Posts Tagged Wireless Security
Wardriving These Days (Part 2)
Posted by Mourad Ben Lakhoua in Pentesting, Tools on August 20, 2010
The tool list from the first part would not be complete without SpoonWEP/SpoonWPA, first introduced in BackTrack 3. They are graphical front ends to aircrack-ng that let a pentester lock onto the channel of the target access point and attempt to recover its WEP or WPA-PSK key.
Another very interesting tool is Karmetasploit, which lets you set up a fake access point, capture passwords, harvest data and conduct browser attacks against the clients that connect to it.
Wireless penetration testing is not limited to software such as BackTrack: there are also ready-made hardware solutions such as the WiFi Pineapple. The trick is that nobody at home, in the office, in a coffee shop or at an airport would suspect that the Pineapple is a rogue access point performing a man-in-the-middle attack and collecting every user's credentials. The WiFi Pineapple costs $119.
When people turn on their laptops, the wireless software automatically tries to reconnect to the networks it remembers by sending out probe requests that ask, in effect, "Is such-and-such wireless network around?" (access points send beacons; it is the clients that send probe requests). The Pineapple answers every probe request with "Sure, I'm such-and-such wireless access point, let's get you online!", so the client associates to the attacker. Note that this relies on clients probing for remembered networks by name; later operating systems became much quieter about this, so the trick works less reliably against up-to-date clients than it did against the Windows XP laptops of 2010.
The WiFi Pineapple is a battery-powered wireless attack device based on the Fon 2100 access point.
make sure you subscribe to my RSS feed!
Wardriving These Days (part 1)
Posted by Mourad Ben Lakhoua in Pentesting, Tools on August 1, 2010
In the past, cracking a wireless network was hard work: you had to search for the right software for your Linux distribution, check that your driver supported packet injection, and only then could you get into the Wi-Fi network. The question is whether we still face the same difficulties today.
To answer it we will look at some online resources for preparing the right distribution and getting the required tools ready in a few steps, so that you can evaluate any wireless network.
Today we find two types of wireless network. The first are unencrypted networks, where all you need to connect is a wireless adapter. The second use encryption, in one of three forms: WEP, which is no longer secure at all since it can be cracked in a few minutes with practically 100% success but which is now rarely seen, and WPA or WPA2, which most networks use today.
First get a copy of BackTrack; with UNetbootin you can put it on a USB stick so that you have it with you everywhere. Even if you forget your laptop, you can pull out the USB stick, boot from it and have all the tools you need.
Next, check that your wireless adapter supports monitor mode and packet injection; the compatibility list on the Aircrack-ng site tells you which chipsets do.
After that you are ready to use the latest wardriving tools. The first is Automatic WPA Handshake Capture, a Python script that captures WPA handshakes. You give it the WLAN interface and the MAC addresses of the AP and of a connected client, and it returns a capture file containing the four-way handshake.
Gerix Wifi Cracker is a graphical front end that can be used as an add-on to Aircrack-ng. In the configuration tab you select the interface, then press Start Sniffing and Logging and Perform a test of injection AP. Gerix can also create a fake AP on the channel of your choice (it uses airbase-ng underneath), so that your PC answers every probe request with a matching probe response telling the client to authenticate to your BSSID. Be aware that, as with airbase-ng, this also disrupts every other AP on the same channel.
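The probe request / probe response exchange that the WiFi Pineapple (part 2) and the Gerix/airbase-ng fake AP (above) both abuse, modelled in Python as an added example. This is not code from the original posts or from any of those tools: it builds an 802.11 probe request the way a client would, and the `karma_respond` function shows the rogue-AP logic of answering with whatever SSID the client asked for. The frame layout follows the 802.11 management header (frame control, duration, three addresses, sequence number, then fixed fields and tagged information elements); the client MAC, rogue BSSID and SSID are constructed for the demo.

```python
import struct

# Added example (not part of the original posts): a minimal model of the
# probe request / probe response exchange that a WiFi Pineapple or
# airbase-ng in "respond to all probes" mode abuses. Frames are built
# inline so the script runs without a wireless card.

MGMT = 0                       # 802.11 frame type: management
PROBE_REQ, PROBE_RESP = 4, 5   # management subtypes
BROADCAST = b"\xff" * 6
IE_SSID, IE_RATES = 0, 1
DEFAULT_RATES = bytes([0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbit/s, marked basic


def mgmt_header(subtype, dst, src, bssid):
    """24-byte 802.11 management header: frame control, duration, 3 addresses, seq."""
    fc = (MGMT << 2) | (subtype << 4)          # protocol version 0, no flags
    return struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, 0)


def parse_mgmt(frame):
    """Return (type, subtype, dst, src, bssid, body) or None if the frame is too short."""
    if len(frame) < 24:
        return None
    fc, _, dst, src, bssid, _ = struct.unpack_from("<HH6s6s6sH", frame, 0)
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, dst, src, bssid, frame[24:]


def parse_ies(body):
    """Parse tag/length/value information elements; stop at a truncated one."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies[tag] = value
        i += 2 + length
    return ies


def build_probe_request(client_mac, ssid):
    """What a client sends when it looks for a remembered network (empty ssid = wildcard)."""
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_RATES, len(DEFAULT_RATES)]) + DEFAULT_RATES
    return mgmt_header(PROBE_REQ, BROADCAST, client_mac, BROADCAST) + ies


def karma_respond(frame, rogue_bssid):
    """Rogue AP logic: answer a directed probe request with a probe response that
    claims to be exactly the SSID the client asked for. Returns None for anything
    else, including wildcard (empty-SSID) probes, which name no network to fake."""
    parsed = parse_mgmt(frame)
    if parsed is None:
        return None
    ftype, subtype, _, client, _, body = parsed
    if ftype != MGMT or subtype != PROBE_REQ:
        return None
    ssid = parse_ies(body).get(IE_SSID, b"")
    if not ssid:
        return None
    # Fixed fields: timestamp (8), beacon interval of 100 TU (2), capability (2).
    # Capability 0x0001 = ESS with the privacy bit clear, i.e. an open network,
    # so the client will join without needing any key.
    fixed = struct.pack("<QHH", 0, 100, 0x0001)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_RATES, len(DEFAULT_RATES)]) + DEFAULT_RATES
    return mgmt_header(PROBE_RESP, client, rogue_bssid, rogue_bssid) + fixed + ies


def probe_response_ssid(frame):
    """SSID that a probe response advertises (skips the 12 fixed bytes), or None."""
    parsed = parse_mgmt(frame)
    if parsed is None or parsed[1] != PROBE_RESP:
        return None
    return parse_ies(parsed[5][12:]).get(IE_SSID)


if __name__ == "__main__":
    client = bytes.fromhex("001122334455")   # constructed client MAC
    rogue = bytes.fromhex("0013370000aa")    # constructed rogue BSSID
    req = build_probe_request(client, b"CoffeeShop-Guest")
    resp = karma_respond(req, rogue)
    print("client asked for:", parse_ies(parse_mgmt(req)[5])[IE_SSID])
    print("rogue AP answered as:", probe_response_ssid(resp))
    print("wildcard probe answered:", karma_respond(build_probe_request(client, b""), rogue) is not None)
```

The interesting decision is the early return on an empty SSID: a wildcard probe does not name a network, so a rogue AP has nothing to impersonate and answering it with a made-up name would only give a wireless IDS an easy signature. On the defensive side, the same parser run over a monitor-mode capture lets you spot a single BSSID answering probe responses for many different SSIDs, which is exactly what a Pineapple looks like on the air.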
These tools are an update to all the wireless penetration testing tools covered previously on SecTechno, and there are more to come.
To be continued…
WPA2 Might Be Spoofed!
Posted by Mourad Ben Lakhoua in News, Privacy & data protection, Vulnerabilities, Vulnerabilities & attacks on July 26, 2010
WPA2 (Wi-Fi Protected Access version 2) is the second version of the set of algorithms and protocols that protect data on wireless networks. As expected, WPA2 was meant to improve the security of Wi-Fi networks significantly compared with earlier technologies: the standard mandates the stronger AES encryption algorithm (through CCMP) and, in enterprise deployments, 802.1X authentication.
A team of researchers reported finding a vulnerability in this protocol, even though it is widely used as the secure standard for wireless networks. AirTight Networks said the vulnerability affects networks that follow the IEEE 802.11 standard. The first demonstration was scheduled for DEF CON 18 in Las Vegas that week.
The vulnerability is called Hole 196, after the page of the IEEE 802.11-2007 standard on which the relevant wording appears. It is a man-in-the-middle attack by an insider: a user who is already authorized on the Wi-Fi network can intercept and decrypt the data sent and received by the other users of the same network. The exploit code was expected to be released publicly so that anyone could test and use it, while vendors and the standards bodies worked on adjustments to WPA2.
Md Sohail Ahmad, who was to demonstrate the attack at DEF CON, said that about ten lines of code added to the open-source MadWiFi driver and an off-the-shelf client card were enough to spoof the MAC address of the AP and pose as the gateway. The weakness he exploits is that all clients of an AP share the same group temporal key (GTK) for broadcast and multicast traffic, and the standard has no way of stopping a client from transmitting with that key. A forged broadcast frame (an ARP reply, for instance) encrypted with the GTK looks as though it came from the AP, so the other clients accept it, take the insider's address for the gateway, and start sending their traffic to him. That traffic reaches him through the AP, which decrypts it with each victim's pairwise key and re-encrypts it with his own, so he reads it in the clear. (Contrary to the wording of the first reports, the victims' pairwise transient keys (PTKs) are not exposed; it is the shared group key that is abused.)
We will follow this research closely, since practically every access point uses this protocol and an update would be needed before the demo. Keep in mind, though, what Hole 196 does not do: it does not break AES, recover the passphrase or let an outsider join the network. The attacker must already be an authenticated user, so the practical defenses are client isolation and a wireless IDS that flags frames carrying the AP's address that the AP did not transmit.
Security Acts Magazine No.3
Posted by Mourad Ben Lakhoua in Security Magazine on June 21, 2010
The third issue of Security Acts Magazine is out. It includes a short and hopefully interesting article I submitted on wireless penetration testing (wardriving).
Happy reading!
http://www.securityacts.com/securityacts03.pdf
60 seconds to Crack Wi-Fi encryption
Posted by Mourad Ben Lakhoua in News, Vulnerabilities on August 30, 2009
Researchers at Hiroshima University in Japan reported that they had developed a new method for attacking wireless access points that use the WPA algorithm. The new method can take as little as 60 seconds to break the Wi-Fi encryption.
Toshihiro Ohigashi and Masakatu Morii planned to present the technical details at a conference on 25 September. A WPA cracking method had already been demonstrated by experts (Martin Beck and Erik Tews) last November, but the Japanese researchers were the first to turn it from theory into a practical threat.
So far only WPA networks using the Temporal Key Integrity Protocol (TKIP) are affected; if the router runs WPA2 with the stronger AES-based encryption, it is still safe from these attacks. Note also that "breaking the encryption" here does not mean recovering the WPA key: the attack recovers the keystream and the MIC key for short packets such as ARP, which is enough to decrypt those packets and inject a few forged frames. That is serious, but it is not the same as joining the network.
Protect your Holiday! (part 3)
Posted by Mourad Ben Lakhoua in Pentesting, Tools on July 13, 2009
Working on a wireless network is always risky unless you have made sure of the WLAN's security. As promised in the last Protect your Holiday post, here are some more tools that can help in pentesting your wireless network.
Unfortunately not everyone is aware of the risk of using such a wireless network. Let's start with Void11. Void11 deauthenticates clients on the WLAN, in other words it kicks a client off the network. This works because 802.11 deauthentication frames are not authenticated, so anyone who can spoof the AP's address can send them. After being disconnected the client will try to rejoin, so you have to kick it again; each time the victim reconnects it goes through authentication again, and on a WPA/WPA2-PSK network that means a fresh four-way handshake you can capture. While the client is off the network, the attacker can also take its place by using its MAC address and so bypass MAC filtering. Unfortunately this tool works only under Linux.
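Because deauthentication frames are unauthenticated, the defensive counterpart to Void11 is to watch for them. The following detector is an added example, not code from the original post or from Void11: it parses raw 802.11 management frames, counts deauthentication and disassociation frames per (BSSID, target) pair inside a sliding time window, and raises one alert when the count passes a threshold. The access point and client MACs, timestamps and reason codes are constructed for the demo; in practice the trace would come from a monitor-mode capture.

```python
import struct
from collections import defaultdict, deque

# Added example (not part of the original post or of void11): detect the
# deauthentication flood that void11 or aireplay-ng produces. The traces
# below are constructed; feed real frames from a monitor-mode capture instead.

MGMT = 0
DEAUTH, DISASSOC, BEACON = 12, 10, 8   # management subtypes
BROADCAST = b"\xff" * 6
AP = bytes.fromhex("00deadbeef01")      # constructed access point MAC
CLIENT = bytes.fromhex("001122334455")  # constructed client MAC


def mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build a management frame: 24-byte header followed by the frame body."""
    fc = (MGMT << 2) | (subtype << 4)   # protocol version 0, no flags
    return struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, 0) + body


def parse_mgmt(frame):
    """Return (type, subtype, dst, src, bssid, body) for a frame of at least 24 bytes."""
    fc, _, dst, src, bssid, _ = struct.unpack_from("<HH6s6s6sH", frame, 0)
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, dst, src, bssid, frame[24:]


def detect_deauth_flood(trace, window=1.0, threshold=5):
    """trace: iterable of (timestamp_seconds, raw 802.11 frame).
    Emits one alert per (bssid, target) once `threshold` deauth/disassoc frames
    have been seen within `window` seconds. Returns the list of alerts."""
    recent = defaultdict(deque)          # (bssid, target) -> timestamps in window
    alerts, alerted = [], set()
    for ts, frame in sorted(trace, key=lambda t: t[0]):
        if len(frame) < 24:
            continue
        ftype, subtype, dst, src, bssid, body = parse_mgmt(frame)
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            continue
        reason = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else None
        key = (bssid, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": bssid.hex(":"), "target": dst.hex(":"),
                "claimed_src": src.hex(":"), "reason": reason,
                "count": len(q), "first_seen": q[0],
                "broadcast": dst == BROADCAST,   # every client kicked at once
            })
    return alerts


def sample_benign():
    """Normal air: beacons every 100 ms and one client leaving (reason 3)."""
    trace = [(t / 10, mgmt_frame(BEACON, BROADCAST, AP, AP)) for t in range(20)]
    trace.append((1.5, mgmt_frame(DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))))
    return trace


def sample_flood():
    """Same air plus an attacker spoofing the AP and flooding broadcast deauths
    with reason 7 (class 3 frame received from a nonassociated station)."""
    trace = sample_benign()
    trace += [(3.0 + i * 0.02, mgmt_frame(DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7)))
              for i in range(20)]
    return trace


if __name__ == "__main__":
    print("benign:", detect_deauth_flood(sample_benign()))
    for alert in detect_deauth_flood(sample_flood()):
        print("ALERT:", alert)
```

The threshold and window are deliberately generous; a single client leaving produces one frame, while Void11 or `aireplay-ng -0` sends bursts of dozens per second, so false positives are rare even on a busy network. The real fix is 802.11w management frame protection, which authenticates deauthentication frames so a third party cannot forge them, but it was not deployed on consumer equipment when this post was written.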
The next tool in this post is WifiZoo, which shows how easy it is to collect all sorts of information on open Wi-Fi networks. Its aim is to gather information from the whole network passively: besides SSIDs it records client information such as IP addresses, passwords from some cleartext protocols (POP3, FTP, Telnet), mail traffic and HTTP traffic, and it has a nice interface. In effect you listen to all the traffic on the wireless interface. Its drawback is that it does no channel hopping of its own, but you can configure Kismet to hop channels for it.
The last tool in this series is WirelessKeyView. Sometimes we forget the key to our own AP, and this tool is the perfect fit: it recovers the WEP/WPA keys that Windows has stored, that is, the keys saved by Wireless Zero Configuration on Windows XP and by WLAN AutoConfig on Vista. Note that it only recovers keys already stored on the machine it runs on; it does not attack the AP.
So think about securing your wireless network, try these tools to check its security level, and, as always, monitor your event logs.
Protect your Holiday! (part 2)
Posted by Mourad Ben Lakhoua in Pentesting, Tools on July 12, 2009
In this post we go deeper into WLAN pentesting: not testing the performance of the access points, but checking which type of encryption a wireless network uses and how strong it is.
I picked Kismet as the fourth tool on the list. Kismet not only searches for wireless networks but also works as an intrusion detection system and sniffer. Its interesting feature, which Netstumbler and similar tools lack, is that it collects packets passively, so the operation is undetectable. This also reveals information about the clients and even detects hidden networks.
Kismet can automatically identify clients' IP addresses by capturing TCP, UDP, ARP and DHCP packets, dump captures in a format Wireshark and tcpdump can read, and even identify the default gateway (it also supports GPS).
Aircrack-ng is a complete suite for cracking 802.11 WEP (Wired Equivalent Privacy) keys and WPA/WPA2-PSK keys on Wi-Fi networks.
The suite includes several tools: airodump-ng (an 802.11 packet sniffer), aircrack-ng (WEP cracking and WPA-PSK brute force) and airdecap-ng (decrypts WEP/WPA capture files). Cracking WEP generally requires capturing enough packets; once you have enough frames with distinct IVs, aircrack-ng runs a statistical attack on the WEP key. Currently aircrack-ng offers three ways of recovering keys:
• The PTW attack. Its main advantage is that it needs far fewer packets to crack a WEP key, but it works only with ARP packets, which is its weak point (ARP frames are used because they have a fixed length and their first bytes, the LLC/SNAP header, are known plaintext). A future version might extend aircrack-ptw to other packet types.
• The FMS/KoreK attack, which needs a large number of packets (many distinct IVs) and combines the statistical FMS and KoreK attacks with brute force.
• A dictionary attack using a wordlist.
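Why the PTW attack wants ARP frames, shown as an added example in Python (not code from the original post or from aircrack-ng). The block implements RC4 and WEP's per-frame encryption (IV || key as the RC4 key, CRC-32 ICV appended before encryption), recognizes ARP frames by their fixed length the way aircrack-ng's filters do, and then recovers the first bytes of the RC4 keystream for an IV by XORing the ciphertext with the LLC/SNAP header every ARP frame starts with. The key, IVs and frames are all constructed for the demo.

```python
import struct
import zlib

# Added example (not part of the original post or of aircrack-ng): a toy WEP
# encryptor plus the known-plaintext trick that makes ARP frames so valuable to
# the PTW attack. All keys, IVs and frames below are constructed for the demo.

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")   # LLC/SNAP header, EtherType ARP
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")    # same header for IPv4 payloads
ARP_WEP_BODY_LENGTHS = (44, 62)   # 4 (IV+idx) + 8 LLC + 28 or 46 (padded) ARP + 4 ICV


def rc4(key, length):
    """Plain RC4 keystream generator (KSA then PRGA), exactly as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP data body: IV (3) | key index (1) | RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(plaintext + icv, keystream))


def looks_like_arp(wep_body):
    """aircrack-ng style heuristic: encrypted ARP frames come in two fixed sizes."""
    return len(wep_body) in ARP_WEP_BODY_LENGTHS


def recover_keystream(wep_body, known_prefix=LLC_SNAP_ARP):
    """Known plaintext: ciphertext XOR the known first bytes = RC4 keystream for this IV."""
    iv, ciphertext = wep_body[:3], wep_body[4:]
    return iv, bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def decrypt_prefix(wep_body, keystream):
    """Apply a recovered keystream to another frame that reused the same IV."""
    return bytes(c ^ k for c, k in zip(wep_body[4:], keystream))


def build_arp_request(sender_mac, sender_ip, target_ip):
    """LLC/SNAP header plus a 28-byte ARP request (constructed sample plaintext)."""
    return LLC_SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                                      sender_mac, sender_ip, b"\x00" * 6, target_ip)


def demo():
    key = bytes.fromhex("0123456789")   # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")        # constructed IV; 24 bits, so reuse is inevitable
    arp = build_arp_request(bytes.fromhex("001122334455"),
                            bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    arp_body = wep_encrypt(key, iv, arp)
    # A second frame under the same IV whose content the attacker does not know.
    other_body = wep_encrypt(key, iv, LLC_SNAP_IP + b"some IP payload")
    _, keystream = recover_keystream(arp_body)   # attacker never learns `key`
    return {
        "is_arp": looks_like_arp(arp_body),
        "keystream_ok": keystream == rc4(iv + key, 8),
        "other_prefix": decrypt_prefix(other_body, keystream),
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow from the demo. First, every captured ARP frame hands the attacker eight keystream bytes for its IV without any key knowledge, and that (IV, keystream) relation is the raw material the PTW statistics work on, which is why aireplay-ng replays ARP requests to generate thousands of them quickly. Second, the 24-bit IV guarantees reuse on a busy network, and a keystream learned from one frame decrypts the same prefix of any other frame under that IV, as `other_prefix` shows.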
The full version of Aircrack-ng runs only under Linux; you will also find it on the BackTrack live CD. There is a Windows version on the official website, but the site warns that you need to obtain or build your own DLLs to link aircrack-ng to your wireless card.
The final tool for this post is Technitium (Technitium MAC Address Changer), which lets users change the MAC address of their machine. Network administrators apply MAC restrictions on the AP as a security measure to keep outsiders off the network: access is granted only to the machines on the administrator's list.
With airodump-ng you can easily identify the MAC addresses of the clients on the network, but you cannot simply take over the network with one of those addresses while the legitimate client is still connected.
In the next Protect your Holiday post we will see how to kick a user off a wireless network and take their place on the WLAN.
To be continued…
(Picture from Scott Ableman)
Protect your Holiday!
Posted by Mourad Ben Lakhoua in Pentesting, Tools on July 11, 2009
Nowadays we find wireless networks everywhere: in airports, hotels, coffee shops and at the neighbours'.
But if we look at these networks we rarely find secure ones that take care of security for their users, their staff and home use. In this post I want to share some interesting tools, now that summer, the season of holidays and leisure, is here.
The first is NetStumbler, considered one of the best and most popular wardriving tools. It searches for access points and exports the information to a log file which can then be converted to Google KML format, showing the locations on Google Maps or in Google Earth within seconds if you have it on your PC.
To locate active access points NetStumbler uses active scanning: it does not just listen for signals, but every second it sends a special probe frame (with a distinctive LLC/SNAP payload), which also makes it easy for a wireless IDS to spot.
The downsides are that it runs only under Windows XP, that an active scanner cannot detect hidden access points, and that the information it provides is limited: for example, it only indicates that a network uses encryption without telling you which type. So it is a tool to start with, to get some graphs and initial information about the networks around you.
The second tool I have chosen is Vistumbler, which supports Windows Vista and Windows 7 and has GPS support; the funny thing about it is that it is written in the AutoIt scripting language.
Another utility for pentesting wireless networks is inSSIDer. Since NetStumbler does not support Windows Vista or even 64-bit XP, Charles Putney decided to write his own wireless scanner, which he published on The Code Project. It has a nice interface built on the Native Wifi API and, like NetStumbler, uses active scanning.
These tools help in testing the performance of your WLAN, but there are more to come.
To be continued…