Home Wireless Pen Testing for Business or Pleasure . . . .

Friday, June 21, 2013

Jayson Wylie


Responsible Security Testing

I would like to preface the following information with a note that the tools in the BackTrack distribution series should be viewed as having the potential to be used in both beneficial and harmful ways. The analogy I like to use for these tools is a chef’s knife. It can be used for the hard work of creating nutritious meals, or to put gaping holes in someone’s internal systems.

It all boils down to intent. What is the intent for using a tool against a target, or the reason for an engagement?

My intent in presenting the following information is to introduce people to the easy and commonly used BackTrack 5 R3 (BT5 R3) tools for looking for some of the more current critical flaws found in the home-brand lines of wireless network devices. This includes small businesses and shops that choose commonly used cheap brands like D-Link, Linksys and Netgear.

This issue becomes a great opportunity for an aspiring security professional looking for a few bucks, for reasons that I will detail later. As with a small business, security may also be more critical for a home system whose owners telecommute or VPN into more secured systems and may not want dnmap (the new distributed nmap) or distributed sniffers egressing sensitive information.

I suggest looking into Maltego to help find opportunities by doing some active reconnaissance. Those who could be pursued for a business purpose can be shown that their information is easily obtained. It’s always good to start with an active Google search, for example:

allintext:”John Doe” New York City site:Linkedin.com |

inurl or intitle:”John Doe” resume site:docs.google.com…or don’t specify a site

There is always a difference between the hats. A greyhat uses tools like those found in BT5 R3, obtains sensitive information that allows unauthorized system access, and then approaches the owner(s) for a business opportunity or kudos for finding a solution.

A blackhat could use the information more for exploitation, like fraud or unauthorized use of resources for nefarious purposes, and this could be deemed more criminal. I would always get permission first, which means I take no prosecution or conflict risk, and that’s a whitehat to me.

Introduction and Scope

There is plenty of opportunity to check areas with wireless density of home brands whether it’s for business, personal, friends or relatives to develop relationships and build on the customary ‘point’ system or cash. There may be even more room for improvement if they sit right on the WWW.

As with the security posture with any entity, one may not know if there is protection prior to testing. BT5 R3 can be used to easily detect issues but it might take more research than my advice to fix any certain situation.

A few more heads in the government and private sectors are becoming more security aware. Implementations of Defense-in-Depth and proactive monitoring, by either desire or necessity, are creating more of a security culture.

The segment that will most likely lag behind the rest is home network users. The cause is a combination of these products having certain ease-of-use features and the lack of knowledge most home users have about properly securing or monitoring their networks.

The bottom line is that unless you are one of those technology enthusiasts, there is a great chance of being a victim through the various tactics used by those looking for your goods. And the truth is, if anyone truly wanted to get into a home wireless device or network, they will. Use detection practices.

Wireless Testing Requirements

Testing wireless is different from testing over a constant LAN/WAN connection. Things might have changed, but if you run BT5 R3 in a virtual machine you will need an external supported wireless adapter. I recommend anything by Alfa.

BackTrack tools can also be run natively on an operating system, depending on the platform. This allows internal cards, but in the case of a MacBook Pro you can’t install native Alfa drivers; you can, however, use them through KisMAC, whose Linux equivalent is Kismet, which is a good tool for scanning Wi-Fi networks.

The direct wireless interface, as seen in the shell command iwconfig, is rarely used by the tools identified here. The monitor interface mon0 is typically used. For most of them I would say having a monitor interface and a Basic Service Set Identifier (BSSID) will get some of the basic functions out of the tools. The Service Set Identifier (SSID) is what is broadcast, or not, and can also be used to single out a network target.

Some tools will need to be set up. It is easiest to run them out of the BackTrack menu, if possible, in their loaded shell or GUI. The shell tools have switches, and <command> --help will give the options and command formats available. Extensive information about a tool can sometimes be found in its manual page, which can be pulled up with man followed by the command or tool name (man <command>).

The range, signal strength and sometimes the number of probes vary the effectiveness and results of some of the wireless tools identified. Your results will come faster if you are in close proximity to the access point than if you are at the edge of its wireless range. Channels also come into play: there is channel hopping, and there are devices that are either configured or set to a default channel. Many of the mentioned tools can be set to only probe certain channels.

Additional Reading on Wireless Design

Much of the configuration needed to perform testing focused on a certain network can be found in the web interface of the device. If you are searching for business or opportunities there are other ways to find out information on a larger scale, and the same tools can usually be used to do both.

The Vector

People usually use wireless routers for years. A replacement may come because a new faster band emerges, like 802.11ac, or a band, like 802.11n, comes out of draft. I would estimate that the leading edge of the protected curve is the technology enthusiast, which leaves the rest of the home market typically keeping a router until it breaks.

Exposure to these types of wireless network vulnerabilities allows for the potential for detection, and possibly exploitation, by any malicious hacker in range. This could be a kid down the block or the vehicle parked in the street. The monitoring device just needs to be within distance to be able to cleanly probe the wireless network(s).

The vast majority of wireless networks are in Europe and the United States. There are other progressive countries with more wireless access point density than, say, Africa, but this is a very large attack vector whose only barrier is being close enough and having the time to probe public 802.11 radio frequencies.

Start with yourself, circle of friends, known small business owners, and the down to acquaintances before jumping into the ‘Wild’.

A Few Current Feature Flaws

Most home brands of wireless network devices can have a few major design flaws, and due to the size of this market base and the typical lack of qualified operators, it is a big issue. The option of WEP is an obvious one and should never be used. Wi-Fi Protected Setup (WPS) makes it easier to connect to a wireless network than using a passphrase.

It is still found in new routers and in devices like smart TVs and printers, even though it has been such an outstanding flaw. Flaws in the implementation of WPS were found over a year ago; it completely bypasses the encryption through a 4-digit PIN that is really larger, with pre and post keys internally. It still only requires a little time to crack.

Universal Plug and Play (UPnP) is another ‘easy mode’ feature that allows network devices to integrate more easily. Also worth mentioning is the remote root vulnerability just found in a certain model of Linksys router; it could very well spread across more of their models.

With some of these major feature flaws, the remedy could require the purchase of a newer, more secure model, configuration changes or a firmware upgrade. Even then there can be issues that can be fixed, and any time firmware is upgraded there is a chance of bricking the unit. So research the solution implementations well prior to taking action.

The WEP Option Issue

Finding networks protected by WEP is like finding a network not protected at all.  Both of these unprotected states give a good chance for an easy approach to the network’s owner to be a potential customer for further services.  You especially want to protect those in your inner circle.

It is known to those with experience with wireless encryption options that WEP can be cracked very fast using the wesside-ng tool or, now, the wifite.py script. wesside-ng uses the basics: the BSSID and the interface. From the terminal type:

wesside-ng -i <interface (ie. mon0)> -v <BSSID>

If you want to see how quick it is to crack WEP, set your router to it and use your own BSSID.  Using wesside-ng or any other WEP cracker is a good Proof of Concept (PoC) test to show a network’s owner.

A new addition to the BT releases is the wifite.py script, which can be found in the Wi-Fi exploitation tools area. It allows a greater ability to target one network or crack any WEP in range. This cuts down on some of the work.

Tools can be a variety of things, but a script tool is not a file that can run alone. So you can’t run it the way you run something like ./msfconsole, which is the Metasploit console, with ./wifite.py.

It has to be preceded by the interpreter for the language it is written in. So the extension *.py means it is written in the Python language, which is why python leads the command before the script. Perl uses the *.pl and *.pm extensions and would be executed with that command (ie. perl perlscript.pl).

Here it is now using a broadcast SSID:

python wifite.py -i <interface> -e <SSID>

It can also be used as a shotgun against everyone within distance:

python wifite.py -i <interface> -all -wep -showb

This script has so much power and versatility for testing wireless networks that it can be used to attack more advanced encryption than WEP, as well as the next commonly found flaw.

Wi-Fi Protected Setup (WPS) 

With a flawed feature you would think that the obvious defensive action would be to disable the function, either through hardware or a configuration change? Maybe upgrade the firmware or feel safe that your regular vendor firmware updates are keeping easy mode flaws in a network safe?

A couple of factors make common sense and general network device maintenance a poor remedy for this flaw when upgrading the firmware. Upgraded firmware for some devices, other than what came from the factory, will let you disable the feature, but for some it is just cosmetic while WPS stays on!

The best chance of protection would be to upgrade the firmware with one that has been given a fix. This next table shows the lack of aggression by Cisco, probably the largest market share, in fixing their home networking products with the flaw:

Cisco's Attempt to Fix WPS

There seems to be a bit of misperception of this exploit that I have seen portrayed on the Internet. A lot of people seem to state that this method is for cracking WPA/WPA2. This is not the case. It is a test or attack against the WPS flaw and the compromise of that feature, which uses different methods to connect. It’s a four-digit PIN with some pre and post salting.

Wash is used straight through the terminal. This tool is a WPS flaw scanner that surveys access points within range or can send out probes.

This tool can be tweaked to perform faster when probing wireless networks and getting good information by using the -C switch, which ignores Frame Check Sequence (FCS) errors. This will always discard poorly received packets. Getting closer in proximity to weak-signal access points will improve the ability to collect as well.

A basic wash survey is:

wash -C -i <interface> -o <output file>

This will detect all WPS-affected access points within range and send them to an output file. Wash can also be used in scan mode with the -s switch. Survey is the default and is more passive, whereas setting it to scan mode will send out probes.

wash -C -s -i <interface> -o <output file>

Wireless detection is all about time. It’s the resources of the machine, the adapter and the number of probes you have out. If you want to adjust the exposure and the probes per network in scan mode, type:

wash -C -i <interface> -s -n <1-15> -o <output file>

You can use the Reaver tool, found in the wireless WLAN exploitation menu, to crack WPS given enough time. If you already know the SSID or BSSID and have a functioning interface, you can do a basic run like:

reaver -i <interface> -b <BSSID> [-e <SSID>] -vv

The -vv switch will show verbose information. When approaching an activity or engagement, both personal and business, it is best to be stealthy. You don’t want to affect availability, which could impact the business, the user or yourself. Adding a delay in seconds between attempts with the -d switch will lessen the aggression.

The -x switch, in seconds, will set reaver to hold off on additional PIN attempts after failures, and this should be set to a high value. It can be set to go slow and steady with -r x:y, waiting y seconds for every x PIN attempts.

A good command line of reaver switches to allow a long, safe and steady test is:

reaver -i <interface> -b <BSSID> -d 10 -x 1800 -r 30:100 -5 -A -o <output file> -q

The -5 switch sets it to the 5 GHz range and -c can set it to a certain channel. -A is so you don’t associate with any network, which will keep the scan honest.

Do research into other value added scripts, plugins or add-ons when becoming more proficient in using BT5 R3 like this following Perl script that is a reaver wrapper giving the original commands more abilities to control the test:

Net-War Reaver Wrapper

There is a declared mean average of a little over ten thousand tries before access is typically obtained through WPS with reaver. If WPS is turned off in the router configuration and the vulnerability still shows through the test, then I would suggest either looking into supported firmware like DD-WRT or looking for a replacement.

The results pulled from the reaver tool can be sensitive information about the wireless router configuration that can be used to show owners that they are not secure; they may then be interested in hearing more. They may or may not be, and they may feel violated. Just be careful in the way you present having their personally used information.
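To put numbers on the risk described in the two WPS paragraphs above (the "four-digit PIN with pre and post salting" and the "little over ten thousand tries"), here is an added example of my own, not code from the post or from reaver: the check-digit rule is the one from the WPS specification, and the split-verification count reflects the access point confirming the two halves of the PIN separately, which is the design flaw the post is talking about.

```python
"""Why the WPS PIN flaw matters: search-space arithmetic (added example)."""

from typing import Dict


def wps_checksum(first7: str) -> int:
    """Return the check digit the WPS specification appends to a 7-digit PIN.

    Reading the 7 digits left to right, the 1st, 3rd, 5th and 7th are
    weighted by 3 and the rest by 1; the check digit makes the weighted
    sum a multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    accum = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN's last digit is the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(pin[:7])


def pin_search_space(split_verification: bool) -> Dict[str, int]:
    """Number of PIN guesses an online attack needs, worst case and expected.

    Without the flaw every guess tests the whole PIN: 10**7 candidates,
    because the 8th digit is fixed by the check digit. With the flaw the
    access point answers the first four digits separately from the last
    four, so the halves can be searched one after the other: 10**4 for
    the first half, then 10**3 for the second (its last digit is the
    check digit). Expected effort is half the worst case.
    """
    if not split_verification:
        worst = 10 ** 7
        return {"worst_case": worst, "expected": worst // 2}
    first_half, second_half = 10 ** 4, 10 ** 3
    worst = first_half + second_half
    return {"first_half": first_half, "second_half": second_half,
            "worst_case": worst, "expected": worst // 2}


def reduction_factor() -> int:
    """How many times smaller the flaw makes the worst-case search."""
    return pin_search_space(False)["worst_case"] // pin_search_space(True)["worst_case"]


if __name__ == "__main__":
    # 12345670 is a well-formed PIN: the weighted sum of 1234567 is 60.
    print("12345670 well-formed:", is_valid_wps_pin("12345670"))
    print("without flaw:", pin_search_space(False))
    print("with flaw:", pin_search_space(True))
    print("reduction factor:", reduction_factor())
```

The worst case with the flaw is 11,000 guesses and the expected effort 5,500, which is why the only real fix is firmware that actually turns WPS off, as the post says.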

Universal Plug and Play (UPnP)

Another vulnerable feature implemented on many network devices is UPnP. Like WPS, this feature is used on many different products for ease of discovery and access. A reputable security firm recently reported an estimated 50+ million vectors for this flaw.

I feel the most common use of this flaw is to make a call back to the router, and if the attacker knows the router type they can try the default credentials against it. It would be best to use an OS that supports Little Snitch, or the like, so this can be easily blocked. An even easier protection would be to change the device’s credentials from the default.

Unlike WPS, UPnP is associated with an IP port. That port is UDP/1900. If the feature can’t be or isn’t turned off, the port should be closed or blocked. Since this affects a variety of devices, it is best to use a lateral port scan tool. nmap is my favorite, and it can alternatively be used with the Zenmap GUI.

Let’s see a basic nmap command for a TCP SYN and UDP scan targeting port 1900 on what would be the default gateway in both tools for most home-style networks:

nmap -sS -sU -p 1900 192.168.1.1

The command-line version gives a lot more ability to perform quicker scans or gather more information if you know the switches. Both tools require an understanding of nmap’s versatility, but it is harder to parse command-line output files if you don’t know grep, awk or a language like Perl and have huge results.

Zenmap’s GUI may make people feel more at ease with using the scan and gives beginners a way to ease into the command line if they are not yet comfortable. Here is the same UPnP scan in Zenmap:

[Image: the same UPnP scan of 192.168.1.1 shown in the Zenmap GUI]

Think it is prettier than trying to see through the BT desktop? The state of this one is good and bad. It’s closed for direct connection with TCP, but UDP could be used to attack, because you will see this as a common state and it is the attack vector.
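The "closed is good, UDP is the problem" reading above can be automated instead of eyeballed in Zenmap. This is an added example of my own, not code from the post or from nmap: it parses nmap’s grepable output (-oG) for the port 1900 scan above and grades the UDP/1900 state; the scan output it works on is a constructed sample, not a real scan result.

```python
"""Parse nmap grepable (-oG) output and grade the UDP/1900 (UPnP) state (added example)."""

from typing import Dict, List

# Constructed sample of what "nmap -sS -sU -p 1900 -oG gw.gnmap 192.168.1.1"
# might write for a typical home gateway; it is not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated Fri Jun 21 12:00:00 2013 as: nmap -sS -sU -p 1900 -oG gw.gnmap 192.168.1.1
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 1900/closed/tcp//upnp///, 1900/open|filtered/udp//upnp///
# Nmap done at Fri Jun 21 12:00:05 2013 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

# Field order of one port entry in grepable output.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")
UPNP_PORT = "1900"


def parse_gnmap(text: str) -> List[Dict[str, str]]:
    """Return one record per port entry found in grepable nmap output.

    Sections on a "Host:" line are tab-separated ("Host: ...", "Ports: ...",
    "Ignored State: ..."); port entries are comma-separated and each has
    seven slash-separated fields.
    """
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        sections = dict(s.split(": ", 1) for s in line.split("\t") if ": " in s)
        ports = sections.get("Ports")
        if not ports:
            continue
        for entry in ports.split(","):
            fields = entry.strip().split("/", 6)
            if len(fields) != len(PORT_FIELDS):
                continue  # skip anything that is not a well-formed entry
            record = dict(zip(PORT_FIELDS, fields))
            record["host"] = host
            records.append(record)
    return records


def assess_upnp(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Grade each host's UDP/1900 result the way the text above reads it."""
    verdicts = {}
    for rec in records:
        if rec["port"] != UPNP_PORT or rec["proto"] != "udp":
            continue
        if rec["state"] == "closed":
            verdicts[rec["host"]] = "ok: UDP/1900 closed, UPnP not reachable"
        elif rec["state"] in ("open", "open|filtered"):
            # nmap cannot tell a silent UDP service from a dropped probe,
            # so open|filtered has to be treated as potentially exposed.
            verdicts[rec["host"]] = (
                "exposed: UDP/1900 %s; disable UPnP or block the port" % rec["state"]
            )
        else:
            verdicts[rec["host"]] = "unknown: UDP/1900 state %s" % rec["state"]
    return verdicts


if __name__ == "__main__":
    for host, verdict in assess_upnp(parse_gnmap(SAMPLE_GNMAP)).items():
        print(host, verdict)
```

Run it over the -oG file from a real scan of your own gateway, internal and external, and an "exposed" verdict is the cue to disable UPnP or block UDP/1900 as the next paragraph describes.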

 

If UPnP cannot be turned off then UDP port 1900 should be blocked with a stateful or application firewall. This means using Windows Firewall with Advanced Security, or a PIX with some fancy internal setup.

This scan should be done both internally and externally for a network, and attempts made to turn off the feature or isolate the device if possible. Again, buy or suggest replacements if the flaw cannot be eliminated.

For an external test you will need the public IP address that the router uses. This can usually be found in the DHCP configuration in the router’s web admin page, probably under something like Status. Perform external tests from another external Internet network. Try an IHOP or a coffee shop if you have no other option.

I feel you have to know the Metasploit framework if you want proof. Metasploit takes a little work to get set up in BT5 R3. It has changed a little in recent years, so if you haven’t looked at it in a while you will have to learn the new tricks and commands, like attaching the database. Much information can be found on the Internet, but a good book is out: Metasploit: The Penetration Tester’s Guide by HD Moore. HD Moore is a major contributor, if not the brains behind it all, to Metasploit.

 

Remote Rooting a Linksys Device

A recently reported flaw is a small side note due to the small vector it affects. However, if it has been found in one device it is very possible that there are similar vulnerabilities in the whole line, or at least in other comparable models. The model currently identified as affected by the exploit is the WRT54GL.


Details on Linksys Root Vuln

 

It may pay to go on eBay and stock up on older models of Cisco routers. This would be especially good for the models that are End of Life and not able to have firmware upgrades.

No harm, no foul if it’s all your own stuff and some End User License Agreement (EULA) doesn’t restrain testing. Bug bounty programs are emerging, and there are always those who would buy bugs, like security companies intending to make a profit and governments.

A related rooting tool in BT5 R3 is telnetenable.py. It’s probably easier to find the scripts in the shell with locate, but they can also be found in the menu. It’s a tool to get telnet access to Netgear devices. It’s a minor tool addition but is noteworthy and simple if you know the model and try the default credentials and that’s what is set.

 

The great thing about scripts is that the code can be looked at, reviewed or altered by someone who knows how to code in the specific language. You will have to find a way to view the code, and most veterans will fall back on the VI editor, now known as Vim, which can be opened from the terminal by typing vi.

Included in the Accessories menu for BT there is the gedit text editor. This is not as easy as using some of the other *nix-style editors. I use nano because it’s quick and easy from the terminal, so to open scripted tools to better understand them, choose the command shell from the menu and type:

nano wifite.py

This is a very complex script. Read the remarks and notes, and if you are trying to learn Ruby, Python or even Perl, there are plenty of examples on the distro to work from to improve your skills and understanding of scripting in the different common scripting languages.

Further Protection Suggestions

I hope that I have impressed upon you how exposed most home-brand wireless routers are and how hopelessly weak their security is. There are a few additional things that can be done. Your wireless device can be turned off when you are not using it. Changing the SSID and MAC to reflect different devices than they actually are is a form of security through obscurity.

Do your research correctly on this to make sure you are changing the configurations appropriately. Changing the SSID from Cisco* to 2WIRE* will require equivalent changes in the MAC to reflect the vendor of the two. You can turn off the SSID broadcast, but the SSID can still be obtained with airodump-ng, so this will only stop casual browsers.

Most wireless network devices have the ability to restrict MAC addresses. This can be a recommendation to get some amateur off the network. The ease of changing the MAC address of a device

Monitoring is the proactive activity of checking the device and host logs. Intrusion system, firewall and content proxy logs come into play in more complex environments. Detection is a little more involved and will take maybe a Google education or experience. You have to know what you are looking for, or whether what you are looking at shouldn’t be there.

Protection usually involves keeping patches and firmware up to date. More specifically, it is to find or know weaknesses and take action to eliminate the vulnerabilities.

Conclusion

The home office and small business markets are huge vectors with tremendous exposure for finding vulnerabilities at the network perimeter and internally. It’s a nice gesture to use security skills to improve the networks of those you would like to help.

If income is necessary, read a book on consulting and know what you are doing to best protect your efforts. Know the regional cyber laws and regulations. Be confident and be able to speak in terms of the cost of the threat to the business as opposed to the solution. It is a little more difficult to sell a solution, so the threat needs to be expressed in monetary terms of loss or damage, so that a new device and the price to put it in sound like a bargain, especially when costs additional to services are required.

I predict that home networks will be targeted more and more to gain financial or identity information. Criminal tactics have changed through the years from destruction to financial gain for most victims. We have gone from virus infections to financial Trojans.

Home networks and those who use related equipment need to be secured as much as the rest of the segments of the market. The flaws are extreme and the tools are easy to pick up to start helping protect home security, for business or for pleasure.

Responsible Security Testing

I would like to prelude the following information with a note that tools in the BackTrack distribution series should be viewed to have the potential to be used in both beneficial and a harmful ways.  Analogies that I like to compare the tools to are ones like Chef’s knives.  They can be used for the hard work of creating nutritious meals or put gaping holes in someone’s internal systems.

It all boils done to intent.  What is the intent for using a tool against a target or reason for an engagement? 

My intent for presenting the following information is to identify and start people in the use of easy and commonly used BackTrack 5 R3 (BT5 R3) tools to look for some of the more current critical flaws found in the home brand lines of network wireless devices. This includes small business and shops that choose commonly used cheap brands like D-Link, Linksys and Netgear.

This issue becomes a great opportunity for an aspiring Security Professional looking for a few bucks due to reasons that I will detail later. As with a small business, security may also be more critical for a home system whose owner ‘s telecommute or VPN into more secured systems and may not want dnmap, new distributed nmap, or distributed sniffers egressing sensitive information out.

I suggest looking into Maltegoto help find opportunities by doing some active reconnaissance. Those who could be pursued, for a business purpose, by showing information them that their information can be easily obtained. It’s always good to start with an active Google search for example:

allintext:”John Doe” New York City site:Linkedin.com |

inurl or intitle:”John Doe” resume site:docs.google.com…or don’t specify a site

There is always a difference between the hats.  A Greyhat uses tools like those found in BT5 R3 and obtains sensitive information that allows unauthorized system access to approach the owner(s) for the opportunity for business or Kudos for finding a solution. 

A Blackhat could use the information more for exploitation, like for fraud or unauthorized use of resources for nefarious purpose and this could be deemed more criminal. I would always get permission prior, which means I take no prosecution or conflict risk, and that’s a Whitehat to me.

Introduction and Scope

There is plenty of opportunity to check areas with wireless density of home brands whether it’s for business, personal, friends or relatives to develop relationships and build on the customary ‘point’ system or cash. There may be even more room for improvement if they sit right on the WWW.

As with the security posture with any entity, one may not know if there is protection prior to testing. BT5 R3 can be used to easily detect issues but it might take more research than my advice to fix any certain situation.

A few more heads in the government and private sectors are becoming more security aware. Implementations of Defense-in-Depth and proactive monitoring by either desire or necessity will and is creating more of a security culture.

The segments that will most likely lag behind the rest are home network users.  The cause is a combination of these products having certain, ease-of-use, features and the lack of knowledge of most home users to properly secure or monitor their networks. 

The bottom-line is that unless you are one of those technology enthusiasts there is a great chance for being a victim through various tactics used by those looking for your goods. And the truth is, if anyone truly wanted to get into a home wireless device/network, they will. Use Detection practices.

Wireless Testing Requirements

Testing wireless is different than testing on a constant LAN/WAN connection.  Things might have changed but if you run BT5 R3 in a virtual machine, you will need to have an external supported wireless adapter. I recommend anything Alfa.

BackTrack tools can also be run natively on an operating systems depending on the platform.  This allows internal cards but in the case of using a Mac Book Pro you can’t install native Alfa drivers but can use them through Kismac whose Linux equivalent is Kismet, which is a good tool for scanning Wi-Fi networks.

The direct wireless interface, as seen in the shell command iwconfig,is rarely used in the tools identified. The monitor interface mon0 is typically used. For most I would say having a monitor interface and a Basic Service Set Identifier (BSSID) would get the some of the basic functions out of tools.  Service Set Identifier (SSID) is what is broadcasted, or not, and can this also be used to single out a network target.

Some tools will need to be set up.  It is easiest to run them out of the BackTrack menu, if possible, in their loaded shell or GUI.  The shell tools will have switches but the<command>--help will give the option and command formats available.  Extensive information about a tool can sometimes be found in manual pages. The manual page content available can be pulled with the command or tool followed by MAN.

The range, strength of signal and sometimes number of probes varies the effectiveness and results for some of the wireless tools identified. Your results will be faster if you are within close proximity of the point than if you are at the edge of the range of your wireless. Channels also come into play and there is channel hopping as well as devices that are either configure or set to a default channel.  Many of the mentioned tools can be set to only probe a certain channels. 

Additional Reading on Wireless Design

Much of the configuration needed to perform testing, focused on a certain network, can be found in the web interface of the device.  If you are searching for business or opportunities there are other ways to find out information on a larger scale and the same tools can be usually used to do both.

The Vector

People usually use wireless routers for years.  It may be because a new faster band emerges like 802.11ac or a band, like 802.1n, comes out of draft.  I would estimate that the leading edge, of the protected curve, is with the technology enthusiast that leaves the rest of the home market typically keeping a router until it breaks.

Exposure to these types of wireless network vulnerabilities allows for the potential for detection and possibly exploitation for those in range of a malicious hacker.  This could be a kid down the block or the vehicle parked in the street.  The monitoring device just needs to be in distance to be able to cleanly probe the wireless network(s).

The vast majority of wireless networks are in Europe and the United States.   There are others progressive countries with more wireless point density than say, Africa, but this is a very large attack vector that only has a barrier of being close enough and having the time to probe public 802.11 Radio Frequency.

Start with yourself, circle of friends, known small business owners, and the down to acquaintances before jumping into the ‘Wild’.

A Few Current Feature Flaws

Most home brands of wireless network devices can have a few major design flaws and due to the size of this market base and typical lack of qualified operators, it is a big issue.  The option of WEP is an obvious one and should never be used. Wireless Protected Setup (WPS) makes it easier to connect to a wireless network as opposed to using a passphrase.

This is still found in new routers and devices like smart TVs and printers even as it has been such an outstanding flaw. The implementation of WPS had flaws found over a year ago and completely bypasses encryption through a 4 digit PIN that is really larger with pre and post keys internally. This still only requires a little amount of time to crack.

Universal Plug and Play (UPnP) is another ‘easy mode’ feature that allows network devices to integrate easier. Another mention should be the remote root ability to a certain model of Linksys router just found but it could very well spread across more of their models. 

With some of these major feature flaws, it could require the purchase of a new more secure model, configuration changes or a firmware upgrade.  Even then, there can be issues that can be fixed and anytime firmware is being upgraded there is a chance of bricking the unit.  So research the solution implementations well prior to taking action.

The WEP Option Issue

Finding networks protected by WEP is like finding a network not protected at all.  Both of these unprotected states give a good chance for an easy approach to the network’s owner to be a potential customer for further services.  You especially want to protect those in your inner circle.

It is known to those with experience with wireless encryption options that this can be cracked very fast using the wesside-ng tool or now the wifite.py script. wesside-ng uses,the basics, the BSSID and the interface. From terminal type:

Wesside-ng -i <interface (ie. mon0)> -v <BSSID>

If you want to see how quick it is to crack WEP, set your router to it and use your own BSSID.  Using wesside-ng or any other WEP cracker is a good Proof of Concept (PoC) test to show a network’s owner.

A new addition to the BT releases is the wifite.py script, which can be found in the Wi-Fi Exploitation tools area.  It makes it easier to target one WEP network or to crack any WEP network in range, which cuts down on some of the work.

Tools come in many forms, but a script is not a file that runs on its own.  So you can’t run it the way you would run a binary like ./msfconsole (the Metasploit console) by typing ./wifite.py

It has to be preceded by the interpreter for the language it is written in.  The *.PY extension means it is written in Python, which is why python leads the command before the script.  Likewise Perl uses the *.PL and *.PM extensions and is executed with that command (ie. perl perlscript.pl).

Here it is, targeting a broadcast SSID:

python wifite.py -i <interface> -e <SSID>

It can also be used as a shotgun against everyone within range:

python wifite.py -i <interface> -all -wep -showb

This script has so much power and versatility for testing wireless networks that it can be used to attack encryption more advanced than WEP, as well as the next commonly found flaw.

Wi-Fi Protected Setup (WPS) 

With a flawed feature you would think the obvious defensive action is to disable the function, either in hardware or through a configuration change. Or maybe upgrade the firmware, or feel safe that your vendor’s regular firmware updates are keeping ‘easy mode’ flaws out of your network?

A couple of factors that are common sense and general network device maintenance produce a poor outcome for this flaw when upgrading the firmware. Upgraded firmware for some devices, other than what came from the factory, will let you disable the feature, but on some models the switch is purely aesthetic while WPS stays on!

The best chance of protection is to upgrade to firmware that has been given a fix.  This next table shows the lack of urgency from Cisco, probably the largest market share holder, in fixing their home networking products with the flaw:

Cisco's Attempt to Fix WPS

There seems to be some misperception of this exploit as portrayed on the Internet.  A lot of people state that this method is for cracking WPA/WPA2.  This is not the case.  It is a test of, or attack against, the WPS flaw and the compromise of that feature, which uses a different method to connect.  It’s a four digit PIN with some pre and post salting.

Wash is used straight from the terminal.  This tool is a WPS flaw scanner that surveys access points within range or can send out probes.

The tool can be tweaked to perform faster when probing wireless networks, and to get better information, by using the -C switch, which tells it to ignore Frame Check Sequence (FCS) errors rather than always discarding poorly received packets. Getting closer to weak-signal access points will also improve collection.

A basic wash survey is:

wash -C -i <interface> -o <output file>                  

This detects all WPS-affected access points within range and sends the results to an output file.  Wash can also be used in scan mode with the -s switch.  Survey is the default and is more passive, whereas scan mode sends out probes.

wash -C -s -i <interface> -o <output file>                  

Wireless detection is all about time: the resources of the machine, the adapter and the number of probes you have out. To adjust the exposure and the number of probes per network in scan mode, type:

wash -C -i <interface> -s -n <1-15> -o <output file>
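As an added example (not code from the original post or from the wash/reaver project), here is a small Python parser for the survey file that wash writes with -o; it lists the access points that still answer WPS without a lockout. The survey text it carries is constructed to match wash 1.4's column layout with fake BSSIDs, and the -80 dBm cutoff is my own assumption, not a wash setting.

```python
# Added example: parse the file written by `wash -o <output file>` and list
# the access points whose WPS is enabled and not locked.  The survey text is
# constructed in wash 1.4's column layout with fake BSSIDs (not captured data).
import re
import sys
from dataclasses import dataclass

SAMPLE_SURVEY = """\
Wash v1.4 WiFi Protected Setup Scan Tool

BSSID                  Channel       RSSI       WPS Version       WPS Locked         ESSID
---------------------------------------------------------------------------------------------------------------
00:11:22:33:44:55       6            -45        1.0               No                 Home Net
66:77:88:99:AA:BB      11            -71        1.0               Yes                Shop WiFi
CC:DD:EE:FF:00:11       1            -83        2.0               No                 Printer-Setup
"""

@dataclass
class WpsAp:
    bssid: str
    channel: int
    rssi: int
    version: str
    locked: bool
    essid: str

# One data row: MAC, channel, RSSI, WPS version, Yes/No lock flag, then the
# ESSID, which may itself contain spaces.
ROW = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s+(.*?)\s*$")

def parse_wash(text):
    """Return one WpsAp per data row; banner, header and separator lines are skipped."""
    aps = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            aps.append(WpsAp(m[1], int(m[2]), int(m[3]), m[4], m[5] == "Yes", m[6]))
    return aps

def exposed(aps, min_rssi=-80):
    """APs that still answer WPS with no lockout and a signal strong enough to
    have been read reliably (the -80 dBm cutoff is an assumption, not a wash setting)."""
    return [ap for ap in aps if not ap.locked and ap.rssi >= min_rssi]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SURVEY
    for ap in exposed(parse_wash(text)):
        print(f"{ap.bssid}  ch {ap.channel:<2}  {ap.rssi} dBm  WPS {ap.version}  {ap.essid}")
```

Run it with the path of a wash output file as the only argument; with no argument it parses the constructed sample.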

You can use the Reaver tool, found in the wireless WLAN exploitation menu, to crack WPS given enough time. If you already know the BSSID (and the SSID) and have a functioning interface, a basic run looks like:

reaver -i <interface> -b <BSSID> [-e <SSID>] -vv

The -vv switch shows verbose information.  Whether for personal or business purposes, it is best to be stealthy during an activity or engagement.  You don’t want to affect availability, which could impact the business, the user or yourself.  Adding a delay of a few seconds with the -d switch will lessen the aggression.

The -x switch, in seconds, sets reaver to hold off on additional PIN attempts after a failure and should be set to a high value.  It can be set to go slow and steady with -r x:y, waiting y seconds after every x PIN attempts.

A good command line of reaver switches for a long, safe and steady test is:

reaver -i <interface> -b <BSSID> -d 10 -x 1800 -r 30:100 -5 -A -o <output file> -q

-5 sets it to the 5 GHz range, and -c can set it to a certain channel. -A means it will not associate with any network, which keeps the scan honest.

As you become more proficient with BT5 R3, research other value-added scripts, plugins or add-ons, like the following Perl script, a reaver wrapper that gives the original commands more control over the test:

Net-War Reaver Wrapper

A reported mean average of a little over ten thousand tries is typically needed before access is obtained through WPS with reaver.  If WPS is turned off in the router configuration but the vulnerability still shows up in the test, then I would suggest either looking into supported firmware like DD-WRT or looking for a replacement.

The results pulled from reaver can include sensitive details of the wireless router’s configuration that can be used to show the owner they are not secure; they may then be interested in hearing more.  They may or may not be, and may feel violated.  Just be careful in how you present having their personal information.

Universal Plug and Play (UPnP)

Another vulnerable feature implemented on many network devices is UPnP.   Like WPS, it is used on many different products for ease of discovery and access. A reputable security firm recently reported an estimated 50+ million exposed devices with this flaw.

I feel the most common use of this flaw is to make a call back to the router; if the attacker knows the router type, they can try the default credentials against it. It is best to use an OS that supports Little Snitch, or the like, so this can be easily blocked.  An even easier protection is to change the device’s credentials from the default.

Unlike WPS, UPnP is associated with an IP port: UDP/1900. If the feature can’t be or isn’t turned off, that port should be closed or blocked. Since this affects a variety of devices, it is best to use a port scanning tool. nmap is my favorite, and it can alternatively be used through the Zenmap GUI.

Let’s see a basic nmap command for a TCP SYN and UDP scan targeting port 1900 on what is the default gateway in both tools for most home-style networks:

nmap -sS -sU -p 1900 192.168.1.1

The command line version gives a lot more ability to perform quicker scans or gather more information if you know the switches. Both tools require an understanding of nmap’s versatility, but command line output files are easier to parse when you have huge results and know grep, awk or a language like Perl.


Zenmap’s GUI may put people more at ease with running the scan and gives beginners a way to ease into the command line if they are not yet comfortable.  Here is the same UPnP scan in Zenmap:

[image: the same UPnP scan in Zenmap]

Think it is prettier than squinting at the BT desktop? The state of this one is both good and bad.  It’s closed for direct TCP connection, but UDP could still be used for an attack; you will see this as a common state and the attack vector.
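As an added example (not code from the original post or from the nmap project), here is a Python check that sends one SSDP M-SEARCH to the gateway to settle the open|filtered question the UDP scan leaves behind; the sample reply it carries is constructed, and the gateway address 192.168.1.1 is the page's own default assumption.

```python
# Added example (not code from the original post or from nmap): confirm
# whether UPnP really answers on UDP/1900.  An nmap -sU scan usually reports
# the port only as open|filtered, because UDP gives no reply to an empty
# probe; sending a real SSDP M-SEARCH removes that ambiguity.
import socket
import sys

SSDP_PORT = 1900

def build_msearch(mx=2, st="ssdp:all"):
    """SSDP discovery request as defined by the UPnP Device Architecture."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()

def parse_ssdp_response(raw):
    """Header name -> value for an HTTP/1.1 200 OK reply, else None."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers

def upnp_responds(target, timeout=3.0):
    """Unicast one M-SEARCH to `target` (e.g. the gateway 192.168.1.1); parsed headers or None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_msearch(), (target, SSDP_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_ssdp_response(data)

# Constructed reply in the shape a UPnP Internet Gateway Device sends
# (not captured from a real router; the UUID is a placeholder).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                b"SERVER: Linux/2.4 UPnP/1.0 Router/1.0\r\nST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    hdrs = upnp_responds(sys.argv[1]) if len(sys.argv) > 1 else parse_ssdp_response(SAMPLE_REPLY)
    print("UPnP answers, SERVER =", hdrs["SERVER"]) if hdrs else print("no SSDP reply")
```

A reply means the device is exposing UPnP and the port should be blocked or the feature disabled as described below; silence within the timeout means the port is closed or filtered for real traffic too.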


If UPnP cannot be turned off, then UDP port 1900 should be blocked with a stateful or application firewall.  That means using Windows Firewall with Advanced Features or a PIX with some fancy internal setup.


This scan should be done both internally and externally for a network, with attempts made to turn off the feature or isolate the device if possible. Again, buy or suggest replacements if the flaw cannot be eliminated.


For an external test you will need the public IP address the router uses. This can usually be found in the router’s Web Admin page, probably under Status near the DHCP configuration. Perform external tests from another external Internet network; try an IHOP or a coffee shop if you have no other option.


I feel you have to know the Metasploit framework if you want proof. Metasploit takes a little work to get set up in BT5 R3. It has changed a little in recent years, so if you haven’t looked at it in a while you will have to learn the new tricks and commands, like attaching the database.  Much information can be found on the Internet, but a good book is out: Metasploit: The Penetration Tester’s Guide by HD Moore.  HD Moore is a major contributor to Metasploit, if not the brains behind it all.


Remote Rooting a Linksys Device

A recently reported flaw is a small side note because of the small number of devices it affects.  However, if it has been found in one device, it is very possible that similar vulnerabilities exist across the whole line, or at least in comparable models.   The model currently identified as affected by the exploit is the WRT54GL.


Details on Linksys Root Vuln


It may pay to go on eBay and stock up on older models of Cisco routers.  This would be especially good for the models that are End of Life and can no longer have firmware upgrades.


No harm, no foul if it’s all your own equipment and no End User License Agreement (EULA) restrains testing.  Bug bounty programs are emerging, and there are always those who would buy bugs, like security companies intending to make a profit, and governments.


A related rooting tool in BT5 R3 is telnetenable.py. It’s probably easier to find the scripts in the shell with locate, but they can also be found in the menu.  It’s a tool to get telnet access to Netgear devices.  It’s a minor tool addition but is noteworthy and simple if you know the model and try the default credentials and tha

Gregory MacPherson Interesting content, double-posted, poorly edited (or poorly written, I can't tell which). Ed: someone yank this, proof-edit it, and re-post it.

=;^)
Jayson Wylie I regret not making sure the images were included and it does look like I double posted. This is my largest submission as per word count to date.

Working on another large article and will take more time to ensure that it looks correct prior to clicking save in the future.