|
Shortcuts
|
How To Crack WEP and WPA Wireless NetworksCracking WEP, WPA-PSK and WPA2-PSK wireless security using aircrack-ng2008-11-21 (updated: 2013-02-25) by Philip Tags: aircrack, Wireless, Wi-Fi, WPA, WEP, WPA2, NIC, hash, wordlist, security, SSID, channel, crack, hack, reaver, WPS, vulnerability 
Introduction With the popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant, but very necessary for both home/SOHO users and IT professionals alike. This article is aimed at illustrating current security flaws in WEP/WPA/WPA2. Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology, as well as working with command-line tools. A basic familiarity with Linux can be helpful as well. Disclaimer: Attempting to access a network other than your own, or one you have permission to use is illegal insome U.S. jurisdictions. Speed Guide, Inc. are not to be held liable for any damages resulting from the use or misuse of the information in this article. To successfully crack WEP/WPA, you first need to be able to set your wireless network card in "monitor" mode to passively capture packets without being associated with a network. This NIC mode is driver-dependent, and only a relatively small number of network cards support this mode under Windows. One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards available here: NIC chipset compatability list. If your network card is not supported under Windows, one can use a free Linux Live CD to boot the system. BackTrack is probably the most commonly used distribution, since it runs from a Live CD, and has aircrack-ng and a number of related security auduting tools already installed. For this article, I am using aircrack-ng on another Linux distro (Fedora Core) on a Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn network card. If you're using the BackTrack CD aircrack-ng is already installed, with my version of linux it was as simple as finding it with:
The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-PSK key cracking. The ones we will be using are:
1. Setup (airmon-ng) As mentioned above, to capture network traffic wihtout being associated with an access point, we need to set the wireless network card in monitor mode. To do that under linux, in a terminal window (logged in as root), type:
Note: You can use the su command to switch to a root account. Other related Linux commands:
2. Recon Stage (airodump-ng) This step assumes you've already set your wireless network interface in monitor mode. It can be checked by executing the iwconfig command. Next step is finding available wireless networks, and choosing your target:
WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between 20k and 40k packets), while WPA-PSK needs a dictionary attack on a captured handshake between the access point and an associated client which may or may not work.
3. Capture Data (airodump-ng) To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection, otherwise the wireless card has to alternate between all channels. Assuming our wireless card is mon0, and we want to capture packets on channel 6 into a text file called data:
Notes: You typically need between 20,000 and 40,000 data packets to successfully recover a WEP key. One can also use the "--ivs" switch with the airodump-ng command to capture only IVs, instead of whole packets, reducing the required disk space. However, this switch can only be used if targeting a WEP network, and renders some types of attacks useless.
4. Increase Traffic (aireplay-ng) - optional step for WEP cracking An active network can usually be penetrated within a few minutes. However, slow networks can take hours, even days to collect enough data for recovering the WEP key. This optional step allows a compatible network interface to inject/generate packets to increase traffic on the wireless network, therefore greatly reducing the time required for capturing data. The aireplay-ng command should be executed in a separate terminal window, concurrent to airodump-ng. It requires a compatible network card and driver that allows for injection mode. Assuming your network card is capable of injecting packets, in a separate terminal window try:
Notes: To test whether your nic is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available -here-. To see all available replay attacks, type just: aireplay-ng
5. Crack WEP (aircrack-ng) WEP cracking is a simple process, only requiring collection of enough data to then extract the key and connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-attempt cracking the key after every 5000 packets. To attempt recovering the WEP key, in a new terminal window, type:
Notes: If your data file contains ivs/packets from different access points, you may be presented with a list to choose which one to recover. Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys.
6. Crack WPA or WPA2 PSK (aircrack-ng) WPA, unlike WEP rotates the network key on a per-packet basis, rendering the WEP method of penetration useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack on a handshake between an access point and a client. What this means is, you need to wait until a wireless client associates with the network (or deassociate an already connected client so they automatically reconnect). All that needs to be captured is the initial "four-way-handshake" association between the access point and a client. Essentially, the weakness of WPA-PSK comes down to the passphrase. A short/weak passphrase makes it vulnerable to dictionary attacks. To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This can be obtained using the same technique as with WEP in step 3 above, using airodump-ng. You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:
Note the last two numbers in brackets [ 5:62 ACKs] show the number of acknowledgements received from the client NIC (first number) and the AP (second number). It is important to have some number greater than zero in both. If the first number is zero, that indicates that you're too far from the associated client to be able to send deauth packets to it, you may want to try adding a reflector to your antenna (even a simple manilla folder with aluminum foil stapled to it works as a reflector to increase range and concentrate the signal significantly), or use a larger antenna.
Once you have captured a four-way handshake, you also need a large/relevant dictinary file (commonly known as wordlists) with common passphrases. See related links below for some wordlist links. You can, then execute the following command in a linux terminal window (assuming both the dictionary file and captured data file are in the same directory):
Additional Notes: Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a weak/short/common/human-readable passphrase can be broken within a few minutes using an offline dictionary attack. My record time was less than a minute on an all-caps 10-character passphrase using common words with less than 11,000 tested keys! A modern laptop can process over 10 Million possible keys in less than 3 hours. WPA hashes the network key using the wireless access point's SSID as salt. This prevents the statistical key-grabbing techniques that broke WEP, and makes hash precomputation more dificult because the specific SSID needs to be added as salt for the hash. There are some tools like coWPAtty that can use precomputed hash files to speed up dictionary attacks. Those hash files can be very effective (sicne they're much less CPU intensive and therefore faster), but quite big in size. The Church of WiFi has computed hash tables for the 1000 most common SSIDs against a million common passphrases that are 7Gb and 33Gb in size...
7. Crack WPA using the WPS Vulnerability (Reaver) Many Wi-Fi devices are aslo vulnerable to a WPS (Wi-Fi Protected Setup) vulnerability described in US-CERT TA12-006A Alert. WPS provides simplified mechanisms to secure wireless networks, most often using a PIN as a shared secret to authenticate clients and share the WEP/WPA/WPA2 passwords and keys. The external PIN exchange mechanism is susceptible to brute-force attacks that allow for bypassing wireless security in a relatively short time (few hours). The only remedy is to turn off WPS, or use an updated firmware that specifically addresses this issue. A free Linux open-source tool called Reaver is able to exploit the WPS vulnerability. To launch an attack:
An attack using Reaver typically takes between 4 and 8 hours (provided WPS requests are not being limited by the AP), and returns the SSID, WPS PIN and WPA passphrase for the target network. Note that some routers may lock you out for a few minutes if they detect excessive failed WPS PIN attempts, in such cases it may take over 24 hours. Notes:
Troubleshooting Tips Even with the above tools properly installed, it is common to get a few errors/warnings during the attacks, usually related to timeouts, poor signal, or interface driver not supporting monitor/injection modes. Here are some points to consider: 1. Is your adapter properly set in monitor mode ?
Final Thoughts As demonstrated above, WEP cracking has become increasingly easier over the years, and what used to take hundreds of thousands packets and days of capturing data can be accomplished today within 15 minutes with a mere 20k data frames. Simply put, cracking WEP is trivial. WPA/WPA2-PSK encryption is holding its ground if using a strong, long key. However, weak passphrases are vulnerable to dictionary attacks. WPA/WPA2 may be on borrowed time as well, according to some recent news. The WPS vulnerability renders even WPA/WPA2 secured wireless networks very vulnerable. An extensive list of vulnerable devices is available here: google docs spreadsheet. Note that some routers (including most popular Cisco/Linksys models) will NOT turn off WPS even if turned off via the radio button in their web admin interface. You may be able to turn it off using third-party firmware, such as DD-WRT (which does not support WPS).
Related Links
User Reviews/Comments:
rate:
avg:
by
Philip - 2009-12-13 10:04
Yes, I used the Intel 4965 agn, however Backtrack Live CD at the time (I believe it was 3) did not have the correct driver for it... So I just used Fedora core. You may have to install additional drivers depending on your distro.
Hi!! I'm looking for a way to crack wpa tkip without using brute force...
Does anyone know? Thanks!
question: why do you need to fake the attacker's MAC address?
thanks!
In general, you may want to fake a MAC address to:
- to clone the MAC of an already authenticated client so packets will appear to come from them - tp use a MAC that is not blocked by the AP - to obscure your own NIC information (you can get the NIC manufacturer from its MAC, for example)
Thanks for the tutorial
I am on the 4 way handshake bit. 1. How long does it normally take to complete the 4 way handshake? 2. Sometimes my internet disconnect whilst doing that? Please advise. Thanks
"SSID needs to be added as salt for the hash" - yuck, thats sound like a bad recipe.
Addidional: using other capture programs like 'ComView for WiFi' or 'Sniffer Pro', then saving as a TcpDump file works too.
I have captured wpa handshake and I tried some wordlist with aircrack
but aircrack didn't find the password... If anyone can help my here is my cap file http://www.4shared.com/file/195846133/1b793e0/cap_file.html and this is my email : tony.nahhat@yahoo.com please help me
is there any way to hack wpa using an ethernet cable...???
The first pc connected internet via ethernet cable from my office I want to connect the second pc via a wireless card but i dont know the WPA password in my office
I found the key (00:34:66:11:05) but I don’t understand it. Please help me!
"is there any way to hack wpa using an ethernet cable...???
The first pc connected internet via ethernet cable from my office I want to connect the second pc via a wireless card but i dont know the WPA password in my office" Well, you can simply connect to the router's IP address and try the default password (there is a list of over 800 routers in our hardware database). Once in its administration interface, you can change/view the WPA key.
"I found the key (....) but I don’t understand it. Please help me!"
The key is in hex format... Depending on your operating system, you may have to type it witout the colons. Oher than that, just connect to the wireless network and type the key.
I have backtrack4 with Alpha network card but when try to hack wep key i dont get enought data packets from target AP.... i hope u will help me
You should look into the aireplay-ng command to increase thaffic, as pointed out in the article (if your NIC can inject packets). You can type aireplay-ng -? for additional switches. It works better when you clone the MAC address of an associated client. Otherwise, it's just a matter of time to collect more packets passively.
I miss complitly understand the way so what the point is it to hacker the wireless lan or to injoy it pls explain
if the channel is 1, can it be hack or not
Specter:
The security of your local wireless network is an important concept. Understanding how it can be hacked helps make more educated decisions about protecting it. Hacking a wireless network can expose the local computers and all shared information to an attacker, or, more commonly outsiders can use your wireless lan to connect to the internet without your knowledge. Hypothetically, imagine a neighbor's kid hacks into your Wireless LAN and uses P2P to download illegal files or spread viruses... There is a potential you can be held accountable for the information that passes through your equipment. All channels are equally vulnerable to an attack, what makes a difference is the type of security/encryption used and the length of the key.
HELLO thanks for all the help but where i can get that dictionary and handshake and where i have to put that dictionary in backtrack 3? plz help me or give me your yahoo or hotmail id or your number i really want to crack wpa-psk you don't know how important is this for me so plz help me
Nice article, definitely makes me aware that I want WPA at least.
So, a question: Does not broadcasting your SSID make it any more secure? Cheers, DV8
Hi Philip,
This may be repeated question, how to get the network interface name under the windows environment, e.g. Windows 7 or Vista. Thanks
So, a question: Does not broadcasting your SSID make it any more secure?
Actually, no. The other computers that use the network will be putting the SSID in their packets anyway. Read: http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx where the question is answered tom
Hi Philip, i have the same intel wifi as you
however when i type iwconfig it only shows root@bt:~# iwconfig lo no wireless extensions. eth0 no wireless extensions. it does not detect my intel wifi built in card, what should i do? Thanks in Advance!
I'd try: ifconfig
Also, look in /etc/network/interfaces to see what network adapters have been configured, your wireless card doesn't seem to be configured properly.
ThAnkz So Much 4 ThiS Easy 2TorIal.........
It wOrk GooD 4 me... im using Fedora 13 and Intel 5100 wifi card...
If you want hacking tips, while there are some here that may help you, stop asking here if you are that lacking in creativity/sense/originality.
This was meant as a guide to EDUCATE PEOPLE TO THE PROBLEMS WITH USING WIFI. Seriously, do you think ANY network is secure? NO! And yes, that includes wired networks. THERE IS ALWAYS SOMETHING THAT WILL ALLOW YOU SOME SORT OF ACCESS. People, get a grip on your own lack of intelligence or skill, and THINK ABOUT WHAT YOU ARE TRYING TO DO. Then post to the appropriate places to get your desired response. Seriously, I thought people were getting smarter....
How can anyone claim this information is based on educational purposes
nobody in the real world would any of this unless its for illegal purposes if you lost you wireless password why bother cracking it when you can just reset the router and bingo then setup a new wireless key its common sense to know which passwords are likely to be secure if you don't what are you doing setting up wireless in the first place just buy a longer cable plus you speed will be faster by using wireless you are losing speed so why bother using wireless in your home just by longer cables i know they can get messy but there is always a place to hide cables i can understand using wireless when your out but not at home where you router is less then 100 yards |
