CRACKING WEP WITH WINDOWS XP PART 2

Part Two in the Cracking WEP series covers what to do once you have a valid WEP key – I recommend you read Part One (if you have not already) before reading this tutorial if you want to understand how WEP works and how to get the WEP key. It can be found here: http://www.tazforum.thetazzone.com/viewtopic.php?t=2069



So, you have managed to get a valid WEP key, and are wondering what to do next?

Well, first of all, you should try to associate with the Wireless Access Point (WAP or AP). This is made very easy in Windows XP SP2:


When SSID Broadcasting is enabled:
Start > Connect to > Wireless Network Connection > View Available Wireless Networks

You will now be presented with a list of wireless networks that Windows XP has managed to find. If SSID broadcasting is enabled on the AP, the network name will show up, and the application will also let you know if the AP is using WPA encryption or not.

If it shows the network name and then 'Security enabled wireless network' beneath it, there is a 90% chance that it will be using WEP for its security. If it is using WPA, it will say "Security Enabled Network (WPA)".

Now just double click on the network name and it will prompt you to enter the WEP key – enter this twice and see if it lets you connect.

If it does, well done, you have successfully associated with the AP – if it does not, the following are the most likely possible causes of this:

- The AP has MAC Address filtering enabled;
- You are too far away from the AP;
- The WEP key is wrong.

The AP has MAC address filtering enabled
If you followed my previous paper to obtain the WEP key, I mentioned writing down the MAC addresses that had successfully associated with the AP in case MAC address filtering was active.

Now you know why!

Change your MAC address (covered later on) to one that you know was associated and therefore authenticated to that AP. Then, wait until it is not in use - the early hours of the morning are usually good for this - change your MAC Address, and try to associate with the AP. You can try it whilst the rightful owner of the MAC is online, but you will either kick him off or be rejected by the AP.

You are too far away from the AP
- Move closer to it;
- Wait until night time – wireless waves travel further at night, especially if it has been raining (the more humid, the better);
- Get an external and more powerful antenna, or a directional antenna (these are much more powerful than omnidirectional antennae);
- Try another wireless card;
- Sometimes moving rooms in your house can solve the issue – I pick up APs in one room in the front of my house that I don’t in a room at the back of my house;
- Move into the garden – there are no walls or electrical interference in the garden!

The WEP key is wrong
This may sound obvious but I have had students do this in the past... Make sure that the WEP key you have managed to obtain is for the same AP to which you are trying to connect!
Check that you are entering it correctly – it is in HEX, so the 0 is a ZERO, not a capital ‘O’ – there is no ‘O’ in HEX – I have seen this before too!


If SSID broadcasting is disabled:
If SSID broadcasting is disabled, and if you have not managed to find it with Airodump, you will have to fire Airodump back up and let it collect data again (use your IVS file and just add data to this) until it finds the SSID – it will find it, given enough data. There are other applications that will do this on various operating systems, but I am using Airodump here.

Once you have the ESSID (the name of the wireless network), you need to tell Windows what AP you would like it to connect to. You do this like so:

Start > Connect to > Wireless Network Connection > View Wireless Networks > Change Advanced settings (on the left) > Wireless Networks (Middle tab on top) > Add (under preferred networks) > Type the SSID exactly as Airodump has displayed it to you into the "SSID" box > Network Authentication is usually OPEN > Select WEP from the Data Encryption > Uncheck ‘The Key is provided for me automatically’ box if it is ticked > Then enter the WEP key into the relevant boxes, without the colons.

If you wish, you can go to the last tab (Connection) and check the box to ‘Automatically connect when network is in range’. This will automatically connect you to this network when Windows picks it up; this setting is usually enabled by default.

The other settings will differ by AP but are usually left unchecked.


Changing your MAC address:
For some people, this can seem a bit daunting and/or a complex task to do. This would have been true a few years ago, but nowadays there are hundreds of applications which can do this for you, and with Windows XP SP2 it can even be done using the inbuilt network configuration tools.

First, let me very briefly explain what a Media Access Control (MAC) address is and why it is so important on a network.

All Network Interface Cards (NICs) have a unique set of numbers and letters encoded into the hardware when they are made in the factory. Theoretically, every single NIC in the world has a different MAC address. It is encoded using the HEX numbering system – that is, the digits 0-9 and the letters A-F (the same HEX that a WEP key uses).

It will look something like this: 00:09:5B:84:A6:DF

Each manufacturer has a different OUI (Organisationally Unique Identifier) at the beginning of the MAC address, but that is not important to us here.

When you try to associate with an AP, your MAC address is included in the header of the frame (data) that you are sending. The AP will check this against a local database to see if you are allowed to associate with the AP or not. If you are not, obviously you will not be allowed to associate, so you will need to spoof your own MAC address. Be aware that you will cause a duplicate entry in the AP's ARP cache if you try to use the MAC address of a host that is already associated with the AP. It may be wise to wait until a quiet period - usually at night - before doing this.
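As an added example (not part of the original tutorial), the script below takes a MAC address in any of the spellings seen on this page (colons, the hyphens ipconfig prints, or 12 bare hex digits as typed into the registry), splits off the OUI and reads the two flag bits of the first octet. Bit 1 of that octet is the "locally administered" (U/L) bit, which is what the Device Manager's "Locally administered address" setting refers to: an address with it set was not burned in by a manufacturer, which is why a network administrator checking an AP's client list looks at it. The sample addresses are constructed, and a capital 'O' in place of a zero is rejected, as the WEP key section warns.

```python
import re

# Constructed sample addresses (not captured from any real network). The first
# is the one the tutorial shows; the rest exercise the two flag bits and the
# separator styles Windows and ipconfig use.
SAMPLE_MACS = [
    "00:09:5B:84:A6:DF",  # manufacturer-assigned unicast address
    "02:09:5B:84:A6:DF",  # same OUI, but locally administered bit set
    "01:00:5E:00:00:FB",  # group (multicast) bit set
    "00-09-5b-84-a6-df",  # "ipconfig /all" style, lower case
    "00095B84A6DF",       # 12 bare hex digits, as typed into the registry
]


def is_valid_mac(mac: str) -> bool:
    """True only for 12 hex digits, optionally separated by ':' or '-'.
    A capital 'O' where a zero should be fails this check."""
    digits = re.sub(r"[:-]", "", mac.strip())
    return re.fullmatch(r"[0-9A-Fa-f]{12}", digits) is not None


def describe_mac(mac: str) -> dict:
    """Split a MAC into its OUI and the two flag bits of the first octet."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    raw = bytes.fromhex(re.sub(r"[:-]", "", mac.strip()))
    first = raw[0]
    return {
        "canonical": ":".join(f"{b:02X}" for b in raw),
        "oui": ":".join(f"{b:02X}" for b in raw[:3]),  # first three octets
        "multicast": bool(first & 0x01),                # I/G bit
        "locally_administered": bool(first & 0x02),     # U/L bit
    }


def locally_administered(macs) -> list:
    """Canonical form of every valid address whose U/L bit is set: such an
    address was not assigned by a manufacturer."""
    return [describe_mac(m)["canonical"] for m in macs
            if is_valid_mac(m) and describe_mac(m)["locally_administered"]]


if __name__ == "__main__":
    for m in SAMPLE_MACS + ["0O:09:5B:84:A6:DF"]:
        if is_valid_mac(m):
            print(m, describe_mac(m))
        else:
            print(m, "rejected: not hex (there is no O in HEX)")
```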

I don’t want to go into too much detail here about this process, but if you do want to learn more about it and how it can be exploited on a network, you can read other papers that I have written here:
http://tazforum.thetazzone.com/viewtopic.php?t=473
http://tazforum.thetazzone.com/viewtopic.php?t=530

To change a MAC address, I like to use AMAC: http://amac.paqtool.com/

You can download a trial version of it from the link above, and the more resourceful of you will be able to find a crack to unlock the full version of it.

The program is very user-friendly, and there is no need for me to explain how to use it. But, if you do have any issue with changing your MAC address with it, post in this thread and someone will try to help you (DO NOT post asking where to get the crack).

To change your MAC address using Windows' inbuilt tools, you must use the Windows Device Manager (this is not possible on ALL wireless adaptors, especially in-built ones). Here are instructions on how to do this:

Control Panel > System > Hardware > Device manager > Network Adaptors > Select your network adaptor > Advanced > MAC Address / Hardware Address/Locally administered address > Change it to the desired value.

**Make sure you write the original one down so you can change it back**

Or you can do it via the registry:

1. Open up a command prompt and type “ipconfig /all”, write down the Description for the NIC you want to change and also the MAC address you want to change.

2. Open up a command prompt and type “net config rdr”

3. Write down the long number between the curly braces { }. This is the GUID of the NIC – you may have more than one; if so, write them all down or copy and paste them into a text file for reference later on.

4. Start -> Run, type “regedt32”. Do not use Regedit.

5. If you so wish you can back your registry up in case you inadvertently mess it up – the registry is vital to how Windows operates, and incorrectly changing a setting could render your computer unusable.
To back it up, either right click on the root of the key we are editing (in this case, it is HKEY_LOCAL_MACHINE) and select Export – call it something appropriate and save it somewhere (like My Documents). Or, if you want to back up the whole registry, right click on My Computer > Export – this will export the entire registry.

6. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}. Double click on this key to expand the tree. The sub-keys are 4-digit numbers, which represent a whole range of different hardware. You should see most of them start with 0000, then 0001, 0002, 0003 and so on.

7. Start with the sub-key 0000 and check the DriverDesc keyword on the right to see whether it is the NIC you want to change the MAC address on. The DriverDesc will be the same as what your NIC was called in the Device Manager. If you are not sure about the DriverDesc, you can verify it by checking whether the NetCfgInstanceID keyword value matches the GUID you wrote down in step 3.
If there is no match, then move on to 0001, 0002, 0003, and so on, until you find the one you want. Usually 0000 contains the first NIC you installed on the computer.

8. When you have found and selected the correct sub-key (0000, in my case), check if there is a keyword "NetworkAddress" on the right side of the window.
If the "NetworkAddress" keyword does not exist, we will have to create it, like so:
Click on the drop down menu “Edit -> Add Value”.
In the Add Value window, enter the following value then click OK.
Value Name: = NetworkAddress
Data Type: = REG_SZ
Then the String Editor window will pop up:
Enter the new 12 digit MAC address that we know is allowed to authenticate to the AP > OK.

Close the registry.

To make this MAC address active you need to either disable and then re-enable the NIC or just reboot your system.

Now that we have a MAC address that we know is allowed to associate with the AP, try to re-authenticate.

You should now be able to connect – if not, carry on with the troubleshooting steps mentioned above!

If you’re still unable to authenticate, post in this thread with any error messages and a detailed description of what is going wrong and someone will try to help you out!


I will take it now that you have been able to associate with the AP and are connected OK.

There is no set way to do things from here on, and you can go off and search for a whole range of things you can do to a computer on the same network as you!

But, to get you started, I will give you a few basic ideas and things you can try.


Administratively connect to the AP
Open up a command prompt and type IPCONFIG:

Look under the relevant NIC to find your IP address and your Default Gateway:
        Ethernet adapter Wireless Network Connection:

                Connection-specific DNS Suffix  . : bubbles
                IP Address. . . . . . . . . . . . : 192.168.2.4
                Subnet Mask . . . . . . . . . . . : 255.255.255.0
                Default Gateway . . . . . . . . . : 192.168.2.1

The IP Address and Subnet Mask tell us what subnet we are on - in the example above, I am on the 192.168.2.0 network with a 255.255.255.0 mask. From this, I can determine that the possible range of IPs that could be active is 192.168.2.1 – 192.168.2.254.

We already know that 192.168.2.1 is active and what it is – the default gateway. In this case (and probably in yours too), it is also the IP address of the AP!
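As an added example (not part of the original tutorial), this Python script does the arithmetic from the two paragraphs above: it reads the address, mask and gateway out of a constructed copy of the ipconfig output and works out the network, the first and last usable host addresses, and whether the gateway actually sits inside that subnet (if it does not, the mask was misread). It goes beyond the /24 on this page and handles any mask, including the /31 and /32 edge cases where the network and broadcast addresses are not reserved.

```python
import ipaddress
import re

# Constructed copy of the ipconfig output quoted in the tutorial.
IPCONFIG_OUTPUT = """\
Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : bubbles
        IP Address. . . . . . . . . . . . : 192.168.2.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
"""

# Matches the dotted "label . . . : value" lines that Windows XP ipconfig prints.
_FIELD_RE = re.compile(
    r"^\s*(IP Address|Subnet Mask|Default Gateway)[\s.]*:\s*(\S+)", re.MULTILINE)
_KEYS = {"IP Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text: str) -> dict:
    """Pull the address, mask and gateway of the first adapter out of ipconfig text."""
    found = {}
    for label, value in _FIELD_RE.findall(text):
        found.setdefault(_KEYS[label], value)  # keep the first adapter's values
    missing = set(_KEYS.values()) - set(found)
    if missing:
        raise ValueError(f"ipconfig output lacks: {sorted(missing)}")
    return found


def subnet_summary(ip: str, mask: str, gateway: str) -> dict:
    """Work out the network and the usable host range from an address and mask."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")  # accepts dotted masks
    net = iface.network
    if net.num_addresses > 2:  # ordinary subnet: drop network and broadcast
        first = net.network_address + 1
        last = net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:  # /31 or /32: every address is usable
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    return {
        "network": str(net),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
        "gateway_in_subnet": ipaddress.IPv4Address(gateway) in net,
    }
```

Running `subnet_summary(**parse_ipconfig(IPCONFIG_OUTPUT))` reproduces the 192.168.2.1 – 192.168.2.254 range stated above.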

So we open up our web browser and type 192.168.2.1 into it, which will take us to the admin login page for the AP.
There's a 9/10 chance that the make and model of the AP will be displayed for us here – when we have this, pop along to Google and search for ‘default wireless access point passwords’, which will give you thousands of sites that list the default passwords for WAPs (such as this one: http://www.phenoelit.de/dpl/dpl.html). Find the entry for the make and model of the AP and try the login details to see if they work.

If they do not, go and download Brutus and try an HTTP brute force attack against it.

Once we have managed to connect to the AP as an administrator, we can see its whole configuration – look for any port forwarding entries to give you an idea of what services may be running behind the AP. You may also be able to see all the DHCP assignments (IP addresses that the AP has given out to hosts). You can also open ports on the AP, should you wish to. Check its logs. Some APs will not allow wireless clients to talk to each other, which will mess up any further testing attempts later on, so you should turn that setting off now. Enter your own, correct MAC address into the MAC address table so that you will be able to connect when other hosts are connected next time. Check the range of IPs to be issued to hosts – if the owner only has two computers he may only have set two IP addresses to be issued, so extend this by one so that you can connect at the same time as the other two hosts.

I would not change the password once you know it, as this will let the owner know that he has been pwned and will just prompt him to hard reset the router and try harder to secure it. If you launch any attacks from the outside, you can also go in and delete the logs here.


Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on September 2nd, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.