a router vulnerable to this attack, but that doesn’t mean we can’t exploit WPS using the older reaver method which I previously wrote about here and here. Please refer to my previous tutorial for some background on attacking WPS.
For this tutorial I am using Kali 2.0 “sana” in a VM, which has all the tools required to perform this attack, so just get the latest ISO of Kali, update it fully and you will be good to follow along 🙂

I have two routers that are susceptible to the old method using reaver, so I used them again for this tutorial. Unfortunately this doesn’t work against them, but the process does, so it’s worthy of a blog entry!

First, as always, put your card into monitor mode. I actually came across a random issue that looks like a bug in Kali 2 “sana” when running airmon-ng:

“airmon-ng check kill” will kill anything that may be interfering with your card when in monitor mode
“airmon-ng start wlan0” as you probably know now will place your card into monitor mode

[Screenshot 1: monitor mode on Kali Sana]

As you can see, instead of a new interface called “mon0” being created we have “wlan0mon”, which does the same thing. I thought it was worth mentioning as it was a weird issue.

Checking with iwconfig will show you that monitor mode is actually enabled so you don’t need to make any further changes:

“iwconfig” used below to make sure that the card is in monitor mode

[Screenshot 2: iwconfig monitor mode check]

BUT sometimes I have also found that, even though it says the card is in monitor mode, when you start airodump-ng sniffing the airwaves you actually see nothing; then you just have to bring the interface down and set monitor mode manually on the card.

“ifconfig wlan0mon down” this will put the interface down
“iwconfig wlan0mon mode monitor” this will manually set monitor mode on the wireless interface
“ifconfig wlan0mon up” this will put the interface up again

[Screenshot 3: manual monitor mode configuration on Kali Sana]

After you do this if you run

“airodump-ng wlan0mon” to make sure you are sniffing the airwaves

You will see things are working as expected:

[Screenshot 4: airodump-ng output after manual configuration]

My lab routers for attacking are named “dlink” and “test” under the ESSID column above.

Trying this attack against the access point labeled test first:

“reaver” runs reaver
“-i wlan0mon” specifies that you want to use the wlan0mon interface for this attack
“-b 2C:B0:5D:XX:XX:XX” is used to specify the MAC address of the access point you are targeting
“-vv” is used to display very verbose output
“-w” used to mimic a Windows 7 registrar
“-n” is used as this target access point always sends a NACK
“-S” is to only use small DH keys to improve the cracking speed
“-c 1” is used to specify the channel on which the access point resides

reaver -i wlan0mon -b 2C:B0:5D:XX:XX:XX -vv -w -n -S -c 1

[Screenshot 5: reaver Pixie Dust attack on Kali 2 Sana]

You may get different results with different access points, so make sure you look at the reaver and pixiewps man pages and try different switches! I already know this access point is not vulnerable, but just to show you what to do with this information: open up pixiewps and enter the details you just enumerated in order to recover the WPS PIN of the target access point:

“pixiewps” runs pixiewps
“-e” Enrollee public key
“-s” Enrollee hash1
“-z” Enrollee hash2
“-a” Authentication session key
“-n” Enrollee nonce (mode 2,3,4)
“-S” Small Diffie-Hellman keys (PKr not needed)

pixiewps -e PKE -s E-Hash1 -z E-Hash2 -a AuthKey -n E-Nonce -S

[Screenshot 6: pixiewps PIN attempt on Kali 2 Sana]

As you can see no WPS PIN is found, but that just means my access point is not vulnerable to this offline attack method; it is, however, vulnerable to the online method as can be seen in the previous tutorials here and here.

Now I also have another access point to check, labeled “dlink” as you can see above, so let’s jump straight to it!

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -vv -w -n -S -c 6

The PIN generated is incorrect, as the PIN on the router is neither of the PINs generated below, but it’s worth trying if the access point is a D-Link or Belkin: you may get lucky with the default PIN generator created by the devttys0 team, especially if your router is listed in the D-Link or Belkin posts showing how they were reversed in order to generate these WPS PINs.

[Screenshot 7: pixiewps D-Link default PIN generation on Kali Sana 2]

Another method

“reaver” to run reaver
“-i wlan0mon” will run on the interface of your wireless card
“-b 00:18:E7:XX:XX:XX” is to set the MAC address of the target access point
“-a” to auto detect the best advanced options for the target access point
“-vv” runs in very verbose mode
“-w” is to mimic a Windows 7 registrar
“-K 1” to Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek). Increment the value after -K.
“-n” as the target AP always sends a NACK
“-S” to use small DH keys to improve the crack speed
“-c 6” is to set the channel the access point is running on

reaver -i wlan0mon -b 00:18:E7:XX:XX:XX -a -vv -w -K 1 -n -S -c 6

[Screenshot 8: reaver Pixie Dust WPS PIN method on Kali Sana 2]

Even though these methods aren’t working for me, it doesn’t mean they won’t work for you, so give them a try on your home router and see if you are vulnerable to this attack; the time needed to crack a wireless network is greatly decreased if this method works, so it’s definitely worth trying.

Before I end this tutorial, I just want to point you in the direction of some cool switches I discovered in the latest version of the aircrack-ng suite, which you can use for WPS enumeration.

“airodump-ng” to start airodump-ng sniffing the airwaves
“-i wlan0mon” to set the interface to sniff on
“-W” to display whether the access point supports WPS. The first field of the WPS column indicates the version supported. The second field indicates the WPS config methods, of which there can be more than one, separated by a comma:
USB = USB method,
ETHER = Ethernet,
LAB = Label,
DISP = Display,
EXTNFC = External NFC,
INTNFC = Internal NFC,
NFCINTF = NFC Interface,
PBC = Push Button,
KPAD = Keypad.
“Locked” is displayed when the AP setup is locked.
“-M” to display the manufacturer from the IEEE OUI list

airodump-ng -i wlan0mon -W -M

[Screenshot 9: airodump-ng WPS enumeration on Kali Sana]

Wash also has a cool new feature to enumerate some more information from your router:

“wash” to run wash
“-i wlan0mon” to run on the interface of your wireless card
“-g” to pipe output and run reaver alongside wash to get the chipset
“-c 1” specifies the channel you wish to run on

wash -i wlan0mon -g -c 1

[Screenshot 10: wash enumeration on Kali Sana]

It’s handy for quickly checking whether the access point is locked out before trying reaver or the Pixie Dust attack.

That’s it for now. Attacking WPS has come a long way in a short period of time, and it’s only a matter of time until this is a simple procedure that works in a matter of seconds to minutes, once enough PIN generation algorithms are reversed and added, making this much simpler than WEP to crack. You remember how easy WEP was to crack, right? It’s like travelling back in time to 2005 all over again.

17 – Revisited – using Wash and Reaver to bypass long WPA2 passphrases and attack WPS to bypass TKIP encryption this time

Ok, someone contacted me recently and said this did not work for TKIP and they couldn’t get it working, so this post is to show that TKIP can also be bypassed, not just AES, when using ‘reaver’. Thanks for the feedback.

See here for the previous lesson on ‘reaver’ and ‘wash’ to bypass WPA2 AES encryption if you want to read more information on this attack.

You should note that this is not actually breaking the WPA2 AES/TKIP encryption algorithms; it is in fact undermining the inherent trust we have in Wi-Fi Protected Setup (WPS). WPS is there for convenience, so that people don’t need to enter long WPA keys, and for that convenience we have introduced a weakness into our current security model and infrastructure that can be broken, very easily.

Think of someone leaving a Raspberry Pi 2 like the one I am using, adding a battery to it and concealing it (or not) in a location near the access point they need to gain access to. The battery will last a lot longer than required for the assessment and also removes the risk that comes with the online attack; automate the whole process and you don’t need to do anything else to it. You can also do this for normal wireless assessments that don’t involve WPS.

Anyway, first configure your router as follows:
[Screenshot 1: router configuration]
Start monitor mode with airmon-ng. You don’t actually require your card to be in monitor mode for this assessment, but I like to check that the access point details are correct, so I do it out of habit.
[Screenshot 2: start airmon-ng]
Start airodump-ng to check your access point

airodump-ng mon0 --bssid 00:18:E7:XX:XX:XX -c 6

“airodump-ng” runs airodump-ng
“mon0” is the interface of the card
“--bssid” is for the MAC address of the access point
“-c 6” is to run on channel 6
[Screenshot 3: start airodump-ng and check your access point]
Output of airodump-ng below. Something else to note here is that no client is attached to the network we are recovering the WPS PIN from; you do not require any clients to be connected to the access point in order to carry out this attack, as you are strictly communicating with the access point.
[Screenshot 4: airodump-ng output]
Run wash

“wash” runs wash
“-i” is for the interface on which you want to capture packets, which is mon0
“-c” is for the channel to listen on, in this case 6

Explaining the output below:

BSSID is our target access point MAC address
Channel 6 is the channel of our access point
RSSI is the received signal strength indication (a minus is a good thing here 😉)
WPS Version which is 1.0
WPS Locked tells you if the access point has been locked, for example due to too many attempts
ESSID is the network name of the access point
[Screenshot 5: wash start check]
As before, just run “reaver” from the terminal for a full list of the switches available to you

“reaver” runs reaver
“-i” is to select the sniffing interface, in this case mon0
“-b” is followed by the target access point MAC address or BSSID
“-vv” is for very verbose output
“-w” is to mimic a Windows 7 registrar

reaver -i mon0 -b 00:18:E7:XX:XX:XX -vv -w

Excerpt from Stefan Viehböck’s paper; this explains how the WPS communication process works for design flaw #1:
[Screenshots 6.1 to 6.4: excerpt from the paper explaining the process]
You only require seven numbers, as the last is a checksum and a ‘zero’. Once the first four numbers are authenticated you then only require a further three numbers in order to get the correct PIN. This in effect makes the cracking process quite trivial to carry out with very little resources.

Design flaw #2:

The brute-force attack then allows you to determine the PIN with a live attack over the air, as a received ‘EAP-NACK’ tells you whether the PIN is correct or not in only 11,000 attempts. The ‘EAP-NACK’ helps you to determine whether the first or second part of the PIN is correct: when you receive an ‘EAP-NACK’ after M4 or M6 that part is incorrect and therefore unauthenticated.
[Screenshot 6.4.1: explaining the process, version 2]
So when you look at the output from reaver below you may see it differently now:
[Screenshot 6: start reaver]
I left it to run for the night again.
[Screenshot 7: reaver finished, TKIP]
The total time was 2 hours 01 minute, or ‘7250 seconds’, as you can see above; we can also see the PIN, PSK and AP SSID above, which is the sign of success!

Lesson learned:

The reaver WPS attack may not work against all access points and you may run into issues. I tried this on my Netgear too and it timed out on me after a certain number of attempts; this needs to be researched further, but you just need to play around with the PIN attempts per second and some other options to get it to work. It’s also good to note that reaver saves your previous attempts, so you can even break the PIN over a few days if you need to space out your assessment for any reason. It’s not a good idea to have a ‘burned in’ eight digit PIN as an access method to any system, especially when it is an easier way into the system than a big long passphrase: it allows you to bypass WPA/2 encryption in a fraction of the time compared to trying to crack the passphrase after capturing the four-way handshake, and even then you need either a good word-list or a cloud service to try and crack the unknown faster than you would otherwise.

16 – WEP Fragmentation attack – NO Clients

Configure your access point as it was in the previous lesson, and refer to that lesson for more information on this attack vector, as it is explained in a bit more detail there. The reason for this lesson is to show you that the attack also works with no clients attached to the access point.

First things first, put your card into monitor mode
[Screenshot 1: enable monitor mode]
Start airodump-ng

airodump-ng mon0 -c 6 --bssid 2C:B0:5D:XX:XX:XX -w frag

“airodump-ng” to start airodump-ng
“mon0” is to set the interface of your wireless card
“-c” is to set your channel which is currently set to 1
“--bssid” is to set the MAC address of the access point
“-w” is to write this to a capture file called frag
[Screenshot 2: starting airodump-ng]
The output of airodump-ng currently looks like the following, with no data packets being sent or received on the network
[Screenshot 3: airodump-ng output]
Next run aireplay-ng to do a fake authentication with the access point using your actual physical card MAC address

aireplay-ng -1 0 -e test -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-1” is for a fake authentication
“0” is for the re-association timing in seconds and may need to be adjusted
“-e” is the SSID of the access point, which is test
“-a” is followed by the MAC address of the access point
“-h” is the physical MAC address of your card
“mon0” is the interface of the wireless card
[Screenshot 4: fake authentication with the access point]
The output of airodump-ng now looks like the following, with our card associated with the access point using the fake authentication
[Screenshot 5: airodump-ng output after fake authentication]
Run the fragmentation attack

aireplay-ng -5 -e test -b 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-5” specifies that you want to run the fragmentation attack
“-e” is to specify the SSID of the access point, which is test
“-b” is to set the MAC address of the access point
“-h” is your physical wireless card MAC address
“mon0” is the interface of your wireless card
[Screenshot 6: fragmentation attack, no clients]
Successful output from the fragmentation attack looks like the above: we have obtained the keystream, which is saved in the xor file and which we can now use to create an arbitrary packet with packetforge-ng next.

packetforge-ng -0 -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX -k 255.255.255.255 -l 255.255.255.255 -y replay_dec.xor -w arp-request

“packetforge-ng” to start packetforge-ng
“-0” is to forge an arp packet
“-a” is for specifying the access point MAC address
“-h” is to specify your wireless card MAC address
“-k” is for setting the destination IP and/or port, in this case the broadcast address 255.255.255.255
“-l” (a lower case ‘L’, to save confusion) is for setting the source IP and/or port, which is once again the broadcast address 255.255.255.255
“-y” is to use the xor file obtained from the fragmentation attack to forge the packet
“-w” is to write the forged packet to a file, which is called arp-request
[Screenshot 7: packetforge-ng arp request]
A quick look at airodump-ng before we start, to see the data packets and make sure we are still associated with the access point; if you are not, just run the fake authentication again before you continue.
[Screenshot 8: airodump-ng output]
Once you have your packet forged from the previous step you can inject it into the access point using the following aireplay-ng parameters

“aireplay-ng” will start aireplay-ng
“-2” is to run an interactive packet replay
“-r” is to select the file from which to extract packets, which is arp-request here
“mon0” is the interface of your card to run this from
[Screenshot 9: aireplay-ng arp packet injection]
Wait a few minutes to generate enough packets before running aircrack-ng, as I noticed, on the Raspberry Pi 2 at least, that this seems to freeze the injection process, which means restarting the process over again. After a few minutes you should see the data count has risen greatly; the more data packets seen here the better for the cracking process.
[Screenshot 10: airodump-ng output, data packets growing hugely]
Start aircrack-ng against the airodump-ng capture using the following

“aircrack-ng” starts aircrack-ng
“frag-01.cap” is the name of the capture file in which to run aircrack-ng against

As you can see we have obtained a huge number of IVs, so this should be quick and easy
[Screenshot 11: start aircrack-ng]
Aircrack-ng success looks like the following
[Screenshot 12: aircrack-ng success, no clients]
Lesson learned:

I really find I am repeating myself now when it comes to WEP encryption, and you can probably already hear me saying it: don’t use WEP! If you know somebody using it, help them out and teach them how to secure their network. Much like the Chopchop attack carried out in the previous lesson, this attack greatly increases the speed at which you can obtain and crack the WEP key by increasing the volume of data packets on the network: our arbitrary arp packets, forged with packetforge-ng, are injected into the access point in order to obtain more IVs and speed up the cracking process. Even when no clients are connected to the access point this attack can still be carried out and the WEP key obtained; you would not notice anything suspicious on any of your wireless clients, as you most likely will not know this was even carried out.

15 – WEP Fragmentation attack

Similar to the Chopchop attack carried out in the previous lesson, the fragmentation attack greatly speeds up the cracking process by injecting arbitrary packets into the wireless access point, generated with packetforge-ng after obtaining the xor file from the fragmentation attack.

There is a great write-up by Andrea Bittau which explains this attack in a lot more detail than I am going to here, and you should give it a read as it is very informative.

Once again, like Chopchop, the pseudo-random sequence produced by RC4, referred to as the PRGA, is required to carry out this attack successfully. Aireplay-ng will automatically extract the 8 byte keystream and use it to inject our arbitrary forged packets into the access point’s network.

This is also a great attack to run if there are no clients currently connected to the access point 🙂

Let’s get to it and have a closer look, so first configure your router as follows
[Screenshot 1: configure router]
Put your card into monitor mode
[Screenshot 2: configure monitor mode]
Start airodump-ng

airodump-ng mon0 -c 6 --bssid 2C:B0:5D:XX:XX:XX -w frag

“airodump-ng” to start airodump-ng
“mon0” is to set the interface of your wireless card
“-c” is to set your channel which is currently set to 1
“--bssid” is to set the MAC address of the access point
“-w” is to write this to a capture file called frag
[Screenshot 3: airodump-ng start]
Next run aireplay-ng to do a fake authentication with the access point using your actual physical card MAC address

aireplay-ng -1 0 -e test -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-1” is for a fake authentication
“0” is for the re-association timing in seconds and may need to be adjusted
“-e” is the SSID of the access point, which is test
“-a” is followed by the MAC address of the access point
“-h” is the physical MAC address of your card
“mon0” is the interface of the wireless card
[Screenshot 4.1: fake authentication with the access point]
The output of airodump-ng currently looks like the following, with no data packets being sent or received on the network and our wireless card associated using a fake authentication as seen above
[Screenshot 4: airodump-ng output]
Run the fragmentation attack

aireplay-ng -5 -e test -b 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-5” specifies that you want to run the fragmentation attack
“-e” is to specify the SSID of the access point, which is test
“-b” is to set the MAC address of the access point
“-h” is your physical wireless card MAC address
“mon0” is the interface of your wireless card
[Screenshot 5: fragmentation attack start]
Successful output from the fragmentation attack looks like the following: we have obtained the keystream, which is saved in the xor file and which we can now use to create an arbitrary packet using packetforge-ng
[Screenshot 6: fragmentation attack processed]
Now you can use packetforge-ng to craft a packet of your choosing, which is an arp packet in this case, like in the Chopchop attack

packetforge-ng -0 -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX -k 255.255.255.255 -l 255.255.255.255 -y replay_dec.xor -w arp-request

“packetforge-ng” to start packetforge-ng
“-0” is to forge an arp packet
“-a” is for specifying the access point MAC address
“-h” is to specify your wireless card MAC address
“-k” is for setting the destination IP and/or port, in this case the broadcast address 255.255.255.255
“-l” (a lower case ‘L’, to save confusion) is for setting the source IP and/or port, which is once again the broadcast address 255.255.255.255
“-y” is to use the xor file obtained from the fragmentation attack to forge the packet
“-w” is to write the forged packet to a file, which is called arp-request
[Screenshot 7: create arp request with packetforge-ng]
Once you have your packet forged from the previous step you can inject it into the access point using the following aireplay-ng parameters

“aireplay-ng” will start aireplay-ng
“-2” is to run an interactive packet replay
“-r” is to select the file from which to extract packets, which is arp-request here
“mon0” is the interface of your card to run this from
[Screenshot 8: inject the forged arp-request]
Wait a few minutes to generate enough packets before running aircrack-ng, as I noticed, on the Raspberry Pi 2 at least, that this seems to freeze the injection process, which means restarting the process over again. After a few minutes you should see the data count has risen greatly; the more data packets seen here the better for the cracking process.
[Screenshot 9: airodump-ng output]
Start aircrack-ng against the airodump-ng capture using the following

“aircrack-ng” starts aircrack-ng
“frag-01.cap” is the name of the capture file in which to run aircrack-ng against

As you can see we have obtained a huge number of IVs, so this should be quick and easy
[Screenshot 10: aircrack-ng starting]
Aircrack-ng success looks like the following
[Screenshot 11: aircrack-ng success]
Lesson learned:

I really find I am repeating myself now when it comes to WEP encryption, and you can probably already hear me saying it: don’t use WEP! If you know somebody using it, help them out and teach them how to secure their network. Much like the Chopchop attack carried out in the previous lesson, this attack greatly increases the speed at which you can obtain and crack the WEP key by increasing the volume of data packets on the network: our arbitrary arp packets, forged with packetforge-ng, are injected into the access point in order to obtain more IVs and speed up the cracking process.

14 – WEP Koreks Chopchop Attack

It’s time to look at another WEP attack, this time Korek’s Chopchop, which sometimes will look like it’s working against an access point but will fail because the access point is not actually vulnerable, as it drops packets shorter than 60 bytes; however, if it drops packets shorter than 42 bytes, aireplay-ng will try to guess the rest of the missing data, as the headers are predictable. Because WEP uses a short 24-bit IV, IVs with the same key are reused (an IV being an initialization vector, or nonce).

This attack is a related-key attack because we can observe the operation of the cipher under several different parameters whose values are initially unknown; due to the theory behind Chopchop, however, there is a mathematical relationship connecting the keys.

WEP is famous for using the RC4 algorithm, a stream cipher and the cause of its downfall; as you may be aware, security advocates have been calling for RC4 to be removed from anything that uses it, such as SSL, as it is well and truly broken. Because of the birthday attack, or birthday paradox, it is likely that for every 4096 packets two will share the same IV and thus the same RC4 key, which means the packets can be attacked.

The aim of the Chopchop attack, like the fragmentation attack, is to obtain the PRGA (pseudo-random generation algorithm) keystream file. This cannot be used to decrypt packets, as it is not the WEP key; however, we can use it to create new packets with packetforge-ng for injection.

Let’s configure our access point like the following below
1 - Configure router
Put your card into monitor mode
2 - configure monitor mode
Start airodump-ng listening

“airodump-ng” to start airodump-ng
“mon0” for your card interface
“-c” for the channel of your access point, in this case 1
“--bssid” is followed by the MAC address of the access point
“-w” writes to a file called out
3 - start airodump-ng listening
Output looks like the following with one client attached
4 - airodump-ng output
Next run aireplay-ng to do a fake authentication with the access point using your actual physical card MAC address

aireplay-ng -1 0 -e test -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-1” is for a fake authentication
“0” is the re-association timing in seconds and may need to be adjusted
“-e” specifies the SSID of the access point, in this case ‘test’
“-a” is followed by the MAC address of the access point
“-h” is the physical MAC address of your card
“mon0” is the interface of the wireless card
5 - fake authentication with the access point
After the fake authentication, looking at the airodump-ng output again you will see you are now authenticated
7 - airodump-ng output after fake authentication
Now that we have authenticated we can run a Chopchop attack with the following parameters

aireplay-ng -4 -e test -b 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-4” specifies the Chopchop attack
“-e” specifies the SSID of the access point, in this case ‘test’
“-b” specifies the MAC address of the access point
“-h” is used to specify your physical wireless card MAC address
“mon0” is the interface of your wireless card
8 - aireplay-ng chopchop
Once the aireplay-ng Chopchop attack is running you will see the following output; answer ‘yes’ to accept a packet, or choose ‘no’ to wait for another packet if the size is too small.
9 - ChopChop processing
When Chopchop is finished you will see something similar to the following output; you have now obtained a capture file and a xor file from Chopchop processing the packet you selected.
10 - Chopchop finished
Now you can use packetforge-ng to craft a packet of your choosing, which is an ARP packet in this case

“packetforge-ng” to start packetforge-ng
“-0” is to forge an ARP packet
“-a” is for specifying the access point MAC address
“-h” is to specify your wireless card MAC address
“-k” sets the destination IP and/or port, in this case the broadcast address 255.255.255.255
“-l” (a lower case ‘L’, to save confusion) sets the source IP and/or port, which is once again the broadcast address 255.255.255.255
“-y” is to use the xor file obtained from the Chopchop attack to forge the packet
“-w” is to write the forged packet to a file, which is called arp-request
11 - packetforge arp-request
Once you have your packet forged from the previous step you can then inject it into the access point by issuing the following aireplay-ng parameters

“aireplay-ng” will start aireplay-ng
“-2” is to run an interactive packet replay
“-r” selects the file from which to extract packets, which is arp-request here
“mon0” is the interface of your card to run this from
12.0 - arp-request injection
Looking at the airodump-ng output now you will see the Data and frames increasing hugely once packets start getting injected, like below
13 - airodump-ng output
Next thing to do is run aircrack-ng, but something to note here is that on the Raspberry Pi 2 starting aircrack-ng while the Chopchop injection is still running seems to freeze the injection, so it’s best to let it run and capture for a few minutes and then run aircrack-ng like so

“aircrack-ng” to start aircrack-ng
“out-0*.cap” is the capture file or files to run aircrack-ng against; as I had some issues here with aircrack-ng freezing the injection process I have a few extra capture files below, and the asterisk allows you to open multiple files at the same time

Also take note of the amount of IVs obtained below, as this will make the cracking process much easier and faster to carry out
14 - Starting aircrack-ng
Success then looks like the following once aircrack-ng has cracked the key
15 - aircrack-ng success
Lesson learned:

Don’t use WEP, I really cannot stress it enough. If you have been following along with these lessons you will see it is often very trivial to obtain the WEP key, and there are many different attack vectors which can be carried out in order to obtain the key, therefore don’t use WEP, and if you know anyone who is using WEP show them how to secure themselves with a strong WPA passphrase in order to make it harder to compromise their home or business. The KoreK Chopchop attack is very interesting and is a good way to understand how WEP encryption works; it is worth carrying out this attack in your lab in order to understand WEP encryption better and why you should refrain from using it.


13 – Return of the WEP SKA

Lucky, or unlucky, number 13 as it may be if you are superstitious: it’s time to return to the good old WEP SKA, which had been tried in two previous lessons (here and here). This time I am using my Netgear router instead of the D-Link I had been using previously (both of which are recommended for the OSWP certification), gave it a shot again and, what do you know, I obtained the XOR. This means I am going to cover this properly now and get it working rather than working around it like I had previously. We will also look at the packets in Wireshark and see if there is anything different compared to the D-Link. Even though there are many different attacks, they will not work on every access point, so it’s always worth trying a different method and trying harder!

Configure your router as follows:
1 - Router Configuration SKA
Enable monitor mode on your card; I am using the number ‘1’ at the end in order to specify channel 1 while enabling monitor mode
2 - Enable monitor mode
Start airodump-ng in order to obtain the XOR

airodump-ng mon0 -c 1 --bssid 2C:B0:5D:XX:XX:XX -w SKA_OUT

“airodump-ng” runs airodump-ng
“mon0” is the interface of the card
“-c 1” is to run on channel 1
“--bssid” is for the MAC address of the access point
“-w” is the name of the file to write to, which is SKA_OUT in this case
3 - Run airodump-ng to obtain the XOR
Output of airodump-ng looks like the following
4 - airodump-ng output
Now we can see there is a client associated, so let’s de-authenticate it with aireplay-ng

aireplay-ng -0 1 -a 2C:B0:5D:XX:XX:XX -c F4:09:D8:XX:XX:XX mon0

“-0” – means deauthentication
“1” – is the number of deauths to send (feel free to increase this!)
“-a 2C:B0:5D:XX:XX:XX” – is the MAC address of the access point
“-c F4:09:D8:XX:XX:XX” – is the MAC address of the client you are deauthing
“mon0” – is the interface name

5 - aireplay-ng deauth
Now if we look at airodump-ng again we will see the following output up the top right, as we have successfully obtained the XOR; this can be seen up the top where it says 151 bytes keystream followed by the access point MAC address
6 - airodump-ng output XOR obtained
Running an ‘ls’ in our current working directory you will see there is a file that now ends with a .xor extension
7 - ls to check for the XOR
Looking through the capture file here though, even with a full keystream it seems there are some issues with injecting the XOR in order to authenticate with the access point. I mainly put this down to the de-authentication that is being used below, so I switched to a different method of de-authentication, seen in the next image
8 - XOR failed authentication with the access point
Restarting and running airodump-ng from the start again in order to obtain the capture file, then running aireplay-ng in order to de-authenticate with the following

aireplay-ng -1 6000 -o 1 -q 10 -e test -a 2C:B0:5D:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” starts aireplay-ng
“-1” is for fake authentication
“6000” means re-authenticate every 6000 seconds; the long period also causes keep-alive packets to be sent
“-o 1” means send only one packet at a time; the default is to send multiple, which can confuse some access points
“-q 10” means send a keep-alive packet every 10 seconds
“-e” is for specifying the SSID of the access point, e.g. test
“-a” is followed by the MAC address of the access point
“-h” is the source MAC address used for the authentication, here the client MAC address (F4:09:D8:XX:XX:XX) rather than your card’s own; you may need to spoof your card MAC to be that of the client
“mon0” is the interface of the wireless card

It should look like the following

9 - aireplay-ng alternative method
Looking at airodump-ng we have obtained 151 bytes of keystream, and checking the working directory there is also a XOR file located here
10 - airodump-ng output XOR obtained again
In order to properly test this out though, I stopped the previous instance of airodump-ng that was running and started a fresh one, while removing my connected client from the access point
11 - fresh airodump-ng instance
Now for the fake authentication with the access point

aireplay-ng -1 0 -e test -y SKA_OUT2-01-2C-B0-5D-XX-XX-XX.xor -a 2C:B0:5D:XX:XX:XX -h F4:09:D8:XX:XX:XX mon0

“aireplay-ng” is to start aireplay-ng
“-1” is for fake authentication
“0” is for setting the re-association timing in seconds
“-e” is the SSID of the access point, in this case test
“-y SKA_OUT2-01-2C-B0-5D-XX-XX-XX.xor” is the XOR keystream file obtained from the previous steps
“-a” is followed by the MAC address of the access point
“-h” is the source MAC address to authenticate with: the MAC address of the client you want to spoof, or a random MAC of your choice
“mon0” is the interface of your wireless card

12 - Shared Key Fake Authentication working
airodump-ng then looks like the following; as you can see the client MAC address is now associated with the access point
13 - airodump-ng output success
Now to analyse the captured keystream with Wireshark to see what went on, using the following filters

(wlan_mgt.fixed.auth.alg == 1) || (wlan_mgt.fixed.listen_ival == 0x000a) || (wlan_mgt.fixed.aid == 0x0001) || (wlan.fc == 0xb040)

“||” stands for OR
“wlan_mgt.fixed.auth.alg == 1” will filter all the Authentication packets
“wlan_mgt.fixed.listen_ival == 0x000a” will filter all the Association request packets
“wlan_mgt.fixed.aid == 0x0001” will filter all the Association response packets
“wlan.fc == 0xb040” will filter all the data packets

Starting up Wireshark against the capture file from airodump-ng

14 - starting wireshark with the capture file
Using the filter above in Wireshark to get rid of the noise and focus more easily on the packets we want to look at
15 - wireshark packets to check
Packet 1: Authentication request sent by the client to the access point

16 - packet 1 authentication request
Packet 2: Challenge text is sent from the access point

16 - packet 2 challenge text sent
Packet 3: Client sends the encrypted challenge response to the access point

17 - packet 3 encrypted challenge sent
Packet 4: Authentication is successful in the fourth packet

18 - packet 4 success message
Now if you look closely you will also see an association request and association response follow close behind these packets, as seen below
Packet 5: Association Request

19 - association request follows
Packet 6: Association Response

20 - association response follows
Now I also captured a XOR keystream injection when using it to do a fake authentication, analysed the packet capture and noticed one difference compared to the first packet seen above.
21 - XOR injection packet 1

The vendor specific information is removed but everything else looks and works as you would expect.

Lesson learned:

As per the previous Shared Key Authentication attempts, in which failure was witnessed, with some perseverance an attacker can obtain a keystream either by de-authenticating a client on your network or by being passive and waiting for a client to connect manually, obtaining a keystream without any active attack being carried out. They can then authenticate to the access point when the client is no longer on the network, or spoof another MAC address and authenticate with the network that way. The problem for the attacker here is that this may set off an alarm somewhere that something is wrong and a new MAC that is not authorised has authenticated with the network. As with every other lesson learned on WEP though, just don’t use it and leave well alone.
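
The alarm mentioned above is something a defender can actually build. The following added example (my code, not the original post’s) shows two detections that cover this lesson’s activity: a burst of deauthentication frames aimed at one client, and an authentication or association from a station MAC that is not on an approved list. The management-frame events and the MAC addresses are constructed placeholders for the example; a real feed would be a wireless IDS export or a monitor-mode capture converted to records.

```python
# Added example, not code from the original post: two detections a wireless
# IDS could raise on the activity in this lesson. All MACs and events below
# are constructed for the example.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class MgmtEvent:
    ts: float      # seconds since capture start
    subtype: str   # "deauth", "auth" or "assoc"
    src: str       # transmitter address
    dst: str       # receiver address
    bssid: str     # access point


# Constructed placeholders (not the addresses from the post).
AP = "2C:B0:5D:00:00:AA"
CLIENT = "F4:09:D8:00:00:01"     # the legitimate, approved station
UNKNOWN = "00:C0:CA:00:00:02"    # a station nobody provisioned
APPROVED_STATIONS = {CLIENT}

SAMPLE_EVENTS: List[MgmtEvent] = (
    [MgmtEvent(0.0, "assoc", CLIENT, AP, AP)]
    # eight deauthentication frames at the client inside 1.4 seconds
    + [MgmtEvent(10.0 + 0.2 * i, "deauth", AP, CLIENT, AP) for i in range(8)]
    + [MgmtEvent(12.0, "auth", CLIENT, AP, AP)]       # the real client reconnects
    + [MgmtEvent(30.0, "auth", UNKNOWN, AP, AP),       # an unprovisioned MAC joins
       MgmtEvent(30.5, "assoc", UNKNOWN, AP, AP)]
)


def detect_deauth_bursts(events: Iterable[MgmtEvent], window_s: float = 5.0,
                         threshold: int = 5) -> List[Dict]:
    """Flag each (bssid, client) pair that receives `threshold` or more
    deauthentication frames inside any `window_s`-second sliding window.
    A single deauth is normal housekeeping; a burst is the signature of a
    forced disconnect used to provoke a fresh authentication."""
    per_target: Dict[tuple, List[float]] = defaultdict(list)
    for ev in events:
        if ev.subtype == "deauth":
            per_target[(ev.bssid, ev.dst.upper())].append(ev.ts)
    alerts = []
    for (bssid, client), stamps in per_target.items():
        stamps.sort()
        start, worst = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts.append({"type": "deauth_burst", "bssid": bssid,
                           "client": client, "frames_in_window": worst})
    return alerts


def detect_unknown_stations(events: Iterable[MgmtEvent],
                            approved: Iterable[str]) -> List[Dict]:
    """Flag the first authentication or association from any station MAC
    that is not on the approved list. An attacker who reuses an approved
    client's MAC passes this check, which is why the burst detector above
    is the stronger of the two signals."""
    approved_set = {mac.upper() for mac in approved}
    reported, alerts = set(), []
    for ev in events:
        mac = ev.src.upper()
        if ev.subtype in ("auth", "assoc") and mac not in approved_set and mac not in reported:
            reported.add(mac)
            alerts.append({"type": "unknown_station", "bssid": ev.bssid,
                           "station": mac, "ts": ev.ts})
    return alerts


if __name__ == "__main__":
    for alert in (detect_deauth_bursts(SAMPLE_EVENTS)
                  + detect_unknown_stations(SAMPLE_EVENTS, APPROVED_STATIONS)):
        print(alert)
```

On the constructed sample the first detector reports one burst of 8 frames at the client and the second reports the unprovisioned MAC; the legitimate client’s reconnect at 12 seconds raises nothing, which is the behaviour you want after a real disconnect.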

 

 

12 – Using Wash and Reaver to bypass those long WPA/WPA2 passphrases and attack WPS to get around AES encryption

After the last lesson we learned that even on a Raspberry Pi 2 it is possible to crack WPA/WPA2 passphrases with ease, and even more so when we precomputed a PMK file, but this requires a lot of storage for the PMK hash file and a long time, at least on a RPi 2, so let’s try and speed this up even more using another attack, this time against Wi-Fi Protected Setup (WPS).

WPS is a different standard created by the Wi-Fi Alliance and introduced back in 2007; the goal of the protocol was to allow home users who do not understand how to use wireless security like Wi-Fi Protected Access (WPA), and may feel intimidated by its configuration options, to easily connect devices to an existing network without the need to enter a long passphrase.

Two independent researchers discovered this attack back in 2011 around the same time, Stefan Viehböck and Craig Heffner, who released wash and reaver, making it a trivial task to obtain the PIN over the air without physical access to the access point. Stefan has a great PDF explaining this attack which is worth the read.

Put simply, reaver performs a brute force attack against the access point and attempts every possible combination in order to guess the access point’s 8-digit PIN.

Even better, as these are only numeric values there are a total of 10^8 or 100,000,000 possible values for any given PIN. BUT better than that is the fact that you only actually need to know half the PIN at a time: there are 10^4 or 10,000 possible values for the first half, and the access point will let you know when you have obtained the first four digits of the PIN, so the actual number of permutations you need to try is 11,000 and not 100,000,000. Wait though, you said 11,000, where did the extra 1,000 come from, you ask? Well, for the last four digits of the second part of the PIN you only need to calculate 10^3 or 1,000, as the last digit is actually a checksum, which as you can imagine makes it even easier to crack than what you had been thinking a second ago 🙂

There was even a newer faster offline method released last year in 2014 by Dominique Bongard called the “Pixie Dust Attack”.

For now though let’s focus on wash and reaver, so enable WPS on your access point like I have below
1 - D-Link WPS Configuration
Now to check the access point has WPS enabled before proceeding with reaver, run wash first; to see what options are available to you just type “wash” and run it for a list of switches
2 - wash switches
Now that we see what it can do let’s run it with some of those switches; make sure you have monitor mode enabled prior to proceeding, as outlined in this previous lesson.

wash -c 6 -i mon0

“wash” runs wash
“-c” is for the channel to listen on, in this case 6
“-i” is for the interface on which you want to capture packets
3 - running wash
Explaining the output above

BSSID is our target access point MAC address
Channel 6 is the channel of our access point
RSSI is the Received Signal Strength Indication (a minus is a good thing here 😉)
WPS Version, which is 1.0
WPS Locked tells you if the access point has been locked due to too many attempts, for example
ESSID is the network name of the access point

Now to run reaver against the access point
4 - running reaver
As before just run “reaver” from the terminal for a full list of switches available to you

“reaver” runs reaver
“-i” is to select the sniffing interface in this case mon0
“-b” is followed by the target access point MAC address or BSSID
“-vv” is for very verbose output

reaver will just look like this for the next while, but just leave it running and come back and check on it in an hour or so to see how it is getting on; no point staring at the screen until you get the PIN!
5 - reaver left running
After leaving reaver running overnight I was greeted with the screen below this morning
6 - reaver found pin and AES passphrase
As you can see above, in 12,340 seconds or 3 hours 40 minutes we obtained the PIN and passphrase for the WPA/WPA2 “AES” network that we had configured; take a minute and let that sink in, as we have obtained the passphrase for an “AES” network.

Lesson learned:

Disable Wi-Fi Protected Setup (WPS), as an attacker can leverage this technology in order to bypass your WPA/WPA2 configuration, including “AES”, without needing to know the passphrase, and also obtain it in the process; all it takes is four numeric values to take you down, and that is a lot easier for an attacker to compute compared to a long and complicated password. With the option of turning this into an off-line attack this becomes even more dangerous. Also it is worth trying this against your own router if it has WPS, as on some routers WPS actually remains active even if you disable the option! If you have one of those routers you should really replace it with one that does allow you to disable this technology, or better yet one that does not contain this technology to begin with. There may also be a firmware upgrade for your router, so check the manufacturer’s website and upgrade, as it may save you having to purchase a new router.


11 – Using coWPAtty and genpmk to speed up the WPA/WPA2 cracking process

Many tools exist in order to speed up the cracking process and in this lesson we are going to look at Cowpatty or “coWPAtty” created by a security researcher called Joshua Wright along with another tool called genpmk also created by Joshua.

First the Pre-Shared Key (PSK) or Pairwise Master Key (PMK)

Calculating the Pre-Shared Key using the CPU can be a very time consuming task; you can also use a GPU, but for now we are working off the CPU on the Raspberry Pi. The Pre-Shared Key is derived from the WPA/WPA2 passphrase, in this lesson “password12345”, along with the SSID, which is “test”. The combination of the passphrase and the SSID is passed through the “Password Based Key Derivation Function” or PBKDF, which then outputs a 256-bit Pre-Shared Key (PSK). After this, the cracking involves using the 256-bit PSK with the four-way handshake and verifying it against the Message Integrity Code, also known as the MIC or referred to as “Michael”, which is there to protect against forgery attacks. These parameters vary in the handshake every time, therefore this step cannot be precomputed.

The PBKDF is a SHA-1 based function documented under RFC 2898

DK = PBKDF2(HMAC-SHA-1, passphrase, SSID, 4096, 256)

DK is your derived key
PBKDF2 is your password based key derivation function
HMAC-SHA-1 is the default pseudorandom function
passphrase is, you guessed it, your passphrase
SSID is of course your network Service Set Identifier, or network name of the access point, used here as the salt
4096 is the number of times the combination is hashed in succession (the iteration count)
256 is the intended length in bits of the final derived key

The four-way handshake

The four-way handshake is used in order to derive the Pairwise Transient Key (PTK), think of this as temporary encryption used to encrypt the data and confirm the identity of any wireless clients trying to connect to the access point. The handshake also contains the Group Temporal Key (GTK) which is used to decrypt multicast and broadcast traffic.

The PTK is generated by concatenating together the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. This is then put through a pseudorandom function.

PTK is the Pairwise Transient Key which is 64 bytes
PMK is the Pairwise Master Key aka the Pre-Shared key or PSK

1 – AP nonce (ANonce) is an arbitrary number or value sent to the STA or client station used only once in the first packet from the Access Point
2 – STA nonce (SNonce) is an arbitrary number or value sent from the client to the access point with a message integrity code (MIC) along with authentication which makes it a message authentication integrity code or MAIC
3 – The access point then sends the Group Temporal Key (GTK) including a sequence number along with another MIC to the client station
4 – The client station sends an acknowledgment confirming to the access point that everything is ok.
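
Here is the derivation just described carried through in code, as an added example (my code, not the post’s, and not cowpatty’s or genpmk’s). PBKDF2 is written out per RFC 2898 so the 4096 HMAC-SHA-1 rounds over passphrase and SSID are visible, with hashlib.pbkdf2_hmac kept alongside as a cross-check; the PTK step follows the IEEE 802.11i PRF-512 expansion over the PMK, the two MAC addresses and the two nonces. The passphrase and SSID are this lesson’s values; the MAC addresses and nonces are constructed placeholders. Running it shows the two points the text makes: the PMK is fixed per passphrase and SSID (so a genpmk table is SSID-specific), while the PTK changes with every handshake’s nonces and cannot be tabulated.

```python
# Added example, not code from the original post or from cowpatty/genpmk:
# PMK derivation (RFC 2898 PBKDF2-HMAC-SHA-1) and PTK expansion (IEEE 802.11i
# PRF-512) written out in full. MACs and nonces below are constructed.
import hashlib
import hmac
import os


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """RFC 2898 PBKDF2 with HMAC-SHA-1 as the PRF. Each 20-byte block is
    T_i = U_1 xor U_2 xor ... xor U_c with U_1 = HMAC(P, S || INT(i)) and
    U_j = HMAC(P, U_{j-1}); blocks are concatenated and cut to dk_len."""
    derived = b""
    block_index = 1
    while len(derived) < dk_len:
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            for k in range(len(t)):
                t[k] ^= u[k]
        derived += bytes(t)
        block_index += 1
    return derived[:dk_len]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the 256-bit PSK): DK = PBKDF2(HMAC-SHA-1, passphrase, SSID, 4096, 256).
    The SSID is the salt, so a precomputed table is only valid for one SSID."""
    return pbkdf2_hmac_sha1(passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def reference_pmk(passphrase: str, ssid: str) -> bytes:
    """Same derivation through the standard library, kept as a cross-check."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA-1(key, label || 0x00 || data || i) for
    i = 0..3, concatenated and truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The nonces are fresh every handshake, which is why this step cannot be
    precomputed the way the PMK can. Returns the 64-byte PTK and its parts."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {
        "ptk": ptk,
        "kck": ptk[0:16],   # Key Confirmation Key: keys the handshake MIC
        "kek": ptk[16:32],  # Key Encryption Key: wraps the GTK in message 3
        "tk": ptk[32:48],   # Temporal Key for CCMP (TKIP uses 32 bytes here)
    }


if __name__ == "__main__":
    pmk = derive_pmk("password12345", "test")   # this lesson's passphrase and SSID
    print("PMK :", pmk.hex())
    # Constructed placeholder MACs and random nonces; a real capture supplies these.
    ap_mac = bytes.fromhex("2cb05d000000")
    sta_mac = bytes.fromhex("f409d8000000")
    for attempt in range(2):
        keys = derive_ptk(pmk, ap_mac, sta_mac, os.urandom(32), os.urandom(32))
        print(f"PTK (handshake {attempt + 1}):", keys["ptk"].hex()[:32], "... differs each run")
```

The min/max ordering in `derive_ptk` is what lets both sides compute the same PTK regardless of who is the authenticator: swapping the two MACs and the two nonces yields an identical key, while changing a single nonce byte changes all 64 bytes.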

This can be seen in the diagram below:
Four-Way handshake WPA_WPA2
Now that we have gone through a little bit of background information on this, it is time to run Cowpatty by simply typing “cowpatty” in the terminal to see a list of filters which you can use
1 - Cowpatty from terminal
Cowpatty requires the following in order to run successfully

1 – A word list

2 – A file in which the password hash has been captured

3 – The SSID of the target access point

Referring to the previous lesson on cracking a WPA2 network, you will need the capture file in which the four-way handshake was obtained in order to proceed; if you don’t have it just follow that lesson and then come back when you have it and continue on from here.

If you look in the /usr/share/wordlists directory you will see a lot of different word lists to choose from already stored in Kali
2 - locate password file kali
I copied this to my current working directory for this cowpatty lesson, which is /root/WPA_cowpatty
3 - gunzip password list
Using gunzip to extract the compressed word list, you can see we now have a txt file to work with
4 - Checking the wordlist size
To check the size of the file above I am using stat, which on its own will give you the size in bytes, but piping this into awk we then focus on the “Size:” field and print it out converted into MB, so in this case we see 133.44 MB worth of a word list to play with.
5 - cowpatty PMK creation
Just so this is not a waste of time, it’s probably a good time to verify the password is actually contained within the word list by using grep

“grep” to use grep
“password12345” this is the search query and the password used for the WPA2 cracking lesson earlier
“rockyou.txt” is the name of the file in which to search
4.1 - Checking the password is in the word list
Now in order to create a precomputed PMK file in order to speed up the cracking on the SSID being assessed you can run cowpatty with the following filters

“cowpatty” to start cowpatty
“-f” to specify the location of your word list, which is the current working directory in my case
“-r” to specify the pcap file in which the handshake has been obtained, in this case in the current working directory
“-s” in order to specify the SSID of the access point, which is test
6 - cowpatty working
Once working you will see output like the above in the terminal, and as suggested you need to be patient here, especially if doing this on the Raspberry Pi 2 like I am!

It didn’t take that long to find the password. As you can see below, cowpatty generated a hash for every password in the word list and, using the SSID as a seed, compared it to the captured hash; once the correct hash was matched it is displayed on the screen along with the number of passphrases tested and the amount of time it took, which was 12 minutes 34 seconds and much quicker than running without cowpatty.
7 - cowpatty retrieved password
Now that we have used cowpatty to calculate the hash of the password in 12 minutes 24 seconds it would be nice to crack the password even faster by generating a hash for future use on the same SSID, so let’s do that with genpmk!

Running genpmk will show you a list of switches you can use:
8 - genpmk switches
“genpmk” starts genpmk
“-f” is the option for selecting your password word list
“-d” is the option for the file you create for your precomputed hash file
“-s” is the option for the SSID you are creating the precomputed hashes for
9 - genpmk generation
Something noteworthy to add here is that this takes ages on the Raspberry Pi 2, and that is why I will be covering password cracking using “The cloud” in a future lesson, and yes I did use that phrase “The cloud”.

Now after leaving this running all night it is still running and has created a huge file which is going to topple my Pi soon, so I am going to kill it off, but an example of what it looks like now is below:
10 - genpmk still running
Size generated so far
11 - Size of generated word list
Time taken to generate the word list so far, which was 13 hours 37 minutes (13.37), which is actually a really random time to stop at hahaha.
12 - genpmk time to generate file
Now as the file created was guaranteed to have “password12345” in it, since the initial run of cowpatty cracked it at key no. 15,000 and the generated hash list using genpmk was at key no. 979,000 when I stopped it, I decided to run it and see how quickly this would crack the password to get an answer before I move on here.

“cowpatty” to run cowpatty
“-d” for the hash file you are using
“-r” is the pcap file in which your four-way handshake was captured
“-s” is followed by the SSID of the access point that you obtained the four-way handshake from
13 - cowpatty with hash file
As you can see above, 15,123 passphrases were tested in 1.11 seconds, which means that instead of the 20.44 passphrases a second as had previously been the case we are now cycling through 13651.49 passphrases a second, a significant jump on the Raspberry Pi 2 for cracking passwords.

Now just so that we could have some comparison with the rockyou password list, I decided to end this by running the list through aircrack-ng to see the time saving we gained and put this into perspective
14 - testing rockyou against aircrack-ng only
15,146 keys were cycled through at a speed of 320.18 keys per second in 3 minutes 2 seconds, which is much slower than using genpmk as you saw a moment ago.
15 - aircrack key found rockyou
Lesson learned:

WPA/WPA2 cracking can be sped up a great deal by using coWPAtty and genpmk, which means we can then compute the password a lot quicker than just using aircrack-ng to do so. It’s worth checking your access point passphrase against a list like this, or better yet making up an extremely long random passphrase not in a dictionary, but even with something like that, with enough computational power anything is possible. It just really means you make an attack like this more costly for your attacker to carry out.


10 – WEP – Open Authentication – ARP Replay

OK, we have covered a lot of WEP but there is still a lot that has not been covered and from time to time I will dive back into the land of WEP and have a look at a different attack in order to keep things interesting but also just try a different attack vector.

As the title suggests we are going to run an ARP replay, which will involve capturing ARP packets in the air and using aireplay-ng to inject them back into the network in order to provoke ARP responses. This attack is very fast as a lot of data is generated during this time and a lot of IVs are obtained, which helps in speeding up the cracking process. ARP packets have a fixed header in the protocol and because of this the ARP packet can easily be identified from all other packets even when traffic is encrypted.

Like we did every other time, and as you are well used to by now, we need to configure the access point to the following configuration in order to run this attack:
1 - Configure access point
Put your card into monitor mode
2 - Enable monitor mode
Start airodump-ng with your filters set to that of your access point, writing to a file for cracking in a minute

“--bssid” for setting your access point MAC address
“-c” for your channel, in this case 6
“-w” for writing to a file called WEP_ARP
“mon0” is the interface of our wireless card
3 - airodump-ng filters
Output in airodump-ng then looks like the following; notice how the data is low at this point
4 - airodump-ng output start
In a separate terminal we need to set our aireplay-ng filters

“-3” is the option for ARP replay
“-b” is for the access point MAC address
“-h” is the client MAC address we are spoofing (or not spoofing, as the case may be, as it works either way)
“mon0” is the interface of the wireless card
5 - aireplay-ng filters set
Once it is running it looks like the following
6 - aireplay-ng arp replay running
Looking at the output in airodump-ng now you should see the data and frames have risen a great deal
7 - airodump-ng data growing
You can safely start up aircrack-ng now and try to crack the key
8 - starting aircrack-ng
Success looks like the following; notice how the time taken was 00:00:01 due to the amount of IVs captured from the ARP replay.
9 - aircrack-ng success
Lesson learned:

Don’t use WEP, don’t even think about using WEP, as it can be easily defeated and is just not worth the hassle of a breach. Aireplay-ng can be used to speed up the cracking process by replaying ARP packets into the network, which then causes the network to reply with ARP packets and greatly increases the number of data packets that can be captured over the air. It is then a trivial process for aircrack-ng to exploit the cryptographic weakness in these data packets and easily crack the key.