Thursday, July 3, 2014

BackTrack - Advanced Penetration Testing Tools for I.T Pro

     
As an I.T enthusiast, whether you call yourself a geek, a techie or just an I.T person, you must understand the threats that lie ahead for your computer and your network, especially if you are a PC/network administrator tasked with managing and securing the premises. Local and remote threats must be mitigated for the sake of overall productivity. As Lao Tzu said, "In order for you to know your enemy, you must become your enemy." In other words, we must know our enemy's footprints and moves in order to know how to secure our PC and network. The right knowledge and the right tools must be at hand to aid us in mitigating security threats. Although there are many tools, you can start without paying much and still have a great penetration testing toolkit. One powerful tool is BackTrack, a free penetration testing distribution built on the Linux kernel. In this post I will show you how to perform a penetration test against Wi-Fi, as this technology is susceptible to many kinds of attacks. So let's move on.


Disclaimer: This topic is for educational purposes only. I do not encourage you to use this knowledge to harass others or to gain an advantage over them. Be aware that some countries have laws pertaining to cyber attacks; this material is used by penetration testers who have consent to perform it, for the sake of knowing the weaknesses of a PC/network system. As they said in the movie Spider-Man, "Great power comes with great responsibility", so you are responsible for your actions. Only do this in your own lab, whether at school, at home or at work.

Tools Needed :

-- A PC or laptop with at least 4 GB of memory and a dual-core CPU or better.
-- A CPU that supports virtualization technology.
-- Any virtual machine platform: VirtualBox, VMware or Virtual PC. I prefer VirtualBox by Oracle because it is free.
-- BackTrack 5 Release 3 or Kali Linux (the updated successor to BackTrack).
-- A WiFi USB adapter capable of injecting packets. I used a D-Link DWA-125, but other penetration testers use the ALFA AWUS036H, a long-range USB WiFi adapter made by Alfa Network. If you have an adapter other than these, I'll show you how to test whether it is capable of injecting packets into the wireless medium.

Required Knowledge :

-- You must know how to install a virtual machine on your PC.
-- Some basic Linux networking commands; I'll show the commands that are most commonly used.
-- You must know how to boot an ISO image in your virtual machine platform, because we're going to use the BackTrack ISO in our virtual machine.

If you have no idea about these topics, don't worry: in my next post I'll give step-by-step tutorials on those prerequisites. For the sake of this post, let's continue. Just bookmark this page or hit Ctrl+D.


So let's begin. Fire up your virtual machine and start BackTrack or Kali Linux.


Now plug your USB wireless (WiFi) adapter into any unused USB port on your PC. If this is the first time you plug it in, you must install the required driver. The image below shows my adapter detected by my host PC.



After the WiFi USB adapter is installed, switch to your virtual machine (I'm using VirtualBox). Click the Devices menu, then USB Devices, and select the Ralink 11n adapter. If the adapter does not appear, there may be a problem with the installation of your USB adapter; check that the driver is properly installed on your host PC. If the adapter appears, just select it.



Verify that the USB WiFi adapter is detected by the virtual machine. In BackTrack, open a terminal to check whether the USB WiFi adapter is detected, as in the image below.


In the terminal type ifconfig and press Enter. This will display all the network interfaces present in your virtual machine, including your USB WiFi adapter if it is detected; see the image below. You will see wlan0, which represents your USB WiFi adapter. You must also see that it is in the UP state; if you don't, issue the command ifconfig wlan0 up to bring the adapter up, then verify again by typing ifconfig.




Now that your adapter is running, it's time to begin our penetration test. Although there are many tests we may perform against the WiFi running in our lab, let's first conduct a log-in credentials test. This test can actually capture the password of the WiFi, to demonstrate that WiFi has inherent insecurities. After the test I will present possible solutions to mitigate this threat. Note that this test applies only to small to medium SOHO (Small Office Home Office) routers that do not use the 802.1X server authentication method offered by high-end enterprise routers. Reminder: never do this against someone else's WiFi. Set up your own lab and do it the right way. In this topic I used a virtual machine running BackTrack to simulate the attacker, and I also set up a separate WiFi router as the victim, so that we can see real-world wireless penetration testing and work out solutions to protect ourselves from this threat.

Here We Go !!

In the terminal type

airmon-ng start wlan0

This puts our USB wireless adapter into monitor mode, which is a prerequisite for the adapter to capture packets from the WiFi medium.


After setting monitor mode, let's verify that we have a new network interface, mon0 (pronounced "mon-zero"), by typing ifconfig. You will see this command frequently, so try to become familiar with it.

You will now see mon0 in the interface list.

Typing airmon-ng again will also show the mon0 interface that was created.



Now that our adapter is in monitor mode, let's check whether your USB wireless adapter supports packet injection and whether our target accepts injected packets. In the terminal, type the command:

airodump-ng mon0

airodump-ng is used to monitor and capture packets from the WiFi medium. This command scans the WiFi networks present in the vicinity and lists each network's name, channel, MAC address, authentication/security type and the clients connected to it.



We need to gather some information about our target:

SSID = redmar
MAC Address = 00:01:E3:C3:A2:AC
Channel = 6
Encryption/Authentication = WPA2

For the injection test to succeed we must lock our adapter (mon0) to the channel used by our target, which is channel 6. Issue the commands

iwconfig mon0 channel 6 - lock to channel 6
iwconfig mon0 - verify



2.4 GHz Channel and Corresponding Frequencies

Source : community.arubanetworks.com
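As an added example (my own code, not from the original post), here is the mapping in the chart above as a script, plus a reader for the Frequency field that iwconfig prints, so the "verify" step can be checked automatically; the iwconfig text in it is a constructed sample.

```python
import re

# 2.4 GHz band: channels 1-13 are 5 MHz apart starting at 2412 MHz,
# channel 14 (Japan only) sits at 2484 MHz. Each channel is about 22 MHz wide.
CHANNEL_WIDTH_MHZ = 22

def channel_to_mhz(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")

def mhz_to_channel(mhz: int) -> int:
    """Inverse of channel_to_mhz; raises if mhz is not a channel centre."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    raise ValueError(f"not a 2.4 GHz channel centre: {mhz} MHz")

def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer than the channel width.
    This is why 1, 6 and 11 (25 MHz apart) are the usual non-overlapping set."""
    return abs(channel_to_mhz(a) - channel_to_mhz(b)) < CHANNEL_WIDTH_MHZ

# The frequency field as iwconfig prints it, e.g. "Frequency:2.437 GHz".
_FREQ_RE = re.compile(r"Frequency:(\d+\.\d+)\s*GHz")

def channel_from_iwconfig(output: str) -> int:
    """Read the Frequency field out of iwconfig output and return the channel."""
    match = _FREQ_RE.search(output)
    if not match:
        raise ValueError("no Frequency field found in iwconfig output")
    mhz = round(float(match.group(1)) * 1000)
    return mhz_to_channel(mhz)

# Constructed sample in the shape of 'iwconfig mon0' output after locking channel 6.
SAMPLE_IWCONFIG = (
    "mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm\n"
    "          Retry  long limit:7   RTS thr:off   Fragment thr:off\n"
)

if __name__ == "__main__":
    print("mon0 is locked to channel", channel_from_iwconfig(SAMPLE_IWCONFIG))
```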


Now that we know the information about our target, we can perform the packet injection test. Type the command below in the terminal.

aireplay-ng -9 -e (ssid) -a (mac of router) mon0

where:
-9 = run the injection test
-e = the SSID or WiFi name
-a = the MAC address of the router or access point
mon0 = the adapter in monitor mode

example:

aireplay-ng -9 -e redmar -a 00:01:E3:C3:A2:AC mon0

In this test our target WiFi SSID (name) is "redmar" and its MAC address is 00:01:E3:C3:A2:AC.




This is very important: if the test fails or you get a poor injection quality percentage, you cannot proceed. If it reports success with a high injection quality percentage, then you can use your WiFi adapter to inject packets during the wireless penetration test, and the vulnerable target accepts injected packets as well.

Packet injection (also known as forging packets or spoofing packets) is a computer networking term that refers to the process of interfering with an established network connection, by means of constructing packets to appear as if they are part of the normal communication stream. The packet injection process allows an unknown third party to disrupt or intercept packets from the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to utilize certain network services or protocols. Packet injection is commonly used in man in the middle attacks and denial of service attacks.
(Source: Wikipedia - http://en.wikipedia.org/wiki/Packet_injection)


Now that the packet injection test is successful, we are ready to execute the task of acquiring our target's log-in credential, the password of the WiFi. Let's first check the requirements for this attack to succeed.

1. The USB WiFi adapter must be in monitor mode (mon0).
2. The USB WiFi adapter must support packet injection and the target must accept injected packets.
3. We have the right information about our target.
4. We need a strong signal from our target; if it is poor the test may fail.


We all know that airodump-ng is the command used to capture packets (data) across the WiFi medium. Let me first explain how the client and the router (access point) communicate before the client is admitted to the network. For a WiFi network with security enabled, before we can use that WiFi and connect to the Internet we need to supply the right log-in credentials, and the password is what matters. To acquire the password we must capture the communication packets between the client and the access point. This is one of the problems in wireless communications: data sent over the air can be intercepted and analyzed using sophisticated tools.

For easy understanding, think of two people talking with each other: what you secretly overhear of their conversation may be used as a reference against them for whatever purpose. This is the way the client PC and the router access point communicate before the client is given the pass signal to enter the network, and we need to hear that communication using the right tools.

So what actually is the conversation between the client and the access point? In wireless (WiFi) terminology, before the client is given the pass it goes through the so-called 4-way handshake, the method by which the router access point authenticates the client; this handshake is the real communication between the client and the A.P for authentication. This is all we need: to capture the 4-way handshake data, because it contains the actual password transmitted by the client to the A.P.

Image Source : slideplayer.us

I have given you a basic idea of what the 4-way handshake is; now it's time to capture it.

So everything is up and ready.

In the terminal type

airodump-ng -c 6 --bssid 00:01:E3:C3:A2:AC -w wifitest --ivs mon0

where:
-c is the channel used by our target access point
--bssid is the MAC address of the target A.P
-w saves the captured packets to a file; name it according to your preference
mon0 is our USB adapter in monitor mode


Now that airodump-ng has started capturing packets from our target A.P, our aim is to capture the 4-way handshake, which only occurs during the client-to-A.P authentication process, i.e. when you type the password and try to connect to the WiFi. So how do we capture the 4-way handshake? One method is to wait for another client to connect to the A.P, but that can take a long time. To speed up the process we force one client to disconnect from the WiFi network so that it reconnects; the 4-way handshake authentication then takes place again between the client and the A.P, allowing us to capture it. To do this, open another terminal, leaving the airodump-ng terminal open.

Type this deauthentication command to force the client to disconnect; this is where packet injection takes place.

aireplay-ng -0 5 -a 00:01:E3:C3:A2:AC -c AC:81:12:94:47:23 mon0

where:

-0 = deauthentication/disassociation attack mode
5 = number of deauthentication packets to inject
-a = MAC address of the A.P
-c = MAC address of the client
mon0 = wireless USB adapter in monitor mode


In the image you will see that I have two terminals open: the first runs airodump-ng to capture the packets, and the second performs the packet injection that forces one client to disconnect and reconnect, so the 4-way handshake occurs between the client and the A.P and we capture the handshake we need.
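From the defender's side, the forced disconnect above leaves a recognisable trace: a burst of deauthentication frames addressed to one client, apparently from the A.P. As an added example (my own code, not from the post or the aircrack-ng project), this detector flags such bursts in a frame log; the frame records are a constructed sample using the A.P and client MACs from the post.

```python
from collections import defaultdict

# 802.11 management frame subtypes (type 0) used here.
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

def detect_deauth_bursts(frames, window_s=1.0, threshold=3):
    """Flag every sender/receiver pair that emits at least `threshold`
    deauth/disassoc frames within any `window_s` seconds.
    frames: iterable of (timestamp_s, subtype, sender_mac, receiver_mac, reason_code).
    Returns a list of (sender, receiver, peak_count, window_start_ts)."""
    per_pair = defaultdict(list)
    for ts, subtype, sender, receiver, _reason in frames:
        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            per_pair[(sender.lower(), receiver.lower())].append(ts)
    alerts = []
    for (sender, receiver), stamps in per_pair.items():
        stamps.sort()
        peak, peak_start, start = 0, None, 0
        for end in range(len(stamps)):
            # advance the window start until every frame in it fits within window_s
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 > peak:
                peak, peak_start = end - start + 1, stamps[start]
        if peak >= threshold:
            alerts.append((sender, receiver, peak, peak_start))
    return alerts

# Constructed sample frame log (not a real capture). One genuine deauth from the
# client is followed later by a burst of deauths that appear to come from the A.P,
# which is the pattern an injected deauthentication produces.
AP = "00:01:E3:C3:A2:AC"
CLIENT = "AC:81:12:94:47:23"
SAMPLE_FRAMES = [
    (0.00, SUBTYPE_BEACON, AP, "FF:FF:FF:FF:FF:FF", None),
    (0.50, SUBTYPE_DEAUTH, CLIENT, AP, 3),        # client leaving normally
    (10.00, SUBTYPE_DEAUTH, AP, CLIENT, 7),
    (10.10, SUBTYPE_DEAUTH, AP, CLIENT, 7),
    (10.20, SUBTYPE_DEAUTH, AP, CLIENT, 7),
    (10.30, SUBTYPE_DEAUTH, AP, CLIENT, 7),
    (10.40, SUBTYPE_DEAUTH, AP, CLIENT, 7),
    (11.00, SUBTYPE_BEACON, AP, "FF:FF:FF:FF:FF:FF", None),
]

if __name__ == "__main__":
    for sender, receiver, count, ts in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {count} frames from {sender} to {receiver} from t={ts}s")
```

Because the injected frames carry the A.P's own address, the sender field alone cannot tell them apart from a real disconnect; the rate is the signal, and a wireless IDS uses the same idea.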


Now that we have captured the 4-way handshake packets, we need to decrypt them, because the packets are protected: they will not display the password in plain text so that you can read it directly.

In terminal 1 (airodump-ng), keep capturing until you see "WPA handshake" in the status line; if you don't see it yet, just let the capture continue. When the WPA handshake is displayed, stop the process by pressing Ctrl+C. Now we need to decrypt the captured 4-way handshake.

In the earlier step we named the capture file "wifitest"; it is saved in root's home directory (/root).




Although there are many methods used in a WiFi log-in credentials test, for this topic I will use a dictionary attack to decrypt the 4-way handshake and reveal its password. The dictionary attack is the most basic WiFi password pentest: it uses a dictionary wordlist in which all the candidate passwords are stored. The larger the wordlist file the better, because if the password is not listed in the dictionary the attack will definitely fail to reveal it. There are many dictionaries that can be downloaded from the net; some are many gigabytes in size. This method still applies to SOHO router access points that use the WPA/WPA2 encryption/authentication method. We all know that WPA2 is the highest security standard available for SOHO routers, but it is still susceptible to this kind of attack.


So let's start decrypting the handshake.

In the terminal type the following command

aircrack-ng -w /root/Desktop/darkc0de.lst wifitest-01.ivs

where:

-w is the dictionary wordlist; /root/Desktop/darkc0de.lst is its location. For faster searching I copied it to my desktop, but its original location is /root/pentest/passwords/wordlists.
wifitest-01.ivs is the capture file saved by airodump-ng (it appends -01 to the name you gave with -w).

The darkc0de.lst password list is already included in BackTrack, but if you prefer another dictionary wordlist you may search for one on the Internet.

Decrypting takes a while, depending on the password; sometimes it takes an hour or more, so be patient. As I've said, the password decryption depends on your dictionary: if the password is not in the wordlist it will fail, so search for another wordlist or try another method.

Here is the password of our target WiFi!





Now that you have this knowledge as an I.T pen tester, as I always note, do not use it to gain advantage over other people's WiFi equipment. This is for educational purposes, to broaden our knowledge about real-world threats and to work out solutions to mitigate them.

For ordinary users, mostly home users: you are now aware that this threat actually exists today. Despite the efforts of I.T security specialists to tighten the security of wireless Internet devices, there is still a way to exploit them.


So how do you protect your home or business WiFi appliances from this kind of threat?

1. Make a strong password. Do not use simple names or numbers. Be unique: the password should be at least 10 characters, combining letters and numbers, uppercase, lowercase and special characters. Follow the links below for a WPA password generator that may help you generate your password.



This is only an example of what your password should look like. You may use it or create your own, but remember the basic idea of creating a passphrase as shown in the image.

2. Do not broadcast your SSID. Remember, it is the name of your WiFi, sent over the air so that the public knows it. Hiding it is one technique for mitigating this threat: you will not be hacked as easily if your WiFi SSID is not broadcast. An experienced hacker has ways around this, but as I've said, delaying the hacker's exploitation of your wireless network is a good way to make him or her give up if the real SSID is not found.


3. One simple solution is to turn off your WiFi when not in use. Do not leave it running 24 hours a day, 7 days a week. This will also prolong the life of your equipment and prevent a hacker from scanning your network while it is off.

4. Decrease the transmit power of your WiFi. It is usually left at the default, which is 100% transmit power; you may have noticed that when you are at your neighbor's you can still see your WiFi name when you scan for connections. Lowering it is another way of evading hackers, because in the test I showed, before you can capture the WPA handshake you must have a stable connection to the target WiFi, meaning a strong signal. If the target's signal is poor you will probably not capture the handshake because of errors in the packets. So what percentage of transmit power should you use? This is a subject for experiment, because as I outlined in my previous post, WiFi signals are prone to interference. Refer here: Ways to Improve Home WiFi
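Point 1 above is the mitigation that actually defeats the dictionary attack shown earlier: the handshake exposes only a value derived from the passphrase, so the attack succeeds only when the passphrase is in the wordlist. As an added example (my own code, not from the post), this checker applies the post's password policy and a wordlist lookup; the wordlist in it is a small constructed stand-in for a list such as darkc0de.lst.

```python
import math
import string

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters; the post
# recommends at least 10 characters mixing upper, lower, digits and symbols.
MIN_LEN_RECOMMENDED = 10

# Constructed stand-in for a dictionary such as darkc0de.lst (a real list is far
# larger); entries are compared case-insensitively.
SAMPLE_WORDLIST = {"password", "redmar123", "letmein", "qwerty12", "iloveyou"}

def _char_classes(pw):
    """Which of the four character classes the passphrase uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }

def estimate_bits(pw):
    """Brute-force upper bound, log2(alphabet ** length). A wordlist entry is
    worth only about log2(len(wordlist)) regardless of what this returns."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, used in _char_classes(pw).items() if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def check_passphrase(pw, ssid, wordlist=SAMPLE_WORDLIST):
    """Return a list of findings; an empty list means the passphrase meets the
    post's policy and is not an obvious dictionary-attack target."""
    findings = []
    if not (8 <= len(pw) <= 63) or any(not (0x20 <= ord(c) <= 0x7E) for c in pw):
        findings.append("not a valid WPA passphrase (8-63 printable ASCII characters)")
    if len(pw) < MIN_LEN_RECOMMENDED:
        findings.append(f"shorter than {MIN_LEN_RECOMMENDED} characters")
    if not all(_char_classes(pw).values()):
        findings.append("does not mix upper, lower, digits and symbols")
    if pw.lower() in wordlist:
        findings.append("appears in the wordlist")
    if ssid.lower() in pw.lower():
        findings.append("contains the SSID")
    return findings

if __name__ == "__main__":
    for candidate in ("redmar123", "Tz7$kq!Vm2pL"):
        print(candidate, f"{estimate_bits(candidate):.1f} bits",
              check_passphrase(candidate, "redmar"))
```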



As I've always said, we have the power to control everything; just open your mind and stay updated on technological matters. Awareness is one example, and I present this topic to make readers more aware and vigilant.

Please follow this link or bookmark this page, because I will update this post when I have time.

Thanks anyway.




