Category: Wireless Hacking

Jan 06 2015

Wifiphisher – Fast Automated Phishing Attack Tool for WiFi Networks

wifiphisherWifiphisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining WPA credentials.

From the victim’s perspective, the attack makes use in three phases:

1] Victim is being deauthenticated from her access point: Wifiphisher continuously jams all of the target access point’s wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.

2] Victim joins a rogue access point: Wifiphisher sniffs the area and copies the target access point’s settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.

MiTM Attack

3] Victim is being served a realistic router config-looking page: Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.

Requirements:
― Kali Linux
― Two wireless network interfaces, one capable of injection.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

More Info: sophron/wifiphisher – GitHub

Dec 29 2011

Reaver – WiFi Protected Setup Brute Force Attack Tool

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.

Description:
Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

Installation:
Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:

$ ./configure
$ make
# make install

To remove everything installed/created by Reaver:

# make distclean

Usage:
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

Download: reaver-1.3.tar.gz

Reaver Home: http://code.google.com/p/reaver-wps/

Dec 27 2011

WiFi Protected Setup (WPS) PIN Brute Force Vulnerability

WiFi Protected Setup
The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.

Description:
WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.

When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total.

It has been reported that many wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.

Impact:
An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

Solution:
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable WPS
Within the wireless router’s configuration menu, disable the external registrar feature of WiFi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or WiFi Protected Setup.

Vendor Information:

Vendor Status Date Notified Date Updated
Belkin, Inc. Affected   2012-01-06
Buffalo Inc. Affected   2011-12-27
D-Link Systems, Inc. Affected 2011-12-05 2011-12-27
Linksys (A division of Cisco Systems) Affected 2011-12-05 2011-12-27
Netgear, Inc. Affected 2011-12-05 2011-12-27
Technicolor Affected   2012-01-06
TP-Link Affected   2011-12-27
ZyXEL Affected   2011-12-27

Credit:
Stefan Viehböck

References:
wi-fi-protected-setup-pin-brute-force-vulnerability
Wi-Fi_Protected_Setup
WCN-Netspec.doc
wifi-protected-setup
WPS Vulnerability Tesing – Google Docs
disabling-wps-on-the-router

Aug 04 2011

Wardriving Evolves Into Warflying

WarflyingBLACK HAT USA 2011 — Las Vegas — Yesterday at Black Hat, two security researchers demonstrated how a radio-controlled model airplane outfitted with a computer and 4G connectivity could be used to create a nearly undetectable aerial hacking device that could perpetrate aerial attacks on targets otherwise unreachable by land.

Created completely with off-the-shelf equipment and open-source software — and with a budget of only about $6,100 — the demo plane they brought on stage with them was capable of wireless network sniffing and cracking, cell tower spoofing, cell phone tracking and call interception, data exfiltration, and video surveillance.

“There is some really evil stuff you can do from the sky,” said Mike Tassey, who together with Richard Perkins spent more than 1,300 hours building, testing, and refining the device they call the Wireless Aerial Surveillance Platform (WASP).

WASP

Built on top of a surplus Army target drone Perkins had sitting in his basement, the device has been equipped with multiple wireless antennae and a microcomputer loaded with GPS, wireless sniffing tools, and the Backtrack 5 penetration testing toolkit. The 14-pound, 6-foot-long plane connects through a 4G dongle with a small base station that controls it using Google Earth and an open-source autopilot software solution. The base station streams data gathered by the plane and sends it over a VPN connection to a more robust back-end PC, which can take care of the heavy-lifting, such as crunching through large dictionaries to perform brute-force attacks. The Internet connectivity would make it possible to also crowdsource data to multiple hackers with different skill sets if a project needed the manpower.

The plane itself is powered off of an electric engine that is hard to detect by ear once it is as close as 50 feet away. Though FAA regulations prohibit flight of such devices from going above 400 feet, the drone itself would be capable of going well above 20,000 feet in altitude.

Perkins and Tassey said a device such as the one they developed could potentially be used for a number of nefarious reasons beyond run-of-the-mill hacking, including drug trafficking and terrorism. On the plus side, such drones could also be used by forces of good, including for search and rescue, military and law enforcement operations, and even to provide emergency cellular service in disaster zones. Whether built for good or bad, the design is not complicated, they said.

“You don’t need a Ph.D. from MIT to do this,” Perkins said.

Jul 15 2011

Vodafone Hacked – Root Password Published

Vodafone Sure Signal HackThe Hacker’s Choice announced a security problem with Vodafone’s Mobile Phone Network.

An attacker can listen to UK Vodafone mobile phone calls.

An attacker can exploit a vulnerability in 3G/UMTS/WCDMA – the latest and most secure mobile phone standard in use today.

The technical details are available at http://wiki.thc.org/vodafone.

The problem lies within Vodafone’s Sure Signal / Femto equipment.

A Femto Cell is a tiny little home router which boosts the 3G Phone signal. It’s available from the Vodafone Store to any customer for 160 GBP.

THC managed to reverse engineer – a process of revealing the secrets – of the equipment. THC is now able to turn this Femto Cell into a full blown 3G/UMTC/WCDMA interception device.

A Femto is linked to the Vodafone core network via your home Internet connection. The Femto uses this access to retrieve the secret key material of a Vodafone customer who wants to use the Femto.

THC found a way to circumvent this and to allow any subscriber – even those not registered with the Femto – to use the Femto. They turned it into an IMSI grabber. The attacker has to be within 50m range of the UK Vodafone customer to make the customer’s phone use the attacker’s femto.

The second vulnerability is that Vodafone grants the femto to the Vodafone Core Network HLR /AuC which store the secret subscriber information. This means an attacker with administrator access to the Femto can request the secret key material of a UK Vodafone Mobile Phone User.

This is exactly what happened. The group gained administrator access to the Femto. An attacker can now retrieve the secret key material of other Vodafone customers.

This secret key material enables an attacker to listen to other people’s phone calls and to impersonate the victim’s phone, to make phone calls on the victim’s cost and access the victim’s voice mail.

This is clearly a design flaw by Vodafone. It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password, thus allowing anyone to retrieve secret data of other people.