Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: pentesting my wireless network.

  1. #1

    pentesting my wireless network.

    hi all,

    i'm trying to break into my own wireless network, and it's encrypted with 128-bits WEP and access control,
    for the firt part, i know that there are tools like airsnort which would be able to crack the key if given enough time, but as for the access control, how would you ( or some hacker) would get past that???

    according to my calculations, there would be 281.474.976.710.656 possibilities, so a program which would try all of them by spoofing your mac, would take a hell of a lot of time...

    i've read that this would still be possible for a hacker to get past my security, and no doubt it will be possible, but i want to know how much time it would take by testing it myself...

    at the moment i'm trying to get my wlan card to work with RH9, when i'm finished i'm going to download airsnort and see what it can do...

    if someone can give me more info about the access control, i would highly appreciate it

    as for those who don't believe: this is not some pathetic try of social engineering, i am just a little paranoid of my own network since my system with very personal files is on the same network.


    thanks in advance for the replies

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Well if you are THAT worried, do you HAVE to use wireless?
    Its not secure. It can be hardened, but never will be perfect, as its broadcasting signal, etc.
    Hardwires are much harder to get at... If its a small network, run wired and its one less thing to worry about.
    Remember -
    The ark was built by amatures...
    The Titanic was built by professionals.

  3. #3
    ok, but i like wireless as well, now i can sit in my garden with my notebook and come to this forum :P

    i know it is not totally secure, but i want to test how long it would take to break the network, if it would take a couple of days for instance, then i wouldn't have to worry, since my home is stand-alone and anyone who would come that far near my home to get on my network, would be stupid to stay in our backyard for a couple of days

  4. #4
    Junior Member
    Join Date
    Oct 2001
    Posts
    20
    I'm new to wireless but ...(o'reilly book very good and I think they produce a wireless hacks book too)
    My understanding of WEP cracking is that you need multiple captures of the associations and transferred packets to then run a dictionary attack against the captured packets for the wep keys. WEP 128 would require several hundred thousand (maybe a million) packets captured making it very time consuming - the recommendation for protection against WEP cracking is to change the WEP key frequently (every 15minutes I think I read).

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    While I don't think it a good idea to post specific directions here to demonstrate
    Mac Address and Arp spoofing, I would like to suggest you use Knoppix STD
    to do your research. RH9 is way overkill and bloated for this type of work. Knoppix STD has the tools you need as part of the distro and its all run from a CD unless of course you choose to install it directly to you HDD.

    http://www.knoppix-std.org/

    Cheers!!

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Here is a little something that I've done... I've played around a bit.. but not too much.
    (note: encryption was not enabled on this network at the time...so I don't know if you can grab valid MAC addresses through sniffing encrypted traffic)

    If the client has MAC filtering enabled... sniff for a while and get some valid MAC addresses.

    When that specific MAC address isn't in use, then spoof that MAC address and use it as your own.

    You will then get an IP on the network. Either through DHCP or by statically assigning your IP.

    You can then get access to the router... because you will be on the internal wlan.
    Since the cheap routers (linksys/dlink/etc) don't allow you to put ACLs on who can access the router.

    Find out what the user id for that model is (should show you model when you go to login... at least the ones I've messed with.)

    Then fire up something like brutus and put in the userid that you know and get a good password list. Start brute forcing/password guessing the router admin page.

    Set the parameters in brutus (or other similar script kiddy tool) to go a bit slower and to retry after three logins (or appropriate logins... linksys like to use 3 I believe... so does d-link) since it'll block your attemts. the program can disconnect and reconnect over and over until it guesses the right password.

    I've had success doing this on my buddy's wlan.

    Then I was able to add my NIC to the MAC filters or whatever else I wanted... basically if you own the router then you can do what you like on the network as far as accessing it.

    After that we enabled the encryption and it was time to go home. I'd like to get back over there and play some more... actually I'd like to get myself one to mess about with.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    If you have the system that has your personal files hardened against any type of attack, then it wouldn't matter if anyone cracked your wireless or not. But if you have printer and file sharing enabled, and/or other entry points avalible, then you could have a problem.

    On my wireless LAN at home, I have 3 computers that use it to share an internet connection. I have the SSID, Password and Admin/User accounts changed and password protected. Encryption is used also.

    But I am assumming that some one could crack my system, and enter my LAN. So, each computer is set up as a seperate enity and hardened the same as if it were directly connected to the net.

    I don't use any file sharing between computers and if I need to print something on the computer with the printer, I simply burn it to a cd or send it as an attachment in an e-mail.

    This works well for me, but you might have different requirements that demand you use file sharing and such.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  8. #8
    (post #5)

    While I don't think it a good idea to post specific directions here to demonstrate
    Mac Address and Arp spoofing, I would like to suggest you use Knoppix STD
    to do your research. RH9 is way overkill and bloated for this type of work. Knoppix STD has the tools you need as part of the distro and its all run from a CD unless of course you choose to install it directly to you HDD.
    i already have a copy of both the distro's and even Auditor, but the problems with these distro's are that they don't support my wireless card, so i would have to use the ndiswrapper, but for that i need the source of the kernel, and i haven't been able to get that with an install of one of those distro's

    You can then get access to the router... because you will be on the internal wlan.
    Since the cheap routers (linksys/dlink/etc) don't allow you to put ACLs on who can access the router.

    Find out what the user id for that model is (should show you model when you go to login... at least the ones I've messed with.)

    Then fire up something like brutus and put in the userid that you know and get a good password list. Start brute forcing/password guessing the router admin page.

    Set the parameters in brutus (or other similar script kiddy tool) to go a bit slower and to retry after three logins (or appropriate logins... linksys like to use 3 I believe... so does d-link) since it'll block your attemts. the program can disconnect and reconnect over and over until it guesses the right password.

    I've had success doing this on my buddy's wlan.
    this is not what i meant, i don bother getting into my router, since it is my own , and i don need to too if i would just have to get access to the network ...

    but thanks for the reply

    i'm running a firewall on that computer, no server service is running, i've changed the admin and guest accountname and they have hard passwords.... also guest is disabled... and fully up to date with patches...


    as for my router, it is behind another router which is connected to the internet, so from the outside i think it would be pretty difficult to get into that computer, so that leaves only the wireless as vulnerable....


    as for the sniffer part, i haven't thought about that yet, this should be possible, right after i cracked the WEP encryption, so we'll see what will work...


    thanks for all your replies. you've been a great help!

  9. #9
    hmm, doesn't 281.474.976.710.656 sound like too large of a number for MAC brute forcing?

    I remember reading in some thread on this site that wireless manufacturing companies have their mac addresses assigned. It's just the first 6 digits, but that does take a large chunk out of the problem.

    Durring a trip to the local electronics store, i found mainly 4 companies that would provide easy to configure consumer-level wireless devices. They were linksys, dlink, belkin, and netgear. So an attacker could just work with these 4 companies assigned MAC addresses to cut down on wasted time. For example, my wireless card is by belkin, and the first 6 digits are 0030BD. I Just went to the IEEE company_id assignments page and found these listings for belkin:
    00-11-50 (hex) Belkin Corporation
    001150 (base 16) Belkin Corporation
    00-30-BD (hex) BELKIN COMPONENTS
    0030BD (base 16) BELKIN COMPONENTS
    So if someone knows that i use a belkin card, they could just brute that address which would only require 16,777,215 guesses.
    Similarly,
    00-04-5A (hex) The Linksys Group, Inc.
    00045A (base 16) The Linksys Group, Inc.
    00-06-25 (hex) The Linksys Group, Inc.
    000625 (base 16) The Linksys Group, Inc.
    00-0C-41 (hex) The Linksys Group, Inc.
    000C41 (base 16) The Linksys Group, Inc.
    00-0F-66 (hex) Cisco-Linksys
    000F66 (base 16) Cisco-Linksys
    Can be found for linksys.

    by the way, this info was from this text document:
    http://standards.ieee.org/regauth/oui/oui.txt

    Not to mention I frequently use my wireless card at the local library, so anyone could see the huge yellow sticker on my card and know that it's a belkin. Wow, a whole new level of physical security... i guess i should put duct tape or some other kind of sticker on my card now.

    edit: no i don't specify a difference from hex and base 16, that was the way it was listed in the document
    You are so bored that you are reading my signature?

  10. #10
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Ummm... You seem to specify a difference between hex and base 16?


    You do not have to brute force a MAC, just capture one....


    The packet capture for a WEPcrack attack on 128 bit encryption is several million, after that the key can be computed in about 10 seconds.....


    As far as breaking in, I would see what the range is, then lower the Tx power as far as you can...
    Real security doesn't come with an installer.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •