How To Crack WEP and WPA Wireless Networks

[Nytro]

How To Crack WEP and WPA Wireless Networks

Autor: Habar n-am

With the popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant, but very necessary for both home/SOHO users and IT professionals alike. This article is aimed at illustrating current security flaws in WEP/WPA/WPA2.

Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology, as well as working with command-line tools. A basic familiarity with Linux can be helpful as well.

Disclaimer: Attempting to access a network other than your own, or one you have permission to use is illegal insome U.S. jurisdictions. Speed Guide, Inc. are not to be held liable for any damages resulting from the use or misuse of the information in this article.

To successfully crack WEP/WPA, you first need to be able to set your wireless network card in "monitor" mode to passively capture packets without being associated with a network. This NIC mode is driver-dependent, and only a relatively small number of network cards support this mode under Windows.

One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards available here: NIC chipset compatability list.

If your network card is not supported under Windows, one can use a free Linux Live CD to boot the system. BackTrack 3 is probably the most commonly used distribution, since it runs from a Live CD, and has aircrack-ng and a number of related tools already installed.

For this article, I am using aircrack-ng version 1.0 on a Linux partition (Fedora Core 10, 2.6 32-bit kernel) on my Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn network card. If you're using the BackTrack 3 CD aircrack-ng is already installed, with my version of linux it was as simple as finding it with:

yum search aircrack-ng

yum install aircrack-ng

The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-PSK key cracking. The ones we will be using are:

airmon-ng - script used for switching the wireless network card to monitor mode

airodump-ng - for WLAN monitoring and capturing network packets

aireplay-ng - used to generate additional traffic on the wireless network

aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data.

1. Setup (airmon-ng)

As mentioned above, to capture network traffic wihtout being associated with an access point, we need to set the wireless network card in monitor mode. To do that under linux, in a terminal window (logged in as root), type:

iwconfig (to find all wireless network interfaces and their status)

airmon-ng start wlan0 (to set in monitor mode, you may have to substitute wlan0 for your own interface name)

Note: You can use the su command to switch to a root account.

Other related Linux commands:

ifconfig (to list available network interfaces, my network card is listed as wlan0)

ifconfig wlan0 down (to stop the specified network card)

ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC - can even simulate the MAC of an associated client. NIC should be stopped before chaning MAC address)

iwconfig wlan0 mode monitor (to set the network card in monitor mode)

ifconfig wlan0 up (to start the network card)

iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.

2. Recon Stage (airodump-ng)

This step assumes you've already set your wireless network interface in monitor mode. It can be checked by executing the iwconfig command. Next step is finding available wireless networks, and choosing your target:

airodump-ng mon0 - monitors all channels, listing available access points and associated clients within range. It is best to select a target network with strong signal (PWR column), more traffic (Beacons/Data columns) and associated clients (listed below all access points). Once you've selected a target, note its Channel and BSSID (MAC address). Also note any STATION associated with the same BSSID (client MAC addresses).

running airodump-ng displays all wireless access points and associated clients in range, as well as MAC addresses, SSIDs, signal levels and other information about them.

WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between 20k and 40k packets), while WPA-PSK needs a dictionary attack on a captured handshake between the access point and an associated client which may or may not work.

3. Capture Data (airodump-ng)

To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection, otherwise the wireless card has to alternate between all channels. Assuming our wireless card is mon0, and we want to capture packets on channel 6 into a text file called data:

airodump-ng -c 6 bssid 00:0F:CC:7D:5A:74 -w data mon0 (-c6 switch would capture data on channel 6, bssid 00:0F:CC:7D:5A:74 is the MAC address of our target access point, -w data specifies that we want to save captured packets into a file called "data" in the current directory, mon0 is our wireless network adapter)

Running airodump-ng on a single channel targeting a specific access point

Notes:

You typically need between 20,000 and 40,000 data packets to successfully recover a WEP key.

One can also use the "--ivs" switch with the airodump-ng command to capture only IVs, instead of whole packets, reducing the required disk space. However, this switch can only be used if targeting a WEP network, and renders some types of attacks useless.

4. Increase Traffic (aireplay-ng) - optional step for WEP cracking

An active network can usually be penetrated within a few minutes. However, slow networks can take hours, even days to collect enough data for recovering the WEP key.

This optional step allows a compatible network interface to inject/generate packets to increase traffic on the wireless network, therefore greatly reducing the time required for capturing data. The aireplay-ng command should be executed in a separate terminal window, concurrent to airodump-ng. It requires a compatible network card and driver that allows for injection mode.

Assuming your network card is capable of injecting packets, in a separate terminal window try:

aireplay-ng -3 -b 00:0F:CC:7D:5A:74 -h 00:14:A5:2F:A7:DE -x 50 wlan0

-3 --> this specifies the type of attack, in our case ARP-request replay

-b ..... --> MAC address of access point

-h ..... --> MAC address of associated client from airodump

-x 50 --> limit to sending 50 packets per second

wlan0 --> our wireless network interface

aireplay-ng allows for injecting packets to greatly reduce the time required to recover a WEP key

Notes:

To test whether your nic is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available -here-.

To see all available replay attacks, type just: aireplay-ng

5. Crack WEP (aircrack-ng)

WEP cracking is a simple process, only requiring collection of enough data to then extract the key and connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-attempt cracking the key after every 5000 packets.

To attempt recovering the WEP key, in a new terminal window, type:

aircrack-ng data*.cap (assuming your capture file is called data...cap, and is located in the same directory)

aircrack-ng can successfully recover a WEP key with 10-40k captured packets. The retreived key is in hexadecimal, and can be entered directly into a wireless client omitting the ":" separators

Notes:

If your data file contains ivs/packets from different access points, you may be presented with a list to choose which one to recover.

Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys.

6. Crack WPA or WPA2 PSK (aircrack-ng)

WPA, unlike WEP rotates the network key on a per-packet basis, rendering the WEP method of penetration useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack on a handshake between an access point and a client. What this means is, you need to wait until a wireless client associates with the network (or deassociate an already connected client so they automatically reconnect). All that needs to be captured is the initial "four-way-handshake" association between the access point and a client. Essentially, the weakness of WPA-PSK comes down to the passphrase. A short/weak passphrase makes it vulnerable to dictionary attacks.

To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This can be obtained using the same technique as with WEP in step 3 above, using airodump-ng.

You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:

aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_IP is the MAC address of the access point, MAC_Client is the MAC address of an associated client, mon0 is your wireless NIC).

Once you have captured a four-way handshake, you also need a large/relevant dictinary file (commonly known as wordlists) with common passphrases. See related links below for some wordlist links.

You can, then execute the following command in a linux terminal window (assuming both the dictionary file and captured data file are in the same directory):

aircrack-ng -w wordlist capture_file (where wordlist is your dictionary file, and capture_file is a .cap file with a valid WPA handshake)

Additional Notes:

Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a handshake). After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files. A good size wordlist should be 20+ Megabytes in size, cracking a strong passphrase will take hours and is CPU intensive.

Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a weak/short/common/human-readable passphrase can be broken within a few minutes using an offline dictionary attack. My record time was less than a minute on an all-caps 10-character passphrase using common words with less than 11,000 tested keys! A modern laptop can process over 10 Million possible keys in less than 3 hours.

WPA hashes the network key using the wireless access point's SSID as salt. This prevents the statistical key-grabbing techniques that broke WEP, and makes hash precomputation more dificult because the specific SSID needs to be added as salt for the hash. There are some tools like coWPAtty that can use precomputed hash files to speed up dictionary attacks. Those hash files can be very effective (sicne they're much less CPU intensive and therefore faster), but quite big in size. The Church of WiFi has computed hash tables for the 1000 most common SSIDs against a million common passphrases that are 7Gb and 33Gb in size...

[lafurat]

Sa crackezi WAPul e cam greu sau aproape imposibil, pentru ca trebuie sa folosesti dicctionare. Ai mai multe posibilitati sa spargi wpaul numa daca victima are passul pus de la companie, dar merita incercat

[zippy]

Sa crackezi WAPul e cam greu sau aproape imposibil, pentru ca trebuie sa folosesti dicctionare. Ai mai multe posibilitati sa spargi wpaul numa daca victima are passul pus de la companie, dar merita incercat

Pun pariu ca nu stii sa spargi nici wep!

No offence ...

[boradarius]

@nytro nu exista ceva de genu asta dar pentru symbian 3rd?

[greerasu_tony]

@nytro nu exista ceva de genu asta dar pentru symbian 3rd?

exista numai pt nokia n900 pt symbian 3rd nu exista

[zippy]

exista numai pt nokia n900 pt symbian 3rd nu exista

NeoPwn Mobile Pentesting - Pioneers of Mobile Network Auditing

[AlucardHao]

sal.. am si eu o intrebare.. de curiozitate cam cat dureaza in general sa faci un bruteforce la o cheie wpa dupa ce ai prins handshake-ul

eu am lasat 20 si ceva de ore pe bruteforce.. si nu a dat nici un rezultate..

comanda de bruteforce: /pentest/passwords/jtr/john --stdout --incremental:all | aircrack-ng -b (aici am pus macul prins de la handshake) -w - fisier.cap

ce sa ii fac?? ca la wep merge mai repede.. dar wpa.. nu stiu cum, dar din cate se pare dureaza mult prea mult.

[begood]

bruteforce-ul dureaza la infinit. e absurd sa intrebi asta.

depinde cat de lunga si complexa e parola.

ia si tu wpa rainbow tables si sparge cu aia, sau "inchireaza" niste computere si ruleaza dictionare. bruteforce e absurd sa bagi la wpa.

[Cheater]

Si pt htc merge sau orice alt pda cu wm, se poate emula un linux, iti pui ce ai u nevoie, si done. Acum nu stiu daca driverele wifi din kernel suporta injectie dar probabil se gasesc patchuri.

[AlucardHao]

salut.. tocmai am terminat un list de 7 gb de parole.. si tot nu am reusit sa gasesc parola pentru un wpa.. si am pus si pe sistemu desktop o lista de 33 Gb.. se poate ca sa ma ajute si pe mine cineva? sau macar na.. sa imi zica alta optiune...

am uploadat folderul cu handshakeu capturat pe Index of /edx

daca nu se poate sa primesc ajutor in gasirea parole atunci poate un mic sfat cum sa fac altcumva merci mult de tot

[Cheater]

I-am dat de lucru serverasului meu, am: 2.8 GHz x 4 Coruri = 11.2GHz total din care ~98% foloseste pentru spargerea wpa-ului, testand ~2695.02 k/s postez daca primesc un rezultat curand.

Bafta!

PS: cand voi face rost de ceva $$ in plus mi s-a pus pata si pe o placa video cu CUDA ceva mai rasarita .

[AlucardHao]

multam mult :.. raman dator ..

[Cheater]

Dupa 63 de ore si peste 572 milioane de incercari am fost nevoit sa renunt.

[greerasu_tony]

testand ~2695.02 k/s

doar atat? mie pc-ul fix imi merge cu 3.500k/s si e un dual core de 2.20ghz cu overclocking la 2.50ghz si placa video nu e cinestie de care

[sirHackelot]

Response to Cheater "Dupa 63 de ore si peste 572 milioane de incercari"

salut - ai incercat un list de 7 gb de parole, dar ce fel de cuvinte se aflau in 7 gb, daca folosesti 7 gb cuvinte englezesti, si vrei sa spargi un wpa roman, banuiesc ca poate ar ajuta mai mult un dictionar roman mai mic - decat 7 gb engleza - (poate am inteles eu ceva gresit, si ai facut bine totul - era o idee de la mine) - apropos, cine are un dictinar roman bun, o lista buna cu cuvinte romanesti si fara diacritice

[rampart]

Response to Cheater "Dupa 63 de ore si peste 572 milioane de incercari"

salut - ai incercat un list de 7 gb de parole, dar ce fel de cuvinte se aflau in 7 gb, daca folosesti 7 gb cuvinte englezesti, si vrei sa spargi un wpa roman, banuiesc ca poate ar ajuta mai mult un dictionar roman mai mic - decat 7 gb engleza - (poate am inteles eu ceva gresit, si ai facut bine totul - era o idee de la mine) - apropos, cine are un dictinar roman bun, o lista buna cu cuvinte romanesti si fara diacritice

Dap, si eu vreau )

[Cheater]

Am folosit brute, nu dictionare, daca as fi incercat dictionare as fi incercat in romana, am cativa gb, privat.

@greerasu_tony ori a folosit placa video, ori vezi si u unde am eu "." in numar si unde il ai tu , nu are cum sa fie asa o diferenta, am verificat procesul si folosea toate coreurile la cap mare, de asemenea am comparat cu spusele altora de pe forumuri si se mentine diferenta corect.

[soll86]

Am folosit brute, nu dictionare, daca as fi incercat dictionare as fi incercat in romana, am cativa gb, privat.

@greerasu_tony ori a folosit placa video, ori vezi si u unde am eu "." in numar si unde il ai tu , nu are cum sa fie asa o diferenta, am verificat procesul si folosea toate coreurile la cap mare, de asemenea am comparat cu spusele altora de pe forumuri si se mentine diferenta corect.

Fa un upload cu dictionarul ala ..

[wepobad]

:Dpentru pass urile din fabrica uite o mura in gura Herramientas inseguridad, monitorización y auditoria de redes inalámbricas - clave por defecto WPA redes WLAN_XXXX - wpamagickey valabil doar pentru wpa la mine a functzionat pentru cateva ......in rest mai belejte si tu oki pe net ca tot ai timp de frecat matzu

Edited July 23, 2011 by wepobad