What’s in a Name?

Most home users select their wireless network name without much thought to the actual name except to make it easy for them to see and connect to. So many people never think that the network's name, also known as the Service Set Identifier or SSID, could be a security risk. Okay, a security risk may be a reach, but let's just say some SSIDs are more secure than others, and I will list some dos and don'ts when selecting an SSID.

Before the list let's discuss what makes the SSID important. Hackers need to gather several pieces of information, including the SSID, to crack a network's WPA/WPA2 password. Hackers have pre-computed tables built from this information, including common or default SSID names, and if you're using one of these common names you have made their job easier and your network more of a target.

  • Do change the SSID from the factory set default wireless network name.
  • Don’t select a name in the top 1000 most common SSIDs. This list is very long and at first glance you will notice a lot of factory default names (dlink, Linksys, 2wire, Netgear, etc…), so as mentioned above change the default name.
  • Don’t use your first or last name, address, phone number, or anything else personal. Broadcasting personal information identifies who owns the network, and may aid the hacker in cracking the wireless password.
  • Do be unique when selecting an SSID, but too much creativity may draw attention to the network's name along with attempts to hack the network. With a maximum of 32 characters you have some creative capabilities, but also think camouflage, so the network name blends in with the other networks in range and does not stand out.
  • Do follow these rules even if your SSID is hidden or not being broadcast. Hidden network SSIDs can very easily be discovered and they are not immune.

The most important thing to learn is to always change the SSID from the default. Having a unique SSID can not only make the hacker's job more difficult, but it may signal to the hacker that if the name was changed other settings were changed as well, persuading the hacker to look for an easier target.

Cracking WPA using Fern WiFi Cracker

Note: For this demo I’m using a lab environment network that is not routed to the internet. I will be using the Fern WiFi Cracker open source wireless security tool included in the Kali Linux and Backtrack 5 r3 security distros. Before attempting to use Fern or any other utility in Kali or Backtrack please make sure to read the help and man pages for a complete description of the program options and switches. This demo is for wireless pentesting educational purposes and to emphasize the insecurity of using a weak or common dictionary word as the wireless network authentication and encryption security key or passphrase.

Fern WiFi Cracker can crack WEP, WPA, and WPA2 secured wireless networks. Fern basically takes the command line utilities used to crack these networks and puts them in a GUI. Very simple to use… scary easy! Fern also provides some extra functionality for hijacking sessions and locating a computer's geolocation via its MAC address, but I have not tested these features.

For this demo I will be using Backtrack 5 r3 running in VMware Workstation on a Win 7 host.

Originally I was using Fern in Kali and ran into some issues with my wireless adapter and with the program freezing or not opening after updating it. I have the fixes I discovered in another blog post for anyone else that may have these same problems.

Router Setup

I’m using an old Cisco/Linksys 802.11g wireless router for this demo and all the settings are defaulted except the security settings, which I set to WPA Personal with a Shared Key passphrase of “password”. The word password should never be used for a real password or passphrase and I’m using it here since I know the Fern program will quickly crack it. In real world situations a WPA/WPA2 passphrase should be completely random and not a common dictionary word. For help on creating a secure WPA/WPA2 passphrase please read my earlier blog post.


Setup the Wireless Adapter

Plug in the USB wireless adapter (I’m using the Alfa AWUS036H 802.11b/g USB wireless adapter) and open the Terminal and run iwconfig to verify the USB adapter interface.

iwconfig

On occasions I have had to bring the wireless adapter interface up using the following command.

#ifconfig wlan0 up

Starting the Fern Program

To start Fern from the Terminal type in the following commands:

#cd /pentest/wireless/fern-wifi-cracker
#python execute.py

or start Fern via the GUI using the Backtrack menu:

Applications/Backtrack/Exploitation Tools/Wireless Exploitation Tools/WLAN Exploitation/fern-wifi-cracker

Using the Fern Program

Select the Interface and Fern enables monitor mode. If your wireless interface does not show in the list hit the Refresh button and try again.


Before starting the scan double-click on any blank area of the Fern home screen to bring up the Access Point Scan Preferences screen. You can set the channel option to scan a single channel or leave it at the default All Channels. One nice feature is to check the Enable XTerms option which will have Fern open up the Terminal windows during its usage to see what the program is doing in the background. Click OK when done.


Back on the Fern home screen click the Scan for Access points button.


Two Terminal windows will open; one showing the WEP enabled networks (no screen shot), and another showing the WPA enabled networks. The top part of the WPA Scan Terminal window shows the networks being found, and the lower part shows any connected client devices. For a WPA attack to work it requires a connected client. The most important part of the attack will kick the client off the wireless network and capture the 4-way handshake when the client device re-authenticates to the network. If the network you want to pentest has no connected client you're out of luck!


On Fern's home screen the networks being detected will start populating next to the WiFi WEP or WiFi WPA buttons. (I have been seeing fewer and fewer WEP enabled networks, so that is a good thing!)


Clicking on the WiFi WEP or WiFi WPA button will bring up the Attack screen and the top pane will list the networks found. Select the AP to crack, but before clicking the Attack button to the right let’s go over a couple of settings.


I will use the Regular Attack option, but there is a WPS Attack option and I believe Fern uses the Reaver utility to launch the WPS attack. You can read more about Reaver by clicking here.

Common.txt is the wordlist that comes with the Fern program, but any wordlist you download or have created on your own can be used by hitting the Browse button and pointing Fern to the alternative wordlist file.


With the Regular Attack and the wordlist selected hit the Attack button.


Fern will start the attack and on the left side of the screen the attack steps will turn yellow as Fern works through the various steps. The most important step is capturing the 4-way handshake and Fern will open an aireplay-ng Terminal window showing the progress of deauthentication (if XTerms is checked in the preferences) of the connected client.


It may take several attempts to deauth a client and capture the 4-way handshake.


Once Fern has captured the handshake it will start the brute-force attack. Voila! If the WPA key is in the wordlist being used it will display the found key in red.


As I mentioned, I set up a passphrase I knew would be found quickly, and from start to finish this attack took under 4 minutes!

Back on the Fern main screen is a Key Database button and it now shows one entry.


Clicking the Key Database button will display the found keys.


Conclusion

Using a common dictionary word for a WPA or WPA2 passphrase makes it easier to hack with utilities like Fern. The Fern utility is free to download and simple to use, and not everyone is going to use it for legit wireless pentesting purposes.

With possession of the WPA key a person can associate to the network and have a gateway to the internet, or they could launch other attacks. For example, with possession of the WPA key the attack could be expanded to include decryption of the data traffic of the legitimate clients on the wireless network.

Thanks for reading and stay wireless secure!

Keys, Keys, and Even More Keys!

I thought I had a good understanding of how the WPA/WPA2 encryption key generation process worked, that was, until I read Chapter 5 of the CWSP (Certified Wireless Security Professional) Study Guide. I was definitely amazed and a little confused by all that happens in the background when a client authenticates and the encryption keys are created. Dealing mostly with personal or small office wireless environments, I took a special interest in the process used to generate the encryption keys in small office home office (SOHO) networks. I’m a firm believer that a strong passphrase is mandatory when using WPA/WPA2 Personal, and part of writing this blog was not only my way to fully understand the encryption key creation process, but at the same time to stress how important it is to select a completely random WPA/WPA2 passphrase. An easily guessed passphrase or a common dictionary word can expose your wireless network and connected devices to hacking or decryption of the data. The passphrase not only authenticates clients to the access point, but it is also the initial seeding material used to create the master keys, which are then used to create the transient and temporal keys that encrypt the unicast data frames and the broadcast and multicast frames.

Definitions

Let’s start by defining the alphabet soup of letters and give some quick definitions to the important terms being used in the article.

WPA/WPA2 Passphrase: Selected by the network owner and entered as a simple ASCII character string from 8 to 63 characters. The passphrase is configured on the access point and manually entered on the client devices that will join the AP's wireless network.

Authenticator: In a SOHO network this will be the access point.

Supplicant: Any device wanting to join an access point's service set.

Pre-Shared key (PSK): The result when the passphrase goes through the passphrase to PSK mapping formula.

PMK (Pairwise Master Key): The highest-order key, derived from the pre-shared key (PSK).

GMK (Group Master Key): Generated by the authenticator (access point) and is the seeding material for the group temporal key.

4-Way Handshake: Uses the pseudo-random function to create and distribute the dynamic encryption keys.

Nonce: A randomly generated value only used once.

PTK (Pairwise Transient Key): Final encryption key used to encrypt unicast data traffic.

GTK (Group Temporal Key): Final encryption key used to encrypt broadcast and multicast traffic.

Selecting the Passphrase

The first step is to choose the passphrase and enter it in the security section of the wireless router's management interface. Notice I did not say select a password! As mentioned before, avoid using common dictionary words, and don’t use your name, address, phone number, pet’s names, favorite sports team name, etc… It is recommended to select a completely random passphrase, and using a passphrase generator is the best option to select a random passphrase. For help on selecting a highly secure passphrase read my earlier blog post on creating a secure WPA/WPA2 passphrase.

WPA/WPA2 passphrases are static and susceptible to offline dictionary attacks, and it will become very clear why this passphrase must be absolutely random for maximum security of the wireless network.

The graphic below shows the encryption key generation process and can be referenced throughout the article.

WPA/WPA2 Encryption Key Generation


Passphrase to PSK Mapping

Manually enter the passphrase on the client devices that will be joining the wireless network. The passphrase authenticates the device to the AP's wireless network, and behind the scenes the passphrase will go through the “passphrase to PSK mapping” function to transform it into the 256-bit Pre-Shared Key (PSK).

Here is the formula to convert a passphrase to the PSK.

PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)

The whole point of the passphrase to PSK mapping formula is to simplify configuration for the average home network user. Anyone can remember an 8 to 63 character passphrase compared to a 256-bit PSK.
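As an added example, not from the original post, here is the passphrase to PSK mapping above written out in Python: PBKDF2 with HMAC-SHA1, the SSID as the salt, 4096 iterations and a 256-bit result. It also shows the point from the SSID post that a table precomputed for default SSIDs no longer applies once the SSID is changed. The SSID "qz7-Kestrel-19" is a constructed placeholder; the known-answer value is the IEEE 802.11 test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import hmac

# IEEE 802.11i passphrase-to-PSK mapping parameters:
# PBKDF2 with HMAC-SHA1, the SSID as the salt, 4096 iterations, 256-bit output.
PSK_ITERATIONS = 4096
PSK_BYTES = 32


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898) written out so the iteration count is visible.

    SHA-1 yields 160 bits per block, so a 256-bit PSK needs two blocks,
    i.e. 2 * 4096 HMAC-SHA1 calls for every (passphrase, SSID) pair.
    """
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U1 = HMAC(password, salt || INT(block_index))
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()  # U_i = HMAC(password, U_{i-1})
            t = bytes(a ^ b for a, b in zip(t, u))            # T = U1 xor U2 xor ... xor Uc
        out += t
        block_index += 1
    return out[:dklen]


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256); in WPA/WPA2 Personal the PSK is the PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrase must be 8 to 63 ASCII characters")
    # ssidLength from the formula is simply the length of the salt.
    return pbkdf2_sha1(passphrase.encode("ascii"), ssid.encode("utf-8"), PSK_ITERATIONS, PSK_BYTES)


def matches_stdlib(passphrase: str, ssid: str) -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib's implementation."""
    expected = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PSK_ITERATIONS, PSK_BYTES
    )
    return hmac.compare_digest(passphrase_to_psk(passphrase, ssid), expected)


def ssid_changes_psk(passphrase: str, default_ssid: str, chosen_ssid: str) -> bool:
    """True when the same passphrase yields different PSKs under two SSIDs.

    Because the SSID is the salt, a table precomputed for (common passphrase,
    default SSID) pairs says nothing about a network whose SSID was changed
    to something unique; the attacker must redo all 4096 iterations per guess.
    """
    return passphrase_to_psk(passphrase, default_ssid) != passphrase_to_psk(passphrase, chosen_ssid)


if __name__ == "__main__":
    # Known-answer test vector from the IEEE 802.11 standard.
    print("PSK(password, IEEE) =", passphrase_to_psk("password", "IEEE").hex())
    # Constructed SSIDs: a factory default versus a unique one.
    print("same passphrase, different SSID ->", ssid_changes_psk("password", "linksys", "qz7-Kestrel-19"))
```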

Master Keys

The PSK will become the Pairwise Master Key (PMK), so basically the PSK is equal to the PMK.

The authenticator (access point) generates the Group Master Key (GMK). The GMK is derived by the authenticator and used to create the Group Temporal Key (GTK). The GTK will be used by the AP and all the authenticated clients to encrypt multicast and broadcast traffic.

4-Way Handshake

The graphic below is from Chapter 5 of the CWSP Study Guide to further explain the 4-way handshake process.


The 4-way handshake is a 4 frame exchange (not including acknowledgements) between the supplicant and the authenticator. Using a pseudo-random function (PRF) the 4-way handshake will create the Pairwise Transient Key (PTK) by combining the PMK, an authenticator nonce, a supplicant nonce, the authenticator’s MAC address (AA), and the supplicant’s MAC address (SPA).

Here is the pseudo-random function formula and below the formula is a brief description for the 4 frames exchanged during the 4-way handshake.

PTK = PRF (PMK + ANonce + SNonce + AA + SPA)

Message 1: The authenticator sends its ANonce to the supplicant. The supplicant now has all the information needed to generate the PTK using the pseudo-random function. The PTK protects the unicast data traffic.

Message 2: The supplicant will send its SNonce to the authenticator. The authenticator now has all the information needed to generate a matching PTK using the pseudo-random function.

Message 3: The authenticator generates the GTK from the GMK and transfers the GTK to the supplicant. The GTK is encrypted using the PTK and a secure exchange takes place. The GTK protects the broadcast and multicast traffic.

Message 4: An acknowledgement that the client has successfully installed the PTK and GTK.

The client is now authenticated and possesses the dynamic encryption keys and can securely send and receive traffic through the access point.

Conclusion

In a SOHO network the passphrase is not only used for keeping unwanted devices from joining the network, but also the seeding material to create the transient and temporal encryption keys. If an attacker obtains the passphrase they could not only join the wireless network, but they could crack the PTK encryption key. If an attacker captures a 4-way handshake exchange between a client and the access point, and with possession of the passphrase the attacker has all the variables needed to duplicate the PTK. With the PTK the attacker can decrypt any unicast encrypted data frames between the individual client and the AP. Passphrase secrecy and having a passphrase that is not susceptible to dictionary cracking methods is vital for the security of any network using WPA/WPA2 Personal.

Extra Security Note: Having one person control the passphrase is probably a harder thing to do in a home network, but in a small office environment ideally one person should know the passphrase and enter it on the devices needing to connect to the wireless network. The fewer people who know the passphrase the more secure the network will be!

Use Reaver to Crack WPA/WPA2 Passwords


Let’s use Reaver to crack WPA/WPA2 passwords! Through all this journey of cracking passwords (with permission), I learned you need two things: Time and Luck. There is no easy way to get a networks password, unless you actually go and ask for it nicely… but that’s not an option sometimes.

(Note: Consider this post educational, or a proof-of-concept intellectual exercise. The more you know, the better you can protect yourself. Breaking through someone’s Wireless Network is illegal, use it at your own risk)

There are 2 methods to hack WPA/WPA2:

  1. With Dictionaries: Usually takes plenty of time and if the password is not on the dictionary, you won’t find it.
  2. With Reaver: Uses a vulnerability called Wi-Fi Protected Setup, or WPS. It exists on many routers and can take between 5 and 10 hours to crack.

When we tried using dictionaries and had no luck, we can move on to…

View original post 311 more words

Wigle Wi-Fi Wardriving Android App

This is a quick tutorial on how to install and scan for wireless networks using the Wigle app on an Android phone, and how to save the scan to a file that can be loaded in Google Earth to visualize the scanned networks on a map. If you’re not familiar with Wigle.net you should visit the website. The Wigle site has a searchable database of over 75 million wireless networks that people have uploaded to it.

NOTE: For these instructions I’m using a Droid4 phone with Android version 4.0.4.

Installing the Wigle App
  1. Go to the Google Play Store and search for Wigle.
  2. Tap on Wigle Wifi Wardriving in the Apps section.
  3. Tap install.
  4. Tap Accept & Download.
  5. Depending on the speed of the network you're on it might take a minute or two to download the Wigle app and install it.
Scanning for Networks
  1. Go to the device Settings and tap on Wi-Fi to turn it on.
  2. Go to the Apps section and tap on the Wigle Icon.
  3. Wigle's List view is the default.
  4. Bring up the Wigle app options and tap on Scan On.
  5. The List view will start filling up with networks that are being found.
  6. The Map tab will display the networks on a graphical map.
  7. The Dashboard tab will display scanning statistics.
  8. When done scanning bring up the Wigle options menu and tap on Scan Off.
App Settings
  1. Bring up the Wigle options menu and tap on Settings.
  2. Turn off or uncheck the sounds and announce GPS status change settings. (Optional, but I liked having the sounds off especially if I was war walking)
  3. Turn off voice commands.
  4. There are several settings to adjust how the program scans based on how fast you're moving. You will probably want to experiment with these settings to see how they will affect your scanning.
Save the KML File and Load it In Google Earth
  1. Go to the Data tab and tap on KML Export Run.
  2. Click OK to confirm the export.
  3. The Success screen will show the location along with the name of the KML file. The file name will include the date and time it was created after the underscore. Click OK.
  4. Browse the phone's file system and find the Wiglewifi folder. If you have the Google Earth app loaded on your phone the KML file will be associated with the program and tapping on the file will open it in Google Earth. (To load the Google Earth app go to the Google Play Store; refer to the beginning of this blog post on installing the Wigle app for the same steps to install the Google Earth app)
  5. The Google Earth app will open and show the scanned networks. Double tap on the screen to zoom in.
  6. Tap on a pin icon to show the details of a network.
Thanks for reading this blog about the Wigle app and please post any questions or comments you have. You can also visit my earlier blog post on how to Visualize Wi-Fi Networks Using Vistumbler and Google Earth.

Visualize Wi-Fi Networks Using Vistumbler and Google Earth

Vistumbler is an excellent free tool that scans for nearby wireless networks within range of your wi-fi adapter. Once Vistumbler finds a wireless network it will display the network's SSID, signal strength, encryption being used, MAC address, the network's channel, access point manufacturer, and much more.

If you download and install the Google Earth application and have a GPS device you can use the most advanced feature of the program. You will be able to map the nearby wireless networks Vistumbler finds onto a map of Google Earth.

Below are the steps to install the necessary programs and how to configure them and a GPS unit to capture the networks and place them onto a Google Earth map.

1. Download and install the Vistumbler program. http://www.vistumbler.net

  • Vistumbler will only run on Windows Vista and Windows 7. Windows XP users will need to check out a similar scanning program called Netstumbler.

2. Download and install Google Earth. http://www.google.com/earth/index.html.

3. Open the Vistumbler program and configure it to work with the on board wireless adapter.

  • Disable any third-party wireless configuration utilities and disconnect from any wireless networks you are connected to.
  • Click the Interface menu option and from the list of available interfaces select your wireless adapter.

  • One nice thing about Vistumbler is it works with a wide variety of adapters including USB wireless adapters. As seen below a USB adapter is plugged into the laptop and is listed as one of the available interfaces.

4. Plug the USB GPS unit into the laptop.

  • For this tutorial I’m using a Globalsat BU-353 mouse receiver unit. A Globalsat BU-353 USB GPS unit can be purchased on eBay or Amazon for 30 to 35 dollars.
  • Install the drivers that come with the Globalsat GPS unit and run the GPS utility that also came with it to first establish the current GPS position.

5. Right click on the My Computer desktop icon and select Properties from the pop up menu, then select Device Manager and expand the Ports section.

  • Verify the COM port that the Prolific USB-to-Serial Comm Port is assigned. This is the port that the Globalsat BU-353 GPS unit is using and it will need to be set in the Vistumbler program.

6. Go back to Vistumbler and click on the Settings menu option and select GPS Settings.

  • In the Com settings select the port number that was found in the step 5.
  • The rest of the default settings can be accepted.

7. Click Settings again and select Auto KML/Auto Sort.

  • Adjust the path to your Google Earth installation.
  • An optional setting is to check the Automatically Open KML Network Link box. This setting will open Google Earth showing real-time visualization while a scan is in progress.

8. With everything setup and in place it is time to start the scan.

  • On the main screen for Vistumbler hit the Scan APs and the Use GPS buttons.

9. The Vistumbler window will start filling up with the wireless networks it finds.

  • If the GPS is working correctly the Latitude and Longitude fields will be filled in with coordinates (not shown in the screen shot below, verify with your own scanning).

10. If Google Earth was not set up to open automatically (see step 7) when scanning click on the Extra menu option and select Open KML NetworkLink.

11. When done scanning click the Stop and Stop GPS buttons.

12. Another nice feature of Vistumbler is any number of filters can be set up and applied to live scans or saved scans.

  • Select the View menu option and select Filters, and then Add/Remove Filters to open the filter designer window.
  • Any saved filter will be listed below the Add/Remove Filters option and can be turned on or off by clicking on the filter name in the list.

13. Save the scan to a Vistumbler VSZ file format.

  • Click the File menu option and select Export to VSZ, and then select All APs.

14. Export the scan results to a Google Maps KML file.

  • Click the File menu option and select Export to KML, and then select All APs.

15. Open the Google Earth program and load the exported KML file.

  • Select File and Open and browse to the KML file exported in step 14 from Vistumbler.
  • Networks with no encryption will be shown with a green circle, WEP encrypted networks are orange, and networks utilizing WPA or WPA2 are red. Clicking on a network will display the network's information.

  • With the scanned networks loaded in Google Earth, you can use all the tools available in Google Earth to mark up the scan, and any changes can be saved back to the original KML file. You can transfer the KML file and load it on any OS you have Google Earth installed on.

Thanks for reading and happy scanning! Please post any comments or ask any questions you might have about any of the steps listed here or about the Vistumbler program.

Why You Should Password Protect Your Wireless Network

I see examples all the time of people either wanting to know how to hack their neighbor's wireless network (I’m also asked how to do this), or, like the screen shot below shows, almost bragging about using a wireless network that belongs to their neighbors. This example leads me to believe people are buying wireless routers and plugging the devices into their DSL or cable modems without changing any of the factory default settings on the router. While plugging in a wireless router is the quickest way to get the wireless network up and running, out of the box most home or small office wireless routers have no security set up.

Yahoo! Answers Example of Person Accessing Neighbor's Wi-Fi

One essential security setting to configure on the router is a WPA or WPA2 passphrase. The WPA passphrase will then be entered on the wireless devices accessing the wireless network thus controlling what devices can connect. Not only will the WPA passphrase control what devices can join the network, but it will also be used to encrypt the communications of the network.

Some helpful tips:

  • If you’re unfamiliar with your wireless router consult the user’s manual for how to get access to the management interface and how to configure the security settings. If you do not have the manual most manufacturers have them available for download from their web sites.
  • DON’T USE WEP! WEP encryption has known flaws and can be cracked very easily.
  • Visit my earlier blog post for tips on selecting a strong WPA2 passphrase.

Leave me a comment or question if you need some help setting up WPA encryption on your specific router. I will definitely post a reply or offer a link to assist with your question.

Is Your WPA2 Protected Wireless Network Really Secure

You’ve set up a wireless network in your home or small office and configured it with the highest level of encryption using a WPA2 passphrase. But is that WPA2 passphrase strong enough to protect the wireless network? A weak WPA2 passphrase could be hacked allowing an unauthorized person to use the wireless network. Even worse this unauthorized person could decrypt the communications revealing emails you send, web sites you visit, and passwords you use for access to websites.

You’re probably saying to yourself, if WPA2 encryption could be broken on my wireless network is there anything I can do to improve security for the network? Yes, with a couple of safeguards WPA2 can provide the required security, and I will describe how to apply these safeguards: always change the factory default network SSID, and make the WPA2 passphrase a completely random string of characters.

All small office home office routers ship from the factory with a default SSID assigned to the wireless network name. It might be Dlink, Linksys, or something else the vendor selected. You should always change this SSID to something of your choosing, but avoid a network SSID that might identify who owns the network, or something found in the top 1000 SSID names. Along with the WPA2 passphrase, the SSID is used to create the key to encrypt the wireless communications. Even though the SSID name can easily be found, if you’re using the factory default SSID or a common SSID name you make the job of the hacker that much easier.

With the SSID changed let’s move on to WPA2 passphrase. The WPA2 passphrase should be a completely random string of letters and numbers. Don’t use common dictionary words, names, a famous quote, the name of your favorite sports team, etc… At a minimum the WPA2 passphrase should be 25 characters, and you can bang on the keyboard until you get something with 25 characters or use a password generator web site. I like to use the password generator on the WhatsMyip.org website. If you use this site scroll down to the bottom of the page and look for the WPA Password Generator section, and use the “Better” option to generate a random 32 character passphrase.

WPA Password Generator


After getting the WPA2 passphrase entered into the wireless management interface on the router you should copy it into a Notepad file and save that to a USB storage drive. You can plug the USB drive into the other wireless devices and open the file to copy and paste the WPA2 passphrase into those devices to quickly add them to the network. Some devices may not have USB ports, and may require you to manually type in the passphrase, but this will be a one-time entry since the devices will save the passphrase.

The two suggestions above will increase the security of your wireless network and make it harder for a potential hacker to break. Making your wireless network a difficult target will more than likely cause a hacker to move on to an easier one.

Additional Reading:

To learn more about passphrases check out the Wikipedia page.

If you’re looking for more security tips when setting up a home wireless network check out my earlier blog post.