How to Hack a WPA Wireless Network (Wifi) using Aircrack-ng and John the Ripper

Here is a video tutorial I created showing how easy it is to hack a wireless network using WPA keys for their security. It's a short 12 minute video and I hope you find it not only instructional, but also liberating. After all, informed people make the best decisions.

John the Ripper (JtR) cracks passwords offline. That is, "incorrect number of passwords entered limit" does not affect  JtR. As you can see in the video, using aireplay-ng, fake deauthentication packets were injected to the wireless access point  to force all users to reauthenticate (without them knowing it). During reauthentication, the WPA keys are exchanged between the client and the wireless access point. This exchange was recorded into a file "wificrack.cap" and the hashed PSK (Pre-Shared Key) was then cracked using JtR.  In the video, you can also see that the output file of airodump-ng can be opened using Wireshark. Opening the cap file with Wireshark reveals a lot of information about the clients connected to the wireless access point. For instance, we know the wireless AP is a Cisco-Li (Cisco-Linksys), and the WPA handshake captured was from an Apple device. The MAC address is even shown!

How to configure TFTP Server in your Linux Machine (Debian), and how to solve Permission Denied Error (Error Code 2)

I personally use a Virtualized Kali Linux in my Windows 7 machine to do a lot of things. Primarily to do IT security analysis and research for the companies I work with. But mostly, I find maintaining a Linux machine in an image comes in handy for a lot of things: I can use the Kali/Linux machine as an tftp/scp server to backup devices;

So suppose you want to copy startup-config files from your Cisco to your laptop running a virtual machine of  Kali Linux, (Debian). Let us suppose further that your Cisco router/switch cannot do SSH otherwise, we'll just use scp which is safer, and does not need any further special configuration for Linux devices.

Here's how to do it:  

1. Make sure you have the Virtual Machine in Bridged Adapter to your WIndows 7 machine's ethernet adapter. I'm using virtual box so in my case, I have to create a bridged adapter first. In Virtuabox (not in the Guest OS or Virtual Machine's Window) click File >> preferences >> Network. Then under tha tabe Bridged Adapters, create at least one adapter. 
             

           Then , in your Guest / Virtual Machine, click Machine >> Settings >> Network >> choose bridged (not NAT). After which, you need to do an ifdown eth0 and ifup eth0 inside your Kali / Linux OS console.

** Bridging will not work when you hav eport-security configured in the switchport where the computer is plugged. This is the case in most enterprise networks. If you are doing this inside your office and you are not getting a DHCP IP address, you better ask your network engineer/corporate IT if port-security is enabled.

Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 1

note: Screenshots and configuration examples are using a Cisco 2500 series WLAN controller (aka WLC). The Cisco 2500 series controller is connected to a cisco 3750 or 3650 L3 switch. This article assumes that inter-VLAN routing is already working and only the WLAN controller needs to be configured. 

Usually, enterprise networks are on multiple VLAN environment. The Wifi access points provide access to each of these different VLANs by broadcasting different SSIDs attached to different WLAN profiles. Let's say we want to configure our WLAN controller to broadcast two SSIDs namely:

1. GUEST on VLAN 5 (10.8.5.0/24);
2. IT-Department on VLAN 13 (10.8.6.0/24);

Also, let's assume VLAN 219 is pre-configured with the following information:

1. VLAN 219 is NETWORK-VLAN @10.8.219.0/24)
2. interface vlan 219 IP address is 10.8.219.1
3. a DHCP server located in VLAN 219 with IP address 10.8.219.50/24.
4. WLAN controller will be configured with IP address 10.8.219.251 in VLAN 219
5. the Access Points (APs) 10.8.219.248-250, also in VLAN 219.

There are two parts to this task. First is the VLAN configuration required in our 3750/3650 layer 3 switch which will be discussed in this article. Part 2 is configuring our WLAN controller with the WLAN profiles, SSID, and interfaces. For brevity, I will skip discussion on inter-VLAN configuration and assume that that the network converges, and inter-VLAN routing is configured properly.

Part 1: Configure the 3750/3650 layer 3

1. Configure the port interface in our L3 switch as a trunk:


  interface GigabitEthernet1/0/23
   description *** LINK TO WIRELESS-CONTROLER ***
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 5, 13
   switchport mode trunk
   !The next commands are optional
   switchport trunk native vlan 219
   udld port aggressive

• "switchport trunk allowed VLAN <ID>"  command explicitly defines what VLANs are only allowed in the interface. In this case, only VLANs 5 (Guest) and 13 (IT-Department) are allowed.  This can be optional but I would recommend you do this to minimize broadcasts traversing through the trunk. 
• "switchport trunk native vlan <ID>" command changes the native VLAN. By default, the Native VLAN is 1. But this is already expected so we change it. The native VLAN is where all vlan traffic converges and traverses. This command is optional. 
• "udld port aggressive" is an optional configuration. It detects if the link is  uni-directional and adjusts accordingly to avoid spanning-tree loops. All ports should support UDLD aggressive mode in order to work.  

Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 2

This is part 2/2 of the series.  Part 1 discussed the assumptions and the required layer 3 switch configurations. Please read part 1 prior to reading part 2 You can view part 1 here.
======================================================================
 note: Screenshots and configuration examples are using a Cisco 2500 series WLAN controller (aka WLC). The Cisco 2500 series controller is connected to a cisco 3750 or 3650 L3 switch. This article assumes that inter-VLAN routing is already working and only the WLAN controller needs to be configured.


======================================================================
IMPORTANT REMINDER: before you do all the configuration, note that the LWAPP image version cannot be higher than that of the WLAN controller. a quick "show version" command on both the WLC and the LWAPP will save you all the time and effort. 


From LWAPP: the default username is "Cisco" and password is "Cisco": 

output of show version: 

cisco AIR-CAP702I-F-K9 (MIPS74k) processor (revision 01) with 73728K/57344K bytes of memory.
Processor board ID KWC184402C5
MIPS74k CPU at 40Mhz, revision number 0x0000
Last reset from power-on
LWAPP image version 7.5.1.33
1 Gigabit Ethernet interface

AIR-CAP means this is a Lightweight Access Point (aka a Controller-based Access Point). If it says AIR-WAP, then this is not a controller-based access point and will therefore not associate to the Controller. 

From the Controller:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.4.121.0

Bootloader Version............................... 1.0.20

Field Recovery Image Version..................... 1.0.0

Firmware Version................................. PIC 16.0

In this case, configuring the WLAN controller and the LWAPP will not work. the LWAPP will not associate. We will need to either downgrade the image of the LWAPP, or upgrade the image of the WLAN Controller. 

=======================================================================

Part 2: Configure the WLAN Controller

In the first part, we discussed the Layer 3 switch configuration requirements. In case you missed it, please read the first part of this article here: Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 1

As usual, the first thing to do is plug the WLAN Controller's port 1 to the trunk-configured port in the L3 switch (discussed in part 1). Port 1 is the green colored portin the figure below.

The other 3 ports will be connected to your APs (Access Points).  For brevity, we will not discuss configuring licenses and upgrading firmware in this article.

Do VLANs Unduly Complicate the Network?

Simplifying the IT infrastructure is among the top priorities of IT executives. Various surveys claiming CIOs are beginning to embrace Software as a Service (SAAS) models is actually proof that simplification of the infrastructure is a key objective. The more complicated the IT infrastructure becomes, the more expensive it is to maintain it. It also will take significantly longer person-hours to fulfill change requests.

As an IT manager, simplifiying my IT support structure is also one of my key goals. One of the most common discussion points regarding this subject is the number of VLANs required for a branch office; or, if VLANs are ever needed in the branch office network design.

My answer is always 'yes'. Surprisingly, I often find myself defending that position.

How to Access Skype Chat History of Another Person or PC.

Internet messengers (IM) indeed made the world smaller, and skype is undoubtedly the major contributor to this phenomena. 

Skype is simple to use, and hard to block. With skype, you can do free calls and videoconferencing; share your desktop; and, share files such as documents and photos with any other skype users anywhere. Skype has the ability to use any available open port to communicate to the internet which made it a bane for traditional port-based firewalls to block (a headache for most network engineers).

But is skype safe? 

Practical SSH Tunneling: Using Putty to Bypass Web Filters and Firewalls

About SSH v.2 and SSH tunneling

SSH (Secure Shell) was an Internet Task Force (IETF) protocol for encrypting traffic to access a remote host. SSH v2 standard came out in 2006 and is incompatible with SSH v.1.  Version 2 uses Diffie-Hellman (DH) key exchanges to create a tunnel between a client and a server. Thus, SSH works very similary like a VPN and was, in fact, called a poor man's VPN. SSH has lower levels of security and encryption than VPN. Apart from that, I don't really know the exact difference between an SSH tunnel and a VPN and if you happen to do, please feel free to post a comment or link to your blog/article that explains SSH versus VPN.

SSH v.2 is both a boon and a bane for network engineers. I've been using SSH v.2 to do a myriad of things, some of which to purposely circumvent network policies that would normally disallow people to access other parts of the network. For this article, we will use SSH tunneling to bypass corporate firewall and webfiltering. This is possible using any Web Socket capable browser such as Mozilla Firefox and Opera (I've heard  Google Chrome will support it soon).

Interconnecting Different Sites Using VPN Hairpinning with Cisco ASA Sample Configuration

This is  my first post in my newly created blog and I thought of sharing a project I did back in 2007. I was then working for a Danish company  who have offices, and clients, in  North America, South America, Europe, Asia, and Africa (North and East Africa to be more specific). 

The problem was how to interconnect all our offices and clients in these 5 continents fast, and inexpensively. We had support centers in Denmark, US and the Philippines and all our support personnel, and subject matter experts need to have access to the company's servers and systems deployed inside client's data centers scattered worldwide. We need to be able to SSH the servers; access the web and databases of the system; and, access server iLO (HP servers' integrated lights out) and KVMs. The inexpensive and fast, yet secure solution, is VPN. 

VPN is fast to deploy, is secure, and -- as most finance directors would like -- inexpensive. Do note that VPN is not the best solution when involving latency-sensitive traffic such as VoIP, and videoconferencing. For brevity, I did not include all other ASA configurations such as hostname, domain, and Firewalls. We will only show the VPN configurations and other relevant configuration lines.  

The Scenario: 

A certain Company ‘A’ has a Regional Office Headquarters (RoHQ) in Singapore that needs to access servers and systems deployed to a client in the US. Company ‘A’ has a  contact and support center in the Philippines who also needs to access the system deployed in our US-based client. As is the usual case, both companies agreed that their respective networks should be NAT-ed to a public IP address.