Catchme-NG! WEPGuard
Posted by Trevelyn, Jun 9
Theory…
The project came out of pure theory: "Why can't I make WEP more secure? I have the resources..." WEP is cracked by collecting initialization vectors (IVs), and the fast attacks all boil down to the same thing: you replay a captured packet so that the router answers with a nice, fresh, shiny, new IV. I won't get into what exactly an IV is; you can learn more from Wikipedia or Aircrack-ng.org. Once enough IVs have been gathered, pure math and statistics recover the key: Aircrack-ng scores candidate key bytes with "votes". After being on the offensive side of wifi, I decided to try and stop myself... literally.
What I used was a single box on the LAN with two interfaces: a wireless card that can inject packets in monitor mode, and a wired card plugged straight into the LAN. I set up an extra wired machine to SSH into the box, as it didn't have a monitor.
The whole concept of this application is that a device on the wired LAN listens for ARP packets. An ARP replay attack re-injects the same captured request over and over, and the AP decrypts and bridges every copy onto the wired side, so the replay shows up there as a burst of identical ARP requests. I used tcpdump and set it to listen ONLY for ARP, using something similar to the following:
tcpdump -nne arp -i eth0
There's an awesome, very detailed guide to tcpdump here: Linux-IP.net. I then send the output to a file with a redirect:
tcpdump -nne arp -i eth0 > file.txt
Two things to watch here: tcpdump block-buffers stdout when it isn't a terminal, so add -l (line buffered) or the file stays empty until a few KB of output has accumulated; and if a reader process is going to truncate the file, redirect with >> rather than >, because otherwise tcpdump keeps writing at its old file offset and leaves a run of NUL bytes in front of the new data.
Then I created a process that reads the file and clears it out every 3 seconds. If it sees more than, say, 20 ARP packets in it, you know you have an attacker. Here is a simple Perl script that reads the file and checks for the attacker:
#!/usr/bin/perl -w
use strict;

# Reads file.txt (written by: tcpdump -l -nne arp -i eth0 >> file.txt),
# counts ARP frames, empties the file, and repeats every 3 seconds.
my $logfile   = "file.txt";
my $threshold = 20;                       # more than this per pass = attacker
my $sendmail  = "/usr/sbin/sendmail -t";
my $bssid     = "00:00:00:00:00:00";      # placeholder: your AP's BSSID
my $mon_if    = "mon0";                   # placeholder: monitor-mode interface
my $reply_to  = "Reply-to: wepguard\@example.com\n";   # placeholder addresses
my $subject   = "Subject: WEPGuard: attacker detected\n";
my $send_to   = "To: you\@example.com\n";

while (1) {
    scanner();
    sleep 3;
}

sub scanner {
    my $n = 0;
    my $attk_mac = "";
    open(my $log, '<', $logfile) or return;   # don't die: tcpdump may not have written yet
    while (<$log>) {
        if (/ethertype\sARP/) {
            # tcpdump -nne line: "<time> <src mac> > <dst mac>, ethertype ARP (0x0806), ..."
            my @line = split(/ /, $_);
            $attk_mac = $line[1];
            $n++;
        }
    }
    close($log);
    open(my $trunc, '>', $logfile) and close($trunc);   # empty the file for the next pass
    attack($attk_mac, $n) if $n > $threshold;
}

sub attack {
    my ($attk_mac, $n) = @_;
    open(my $mail, '|-', $sendmail) or die "sendmail: $!";
    print $mail $reply_to, $subject, $send_to;
    print $mail "Content-type: text/plain\n\n";
    print $mail "You have an attacker! $n ARP frames in 3s from MAC: $attk_mac\n";
    close($mail);
    # De-authenticate the offending station (-0 0 = no limit on deauth frames).
    # system() blocks while aireplay-ng runs, so scanning pauses here.
    system("aireplay-ng", "-0", "0", "-a", $bssid, "-c", $attk_mac, $mon_if);
}
# Done.
Now there are some flaws in the code, I'm sure; I just wanted to give the gist of what this exercise is about. That isn't the actual code, just an example written from memory. The actual application wouldn't start DoSing the first MAC address it saw; it's a bit smarter and pushes the MACs into an array. Also, an attacker can spoof his MAC to that of a legitimate client, and then you would be DoSing a legitimate client! If you have a list of whitelisted MAC addresses, you can stop the attack without DoSing the legitimate client. Another option is to flood the air with frames from non-existent MAC addresses, all of which do nothing but hide your legitimate clients. Another is to use MAC filters on your AP. If your AP is Linux based, all of this can run right on the AP (router), and you can even go so far as bringing the router's WLAN interfaces down temporarily.
Even so, this is a security breach, and you have just received an email saying you have an attacker, with the MAC address! What are you going to do now? Obviously go into the lab/work/home and track down the machine or the cause before bringing your network back up.
I tested this whole thing out one day. I brought up the AP with WEP, set up a legit client, and ARP-replayed to get the IVs. The machine attacked me and disassociated and de-authenticated me instantly. That is when I realized that if I added:
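The detection logic described above (count ARP frames per source MAC over a short window, flag whoever crosses the threshold) together with the whitelist check from the paragraph on spoofed MACs, as an added Python example. This is not the WEPGuard code; the tcpdump -nne line shape, the threshold and window, and every MAC and IP address below are assumptions constructed for the demonstration.

```python
"""ARP burst detection on the wired side of the AP, in the spirit of WEPGuard.

Added example, not the author's code.  It parses lines in the shape produced
by `tcpdump -nne arp` (format assumed from tcpdump's usual output), keeps a
per-source-MAC sliding window, and classifies each MAC that crosses the
threshold.  Threshold, window, MACs and IPs below are made up.
"""
import re
from collections import defaultdict, deque

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# "<HH:MM:SS.frac> <src mac> > <dst mac>, ethertype ARP (0x0806), ..."
LINE_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>{MAC})\s+>\s+{MAC},\s+ethertype ARP",
    re.IGNORECASE,
)


def parse_ts(ts: str) -> float:
    """'HH:MM:SS.ffffff' -> seconds since midnight (day wrap not handled)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class ArpBurstDetector:
    """Flag any source MAC sending more than `threshold` ARP frames in `window` seconds."""

    def __init__(self, threshold=20, window=3.0, whitelist=()):
        self.threshold = threshold
        self.window = window
        self.whitelist = {m.lower() for m in whitelist}
        self.recent = defaultdict(deque)   # mac -> timestamps inside the window
        self.last_alert = {}               # mac -> time of the last alert

    def feed(self, line: str):
        """Consume one tcpdump line; return (mac, action) when a MAC crosses the threshold."""
        m = LINE_RE.match(line)
        if not m:
            return None                    # not an ARP line in the expected shape
        mac = m.group("src").lower()
        now = parse_ts(m.group("ts"))
        q = self.recent[mac]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) <= self.threshold:
            return None
        # Re-alert for the same MAC at most once per window, so a long replay
        # does not produce one alert per frame.
        if mac in self.last_alert and now - self.last_alert[mac] < self.window:
            return None
        self.last_alert[mac] = now
        # Deauthing a whitelisted MAC would hit a real client (the attacker may
        # have spoofed it); leave that MAC to arptables / WLAN-down instead.
        action = "whitelisted-no-deauth" if mac in self.whitelist else "deauth"
        return mac, action


def scan(lines, **kw) -> dict:
    """Run the detector over an iterable of lines; return {mac: first action}."""
    det = ArpBurstDetector(**kw)
    verdicts = {}
    for line in lines:
        hit = det.feed(line)
        if hit:
            verdicts.setdefault(hit[0], hit[1])
    return verdicts


# --- constructed sample traffic (not a real capture) --------------------------
def arp_line(t: float, src: str, who_has: str, tell: str) -> str:
    ts = "12:00:%06.3f" % t
    return (f"{ts} {src} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
            f"Request who-has {who_has} tell {tell}, length 28")

LEGIT = "00:11:22:33:44:55"      # a real client, on the whitelist
ROGUE = "00:c0:ca:aa:bb:cc"      # injecting station, not on the whitelist

# Normal traffic plus a replay: the same captured request re-injected 30 times
# in under a second, then a non-ARP line that must be ignored.
SAMPLE = (
    [arp_line(0.5, LEGIT, "192.168.1.1", "192.168.1.50")]
    + [arp_line(1.0 + i * 0.03, ROGUE, "192.168.1.1", "192.168.1.50") for i in range(30)]
    + [arp_line(2.9, LEGIT, "192.168.1.1", "192.168.1.50"),
       "12:00:03.100 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: ..."]
)
# The same replay, but the attacker spoofed the legitimate client's MAC.
SPOOFED = [arp_line(1.0 + i * 0.03, LEGIT, "192.168.1.1", "192.168.1.50") for i in range(30)]

if __name__ == "__main__":
    print(scan(SAMPLE, whitelist=[LEGIT]))    # {'00:c0:ca:aa:bb:cc': 'deauth'}
    print(scan(SPOOFED, whitelist=[LEGIT]))   # {'00:11:22:33:44:55': 'whitelisted-no-deauth'}
```

To use it against the live file, feed it the tail of the tcpdump output line by line instead of SAMPLE; the per-MAC window replaces the "clear the file every 3 seconds" step, and the alert-once-per-window rule is what keeps a sustained replay from triggering a deauth for every frame.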
aireplay-ng -1 999 -q 10 ...
to the aireplay-ng command, I could re-authenticate with "keep alive" packets. That is when I added the -0 (go forever) to the de-authentication command at the beginning of this paper. You can only go so far, though. Once the attacker realizes that he/she has been made, they would probably leave. You can visually inspect the area around the lab/work/home, call the authorities, etc.
I don’t give up…
I think I have found a solution: temporarily drop ARP from any MAC address that starts broadcast-flooding, using arptables. This is a temporary fix and should give you enough time to secure your WLAN until the attacker gives up or leaves!
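A small manager for that temporary arptables block, as an added Python example that is not part of WEPGuard. It adds a DROP rule for a flagged MAC, removes it again after a TTL, refuses to block whitelisted clients, and validates each MAC before it reaches a subprocess (the Perl script above interpolates the MAC straight into a shell string). The arptables invocation `arptables -A INPUT --source-mac <mac> -j DROP` is assumed from the arptables man page; on an AP that bridges WLAN to LAN the chain would be FORWARD rather than INPUT. The TTL and MACs are made up, and dry-run mode only records the commands so the example runs anywhere.

```python
"""Temporary ARP drop rules for flagged MACs, with automatic expiry.

Added example, not WEPGuard code.  Assumes the arptables command line
`arptables -A <chain> --source-mac <mac> -j DROP` (and `-D` to delete).
"""
import re
import subprocess

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


class TempArpBlock:
    def __init__(self, ttl=300, whitelist=(), chain="INPUT", dry_run=False):
        self.ttl = ttl                               # seconds a block lasts
        self.whitelist = {m.lower() for m in whitelist}
        self.chain = chain                           # INPUT on a LAN host, FORWARD on a bridging AP
        self.dry_run = dry_run
        self.active = {}                             # mac -> expiry time
        self.issued = []                             # argv lists, in order (audit / dry run)

    def _rule(self, op, mac):
        return ["arptables", op, self.chain, "--source-mac", mac, "-j", "DROP"]

    def _run(self, argv):
        self.issued.append(argv)
        if not self.dry_run:
            subprocess.run(argv, check=True)         # argv list: no shell, no injection

    def block(self, mac, now):
        """Drop ARP from `mac` until now + ttl.  Returns True if a rule was added."""
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
        if mac in self.whitelist:
            return False                             # never cut off a known client
        if mac in self.active:
            self.active[mac] = now + self.ttl        # extend; do not add a duplicate rule
            return False
        self._run(self._rule("-A", mac))
        self.active[mac] = now + self.ttl
        return True

    def expire(self, now):
        """Remove rules whose ttl has passed; returns the MACs released."""
        released = [m for m, t in self.active.items() if t <= now]
        for mac in released:
            self._run(self._rule("-D", mac))
            del self.active[mac]
        return released


if __name__ == "__main__":
    # Constructed walk-through: block a rogue MAC for 10 s, refuse the whitelisted one.
    b = TempArpBlock(ttl=10, whitelist=["00:11:22:33:44:55"], dry_run=True)
    print(b.block("00:c0:ca:aa:bb:cc", now=100))     # True
    print(b.block("00:11:22:33:44:55", now=100))     # False
    print(b.expire(now=110))                          # ['00:c0:ca:aa:bb:cc']
    for argv in b.issued:
        print(" ".join(argv))
```

Call `expire()` from the same 3-second loop that runs the detector; with `dry_run=False` the process needs root (or CAP_NET_ADMIN) for arptables to succeed.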
Extra steps…
Flood the air to obfuscate where your real clients are; MAC filters; a DHCP server with a finite pool of addresses (all in use: 3 machines, 3 IPs, and that's it); the WEPGuard; a hidden ESSID; HTTPS for the router configuration; arptables to drop ARP from the $ATTK_MAC addresses; react swiftly to the emergency email sent out by the WEPGuard; know who to call in case a wireless penetration attempt is detected; and stay cool.
~Douglas.