Campus WarWalking - How to Get on Any University's Wireless Connection
I have been on quite a few campus' in the U.S., and have, (for the most part) figured out how their wireless security works in most cases. They consist of one of the following, or even possibly both, (I will touch that subject later).
- VPN - This is the most common and the most secure. Generally speaking, the wireless connection itself is open, but revolves around some sort of Cisco Concentrator, or some piece of hardware that governs a VPN to access the gateway. Just as the expression goes, "You can ping, but you can't SSH." - (quoted by me, leetupload).
- MAC Address filtering - One of least common ways of protecting wireless signals. Though, this method is beginning to grow, thanks to website scripts, etc. The way it works is either two ways; One, when MAC address filtering is enabled, one purpose is to keep students out. This way, it is only used for staff on the go, connecting to the open wireless network, and they currently have their MAC address in a database that states that this connection is allowed to connect. TO clarify what a MAC address is, think of it as an IP address, but not necessarily public to the outside. It is a hardware address assigned by your NIC's (network interface card) company/ Such as, my NIC that I am currently using is the onboard Nvidia NIC controller, and the address given here: 00-18-F3-97-2B-FE corresponds to this particular company. Think of it as digitally signing software, except in this case, it is hardware. It is a simple way of identifying your product. To obtain this information in Windows, you would type: ipconfig /all. In Linux, (or the newer versions of Mac) you would type: iwconfig. A MAC address may be used for other things, such as filtering, etc. but I will discuss this a bit later.
- WEP/WPA-PSK - This is much more abundant only in High Schools, (primary schools in general). The reason being that faculty does not wish students to connect and leach bandwidth that is not related to studies. The reason for having this mainly is for using laptops provided by the school to perform in class projects. In this case, the laptops are pre-configured to automatically connect to the secured network. Though, this is the absolute LEAST secure way of doing so, considering the fact that Windows stores the password unencrypted within the registry. Doesn't that make you laugh? So if you are not in secondary school yet, you have it easy.
Now, the methods of attack. We will cover the hardest one first, then work our way down the list. Going through a VPN connection is beginning to fade in the larger more technologically/wirelessly advanced campuses in the U.S. The reason behind it is that it is becoming more and more expensive/difficult to properly and securely route traffic in the larger campuses that have students anywhere from around 10,000 to easily 40,000. But in satellite campuses or smaller schools, VPN is the way to go. If your school only uses VPN as a connection, normally the wireless access point alone is open. Hence the "ping can't SSH" comment made earlier. The only method of attack that I am familiar with in regards to gaining access to a VPN login is the following.
Boot up your Linux distribution in either VMWare, or however. I prefer Backtrack over anything else, great distribution with many tools and very many drivers pre-supported. In my case, I use the D-Link Wireless USB Adapter model: DWL-G122 with the firmware version B1. The programs that are used within this distribution are asleap and ettercap. Keep in mind though, that this is only for PPTP VPN (which is the most common used on campuses).
- Connect to your wireless network that is indeed an open station.
- Execute ettercap.
- Create a new "Sniff" from the easy point and click menu, and then specify the interface you wish to use. In my case, it is rausb0, since I am doing this wirelessly.
- Select "Hosts" and then "Scan for hosts"
- A host list will eventually appear, and then you select your first target IP/MAC address, and thereafter select yet another host, prefferable scroll down the list a bit, then double click it.
- Next, verify that the targets have been added by selecting "Targets > Current targets."
- From there, click Mitm in the menu, then choose ARP Poisoning. You will see a box appear, and check the box that says "Sniff remote connections."
- Now, highlight the first MAC address of host 1 (group 1) and click Mitm > ICMP redirect. In the dialog box, paste the MAC address that you have just copied from group 1, paste it, as well as the IP address tied to it.
- Now, click Start sniffing.
- Open up a konsole to root, and cd Desktop/, (or wherever your word list is located, for me, it is Desktop).
- We will be using "genkeys" to generate the hashed values and an index files for the same from a provided dictionary file entitled "english.txt" for this particular scenario. You can always use your own word lists, or the ones provided by leetupload.com in the database section/Word Lists.
- Type: genkeys -r english.txt -f english.dat -n english.idx (Remember to be consistent with your file names, it will be useful later on).
- Now that that has completed successfully, we now need to setup 'asleap' in live mode. The command is as follows: asleap -i rausb0 -f english.dat -n english.idx -v (What this is doing is the following; -i specifies what device you are using, which in our case is rausb0, and then you specify our newly converted word lists made earlier to be eventually targeted to our unsuspecting VPN user.
- At this moment, we now have to wait for some poor unsuspecting VPN user to connect to the same wireless network we are on. Considering the fact that internet activity occurs quite often (sessions and all) this will not take very long on an active campus.
- Once a session is started, a bunch of HexEdit-esque looking preview will appear, as well as the line stating: 'Captured PPTP exchange information:" as well as the username and password!
- Bingo, there we have it. The time that it takes to decrypt each password varies from situation to situation, but for the most part isn't very long.
Our first method is complete, now onto our other situations. Trust me, it gets much easier. If say we have simply a MAC address authentication, this will be cake. As stated earlier, MAC Address verification situations are either used for strictly "Faculty/Staff only" or an automatic way to verify all laptop/Desktop users on campuses. At IU and other large state universities, they use a script to log and register your MAC address. The way it works is as follows. The wireless connection is open, but when you pull up a browser window, it will automatically connect to a home page asking for your university ID to authenticate the session, then bingo, you're in. What they neglect to tell you is that all they are doing is simply using a script that pulls your current MAC address from your laptop/desktop and binds it to your username/password. Once you type in your network ID and password, first it verifies that you are indeed a registered student with the proper given credentials, from there, since it currently does not recognize this so called 'foreign' MAC address, it will attempt to register it with the database, thus giving the physical laptop connection to the internet without ever having to authenticate again! But let's say we aren't students, and we need to connect. Obviously a MAC address with hardware is supposed to have an ID like a snowflake, (no two are alike, supposedly). Well, since our MAC address on our laptop or what have you is not registered within the database, looks like we need to steal one and spoof it. How are we going to do that you ask? Well, nothing but the finest wireless cracking/sniffing suite of course! Aircrack-ng is the tool of choice for me. Its very efficient, and gets the job done right. Boot into your Backtrack LiveCD as we used earlier in the tutorial, and pull up a root shell. Follow these steps:
- Type: iwconfig. This is used to figure out what wireless device we have, the name, etc. We will call ours, once again, rausb0, to eliminate confusion.
- Next, we need to place our now known device into monitor mode so it can take in all packets/IVS, etc. To perform such a task, type: iwconfig rausb0 mode monitor
- Once we know our device name, we need to start sniffing access points, and what stations (clients) are connected to them. We now need to execute the following: airodump-ng --ivs --write file_name_here --channel 11 rausb0
- To explain the above command, airodump-ng is the binary program, --ivs is what file extension the weak packets should be received in (not necessary to have this command since we aren't decrypting any wireless access points, but I am a creature of habit). The channel is the 'port' per se that the signal is being distributed on, each channel having a different frequency. It just so happens that the majority of U.S. channels are 11 considering the fact that it is well above out of the way of other electronic devices that emit such signals, such as 2.4ghz cordless phones, or what have you. You can leave this command out if you are unsure of what channel your campus uses, but you will be overwhelmed with the response you get in the program. And rausb0 is simply the device we are using.
- Now once all access points are discovered, the BSSID will be displayed, as well as PWR, beacons, etc. What we are looking for consists of what is below that, the BSSID and STATION row. Once a station is found attached to some BSSID, your job is to play a matching game. Just match the BSSID on top to the access point you are trying to circumvent, and match it to the BSSID down below that shows a MAC address attached to it, the station. Bingo! Think of the station MAC address found as being the unencrypted password to connecting freely.
- Now all we need to do is forge this as our own MAC address, and we are in and have bypassed all security! To do so, simply close the program after copying the MAC address (or more; more the better for anonymity, and not to get caught) and execute the following in this order: ifconfig raub0 down
- ifconfig rausb0 hw ether 00:11:22:33:44:55 (The command before just specifies what device to change in terms of the MAC address, and the 00:11:22:33:44:55 is the example address).
- ifconfig rausb0 up
- That's it! Reconnect to the desired location, and you are in! Now keep in mind, everything that is done might be logged, and everything you do will be referred to the user's university ID/network ID. That's why frequently changing your NetBIOS and computer name is very important as well. Also, multiple addresses are good to have to help keep it spread out, and not as obvious. If you wish to browse in windows, to change the MAC address there, the easiest way is to do the following: Find out what your MAC address currently is by typing: ipconfig /all in the command prompt. Copy it, open up run > regedit > click find all > paste MAC address, clicks search. Replace every instance of the address with the new found one, and you are set to go.
All more difficult sort of methods have been covered, and the last one to most somewhat experienced users find the prior to be cake, (which indeed it is). But for newcomers, if you cannot perform this last method, then you're in trouble. :P
The last method is mainly for High Schoolers who wish not to go through the pain of decrypting their school's wireless WPA-PSK encryption and get straight to it. I swear, schools are so stupid when it comes to security. Makes me cry at night. Anyway, since we have these laptops that connect automatically to the so called "secured" wireless network, how else do they have it connect automatically on the login? Of course High Schools are too lazy to make a script that accesses the key on a dedicated database. So what do they do? They login as the Administrator on the local laptop and place the key in so that it connects on login without the end user typing one in. Let's follow these easy steps.
- When the professor grants access to the laptops, login as usual.
- Download this file called WZCOOK. This is a great tool that pulls all BSSID's/SSID's found on your local computer that store WEP/WPA passwords used to connect to the already automatic connection oriented laptop before you.
- It will go ahead and print out the stored password for the connection you are currently on. That's it! Now you may freely use this on any laptop and connect to the network without worry. If you wish to take the longer route and decrypt it yourself, checkout my very first tutorial in the tutorial sections of this site, leetupload.com.
That's it for now. Hopefully you have a better understanding about how wireless security works on campuses or possibly even in the workplace. Have fun, and don't get caught!