Saturday, October 15, 2016

WI-FI PT / 0 - INTRODUCTION


0.0 - Introduction

According to INCIBE (the Spanish National Cybersecurity Institute), nearly 8 out of 10 users rely on wireless networks for Internet access, and the same report notes that around 43% of users take no security measures at all on their wireless connections. Those figures hint at the need to implement security and to educate and train the general public in computer security, specifically in the wireless field.

Nowadays most computers and networks use wireless connections. This type of connection gives access to the Internet without the need for a physical cabled network. The biggest advantage is that the computer can be used anywhere, at home or in the office, while in range of the wireless router. However, unless the network is properly protected, there are risks associated with wireless networks: any information sent or received can be intercepted off the air and the wireless network itself can be tampered with. If the wireless network is unprotected, shared files and data are at risk and network performance can be degraded. Security is one of the most important issues when it comes to wireless networks. Since their birth there have been attempts to design communication protocols that are completely secure, with limited success. Unlike cabled communications, where the information is confined to a very specific physical medium, in wireless communications the information travels through the air, available to anyone with the will and the means to intercept, analyze and use it for malicious purposes.

To illustrate the process of penetration testing a wireless network, throughout this work a large number of practical exercises will be carried out, simulating attacks against clients, wireless access points, cryptographic systems and the authentication mechanisms commonly available. It starts with a brief introduction to the most important characteristics of the wireless frames specified in the IEEE 802.11 standard, and with a description of the testing laboratory where the exercises were carried out.


0.1 - Wireless Local Area Network (WLAN)

For the purpose of having a thorough understanding of the subsequent chapters and of the whole contents, it is necessary to make a brief introduction to the main features and characteristics of wireless technologies.

A Wireless Local Area Network (WLAN) is a set of two or more devices able to communicate wirelessly with each other. Most WLANs are based on the IEEE 802.11 standard by the Institute of Electrical and Electronics Engineers. IEEE 802.11 is a set of specifications for the Medium Access Control (MAC, the L2 sublayer) and the Physical Layer (L1) of wireless transmissions working in the 2.4 and 5 GHz frequency bands. Products built on this standard are marketed under Wi-Fi, a trademark owned by the Wi-Fi Alliance, the trade association in charge of certifying interoperability between wireless device manufacturers.

The IEEE 802.11 architecture uses different components and concepts:

- client or station (STA): a device such as a computer or cell phone containing a wireless adapter that provides wireless connectivity.

- Access Point (AP): its function is to bridge between the wireless STAs and the existing network backbone, providing network access.

- Independent Basic Service Set (IBSS): also known as "ad-hoc mode", it consists of at least two STAs communicating directly, and is used when no AP is available.

- Basic Service Set (BSS): also known as "infrastructure mode", it is a wireless network consisting of a single AP providing service to one or more wireless clients. All clients in a BSS communicate through the AP, both with each other and with the wired network.

- Extended Service Set (ESS): a set of two or more interconnected BSSs sharing the same SSID (network name) and security credentials. An ESS allows mobility and roaming, because clients can move from one BSS to another seamlessly. An ESS defines a single logical network segment, bounded by a router.

- Distribution System (DS): the component used to interconnect BSSs; in other words, the APs of the BSSs belonging to the same ESS are interconnected through a DS. A DS can be wired or wireless.

- Service Set Identifier (SSID): a string of up to 32 bytes used to identify a BSS or ESS. Also considered the "network name", it is usually human readable.

- Basic Service Set Identification (BSSID): a 6-byte (48-bit) value that uniquely identifies a BSS. For a BSS working in "infrastructure mode" the BSSID is the MAC address of the AP's wireless interface. The BSSID is the formal name of a BSS (in contrast to the informal name, the SSID) and it is always associated with only one BSS. Note that inside an ESS each member BSS uses its own BSSID, whereas all of them use the same SSID. For an IBSS, or "ad-hoc mode", the BSSID is a randomly generated, locally administered MAC address (the universal/local bit of the first octet set to 1 and the individual/group bit cleared to 0).
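As an added example (my own, not part of the original post), the following Python snippet decodes the two flag bits of a MAC address that the BSSID definition above relies on, and generates an IBSS BSSID the way the standard prescribes. The addresses in the usage lines are the lab's own (the AP's BSSID and the Alfa adapter appear later in this chapter); the function names are mine.

```python
import secrets


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff'; return the six raw octets."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(mac: str) -> dict:
    """Decode the two flag bits of the first octet:
       bit 0 (0x01) I/G: 0 = individual (unicast), 1 = group (multicast/broadcast)
       bit 1 (0x02) U/L: 0 = universally administered (vendor OUI), 1 = locally administered"""
    raw = parse_mac(mac)
    return {"oui": format_mac(raw[:3]),
            "group": bool(raw[0] & 0x01),
            "locally_administered": bool(raw[0] & 0x02)}


def generate_ibss_bssid() -> str:
    """Random BSSID for an ad-hoc network as 802.11 requires: 46 random bits,
    I/G bit cleared (individual address), U/L bit set (not tied to any vendor OUI)."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & 0xFC) | 0x02
    return format_mac(raw)


def is_valid_ibss_bssid(mac: str) -> bool:
    flags = classify_mac(mac)
    return flags["locally_administered"] and not flags["group"]


if __name__ == "__main__":
    # The lab's own addresses (AP BSSID, Alfa adapter) plus the broadcast address
    for mac in ("00:25:F2:9B:91:23", "00:c0:ca:72:1a:36", "ff:ff:ff:ff:ff:ff"):
        print(mac, classify_mac(mac))
    print("fresh IBSS BSSID:", generate_ibss_bssid())
```

The same U/L bit is what a client that randomizes its MAC address sets, so a "locally administered" station in an airodump-ng listing is either randomizing or spoofing its address, which is worth knowing before trusting a MAC as an identifier.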


0.2 - Versions, Frequency bands and Channels

The most important versions of the 802.11 protocol are a, b, g, n and ac, which differ in frequency band, modulation and data rate. The most recent of them, 802.11ac, was ratified at the end of 2013 and dramatically increases wireless throughput. The key features of the 802.11 versions are as follows (the data rates for 802.11n and 802.11ac are per spatial stream; ranges are the usual approximate figures):

Version   Frequency (GHz)   Bandwidth (MHz)   Data rate (Mbps)     Modulation   Indoor range (m)   Outdoor range (m)
802.11a   5                 20                up to 54             OFDM         35                 120
802.11b   2.4               20                up to 11             DSSS         35                 140
802.11g   2.4               20                up to 54             OFDM/DSSS    38                 140
802.11n   2.4/5             20/40             up to 72.2/150       OFDM         70                 250
802.11ac  5                 20/40/80/160      from 86.7 to 866.7   OFDM         not given          not given

Orthogonal Frequency Division Multiplexing (OFDM) is a technique to encode digital data on multiple carrier frequencies. This scheme is used as a digital multi-carrier modulation method, in which a large number of closely spaced orthogonal sub-carrier signals are used to carry data on several parallel data streams or channels.

Direct-sequence Spread Spectrum (DSSS) is a modulation technique where the transmitted signal takes up more bandwidth than the information signal that modulates the carrier or broadcast frequency. 'Spread spectrum' comes from the fact that the carrier signals occur over the full bandwidth (spectrum) of a device's transmitting frequency.

As seen in the previous chart, the most important frequency bands used in wireless communications are 2.4 GHz and 5 GHz. Each band is subdivided into channels with a centre frequency and a bandwidth. The 2.4 GHz band is divided into 14 channels: channels 1 to 13 are spaced 5 MHz apart, starting at channel 1 centred on 2.412 GHz, and channel 14 sits at 2.484 GHz, 12 MHz above channel 13. The highest channels are subject to restrictions depending on the regulatory domain.

The IEEE 802.11 working groups establish the technical features of the frequency ranges, but from a legal perspective each country applies its own regulations about allowed channels, users and maximum power levels within those ranges. For instance, channel 14 is forbidden in the US and many other countries because that spectrum is reserved for other uses, and channels 12 and 13 are restricted to low power in the US (and so are generally avoided) because they sit at the edge of the allowed band, right above channel 11. Channel 14 is legal only in Japan, and there only for 802.11b (DSSS).

There is also the problem of "overlapping channels": each channel actually occupies about 22 MHz (DSSS) or 20 MHz (OFDM) around its centre, so with 5 MHz spacing every channel overlaps the four on either side of it. Interference is avoided by using channels whose working frequencies don't share any spectrum. As the channel diagram for the 2.4 GHz band shows, channels 1 (2.412 GHz), 6 (2.437 GHz), 11 (2.462 GHz) and 14 (2.484 GHz) don't interfere with each other because they don't use adjacent frequencies.
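To make the channel arithmetic concrete, here is an added Python example (mine, not from the original post) that computes the centre frequency of each 2.4 GHz channel, tests whether two channels overlap for a given channel width, and derives the non-overlapping channel plan for a regulatory domain. The DOMAINS table is a deliberately simplified assumption (US 1-11, ETSI 1-13, Japan 1-14), and the 22 MHz (DSSS) and 20 MHz (OFDM) widths are the nominal figures.

```python
# Simplified regulatory table (an assumption for illustration, not legal advice):
# US (FCC) 1-11, Europe (ETSI) 1-13, Japan 1-14 with channel 14 reserved for 802.11b DSSS.
DOMAINS = {"US": range(1, 12), "EU": range(1, 14), "JP": range(1, 15)}

DSSS_WIDTH_MHZ = 22     # 802.11b channel occupancy
OFDM_WIDTH_MHZ = 20     # 802.11g/n channel occupancy


def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel. Channels 1-13 are 5 MHz apart from 2412 MHz;
    channel 14 is the exception at 2484 MHz, 12 MHz above channel 13."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(a: int, b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(centre_mhz(a) - centre_mhz(b)) < width_mhz


def non_overlapping(channels, width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Greedy plan, lowest channel first, of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(channels):
        if not any(overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def channel_plan(domain: str, width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    return non_overlapping(DOMAINS[domain], width_mhz)


def neighbours_hit(channel: int, domain: str, width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Every channel in the domain that a transmitter on `channel` interferes with."""
    return [c for c in DOMAINS[domain] if c != channel and overlaps(channel, c, width_mhz)]


if __name__ == "__main__":
    print("US plan (DSSS):", channel_plan("US"))                    # [1, 6, 11]
    print("EU plan (OFDM):", channel_plan("EU", OFDM_WIDTH_MHZ))    # [1, 5, 9, 13]
    print("JP plan (DSSS):", channel_plan("JP"))                    # [1, 6, 11, 14]
    print("channel 6 hits:", neighbours_hit(6, "US"))               # [2, 3, 4, 5, 7, 8, 9, 10]
```

The greedy plan reproduces the 1/6/11 rule (and 1/6/11/14 in Japan) for 22 MHz channels; with 20 MHz OFDM channels in an ETSI domain it also finds 1/5/9/13, a plan sometimes used in Europe, although the spectral masks of real radios make 1/6/11 the safer choice when neighbouring networks are dense.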




0.3 -  Lab Setup

0.3.1 - General description

Because this blog has an eminently practical approach, it is essential to set up a lab in which the different experiments and practical tests can be carried out. With some exceptions that will be detailed when they arise, the wireless testing lab used in most of our practices consists of the following elements:

  • 1 Access Point, a Motorola SBG941, managed from a desktop PC running Windows 7.
  • 1 laptop ("kali") playing the role of attacker, running the Kali Linux distribution with an Alfa Network AWUS036H wireless USB adapter. The main tool used to launch the attacks will be Aircrack-ng, with Wireshark used to analyze the captured packets.
  • 1 laptop ("roch") playing the role of victim, running Windows 7 with a NetGear N600 Wireless Dual-Band USB adapter as its wireless interface.


The layout of the topology would be as follows:


Let's examine all these elements one by one.

0.3.2 - Access Point

The most common Access Point used in this work will be a Motorola SBG941 Wireless Cable Gateway.

This Motorola SBG941 Wireless Cable Gateway combines a cable modem, an integrated 4-port router (10/100Base-TX RJ-45) and an 802.11 a/b/g/n wireless access point. The gateway is DOCSIS 2.0 compliant and compatible with DOCSIS 1.0/1.1. The integrated AP supports WEP and WPA/WPA2 (TKIP and AES) wireless encryption. It uses WMM (QoS) to prioritize traffic over the network. A WPS button allows for easy wireless security configuration. The router provides VPN pass-through for IPsec and PPTP. A built-in SPI firewall protects the network against intruders and Denial of Service (DoS) attacks. The transmit power is 17 dBm and the receiver sensitivity is -74 dBm.

The desktop PC is connected to the Access Point through an Ethernet cable, using one of the 4 available ports. To configure and monitor the access point, the default gateway IP 192.168.0.1 is entered in the browser:



The network created by the Access Point uses the name or SSID (Service Set Identifier) "spaniard", working in the subnet 192.168.0.0/24. It is very important to note that the AP's wireless MAC address, and therefore the BSSID, is 00:25:F2:9B:91:23, because this MAC address will be used very frequently during the practical tests:

Also, for the specific purpose of demonstrating attacks against WPA/WPA2 Enterprise with RADIUS server authentication, a D-Link DIR-615 router will be used in Chapter 6.10, where further details about this router will be given:


0.3.3 - The attacker

The laptop used as attacker is named "kali". From the software perspective it runs the Kali Linux distribution as operating system, with the Aircrack-ng and Wireshark applications used frequently. From the hardware perspective it has an Alfa Network AWUS036H wireless USB adapter.

Kali is a Debian-based Linux distribution maintained by Offensive Security Ltd., considered by its authors the successor of the well-known BackTrack. It is used for digital forensics, penetration testing and computer security work in general. Kali comes preinstalled with a suite of penetration-testing programs, including Nmap, Wireshark, John the Ripper, Metasploit, OpenVAS, etc., and the most important for our purposes, Aircrack-ng (for penetration testing of wireless LANs). Kali Linux can be run from a hard disk, a live CD or a live USB. Kali is distributed in 32- and 64-bit images for hosts based on the x86 instruction set, as well as ARM images for the Raspberry Pi and Samsung's ARM Chromebook.



Aircrack-ng is a suite of tools for auditing wireless networks, consisting of a detector, a packet sniffer, a WEP and WPA/WPA2-PSK cracker and analysis tools for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitor mode and can sniff 802.11a, 802.11b and 802.11g traffic. The suite runs under Linux and Windows. It can recover WEP keys once enough data packets have been captured: it implements the standard FMS attack along with optimizations such as the KoreK attacks, as well as the PTW attack, a newer statistical attack on RC4 that greatly decreases the number of initialization vectors (IVs) needed to recover a WEP key, making it much faster than other WEP cracking tools.

The most important tools included with Aircrack-ng are:

  • aircrack-ng: cracks WEP keys and WPA/WPA2-PSK keys (dictionary attack).
  • airdecap-ng: decrypts WEP or WPA encrypted capture files with a known key.
  • airmon-ng: places different cards in monitor mode.
  • aireplay-ng: packet injector (Linux, and Windows with CommView drivers).
  • airodump-ng: packet sniffer, writes captured traffic to pcap or IVS files and displays information about the networks seen.
  • airtun-ng: virtual tunnel interface creator.
  • packetforge-ng: creates encrypted packets for injection.
  • ivstools: tools to merge and convert IVS files.
  • airbase-ng: incorporates techniques for attacking clients, as opposed to Access Points.
  • airdecloak-ng: removes WEP cloaking from pcap files.
  • airdriver-ng: tools for managing wireless drivers.
  • airolib-ng: stores and manages ESSID and password lists and computes Pairwise Master Keys.
  • airserv-ng: allows access to the wireless card from other computers.
  • buddy-ng: helper server for easside-ng, runs on a remote computer.
  • tkiptun-ng: WPA/TKIP attack.
  • wesside-ng: automatic tool for recovering WEP keys.

Another essential software tool is Wireshark, formerly known as Ethereal, a protocol analyzer used for analyzing and troubleshooting communication networks, for software and protocol development, and as an educational tool. It has all the standard features of a protocol analyzer. Its functionality is similar to tcpdump's, but it adds a graphical interface and many options for organizing and filtering the captured information. By putting the interface in promiscuous mode (or, for 802.11, monitor mode) it shows all the traffic passing on the network segment. It also includes a text-based version named tshark, which examines data from a live network or from a capture file saved to disk. The captured information can be examined through the summary and detail views of each packet. Wireshark includes a complete display-filter language and the ability to follow the reconstructed stream of a TCP session.

Wireshark is free software and runs on most Unix and Unix-like operating systems, including Linux, Solaris, FreeBSD, NetBSD, OpenBSD and Mac OS X, as well as Microsoft Windows.



From the hardware perspective, the attacker laptop is equipped with an Alfa Network AWUS036H wireless adapter. Its key features are:

- 54 Mbps via USB 2.0 (also USB 1.1) for desktop and notebook computers
- Maximum advertised output of 1 Watt
- Compact size and great flexibility
- Plug-and-play compatible with Microsoft Windows and Linux (drivers integrated in BackTrack R5)
- 64/128/256-bit WEP encryption, TKIP, WPA and 802.1X support
- Packet sniffing (monitor mode)
- Packet injection

- As we will see later, its MAC address is 00:c0:ca:72:1a:36



0.3.4 - The victim

The role of victim of the attacks launched from "kali" will be played by the laptop named "roch" (the legitimate AP will be attacked as well), running Windows 7 with a wireless network interface.

Laptop "roch" uses the Netgear N600 Wireless Dual Band USB adapter. Its dual-band (2.4/5 GHz) support lets it move away from a congested band, and it ships with a Smart Wizard setup CD and a Push 'N' Connect (WPS) button for one-push pairing.

Its MAC address is 28:c6:8e:63:15:6b



Friday, September 30, 2016

NETCAT / 6 - Ncat - Encryption and Authentication


ENCRYPTION AND AUTHENTICATION



- Layout topology for this exercise:

- In this exercise encryption is used to prevent eavesdropping and to defeat content inspection by an IDS (the connection itself, its port and the temporary self-signed certificate that ncat generates are still visible on the wire), and access control ensures that only the desired partner is able to establish the connection.

- The command structure is the same as for the usual bind shell, the only differences being the use of ncat as the command, --ssl for encryption and --allow to restrict who may connect. Two caveats a tester should keep in mind: --allow is an access-control list on source addresses, not cryptographic authentication, and --ssl alone encrypts without verifying the identity of either end; ncat's --ssl-cert/--ssl-key on the listener and --ssl-verify with --ssl-trustfile on the client provide that.

- Windows specifies that the only host allowed to communicate with it via ncat will be the Kali machine, and also that the connection will be encrypted:

- Kali launches the connection, also with --ssl encryption:


NETCAT / 5 - Transferring files



TRANSFERRING FILES WITH NETCAT


- Layout topology for this exercise:


- In this exercise Netcat is used to transfer files (text or binary) between two hosts. Netcat itself gives no confirmation that the whole file arrived, so after the transfer it is worth comparing a hash (for example SHA-256) of both copies. Depending on the build, the sender may also need an option such as -q (nc.traditional) so that it closes the connection after reaching the end of the file; otherwise both ends keep waiting.


1 - From Linux to Windows


- Windows listens on port 4444, and redirects all incoming data to a file called IN. 




- Then, Kali sends the file with path "/root/FileWindows" to Windows on port 4444:

- The transfer is successful:





2 - From Windows to Linux


- Linux listens on port 4444, and redirects all incoming data to a file called IN. 




- Windows sends the file FileForLinux to Kali on port 4444:




- The transfer is successful:
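Since the screenshots cannot show it, here is an added Python example (mine, not the blog's) reproducing the two roles over the loopback interface: the listener that accepts a connection and stores everything it receives, like nc -l -p 4444 > IN, and the sender that streams the data and shuts down its write side, like nc HOST 4444 < FILE. It also adds the integrity check Netcat lacks, comparing SHA-256 digests of both copies. The port is chosen by the OS and the payload is constructed in the program, not read from a real file.

```python
import hashlib
import socket
import threading


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def receive_all(listener: socket.socket) -> bytes:
    """Listener side, like 'nc -l -p PORT > IN': accept one connection and read until EOF."""
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:                      # b'' = the sender closed its write side
                break
            chunks.append(chunk)
    return b"".join(chunks)


def send_all(host: str, port: int, data: bytes) -> None:
    """Sender side, like 'nc HOST PORT < FILE'. The explicit shutdown is what delivers the
    EOF to the listener; it is the step that -q (nc.traditional) or -N (OpenBSD nc) performs,
    and without it both ends keep waiting."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def transfer(data: bytes) -> dict:
    """Run both roles over loopback and verify the copy with SHA-256, the check Netcat never does."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    box = {}
    receiver = threading.Thread(target=lambda: box.update(received=receive_all(listener)))
    receiver.start()
    send_all("127.0.0.1", port, data)
    receiver.join(timeout=10)
    listener.close()
    received = box.get("received", b"")
    return {"bytes": len(received),
            "sent_sha256": sha256_hex(data),
            "received_sha256": sha256_hex(received),
            "ok": sha256_hex(data) == sha256_hex(received)}


if __name__ == "__main__":
    print(transfer(bytes(range(256)) * 4096))   # constructed 1 MiB binary payload
```

On a real transfer the same verification is sha256sum on the Linux side and certutil -hashfile on Windows; a short or corrupted copy is otherwise indistinguishable from a good one, because Netcat reports nothing when the connection closes.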





NETCAT / 4 - Connection to a TCP/UDP port and analysis with Wireshark


CONNECTION TO A TCP/UDP PORT AND ANALYSIS WITH WIRESHARK

- Layout topology for this exercise:

- Netcat is able to connect to a port, checking whether it is open or closed, and also reading the banner from that port. In this exercise, let's use Netcat to connect to a remote POP3 mail service running on a Windows 7 machine on port 110.

- An nc connection is launched from Kali Linux to Windows on port 110 (POP3). The output shows that the connection is successful and a dialogue starts between client (Kali Linux) and server (W7). The server displays its welcome banner (POP3 server ready) and waits for the USER and PASS commands. In this case the login attempt fails because the password is unknown, but a later password-guessing attack could be used to authenticate. Note that POP3 without TLS sends USER and PASS in clear text, which is exactly why following the TCP stream in Wireshark exposes the whole dialogue.




- Analysis with Wireshark is always interesting. First, a display filter is set to hide all the noise Wireshark would otherwise show: tcp.port == 110

- It is easy to follow the TCP three-way handshake that opens the connection.
SYN (initiates the three-way handshake):



- SYN, ACK:




- ACK:




- FIN, ACK (closing the connection):




- Following the TCP stream:
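Because the Wireshark screenshots are not reproduced here, the following added Python example (my own, not from the original post) rebuilds what they showed: it constructs the segments of a POP3 session like the one above, parses the TCP header of each one, applies the equivalent of the tcp.port == 110 display filter, labels every segment with its flags the way Wireshark's Info column does, and reassembles the payload as "Follow TCP Stream" would. The packets, ports, sequence numbers and the server's replies are constructed for the example, and checksums are left at zero because nothing is sent on the wire.

```python
import struct

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def build_tcp(src_port, dst_port, seq, ack, flags, payload=b""):
    """20-byte TCP header without options; checksum left at 0 (constructed, never sent)."""
    offset_and_flags = (5 << 12) | flags            # data offset: 5 x 32-bit words
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_and_flags, 65535, 0, 0)
    return header + payload


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed header; the data offset tells where the payload begins."""
    src, dst, seq, ack, offset_and_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (offset_and_flags >> 12) * 4
    bits = offset_and_flags & 0x1FF
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": [name for name, bit in TCP_FLAGS if bits & bit],
            "payload": segment[data_offset:]}


def port_filter(segments, port):
    """Same selection as the Wireshark display filter tcp.port == <port>."""
    return [s for s in segments if port in (s["src"], s["dst"])]


def label(seg) -> str:
    """Roughly what the Info column shows: the flag names, plus the payload length."""
    text = ", ".join(seg["flags"])
    return f"{text} (len={len(seg['payload'])})" if seg["payload"] else text


def follow_stream(segments, client_port):
    """'Follow TCP Stream': payload bytes in capture order, tagged by direction."""
    return [f"{'client' if s['src'] == client_port else 'server'}: "
            f"{s['payload'].decode('ascii', 'replace').rstrip()}"
            for s in segments if s["payload"]]


def session_view(raw_segments, server_port, client_port):
    parsed = port_filter([parse_tcp(s) for s in raw_segments], server_port)
    return [label(s) for s in parsed], follow_stream(parsed, client_port)


# Constructed capture: a POP3 login attempt with a wrong password, plus one unrelated
# HTTPS SYN that the port filter must drop. Sequence numbers advance by payload length.
CLIENT_PORT, POP3 = 50321, 110
SESSION = [
    build_tcp(CLIENT_PORT, POP3, 1000, 0, SYN),                      # three-way handshake
    build_tcp(POP3, CLIENT_PORT, 5000, 1001, SYN | ACK),
    build_tcp(CLIENT_PORT, POP3, 1001, 5001, ACK),
    build_tcp(40000, 443, 1, 0, SYN),                                # noise on another port
    build_tcp(POP3, CLIENT_PORT, 5001, 1001, PSH | ACK, b"+OK POP3 server ready\r\n"),
    build_tcp(CLIENT_PORT, POP3, 1001, 5024, PSH | ACK, b"USER alice\r\n"),
    build_tcp(POP3, CLIENT_PORT, 5024, 1013, PSH | ACK, b"+OK\r\n"),
    build_tcp(CLIENT_PORT, POP3, 1013, 5029, PSH | ACK, b"PASS wrong\r\n"),
    build_tcp(POP3, CLIENT_PORT, 5029, 1025, PSH | ACK, b"-ERR invalid password\r\n"),
    build_tcp(CLIENT_PORT, POP3, 1025, 5052, FIN | ACK),              # client closes
    build_tcp(POP3, CLIENT_PORT, 5052, 1026, FIN | ACK),
    build_tcp(CLIENT_PORT, POP3, 1026, 5053, ACK),
]

if __name__ == "__main__":
    labels, stream = session_view(SESSION, POP3, CLIENT_PORT)
    print("\n".join(labels))
    print()
    print("\n".join(stream))
```

The reassembled stream is the point of the exercise from the defender's side as much as the attacker's: the credentials are readable by anyone capturing on the path, so a POP3 service reachable like this should only be offered over TLS.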






NETCAT / 3 - Reverse Shell


NETCAT REVERSE SHELL

- Layout topology for this exercise:


- In this case Netcat is used for remote administration by sending a reverse shell to a listening host. A reverse shell is useful when a router or firewall between the two hosts blocks inbound connections to the target but allows outbound ones.

- The fact that the remote shell is sent out across a corporate router or firewall is a reminder that outgoing traffic from a network should be watched as carefully as incoming traffic.


3.1 - Reverse shell from Kali to Windows

- Windows is listening on port 4444:

- Kali connects to Windows's port 4444 and hands it a reverse shell (-e /bin/bash), meaning that the stdin, stdout and stderr of /bin/bash are redirected to the network connection with Windows instead of the local console:

- As a consequence, once the connection is established Windows obtains a command shell on Kali and can administer it remotely:

3.2 - Reverse shell from Windows to Kali


- In the same way as before, now Kali is listening on TCP port 4444:

- Windows connects to Kali on port 4444 and sends a reverse shell (-e cmd.exe):

- As a consequence, Kali is able to administer Windows remotely, because a Windows command prompt opens in its own console:

NETCAT / 2 - Bind Shell


NETCAT BIND SHELL

- Layout topology for this exercise:

- In this exercise Netcat is used for remote administration, taking advantage of Netcat's command redirection abilities. 


2.1 - Bind shell on Kali Linux and connection from Windows


- The option -e specifies a filename to be executed after connection. 

- In this way, /bin/bash is bound to port TCP 4444, redirecting any input (stdin), output (stdout) and error (stderr) from /bin/bash to the network, instead of redirecting them to the default console. 

- The consequence is that anybody connecting to port TCP 4444 will be able to use Kali's command prompt, enabling remote administration:

2.2 - Bind shell on Windows and connection from Kali Linux

- In the same way as before, Windows binds cmd.exe to TCP port 4444, redirecting stdin, stdout and stderr to the network:

- As a consequence, when Kali connects to Windows's port 4444 it obtains a Windows command prompt, enabling remote administration:
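A practitioner reading the bind-shell and reverse-shell exercises will want the defender's view as well, so here is an added Python example (mine, not the blog's) of the host-side check that catches both: a shell whose standard input, output and error are a TCP socket, which is exactly what -e /bin/bash produces on the compromised end, whichever side initiated the connection. The /proc/net/tcp excerpt and the process table are constructed sample data; on a live Linux host the same information comes from /proc/net/tcp, /proc/<pid>/comm and the targets of the /proc/<pid>/fd/* symlinks (the Windows equivalent would be correlating process handles with netstat -o output, which this example does not implement).

```python
import socket
import struct

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}
ESTABLISHED = "01"          # /proc/net/tcp state code; 0A would be LISTEN


def decode_endpoint(hex_addr: str) -> str:
    """'6400A8C0:115C' (IPv4 as little-endian hex, port as hex) -> '192.168.0.100:4444'."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> dict:
    """Map socket inode -> (local, remote, state) from a /proc/net/tcp listing."""
    table = {}
    for line in text.strip().splitlines()[1:]:          # skip the header line
        f = line.split()
        table[f[9]] = (decode_endpoint(f[1]), decode_endpoint(f[2]), f[3])
    return table


def socket_inode(link_target: str):
    """/proc/<pid>/fd/N links read 'socket:[<inode>]' when the descriptor is a socket."""
    if link_target.startswith("socket:[") and link_target.endswith("]"):
        return link_target[8:-1]
    return None


def find_socket_shells(processes: dict, tcp_table: dict) -> list:
    """Report shells whose fd 0, 1 or 2 is an established TCP socket: the footprint left by
    'nc -e /bin/bash' for both a bind and a reverse shell, since both end up the same way."""
    findings = []
    for pid, info in processes.items():
        if info["comm"] not in SHELL_NAMES:
            continue
        inodes = {socket_inode(info["fds"].get(fd, "")) for fd in (0, 1, 2)} - {None}
        for inode in sorted(inodes):
            local, remote, state = tcp_table.get(inode, (None, None, None))
            if state == ESTABLISHED:
                findings.append({"pid": pid, "comm": info["comm"], "local": local, "remote": remote})
    return findings


# Constructed sample data (not taken from a real host): one bash wired to a socket,
# one interactive bash on a terminal, and sshd, which owns a socket but is not a shell.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 6400A8C0:A3D4 6500A8C0:115C 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 6400A8C0:0016 0A00A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROCESSES = {
    1337: {"comm": "bash", "fds": {0: "socket:[22222]", 1: "socket:[22222]", 2: "socket:[22222]"}},
    2001: {"comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    900:  {"comm": "sshd", "fds": {0: "/dev/null", 1: "/dev/null", 3: "socket:[33333]"}},
}


def scan(processes=SAMPLE_PROCESSES, tcp_text=SAMPLE_PROC_NET_TCP) -> list:
    return find_socket_shells(processes, parse_proc_net_tcp(tcp_text))


if __name__ == "__main__":
    for hit in scan():
        print(f"pid {hit['pid']} ({hit['comm']}) has its stdio on {hit['local']} <-> {hit['remote']}")
```

The check deliberately ignores which end called connect(): from the host's point of view a bind shell and a reverse shell look identical once established, and only the peer address tells an analyst whether the traffic left the network, which is the outbound monitoring the reverse-shell exercise recommends.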






NETCAT / 1 - Chat between 2 hosts


CHAT BETWEEN 2 HOSTS

- Layout topology for this exercise:




- In this exercise a communication channel is established between two hosts using Netcat.

- First, Kali listens on its port 4444. Then Windows launches a connection to Kali's IP on port 4444 and the dialogue starts: whatever is typed on one end appears on the other, Linux answers, and so on, until the chat is closed. The options used are:

         - n = no name resolution (numeric IP addresses only)
         - l = listen for an inbound connection
         - v = verbose
         - p = local port number

- From Linux:

- From Windows:

NETCAT / 0 - Introduction


NETCAT INTRODUCTION

- Netcat is a networking utility for reading from and writing to TCP/UDP connections. Also known as the Swiss Army knife of hackers, it is available for both Windows and Linux systems. Netcat can run either as a client (connecting to a remote port) or as a server (listening on a local port), and in both cases it simply ties the connection to its standard input and output, which makes it a powerful and versatile tool that allows hackers and ethical penetration testers to perform many different tasks.

https://en.wikipedia.org/wiki/Netcat

http://nc110.sourceforge.net/

https://sourceforge.net/projects/nc110/


- There are two main implementations of Netcat:

nc: the original Netcat described above.

ncat: the Nmap project's reimplementation of nc, which adds two security-related features, encryption (--ssl) and access control (--allow). In this way the penetration tester can avoid content-based IDS detection and exposure of the session to undesired observers.

- Along this section we will see how to use Netcat through the following exercises:

          1 - Chat between two hosts

          2 - Bind shell

          3 - Reverse shell

          4 - Connection to a TCP/UDP port and analysis with Wireshark

          5 - Transfer of files

          6 - Ncat: encryption and authentication



- On Linux, Netcat is usually preinstalled and configured by default, for instance in the Kali Linux distribution. For Windows systems, a Netcat build can be downloaded from several websites; as with any tool that opens shells, it should be obtained from a trusted source and checked against a published hash.


- Help and available options for both versions of Netcat in a Windows system:

- Help and available options for both versions of Netcat in a Linux system:

- Layout topology used for these exercises: