Monday, September 26, 2011

OSWP Part 2

I have almost completed the OSWP course.  I have been watching videos, taking notes and practicing the exploits.  I did hit a snag, however, with my Linksys access point.  Apparently, there is an issue with the shared key authentication of WEP encryption.  You cannot create an XOR file when you are running airodump-ng and executing a de-authentication of a currently associated client using aireplay-ng.  You get a message of "Broken SKA".  It is very frustrating since I assumed it was my version of Backtrack or possibly my drivers for my ALFA (AWUS036H).  However, I found numerous links about the problem:

Of course, cracking WEP by bypassing SKA was one the last steps of the course.  However, I have another access point that I could use: Dlink-655.  I setup the new access point with the same ESSID and the same VICTIM, I mean client.  This time I was successful.  As soon as I de-authenticated the client, the XOR file was created.  I could then use the file to execute a fake authentication with the Wireless network.  The file was created instantly too.  There must be some bug with either airodump-ng or Linksys.  Possibly, it could be a combination that could be producing this weird behavior.  

Anyway, the only thing left in the lab is cracking WPA networks with the dictionary/custom wordlists.  That should be fine.  I also want to use a collaboration of cewl, crunch and the wordlists from Backtrack 5 R1 to use in the field.  I wonder what kind of results I would get during a security assessment.   

Before I forget, if people are having trouble using profile variables to make the commands shorter, I used the ".bashrc" file.  The /etc/profile was not working for me like the videos illustrated.  I just figured it was my fault since I am using Backtrack 5 R1. Fortunately,  I was able to use the variable $ESSID by adding to the file ".bashrc" for example: 
export ESSID=oswpexam