Wireless network hacking: Difference between revisions
No edit summary |
No edit summary |
||
Line 41: | Line 41: | ||
=== Find a target network === |
=== Find a target network === |
||
Press the Mesh button and inspect any interesting access point (AP). |
Press the Mesh button and inspect any interesting access point (AP). Any AP with a padlock on it is encrypted in one way or another. These are the ones suited for a WEP/WPA crack. |
||
=== Check if the network has some form of security === |
|||
If you can connect to the access point without any trouble, the network is not secured. |
|||
Check the instructions at [[#Securing your network]]. |
|||
=== Collect Network data === |
=== Collect Network data === |
||
Next we need to collect packet data. The way to do this is by enabling [[tcpdump]] or [[wireshark]]. However, because of some non standard wireless chipsets, we need to do the following: [[Could someone confirm that this is necessary?]] |
|||
ifconfig msh0 down |
|||
ifconfig eth0 down |
|||
killall NetworkManager |
|||
[[perhaps it would be more stylish to stop the service instead??:]] /sbin/service NetworkManager stop |
|||
Activate monitor mode on the Marvell chipset: |
|||
echo $TRAFFIC_MASK > /sys/class/net/eth0/device/libertas_rtap |
|||
ifconfig rtap0 up |
|||
Start dumping the data: [[There is another version of this in the wireshark manual with "s 1500" instead...]] |
|||
tcpdump -s 128 -i rtap0 -w $CAPTURE_FILE &> /dev/null & |
|||
However this is not at all obvious to what all this means, and in addition it is a great risk that you crash your XO. So rather use [[this]] script, like this: |
|||
[[still to do]] |
|||
su |
|||
wget http://..../capture.sh |
|||
chmod +x capture.sh |
|||
./capture.sh |
|||
Revision as of 07:26, 27 February 2008
Please copy/paste "{{Translationlist | xx | origlang=en | translated={{{translated}}}}}" (where xx is ISO 639 language code for your translation) to Wireless network hacking/translations | HowTo [ID# 112483] +/- |
These instructions describe how to test wireless networks for security holes and how to use the various security softwares with the XO OLPC. However, great care should be taken in using these tools and software as they may brick your XO in the worst case or considerably bloat your configuration. (Especially when saving large data files...)
Updating Your Software/Firmware
Check General Firmware
http://wiki.laptop.org/go/Firmware http://wiki.laptop.org/go/Upgrading_the_firmware
Check Wireless Firmware
Check that you have a recent version of the wireless firmware by following these instructions: http://wiki.laptop.org/go/Test_Config_Notes#Update_the_wireless_firmware
Check Software
In order to continue we need some network tools:
wireshark - Is the world's foremost network protocol analyzer (formerly known as Ethereal) kismet - Is a 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. aircrack-ng - Is a 802.11 WEP/WPA-PSK key cracking program that can recover keys from enough captured data packets nessus - Is a well known network vulnerability scanner bind-utils - Is a collection of utilities for querying name servers and looking up hosts. traceroute - is a computer network tool used to determine the route taken by packets across an IP network.
We can install all of these in one go (in the terminal application):
su yum install wireshark wireshark-gnome kismet aircrack-ng nessus bind-utils traceroute
Configuration of Network Tools
Performing the Analysis
Find a target network
Press the Mesh button and inspect any interesting access point (AP). Any AP with a padlock on it is encrypted in one way or another. These are the ones suited for a WEP/WPA crack.
Collect Network data
Next we need to collect packet data. The way to do this is by enabling tcpdump or wireshark. However, because of some non standard wireless chipsets, we need to do the following: Could someone confirm that this is necessary?
ifconfig msh0 down ifconfig eth0 down killall NetworkManager perhaps it would be more stylish to stop the service instead??: /sbin/service NetworkManager stop
Activate monitor mode on the Marvell chipset:
echo $TRAFFIC_MASK > /sys/class/net/eth0/device/libertas_rtap ifconfig rtap0 up
Start dumping the data: There is another version of this in the wireshark manual with "s 1500" instead...
tcpdump -s 128 -i rtap0 -w $CAPTURE_FILE &> /dev/null &
However this is not at all obvious to what all this means, and in addition it is a great risk that you crash your XO. So rather use this script, like this:
su wget http://..../capture.sh chmod +x capture.sh ./capture.sh
Cracking a WEP key
Follow the instructions at this page: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks
TODO: We should write a short distillation of that wiki here.
Cracking a WPA key
Execute the following command in the terminal application while there is a client succesfully connected to the wireless access point:
aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0
Cracking a MESH network
For More Info
http://wiki.laptop.org/go/Wireless_Driver_README http://wiki.laptop.org/go/88W8388 http://wiki.laptop.org/go/Wireless#Capturing_wireless_traffic_on_the_xo http://dev.laptop.org/ticket/4805 http://lists.infradead.org/pipermail/libertas-dev/2007-July/000607.html http://lists.infradead.org/pipermail/libertas-dev/2007-December/001003.html http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.802.11ag.html http://www.olpcnews.com/forum/index.php?topic=814.msg13043;topicseen
References:
http://www.wireshark.org/ http://www.kismetwireless.net/ http://www.aircrack-ng.org/doku.php http://www.nessus.org/nessus/ http://www.tcpdump.org/tcpdump_man.html http://www.freebsd.org/cgi/man.cgi?query=traceroute To check what's in the default installation: http://dev.laptop.org/~bert/joyride-pkgs.html