Simple How-To on Wireless and Windows Cracking - Part 2

by KES

Your Statement About Monitor Mode was Vague/Wrong

In retrospect, the description of Monitor Mode was incomplete.

Certain drivers inherently place the NIC in this mode, and that was the process I was outlining.  However, with many drivers that are injection capable, you may have the proper driver in place and still see the NIC in Managed Mode until airmon-ng start changes the mode.  You can manually change the mode with iwconfig as well.

BackTrack is Different Now / Installation Problems

Since the article was originally written, BackTrack 3 has moved through BackTrack 4-beta to BackTrack 4 Final, which was released in mid-January (now found at www.backtrack-linux.org).  Some of the changes implemented impact how to install (for instance bootinst.bat is gone, and is now a much more straightforward process).

I strongly recommend browsing the BackTrack forums (at both remote-exploit.org and backtrack-linux.org) and doing heavy searching of the forums and Google before posting questions there that have likely been asked before.  The user base there is immense, and if you have a problem or question, it's very likely someone else does too, and has already posted about it.

This is All Old Information / Everyone Knows that WEP is Weak

Clearly not everyone knows it well enough or it wouldn't still be so prevalent, even in corporate settings, or be the "recommended" setting on certain routers.  The more people that know how to get past it (and demonstrate this to those who make implementation decisions), the faster it will be phased out.

You Told People How to Defeat It, But Didn't Teach Them Why WEP is so Weak

WEP uses the RC4 encryption cipher, which is a stream cipher (encrypting continuously generated data rather than a pre-defined block of data).  The plaintext data is combined with the encryption key data.  While this is conceptually sound, and is a process used effectively in other ciphers, a core limitation is that the encryption portion of the data must not repeat.

The flaw here is that part of each data packet is the Initialization Vector (IV), which prevents duplication in the short term and is a relatively short piece of data.  Therefore, in a large enough data set, IVs will begin to repeat and, with enough repeating data, one can then determine the encryption key and decrypt everything.  This "large enough" is the key to the process outlined in the how-to.  By flooding the network, the dataset grows to a sufficient extent to enable cracking.

One item of note here is that some wireless cards do not support injection (needed for the process of boosting the data flow).  However, given the prominence of online gaming and video (YouTube, Netflix streaming video, etc), even without injection, if a network has a sufficiently active user (or many casually active users) enough data will be generated to allow cracking the key.

There Isn't an Easier Way than this Command Line Approach to aircrack?

I explained how to use Aircrack-ng step-by-step because it more fully illustrates the elements and should help people understand the process in general.  However, there are some products that facilitate the cracking process... look into wesside-ng and Gerix Wi-Fi Cracker (a GUI that implements the various steps).

I'm Trying to Use Some of the Tools You Mentioned to Get a Gmail Password, But it's Not Working

Many sites use SSL and session cookies for authentication purposes.  If this is the case, it can be problematic to get the password, but you can easily capture the cookie or session key after the user authenticates and then make the site believe your browser is the authenticated user, a process referred to as sidejacking, cookie theft, or session hijacking.

In BackTrack 4, there are two tools to make this process easier: Hamster/FERRET (from Errata Security) and WifiZoo.  Both of these sniff packets and, if cookie information is seen, generate a copy of the cookie.  Once you launch a browser with this cookie, you will be taken into the account that generated that cookie.  Also, as an FYI, Hamster/FERRET works in Windows.

1.)  BT -> Radio Network Analysis -> Privilege Escalation -> Hamster

2.)  In Firefox, check your proxy settings to make sure 127.0.0.1:1234 is in place.

3.)  Go to http://hamster

4.)  Choose adapter, submit.

5.)  Wait for appropriate data to be collected.

6.)  GOTO target.

If you are cracking a WEP network to illustrate its weakness (for instance, if you work in IT and are arguing an upgrade) this is a very powerful element to include in the demonstration.  You could also use Wireshark and filter for instant messages.  Both are effective in winning budget dollars

Why Not Just Edit the Boot Order?

My article included interrupting the booting process because I wanted to show as much flexibility as possible.  However, if one plans on frequently using a particular machine with a USB OS, you should adjust the boot order in the BIOS, so that the machine checks for USB drives before the HDD (or better yet, make the machine a dual-boot).

What if I Already Have a Different Linux Distribution?

You can add Aircrack-ng suite and others tools via your distribution's respective package manager.

Anything Else?

In a multi-city study, I have found that approximately 1 out of 3 WEP networks are secured with the phone number of the location.  Since Aircrack-ng can use word lists, the following shell script will generate a word list of all the phone numbers in a given area.

The user just has to populate the first array with area code+exchange(s) in the AA:AE:EE: format (a good source for this data is www.area-codes.com).  The example below is seeded with information for Danbury, Connecticut.  I have also posted this script, as well as a much larger one for New York City (with nearly 2000 area code/exchange combos covering 11 area codes), in the Aircrack-ng forum in the suggestions area.

To use the word list, I'd recommend running:

# airodump-ng -t WEP -w <capture file> <interface>

and then after you have a tiny bit of data (just four IVs), you can run:

$ aircrack-ng -w h:<wordlist> <capture file>

Even for New York City, with twenty million options, that's a mere 0.001% of the potential WEP password set, and if the 30% success rate holds, is a meaningful tool, AND does not require injection.

#!/bin/bash w=("20:32:05:" "20:32:07:" "20:32:40:" "20:32:41:" "20:32:89:" "20:32:97:" "20:33:00:" "20:33:12:" "20:33:13:" "20:33:76:" "20:34:24:" "20:34:48:" "20:34:60:"\ "20:34:82:" "20:35:12:" "20:35:33:" "20:35:46:" "20:36:16:" "20:36:17:" "20:36:48:" "20:37:02:" "20:37:30:" "20:37:31:" "20:37:39:" "20:37:40:" "20:37:43:"\ "20:37:44:" "20:37:46:" "20:37:48:" "20:37:49:" "20:37:70:" "20:37:75:" "20:37:78:" "20:37:88:" "20:37:90:" "20:37:91:" "20:37:92:" "20:37:94:" "20:37:96:"\ "20:37:97:" "20:37:98:" "20:38:25:" "20:38:26:" "20:38:30:" "20:38:37:" "20:38:85:" "20:39:17:" "20:39:35:" "20:39:42:" "20:39:47:" "20:39:94:") p=0 k=0 e=0 y=0 for w in "${w[@]}" do for ((p = 0; p <= 9; p++)) do for ((k = 0; k <= 9; k++)) do for ((e = 0; e <= 9; e++)) do for ((y = 0; y <= 9; y++)) do key="$w$p$k":"$e$y" echo "$key" done done done done done

Code: WEP-phone-number.sh

(Simple How-To on Wireless and Windows Cracking - Part 1)