Monday, December 18, 2017

HOWTO : Wifi Intrusion Detection Without Tears

Wifi everywhere! When you are using wifi, no matter whether it is a public or private hotspot, you are at risk of being attacked.

When an access point and a client communicate, they carry out a four-way handshake in which the encrypted passphrase is also transmitted between them. When an attacker captures the four-way handshake, the encrypted passphrase is captured too, and the attacker can recover the passphrase by brute forcing it against wordlists.

However, we do not know whether the person in the building or parking lot opposite your home or office is a hacker. Fortunately, we can inspect suspicious or malicious packets in the air with a tool named WAIDPS, which stands for Wireless Auditing, Intrusion Detection and Prevention System.

You can leave this tool running and it will report back if there is any suspicious activity in the air near you. You can even fight back against the attacker. However, in my opinion, by then it is too late, as the attacker may already have captured your encrypted passphrase with the four-way handshake.

If you observe any attack such as deauthentication, you can reset your passphrase to a stronger one in order to stop the attack on your wifi router.

By the way, MAC address filtering and a hidden SSID mean nothing to an attacker. The best defense is a very strong passphrase.
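The deauthentication attack mentioned above is what a wireless IDS such as WAIDPS looks for. The following is an added example, not code from WAIDPS or this post: it parses raw 802.11 management frames (as a monitor-mode capture gives them, radiotap header stripped), counts deauth/disassoc frames per transmitter in a sliding time window, and alerts on a burst. The MAC addresses, timestamps, window and threshold are constructed for the demonstration.

```python
from collections import defaultdict

# IEEE 802.11 frame-control codes (type 0 = management; subtypes per the standard)
TYPE_MGMT, SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0, 8, 10, 12

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_header(frame):
    """Return (type, subtype, receiver, transmitter) from a raw 802.11 MAC header."""
    if len(frame) < 16:
        raise ValueError("frame too short for an 802.11 header")
    fc = frame[0]  # bits 0-1 version, 2-3 type, 4-7 subtype
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, mac_str(frame[4:10]), mac_str(frame[10:16])

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns {transmitter: peak}
    for transmitters that sent at least `threshold` deauth/disassoc frames within
    any `window` seconds (a legitimate AP only sends a handful)."""
    seen = defaultdict(list)
    for ts, frame in frames:
        ftype, subtype, _, tx = parse_80211_header(frame)
        if ftype == TYPE_MGMT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            seen[tx].append(ts)
    alerts = {}
    for tx, times in seen.items():
        times.sort()
        start, peak = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while times[start] < t - window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            alerts[tx] = peak
    return alerts

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed management frame: FC, duration, addr1-3, sequence control, body."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return fc + b"\x3a\x01" + dst + src + bssid + b"\x00\x00" + body

# Constructed sample capture (not real traffic): an AP beaconing normally, one
# legitimate deauth from a second AP, then a burst of 25 deauths carrying the first AP's address.
AP, AP2 = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")
CLIENT, BCAST = bytes.fromhex("02ddeeff0001"), b"\xff" * 6
REASON_CLASS3 = b"\x07\x00"  # reason code 7, little-endian
SAMPLE = [(i * 0.1, build_mgmt_frame(SUBTYPE_BEACON, BCAST, AP, AP)) for i in range(30)]
SAMPLE.append((0.5, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP2, AP2, REASON_CLASS3)))
SAMPLE += [(1.0 + i * 0.02, build_mgmt_frame(SUBTYPE_DEAUTH, BCAST, AP, AP, REASON_CLASS3))
           for i in range(25)]

if __name__ == "__main__":
    for tx, n in detect_deauth_flood(SAMPLE).items():
        print(f"ALERT: {n} deauth/disassoc frames within 1s from {tx}")
```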

Reference

[1] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[2] Kali Linux

That's all! See you.


Tuesday, December 05, 2017

HOWTO : Wifi Penetration Testing Without Tears

Wifi everywhere! There are a lot of private and public wifi access points around you, and almost everyone uses wifi all the time. The security of wifi should be taken into account.

The most common wifi frequencies are 2.4GHz and 5GHz at the time of this writing. The 2.4GHz channel range is 1 to 14, while the 5GHz channel range is 34 to 165. That includes the a/b/g/n/ac modes.

You can even find some access points still using WEP, but it is not common. Almost all access points use WPA/WPA2. Getting the passphrase of a WEP access point is very easy. However, WPA/WPA2 is not very hard either.

When an access point and a client communicate, they carry out a four-way handshake in which the encrypted passphrase is also transmitted between them. When an attacker captures the four-way handshake, the encrypted passphrase is captured too, and the attacker can recover the passphrase by brute forcing it against wordlists.

To complete the capture steps, you need a tool named Aircrack-ng. It is a very powerful wifi auditing tool. Furthermore, there is a good tool for brute forcing WPA/WPA2 keys: Hashcat. Hashcat is a very powerful password recovery tool. Hashcat requires a GPU to do the brute forcing job; the more powerful the GPU, the faster the brute forcing.

However, carrying out wifi penetration testing is very hard for some people, because it involves a lot of steps and procedures. In addition, you also need a working wifi USB dongle or card to get the job done.

The current version of Aircrack-ng, 1.2 RC4, is not fully compatible with the 5GHz frequency. You need to patch and compile it yourself on Kali Linux.

A wifi USB dongle with the Realtek 8812au chipset is ready for the 5GHz frequency and for penetration testing. Its driver also has to be compiled and installed on Kali Linux by yourself.

One of the automated tools for wifi penetration testing is WAIDPS. It can also act as an intrusion detection and prevention system for wifi. It takes just a few keystrokes to complete the wifi penetration testing.





Reference

[1] List of WLAN channels
[2] Kali Linux
[3] Aircrack-ng Official Site
[4] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[5] Install Realtek 8812au Linux Driver
[6] Patch Aircrack-ng For 5GHz Band On Kali Linux 2017.3
[7] Hashcat Official Site
[8] Install Hashcat on Ubuntu 16.04.3
[9] TP-Link Archer T4UHP (Realtek 8812au chipset)
[10] ALFA AWUS036NH (Realtek 8812au chipset)
[11] D-Link DWA-171 Nano USB Adapter (Realtek 8812au chipset)

That's all! See you.


HOWTO : Patch AirCrack-NG For 5GHz Band On Kali Linux 2017.3

Since AirCrack-NG release 1.2rc4 and github repository commit number 7552fdc do not detect 5GHz channel number properly, you need to use jpmv27's repository for the workaround till official is patched in the next release.

The following is a better way than installing the fork, as it uses the latest AirCrack-NG source from GitHub.

Step 1 :

apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-dev

Step 2 :

To patch for 5GHz band :

git clone https://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng/src

wget https://github.com/jpmv27/aircrack-ng/commit/8199c04357ea05daaf2de2ae7eebb28d30baef87.patch

patch < 8199c04357ea05daaf2de2ae7eebb28d30baef87.patch


Step 3 :

To fix a typo :

nano besside-ng.c

Replace line 709, where it reads

err(1, "wi_wirte()");

with

err(1, "wi_write()");

Step 4 :

make
make install


Important

Make sure not to uninstall aircrack-ng with the "apt" command, as it will also uninstall some useful packages at the same time.

Kali Linux's Aircrack-ng is installed in /usr/bin and /usr/sbin, while the GitHub Aircrack-ng is installed in /usr/local/bin and /usr/local/sbin. $PATH searches /usr/local first, so you will run the GitHub version instead of the original one.

When Kali Linux updates AirCrack-ng, you can uninstall the GitHub version with the following commands, provided the source code is still there :

cd aircrack-ng
make clean
make uninstall


Remarks :

If using WAIDPS, make sure to use v1.0 R.6d (or newer), as it is fixed for the newer aireplay-ng display.

Reference

5GHz Patch
Typo Patch

That's all! See you.


Monday, December 04, 2017

HOWTO : Install HashCat on Ubuntu 16.04.3

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.




Step 1 :

sudo apt install ocl-icd-libopencl1 git build-essential

mkdir ~/infosec
cd ~/infosec

git clone https://github.com/hashcat/hashcat
cd hashcat
git submodule update --init

make

cd ~/infosec
git clone https://github.com/hashcat/hashcat-utils
cd hashcat-utils/src

make

cp *.bin ../bin


Step 2 :

To crack a WPA/WPA2 passphrase, convert the cap file to hccapx :

If using WAIDPS, copy the "cap" file to "~/infosec" :

cp /.SYWorks/Saved/Handshake_F92A673ED5C2_hihi_StrictFull.cap ~/infosec

cd ~/infosec
hashcat-utils/bin/cap2hccapx.bin Handshake_F92A673ED5C2_hihi_StrictFull.cap hihi.hccapx


If you are using Kali Linux 2017.3, "cap2hccapx.bin" is located at :

/usr/lib/hashcat-utils/cap2hccapx.bin

Step 3 :

The following are example usages of hashcat to crack a WPA/WPA2 passphrase:

To crack with rockyou dictionary :

cd ~/infosec/hashcat
./hashcat -m 2500 ~/infosec/hihi.hccapx ~/rockyou.txt


To crack up to 8 digits :

./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?d,?d?d?d?d?d?d?d?d --increment-min 1 --increment-max 8 --increment

To crack up to 8 characters from all printable characters, including space :

./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?a,?a?a?a?a?a?a?a?a --increment-min 1 --increment-max 8 --increment

To crack with rules and rockyou dictionary :

./hashcat -m 2500 -r rules/best64.rule ~/infosec/hihi.hccapx ~/rockyou.txt

The WPA/WPA2 crack on a MacBook Pro (Retina, Mid 2012, NVIDIA GeForce GT 650M and Intel HD Graphics 4000) with hashcat took about half an hour for each of the first two examples above. The third example would require over 305 years to complete on my MacBook Pro. The fourth example would require 1 day and 13 hours to complete on my MacBook Pro.
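The run times above follow from the keyspace of each mask, which is why passphrase length and character set decide how well a WPA/WPA2 network resists offline cracking. The following is an added example, not hashcat's own code: it computes the number of candidates a hashcat mask attack tries (with and without --increment, using the plain ?d?d... mask form) and turns it into a time estimate. The hash rate of 60,000 H/s is an assumed figure for illustration, not a measurement from this post.

```python
import math

# Sizes of hashcat's built-in charsets: ?l ?u ?d ?s ?a ?b
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}

def mask_positions(mask):
    """Split a hashcat mask into per-position charset sizes. '?x' is one position
    from charset x, '??' is a literal '?', any other character is a fixed literal."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            c = mask[i + 1]
            sizes.append(1 if c == "?" else CHARSETS[c])
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes

def mask_keyspace(mask):
    """Candidates for '-a 3 MASK' without --increment (product of position sizes)."""
    return math.prod(mask_positions(mask))

def increment_keyspace(mask, inc_min, inc_max):
    """Candidates for '-a 3 MASK --increment --increment-min N --increment-max M':
    hashcat runs the first N, N+1, ..., M positions of the mask in turn."""
    sizes = mask_positions(mask)
    inc_max = min(inc_max, len(sizes))
    return sum(math.prod(sizes[:n]) for n in range(inc_min, inc_max + 1))

def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def estimate(candidates, hashes_per_second=60_000):  # assumed WPA rate, for illustration only
    """Worst-case time to exhaust the keyspace at the given hash rate."""
    return human_time(candidates / hashes_per_second)

if __name__ == "__main__":
    for label, n in (("up to 8 digits", increment_keyspace("?d" * 8, 1, 8)),
                     ("up to 8 printable chars", increment_keyspace("?a" * 8, 1, 8)),
                     ("12 printable chars, fixed length", mask_keyspace("?a" * 12))):
        print(f"{label}: {n:,} candidates, about {estimate(n)}")
```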

Reference

How to Perform a Mask Attack Using hashcat

That's all! See you.


Sunday, December 03, 2017

HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3

Since AirCrack-NG release 1.2rc4 and github repository commit number 7552fdc do not detect 5GHz channel number properly, you need to use jpmv27's repository for the workaround till official is patched in the next release.

Step 1 :

apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-dev

Step 2 :

git clone https://github.com/jpmv27/aircrack-ng

cd aircrack-ng


Step 3 :

make
make install


Make sure not to uninstall aircrack-ng with the "apt" command, as it will also uninstall some useful packages at the same time.

That's all! See you.