
Thread: WEP hacking in detail: Mac filter, Dhcp off, still quite safe?!

  1. #1
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    5

    WEP hacking in detail: Mac filter, Dhcp off, still quite safe?!

    Hello from Italy this time!

    I just subscribed to the forum, hoping that some experienced guys out there could help. I studied the posts for more than 3 weeks, but finally I couldn't find a solution. Answers / help welcome. After this issue is resolved, I plan to sum it up and share the solution with other people. I am more or less a beginner with this software, so please don't be too harsh!

    Equipment / Hardware:

    Backtrack 3 Final (live version)
    Wireless Card: Broadcom + Alfa USB (=It started with the ALFA)

    Access Point:

    "Routerboard" Router
    WEP protection (128)
    Authentication: OPN
    + Mac Filter enabled (5 clients)
    Dhcp disabled

    Ok, there is a grillion of WEP Hacking tutorials out there, so I said, I wanna try this, too. Let's get the ALFA started. For everyone's concern, this is my network at home! As a starting point, I reconfigured the network, enabling the WEP encryption with 128 key length instead of the WPA. First: DHCP ON! I removed my laptop's MAC from the whitelist. I successfully spoofed the address with macchanger:

    macchanger --mac 00:156:02:84:62 wlan0

    That's how I could associate with my AP, using aireplay without any "permission problems". After some time, using the well-known tools, such as airmon-ng, airodump-ng, aircrack-ng, I figured that my ALFA does its job and I could crack my key in less than 2 hrs, with around 1,5 million ivs. Then I used the following command to connect to the internet:

    wlan0 ==> "mode managed" and "up"

    iwconfig wlan0 essid okcom.it
    iwconfig wlan0 key 27:4B:7B:6B:71:41:52:2A:75:54:6D:5E:XX
    iwconfig wlan0 ap 00:0C:42:XX:XX:XX
    ifconfig wlan0 up
    rm /etc/dhcpc/*
    dhcpcd -nd wlan0

    Fine this one worked!

    Just for fun, I tried the same with the broadcom chipset bcm43xxx. Ok, injection worked, but differently: I could inject 10 pps without crashing using the standard -3 method in aireplay. Note here, that I had to use the -p 0841 method with my ALFA! The broadcom card somehow recognized different packets sent, thus making it possible to use the easy -3 method:

    aireplay-ng -3 -b [MAC AP] -h [my spoofed MAC] wlan0

    This may be interesting for future purposes. Anyway, it took me about 1,5 days to succeed. The "key" in aircrack was the -K option (Capital K).

    aircrack-ng -K -z -x2 -f10 -b [MAC AP] output.cap

    Took less than 30 sec to get the correct key!


    Ok, now my idea: As already stated in some posts, let's try to make your WEP more secure and disable DHCP. Done. Set everything in the router so that the internet works with a static IP, went to my laptop again. This is exactly where all the tutorials stop and hell no, I couldn't figure out a nice solution.

    Let's go mac resolving I thought:

    Configured kismet.conf, set the wep key: ==> It won't resolve the IP range, thus making it hard to guess any broadcasts or default gateways.
    Never mind, checked out some posts, read that wireshark is the answer: I configured wireshark so that I can do live-decryption as well as monitor the traffic. Believe it or not, after letting it run for over 2hrs, there was not a single ARP request visible. What's going on here?! WEP safe?! I kept on chatting with the 1st computer while wireshark was running, downloading some windows updates on the 2nd computer. For sure there was some traffic (there should be some ARP requests at some point, no?!).
    I can monitor all the outgoing traffic, destinations and sources "outside" the network. But no way anyone could decrypt my ssl connections with ettercap unless he's IN the net. Apparently it's not so easy, or all the forums end with: "use this, use that", 2 lines that shall help to resolve this problem, or the thread is closed because it's so obvious that someone is hacking his neighbours' WLAN. This is not what this thread is about.

    I also tried some things with TCPDUMP, without success. Long story short:

    How to determine the default gw, the ip-range and the netmask if DHCP is disabled?! Is there a tool, a way, why won't my AP send any ARPs?

    Thanks for your help!
    If you guys need any further details please write.
    I hope I made myself clear so that the first answer won't be "why do you wanna do this" or "use the search option". I'm serious here because relating to this topic I could not find anything on the web, so I consider WEP encryption not the best solution possible but with DHCP disabled worthwhile to have!

    PS I heard something about the chopchop method and waiting until I would log on with one of the other, "valid" computers, but I couldn't work myself through it. Let me know. Another tutorial tries its best with tcpdump and the following command

    tcpdump -v -i wlan0

    then the IP range shows up; well, it didn't do anything in my case.


    Cheers

    Dionysos

  2. #2
    Member Apollopimp
    Join Date
    Nov 2007
    Posts
    120


    this is my network at home! As a starting point
    from that i get that after we help you crack your own network you will most likely be cracking networks that aren't yours..

    also you said you're new, if so then put your copy of backtrack in the trash and try your hand at Slax or Ubuntu.. these are more noobish friendly..

    i hardly come here anymore because of all the "i need help cracking networks", it gets old.. we all know the truth so don't lie to us, we are not stupid..

  3. #3
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Apollopimp
    from that i get that after we help you crack your own network you will most likely be cracking networks that aren't yours..

    also you said you're new, if so then put your copy of backtrack in the trash and try your hand at Slax or Ubuntu.. these are more noobish friendly..

    i hardly come here anymore because of all the "i need help cracking networks", it gets old.. we all know the truth so don't lie to us, we are not stupid..
    To quote Happy Harry Hardon "I can smell a lie like a fat in a car".
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #4
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    5

    Nope, that's not it

    Geez,

    This is exactly why I was doubting so much whether it's worth the effort putting this post online. From my point of view, I described my matter as objectively as I could. But apparently there seems to be still no-one out there who can give an adequate answer to a proper question!
    With your guys' postings this thread isn't gonna be anything besides "I said that" but "I don't believe you..."

    Look, I'm trying to understand what's been written in so many forums and I never wanted this to be an ethical posting but:

    MAC-Spoofing + DHCP disabled doesn't enhance the security of WLAN. ==> Why?!?

    All I read, and now get, with myself asking someone, is lousy answers with no matter of respect: "Dump your Backtrack in the trash"
    I checked your posts "Apollop", dude, the value you added to this forum with your last postings is: "Use the search button". Are you somewhat angry? There's always gonna be people with less experience who will ask other, more experienced guys for advice. So I asked! I can see where you are coming from, but this is simply not it.

    I used Backtrack for a year already, improving my Linux knowledge and finally understanding why so many computer scientists complain about the security issues of Windows. Have you guys read my whole post/thread?

    I will rephrase my question: Why is WEP considered so unsafe if the IP-Range, Default Gateway and Subnet are not known!
    All I can get from the forums and reports is the same:

    Ask someone else! It's unsafe but I don't know why! There are possibilities but I'm not gonna say or I don't know.

    If you don't want this question answered in this forum, that's no problem, say it out loud; from my point of view I would appreciate an answer. Look, I don't need any command lines if that's what you are complaining about, in my opinion - let me put it that way - a scientific answer is fine.

    I hope I made myself clear

    disappointed...

  5. #5
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Dionysos

    I will rephrase my question: Why is WEP considered so unsafe if the IP-Range, Default Gateway and Subnet are not known!
    Because it can be cracked within 3 minutes without needing to know the IP range, Default Gateway or the Subnet.

    MAC filtering is easily bypassed by MAC spoofing an active client on the network. Getting the rest of the information is just a matter of listening to the traffic.

  6. #6
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    5


    Ciao Streaker,

    Thank you for taking this seriously.
    Your answer refers to what I was writing, so please correct me if I'm wrong here.

    In order to find the WEP key, one simply doesn't need the IP range, the Default GW or the Subnet, I agree.

    So you state, that after finding the key, all one needs to do is monitor the traffic to find out about the Default GW, etc.
    Even after monitoring the decrypted traffic for hours with my other computers connected to the internet, there was nothing like an ARP protocol or something that seemed useful. For sure I could set some filters properly to get detailed info about the data sent and received, but nothing that came close to my internal settings of the network. So, are there routers out there which obviously do something to work against intruding, or am I asking the wrong question?

    Cheers

    Dionysos

  7. #7
    My life is this forum Barry
    Join Date
    Jan 2010
    Posts
    3,817


    What are you using to monitor the traffic?


    Never mind, just reread your op.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  8. #8
    Just burned his ISO
    Join Date
    Jul 2006
    Posts
    2


    1 - You can only intercept wireless traffic
    (except if the lan is using HUBS or you use some kind of arp attacks)

    2 - You don't need arp requests to see the gateway
    (every packet shows you the source and destination of that packet, which will always be the gateway, except if you have a direct line to the net.) [read up on TCP/IP]

    3 - If you don't find any information about the network by using other techniques you can try with a brute force method, by scanning the default ranges first and then the remaining ones with a simple ping method or sending broadcast packets. (simplified)

    I simplified some things, to not confuse the reader.
    I assume you didn't see any traffic because your other machines were connected over the wire.

    *I apologize for my bad spelling, it's in the middle of the night here and my coffee has run out
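Point 2 above, as an added example that is not part of the thread: every decrypted frame carries its own source and destination addresses, so with DHCP off a passive listener still learns the local hosts, the MAC that forwards for everyone (the gateway) and a lower bound on the subnet, which is why hiding the addressing plan adds no security over fixing the encryption itself. The frames are constructed Ethernet-style headers standing in for the decrypted 802.11 data Wireshark shows, and every MAC and address in them is made up.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed Ethernet II + IPv4 header, standing in for one decrypted data frame."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_hdr

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip), or None if the frame is not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(frame[6:12]), fmt(frame[0:6]), IPv4Address(frame[26:30]), IPv4Address(frame[30:34])

def common_subnet(ips):
    """Smallest prefix covering all given addresses: a lower bound on the real netmask."""
    ints = [int(ip) for ip in ips]
    if not ints:
        return None
    prefix = 32
    while prefix > 0 and len({i >> (32 - prefix) for i in ints}) > 1:
        prefix -= 1
    return IPv4Network(((ints[0] >> (32 - prefix)) << (32 - prefix), prefix))

def infer_topology(frames):
    """A MAC seen with many distinct IPs forwards for them (the gateway); a MAC paired with one IP is a local host."""
    ips_of = defaultdict(set)
    for src_mac, dst_mac, src_ip, dst_ip in filter(None, map(parse_frame, frames)):
        ips_of[src_mac].add(src_ip)
        ips_of[dst_mac].add(dst_ip)
    gateway = max(ips_of, key=lambda m: len(ips_of[m]), default=None)
    if gateway is not None and len(ips_of[gateway]) < 2:
        gateway = None  # no forwarded traffic seen yet; keep listening
    hosts = {m: next(iter(s)) for m, s in ips_of.items() if len(s) == 1}
    return gateway, hosts, common_subnet(hosts.values())

# Constructed sample traffic: two wireless clients and the router. Not a real capture.
GW, C1, C2 = "02:00:00:00:00:fe", "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    build_frame(C1, GW, "192.168.88.10", "93.184.216.34"),  # client 1 to the internet
    build_frame(GW, C1, "93.184.216.34", "192.168.88.10"),  # reply, relayed by the router
    build_frame(C2, GW, "192.168.88.20", "1.1.1.1"),        # client 2 to the internet
    build_frame(C1, C2, "192.168.88.10", "192.168.88.20"),  # client to client, no gateway
]

if __name__ == "__main__":
    print(infer_topology(SAMPLE))
```

The gateway's own IP only appears once the router itself talks (for example as a DNS responder), so a longer capture fills that in; the subnet estimate widens as more local hosts show up.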

  9. #9
    My life is this forum Barry
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by hallamasch
    1 - You can only intercept wireless traffic
    (except if the lan is using HUBS or you use some kind of arp attacks)

    2 - You don't need arp requests to see the gateway
    (every packet shows you the source and destination of that packet, which will always be the gateway, except if you have a direct line to the net.) [read up on TCP/IP]

    3 - If you don't find any information about the network by using other techniques you can try with a brute force method, by scanning the default ranges first and then the remaining ones with a simple ping method or sending broadcast packets. (simplified)

    I simplified some things, to not confuse the reader.
    I assume you didn't see any traffic because your other machines were connected over the wire.

    *I apologize for my bad spelling, it's in the middle of the night here and my coffee has run out
    Coffee should never run out....

  10. #10
    Just burned his ISO
    Join Date
    Jul 2006
    Posts
    2


    You are right, but i am innocent. It's my girlfriend's fault; she probably wanted me to get in bed early tonight, instead of spending another regular night in front of the screen.

    i guess what i wrote is going to be hard to decrypt, but the information in there should be helpful =)
