Thread: Network with MAC filtering, WPA-PSK, and AD...

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    10

    Network with MAC filtering, WPA-PSK, and AD...

    Ok, so my friend and I managed to lock down the network pretty well with hopes of a more difficult challenge (having succeeded multiple times with WEP and WPA-PSK cracking).
    I set up a server (running Server 03) with AD enabled for my machines. I turned on MAC address filtering on my crappy Linksys router, with WPA-PSK encryption. However, I had my friend enter the password. I know the password is horribly complex (as the fellow is my IT partner), so a dictionary attack is out of the question. MAC address filtering is easy to get by. I had him also change the login and pass to the router.
    Are my only options telnet under an anonymous account?
    Or, for the windows side of things, is the saved WPA password associated with the AP in some sort of file that can be A: analyzed or B: decrypted (if encrypted)?
    Any suggestions, or leads on a path to search down?

  2. #2
    Senior Member PrairieFire
    Join Date
    Apr 2007
    Posts
    705


    Quote Originally Posted by m3thical View Post
    Ok, so my friend and I managed to lock down the network pretty well with hopes of a more difficult challenge (having succeeded multiple times with WEP and WPA-PSK cracking).
    I set up a server (running Server 03) with AD enabled for my machines. I turned on MAC address filtering on my crappy Linksys router, with WPA-PSK encryption. However, I had my friend enter the password. I know the password is horribly complex (as the fellow is my IT partner), so a dictionary attack is out of the question. MAC address filtering is easy to get by. I had him also change the login and pass to the router.
    Are my only options telnet under an anonymous account?
    Or, for the windows side of things, is the saved WPA password associated with the AP in some sort of file that can be A: analyzed or B: decrypted (if encrypted)?
    Any suggestions, or leads on a path to search down?
    Code:
    #Telnet
    mtd-erase -d nvram
    Use at your own risk.

    or

    Code:
    #Telnet
    cd /tmp/
    #Look for .conf file
    cat ath0_hostap.conf
    Μολὼν λαβέ - Great spirits encounter heavy opposition from mediocre minds.

  3. #3
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    10


    Quote Originally Posted by PrairieFire View Post
    #Telnet
    mtd-erase -d nvram

    Use at your own risk.
    Blatant and noisy, but I suppose it will work...

    I'll try the latter first. I want to be as quiet as possible, not that it really matters. Hell I could reset the router manually, but I want to learn about security, not just execute code.

    Thanks for the reply though!

  4. #4
    Junior Member default
    Join Date
    Nov 2007
    Posts
    87


    Quote Originally Posted by m3thical View Post
    Or, for the windows side of things, is the saved WPA password associated with the AP in some sort of file that can be A: analyzed or B: decrypted (if encrypted)?
    Any suggestions, or leads on a path to search down?

    I wonder if WZCook would work?

    http://www.freewarereview.info/2007-..._wpa_psks.html

  5. #5
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    10


    Wow, that looks exactly like what I was thinking of. I will try that out, thanks!
    My current struggle is finding the external IP for the router without being associated with it. Capturing data promiscuously does not give me much, even when I generate traffic with the laptop I am on now. (I could use this laptop to get it, as I am associated with the AP I am trying to crack, but that's no fun, is it?) Again, if anyone has any ideas, or if someone can point me in the direction of some information, that would be spectacular.

  6. #6
    Senior Member shamanvirtuel
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988


    Well, you will be able to get the IP wirelessly,

    like this:

    You need to chopchop a wireless ARP packet. The chopchop process will decrypt the IPs, so you just have to open the decrypted packet in Wireshark or simply in tcpdump to get the IPs in human-readable format.

    To limit your capture to wireless ARPs, use these switches:

    aireplay-ng -F --chopchop -m 68 -n 68 -b APMAC -h CLIENTMAC CARD

    It will save 2 packets: a replay_srcxxxx.cap & a replay_decyyyy.cap.

    Open the replay_dec one.

    That's the way we get IPs for setting up an ARP amplification attack, where we need both IPs, the AP one & the client one.

    Hope it helps.
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006
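The post above says to open the decrypted ARP capture in Wireshark or tcpdump to read the IPs. The following is an added example, not code from this thread or from the aircrack-ng project, showing what those tools are actually reading: the sender and target IPs are plain fields in the ARP header, so a few dozen lines of Python can pull them out of a legacy pcap file. It handles ARP carried either in an Ethernet II frame or behind an LLC/SNAP header (what is left of a decrypted 802.11 data frame). The pcap and the MAC/IP values in it are constructed in memory for the demonstration; no capture file or real network is used.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # legacy pcap magic, read in the writer's byte order
ETHERTYPE_ARP = 0x0806
# LLC/SNAP header that precedes ARP inside an 802.11 data frame
SNAP_ARP = bytes.fromhex("aaaa030000000806")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def locate_arp(frame):
    """Return the offset of the ARP header inside a frame, or None.

    Checks for Ethernet II (EtherType 0x0806 at bytes 12-13) first, then
    for an LLC/SNAP header anywhere in the frame (the 802.11 header in front
    of it has a variable length, so search rather than assume an offset)."""
    if len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_ARP:
        return 14
    idx = frame.find(SNAP_ARP)
    return idx + len(SNAP_ARP) if idx != -1 else None


def parse_arp(frame):
    """Parse an Ethernet/IPv4 ARP packet; returns a dict or None if absent."""
    off = locate_arp(frame)
    if off is None or len(frame) < off + 8:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[off:off + 8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                       # only Ethernet/IPv4 ARP is handled
    body = frame[off + 8:off + 8 + 2 * (hlen + plen)]
    if len(body) < 2 * (hlen + plen):
        return None                       # truncated packet
    return {
        "opcode": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def pcap_records(data):
    """Yield each packet's bytes from an in-memory legacy pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a legacy pcap file")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def arp_hosts_in_pcap(data):
    """Collect the ARP packets from a pcap, skipping everything else."""
    return [arp for arp in (parse_arp(p) for p in pcap_records(data)) if arp]


def build_sample_pcap():
    """Constructed sample capture: one IPv4 frame, one ARP request over
    Ethernet II, one ARP reply behind a 24-byte 802.11 header plus SNAP.
    All addresses are made up for the example."""
    client_mac, client_ip = bytes.fromhex("001122334455"), bytes([192, 168, 1, 100])
    router_mac, router_ip = bytes.fromhex("aabbccddeeff"), bytes([192, 168, 1, 1])
    request = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + client_mac + client_ip + b"\x00" * 6 + router_ip
    reply = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + router_mac + router_ip + client_mac + client_ip
    eth_request = b"\xff" * 6 + client_mac + struct.pack("!H", ETHERTYPE_ARP) + request
    dot11_reply = b"\x00" * 24 + SNAP_ARP + reply
    ipv4_frame = b"\xff" * 6 + client_mac + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet

    def record(pkt):
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

    return header + record(ipv4_frame) + record(eth_request) + record(dot11_reply)


if __name__ == "__main__":
    for arp in arp_hosts_in_pcap(build_sample_pcap()):
        print(f"ARP {arp['opcode']}: {arp['sender_ip']} ({arp['sender_mac']}) -> "
              f"{arp['target_ip']} ({arp['target_mac']})")
```

To use it on a real file, replace `build_sample_pcap()` with `open("replay_dec.cap", "rb").read()`; the reader stops at the legacy pcap format, so a pcapng file from newer tools will be rejected with the `ValueError`.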

  7. #7
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    10


    Quote Originally Posted by shamanvirtuel View Post
    aireplay-ng -F --chopchop -m 68 -n 68 -b APMAC -h CLIENTMAC CARD

    will save 2 packet a replay_srcxxxx.cap & replay_decyyyy.cap
    Thanks for the reply. I tried the chopchop attack but just get stuck with my card reading packets, so I tried a few different variations, but I am still only able to read the packets, and those 2 files are not being written. I let the packet count reach 160,000 and still nothing. Tried deauthing the clients, fake-authenticated, and still no files are being written to my root directory.
