Archive | Security

Security
12 October 2011 0 Comments

Using the RT3090 Chipset in Monitor Mode With Airodump-ng

If you want to monitor or inject wireless traffic with the Ralink RT3090 chipset, you can do so by putting the card in monitor mode. The aircrack-ng website states that the rt2x00 family of modules works well (a module is a Linux kernel driver). I have successfully used monitor mode with the rt2860sta module.

First, stop any running network services that could reconfigure the interface behind your back (such as DHCP clients):

$ sudo /etc/init.d/networking stop

To unload the currently loaded wireless driver (lsmod lists the loaded modules) and load the rt2860sta module:

$ sudo modprobe -rf <name of module to remove>
$ sudo modprobe rt2860sta

Now you should have a wlan0 interface (or a similarly named one), and you can start monitor mode. For monitor mode to work properly, and for channel changes to succeed, you must stop every process that uses the wlan0 interface. Loading the rt2860sta module may have triggered the DHCP client dhclient or the ifup script again, so shut those down first:

$ sudo /etc/init.d/networking stop

Now create the monitor interface:

$ sudo airmon-ng start wlan0

This creates the interface mon0, which runs in monitor mode. You can now analyse all traffic in the air on this interface, for example with airodump-ng or Wireshark.…

Tags: airodump, airomon-ng, modprobe, mon0, networking, stop
Security
20 June 2011 4 Comments

Man-In-The-Middle Attacks With Ettercap

Introduction

This post explains how to execute a man-in-the-middle (MITM) attack on Linux. Only the attack itself is described here; the mechanics of ARP poisoning and man-in-the-middle attacks are explained in a different post.

A man-in-the-middle attack can be achieved in various ways, but MITM through ARP poisoning is a common method on a switched LAN.

In this post we demonstrate a MITM with the Ettercap tool. Ettercap is a multipurpose sniffer/interceptor/logger for switched LANs, and pretty much the Swiss army knife of ARP poisoning. Every security researcher should have it in their toolbox, and it ships with the BackTrack Linux distribution. Ettercap features a nice GUI, but in this post we only use text mode.

Command Syntax

The ettercap program has the following syntax:

ettercap [OPTIONS] [TARGET1] [TARGET2]

Targets can be specified by IP and MAC address, and specific TCP and UDP ports can also be targeted. A short description of the TARGET1 and TARGET2 syntax follows; read the target specification section of the man page for details.

TARGET is in the form MAC/IPs/PORTs.

If you omit any of the parts, a wildcard is used for that part.

Examples:
//80         means ANY
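To make the wildcard rules concrete, here is a small matcher for the TARGET grammar, written for this page as an added example (it is not Ettercap's own code). It assumes the IPv4 form of the man page: an empty part is a wildcard, IP groups are separated by ';', within a dotted quad each octet may be a number, a range like 1-5, or a comma-separated list of those, and PORTs is a comma-separated list of numbers or ranges. Real Ettercap accepts further forms (IPv6, for instance) that are not handled here.

```python
"""Parse and match Ettercap TARGET specifications (MAC/IPs/PORTs).

Added example for this page, not part of the original post or of Ettercap.
Grammar assumed (see lead-in): '' = wildcard, ';' separates IP groups,
octets accept numbers, 'a-b' ranges and comma lists, ports likewise.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


def _expand(part: str, lo: int, hi: int) -> Set[int]:
    """Expand '1-5,10' into {1,2,3,4,5,10}, validating the bounds."""
    values: Set[int] = set()
    for item in part.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in {part!r}")
        if "-" in item:
            a, b = item.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(item)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"out of range: {item!r}")
        values.update(range(start, end + 1))
    return values


@dataclass
class Target:
    mac: Optional[str]                    # None = any MAC
    ips: Optional[List[List[Set[int]]]]   # None = any IP; else one 4-octet-set list per group
    ports: Optional[Set[int]]             # None = any port

    @classmethod
    def parse(cls, spec: str) -> "Target":
        parts = spec.split("/")
        if len(parts) != 3:
            raise ValueError("TARGET must be MAC/IPs/PORTs (exactly two slashes)")
        mac_s, ip_s, port_s = (p.strip() for p in parts)
        mac = mac_s.lower() if mac_s else None
        ips = None
        if ip_s:
            ips = []
            for group in ip_s.split(";"):
                octets = group.split(".")
                if len(octets) != 4:
                    raise ValueError(f"bad IPv4 group: {group!r}")
                ips.append([_expand(o, 0, 255) for o in octets])
        ports = _expand(port_s, 0, 65535) if port_s else None
        return cls(mac, ips, ports)

    def matches(self, mac: str, ip: str, port: int) -> bool:
        """True if a (mac, ip, port) endpoint falls inside this target."""
        if self.mac is not None and mac.lower() != self.mac:
            return False
        if self.ips is not None:
            octets = [int(o) for o in ip.split(".")]
            if len(octets) != 4:
                raise ValueError(f"bad IPv4 address: {ip!r}")
            if not any(all(o in s for o, s in zip(octets, group)) for group in self.ips):
                return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


def intercepted(spec1: str, spec2: str, src, dst) -> bool:
    """True if a packet from src=(mac, ip, port) to dst=(mac, ip, port) flows
    between TARGET1 and TARGET2 in either direction, i.e. the traffic an
    ARP-poisoning MITM with these two targets would put in the attacker's path."""
    t1, t2 = Target.parse(spec1), Target.parse(spec2)
    return (t1.matches(*src) and t2.matches(*dst)) or (t2.matches(*src) and t1.matches(*dst))


if __name__ == "__main__":
    victim = ("00:11:22:33:44:55", "10.0.0.3", 51000)
    gateway = ("aa:bb:cc:dd:ee:ff", "10.0.0.1", 80)
    print(intercepted("/10.0.0.1-5;10.0.1.33/", "/10.0.0.1/80", victim, gateway))
```

Note that the two groups are symmetric: a spec pair like `/10.0.0.3/` and `/10.0.0.1/` intercepts the victim-to-gateway direction and the gateway-to-victim direction alike, which is why both are needed for a full-duplex MITM.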

Security
16 June 2011 0 Comments

A Useful Nmap Scan

Nmap is without a doubt the best-known free network security scanner. An nmap command that is very useful for mapping out all hosts on a subnet is shown below:

nmap -sS -sV -O 192.168.0.0/24

The meaning of the options is as follows (SYN scan and OS detection need raw sockets, so run the command as root or with sudo):

  • -sS. This tells nmap to use a TCP SYN (half-open) scan against each host's ports.

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.

  • -sV. This switch tells Nmap to attempt to find the service and version information of the ports it finds open.

After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS
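Once such a scan runs against a whole /24 the interesting part is reading the result, so here is an added example (not from the original post and not Nmap's own code) that summarises the XML nmap writes with -oX: live hosts, their best OS match and open ports, with the service detail that -sV probed. The XML document inside it is a constructed sample in the shape nmap produces; nothing in it runs nmap. The `probed` flag is worth checking: a service with method="table" was only guessed from the port number, meaning version detection got no usable banner.

```python
"""Summarise an `nmap -sS -sV -O -oX scan.xml` result.

Added example for this page, not from the original post or from Nmap.
SAMPLE_XML is a constructed document in the layout nmap's -oX output uses.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.0.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Constructed"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.18 - 2.6.32" accuracy="96"/>
      <osmatch name="Linux 2.6.32" accuracy="92"/>
    </os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def summarise(xml_text: str) -> List[Dict]:
    """One dict per host that is up: ipv4 address, best (name, accuracy) OS
    match or None, and the list of open ports with -sV detail."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # -O/-sV produce nothing for hosts that did not answer
        ipv4: Optional[str] = next(
            (a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"), None)
        best_os: Optional[Tuple[str, int]] = None
        matches = host.findall("os/osmatch")
        if matches:
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            best_os = (best.get("name"), int(best.get("accuracy", "0")))
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed" means -sV matched a real banner; "table" is a port-number guess
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append({"addr": ipv4, "os": best_os, "ports": ports})
    return hosts


def unversioned_services(hosts: List[Dict]) -> List[Tuple[str, int]]:
    """(addr, port) pairs whose service was only guessed from the port table."""
    return [(h["addr"], p["port"]) for h in hosts for p in h["ports"] if not p["probed"]]


if __name__ == "__main__":
    for h in summarise(SAMPLE_XML):
        print(h["addr"], h["os"])
        for p in h["ports"]:
            print("  %d/%s %s %s %s" % (p["port"], p["proto"], p["service"], p["product"], p["version"]))
    print("needs a manual look:", unversioned_services(summarise(SAMPLE_XML)))
```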

Tags: nmap, no ping, os detection, service discovery, syn scan
Security
3 April 2011 1 Comment

Sniffing Wireless Traffic With Backtrack

Introduction

Picking up traffic that is not addressed to your own MAC address is generally done by putting the network interface in promiscuous mode. On a wired Ethernet interface this works fine. For wireless 802.11 traffic, however, promiscuous mode misses a lot: in managed mode the driver only hands up data frames of the network the card is associated with, so management and control frames (beacons, probe requests, authentication, ACKs) and the frames of other networks never reach the sniffer.

In order to see all frames in the air, including those of access points or ad-hoc networks you are not associated with, you need a chipset that supports monitor mode. This guide describes how to enable monitor mode on BackTrack 4 with the Intel Wireless LAN 3945 chipset (Intel PRO/Wireless 3945ABG). However, it should work for most Linux/WLAN card combinations, provided your kernel supports the card and the chipset supports monitor mode.

Enabling Monitor Mode

Fire up Wireshark and try to capture on your wireless interface (in my case it was called wlan0). You will probably only see your own traffic. Now we will use the aircrack-ng package to create a new interface in monitor mode, which passes every 802.11 frame the card receives on its current channel to Wireshark.

$ airmon-ng start wlan0

This creates a new interface called mon0. Now start a capture with Wireshark on that interface (be sure promiscuous mode…
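Both this post and the RT3090 post above end at `airmon-ng start wlan0`, and in practice the step that goes wrong is the one before it: something is still managing the interface, or mon0 is not really in monitor mode, and the capture silently shows one channel's worth of your own traffic. The following check is an added example for this page (not from either post and not part of aircrack-ng): it parses the output of `iw dev` for the interface type and channel, and a `ps -eo pid,comm` listing for processes that reconfigure WLAN interfaces. The two text samples inside are constructed; the list of interfering process names is an assumption, a subset of what `airmon-ng check` looks for, and `run_checks()` is the only part that shells out.

```python
"""Verify that a monitor-mode interface is ready for airodump-ng/Wireshark.

Added example for this page, not part of the posts above or of aircrack-ng.
parse_iw_dev() reads `iw dev` output, interfering_processes() reads
`ps -eo pid,comm` output; SAMPLE_* are constructed texts in those formats.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Assumption: daemons that commonly bring wlan0 back up or change the channel.
# This is a subset of what `airmon-ng check` flags, not its exact list.
INTERFERING = {"dhclient", "dhcpcd", "NetworkManager", "wpa_supplicant", "avahi-daemon"}

SAMPLE_IW_DEV = """phy#0
    Interface mon0
        ifindex 4
        type monitor
        channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
    Interface wlan0
        ifindex 3
        addr 00:11:22:33:44:55
        type managed
"""

SAMPLE_PS = """  PID COMMAND
    1 init
  812 wpa_supplicant
  954 dhclient
 1201 bash
"""


def parse_iw_dev(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map interface name -> {'type': ..., 'channel': ...} from `iw dev` output.
    An interface that is not tuned (e.g. managed and unassociated) has channel None."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = {"type": None, "channel": None}
            continue
        if current is None:
            continue
        m = re.match(r"\s*type\s+(\S+)", line)
        if m:
            result[current]["type"] = m.group(1)
        m = re.match(r"\s*channel\s+(\d+)", line)
        if m:
            result[current]["channel"] = m.group(1)
    return result


def interfering_processes(ps_text: str) -> List[str]:
    """Command names from `ps -eo pid,comm` output that are in INTERFERING."""
    found = []
    for line in ps_text.splitlines()[1:]:  # skip the PID COMMAND header
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1] in INTERFERING:
            found.append(fields[1])
    return found


def monitor_ready(iw_text: str, ps_text: str, iface: str = "mon0") -> List[str]:
    """Return a list of problems; an empty list means the interface is usable."""
    problems = []
    ifaces = parse_iw_dev(iw_text)
    if iface not in ifaces:
        problems.append(f"{iface} does not exist (did airmon-ng start succeed?)")
    elif ifaces[iface]["type"] != "monitor":
        problems.append(f"{iface} is type {ifaces[iface]['type']}, not monitor")
    for name in interfering_processes(ps_text):
        problems.append(f"{name} is running and may change the channel or bring wlan0 up")
    return problems


def run_checks(iface: str = "mon0") -> List[str]:
    """Run the real commands (needs `iw` and `ps` on the box)."""
    iw = subprocess.run(["iw", "dev"], capture_output=True, text=True, check=True).stdout
    ps = subprocess.run(["ps", "-eo", "pid,comm"], capture_output=True, text=True, check=True).stdout
    return monitor_ready(iw, ps, iface)


if __name__ == "__main__":
    for p in run_checks() or ["ok: ready to capture"]:
        print(p)
```

Run it after `airmon-ng start wlan0` and before starting the capture; if it reports dhclient or wpa_supplicant, stop them (as the posts do with `/etc/init.d/networking stop`) and re-run, otherwise your channel hopping will keep being undone.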