
WEP hacking in detail: Mac filter, Dhcp off, still quite safe?!



Dionysos
07-13-2008, 04:01 PM
Hello from Italy this time!

I just subscribed to the forum, hoping that some experienced guys out there could help. I studied the posts for more than 3 weeks, but finally I couldn't find a solution. Answers / help welcome. After this issue is resolved, I plan to sum it up and share the solution with other people. I am more or less a beginner with this software, so please don't be too harsh!

Equipment / Hardware:

Backtrack 3 Final (live version)
Wireless Card: Broadcom + Alfa USB (=It started with the ALFA)

Access Point:

"Routerboard" Router
WEP protection (128)
Authentication: OPN
+ Mac Filter enabled (5 clients)
Dhcp disabled

Ok, there is a grillion of WEP Hacking tutorials out there, so I said, I wanna try this, too. Let's get the ALFA started. For everyone's concern, this is my network at home! As a starting point, I reconfigured the network, enabling the WEP encryption with 128 key length instead of the WPA. First: DHCP ON! I removed my laptop's MAC from the whitelist. I successfully spoofed the address with macchanger:

macchanger --mac 00:15:D6:02:84:62 wlan0

That's how I could associate with my AP, using aireplay without any "permission problems". After some time, using the well-known tools, such as airmon-ng, airodump-ng, aircrack-ng, I figured that my ALFA does its job and I could crack my key in less than 2 hrs, with around 1.5 million IVs. Then I used the following commands to connect to the internet:

wlan0 ==> "mode managed" and "up"

iwconfig wlan0 essid okcom.it
iwconfig wlan0 key 27:4B:7B:6B:71:41:52:2A:75:54:6D:5E:XX
iwconfig wlan0 ap 00:0C:42:XX:XX:XX
ifconfig wlan0 up
rm /etc/dhcpc/*
dhcpcd -nd wlan0

Fine, this one worked!

Just for fun, I tried the same with the Broadcom chipset bcm43xxx. Ok, injection worked, but differently: I could inject 10 pps without crashing using the standard -3 method in aireplay. Note here that I had to use the -p 0841 method with my ALFA! The Broadcom card somehow recognized different packets sent, thus making it possible to use the easy -3 method:

aireplay-ng -3 -b [MAC AP] -h [my spoofed MAC] wlan0

This may be interesting for future purposes. Anyway, it took me about 1.5 days to succeed. The "key" in aircrack was the -K option (capital K).

aircrack-ng -K -z -x2 -f10 -b [MAC AP] output.cap

Took less than 30 sec to get the correct key!


Ok, now my idea: As already stated in some posts, let's try to make your WEP more secure and disable DHCP. Done. Set everything in the router so that the internet works with a static IP, went to my laptop again. This is exactly where all the tutorials stop and hell no, I couldn't figure out a nice solution.

Let's go mac resolving I thought:

Configured kismet.conf, set the WEP key: ==> It won't resolve the IP range, thus making it hard to guess any broadcasts or default gateways.
Never mind, checked out some posts, read that Wireshark is the answer: I configured Wireshark so that I can do live decryption as well as monitor the traffic. Believe it or not, after letting it run for over 2 hrs, there was not a single ARP request visible. What's going on here?! WEP safe?! I kept on chatting on the 1st computer while Wireshark was running, downloading some Windows updates on the 2nd computer. For sure there was some traffic (there should be some ARP requests at some point, no?!).
I can monitor all the outgoing traffic, destinations and sources "outside" the network. But no way anyone could decrypt my SSL connections with ettercap unless he's IN the net. Apparently it's not so easy, or all the forums end with "use this, use that", 2 lines that shall help to resolve this problem, or the thread is closed because it's so obvious that someone is hacking his neighbours' WLAN. This is not what this thread is about.

I also tried some things with TCPDUMP, without success. Long story short:

How to determine the default GW, the IP range and the netmask if DHCP is disabled?! Is there a tool, a way? Why won't my AP send any ARPs?

Thanks for your help!
If you guys need any further details please write.
I hope I made myself clear so that the first answer won't be "why do you wanna do this" or "use the search option". I'm serious here because relating to this topic I could not find anything on the web, so I consider WEP encryption not the best solution possible, but with DHCP disabled worthwhile to have!

PS I heard something about the chopchop method and waiting until I would log on with one of the other, "valid" computers, but I couldn't work myself through it. Let me know. Another tutorial tries its best with tcpdump and the following command

tcpdump -v -i wlan0

then the IP range shows up; well, it didn't do anything in my case.


Cheers

Dionysos

Apollopimp
07-13-2008, 04:56 PM
this is my network at home! As a starting point

from that I get that after we help you crack your own network you will most likely be cracking networks that aren't yours..

also you said you're new; if so, then put your copy of backtrack in the trash and try your hand at Slax or Ubuntu.. these are more noob-friendly..

I hardly come here anymore because of all the "i need help cracking networks" it gets old.. we all know the truth so don't lie to us we are not stupid..

streaker69
07-13-2008, 05:13 PM
from that I get that after we help you crack your own network you will most likely be cracking networks that aren't yours..

also you said you're new; if so, then put your copy of backtrack in the trash and try your hand at Slax or Ubuntu.. these are more noob-friendly..

I hardly come here anymore because of all the "i need help cracking networks" it gets old.. we all know the truth so don't lie to us we are not stupid..

To quote Happy Harry Hardon "I can smell a lie like a fat in a car".

Dionysos
07-13-2008, 06:07 PM
Geez,

This is exactly why I was doubting so much whether it's worth the effort putting this post online. From my point of view, I described my matter as objectively as I could. But apparently there seems to be still no-one out there who can give an adequate answer to a proper question!
With you guys' postings this thread isn't gonna be anything besides "I said that" but "I don't believe you..."

Look, I'm trying to understand what's been written in so many forums and I never wanted this to be an ethical posting but:

MAC-Spoofing + DHCP disabled doesn't enhance the security of WLAN. ==> Why?!?

All I read, and now get - with myself asking someone - is lousy answers with no matter of respect: "Dump your Backtrack in the trash"
I checked your posts "Apollop", dude, the value you added to this forum with your last postings is: "Use the search button". Are you somewhat angry? There's always gonna be people with less experience who will ask other, more experienced guys for advice. So I asked! I can see where you are coming from, but this is simply not it.

I have used Backtrack for a year already, improving my Linux knowledge and finally understanding why so many computer scientists complain about the security issues of Windows. Have you guys read my whole post/thread?

I will rephrase my question: Why is WEP considered so unsafe if the IP-Range, Default Gateway and Subnet are not known!
All I can get from the forums and reports is the same:

Ask someone else! It's unsafe but I don't know why! There are possibilities but I'm not gonna say or I don't know.

If you don't want this question answered in this forum, that's no problem to say it out loud; from my point of view I would appreciate an answer. Look, I don't need any command lines if that's what you are complaining about, in my opinion - let me put it that way - a scientific answer is fine.

I hope I made myself clear

disappointed...

streaker69
07-13-2008, 06:47 PM
I will rephrase my question: Why is WEP considered so unsafe if the IP-Range, Default Gateway and Subnet are not known!



Because it can be cracked within 3 minutes without needing to know the IP range, Default Gateway or the Subnet.

MAC filtering is easily bypassed by MAC spoofing an active client on the network. Getting the rest of the information is just a matter of listening to the traffic.

Dionysos
07-13-2008, 07:03 PM
Ciao Streaker,

Thank you for taking this seriously.
Your answer refers to what I was writing, so please correct me if I'm wrong here.

In order to find the WEP key, one simply doesn't need the IP-Range, the Default GW or the Subnet, I agree.

So you state that after finding the key, all one needs to do is monitor the traffic to find out about the default GW, etc.
Even after monitoring the decrypted traffic for hours with my other computers connected to the internet, there was nothing like an ARP protocol or something that seemed useful. For sure I could set some filters properly to get detailed info about the data sent and received, but nothing that came close to my internal settings of the network. So, are there routers out there which obviously do something to work against intruding, or am I asking the wrong question?

Cheers

Dionysos

Barry
07-13-2008, 07:24 PM
What are you using to monitor the traffic?


Never mind, just reread your op.

hallamasch
07-13-2008, 08:48 PM
1 - You can only intercept wireless traffic
(except if the lan is using HUBS or you use somekind of arp attacks)

2 - You don't need arp requests to see the gateway
(every packet shows you the source and destination of that packet, which will always be the gateway, except if you have a direct line to the net.) [read up on TCP/IP]

3 - If you don't find any information about the network by using other techniques you can try with a brute-force method, by scanning the default ranges first and then the remaining ones with a simple ping method or sending broadcast packets. (simplified)

I simplified some things, to not confuse the reader.
I assume you didn't see any traffic because your other machines were connected over the wire.

*I apologize for my bad spelling, it's in the middle of the night here and my coffee has run out
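Hallamasch's point 2 is the part of this thread worth pinning down, so here is an added Python example (my own code, not anything posted by the participants) that does the bookkeeping one would otherwise do by eye in Wireshark. Given decrypted frames captured on your own AP, reduced to their MAC and IP source/destination fields, the router's MAC and the occupied address range fall straight out of the headers, without a single ARP or DHCP packet. All addresses in the sample are constructed; for the defender the lesson is that turning DHCP off hides nothing once the WEP key is known, so it is not a security control.

```python
import ipaddress
from collections import Counter

# Constructed sample of decrypted frames from one's own WEP network, reduced to
# the four header fields that matter here: (src MAC, dst MAC, src IP, dst IP).
# Every address below is made up for this example.
SAMPLE_FRAMES = [
    ("00:15:d6:02:84:62", "00:0c:42:aa:bb:cc", "192.168.88.10", "93.184.216.34"),
    ("00:0c:42:aa:bb:cc", "00:15:d6:02:84:62", "93.184.216.34", "192.168.88.10"),
    ("00:15:d6:02:84:62", "00:0c:42:aa:bb:cc", "192.168.88.10", "8.8.8.8"),
    ("00:1b:77:11:22:33", "00:0c:42:aa:bb:cc", "192.168.88.23", "65.55.57.27"),
    ("00:0c:42:aa:bb:cc", "00:1b:77:11:22:33", "65.55.57.27", "192.168.88.23"),
    ("00:1b:77:11:22:33", "00:15:d6:02:84:62", "192.168.88.23", "192.168.88.10"),
]


def is_local(ip):
    """Treat RFC 1918 (and other non-routable) addresses as 'inside the WLAN'."""
    return ipaddress.ip_address(ip).is_private


def infer_gateway_mac(frames):
    """Layer-2 view: frames to or from non-local IPs are carried by the
    router's MAC, whatever IP the router itself uses. Returns the MAC seen
    most often in that role, or None if no such frame exists."""
    seen = Counter()
    for src_mac, dst_mac, src_ip, dst_ip in frames:
        if is_local(src_ip) and not is_local(dst_ip):
            seen[dst_mac] += 1
        elif is_local(dst_ip) and not is_local(src_ip):
            seen[src_mac] += 1
    return seen.most_common(1)[0][0] if seen else None


def local_hosts(frames):
    """Local IPs that appeared in any frame, i.e. the occupied part of the range."""
    return sorted({ip for _, _, s, d in frames for ip in (s, d) if is_local(ip)})


def infer_subnet(frames):
    """Smallest CIDR block containing every local IP observed. This is a lower
    bound only: the real netmask is at least this wide (the sample yields
    192.168.88.0/27 although such a router is more likely configured as /24)."""
    hosts = local_hosts(frames)
    if not hosts:
        return None
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{hosts[0]}/{prefix}", strict=False)
        if all(ipaddress.ip_address(h) in net for h in hosts):
            return str(net)
    return None


if __name__ == "__main__":
    print("gateway MAC:", infer_gateway_mac(SAMPLE_FRAMES))
    print("local hosts:", local_hosts(SAMPLE_FRAMES))
    print("subnet (lower bound):", infer_subnet(SAMPLE_FRAMES))
```

The subnet function deliberately reports only what the evidence supports; two observed hosts pin the block down to a /27, and a longer capture narrows nothing further but may widen it. That is exactly why the OP saw "nothing useful" in hours of capture: the information was in every frame header, not in a separate protocol.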

Barry
07-13-2008, 08:55 PM
1 - You can only intercept wireless traffic
(except if the lan is using HUBS or you use somekind of arp attacks)

2 - You don't need arp requests to see the gateway
(every packet shows you the source and destination of that packet, which will always be the gateway, except if you have a direct line to the net.) [read up on TCP/IP]

3 - If you don't find any information about the network by using other techniques you can try with a brute-force method, by scanning the default ranges first and then the remaining ones with a simple ping method or sending broadcast packets. (simplified)

I simplified some things, to not confuse the reader.
I assume you didn't see any traffic because your other machines were connected over the wire.

*I apologize for my bad spelling, it's in the middle of the night here and my coffee has run out

Coffee should never run out....

hallamasch
07-13-2008, 09:03 PM
You are right, but I am innocent. It's my girlfriend's fault; she probably wanted me to get in bed early tonight, instead of spending another regular night in front of the screen.

i guess what i wrote is going to be hard to decrypt, but the information in there should be helpful =)

sunapi386
07-13-2008, 10:30 PM
There's like a million "Cracking WEP" tutorials on the "interweb" .. This is just more of that same ol'.. waste of time.
There are dozens of tutorials out, why make more?

fr0zen.sm0ke
07-14-2008, 12:18 AM
There's like a million "Cracking WEP" tutorials on the "interweb" .. This is just more of that same ol'.. waste of time.
There are dozens of tutorials out, why make more?
Dude it wasn't just a tutorial. He explained his steps and then asked few questions.
And if you have gone through "millions" of cracking WEP then why don't you reply to his questions?

Kennosuke
07-14-2008, 02:32 AM
I realize he began this thread to ask about the faults and insecurities regarding WEP, but continuing along the category of wireless security, how effective would you say WPA is? I understand that using the right wordlist is necessary to make cracking WPA feasible, but should the AP have a non-comprehensive password not revolving around a real word, what's the chances someone could crack that?

An example might be a password of "123abc456def" Most wordlists I've seen revolve around real words and "l337" words.

Would WPA be the safest home-use network security for wireless APs?

Apollopimp
07-14-2008, 02:40 AM
I realize he began this thread to ask about the faults and insecurities regarding WEP, but continuing along the category of wireless security, how effective would you say WPA is? I understand that using the right wordlist is necessary to make cracking WPA feasible, but should the AP have a non-comprehensive password not revolving around a real word, what's the chances someone could crack that?

An example might be a password of "123abc456def" Most wordlists I've seen revolve around real words and "l337" words.

Would WPA be the safest home-use network security for wireless APs?


at this time the only way to crack WPA is with the password; you could have a 50 Terabyte password list but if the actual password is not in the list then you will never crack it.

a password like this but 63 characters would be uncrackable a~.<)Q{}^*d2*x~\K|>:;T'[^r@9n could you imagine how big your password list would need to be, I believe 11111111 to 99999999 is like 11gbs

Dionysos
07-15-2008, 08:14 AM
Ciao!

Thanks for the info! I don't really wanna post something inadequate here, so basically I'm trying to figure out what you wrote.

1: Ok, never expected to monitor wired traffic with my wireless card
2: Will study TCP IP more, currently playing with:

wireshark filter dns.flags==0x8180, monitoring DNS.


3. furthermore, I started playing with "arping", "fping" and "hping" in BT3.

For me it's important to figure out several approaches to one problem. I try to start working my way through and understand more. I want this post to be interesting and informative, so thanks for reading first of all and thanks for giving some advice, too. I shall keep you posted on the progress - that's the only way to make a post rational and give it orientation. Thanks

Cheers

Dionysos

PS I guess WPA is a challenge and from the idea itself: it's safe. But how many XP users out of 100 will click on "accept the certificate", even though it's faked and someone is playing with the net.
For some nice tables regarding WPA, check the shmoo group's website.

imported_=Tron=
07-15-2008, 08:27 AM
PS I guess WPA is a challenge and from the idea itself: it's safe. But how many XP users out of 100 will click on "accept the certificate", even though it's faked and someone is playing with the net.
For some nice tables regarding WPA, check the shmoo group's website.

This has nothing to do with WPA, and as long as you use a strong passphrase along with WPA there is no reason to fear that anyone would gain access to your AP and be able to perform a MITM attack on you. There are naturally other ways to perform a MITM than to gain access to a wireless AP, but these scenarios have even less to do with WPA encryption than the previously mentioned.

Dionysos
07-15-2008, 12:24 PM
Ciao,

Catch your point! It was my lunch break so I had to be quick, minds flowing faster than I could write. I will be more precise in explaining myself in future, so to straighten this out:

I asked myself the question: How many out of 100 WinXP users will accept a fake certificate from someone who is playing with the net (actually performing a MITM attack, as you stated correctly) ==> 80?! maybe 90?!
Thus, referring to the discussed points concerning WPA:
How many out of 100 WinXP users will choose a sensible password or passphrase(length!) when setting up the WPA secured network?! 60?! 70?!
It's gotta be quick today, with setting up things - accomplishing something. That's my opinion. Most people don't think about it due to the lack of knowledge or simply ignorance: Media puts "WPA" is bulletproof in a headline and that's for a lot of people out there all they wanna know. Otherwise, when set up sensibly, WPA seems to be a very safe solution.

Quoting a professor of my brother: (prof asking the students)

"How do you choose a password?"
Student: "Case sensitive. Use numbers and special characters"
Professor: "You don't choose a password! You choose the length of the pw and create a random chain of characters!"

(I hope this didn't get lost in translation)

==>If you wanna play around with your router and see what kind of WPA-passwords one can actually hack by using precomputed tables: the tables of the shmoo group are a good source!

In fact the MITM has nothing to do with cracking keys of WEP or WPA networks. Hope I made myself clear this time.

Cheers

Dionysos
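To put numbers on the passphrase advice in this thread, both Apollopimp's 63-character example and the professor's rule "choose the length, then generate a random string", here is an added Python example (my own code, not from any poster). It generates a WPA-PSK passphrase of a chosen length from the `secrets` CSPRNG and reports the keyspace, the entropy in bits, and how large an exhaustive wordlist would be. The guess rate used for the time estimate is an illustrative assumption, not a measured figure, and the 8-63 character limit is the WPA-PSK passphrase range.

```python
import math
import secrets
import string

# Character classes a passphrase might be drawn from. WPA-PSK accepts 8 to 63
# printable ASCII characters; the 94-symbol class is letters, digits and
# punctuation (space left out because some router UIs trim it).
ALPHABETS = {
    "digits": string.digits,                                              # 10 symbols
    "lower": string.ascii_lowercase,                                      # 26 symbols
    "alnum": string.ascii_letters + string.digits,                        # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63


def keyspace(alphabet_size, length):
    """Number of distinct passphrases of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random passphrase of this shape."""
    return length * math.log2(alphabet_size)


def wordlist_bytes(alphabet_size, length):
    """Size of a plain-text list of the whole keyspace, one entry per line."""
    return keyspace(alphabet_size, length) * (length + 1)


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Time to try every candidate at a given rate. The rate is whatever the
    caller assumes; this function measures nothing."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 86400)


def generate_passphrase(length, alphabet=ALPHABETS["printable"]):
    """Pick the length first, then fill it with CSPRNG-chosen symbols."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError(f"WPA-PSK passphrase must be {WPA_MIN_LEN}-{WPA_MAX_LEN} chars")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(length, alphabet_name, guesses_per_second=1_000_000):
    """Summary for a passphrase of this shape (rate is an assumed value)."""
    n = len(ALPHABETS[alphabet_name])
    return {
        "length": length,
        "alphabet": alphabet_name,
        "entropy_bits": round(entropy_bits(n, length), 1),
        "wordlist_gib": wordlist_bytes(n, length) / 2**30,
        "years_at_rate": years_to_exhaust(n, length, guesses_per_second),
    }


if __name__ == "__main__":
    for length, name in [(8, "digits"), (12, "alnum"), (63, "printable")]:
        print(report(length, name))
    print("example passphrase:", generate_passphrase(20))
```

Running it side by side for an 8-digit PIN, a 12-character alphanumeric string and a 63-character random string shows why the thread's two pieces of advice are the same advice: a dictionary attack on WPA only works when the passphrase is in the list, and a list covering a long random passphrase cannot be stored, let alone tried.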

imported_=Tron=
07-15-2008, 12:49 PM
I asked myself the question: How many out of 100 WinXP users will accept a fake certificate from someone who is playing with net (actually performing a MITM attack, as you stated correctly)==> 80?! maybe 90?!
Thus, refering to the discussed points concerning WPA:
How many out of 100 WinXP users will choose a sensible password or passphrase(length!) when setting up the WPA secured network?! 60?! 70?!
It's gotta be quick today, with setting up things - accomplishing something. That's my opinion. Most people don't think about it due to the lack of knowledge or simply ignorance: Media puts "WPA" is bulletproof in a headline and that's for a lot of people out there all they wanna know. Otherwise, when set up sensibly, WPA seems to be a very safe solution.

Well now I understand the connection between the two that you were trying to make, pardon my last reply but as you say yourself your previous post was rather unclear. :D

I absolutely agree on that most people, especially windows users, probably are so used to clicking on pop-ups that they will blindly accept next to anything without paying any real attention to the actual warning message. I would believe that this same thoughtlessness often applies to WPA as well as any other service requiring you to choose your own password and remember it.

I can't refrain from citing Pureh@te's signature here as I find it to be one of the more insightful out there and it indeed is relevant to this subject:
Social engineering, because there is no patch for human stupidity!

ReckaH
07-15-2008, 02:00 PM
from that I get that after we help you crack your own network you will most likely be cracking networks that aren't yours..

also you said you're new; if so, then put your copy of backtrack in the trash and try your hand at Slax or Ubuntu.. these are more noob-friendly..

I hardly come here anymore because of all the "i need help cracking networks" it gets old.. we all know the truth so don't lie to us we are not stupid..

This post is just RUDE.
You don't disrespect members like this.
If you want to be sure, that no one is using this forum to hack networks that aren't his. YOU HAVE TO CLOSE IT.

you say you hardly come here anymore.
I say GOOD FOR US.

we don't need replies like this. Mister i know it all. :mad:

timstewart
07-15-2008, 04:43 PM
I totally agree ReckaH although the post you quoted isn't the only one. Time and time again this type of response is seen on these forums by big mouths but also by people who should know better. I saw this thread from the very first post by Dionysos and watched as the type of posts I expected to appear unfortunately did.

Come on lads, it ain't that hard to distinguish between the dicks that want to piss about with their neighbours' network and people that are starting out and want to learn.

Apollopimp
07-16-2008, 12:05 AM
i guess you haven't noticed backtrack is not for newbies.. if you want to learn and are not in it just to crack wep or wpa networks then learn slax or Ubuntu first, then come here and ask for help....



98% of noobs that come here and their first 10 posts are about trying to crack their network is total bullsh*t and we all know it..they just wanna crack their neighbors' network and want members here to help them because backtrack is run by commands and they have no clue what they're doing..

ReckaH
07-16-2008, 06:39 AM
i guess you haven't noticed backtrack is not for newbies.. if you want to learn and are not in it just to crack wep or wpa networks then learn slax or Ubuntu first, then come here and ask for help....



98% of noobs that come here and their first 10 posts are about trying to crack their network is total bullsh*t and we all know it..they just wanna crack their neighbors' network and want members here to help them because backtrack is run by commands and they have no clue what they're doing..

Apollopimp I know that, but instead of big-mouthing let the admins of the forum deal with it.
Or just don't reply if you think that.
But please stop with the bashing.
You had to learn it also.

And it's always the same people who do this.
hmmm maybe that's the way to get your posting number up.

All I am saying is, THIS FORUM HAS ADMINS AND MODERATORS.
So let them do their job instead of jumping to conclusions.:eek:

FargenDog
07-18-2008, 05:03 PM
i guess you haven't noticed backtrack is not for newbies.. if you want to learn and are not in it just to crack wep or wpa networks then learn slax or Ubuntu first, then come here and ask for help....



98% of noobs that come here and their first 10 posts are about trying to crack their network is total bullsh*t and we all know it..they just wanna crack their neighbors' network and want members here to help them because backtrack is run by commands and they have no clue what they're doing..

As all but a rank Linux noob I totally disagree. BT3b was one of the nicest live Linux distros I played with even ignoring its security tools. It worked great on every computer I played with it on. I could watch movies, burn DVDs, surf the net, etc. Of course for any of us with a thirst for learning how things work (or don't work as the case may be) BT is an unbelievable resource/tool set ready to be played with for the newb - everything collected and set up by ppl in the know.

Like it or not WEP cracking is interesting - malicious or not. I tried playing with Linux years ago and it wouldn't install on my laptop so I said forget it. I had a course which covered some Solaris stuff so I thought I would try Linux again. WEP was interesting and definitely drew me into playing with Linux. Now I have my kids playing with Linux and my disinterest in Linux has changed into an eye-opening experience.

Thankfully there are those who understand that they too were noobs and that not everyone learns in the same way or pace.

So to all the ppl on this forum, in particular those who spend countless hours helping - a heartfelt thank you for sharing knowledge. I think most of us here live by the principle of teaching and sharing so the trolls and big mouths are just a bump in the road to knowledge...