Monday, September 26, 2011

OSWP Part 2

I have almost completed the OSWP course.  I have been watching videos, taking notes and practicing the exploits.  I did hit a snag, however, with my Linksys access point.  Apparently, there is an issue with shared key authentication (SKA) on WEP networks.  You cannot create an XOR file while running airodump-ng and de-authenticating a currently associated client with aireplay-ng.  You get a message of "Broken SKA".  It was very frustrating, since I assumed it was my version of Backtrack or possibly my drivers for my ALFA (AWUS036H).  However, I found numerous links about the problem:

http://www.chris-mohan.com/2010/03/wifu-aireplay-ng-ska-attack-problem-with-linksys-wap54g/
http://trac.aircrack-ng.org/ticket/372
http://trac.aircrack-ng.org/ticket/703
http://www.backtrack-linux.org/forums/backtrack-5-experts-section/44327-wifi-ap-wrt45gl-linksys-cisco-broken-ska.html

http://forum.aircrack-ng.org/index.php?PHPSESSID=dd18de1ba952d186cf749d7760f2643e&topic=233;prev_next=next


Of course, cracking WEP by bypassing SKA was one of the last steps of the course.  However, I have another access point that I could use: a Dlink-655.  I set up the new access point with the same ESSID and the same VICTIM, I mean client.  This time I was successful.  As soon as I de-authenticated the client, the XOR file was created.  I could then use the file to execute a fake authentication with the wireless network.  The file was created instantly too.  There must be some bug with either airodump-ng or the Linksys, or possibly the combination of the two is producing this weird behavior.

Anyway, the only thing left in the lab is cracking WPA networks with the dictionary/custom wordlists.  That should be fine.  I also want to use a combination of cewl, crunch and the wordlists from Backtrack 5 R1 in the field.  I wonder what kind of results I would get during a security assessment.

Before I forget, if people are having trouble using profile variables to make the commands shorter, I used the ".bashrc" file.  The /etc/profile was not working for me like the videos illustrated.  I just figured it was my fault since I am using Backtrack 5 R1.  Fortunately, I was able to use the variable $ESSID by adding a line like the following to ".bashrc":
export ESSID=oswpexam