Introduction to wireless hacking

No explicit questions like "how do I hack xxx.com" please!
Post Reply
User avatar
MoralExploit
forum buddy
forum buddy
Posts: 10
Joined: 26 Jun 2006, 16:00
14

Introduction to wireless hacking

Post by MoralExploit »

Introduction to Wireless Hacking
by MoralExploit



I know many of you think wardriving is very overrated right now. But I
decided to make a tutorial for the new people. Who dont know much.

Hope I helped.


Wardriving and wireless hacking has become a major thing in the
Hacking community. Ever since Wireless was introduced it was just
laughed at from the Wireless community. They tried to implement WEP
which we just laughed at once again because it was easly cracked. From
there they tried hard to make a better security. If you are just a
homenetwork MAC and WEP should be enough security. But For corporate
networks. They came out with WPA. which seems to be unbreakable. Until
now. I will explain the tools used to get in a network. And get around
the security.

--------------------------------------------------------------------------------------------------
Wardriving
--------------------------------------------------------------------------------------------------

For wardriving Under the Windows platform There is netstumbler,
probably the most widley used Wardriving utility. (http://www.netstumbler.com/downloads/)
Now for the people who use linux and other unix like systems, They get
the better tools when it comes down to packet capturing. But for the
wardriving aspect of this most people use Kismet. People enjoy this
because it puts your card in promiscuous mode. What this means is that
it listens to what is flying around in the air insted of sending out
"Hello" packts like Netstumbler does. You can download Kismet here
(http://www.kismetwireless.net/download.shtml). There are Many more
but these are the easiest and most widley used.

---------------------------------------------------------------------------------------------------
Packet Gathering.
---------------------------------------------------------------------------------------------------

Under the windows platform there are a couple. There is Ethereal
(http://www.ethereal.com/download.html) Airopeek NX although it cost a
hell of alot of money it is good (http://www.wildpackets.com/products/demos).
Now for the Best program (opinion) there is Aircrack. Aircrack runs
off the Airopeek NX dll files. (http://www.cr0.net:8040/code/network/aircrack-2.1.zip)
It is a zip which contains A application that gathers the Pacets One
that brute forces it and some others. Those are the best ones for
windows to use.

For Linux. there are MANY
The most popular right now is Airsnort. It works the same as Aircrack
but Aircrack says that its much faster. (http://airsnort.shmoo.com/)
All you really need to do for the linux versions is go to google and
type WEP Linux. There is also a linux version of Aircrack. you can get
it here. (http://www.cr0.net:8040/code/network/aircrack-2.1.tgz)

--------------------------------------------------------------------------------------------------
Some Information on WPA
WPA Cracking Proof of Concept Available

By Glenn Fleishman

We warned you: short WPA passphrases could be cracked—and now the
software exists: The folks who wrote tinyPEAP, a firmware replacement
for two Linksys router models that has on-board RADIUS authentication
using 802.1X plus PEAP, released a WPA cracking tool.

As Robert Moskowitz noted on this site a year ago, a weakness in
shorter and dictionary-word-based passphrases used with Wi-Fi Protected
Access render those passphrases capable of being cracked. The WPA
Cracker tool is somewhat primitive, requiring that you enter the
appropriate data retrieved via a packet sniffer like Ethereal. Once
entered, it runs the cracking algorithms.

Remember that to crack WEP, an attacker has to gather many packets,
possibly millions, but can then easily crack any key. For WPA, certain
shorter or dictionary-based keys are highly crackable because an
attacker can monitor a short transaction or force that transaction to
occur and then perform the crack far away from the physical site.

The solution to this WPA weakness involves one of three approaches:

Choose a better passphrase: Pick passphrases that aren’t entirely
comprised of dictionary words, meaning they need some random nonsense
in them. “My dog has fleas”: very bad. “Mdasf;lkjadfklja;dfja;dfja;d”:
very good, but hard to type in. Passphrases should be at least 20
characters.

Use randomness to choose a passphrase: A random passphrase of at least
96 bits and preferably 128 bits will defeat the cracking that Moskowitz
wrote about, according to his paper. Tools like SecureEZSetup from
Broadcom and AOSS (AirStation One-touch Setup System) from Buffalo are
two automated ways to produce better passwords of this variety.

Use WPA Enterprise or 802.1X + WPA: Deploy enterprise-based
authentication which will allow a strong WPA key to be uniquely
assigned to each user. This isn’t as expensive as it once was. The
TinyPEAP folks are pushing their method, but you can also turn to
Interlink Networks’s LucidLink product (for on-site control), Gateway
Computer’s 7000 series of access points with on-board PEAP service, and
Wireless Security Corporation’s WSC Guard, available from them directly
or for certain Linksys models via Linksys.

Update: Alert Slashdot readers noted that KisMAC has had a WPA cracking
tool built in for several months. KisMAC is a Macintosh-only version
of Kismet, a tool for monitoring and cracking wireless networks (for
good and evil). Kismet itself lacks this feature. The Mac-only nature
of KisMAC has most likely limited the spread of this knowledge.

Two NetworkWorldFusion writers pointed out last month KisMAC’s ability
in a great overview of WPA’s weakness and the justification for
adopting 802.1X plus WPA.

--------------------------------------------------------------------------------------------------
WPA
--------------------------------------------------------------------------------------------------

This is cowpatty
The only frames cowpatty cares about are the EAPOL frames that make up
the TKIP four-way handshake. The tool will ignore all other frames.
So you should get Asmany EPOL frams as you can then run cowpatty.
(http://www.michiganwireless.org/too...owpatty-2.0.zip)

For linux you have
WPA-cracker (http://www.michiganwireless.org/tools/WPA-Cracker/)

--------------------------------------------------------------------------------------------------
MAC Spoofing
--------------------------------------------------------------------------------------------------

Under the windows platform there is a easy to use program called. SMAC
it cost money but you have a free trial version that works well.
(http://www.klcconsulting.net/smac/). Another program for windows
Bwmachak created by Black Wave will change the address of a oriooco to
one that you specify. First remove the card then use the program.

C:\BWMACHAK.exe 000d8030103b

wala you have a new MAC address.

Under the linux Platform you can use a Program called Sirmacsalot (I
think) which you can download here (http://www.michiganwireless.org/tools/sirmacsalot/)

you can also do it manualy

remember to know what it is running on (eth0 or eht1)
[root@localhost root] # ifconfig eht0 down
[root@localhost root] # ifconfig eth0 hw ether 00:0D:80:30:10:B3
[root@localhost root] # ifconfig etho up
[root@localhost root] # ifconfig eht0
eth0 Link encap: Wavelan HWaddr 00:0D:80:30:10:b3

Also I will update you. Im trying to work on a program that will change
the MAC address under the Windows platform.

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11532
Joined: 06 Apr 2005, 16:00
15
Location: The zone.
Contact:

Post by bad_brain »

nice posts man.... :wink:
Image

User avatar
Gogeta70
^_^
^_^
Posts: 3247
Joined: 25 Jun 2005, 16:00
15

Post by Gogeta70 »

¯\_(ツ)_/¯ It works on my machine...

User avatar
FrankB
Ph. D. in Sucko'logics
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
14
Location: Belgistahn
Contact:

Post by FrankB »

It must be a sekt, they post the same thing everywhere..

--
FrankB

User avatar
MoralExploit
forum buddy
forum buddy
Posts: 10
Joined: 26 Jun 2006, 16:00
14

Post by MoralExploit »

yea thats mine I wrote it.
Moralexploit wrote it I will send him a letter to give me the correct credit.
Here is where I origionaly posted it
www.informationleak.net/wireless.txt
Also it was published on the government security portal.
which you can see here just scroll down.
I do not take peoples work without giving them credit as you see in this tutorial.
I think I have proven my self Legit.
Also If you guys know of any other places where this is Posted without saying I wrote it will you please let me know.
Thanks
Moral

Post Reply