Take Away: Cracked 64 bit WEP in 5 minutes, could not get 128 to break
With the help of a friend bringing over a 3Com 7760 Wireless AP last night, we were able to practice and observe, from the victim's standpoint, the cracking of WEP 64 and 128. Booting to BackTrack 3, we first tested that we could crack the WEP 64 key using SpoonWep.
SpoonWep is a graphical interface that does just what it says: it spoon feeds the WEP cracking for you. All you need to know is the channel and the BSSID, which is the MAC address of the victim AP (Access Point). You can snag this info using Kismet, which we did for practice, but obviously we knew the MAC since we were also in possession of the AP.
By the way, some definitions of SSID, ESSID and BSSID:
SSID: Short for Service Set Identifier, a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network.
ESSID: The Extended Service Set ID (ESSID) is the name of the network you want to access. It is used to identify different wireless networks. An ESSID is just an extended SSID allowing for more features.
BSSID: The BSSID is a 48-bit identity used to identify a particular BSS (Basic Service Set) within an area. In infrastructure BSS networks, the BSSID is the MAC (Medium Access Control) address of the AP (Access Point); in independent BSS or ad hoc networks, the BSSID is generated randomly.
SpoonWep cracked the key in about 5 minutes, so we knew it was doable. We did not want to be so spoon fed and wanted to get our hands dirty, so we attempted the crack again using:
Airodump-NG, Aireplay-NG and Aircrack-NG
First we needed to capture data to crack; for 64 bit WEP at least 5000 IVs would be needed. We used airodump to capture these.
Typing airodump-ng --help will give the list of options and filters. We went with the command:
airodump-ng --ivs -w dumpfile --bssid aa:bb:cc:dd:ee:ff --channel 11 ath0
Breaking this down:
airodump-ng is the command
--ivs tells airodump to save only the captured initialization vectors (IVs)
-w dumpfile tells airodump to write to a file I called dumpfile
--bssid aa:bb:cc:dd:ee:ff is the AP to capture data from; the MAC is made up for the purposes of this blog
--channel 11 is the channel to capture data on
ath0 is the name of my NIC
Once airodump was capturing IVs we saw that the data being captured was not increasing very fast, because there was little communication going on between the AP and the node already connected to it. We wanted it to capture faster; this is where Aireplay comes in.
Like Airodump, using the command aireplay-ng --help lists your command options. Notice when doing this there are several attack modes:
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
The attack we chose was ARP Replay, since that was what SpoonWep used. Our initial command looked like this:
aireplay-ng -3 -b aa:bb:cc:dd:ee:ff -x 1024 ath0
Breaking this down:
aireplay-ng is the command
-3 is the number of the attack we chose; this could also be written --arpreplay
-b aa:bb:cc:dd:ee:ff is again the AP we are attacking
-x 1024 is the number of packets per second we are injecting; the default is 500, and we found 1024 is the max
ath0 is my NIC
This still did not appear to greatly speed up the data capture rate. Then, watching Airodump, we saw the MAC of a computer connected to the AP we were attacking. So we rewrote our aireplay command to include a source MAC address. The MAC we used was the one already connected to the AP, thus forcing traffic between the two. Notice the -h we placed in the command.
This ramped up data capture, and in time we were at 5000 IVs and beyond. Now it was time to set up the crack.
Aircrack actually performs the cracking to determine the WEP key needed to connect to the network. Again, --help will show the options needed. The command we ran was:
aircrack-ng -a 1 -b aa:bb:cc:dd:ee:ff -n 64 dumpfile.ivs
Breaking this down:
aircrack-ng is the command
-a 1 tells aircrack it is working against WEP
-b aa:bb:cc:dd:ee:ff is the BSSID we are attacking
-n 64 is the key strength, 64 bit
dumpfile.ivs is the file holding all the data airodump has “dumped”; remember the first command I wrote about? Airodump created a dumpfile.txt and a dumpfile.ivs; the IVS file is what you need to crack against
You can begin the cracking process while airodump is still running; aircrack will continue to read the file as it is updated.
All in all it took about 5 minutes to crack the 64 bit WEP key.
Using the same process as above, but configuring for 128, we tried to attack 128 bit WEP. The thing is, we had no luck. All the reading we have done said around 20,000 IVs are needed; we had over 500,000 IVs and still no luck. It was late, so we gave up on that and plan to try again in the near future.
Take Away: Know your Windows variables for portability of your scripts
%time%, %date%, and %computername% are my most commonly used Windows variables. A lot of times when I run a script I am spitting text out to a log file, and this is where the 3 variables come in handy. I place them at the top of my script preceded with an echo command. This helps me to know when the script kicked off and on what machine it is running.
echo %computername% # spits out the name of your computer
echo %date% # spits out the current date on the system
echo %time% # you guessed it; spits out the current time on the system
Open a command window and try it out there. At the command prompt just type one of my echo statements above, without the # sign and everything behind it, and you will see what I am talking about.
I especially like the %time% variable. I perform a %time% echo at the beginning and again at the end of the script to determine how long the script ran. I also use %computername% to help make the script portable. For example, notice the following command:
blat.exe file.txt -to "email@example.com" -serverSMTP 10.10.10.20 -f "%firstname.lastname@example.org" -attacht %computername%*.csv -subject "%computername% login failure audit" -body "This came from c:\evtqury on %computername% where a scheduled task runs to execute this report"
Now, I am too tired to break down what all this script is doing beyond saying I am reading the security logs for event 680 on a daily basis and mailing a CSV log to myself with the results to see if there are any failed domain logins I need to investigate.
Just notice how I am using the Windows variable %computername%. I am using it to name the output file so it is easily differentiated from all of the files from other systems I receive. I am also using it to build the “from” email address so I can sort the messages from each of the servers in my .pst folder. I am using the variable in the body of the email, and finally I am using it when I delete my output file.
Because I am using the variable, I write one script and copy it out to many servers, such as Server1, Server2 and Server3. If I were to use the servers' actual names in the script, well then obviously I would have to create a script for each server.
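As an added example, not from the original post, here is a batch script built around the same three variables: it names its log after the machine it runs on and works out how long the script ran from the two %time% stamps. The log file name and the ping used as stand-in work are my own assumptions.

```batch
@echo off
setlocal
rem Assumed log name: one file per machine, so copies of this script on
rem Server1, Server2 and Server3 never overwrite each other's output.
set "LOG=%computername%_audit.log"
set "START=%time%"
echo Started on %computername% at %date% %START% >> "%LOG%"

rem The real work would go here; a short ping stands in for it (assumption).
ping -n 3 127.0.0.1 > nul

set "END=%time%"
echo Finished on %computername% at %date% %END% >> "%LOG%"

rem %time% looks like HH:MM:SS.cc and hours before 10 are space padded
rem (" 9:05:09.37"), so turn the space into a 0 before splitting on : and .
set "START=%START: =0%"
set "END=%END: =0%"
rem The 1%%a-100 trick stops SET /A from reading 08 and 09 as bad octal numbers.
for /f "tokens=1-4 delims=:.," %%a in ("%START%") do set /a S=((1%%a-100)*3600+(1%%b-100)*60+(1%%c-100))*100+(1%%d-100)
for /f "tokens=1-4 delims=:.," %%a in ("%END%") do set /a E=((1%%a-100)*3600+(1%%b-100)*60+(1%%c-100))*100+(1%%d-100)
rem Handle a run that crosses midnight.
if %E% LSS %S% set /a E+=24*3600*100
set /a ELAPSED=E-S, SEC=ELAPSED/100, CS=ELAPSED%%100
set "CS=0%CS%"
echo Elapsed: %SEC%.%CS:~-2% seconds >> "%LOG%"
type "%LOG%"
endlocal
```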
For Father's Day I received an Acer Netbook. What a great toy, and what I was most excited about was having an Atheros wireless NIC compatible with BackTrack 3 and Kismet. I was actually dreading that I was going to have to work to get BackTrack installed onto a USB stick to boot the OS on my XP Netbook. To my surprise, while researching the web on how to do this and proactively searching for any gotchas, I came across a great tool on SourceForge: Unetbootin. This is a stand alone app that will not only go and retrieve the ISO image for you but will install it onto the USB stick as well! Voila, with a couple of drop downs and radio buttons selected you are ready to go; click the OK button and sit back. In less than 30 minutes I had downloaded (thanks to my 20 down 5 up ISP) and installed two USB bootable OSes: Ubuntu and BackTrack 3.
FOR THE BUSY (or IMPATIENT): Point of the Story: SubInACL scans every single folder and file unless you tell it not to.
I am working on modifying permissions on up to 3 million folder and file objects on one root drive in a Microsoft environment. I obviously am scripting this as well as performing the process in stages; right now I am in the testing stage in a non-production environment (see my first posting of the “Script the World” series).
The initial command I chose to use was XCACLS from Microsoft. It is a fairly simple command to view and edit permissions on files and folders. I noticed that it ran a little slow for my tastes and was discussing this with a co-worker, who mentioned he used Microsoft's SubInACL. SubInACL can be used for similar purposes but appears to be more robust than XCACLS.
When I tried SubInACL it took much, much longer than XCACLS to complete and in some of my tests even “hung”. This was very odd, as my co-worker had successfully used SubInACL for his tasks. I began researching using Google and Microsoft's ProcMon and came upon what I would call at best a nuance and at worst a bug.
Let me set the stage: I have a root drive for testing; “H:” and in this root drive I have 10 directories:
AAA BBB CCC DDD EEE FFF GGG HHH III JJJ
Inside each of the directories I have 20,000 folder and file objects. Since I will perform these permission changes in stages when I am working with production folders, I only want to work on a select group of folders at one time; for example
Stage 1 AAA BBB CCC
Stage 2 DDD EEE FFF etc....
So using scripting and reading from a list (another reference to my Script the World 1 post) I am able to automate these changes; however, as mentioned above, SubInACL seemed to “hang”. I researched this issue on the web and stumbled across a forum posting that had a similar issue; one of the posters stated that SubInACL scans all folders and files in the parent directory on which you are making changes, even though you did not tell it to touch those folders. For example, using the command to change permissions on folder AAA:
would result in SubInACL changing those permissions but then going on to SCAN (NOT MODIFY; I WANT TO BE CLEAR, it only performs a read) the remainder of the folders and files in H:. Using Sysinternals' (now Microsoft's) Process Monitor confirms this. I turned on ProcMon, filtered for SUBINACL.EXE, and sure enough I see it work on the AAA folder and its files, but then it goes on to read every other folder and file in the H: drive before finishing the command!
Now there is an “Exclude” switch in SubInACL, but it does not work for what I am doing since I am working at the root of the directory. The command would be
A programmer I am not! I do study scripting languages, but with my position and the other tools we utilize, scripting can be spread far enough apart that I have to pull the books back off the shelf or dig around Google to refresh my memory. I try and practice shell scripting, PERL, and VB Script when I need to automate a task, and I do keep my scripts around, as I have found over the years I continually refer back to them and borrow from one another to accomplish new tasks. Speaking of "referring back", take my advice and take the time to write notes, either via comments in the script itself or in a text file in the same directory where you keep the script, about the purpose of the script, how it works, why you used it; and WHERE! Over the past 10 years I have become better at this, but I also still get bit by digging up scripts from years back and having to re-figure why I did what I did.
The stuff I am going to present here is actually a bit embarrassing; I mean, the stuff I write is SIMPLE! There is also quite a bit of bailing wire and bubble gum involved, which leads me to say: test your script in a non-production, non-critical environment before ever using it in a place that could harm your company and possibly your employment status.
As stated, this is simple stuff, but like me there may be others that need a little idea or hint on how to get things going for themselves.
In this post I am going to show what I do to read from a list and execute a command against each item in that list in a Microsoft Windows environment, using a batch file as your executable. In this example I am going to do a ping command against a list of URLs. DON'T BLINK!
STEP 1: Select or create a directory to work from. I like to keep the items below in the same folder; it makes calls that much easier.
STEP 2: Open NOTEPAD.EXE and make a list of URLs you want to ping; for example
For this example save the document as LIST.TXT, and place LIST.TXT in the directory from STEP 1.
STEP 3: Open NOTEPAD.EXE and type in the following:
FOR /F %%A IN (LIST.TXT) DO PING %%A
Save this file as PINGURL.BAT in the directory from step one.
You are done! Execute the script in the method you prefer. For this example let's do it from the command prompt.
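As an added example, not part of the original post, this batch file extends PINGURL.BAT from STEP 3 so each result is logged with the %time% and %computername% variables from the earlier post; the per machine log name, the use of # comment lines in LIST.TXT and the one-ping-per-host timeout are my assumptions.

```batch
@echo off
setlocal enabledelayedexpansion
rem Assumed layout: LIST.TXT sits beside this .BAT (%~dp0 is the script's own
rem folder), one host or URL per line, and results go to a per machine log.
set "LIST=%~dp0LIST.TXT"
set "LOG=%~dp0%computername%_ping.log"
echo Ping run on %computername% started %date% %time% >> "%LOG%"
rem usebackq  lets the file name be quoted, so paths with spaces work
rem eol=#     skips lines that start with # so LIST.TXT can carry comments
rem delims=   keeps the whole line in %%A rather than only its first word
rem FOR /F skips blank lines on its own.
for /f "usebackq eol=# delims=" %%A in ("%LIST%") do (
    ping -n 1 -w 1000 %%A > nul
    rem Inside a block %time% is expanded once when the block is parsed, so
    rem every line would carry the same stamp; !time! is read per iteration.
    if errorlevel 1 (
        echo !time! %%A FAILED >> "%LOG%"
    ) else (
        echo !time! %%A ok >> "%LOG%"
    )
)
echo Ping run on %computername% finished %date% %time% >> "%LOG%"
type "%LOG%"
endlocal
```

On some Windows versions ping exits 0 for "Destination host unreachable", so a FAILED line means no reply at all, not that the host is healthy when marked ok.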
BTW: Jing is a handy little program. I am not ready to give it a rating but below is a link to the video of me executing the script and showing you where the files are stored.