Description: This video is meant to open up a Q&A thread for the Wireless LAN Security Megaprimer. Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
Please post your questions in this thread and we will try and answer them soon! Watch the video on the rules and process to post questions, and the role of the community in it :)
Tags: wpa-psk, wireless, wifi, security, megaprimer, pbkdf, ptk, pmk, anonce, snonce
The only thing I'd request now would be a look at enterprise and RADIUS. One of your high level views would be ideal Vivek but I suspect that's where you will be going to next :-)
A great series - the best I've seen on the internet. As a veteran of tutorials I'd say this series is more in depth, and better taught than any of the paid offerings from people like CBT Nuggets. In years to come people will still be talking about this megaprimer - it's really the best in its class - thank you once again Vivek.
It has been a long journey so far and I am both amazed and very grateful for the detailed account of WLAN security that you have explained in the videos. I do not really have any questions about problems that I see when sniffing and analysing my wireless traffic but I have a number of conceptual questions. It is possible that you plan to cover them in the final videos, but here they are, just for the sake of completeness.
I have researched exactly how TKIP and AES work and am thoroughly confused by all the acronyms: PMK, PTK (they are easy!), GTK, KCK, KEK, TSC etc. I do not know how the various keys and elements are generated from the Passphrase (thence the PMK) and are used in the encryption process.
I have also done some reading around various attacks against WPA: Beck-Tews (and the Halvorsen extension), Ohigashi-Morii, Hole196 and do not know how practical they are. Are they simply theoretical? You have demonstrated the dictionary attack and I am aware that tables can be generated by the attacker, based upon the ESSID and a dictionary.
Finally, I do not know if you plan to cover 802.1x. As far as I understand, that is used in an enterprise situation and requires a back-end authentication server.
There may be other questions that pop into my head over the next seven days and I will be sure to post them here for consideration by you and others who might be able to point me in the right direction.
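As an added worked example (not from the thread or the megaprimer videos), the WPA/WPA2-PSK key hierarchy asked about above in Python: the PMK is derived from the passphrase and SSID, the PTK from the PMK plus both MAC addresses and both nonces of the 4-way handshake, and the PTK is then split into KCK, KEK and TK. The PMK check uses the IEEE 802.11 Annex test vector; the MAC addresses and nonces below are constructed placeholders.

```python
import hashlib
import hmac

# WPA-PSK / WPA2-PSK key derivation as specified in IEEE 802.11i.
# The GTK is not derived here: it is generated by the AP and delivered to the
# station in handshake message 3, wrapped with the KEK.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (also called the PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    This is the expensive step: every dictionary candidate costs 4096 HMAC
    rounds, and the SSID acts as the salt, so a PMK table is SSID-specific."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 cipher: str = "ccmp") -> dict:
    """Derive the PTK and split it into its components.

    aa/spa: AP and station MAC addresses (6 bytes each); anonce/snonce: the
    32-byte nonces exchanged in handshake messages 1 and 2. Inputs are ordered
    min||max so both sides compute the same PTK regardless of who is who."""
    data = (min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce))
    length = 48 if cipher == "ccmp" else 64          # TKIP needs two extra MIC keys
    ptk = prf(pmk, b"Pairwise key expansion", data, length)
    keys = {
        "kck": ptk[:16],    # Key Confirmation Key: MICs the EAPOL handshake frames
        "kek": ptk[16:32],  # Key Encryption Key: wraps the GTK in message 3
        "tk": ptk[32:48],   # Temporal Key: encrypts the unicast data frames
    }
    if cipher == "tkip":
        keys["mic_ap_to_sta"] = ptk[48:56]   # Michael MIC keys (TKIP only)
        keys["mic_sta_to_ap"] = ptk[56:64]
    return keys


if __name__ == "__main__":
    # Constructed placeholder handshake values (not from any real capture).
    ap_mac = bytes.fromhex("02a1b2c3d4e5")
    sta_mac = bytes.fromhex("0211223344 55".replace(" ", ""))
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    pmk = pmk_from_passphrase("password", "IEEE")
    for name, value in ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce, "tkip").items():
        print(f"{name:>14}: {value.hex()}")
```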
Hello Vivek, once again thanks for the great series of videos with excellent lectures.
I have got a question regarding Metasploit. I ran an exploit against Win XP SP3; the exploit was successful, but when the payload started the AV had blocked it and there was no Meterpreter session. I have tried to auto-run the kill AV in the MSF advanced settings but it doesn't seem to be working. Am I doing something wrong with the advanced options, or do I have to use a client-side exploit?
And I would like to know if you have done any videos based on SQL injections, XSS or any other techniques for application and database vulnerabilities.
My problem with VMware and the network is that VMware only sets up eth0; however, it can get online from the host machine's internet. It doesn't show the wlan0 until I take it over from the host by activating the USB port in VMware. I'm using a tower, by the way, and I only have one WiFi USB adapter. So how do I set up a virtual wlan0 in VMware and still get online from the host connection?
I wanted to thank you for the whole series, it was more than expected to be honest!
I wish we could have an idea of how to hack HSPA and WiMax wireless connections :D
I know it's too much, but it would be wonderful to know about that stuff.
Thanks again Vivek for your time and effort you gave the community, and I really wish you with all my heart good luck.
Vivek you are the best, but I have a suggestion for the WEP part: I think it needs a video about attacking a network without a client (with no client connected to the router, and using "packetforge-ng"). Thank you for your time and for the great job.
allisonmagicelite - in answer to your vmware networking issues, you should be able to edit your vm settings to connect wlan0 at boot.
If your vm is a linux machine then you can set eth0 to autostart on boot.
You can also try to find a copy of VMware's virtual network editor that ships with VMware Workstation, as that can help configure your host's networking a lot more easily (I use 3 separate subnets/IP ranges).
I'll do what I can to help the community along but I'm afraid my wifi knowledge is more geared to the business end of it ( I work for a WISP). Maybe we could all get together and make a wireless "cheat sheet" to help people remember all the different commands used in the videos. I guess just starting from the basics and working our way up. Just a thought.
Vivek, my question is: I am using two computers and one AP. I have one connected to the AP, but while using airodump-ng it doesn't show any STATIONs/clients when there should be clients, because one computer is connected to the AP. airodump-ng doesn't show any STATIONs.
Thanks so much Vivek for this, you're AWESOME :)
I would like to share something I found on
Two Japanese scientists, Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University can crack WPA encryption in sixty seconds. The attack works on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm.
Ohigashi and Morii’s full paper http://www.thetechherald.com/article.php/200935/4331/Report-WPA-TKIP-proven-flawed
Look for the PDF posted on that site. I haven't gone through it yet but I will take a look at it tomorrow.
Thanks Vivek for all you did for the community. I'm interested in cracking WPAx and, from what I've learned, the only thing we can do at the moment is to optimize the time for the dictionary attack or, at least, the brute force attack.
In this case (dictionary attack) it would be very interesting if you could cover the best practice to generate the best-fit wordlist (I am thinking of tools like CeWL, Crunch or others?). Thank you again.
@X17:
Maybe it's too primitive or obvious, but why don't you inject a "vlc-session" first. Then deactivate the AV by hand. Then log out and inject a Meterpreter.
EDIT: Sorry, I meant "vnc-session"
@3lL060:
Thanks for the idea! That would work. I was just thinking of a way of being stealthy. lol.
Thanks Vivek and all of you "R00t'5 community" of SecurityTube, this is a really terrific J O B. All The Best.
information ---> No Share ---> No more
information ---> Share ---> Improvement
Thanks once again and a lot of appreciation.
Keep it up bro.
Very nice video on
Cracking WiFi - WPA/WPA2 with Hidden SSID (aircrack-ng + airolib-ng)
by g0tmi1k
http://g0tmi1k.blogspot.com/2009/07/video-tutorial-how-to-crack-wpawpa2.html
Just started watching your videos to educate myself in this area to help with my studies, your videos are amazing and have helped no-end. Please keep going! Thanks!!
@VIVEK, Thanks for all the Videos of all the Primers that you have posted.
To be honest, I haven't finished the whole WLAN Security Series because I like to test the things as I watch them, because that is the real way to learn stuff, and that is keeping me behind the group.
Again thank you for all the Series.
I found the page like 3 weeks ago and I'm currently on a Human Buffer overflow with all this data on video to process. =)
Thanks my friend.
Regards,
@X17:
Yes. Maybe it isn't really stealthy, because maybe the person in front of the computer sees the mouse moving^^
But maybe just inject the VNC session, then look if the user sits in front of the computer (whether his mouse is moving or some keys are being pressed - so you don't have to battle with him for the mouse control :) )
Then if nothing happens he possibly isn't in front of the computer... Then deactivate the AV and so on...
Maybe someone knows a better (stealthier) way?
VIVEK, a really very useful video series, and I know you have NO time, but I am asking a favor for the community, man.
Can you try to show us the finishing of :-
http://www.security-freak.net/worms/worms.html#1
hey guys check the link.
And try to notice the ethics of VIVEK.
Thanks once again.
Man, I am ready for everything to boost this community.
keep it up guys.
andyb67, I don't know where to do that. I don't see any wlan options in there, only for the ethernet. How could I set up a virtual wlan device for VMware?
Vivek, by the way, you are the most awesome person i've met online, thank you for everything you've done for the community, we all appreciate your great work bro ;)
@allisonmagicelite: your USB WiFi card is just another USB device, so don't look for it on the network interfaces of your VMPlayer; look for it on the USB devices of your VMPlayer. So if you allow the VMPlayer to enable the VM to use the USB WiFi card, then you will be able to see it on your VM when you start it.
I do it on VirtualBox with my Alfa card, iPhone, and other USB devices without problems.
G luck.
First, I wanna say thank you so much for all the help, much appreciated :D Yah, it shows up as a USB device. So I activate it through the USB, right? Yah, I did that, and it takes over the card. I set the network to NAT and set it to see all USB devices, and when I connect my USB device, it ends up using it completely. But I thought I was supposed to bridge the connection with the USB adapter outside of the VM on the host machine, and also have it seen in the VM? If you activate it in the VM, it will take control. So what exactly are the steps I should take?
So basically, it disconnects from the host and VMware takes over.
@3lL060:
Haha, yeah, that should be one way of doing it.
@allisonmagicelite:
The card can only be used in one place. If you bridge the connection from the host machine it will be known as eth0 in the VM, but if you directly connect it to the VM it will show up as wlan, which is what you will want for monitor mode and so on.
Or maybe there's another way of doing it which I'm not aware of.
If I leave airodump-ng running, I will eventually accumulate bad data. By that I mean, incorrect BSSIDs (compared to SSID) and SSIDs with mutated names (linksys becomes linksdasd or something like that). Sometimes I will even get unprintable SSIDs. Why am I getting so much bad data? Using scapy to search through the pcap, I see malformed MAC addresses and SSIDs with characters such as newlines! What's going on!?
When researching which wireless card to purchase, what should I be looking for?
Also, two ideas for a video:
1. The hardware aspects of Wi-Fi tech
2. Tips to get reliable packet captures
Hi Vivek!
First of all, thank you for sharing your amazing knowledge with us.
I would like to know how to setup via vmware (or virtualbox) an sslstrip attack. I'm not able to do that with virtual machines. A tutorial on virtual machines should be also appreciated...only if you can!
Thanks again!
Hi there, what about the WiFi bridge repeater? I've got a DD-WRT set as a bridge repeater. Anyone know how to get info...
Thanks indeed Vivek
Dude, we're supposed to be online from the host machine, and somehow Vivek has his wlan0 showing up in his virtual machine. So either he's got 2 WiFi cards, or he's online with a hard-wired connection and bridging his WiFi from VMware to it.
chao-mu, there are a lot of good cards that will allow you to go into monitor mode. I have 2 different cards that I've used: a Belkin Wireless G and my D-Link DWL-122.
I can actually set up my card inside Linux directly, instead of VMware, to do the MITM. But the ESSID doesn't show up as a name inside any of my Windows systems. It shows up as boxes, like a weird hex format. How could I modify that?
chao-mu
For the wireless card you have to look at this page:
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers&DokuWiki=eeeb31c9b4a15a6c8925b331d8994aa3
I think you will find all your answers there.
@allisonmagicelite I was not asking which card I should choose. I was asking what hardware characteristics are important to consider when researching a particular card.
@keyman Thank you for the link. It's a useful one when considering compatibility. Several of the articles that it links to are also useful for that purpose.
Well, I just said screw it, after trying over and over inside winblows to get my bridge going. I just erased wingay and installed BT5. Works great!
Can someone direct me to a good tutorial on creating a fake AP with a login page? I found tools for that [gtwpa, ghost phisher, fakeAP, airsnarf etc.] but I want to know how to do that manually, because that kind of attack is very popular at airports, hotels, etc. So it would be a great thing if you, Vivek, could make a small tut on that. If you consider that 90% of people would enter their WEP/WPA key if you serve them a fake login page with some kind of error, then that kind of attack is very effective. Thank you.
@Vivek: how about this for a possible topic for a WLAN security video? I know that it's a bit of a game at security conferences (Defcon etc.) to pwn vulnerable laptops so I guess that the real experts there take measures to protect themselves. By that, I guess either create a VPN or SSH tunnel to a safe network that they control at home or use 3G. but is it really as simple as that?
What measures do you take with such hostile networks to protect your laptop? I know that you can replace the hard drive when you get home so does it *really* matter if you get pwned, providing you don't access gmail, online banking etc. whilst you're at the conference?
Looks like I was a little late to the party on the wireless megaprimer, but I did finish everything so far. It has been VERY helpful since I prefer to learn all of the underlying material, instead of just watching videos of how to use a tool to solve a specific case you will probably never see for real.
Anyway, I did have one question that I posted late in an earlier video.
This involves using airbase-ng to make a fake client.
Authorized AP will have a bssid of aa:aa:aa:aa:aa:aa
My fake AP will be ff:ff:ff:ff:ff:ff
I completed an attack and my victim successfully dropped from the authorized AP to my fake AP.
I then cut the power to the victim device. A connection came into airodump-ng...
aa:aa:aa:aa:aa:aa ff:ff:ff:ff:ff:ff <and some other info>
What is this, and is it useful for anything? It looks like since both stations have the same essid, they are making some communication about the missing client.
Any thoughts?
Thanks!
Hey Vivek, thanks so much for the videos, this is the most information on wireless security I have ever found in one location on the Internet, and especially for free, which is remarkable!
I was wondering if I could have permission to mirror downloads of your great video series here: http://www.securitytube.net/groups?operation=viewall&groupId=0 so that other members of the community can easily download and enjoy them offline.
It seems I'm a late addition to this community, but I have been trying to watch the videos to catch up.
I have to say they are really great! I have learned a lot from these videos even though I'm quite new in this field.
Thanks a lot for your hard work making the videos, Vivek, I really appreciate it!
Vivek!!! thanks I love you, do you love me!!? hahahalalala
Questions
How do you crack or do anything if their logins are in webpages? Like my college makes you log in by opening a browser and it'll have you log in through that... Any videos on this?
Here's a video http://www.youtube.com/watch?v=erJ6uRzfcaw&list=PL92B9C4F2A0E4A476&index=0
This works but only for WEP is there any other command I have to type in order for it to work without any pass or for wpa/wpa2?
I watched all your videos and will repeat watching them till I understand all keep your videos coming on anything!
And since I'm going to college and all, what classes do you know of that would be best for a pen tester? I really want to do it all and hack/crack whatever; I like the whole idea of finding flaws etc...
Yes, I have an Alfa card, a Rokland n3 wireless 802.11n USB adapter, and love it. I only love it because of the knowledge you're giving me for free! I appreciate it. Flow of free knowledge!! You, sir, are elite!
lol, you guys really should look through his other videos, from start to finish. He's got a lot of very informative videos in his profile. Check it out:
http://www.securitytube.net/user/Vivek-Ramachandran
wait it seems he has other videos as well. under Security Bot. waaa. Is he the owner of this site? Jessusss lol Mucho respect ++ <333333
I'm in the process of learning how to run Amazon's EC2 Cloud to have supercomputers do the WPA cracking.
Tell me if I am wrong but!
Downloading huge wordlists or creating your own dictionary takes up a lot of time and HARD DISK space, and generating PMKs for a specific SSID is a waste of time, because what if the word isn't in the dictionary? I believe piping words from Crunch (wordlist generator) into aircrack or coWPAtty is the best way to go when it comes to cracking WPA passwords.
So I will be setting up an EC2 server and have Crunch and aircrack do the job. I will see how it goes and I will post back on here.
@j0k3rr how much will it cost you?
First of all, thanks for this video series. I've watched them all, but it's only now that I have created an account to express my appreciation. You explain everything in a clear manner, combined with demonstrations, unlike many other videos which show only a demo without further background. I like the references to papers/sites with more info. That's the best way to learn.
Like Blackmarketeer already said, I would love to know more about the working and security of IEEE 802.1X. For example the RADIUS impersonation attack [0] by Joshua Wright and Brad Antoniewicz.
Knowing about the existence/working of all these attacks is one thing, but to be safe you have to protect your network. What about a video looking at (Wireless) Intrusion Detection/Prevention Systems in more detail?
How would you design a safe (wireless) network? Combination of a tunnel and IEEE 802.1X? Differences between a SOHO and an enterprise network?
[0] http://www.willhackforsushi.com/?page_id=37
Looking forward to more videos. :-)
My question is... I cracked my neighbor's WEP WiFi and it seems to me that he has a faster connection than mine. I would like to BOND my ADSL connection with the other one... I searched online but found no answer... someone said Vyatta can do something with some routing protocol... any suggestion? I think this will be useful. Be sure that your neighbor isn't Vivek, otherwise trouble will come... Thank you for all this material, I'm learning a lot.
@in0cula : Hacking into your neighbor's wifi could get you into trouble if you dont have permission...
@Kartone : Using Amazon's EC2 large cluster costs about 0.68 U.S. dollars an hour. It all depends on your Crunch (password generating) skills. The more you know about the person, the more you will know about what kind of passwords they would most likely use. You can spend days and hours trying to find the passphrase. But generating PMKs from a wordlist found on the internet for a unique SSID is kind of a waste of time and space, I believe. Unless you can manage a proper database and not consume your own PC's disk space. I am not 31337 like Vivek is. I'm just starting to learn all this thanks to Vivek. It's becoming a crazy addiction. If you have a better way please share it with us. I will be posting my first video by the end of today :)
Also I will be attending the Black Hat Conference in Abu Dhabi this year (just visiting to learn more).
Something tells me Vivek will be there :P
Hey, anyone got any good info on how to integrate John with WPA cracking?
@allisonmagicelite
You can just pipe out john to crack wpa
EXAMPLE :-
john --stdout --wordlist=specialrules.lst --rules | aircrack-ng -e test -a 2 -w - /root/capture/wpa.cap
For more info visit
http://www.aircrack-ng.org/doku.php?id=aircrack-ng
awesome thanks rootx ;)
Hey guys, I'm still having issues doing my MITM directly from Linux. I have my base WiFi card in my laptop, and I have a USB WiFi adapter. Where can I get some more info on doing the MITM directly from Linux without having to use VirtualBox?
@Vivek: I posted a suggestion on 2 June about securing a laptop whilst at a conference, such as Defcon. I've just come across a script that can be used in this scenario. Here's the link for anyone who might find it useful: http://zerohat.de/_shared_files/bt4/conference_lockdown. There's a bit of background here: http://sec.jetlib.com/BackTrack_Linux_Forums/showthread.php%3Fp%3D185840?page=16 although I'm sure there will be other articles around that deal with how it works or how it can be modified.
Guys - I'm having issues with the Fragmentation & ChopChop attacks.
I do a Fake Auth from my machine, and proceed to use aireplay-ng to carry out the attack. For each attack it says 'waiting for Beacon Frame', but never initiates the attack. I'm also watching the packets in Wireshark and I see tonnes of Beacon Frames from my AP. Any thoughts, hints, tips on why aireplay-ng is not picking them up? Happy to provide my commands on Pastebin or something if required.
Cheers.
@dduggan:
Hmmm... do you have any more information?
Do you use the correct BSSID?
Some other complications? (e.g. are you connected to an AP with the WiFi card you are using?)
Quick question... do any of you guys know of a USB WiFi adapter which is supported in Linux, has an external antenna connection and supports AP (master mode)?
Been looking everywhere....
post here or email me if you want
drforbin6@gmail.com
What is master mode? I can't imagine what it means.
Master mode allows a card to act as an AP (access point).
ah ok.
Then maybe the Alfa card which Vivek uses is the right choice. I use this card too, and I'm very pleased.
Look at his first videos about the wireless megaprimer to see how to purchase it :)
I will get back on these questions soon! Meanwhile the next video in the series has been posted: http://www.securitytube.net/video/1990
Looking forward to your feedback!
@3lL060 I figure it's because I have nothing else connected to the AP, so there is no data being transmitted for the attacks to work with. I assumed that my fake auth would cause the AP to spit out a few data packets but apparently not. As soon as I connect another client to the AP (wired or wirelessly) then the attack works as expected.
@drforbin I use the AirLive WL1600USB and it kicks ass; it supports AP mode and comes with a detachable 5 dBi antenna :)
MaxoNe, thanks for the info...
The WL1600USB uses the RTL8187L chipset... you sure it enters master mode in Linux? Are you using open-source drivers or proprietary drivers...
In answer to the previous response:
I have an Alfa... great product... but it does not support AP mode. Do an iw list and look at the phy devices under interface modes.
Hi Guys,
Thanks a lot sir for the awesome videos. You have taught me a lot.
Please could anyone assist me with my problem.
When I am trying to capture the .xor file in WEP cracking, I get only a broken SKA, and thus I do not get the .xor file.
I have tried it many times yielding the same error.
Someone please reply.
Thanks,
Utkarsh
Hey,
Could someone please answer my doubt .
Thanks,
Utkarsh
The final video is now available: http://www.securitytube.net/video/2048
45+ videos and 1000+ minutes of Wireless Ownage later :) Look forward to all your comments. Please do have a look.
Vivek, hello again. I know I keep saying this, but... thank you. I really appreciate you spending your time and energy creating these videos for others to learn from and making them as easy to understand as possible.
I've been following every single video until this point and the only part that I can't get right is the Hotspot attacks where we create a fake AP using airbase-ng. I would truly appreciate it if someone could help me with this. After creating a fake AP using airbase-ng and after having my client (phone) connect to it, it kind of stops at the "Obtaining IP address" part and then disassociates. I understand I have to make some changes to the settings, maybe on DHCP or something, but I don't know where to start. Can you point me in the right direction or, better yet, show me a walkthrough? Thank you in advance...
Is there a web page where you can summarize the various ifconfig, iwconfig, starts etc., together with airodump, replays etc., like in an index? People who have seen all the videos will remember, so not much description is needed. Would be great. Thanks.