
2016-08-06

DEFCON 24: Wi-Fi Sheep Hunt Contest Brief

WI-FI SHEEP HUNT 2016
Wall of Sheep (WOS)
Packet Hacking Village (PHV)

MISSION BRIEF:

WELCOME to WI-FI SHEEP HUNT 2016. Your mission, if you choose to accept it, is to hunt and herd our lost SHEEPS. Clues will be broadcast on the PHV airwaves – near, far and wide. You’ll need your strongest and fastest wireless “Kung-Fu” to collect the clues and decipher the codes. Accumulate points by playing one or all of the challenges.

1:\> NFC SHEEP HUNT
2:\> RF SHEEP HUNT
3:\> WEP/WPA SHEEP HUNT


WARNING: If the “airwaves” smell rotten, that’s probably not us. This is DEF CON, don’t say we didn’t warn you...

REGISTRATION:

1. In person at PHV Info Booth.
2. Online at https://t.co/WFI9TLVt4j - CLOSED 08/06/2016

MISSION DETAILS:

1. NFC SHEEP HUNT: There are NFC tags hidden all around the PHV. Use your handheld device (iPhone, Android…etc.) to sniff them out, retrieve and decipher the codes. Points are awarded for every tag you find, extra points for every code you decipher.

2. RF SHEEP HUNT: Locate RF beacons, then decipher the codes to earn points. We have military-grade radio detection gear for you to use. Registration and gear reservation is required. Go to the PHV Info Booth for details.

3. WEP/WPA SHEEP HUNT: Find the correct WEP/WPA APs and crack the key. Every key (WEP/WPA) you crack & submit earns you points.

WEP? really?! But how strong is your wireless kung-fu?! These APs are dynamic and can change their security settings. Move fast when you spot them ---> crack the key and grab a sheep before it disappears. NOTE: Point value decreases the longer you take to crack it.

EXTRA POINTS: Grab SHEEPS (files) from WEP, move them to the WPA.  Once you’re inside the network, sniff around and hunt for SHEEPS (files)… yes, you’ll need both keys to move the files from one wireless network to the other.

NEED HELP TO JOIN THE FUN?
Come by the Wi-Fi Sheep Hunt desk and we’ll help you to get started. No laptop or gear? No problem, we have some you can use for a limited time. Registration and gear reservation is at the PHV Info Booth.

FOR TIPS/CLUES:  Follow the @WallofSheep on Twitter
Hashtag: #WOS #WIFISH #SHEEPHUNT

2016-01-28

2016.0128.WHY.FIGHT

SOURCE: 
http://resources.infosecinstitute.com/wifite-walkthrough-part-1/#article
http://resources.infosecinstitute.com/wifite-walkthrough-part-2/#article

WHAT IS IT?
In this article series, we will look at a tool named Wifite, suitable for automated auditing of wireless networks. Most of you who have experience in wireless pentesting would use tools like airmon-ng, aireplay-ng, airodump-ng and aircrack-ng to crack wireless networks. This involves a sequence of steps, like capturing a specific number of IVs in the case of WEP or capturing the WPA handshake in the case of WPA, and then subsequently using aircrack-ng to crack the password required for authentication to the network. Wifite aims to ease this process by acting as a wrapper over all these tools, thus making it super easy to crack Wi-Fi networks.

Here is a list of features of Wifite as per its official homepage.
  • sorts targets by signal strength (in dB); cracks closest access points first
  • automatically de-authenticates clients of hidden networks to reveal SSIDs
  • numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • customizable settings (timeouts, packets/sec, etc)
  • “anonymous” feature; changes MAC to a random address before attacking, then changes back when attacks are complete
  • all captured WPA handshakes are backed up to wifite.py’s current directory
  • smart WPA de-authentication; cycles between all clients and broadcast deauths
  • stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
  • displays session summary at exit; shows any cracked keys
  • all passwords saved to cracked.txt
  • built-in updater: ./wifite.py -upgrade

RECOMMENDED WIRELESS CARD
Before we start using Wifite, make sure you have a proper wireless card that supports packet injection. If you don’t have one, I would suggest that you buy this card.

ALFA 1000mW 1W 802.11b/g USB Wireless WiFi network Adapter with 5dBi Antenna


"aireplay-ng" bug info and fix
Note that there is a bug in Wifite that may or may not be present in your particular version. The bug prevents aireplay-ng from functioning properly and displays an error like "aireplay-ng exited unexpectedly". To fix it, you have to make a slight modification to the Wifite source. Install gedit (apt-get install gedit), a text editor, and open the Wifite Python script (found at /usr/bin/wifite) with the command gedit /usr/bin/wifite. This opens the source code of Wifite. Then replace every occurrence of cmd = ['aireplay-ng', with cmd = ['aireplay-ng','--ignore-negative-one',
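If you would rather script that edit than make it by hand in gedit, here is an added Python helper (mine, not part of the InfoSec Institute article or of Wifite itself) that applies the same replacement, skips lines that already carry the flag so it can be re-run safely, and keeps a .orig backup of the file. The path /usr/bin/wifite is the one the article gives; the SAMPLE text is a constructed fragment, not Wifite's real source.

```python
"""Apply the aireplay-ng '--ignore-negative-one' workaround to wifite's source.
Added example; not part of the article or of wifite. The default path is the
one the article names, SAMPLE is a constructed stand-in for wifite's code."""
import re
import shutil
import sys

# The argument-list opening the article tells us to edit, and its replacement.
PATTERN = re.compile(r"cmd = \['aireplay-ng',")
REPLACEMENT = "cmd = ['aireplay-ng', '--ignore-negative-one',"


def add_ignore_negative_one(source):
    """Return (patched_source, number_of_lines_edited).

    Idempotent: a line that already contains --ignore-negative-one is left
    untouched, so running the helper twice never duplicates the flag."""
    out, edits = [], 0
    for line in source.splitlines(keepends=True):
        if PATTERN.search(line) and "--ignore-negative-one" not in line:
            line = PATTERN.sub(REPLACEMENT, line)
            edits += 1
        out.append(line)
    return "".join(out), edits


def patch_file(path="/usr/bin/wifite"):
    """Patch the script in place (backup kept as <path>.orig); returns edit count."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, edits = add_ignore_negative_one(original)
    if edits:
        shutil.copyfile(path, path + ".orig")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    return edits


# Constructed sample: two aireplay-ng invocations, one already fixed, one not.
SAMPLE = (
    "def attack(self):\n"
    "    cmd = ['aireplay-ng', '--fakeauth', '1']\n"
    "    cmd = ['airodump-ng', '-c', '6']\n"
    "    cmd = ['aireplay-ng', '--ignore-negative-one', '--arpreplay']\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 fix_wifite.py /usr/bin/wifite
        print(f"edited {patch_file(sys.argv[1])} line(s) in {sys.argv[1]}")
    else:                                       # dry run on the constructed sample
        patched, n = add_ignore_negative_one(SAMPLE)
        print(f"{n} line(s) edited:\n{patched}")
```

Run it without arguments to see the dry run on the sample, or pass the path of your Wifite script to patch it; the count it prints tells you whether your version needed the fix at all.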

UPDATE to the latest version
Wifite can be found under Applications -> Kali Linux -> Wireless Attacks -> 802.11 Wireless Tools. Also, note that if you are running wifite in a different VM than Kali Linux, then you have to make sure that tools like airmon-ng, aireplay-ng, airodump-ng, aircrack-ng are already installed on that system. This is because Wifite is nothing but a wrapper over all these tools. Before we even start using Wifite, it is better to update to the latest version.



LIST ALL THE COMMANDS and SWITCHES 
In my case, I already have the latest version. In this tutorial, we will be targeting a simple Wi-Fi network with WEP encryption. Just using the command wifite -h will give you a list of all the commands.


Crack some WEP
A very tempting option would be -all, which tries to attack every network that it finds. We will try it in later articles in this series. However, first let's take a look at all the targets that we have. To do that, use the command wifite -showb


Once this is done, we can see that wifite has put our network interface card into monitor mode (using airmon-ng) and started to look for clients. After a few more seconds, it will start displaying the list of access points.


Note that, as mentioned in its feature list (automatically de-authenticates clients of hidden networks to reveal SSIDs), this list will also include hidden access points. Hence, Wifite can also be used to find hidden access points. In this case we will attack an access point with the BSSID 00:26:75:02:EF:65 that I have set up for testing purposes. The access point has a simple WEP password, 1234567890.


To start attacking an access point, just press Ctrl+C. Wifite will now ask you to choose a target number from the list. The target number for my test network is 1, so let me enter that. Note that if you press Ctrl+C again, it will quit Wifite.


You can now see that Wifite starts attempting to crack the WEP access point using the different known techniques for cracking WEP encryption. After some unsuccessful tries, it finally begins attacking the access point using different WEP-cracking techniques.


Once enough IVs have been captured, it will automatically start cracking the password.


As we can see, Wifite has successfully figured out the WEP key for the access point. Wifite is an extremely useful tool for cracking wireless networks. As I mentioned previously, you need to have all the tools like airmon-ng, aireplay-ng, airodump-ng and aircrack-ng already installed on your system. To further prove the point, let’s dive into the source code of Wifite.


As we can see, the Python code contains calls to aireplay-ng. Hence, it is recommended to run Wifite inside Kali Linux.


Crack some WPA
In this article, we will look at cracking access points using WPA-PSK or WPA2-PSK using Wifite.
If you have used tools like airodump-ng, aircrack-ng, etc. to crack WPA access points before, you would know that the one thing required to successfully crack a WPA-PSK network is a captured WPA four-way handshake.


To start Wifite for cracking a WPA access point, give it the option -wpa to only target WPA networks. Also, give it a dictionary file as input for cracking the WPA passphrase with the -dict option. In Kali Linux, the wordlists are stored at /usr/share/wordlists. Wifite will now start scanning for WPA access points.

Press Ctrl+C to give a target number. In my case, the target number is 2, which is an access point I have configured for testing purposes. The access point uses WPA2-PSK encryption with the key “password”.

Wifite will now start listening for the handshake. Once it has found it, it will automatically start cracking the passphrase using the dictionary file that we supplied.

And as you can see, Wifite has successfully found the passphrase for the access point.
Sometimes, things may not work as smoothly. In order to capture a WPA handshake between the client and the access point, the client has to connect to the wireless network during the period when we are monitoring it. If the client is already connected, no handshake will be captured. Wifite handles this by automatically sending deauthentication packets to a particular client, or a broadcast deauthentication packet if required, so that when the client tries to reconnect to the access point, the handshake is captured. You can specify the time between deauthentication packets using the -wpadt flag.
You can also specify which tool you want to use to crack the passphrase once the four-way handshake has been successfully captured. By default, aircrack-ng is selected. You can also use cowpatty, pyrit or tshark to crack the passphrase.
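From the other side of the airwaves, the deauthentication burst described above is also the thing a network owner can watch for: a healthy network sees a deauth or disassociation frame only when a client genuinely leaves, while a handshake-capture tool sends several in quick succession, often to the broadcast address. The following is an added example (mine, not from the article or from Wifite) of that detection logic run over a constructed list of frame records; the two-second window and the threshold of five frames are assumptions to tune for your environment.

```python
"""Flag deauthentication bursts per BSSID. Added example, not part of the
article or of Wifite; frame records below are constructed, and the window
and threshold are assumptions. A real deployment would feed in frames from
a monitor-mode capture instead of SAMPLE_FRAMES."""
from collections import defaultdict, deque

MGMT = 0                    # 802.11 frame type 0 = management
DEAUTH, DISASSOC = 12, 10   # management subtypes 0xC and 0xA
BROADCAST = "ff:ff:ff:ff:ff:ff"


def find_deauth_bursts(frames, window_s=2.0, threshold=5):
    """Return {bssid: (first_alert_ts, broadcast_seen)} for every BSSID that
    sees more than `threshold` deauth/disassoc frames inside any `window_s`
    second window. A frame is a dict with ts, type, subtype, bssid, addr1."""
    recent = defaultdict(deque)     # per-BSSID sliding window of timestamps
    broadcast = defaultdict(bool)   # did any burst frame target everyone?
    alerts = {}
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        broadcast[f["bssid"]] |= f["addr1"] == BROADCAST
        while q and f["ts"] - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and f["bssid"] not in alerts:
            alerts[f["bssid"]] = (f["ts"], broadcast[f["bssid"]])
    return alerts


def frame(ts, subtype, bssid, addr1, ftype=MGMT):
    return {"ts": ts, "type": ftype, "subtype": subtype, "bssid": bssid, "addr1": addr1}


# Constructed sample capture: one AP hammered with broadcast deauths at 10/s,
# one AP whose only deauths are occasional genuine client departures.
ATTACKED, QUIET = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
CLIENT = "cc:dd:ee:ff:00:11"
SAMPLE_FRAMES = (
    [frame(10.0 + 0.1 * i, DEAUTH, ATTACKED, BROADCAST) for i in range(8)]
    + [frame(30.0, DEAUTH, QUIET, CLIENT),
       frame(31.0, 0, QUIET, CLIENT, ftype=2),     # data frame, ignored
       frame(95.0, DISASSOC, QUIET, CLIENT)]
)

if __name__ == "__main__":
    for bssid, (ts, bcast) in find_deauth_bursts(SAMPLE_FRAMES).items():
        kind = "broadcast" if bcast else "targeted"
        print(f"{bssid}: {kind} deauth burst starting at t={ts:.1f}s")
```

The alert fires on the sixth frame of the burst, not at its end, so a wireless IDS built on this can react while the burst is still in progress; lowering -wpadt on the attacking side only makes the burst denser and easier to spot.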

Another cool option in Wifite is to anonymize your MAC address using the -mac option. Even though it is quite trivial to change the MAC address of a specific interface with simple commands or the macchanger utility, it is good to have this feature in the tool itself. However, in order to make this work, you first have to take the interface whose MAC address you want to change back to managed mode if it was previously in monitor mode. You can use the command iwconfig to check which interfaces are in monitor mode and then take them down with the command airmon-ng stop interface-name. As we can see from the image below, the mon0 interface is in monitor mode.

Hence, let's take it down using the command airmon-ng stop mon0.
Now we can add the -mac option to anonymize the MAC address. As you can see, Wifite is intelligent enough to change the MAC address to something similar to the existing MAC address of the interface and not to something ridiculous (e.g. AA:BB:CC:DD:EE:FF), which is a giveaway.

And when you stop the capture, Wifite is nice enough to change the MAC address back to the original one.

PHV.DCXXIV.2016.0128


2016.0128.WEP.WPA


Choosing the right security configuration for your wireless network is very important, especially because hacking is so easy now. Free software tools are now easily available that make it trivial for even unsophisticated "script kiddies" to break into secured wireless networks. Securing your Wi-Fi network with a password is the first step but its efficacy is very low if the security method chosen is WEP. Passwords for Wi-Fi networks secured with WEP can usually be cracked within minutes.[1] WPA2 is the recommended security method for wireless networks today.

Comparison chart


Stands for
  WEP: Wired Equivalent Privacy
  WPA: Wi-Fi Protected Access

What is it?
  WEP: A security protocol for wireless networks introduced in 1999 to provide data confidentiality comparable to a traditional wired network.
  WPA: A security protocol developed by the Wi-Fi Alliance in 2003 for use in securing wireless networks; designed to replace the WEP protocol.

Methods
  WEP: Through the use of a security algorithm for IEEE 802.11 wireless networks it works to create a wireless network that is as secure as a wired network.
  WPA: As a temporary solution to WEP's problems, WPA still uses WEP's insecure RC4 stream cipher but provides extra security through TKIP.

Uses
  WEP: Wireless security through the use of an encryption key.
  WPA: Wireless security through the use of a password.

Authentication method
  WEP: Open system authentication or shared key authentication.
  WPA: Authentication through the use of a 64-digit hexadecimal key or an 8 to 63 character passcode.
WEP and WPA security options while connecting to a wireless network

Encryption in a Wi-Fi network

It is possible to "sniff" data being exchanged on a wireless network. This means that if the wireless network is "open" (requires no password), a hacker can access any information transferred between a computer and the wireless router. Not having your Wi-Fi network password-protected also creates problems such as an intruder piggy-backing on your Internet connection, thereby slowing it down or even illegally downloading copyrighted content.
Securing a Wi-Fi network with a password is, therefore, absolutely essential. WEP and WPA are the two security methods supported almost universally by routers and the devices that connect to them, such as computers, printers, phones or tablets. WEP (Wired Equivalent Privacy) was introduced when the 802.11 standard for Wi-Fi networks was launched. It allows the use of a 64-bit or 128-bit key. However, researchers discovered vulnerabilities in WEP in 2001 and proved that it was possible to break into any WEP network by using a brute-force method to decipher the key. Using WEP is not recommended.
WPA, which stands for Wi-Fi Protected Access, is a newer standard and is much more secure. The first iteration of the WPA protocol used the same cipher (RC4) as WEP but added TKIP (Temporal Key Integrity Protocol) to make it harder to decipher the key. The next version - WPA2 - replaced RC4 with AES (Advanced Encryption Standard) and replaced TKIP with CCMP (Counter mode with Cipher block chaining Message authentication code Protocol). This made WPA2 a better and more secure configuration compared with WPA. WPA2 has two flavors - personal and enterprise.
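The comparison chart above lists both a 64-digit hexadecimal key and an 8 to 63 character passphrase as WPA authentication inputs. They are the same key in two forms: the passphrase is stretched with PBKDF2-HMAC-SHA1, using the SSID as the salt, into the 256-bit Pre-Shared Key that the hex form enters directly. The Python below is an added example (mine, not from the article), checked against the test vector IEEE 802.11 publishes for passphrase "password" on SSID "IEEE".

```python
"""WPA/WPA2-Personal key derivation: passphrase + SSID -> 256-bit PSK.
Added example, not part of the original article. IEEE_VECTOR is the
published IEEE 802.11 Annex test vector for ("password", "IEEE")."""
import hashlib


def wpa2_psk(passphrase, ssid):
    """PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits).

    The standard restricts the passphrase to 8..63 printable ASCII characters
    and the SSID to 1..32 bytes; both limits are enforced here."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def psk_from_config(key, ssid):
    """Accept either form a router UI offers: exactly 64 hex digits are taken
    as the raw PSK; anything else is treated as a passphrase and derived."""
    if len(key) == 64 and all(c in "0123456789abcdefABCDEF" for c in key):
        return bytes.fromhex(key)
    return wpa2_psk(key, ssid)


IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    psk = wpa2_psk("password", "IEEE")
    print("matches IEEE vector:", psk.hex() == IEEE_VECTOR)
    # The same passphrase on a different SSID yields an unrelated key,
    # so an attacker cannot precompute one table for every network.
    print("on SSID CONTEST:", wpa2_psk("password", "CONTEST").hex())
```

A handshake-cracking tool performs exactly this derivation for every dictionary candidate and checks the result against the captured four-way handshake; 4096 rounds of HMAC-SHA1 cost a few milliseconds per guess per CPU core and far less on a GPU, so a passphrase that appears in any wordlist offers no real protection no matter which of the two forms was typed into the router. The SSID is only a salt and is sent in the clear when a client associates, so hiding it does not slow this down either; the passphrase's own unpredictability is what matters.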

Other Wi-Fi security best practices

Choosing WPA2 is a good start but there are other things you can do to make your Wi-Fi network even more secure. For example,
  • Do not broadcast SSID: The SSID is the name of the Wi-Fi network. By not broadcasting the SSID, the wireless network becomes "hidden". It will still show up in network scans by devices but they would only see it as "Unidentified Network". When the network broadcasts its SSID (name), the hacker only has to decipher the password. But when the network name is unknown, logging on to the network will require that the intruder must know not only the password but also the SSID.
  • Use a strong password: This one is obvious but bears a mention because it is very important. Computers are very powerful and cloud computing has made it very cheap and easy to rent extraordinarily large raw computational power. This makes brute-force attacks possible, where the hacker tries every combination of letters and numbers until the key is deciphered. A good password has the following characteristics:
    • is longer than 10 characters
    • uses a healthy mix of characters — upper case, lower case, numbers and special characters like ^*
    • is not easily guessable, like a birthday, or name of a family member or pet name
  • Change the default IP address of the router: Virtually all wireless routers are preconfigured to use 192.168.1.1 as the IP address of the router on the network it creates. There are some sophisticated exploits that use this common setting to transmit the infection to the router, thereby compromising not just one computer but all Internet traffic that goes via the router from any device. It is advisable to change the router's IP address to something else, such as 192.168.37.201.
Security measures

There are a range of wireless security measures, of varying effectiveness and practicality.

SSID hiding

A simple but ineffective method to attempt to secure a wireless network is to hide the SSID (Service Set Identifier).[15] This provides very little protection against anything but the most casual intrusion efforts.

MAC ID filtering

One of the simplest techniques is to only allow access from known, pre-approved MAC addresses. Most wireless access points contain some type of MAC ID filtering. However, an attacker can simply sniff the MAC address of an authorized client and spoof this address.

Static IP addressing

Typical wireless access points provide IP addresses to clients via DHCP. Requiring clients to set their own addresses makes it more difficult for a casual or unsophisticated intruder to log onto the network, but provides little protection against a sophisticated attacker.[15]

PHV.DCXXIV.2016.0128

2015-08-07

DEFCON 23: WiFi Sheep Hunt Summary of Contest

WiFi Sheep Hunt Summary of Contest:

Hello potential WiFi Sheep Hunt contestants! We have lost our Ovis aries, or Sheep for the biologically impaired. Your job as a Sheep Herder is to help us find our sheep and return them to the “farm”. 


The first Sheep Herder to successfully return all lost sheep to the “farm” will be the 1st Prize Winner of the WiFi Sheep Hunt contest.

This year we have 3 ways of sheep herding (playing). You choose the way you want to play, but choose carefully, as once you choose you may not switch to another way of playing. A Sheep Herder may be an individual or a team but as a team you may only choose one way of playing.
 

Sheep Herder Type 1
This type of sheep herder has a computer, tablet or other type device with wireless packet sniffing capabilities/skills and is not afraid to use them at DEF CON. These individuals are brave, very brave.


Sheep Herder Type 2 
This type of sheep herder has no computing device whatsoever, which in some cases may be a wise choice at DEF CON, but wants to join in on the fun. YES, you do not need a phone, you do not need a tablet and you do not need a computer to play as type 2 sheep herder.

Sheep Herder Type 3
This type of sheep herder has a phone, tablet or other type device with NFC reading capabilities and is not afraid to use them at DEF CON. You did make a backup image of your phone and/or tablet before you arrived didn't you?


NOTE: In years past we have frowned upon hacking our contest equipment, but this year we have had a change of heart, as long as you don't render it useless.


DO NOT BRICK IT. 

Our equipment is dated, has not been patched and may be vulnerable to attacks. This is DEF CON btw. Hack at least 2 of our wireless access points and ONLY OUR WIRELESS ACCESS POINTS and prove to us YOU hacked them by changing their broadcasting SSIDs to something that identifies YOU and if no one returns all our sheep to the “farm” then you win 1st Prize. You must have signed up as a Sheep Herder Type 1 to win in this way.

2013-08-14

Your WPA Security and The Reaver Pro



The Reaver Pro and WPS

For Humans: Turn off WPS on your home router if it is configurable, or buy one that does not use it. This Wikipedia article talks all about it, https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

The Reaver Pro automates exploiting the WPS vulnerability, so that you can be 0wn3d in a few hours. It does not matter if you use a 128-character password or change it every 10 minutes. Once the Reaver Pro figures out your WPS PIN, it's game over.

For PenTesters: Don't get all excited, it does not work on all routers. I tried and already surveyed some. So far, Netgear and Motorola routers responded to the Reaver and they were eventually 0wn3d. Some routers have a threshold on how many requests you can send before they start ignoring the Reaver. On average, the Reaver was running about 3-5 days. So, this is a long-term process - be patient.
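To check your own router for what this post warns about, you do not need a Reaver at all: an access point announces WPS in its beacons, alongside the elements that give the WEP/WPA/WPA2 answer from the comparison chart further up the page. The following Python is an added example by the editor (not from the post, and not Reaver or Wifite code) that audits a beacon body for both. The beacon bodies are constructed in the code itself, not captured from any network; the element and attribute numbers are those of IEEE 802.11 (element 48 for RSN, vendor element 221 with OUI 00:50:F2, type 1 for WPA and type 4 for WPS) and the Wi-Fi Simple Configuration attributes 0x1044 (WPS state) and 0x1057 (AP setup locked).

```python
"""Passive beacon audit: security protocol, ciphers, and WPS state.
Added example, not from the post or from any tool it names. The sample
beacon bodies at the bottom are constructed, not real captures."""
import struct

PRIVACY = 0x0010             # capability-info bit: encryption required
OUI_RSN = b"\x00\x0f\xac"    # suite selector OUI used by the RSN (WPA2) element
OUI_MSFT = b"\x00\x50\xf2"   # vendor element OUI: type 1 = WPA, type 4 = WPS
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPS_STATE, WPS_LOCKED = 0x1044, 0x1057   # WSC attrs: state (2 = configured), AP setup locked


def iter_elements(blob):
    """Yield (element id, payload) from a run of 802.11 information elements."""
    pos = 0
    while pos + 2 <= len(blob):
        eid, ln = blob[pos], blob[pos + 1]
        yield eid, blob[pos + 2:pos + 2 + ln]
        pos += 2 + ln

def parse_suites(data):
    """Shared RSN/WPA layout: version(2), group suite(4), pairwise list, AKM list."""
    pos = 6                                   # skip version and group suite
    n = struct.unpack_from("<H", data, pos)[0]; pos += 2
    pairwise = [data[pos + 4 * k + 3] for k in range(n)]; pos += 4 * n
    n = struct.unpack_from("<H", data, pos)[0]; pos += 2
    akms = [data[pos + 4 * k + 3] for k in range(n)]
    return pairwise, akms

def parse_wps(data):
    """WSC attributes are big-endian TLVs: id (2), length (2), value."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        aid, ln = struct.unpack_from(">HH", data, pos)
        attrs[aid] = data[pos + 4:pos + 4 + ln]
        pos += 4 + ln
    return attrs

def audit_beacon(body):
    """body = beacon frame body: timestamp(8), interval(2), capability(2), elements."""
    cap = struct.unpack_from("<H", body, 10)[0]
    r = {"ssid": "", "protocols": [], "pairwise": set(), "akm": set(), "wps": None}
    for eid, data in iter_elements(body[12:]):
        if eid == 0:
            r["ssid"] = data.decode("utf-8", "replace")
        elif eid == 48 or (eid == 221 and data[:4] == OUI_MSFT + b"\x01"):
            pairwise, akms = parse_suites(data if eid == 48 else data[4:])
            r["protocols"].append("WPA2" if eid == 48 else "WPA")
            r["pairwise"].update(CIPHERS.get(c, f"cipher-{c}") for c in pairwise)
            r["akm"].update(AKMS.get(a, f"akm-{a}") for a in akms)
        elif eid == 221 and data[:4] == OUI_MSFT + b"\x04":
            a = parse_wps(data[4:])
            r["wps"] = {"configured": a.get(WPS_STATE, b"\x00")[0] == 2,
                        "locked": a.get(WPS_LOCKED, b"\x00")[0] == 1}
    r["security"] = "/".join(r["protocols"]) or ("WEP" if cap & PRIVACY else "open")
    r["findings"] = []
    if r["security"] in ("open", "WEP"):
        r["findings"].append(f"{r['security']} network: move to WPA2 (CCMP)")
    if "TKIP" in r["pairwise"]:
        r["findings"].append("TKIP still allowed: RC4-based, keep only CCMP")
    if r["wps"] and not r["wps"]["locked"]:
        r["findings"].append("WPS advertised and not locked: disable WPS")
    return r


# --- constructed sample beacons (not captures from any real network) --------
def ie(eid, data):
    return bytes([eid, len(data)]) + data

def suites(oui, group, pairwise, akms):
    return (b"\x01\x00" + oui + bytes([group])
            + struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
            + struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms))

def wsc(aid, value):
    return struct.pack(">HH", aid, len(value)) + value

def beacon(ssid, privacy, elements=b""):
    cap = 0x0001 | (PRIVACY if privacy else 0)    # ESS bit, plus privacy when set
    return bytes(8) + struct.pack("<HH", 100, cap) + ie(0, ssid) + elements

WPA2_WITH_WPS = beacon(b"CONTEST", True,
    ie(48, suites(OUI_RSN, 4, [4], [2]) + b"\x00\x00")
    + ie(221, OUI_MSFT + b"\x04" + wsc(0x104A, b"\x10")
        + wsc(WPS_STATE, b"\x02") + wsc(WPS_LOCKED, b"\x00")))
WPA_TKIP = beacon(b"OLDAP", True, ie(221, OUI_MSFT + b"\x01" + suites(OUI_MSFT, 2, [2], [2])))
WEP_ONLY = beacon(b"LEGACY", True)
OPEN = beacon(b"FREEWIFI", False)

if __name__ == "__main__":
    for b in (WPA2_WITH_WPS, WPA_TKIP, WEP_ONLY, OPEN):
        r = audit_beacon(b)
        print(r["ssid"], r["security"], sorted(r["pairwise"]), r["findings"])
```

Feed audit_beacon the body of a real beacon (everything after the 24-byte MAC header) from a monitor-mode capture of your own network, for instance one saved by the airodump-ng or tshark tools the Wifite article mentions. An AP that reports WPS configured and not locked is exactly the case this post describes, and the remedy is the one it gives: turn WPS off, then capture another beacon and confirm the element is gone.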