Simple How-To on Wireless and Windows Cracking (Part 1)
You've heard the story a dozen times: someone's on their morning commute from the bedroom to the basement office, doesn't see that empty beer/Red Bull on the steps, ends up bouncing down the stairs on their head and, voilà, they just can't seem to remember the password to their computer, or to their wireless network... Looks like they need a way to access the locked computer, break the Wi-Fi keys, and use some information gathering tools to recall what's going on...
But before that happens to you (again?), a little bit of careful planning can make that a problem of that past. That is why you're reading this, right? You wouldn't be doing any of this on anything but your own personal computer and personal network...
Before reading this, it is well worth your time to visit the BackTrack Wiki page: wiki.remote-exploit.org to check out the Hardware Compatibility List (HCL) to see if your machine and Wi-Fi card are compatible. If your existing card is not, there are tons that are, and many just need a new driver (discussed later here, and at length on the BT forums at: forums.remote-exploit.org.
Also, that Wiki has plenty of information on the tools included, some of which are touched on later.
BackTrack USB Boot Disk
The first step is to build a bootable USB drive with the BackTrack distro, a process that is very quick and easy (this tutorial was written when BT3 was the most current, however, a beta version of BT4 has recently been made available).
- Find a USB drive. The .ISO is almost 800 MB, so a 1 GB drive would work, but you may want some extra space.
- Download the USB .ISO at: remote-exploit.org/backtrack_download.html
- Download ISObuster at: isobuster.com
Alternate: Use a tool such as "unetbootin" which basically does it all for you (no #4 and #5).
- Using ISObuster, open the .ISO, and copy the /boot and /BT folders to the USB drive.
- Lastly, navigate to /boot folder on the USB drive and run: bootinst.bat
Now your bootable USB is ready to go, but it's not a sure bet just how to tell your machine to boot it. For instance, some machines will try booting from the USB automatically, while with others you must interrupt the standard loading (I am on a Lenovo R61 so I have to hit the blue "ThinkVantage" button, then F12 to choose a boot device, and then select the USB drive).
Also, before BackTrack really boots, you'll have the opportunity to choose a graphics option. This is also where you would implement any special boot instructions found on the HCL mentioned earlier (you hit "Tab" to enter them).
Once BackTrack is loaded, open an Xterm window by typing "xterm" into the small text box to the right of the menu buttons. Now, depending on which Wi-Fi card you have, you may have to utilize a new driver. If you're having a hard time figuring out what Wi-Fi card you really have, as it's often rebranded, type "lspci" and it will tell you what the hardware is. I'll give two examples here that I've seen personally and there is a ton of information on the web, so I'll leave this part to you:
I have the Intel Pro Wireless 3945 Wi-Fi adapter in my machine (at a command prompt in Windows, "ipconfig /all" tells me so) so, to change my driver (if you are using the BT4-beta, this particular driver has been patched, so there is no need to use "ipwraw"), I type:
# modprobe -r iw13945 # modprobe ipwraw
My friend has a MacBook Pro (Atheros 5418 Wi-Fi) and, for him, the process is:
# wlanconfig ath0 destroy # wlanconfig ath0 create wlandev wifi0 wlanmode monitor # ifconfig ath0 up
Once you think you have the right driver in place, you can test by typing "iwconfig" and looking at the MODE. It should be in "Monitor" instead of "Managed". You also need the ability to do packet injection, but it seems many of the drivers enable both features. Now you should be ready to proceed to the next step, identifying and cracking the Wi-Fi network(s).
First, we're going to change our MAC address for a little privacy. In my machine, my adapter is wifi0 (which I use throughout the remainder of the instructions), my friend's was ath0. The command iwconfig will show you which yours is, and then (feel free to replace "00:11:22:33:44:55" with another option if you like):
# airmon-ng stop wifi0 # macchanger --mac 00:11:22:33:44:55 wifi0 # airmon-ng start wifi0
Another note about drivers: Some drivers create a new interface when "airmon-ng start" takes place, and may create a new interface (for instance, the ath9k driver creates mon0). If this occurs after "airmon-ng start", you'll need to do the following:
# ifconfig mon0 down # macchanger -mac 00:11:22:33:44:55 mon0 # ifconfig mon0 up
And then substitute the new interface in all subsequent instructions.
Easy, right? And now, we have to take a peek at what networks are up in the area:
# airodump-ng wifi0
If you'd like to focus on the "low hanging fruit," you can use:
# airodump-ng -t WEP wifi0
Now, choose a network you'd like to use. I typically watch the DATA column to see which have activity. You can also watch the association list at the bottom of the page to see which APs have clients (a.k.a., stations) attached.
Stop airodump (Ctrl-C) and restart as follows:
# airodump-ng -c [channel] -w [filename] --bssid [bssid] wifi0
Where [channel] is from the CH column, [filename] is of your choosing, and [bssid] is the BSSID of the network you're interested in.
This focuses airodump to just gather information on that channel, from the network you specified, and copy the results to a file called: [filename]-01.cap
If the network is WEP protected, keep reading, if WPA/WPA2, jump ahead.
Now we need to associate with the network of interest, and then flood the network with data to enable key cracking. First, open another Xterm window and enter:
# aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55 -e [essid] wifi0
Where [essid] is the name of the network. If this is successful, you'll see the following:
Sending Authentication Request (Open System) [ACK] Authentication successful Sending Association Request [ACK] Association successful :-) (AID:1)
If this doesn't work, you may have to try a few times (or other times of day), or other networks, or try moving around a bit if you only have one network of interest. Now, to generate the data:
# aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:55 wifi0
If you look at the airodump window you left running, you should now see the DATA column growing like the national debt.
The last step is to use this data to find the key, so open a third Xterm window, and enter:
# aircrack-ng -b [bssid] [filename]-01.cap
It will test the data gathered to that point and, if it does not find the key, just leave it be. When the DATA column hits each increment of 5000, aircrack will try again. Eventually (typically in the 10,000 to 40,000 range) you'll get your WEP key.
Now that you have opened an airodump window for the network you're targeting, you have to capture the handshake that is generated when a valid user joins the network. The top line of the airodump window has information such as channel, elapsed time, battery life, date, time, etc. If it has captured a handshake, there will also be:
[WPA handshake: [bssid]]
You'll see the client MAC(s) in the Station list at the bottom of the airodump window. If there's no one there, then you've come at a bad time.
So now you can, a.) wait, or b.) if there are clients, kick someone off the network to force them to re-authenticate. To do this, open a new Xterm window, and enter:
# aireplay-ng -0 1 -a [bssid] -c [client MAC] wifi0
This will send one de-authenticate packet to the client. If you like, you can change the "1" to more (5, 10), but increment slowly. You want the de-auth/re-auth process to be smooth for the client.
Once you have your handshake, you have to use a word list to crack it. There are many word lists available online, with different themes and so on. You can either download this to your machine before booting to BackTrack or, if you prefer, just download one before changing drivers and such (which can interfere with typical Internet access). So, assuming you have one:
$ aircrack-ng -w [wordlist.txt] -b [bssid] [filename]-01.cap
Make sure you specify the path of the word list if it's not in the same directory as the capture file.
Unlike the ten minutes you would spend on WEP, this is going to take some time... a lot of time. If you're having problems, there is a troubleshooting guide at: aircrack-ng.org
So now that you have access to all of the networks in the area, you have plenty of tools in BackTrack 3 to toy with to your heart's content. Alternatively, you can shut down, reboot in Windows, and use your favorite tools there. This is my personal choice, but only because I got used to this toolbox. If you're familiar with the options in BackTrack, you can surely find what you need (except for Nessus and Cain & Abel).
Cain & Abel
(oxid.it) This program is perfect to just leave running all the time. It monitors network traffic and grabs usernames, passwords, and VoIP calls. It also has the ability to perform a Man-in-the-Middle attack, which allows you to divert traffic between the clients you indicate (typically a client and the router) through you, enabling you to grab HTTPS data, and other items that would otherwise be missed. Cain has tons of other features, but we're going to keep this section short since everyone has their own preferences.
(nessus.org) This is a great program that tests hosts on the network for known vulnerabilities. Very easy to use, you can just identify which host(s) to scan, and it even has a default scan profile (or you can make your own). It will then indicate which hosts have which weaknesses/unpatched holes, etc.
(metasploit.com) This one is available in BackTrack, but also has a Windows version. This is an ideal partner tool for Nessus. After you get a sense of potential vulnerabilities in Nessus (or use "nmap" to see which ports are open) you simply load Metasploit (I use the GUI, but there is an easy command line interface as well). You can then use the search for whichever terms/ports you want, or navigate the exploit list that is organized by as, service type, etc. Once you find one you like, double-click and choose your payload (what you want to do on the target machine, such as reverse VNC to have a firewalled machine connect back to you and provide you with the user's desktop) and then input any other required metrics such as the IP of the target.
(wireshark.org) This is also in BackTrack or Windows and is standard packet sniffer, so that you can see all of the activity on the network. It's got an easy filter tool as well, so you can easily target just emails, IM activity, etc. I find it helpful to run this as well as Cain, just in case Cain grabs a password and, for some reason, not the username. You can then do a search in Wireshark for the password and find the missing data.
Other Next Steps
So, all of this is well and good but, if you've fallen down your stairs and lost your memory, you might need to figure out how to get into your computer in the first place! But luckily, by virtue of booting into an alternate as (that being BackTrack instead of Windows), you now have access to the system security files of Windows and can recover, or rewrite, the password.
If you don't care what the password is, and just want to overwrite it, simply open an Xterm window and type "df", which will show you where the Windows system is (i.e., /mnt/hda1). Now just:
$ cd /mnt/hda1/WINDOWS/system32/config $ ls # (to make sure you see the files: SAM and system) $ chntpw -i SAM system
This will show you the users and ask which you'd like to overwrite.
If you do care what the password is, and don't want to change it (which would let the user know that the machine's been compromised), you have a harder task ahead. Similar to cracking WPA, in fact.
After you've changed to the right folder (as above) and confirmed "SAM" and "system" are present:
$ samdump2 -o hashes.txt system SAM
This creates a file "hashes.txt" in the directory you're in. Copy this file to your USB head back to your own machine (since this will take some time) and then choose an option:
1.) Boot into BackTrack and then crack with John the Ripper (and your handy-dandy wordlist.txt from earlier): "john --wordlist=wordlist.txt hashes.txt""
2.) Load the hashes into your new favorite program Cain. (Go to the Cracker tab at the top -> choose LM&NTLM Hashes on the left -> right-click in the body of the page -> Add to List -> import hashes from a text file -> choose your hashes.txt).
Either will take awhile, but then you'll have your password (assuming you have a good wordlist). You can also use Rainbow Tables in Cain, but I'll leave that for another time.