WEP & WPA Cracking - Test Your Security


Disclaimer/Things to Remember

Before you read this, there are a few things you should remember:

  • Using any of the techniques in this article, other than in a licensed penetration test, or in your own network, is illegal in the majority of countries, and immoral in all of them, and as such, shouldn't be used other than in the aforementioned circumstances
  • This information is presented first and foremost so that you can know where the vulnerabilities are on your network, and therefore protect yourself, but also so that you can better perform a penetration test. Use this information wisely, and for these two purposes only
  • If you agree to these points, and understand them, then read on...

 

What you will learn...

  • What WEP/WPA are
  • How the Aircrack program works
  • How to do a WEP Crack
  • How to do a WPA Dictionary Attack
  • Advanced wireless cracking techniques such as chopchop and Fragmentation attacks
  • How to use this information to configure the wireless card to access the network

What you should know...

  • Basic knowledge of networks and wireless networks is beneficial
  • Basic knowledge of the Linux operating system and Bash console is beneficial
  • This article will focus on the use of Aircrack with the BackTrack Linux distro, so possession of a copy of this live CD would be beneficial. It is available at http://www.offensive-security.com/

What are WEP and WPA?

WEP:

WEP stands for 'Wired Equivalent Privacy' (sometimes expanded as 'Wireless Encryption Protocol') and is used to secure 802.11 standard wireless networks. It was developed to bring a certain level of confidentiality to wireless networks, as opposed to the openness of wired networks. However, it was soon discovered that WEP could be cracked in as little as a few minutes with the tools outlined later in this article (and others like them). WEP was officially recognised as an encryption standard in September 1999. It uses the RC4 stream cipher for encryption (simple in design and use, but falling short of cryptographic standards for confidentiality), and a CRC-32 checksum to check the integrity of packets. There are two major key lengths used in WEP:

  • 64-bit WEP (a 40-bit key combined with a 24-bit Initialisation Vector (IV) to form the 64-bit RC4 key)
  • 128-bit WEP (a 104-bit key with a 24-bit IV)

The IVs are what is needed for cracking WEP, and these are captured with Airodump-NG (documented later in the article). IV stands for 'Initialization Vector' and is a 3-byte vector attached to each packet. This is used in authentication of the client with the access point, and contains the wireless key. So if we aim to capture as many of these as we can, then the time needed to crack the WEP key is drastically reduced, as we have already been given bits and pieces of it from these IVs. For a 64-bit key crack, you need about 250,000 IVs, and for a 128-bit key, you generally need around 1,500,000 IVs. This can take anywhere from a few minutes to a few hours to collect; however, the good news is that Aircrack-NG (the cracking program) can be run at the same time as the capture is in progress.
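
The following added example (not from the article or the Aircrack-ng project) shows in plain Python why the IV count matters: each WEP frame is encrypted with RC4 keyed by the 3-byte IV followed by the secret key (the 24 + 40 or 24 + 104 bits listed above), the IV travels in the clear, and with only 2^24 possible IVs a busy network is bound to repeat one, at which point two frames share a keystream. The secret key, IVs and frame contents below are constructed sample values, and the CRC-32 ICV that WEP appends to each frame is omitted.

```python
"""Why WEP's 24-bit IV is too small (added illustration, not article code).

Each WEP frame is encrypted with RC4 keyed by IV || secret key, where the
IV is 3 bytes (24 bits) sent in the clear and the secret key is 5 bytes
(64-bit WEP) or 13 bytes (128-bit WEP).  Two frames under the same IV use
the same keystream, so XOR-ing their ciphertexts cancels the keystream and
leaves the XOR of the plaintexts.  All keys, IVs and frames here are
constructed sample values; WEP's CRC-32 ICV is omitted for brevity.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA), then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt one frame body: clear-text IV, then RC4(IV || key, payload)."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 40 or 104 bits")
    return iv + rc4(iv + wep_key, payload)


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """For two captured frames that reuse an IV, recover plaintext_a XOR
    plaintext_b without the key: the shared keystream cancels out."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, so different keystreams")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def frames_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Smallest number of frames with uniformly random IVs at which the chance
    of at least one repeated IV reaches `probability` (exact birthday bound)."""
    space = 1 << iv_bits
    no_repeat = 1.0
    frames = 1
    while no_repeat > 1.0 - probability:
        no_repeat *= 1.0 - frames / space
        frames += 1
    return frames


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")               # constructed IV, reused below
    a = wep_encrypt(key, iv, b"GET /index.html")
    b = wep_encrypt(key, iv, b"second payload!")
    print("plaintext XOR leaked by IV reuse:", xor_of_plaintexts(a, b).hex())
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat())
```
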
For WEP, there are two different methods of authentication:

  • Open System
  • Shared Key

In Open System authentication, the client does not need to provide any form of credentials (the WEP key) to the Access Point (AP) during authentication and association (connecting to the AP). However, once connected, the WEP key is required to use the AP. Open System authentication makes it easier and faster to capture IVs using various injection methods; however, Shared Key authentication can be cracked quicker in some cases, because the WEP key can be captured and decrypted from the four-way handshake.
In Shared Key authentication, the WEP key is used during the authentication itself, in what is called a 'four-way challenge-response handshake'. This consists of:

  • the client sends a request for authentication to the AP,
  • the AP sends back a challenge in clear-text,
  • the client then has to send this clear-text back, encrypted with the WEP key, in a second authentication request,
  • the AP decrypts it, compares the received text with what it sent, and decides whether or not to associate with the client

WPA:

Wi-Fi Protected Access (comprising WPA and WPA2) was brought in as the solution to WEP's security vulnerabilities, and as of March 13 2006, it is the standard (WPA2) that all wireless devices need to include as an option in order to be 'Wi-Fi Certified'. WPA was created by the Wi-Fi Alliance, the group that owns the 'Wi-Fi' trademark. WPA is designed to distribute a different key to every user; however, a more vulnerable 'Pre-Shared Key' (PSK) option is available, where every user has the same pass-phrase. This is practical for homes and small businesses who cannot afford the cost of an 802.11 authentication server. PSK keys consist of either 8 to 63 ASCII characters, or 64 hexadecimal digits. Currently, the only way to crack PSK is to employ a dictionary-based attack (documented later in the article). Data in WPA is also encrypted with the RC4 stream cipher (same as WEP), using a 128-bit key and a 48-bit IV. WPA prevents replay attacks via the use of a MIC (Message Integrity Code) – a secure message authentication code that prevents alteration of a payload's integrity.

 

So How Does Aircrack Work?

Aircrack-NG is the component of the Aircrack-ng suite that actually cracks the pre-captured IVs (explained in depth later). Aircrack-ng is able to crack WEP keys and WPA/WPA2 PSKs.

How does it crack WEP?

Once enough packets have been captured with Airodump-ng, Aircrack-ng can crack a WEP key using one of two methods. Airodump-ng is a program that sniffs all the wireless traffic in the air around it and captures it to a file that you specify, for use in cracking later. The two cracking methods Aircrack-ng can employ are PTW (which requires very few packets to obtain the key, but can only be used in a more restricted set of situations) and FMS/KoreK, which combines a statistical procedure with a brute-force attack to crack the key. A dictionary method is also available for WEP, but this is mainly used for WPA.

Who wrote Aircrack?

Aircrack was developed by Thomas d'Otreppe, an IT consultant for the company 'Pulsar Consulting'. Thomas studied networking at the 'Haute Ecole de Bruxelles' for a period of three years, and in July 2006, moved on to his current position at Pulsar Consulting – a Belgian business in Brussels, Belgium. Thomas is a proficient coder in many languages, including Java, C++, VB .NET, PHP and Pascal (amongst others).

PTW Method:

A 2005 paper by Andreas Klein (available at http://cage.ugent.be/~klein/RC4/RC4-en.ps) detailed many more relations between the RC4 keystream and the key than had been found by Fluhrer, Mantin and Shamir (whose work underlies the FMS/KoreK method employed by Aircrack-ng). The PTW method applies Klein's findings to a WEP key attack, and is essentially an enhanced version of the FMS/KoreK method. One of its main drawbacks is that it can only be used with ARP request and reply packets, and not with other traffic.

FMS/KoreK Method:

(More information is available in the following paper: http://wiki-files.aircrack-ng.org/doc/using_FMS_attack.pdf)
This method uses a combination of statistical analysis and brute-force attacks. Certain captured IVs effectively leak part of the WEP key for certain key bytes. By handling each byte of the key individually, it becomes more likely that a suitable IV has been captured for each key byte, and when one has, the probability of guessing that byte correctly rises dramatically, to as much as fifteen percent. Using the statistical method, a series of votes is collected for the probability that each candidate value is the correct byte of the WEP key. Each of the different attacks assigns a different probability to a particular byte being correct, because of the different mathematical variabilities in each method. These votes are collected, a small number of likely keys is generated, and these are then tested by brute force to determine which key is correct. In Aircrack-ng, each leaked key byte is displayed with its number of votes in the format byte(votes), for example A5 (145), as in the following screenshot.
Figure 1. A screenshot showing the keybyte, depth, and votes display in Aircrack-NG

In effect, Aircrack uses maths to find the probability of a key being correct, and then a short brute-forcing session to determine whether it is. Obviously, with more data you are more likely to have the correct key. However, if time is not an issue and the key is not found using the standard values, another factor that can be changed is the “fudge factor”. This tells Aircrack how broadly to brute-force. For example, by default Aircrack searches between the values of 0 and 2 for the initial fudge factor, whereas if you set the fudge factor to a higher value (an option in your attack), Aircrack would search between, say, 0 and 5 or 0 and 10. This will obviously take a lot longer, but it is more likely to find a key that was not found before. With a fudge factor of two, every candidate value with at least half as many votes as the most popular byte is kept, and those candidates are then brute-forced to check whether they are correct. The amount by which you increase the fudge factor is directly proportional to the time and CPU power required to brute-force the key.

For dictionary attacks, the dictionary must consist of ASCII or hexadecimal keys, and not both at the same time. WPA is only cracked via the use of dictionary attacks, and the better the word list, the more likely you are to crack long or complicated WPA keys.

 

How To Use BackTrack

BackTrack is a Linux live-CD distribution which came into existence through the merging of the WHAX security auditing distro and Auditor, another Linux distro whose main focus was security. BackTrack is based upon SLAX, and as such it is highly customisable for the experienced user. For the less experienced, it comes with literally hundreds of tools pre-installed and ready to use, as well as pre-patched drivers, so things like wireless cracking will work with most cards straight away (as long as the cards support raw packet injection). BackTrack's main focus is also security auditing, and it has been ranked as the #1 Linux distribution by Insecure.org (the home of Nmap, a popular port scanning tool). Using BackTrack is a basic procedure for the many people who have used Linux live CDs before, but not everyone has done so, so I will guide you through it. First of all, head over to http://www.remote-exploit.org/backtrack_download.html and click on a link to download the ISO. For those of you who have never seen an ISO before, it is an image (a copy) of an entire CD in a single file, and can be burnt onto a CD. The trick with burning ISOs is not to burn the ISO itself to the disc as a data file, but rather the contents of that ISO. There are two ways of doing so. One is to extract the contents of the ISO with WinRAR and then burn the extracted files to the root of the CD. The other is to get a program like Nero or UltraISO and click on the option to “Burn ISO to Disc” or “Burn image to Disc”. Most CD burning programs have this option, as well as instructions on how to use it, so I won't detail this step any further. Once the image has been burned to the disc, you will need to boot off this CD. To do this, one of two things must be done.
You must either go into your computer's BIOS settings (the computer will usually tell you which key to press to do this [most commonly “Delete”, “F8” or “F10”]; this must be done while the computer is still booting up, and the prompt usually appears within a few seconds of pressing the power button) and change the boot order so that the CD drive comes before the hard drive (detailed instructions are available in your motherboard manual), or, on some newer laptops and PCs that offer an option to select a boot device on startup (e.g. “Press F10 to go to Boot Menu”), select to boot from the CD drive. Once this has been done successfully, a prompt will be displayed as “boot:” (without the quotes). At this point, just press Enter and wait for everything to load. When everything has finished loading you will be prompted to log in. The username is “root” and the password is “toor”. Once you have typed these in, type “startx” and press Enter. This will load the desktop, and you are ready to go. One problem that may be encountered on newer computers with SATA drives is an inability to boot; in this case, copy the “BT” folder off the CD to the C drive of the main computer. This should solve that problem. Any other issues can be sorted out by visiting http://www.backtrack-linux.org/forums/
Figure 2. The BackTrack Desktop

 

Choosing the Right Wi-Fi Card

As you will be aware, there are a lot of wireless cards on the market, but only those which support raw packet injection and monitor mode can be used for wireless cracking. All cards need to be patched with the MadWifi card drivers (how to tell if your card is compatible: http://www.aircrack-ng.org/doku.php?id=compatible_cards ). A list of compatible cards is available at http://www.aircrack-ng.org/doku.php?id=compatibility_drivers&s=patching%... , the MadWifi drivers are available at http://madwifi.org/wiki/UserDocs/GettingMadwifi , and patching instructions are available at http://madwifi.org/wiki/UserDocs/FirstTimeHowTo . However, BackTrack comes with all cards already patched, so that you only have to worry about compatibility (which is much better for work on the fly), and this is why I prefer to use BackTrack.

 

How To Do A Basic WEP Crack with Aircrack (with and without a client)

This section of the article demonstrates how to crack a WEP key with the Aircrack suite, and assumes the following:

  • you are using the BackTrack Linux distro, which has wireless card drivers already patched for injection. If you are not, consider patching your drivers with the MadWifi drivers. These are available from http://www.madwifi.net/ (as explained just before)
  • you are close enough to the access point to be able to send and receive packets. If you are too close, though, you will flood your wireless card and no packets will be decipherable. It is preferable to be no closer than 2 metres to the AP. If you were any closer, you might as well just use Ethernet cabling
  • you are using the latest version of aircrack-ng. I will explain how to install this in a moment
  • the name of your device is ath0. This will need to be changed according to your device name, though this is generally standard for most wireless cards
  • all commands are run as root, which is standard in BackTrack; in other distros this can also be accomplished with the “sudo” command

The following is a list of the information used in this section:

  • MAC address of the pc running aircrack-ng, which is in this case, 00:13:46:74:03:F5
  • BSSID, which is the MAC address of the access point - 00:11:50:51:FD:DC
  • ESSID, the nickname given to the wireless network, in this case – DOVER
  • Client MAC address (computer attached to the network), in this case 00:17:AB:4B:53:C7
  • AP channel – we're using channel 1, but the standard is channel 9
  • the wireless interface name – ath0

The first thing we need to do is have the latest version of the aircrack-ng source code on a flash drive or hard disk so that we can install it in the live system. Although the version on the live CD will work for what we are going to do, it is faster and more reliable with the latest version. This can be obtained from http://download.aircrack-ng.org/aircrack-ng-0.9.1.tar.gz (this is the latest stable version; you can use the development version at your own risk if you wish). Copy or download this to the BackTrack desktop, open a console session and type the following (remembering to exclude everything before the #):
bt ~ # cd Desktop/
bt Desktop # tar xfz aircrack-ng-0.9.1.tar.gz
bt Desktop # cd aircrack-ng-0.9.1
bt aircrack-ng-0.9.1 # make
bt aircrack-ng-0.9.1 # make install
bt aircrack-ng-0.9.1 # cd ..
bt Desktop # rm -r aircrack-ng-0.9.1.tar.gz aircrack-ng-0.9.1

The last command removes the archive and the extracted source from the desktop; this can also be done manually using the delete button.

Once this is done, you should have the latest version of aircrack-ng installed. This is what we will be using, but first a little theory about what we are going to do. The first type of security we are going to crack is a WEP-encrypted network, the weaker of the two main types of encryption. Our situation is a home network with a computer already attached to the network (also known as a client). If a client is attached, you will often just have to start the network traffic dumper (airodump-ng) and sit back until it has collected enough IVs; however, this isn't always the case, so we will also trick the access point into thinking we are already part of the network, and then bounce traffic off it to capture more packets (remembering that the more packets we capture, the higher our chance of getting the WEP key).

To do this, we have to set the wireless card into a special monitor mode on the specific channel of the wireless network we are trying to crack. This allows us to intercept all data travelling through the air on that channel (and having it monitor just one channel speeds up the capture process immensely). We then use a program called airodump-ng (part of the previously installed aircrack-ng suite) to capture all this traffic to a file, which we will use later. I will also demonstrate a second, alternative method to use if you have no clients attached to the network. We will then use a program (also part of the suite) called aireplay-ng to trick the AP into thinking we are part of the network (called fake authentication), and also use it to inject packets into the network in something called ARP request-replay mode (which generates more traffic, which means more packets and more IVs, which are what we want). The final step (and the simplest) is the actual cracking of the key (using aircrack-ng).

Everything explained here is the same process that was used in the video included on the disc that came with this magazine. I will now explain how we do all this, step by step. All the MAC addresses and other variables used are listed above, so where you see them, just substitute your equivalents.

Once you have booted from BackTrack (or whatever distro you are using), and are on the desktop, open up a terminal session (the command line prompt for linux). Enter in the command:
bt ~ # iwconfig

This will show us all the available network interfaces on the laptop or PC being used. Generally, it will include 'lo', the loopback interface (local – 127.0.0.1), 'eth0', your Ethernet connection, and in this case 'wifi0' and 'ath0', the wireless interfaces (on the ath0 interface it will say 'Access point: FF:FF:FF:FF:FF:FF' – this is not actually the MAC address of the AP, it is instead your local MAC address, so take note of what it says).
Figure 3. Iwconfig window

Once this is done, and in the same window, we will need to proceed to stop the wireless interface (ath0) so that we can start it with the special drivers and monitor mode needed. We do this by typing
bt ~ # airmon-ng stop ath0
bt ~ # airmon-ng start wifi0

We have just stopped the ath0 interface, and then started it with the special MadWifi drivers (by starting wifi0 instead of ath0 – this is important to do). At the moment, we have started it monitoring on every channel, because at this stage we do not know what networks are around us. To find out what networks there are, we need to open a new console and start airodump-ng. We do this by typing the following
bt ~ # airodump-ng -w test ath0

The -w test option tells it to write the capture to a file named test, via the interface 'ath0'. We should now see a window similar to the following, which displays all the networks in the surrounding area whose traffic the card can see.
Figure 4. Airodump displaying all local networks

You will see a number of different columns in this window. The BSSID column contains the MAC address of each available AP. The PWR column is an indication of the power of the signal you are receiving; the stronger it is, the better, for faster traffic etc. Beacons is an indication of the amount of traffic travelling by. #Data is what we need to pay attention to – this is the number of IVs you have captured. #/s is also important, as it indicates how many IVs per second you are capturing. CH is the channel the network is on. MB is the speed of the network (in MB/s). ENC, CIPHER and AUTH all relate to the encryption method, and ESSID is the nickname of that network.

From this window, note down (on a piece of paper or in a separate text file) the BSSID of the AP you wish to gain access to and its ESSID, and remember what channel it is on. You can now stop airodump-ng by pressing 'Ctrl+C' (this stops any current terminal operation). In the bottom half of the window, you will notice a few different, but somewhat similar, columns. Station is the MAC address of a client in the network, and BSSID is the MAC of the access point it is connected to. PWR is the signal strength between the client and your computer. Packets is the number of packets the client has sent to the AP, and Probes is the ESSID of the network it is connected to.

Now that we know what channel the network is on, we need to head back to the original console session in which we ran the 'iwconfig' and 'airmon-ng' commands. Once there, type
bt ~ # airmon-ng stop ath0
bt ~ # airmon-ng start wifi0 1

This starts wifi0 monitoring on channel 1. Re-enter iwconfig command just to check everything looks ok, and then head over to the previous airodump-ng console session, and enter in
bt ~ # airodump-ng -c 1 -w output ath0

Which will start ath0 monitoring on channel 1, and dumping to the file 'output.cap'. Leave this running for now. You may or may not see any activity. We now need to do a fake authentication with this AP (trick it into thinking we are part of the network already, so that it will send us traffic). This is done by typing
bt ~ # aireplay-ng -1 0 -e DOVER -a 00:11:50:51:FD:DC -h 00:13:46:74:03:F5 ath0

Where -1 0 tells it to do a fake authentication with a re-association timing of 0 seconds (this can be configured to personal taste). If you are feeling experimental, instead of -1 you can use -0, which will tell it to disassociate all attached clients, forcing them to reconnect and send data, which will generate IVs; you will have to change the timing interval to suit, though. DOVER is the ESSID of the AP (defined by the -e option). -a 00:11:50:51:FD:DC is the AP's MAC address, -h 00:13:46:74:03:F5 is our local MAC address, and ath0 is obviously the interface. We are basically providing the program with all the information it needs to do its fake authentication. A successful authentication should say 'Authentication Successful :-)' (yes – that includes the smiley face). Now we can go one of two ways: client attached, or client not attached. They are as follows:

 

The following section is what to do when you have a client attached:

If you have no clients attached, or this method does not work for you, skip to the next section.
We now need to set aireplay-ng to generate some ARP requests for us. Aireplay-ng will listen for ARP packets on the network, capture them, and re-inject them into the network; the AP will re-broadcast them, causing many more IVs to be generated. By doing this, we should see the '#/s' rate in airodump-ng increase quite drastically. Enter
bt ~ # aireplay-ng -3 -b 00:11:50:51:FD:DC -h 00:13:46:74:03:F5 ath0

Where -b 00:11:50:51:FD:DC is the access point's MAC address, and -h 00:13:46:74:03:F5 is once again the local MAC address of our PC. ath0 is still the interface. Shortly after this is entered, you should see the number of ARP requests increasing, the #/s in the airodump-ng window anywhere between 150 and 300, and #Data increasing faster.
Figure 5. Successful ARP request-reply

Now skip past what to do when you have no clients, and proceed to “Cracking the Key”.

 
The following section is what to do when you have no clients attached:

Fragmentation Attack

(further reading at http://darkircop.org/bittau-wep.pdf)
Sometimes you will find that there isn't a client attached to the network, or the previous method did not work for you. In such a case, you will need to use aireplay-ng to capture a PRGA (pseudo-random generation algorithm) keystream, which is used to create more packets for injection and so gain more IVs. There are two ways of doing this; I will explain the Fragmentation attack first. If this doesn't work, use the next section, the Chopchop attack. To start, enter (in a new console session):
bt ~ # aireplay-ng -5 -b 00:11:50:51:FD:DC -h 00:13:46:74:03:F5 ath0

Where -5 tells it to do a Fragmentation attack using the rest of the data given. Aireplay-ng will now read packets until it finds a suitable one, at which point it will display the contents of that packet on the screen and ask whether you want to use it. Answer 'y' for 'yes'. This is the PRGA packet we use for ARP packet creation and injection.
Figure 6. PRGA Packet Found

After this, a success message will be displayed on the screen, and near the bottom of that screen it will say “Saving keystream in fragment-1013-153351.xor”, where fragment-xxxx-xxxxxx.xor is a filename unique to your system. Nearer the top of that message, it will also say 'Saving chosen packet in replay_src-1013-152347.cap', where the filename is again unique to your PC. Take note of these file names, i.e. do not close this console session. If this attack didn't work, use the next section, the Chopchop attack. If it did work, skip the Chopchop attack and go to 'Creating the ARP Packet'.

Chopchop Attack

The Chopchop attack does exactly the same as the Fragmentation attack, but is used when fragmentation doesn't work. To start a Chopchop attack, open a new console and type
bt ~ # aireplay-ng -4 -h 00:13:46:74:03:F5 -b 00:11:50:51:FD:DC ath0

Where -4 indicates a Chopchop attack using the given information. The system will again display the captured packet and ask whether you would like to use it. Press 'y' for 'yes', and take note of the '.xor' and '.cap' files whose names it displays in the success message. Now proceed to 'Creating the ARP Packet'.

Creating the ARP Packet

In one of the previous two steps, you would have captured an 'xor' and a 'cap' file. These are the files we are going to use to create our ARP packet for injection. To do this, type in a new console session
bt ~ # packetforge-ng -0 -a 00:11:50:51:FD:DC -h 00:13:46:74:03:F5 -k 255.255.255.255 -l 255.255.255.255 -y fragment-1013-153351.xor -w replay_src-1013-152347.cap

Where -0 tells packetforge-ng to generate an ARP packet with the information given. Leave the IP addresses as 255.255.255.255, as these will work for most APs. We do not need an interface at this stage, as we are only creating the packet, not injecting it yet. It should say 'Wrote packet to replay_src-1013-152347.cap', where the 'cap' file has the same name as before. Keep this console open. The next step is the injection process. In the same console session, type
bt ~ # aireplay-ng -2 -r replay_src-1013-152347.cap ath0

Where -2 tells aireplay-ng to use interactive frame selection, and -r is just the filename of the ARP packet. You should now start to see the IVs in airodump-ng increasing fairly fast, with the #/s at quite a reasonable rate.

How to crack the WEP key (applicable to both client and no-client situations):

Now all that is left to do is wait until enough IVs have been captured, and then run aircrack-ng to get the password. Aircrack-ng can also be run while the capture is still in progress; it continuously re-reads the IVs as they are captured and displays the password when it finds it. To do this, we enter (in a new console session)
bt ~ # aircrack-ng -z output*.cap

The -z option tells it to use the faster PTW method, which is possible because we used ARP packets. If we had not used ARP packets, we would have to leave out the -z option and capture many more packets. output*.cap tells aircrack-ng to use every capture file whose name starts with output and ends in .cap. Aircrack-ng will then display a list of all networks that had traffic captured. Choose the one you were trying to crack (in this case DOVER; we do this by pressing 1, because it is first in the list). It will then proceed to crack the key, and eventually display it on the screen. In this case, the password was --:1F:98:11:98:6F:--:15:B8:39:7E:56:-- (the -- are blanked out for privacy reasons).
Figure 7. Successful key Cracked

To use this key in BackTrack to access the internet, enter the following commands in a new console session (you can close all the others).
bt ~ # wlanconfig ath0 destroy
bt ~ # macchanger --mac 00:17:AB:4B:53:C7 wifi0
bt ~ # wlanconfig ath0 create wlandev wifi0 wlanmode managed

The macchanger step is optional; use it to make yourself appear as a different computer with some other MAC address. The system responds to the wlanconfig create command by displaying the following:
ath0
bt ~ # ifconfig ath0 up
bt ~ # iwconfig ath0 essid DOVER key --:1F:98:11:98:6F:--:15:B8:39:7E:56:--
bt ~ # dhcpcd ath0

In this example, I used a 128-bit key for encryption, however, I would advise you use a 64-bit key for learning purposes to start off with.

 

How To Do A Basic WPA-PSK Crack with Aircrack

Now I will tell you how to crack the second type of wireless network encryption – WPA-encrypted networks. As mentioned earlier, the only way to crack a WPA-encrypted connection is to capture a four-way handshake between a client and the AP, and then run a dictionary attack on the password used in that handshake. Also (as written earlier), aircrack-ng can only crack PSKs (pre-shared keys), so if the WPA network does not use PSK, you will not be able to crack it. You can tell by looking in the airodump-ng capture screen under the “AUTH” column (for authentication method): it should say PSK.

Since WPA has to be cracked via a dictionary attack, I will explain what that is for those of you who don't know. A dictionary or wordlist is basically a text file (or sometimes just a file with no extension) with one word on each line. The program using it takes the word on each line and tests it against the password to see if they match. If they match, you have found the password; if not, it moves on to the next one. Some programs offer features such as smart mutations, where your wordlist may contain, for example:
dog
cat
person

But with smart mutations, these will be tested not only as written, but also with things like
Dog, Cat, Person, DOG, CAT, PERSON, C@T, C@t, P3RSON, P3rson, P3RS0N, P3rs0n, etc.
That is basically what smart mutations do, but they will obviously take a lot longer to go through your wordlist, as they (at bare minimum) double the total length of the list. Now, seeing as wordlists are required for WPA cracking, it is a good idea to have one (or more than one). You can create your own if you wish, but this is time-consuming and only really worth it if you already have a fairly good idea of what the person's password might be. Instead, you can download them from many locations on the web. I personally have complete wordlists for every language, as well as names of people, celebrities, places, TV shows, common passwords, odd words, Star Trek, movies, and many other things. If you would like some download links, refer to the list at the end of the article, in the “On the Web” section.

There are two methods of obtaining the WPA four-way handshake we need. One is passive: you sit and wait for another client to connect to the network, and airodump-ng captures that handshake. The other is active: you use aireplay-ng to de-authenticate an existing (currently connected) client. This forces them to reconnect to the network, at which point the handshake occurs and you capture it. The procedure for cracking a WPA network is to start the wireless card in monitor mode on the correct channel for the network, set airodump-ng capturing so that any handshakes which occur are recorded, de-authenticate the connected client, and use aircrack-ng to crack the key. To start, we need to put the card into monitor mode and then determine which channel the WPA network is on. Although you should know how to do this from the WEP section, I will explain it again. In a new console session, enter
bt ~ # airmon-ng stop ath0
bt ~ # airmon-ng start wifi0
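
Before going on with the capture, here is what the “smart mutations” discussed above amount to when written out. This is an added example, not code from the original article or from the Aircrack-ng project: for each base word it generates the case variants and leet variants the text lists (the substitution table a→@, e→3, o→0 is an assumption chosen to reproduce those examples; real rule sets are larger), reports how much the candidate list grows, and, turned around for the defender, checks whether a proposed WPA passphrase is reachable from a small constructed wordlist.

```python
import itertools

# Substitution table chosen to reproduce the text's examples (C@T, P3RSON, P3RS0N).
# This table is an assumption of the example; real mutation rule sets are larger.
LEET = {"a": "@", "e": "3", "o": "0"}

# Constructed wordlist for the demonstration (not a real downloaded list).
SAMPLE_WORDLIST = ["dog", "cat", "person"]


def case_variants(word):
    """dog -> {dog, Dog, DOG}"""
    w = word.lower()
    return {w, w.capitalize(), w.upper()}


def leet_variants(word):
    """Apply every subset of the applicable substitutions, so 'person'
    yields person, p3rson, pers0n and p3rs0n (case of the word is preserved)."""
    letters = [c for c in LEET if c in word.lower()]
    out = set()
    for r in range(len(letters) + 1):
        for subset in itertools.combinations(letters, r):
            table = {}
            for c in subset:
                table[c] = LEET[c]
                table[c.upper()] = LEET[c]
            out.add(word.translate(str.maketrans(table)))
    return out


def mutations(word):
    """All candidates a 'smart mutation' run would try for one base word."""
    out = set()
    for variant in case_variants(word):
        out |= leet_variants(variant)
    return out


def expansion_factor(wordlist):
    """Average number of candidates tested per base word; the text's
    'at bare minimum doubling' is the lower bound of this figure."""
    return sum(len(mutations(w)) for w in wordlist) / len(wordlist)


def is_derivable(candidate, wordlist):
    """Policy check for a proposed passphrase: True if a wordlist attack
    with these mutations would reach it, i.e. the passphrase should be rejected."""
    return any(candidate in mutations(w) for w in wordlist)


if __name__ == "__main__":
    print(sorted(mutations("person")))
    print("candidates per base word:", expansion_factor(SAMPLE_WORDLIST))
    for pw in ("P3rs0n", "C@T", "correct horse battery staple"):
        verdict = "derivable (reject)" if is_derivable(pw, SAMPLE_WORDLIST) else "not derivable"
        print(pw, "->", verdict)
```

With this table alone the three-word list grows to eight candidates per word, which is why the text warns that mutations make a run take much longer; the same function doubles as a passphrase policy check, since anything it can reach from a dictionary word is exactly what the attack will find first.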

Now open up a second console session for airodump-ng, and type
bt ~ # airodump-ng -w test ath0

You should see something similar to the following – a window detailing all wireless networks in range:
Figure 8. Airodump-ng window with WPA

You will notice that the network 'alpha' is on channel 11, so we will need to set the wireless card to monitor this channel only. To do this, go back to the airmon-ng console session we used previously. Type
bt ~ # airmon-ng stop ath0
bt ~ # airmon-ng start wifi0 11

Now, head back to the airodump-ng window and type
bt ~ # airodump-ng -c 11 -w output ath0

This tells airodump-ng to listen on channel 11 (not strictly needed, since the card is already locked to that channel, but it does no harm) and to write its capture to files prefixed 'output'. At the bottom of the airodump-ng window there is a “BSSID” column. Look for the BSSID of our AP here; in this case it is 00:4D:B5:7D:5E:74. Next to it, under “STATION”, take note of the MAC address listed, as this is the physical address of the station that we will de-authenticate to capture the four-way handshake. In this case it is 00:18:DE:D7:9A:D5. If there are no stations listed, you will have to wait until one connects, and then de-authenticate it if you need to (though ideally the four-way handshake will be captured when it connects). To de-authenticate the station, open up a new console session and type
bt ~ # aireplay-ng -0 1 -a  00:4D:B5:7D:5E:74 -c  00:18:DE:D7:9A:D5 ath0

The -0 option selects de-authentication, and 1 is the number of de-auth packets to send. The -a option is the AP's MAC address, and -c is the client's MAC. The console should say
12:00:00  Sending DeAuth to station   -- STMAC:  00:18:DE:D7:9A:D5
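
Seen from the defender's side, the de-authentication frame just sent is exactly what a wireless IDS is built to notice. On networks without 802.11w management frame protection such frames carry no authentication, so detection has to rest on behaviour: bursts of deauth frames, or a deauth aimed at one station that is followed within seconds by that station associating again (a fresh four-way handshake). The following is an added example, not code from the article or from Aircrack-ng; it runs those two rules over a constructed list of frame records. The record format, thresholds and timestamps are assumptions of the example; the addresses are the AP and station MACs from the text.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:4D:B5:7D:5E:74"    # AP BSSID from the text
STA = "00:18:DE:D7:9A:D5"   # station MAC from the text

# Constructed frame records standing in for what a monitor-mode sensor would
# decode: timestamp in seconds, frame subtype, source and destination address.
SAMPLE_FRAMES = [
    {"t": 0.0, "type": "beacon", "src": AP, "dst": BROADCAST},
    {"t": 1.0, "type": "data", "src": STA, "dst": AP},
    # a single forged deauth (what 'aireplay-ng -0 1' produces) and the rejoin it causes
    {"t": 5.0, "type": "deauth", "src": AP, "dst": STA},
    {"t": 5.4, "type": "assoc_req", "src": STA, "dst": AP},
    {"t": 5.5, "type": "eapol", "src": AP, "dst": STA},
] + [
    # later, a broadcast deauth flood: eight frames 100 ms apart
    {"t": 20.0 + i / 10, "type": "deauth", "src": AP, "dst": BROADCAST} for i in range(8)
]


def deauth_bursts(frames, window=2.0, threshold=5):
    """Rate rule: at least `threshold` deauth frames from one source address
    within `window` seconds. Raises one alert per source per burst."""
    alerts, recent, fired = [], {}, set()
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["type"] != "deauth":
            continue
        q = recent.setdefault(f["src"], deque())
        q.append(f["t"])
        while q and f["t"] - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and f["src"] not in fired:
            fired.add(f["src"])
            alerts.append({"rule": "deauth_burst", "src": f["src"],
                           "t": f["t"], "count": len(q)})
        elif len(q) < threshold:
            fired.discard(f["src"])               # burst over; allow a fresh alert later
    return alerts


def deauth_then_rejoin(frames, grace=10.0):
    """Sequence rule: a deauth addressed to one station, followed within
    `grace` seconds by that station associating again. A single frame like
    this is also what a legitimate AP produces, so treat it as a signal to
    correlate (source strength, frequency per station) rather than an alarm."""
    ordered = sorted(frames, key=lambda x: x["t"])
    alerts = []
    for i, f in enumerate(ordered):
        if f["type"] != "deauth" or f["dst"] == BROADCAST:
            continue
        for g in ordered[i + 1:]:
            if g["t"] - f["t"] > grace:
                break
            if g["type"] == "assoc_req" and g["src"] == f["dst"]:
                alerts.append({"rule": "deauth_then_rejoin", "station": f["dst"],
                               "t": g["t"], "gap": round(g["t"] - f["t"], 3)})
                break
    return alerts


def analyse(frames):
    """Run both rules and return every alert, in rule order."""
    return deauth_bursts(frames) + deauth_then_rejoin(frames)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FRAMES):
        print(alert)
```

The sequence rule is the one that matters for the case in the text, where a single frame is enough to provoke the handshake; the rate rule only catches floods. Where the equipment supports it, enabling 802.11w management frame protection removes the forgery itself rather than just detecting it.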

This packet is sent straight from your computer to the client, rather than from your computer via the AP to the client, so you have to make sure that you are close enough not only to the AP but also to the client. When the client tries to reconnect, airodump-ng should capture the four-way handshake and write it to the output file. Once the handshake has been captured, the only thing left to do is crack the key. Open a new console session and type
bt ~ # aircrack-ng -w wordlist.txt output*.cap

Remember that your wordlist has to be in the same directory as your capture file, which is also the working directory of the console (by default the '/root' directory). Aircrack-ng will now try each word in the wordlist against the captured handshake. Success should look like this:
Figure 9. Aircrack-ng successfully cracked WPA key
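
Why a wordlist is the only practical attack here, and why the closing advice of this article (a long, random key) works, comes down to how the WPA key is derived: the passphrase and the SSID go through PBKDF2-HMAC-SHA1 with 4096 iterations to produce the 256-bit pairwise master key, and a cracker has to repeat that work for every guess. The following added example (not code from the article or from Aircrack-ng) derives the PMK, checks it against the IEEE 802.11i test vector, measures how many derivations per second this machine manages, and turns that into time-to-exhaust figures for a few passphrase shapes. The SSID 'alpha' is the network from the text; the rate figures are whatever your CPU produces and the passphrase shapes are chosen for illustration.

```python
import hashlib
import time

ITERATIONS = 4096   # fixed by the WPA-PSK specification


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for WPA/WPA2-PSK:
    PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), ITERATIONS, 32)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passphrases of a given length over a charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of this shape at a given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def measure_guess_rate(ssid: str = "alpha", n: int = 100) -> float:
    """Derive n PMKs against the SSID and return the achieved derivations per
    second (single core, pure Python; dedicated crackers are faster, but the
    4096-iteration cost per guess is the same for everyone)."""
    start = time.perf_counter()
    for i in range(n):
        wpa_pmk(f"guess{i:08d}", ssid)       # constructed candidate passphrases
    return n / (time.perf_counter() - start)


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print("test vector:", wpa_pmk("password", "IEEE").hex())
    rate = measure_guess_rate()
    print(f"this machine: {rate:,.0f} PMK derivations/s")
    shapes = [("8 lowercase letters", 26, 8),
              ("8 mixed-case letters and digits", 62, 8),
              ("12 mixed-case letters and digits", 62, 12),
              ("20 mixed-case letters and digits", 62, 20)]
    for name, charset, length in shapes:
        print(f"{name:>35}: {human(seconds_to_exhaust(charset, length, rate))}")
```

The figures make the point of the Summary concrete: the per-guess cost is fixed by the standard, so the defender's only lever is the size of the space a wordlist (with or without mutations) has to cover, and a long random key puts that space out of reach regardless of the attacker's hardware.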

Summary

As this article shows, wireless networks are very insecure by default. This information can be useful in checking the integrity and strength of your home wifi network, or your business's network if you are the Network Security Auditor for your workplace and have permission to do so. Remember, doing this to networks that you are not the owner of is against the law in all countries. The techniques/procedures outlined in this article are often used by security professionals in demonstrations and tests.

So until a more secure option is available, if wireless is the only option, then the best option is to use a long, non-dictionary WPA or WPA2 key (preferably a randomly generated combination of words, letters and numbers). There are also various options to protect your PC using both software and hardware WIDS (Wireless Intrusion Detection Systems). Some software titles that can achieve this are Network Chemistry, RFprotect, and Trend Micro Internet Security Pro 2008. However, the easiest and cheapest solution is simply to turn off your router when it is not in use.

On the Web
