WIRELESS SECURITY AND PENTEST TUTORIAL USING BACKTRACK

The tutorial about Network Security and Pentest using Backtrack that covers Networking Basics, Wireless Networks Basics, Wireless Penetration and Securing Wireless Networks.

Independent Study by Nuno Freitas

27/05/2012

Nuno Freitas

Table of Contents

Executive Summary ... 2 Before the fun part Start ..... 3 ARP Protocol .. 4 Discovery of Networks ... 6 Wireless Networks ...... 7 Software ...... 11 Wireshark ........ 13 Wireless Deauthentication Attack ....... 21 Fake Authentication ........ 23 MAC Filtering ......... 27 Cracking WEP with a connected client (OPEN System) .... 29 Cracking WEP without a connected client (OPEN System) ....... 35 Cracking WEP (Shared Key Authentication) ..... 41 Cracking WPA (Dictionary Mode) ..... 46 Cracking WPA (Database Mode) ........ 50 Hidden ESSID ......... 55 Cracking WPA (Wi-Fi Protected Setup) ................. 57

Nuno Freitas

Executive Summary
Over the past months Ive been learning about Network Security. Ive started reading documents like this and so Im writing this tutorial not to teach anyone how to break into their neighbors network and get free internet or valuable information. No. Im writing this because even not being an expert, I hope that this could be useful to those who dont know where to begin learning about it. Backtrack, currently in it fifth version, Backtrack 5, is an operating system based on Ubuntu GNU/Linux distribution and it is aimed at digital forensics and penetration testing use. It is named after backtracking, a search algorithm. Backtrack have tons of tools that could be useful, Ill be talking about some that already come with Backtrack and some other that you need to install if you are using an older version than Backtrack 5 R2. Ill add to this document how to install those programs. Through the Document lets imagine Im an attacker, attacking Wireless Networks. In this tutorial Ill be using one Computer, with Windows 7 and VMware installed with Backtrack 5 R2, the attacker computer. I will use two routers through the Tutorials because my old Router (Conceptronic c54brs4) doesnt support WPS to use against Reaver so Ill use a TP-LINK TLWR841ND.

Dont forget, the attacker pc must be using a Wireless Card that supports packet injection in order to perform some attacks.

Nuno Freitas

My Setup

Router (Conceptronic C54BRS4)

Attacker Antenna (TP-LINK TLWN722N)

Router (TP-LINK TL-WR841ND)

Before the fun part start

Before we start the fun part I would like to write about some network basics. Thus, this paper will be helpful even you dont have a really good knowledge of what it is a network and how it works. Even if you know how a network works, you might find the texts bellow interesting anyway.

Nuno Freitas

The ARP Protocol

In networks there are a variety of protocols. One of them is the ARP Protocol. ARP stands for Address Resolution Protocol.

Before we start with the ARP Protocol, lets just remember what are Physical Addresses and Logical Addresses. Physical Addresses Its what we know as MAC (Media Access Control) which is associated to a device. This address is composed by 48 bits (12 hexadecimal characters) Logical Addresses They are what we often call as IP Address. How does the ARP Protocol works? In a network when a computer wants to find another one it has to know the IP of that computer but the information inserted in the packets is the MAC Address of the destination computer. When you only know the IP you need to ask for the MAC. Using the ARP Protocol, that resolves IP Addresses into MAC Addresses. For example Imagine a computer, lets just say Computer A, with an IP 192.168.2.105 and it wants to communicate with a computer with an IP 192.168.2.100, Computer B.
4

Nuno Freitas

Computer A will check its ARP Table and if it doesnt possess Computer Bs MAC Address it will send a message to the Address FF:FF:FF:FF:FF:FF asking the ARP Address of Computer B. (ARP REQUEST) Then computer B will answer to Computer A sending him his Physical Address. Computer A will add an Entry in its ARP Table with that same MAC Address corresponding to Computers Bs IP. (ARP REPLY) You can check your ARP Table by typing in a Command Prompt: #arp -a

It is also possible to translate MAC Addresses into IP Addresses but the Protocol used in that translation is the RARP Protocol (Reverse Address Resolution Protocol). These are some of the most important Protocols in networking and some of the easiest Protocols to understand. Up ahead in this tutorial we will talk more about ARP Protocol.

Nuno Freitas

Discovery of Wireless Networks

When you want to perform a wireless attack you need to identify the network you are attempting to access. Sometimes the attacker knows already what network he will attempt to break, sometimes it doesnt so it is needed more time to figure it out. Well, I wont talk about how to hack a corporation because the point of this tutorial is not how to become a criminal or a hacktivist, I just want to show you how easily someone can break through your network and get free internet or data and help you to avoid that. So I will get to the point with a general idea of scanning and not what it really is all about. For the next tutorials we will be scanning the airwaves in monitor mode or promiscuous mode which is a type of scan where you dont send any beacons or probes, instead of that, you gather information from traffic that is already going on the air. Figuratively it's like if your computer just sits down and read the traffic going on the airwaves and interprets it. To perform a passive scan a wireless card must be on monitor mode. A card in monitor mode will read every wireless packet it can reach and try to extrapolate data. As all wireless networks operate on the same frequency, the air is usually flooded with packets from several different networks. The card picks up these packets and deduces what network they belong to. This is different than just only trying beacon or probe packets because there is always much more traffic than just those two types of packets. Not all wireless cards support monitor mode. The chipset of the card must support the mode as well as the driver being used. In the tutorials Ill be using airmon-ng which is a program in aircrack-ng suite, to put the wireless card in monitor mode. Before we start the hacking process there are some things you should read about if youre a beginner. For example what are WEP and WPA encryptions? How do they work? What is the 802.11n standard? Lets find about that.

Nuno Freitas

Wireless Networks
There are two types of encryption in Wireless Networks, we have WEP that stands for Wireless Equivalency Protocol and we have WPA which stands for Wi-Fi Protected Access. In spite that WPA is more secure than WEP, both are vulnerable to different types of attacks as we will see.

WEP (Wireless Equivalency Protocol)

WEP is not the best protection, however it is better than nothing, though generally not as secure as the more sophisticated WPA/WPA2 encryption. A big problem is that if a Cracker can sniff packets on a WEP encrypted network, it is only a matter of time until the password is cracked. If enough traffic can be intercepted by an attacker, then it can be broken by brute force in a matter of minutes or even seconds. If that werent bad enough, the time it takes to crack WEP only grows linearly with key length, but a 104-bit key doesnt provide any significant protection over a 40-bit key when faced against a determined cracker. There are several freely available programs that allow for the cracking of WEP thats why it is indeed a broken solution, but it should be used over than nothing. With WEP there are two different forms of authentication, shared key and open system. In shared key, the client request authentication and the Wireless Access Point sends a text which the client has to encrypt using the WEP key and send it back, if it matches then the WAP (Wireless Access Point) authenticates and associates with the client. In open system authentication any client can associate with the WAP. The client is authenticated regardless of the key it possesses and begins to receive packets. The client would need the correct key at this point to read the packets. A WEP key is usually 128bit comprised of 26 hexadecimal values and a 24bit Initialization Vector (IV). Each packet is encrypted using RC4 algorithm with the 26 hexadecimal values and a random IV. The packet is sent along with the IV in plain text. The client then decrypts the packet using the hex key and the included IV.

Nuno Freitas

WPA (Wi-Fi Protected Access)

WPA
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN-equipment that worked with WEP are able to be simply upgraded and no new equipment needs to be bought. WPA is a trimmed-down version of the 802.11i security standard that was developed by the IEEE 802.11 to replace WEP. The TKIP (Temporal Key Integrity Protocol) encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AESCCMP algorithm that is the preferred algorithm in 802.11i and WPA2. WPA Enterprise provides RADIUS based authentication using 802.1x. WPA Personal uses a pre-shared Shared Key (PSK) to establish the security using an 8 to 63 character passphrase. The PSK may also be entered as a 64 character hexadecimal string. Weak PSK passphrases can be broken using a dictionary attacks by capturing the fourway handshake when the client connects to the network or reconnects after being deauthenticated. WPA Personal is secure when used with good passphrases or a full 64-character hexadecimal key. They should also not use WPS (Wireless Protected Setup) since a huge vulnerability was discovered and can be already exploited.

TKIP
This stands for Temporal Key Integrity Protocol and the acronym is pronounced as teekip. This is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system and also provides a message integrity check. These avoid the problems of WEP.

EAP
The WPA-improvement over the IEEE 802.1X standard already improved the authentication and authorization for access of wireless and wired LANs. In addition to this, extra measures such as the Extensible Authentication Protocol (EAP) have initiated an even greater amount of security. This, as EAP uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings.

Nuno Freitas

802.11i security
The newest and most rigorous security to implement into WLAN's today is the 802.11i RSN-standard. This full-fledged 802.11i standard (which uses WPA2) does require the newest hardware (unlike WPA), thus potentially requiring the purchase of new equipment. This new hardware required may be either AES-WRAP (an early version of 802.11i) or the newer and better AES-CCMP-equipment.

WPA2
WPA2 is a Wi-Fi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and pre-shared key (PSK).

CCMP
CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol also known as (CCM mode Protocol) is an encryption protocol designed for Wireless Networks products that implement the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) of the AES standard. It was created to address the vulnerabilities presented by TKIP, a protocol in WPA, and WEP, a dated, insecure protocol.

802.11b
802.11b has a maximum raw data rate of 11 Mbit/s and uses the same media access method defined in the original standard. 802.11b products appeared on the market in early 2000, since 802.11b is a direct extension of the modulation technique defined in the original standard. The dramatic increase in throughput of 802.11b (compared to the original standard) along with simultaneous substantial price reductions led to the rapid acceptance of 802.11b as the definitive wireless LAN technology. 802.11b devices suffer interference from other products operating in the 2.4 GHz band. Devices operating in the 2.4 GHz range include: microwave ovens, Bluetooth devices, baby monitors and cordless telephones.

Nuno Freitas

802.11g
In June 2003, a third modulation standard was ratified: 802.11g. This works in the 2.4 GHz band (like 802.11b), but uses the same OFDM based transmission scheme as 802.11a. It operates at a maximum physical layer bit rate of 54 Mbit/s exclusive of forward error correction codes, or about 22 Mbit/s average throughputs. 802.11g hardware is fully backwards compatible with 802.11b hardware and therefore is encumbered with legacy issues that reduce throughput when compared to 802.11a by 21%. The then-proposed 802.11g standard was rapidly adopted by consumers starting in January 2003, well before ratification, due to the desire for higher data rates as well as to reductions in manufacturing costs. By summer 2003, most dual-band 802.11a/b products became dual-band/tri-mode, supporting a and b/g in a single mobile adapter card or access point. Details of making b and g work well together occupied much of the lingering technical process; in an 802.11g network, however, activity of an 802.11b participant will reduce the data rate of the overall 802.11g network. Like 802.11b, 802.11g devices suffer interference from other products operating in the 2.4 GHz band, for example wireless keyboards.

802.11n
802.11n is an amendment which improves upon the previous 802.11 standards by adding multiple-input multiple-output antennas (MIMO). 802.11n operates on both the 2.4 GHz and the lesser used 5 GHz bands. The IEEE has approved the amendment and it was published in October 2009. Prior to the final ratification, enterprises were already migrating to 802.11n networks based on the Wi-Fi Alliance's certification of products conforming to a 2007 draft of the 802.11n proposal.

10

Nuno Freitas

Software
During these next tutorials Ill be using some programs under Backtrack 5, so lets give a brief explanation about what are those programs all about and what type of tasks they can be used for.

Aircrack-ng
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11b, 802.11g and 802.11n traffic. The program runs under Linux and Windows. Features The aircrack-ng software suite includes: aircrack-ng - Cracks WEP and WPA (Dictionary attack) keys. airdecap-ng - Decrypts WEP or WPA encrypted capture files with known key. airmon-ng - Placing different cards in monitor mode. aireplay-ng - Packet injector (Linux, and Windows). airodump-ng - Packet sniffer: Places air traffic into PCAP or IVS files and shows information about networks. airtun-ng - Virtual tunnel interface creator. airolib-ng - Stores and manages ESSID and password lists; Increases the KPS of WPA attacks packetforge-ng - Create encrypted packets for injection. airbase-ng - Incorporates techniques for attacking client, as opposed to Access Points airdecloak-ng - removes WEP cloaking from pcap files airdriver-ng - Tools for managing wireless drivers tkiptun-ng - WPA/TKIP attack airserv-ng - allows you to access the wireless card from other computers. buddy-ng - the helper server for easside-ng, run on a remote computer easside-ng - a tool for communicating to an access point, without the WEP key wesside-ng - automatic tool for recovering WEP key

Wireshark
Wireshark is a free and open-source packet analyzer.

11

Nuno Freitas

It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues. Wireshark is very useful since you can analyze every packet individually and understand what is going on the airwaves since that Wireshark distinguishes all types of packets travelling the wireless field. Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and on Microsoft Windows.

Pyrit Pyrit allows creating massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the worlds most used security-protocols. Pyrit is free software. Everyone can inspect copy or modify it and share derived work under the GNU General Public License v3+. It compiles and executes on a wide variety of platforms including FreeBSD, MacOS X and Linux as operation-system and x86-, alpha-, arm-, hppa-, mips-, powerpc-, s390 and sparc-processors. Pyrit is a very good tool, although its not included in Backtrack 5. In pyrit attack tutorial I will also explain how to install it.

Reaver
Reaver implements a brute force attack against Wifi Protected Setup (WPS) using PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

12

Nuno Freitas

Wireshark
So, as you might read before, Wireshark is a packet analyzer. Lets learn how to work with that tool. Remember that Wireshark can work on every interface you have. For example you can create a monitor mode interface and use it on Wireshark, that way you will get every packet in the Wireless airwaves and get a big number of packets. As you already saw with airodump-ng in Aircrack-ng suite it is very easy to get thousands of packets in minutes or even seconds, it depends on the traffic of the network. It would be a trouble to find some data frames in the middle of all the beacon frames, but Wireshark have the ability to filter by type of packet or by MAC Address. With this we get comfortable when we are trying to find specifically types of packet and get to them faster. First lets talk about WLAN frames, it will help is with Wireshark and with networking at all if we understand this. There are three types of frames: Management Frames, Control Frames and Data Frames. 1. Management frames: They are responsible for maintaining communication between the access points and wireless clients. There are ten types of Management Frames: Authentication - 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a wireless card. The Wireless Card begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the Wireless Card sends only one authentication frame, and the access point responds with an authentication frame as a response indicating acceptance (or rejection). With the optional shared key authentication, the Wireless Card sends an initial authentication frame, and the access point responds with an authentication frame containing challenge text. The Client must send an encrypted version of the challenge text (using its WEP key) in an authentication frame back to the access point. The access point ensures that the Client has the correct WEP key (which is the basis for authentication) by seeing whether the challenge text recovered after decryption is the same that was sent previously. Based on the results of this comparison, the access point replies to the Client with an authentication frame with the result of authentication. De-Authentication - A station sends a deauthentication frame to another station if it wishes to terminate secure communications. Association Request - 802.11 association enables the access point to allocate resources for and synchronize with a Wireless Card. The client begins the association process by sending an association request to an access point. This frame carries information about the Wireless Card (supported data rates, etc.) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating

13

Nuno Freitas

with the Client, and (if accepted) reserves him some memory space and establishes an association ID. Association Response - An access point sends an association response frame containing an acceptance or rejection notice to the Wireless Card requesting association. If the access point accepts the radio Wireless Card, the frame includes information regarding the association, such as association ID and supported data rates. If the outcome of the association is positive, the Client can utilize the access point to communicate with other Clients on the network and systems on the distribution (i.e., Ethernet) side of the access point. Re-association Request - If a Wireless Card roams away from the currently associated access point and finds another access point having a stronger beacon signal, the Wireless Card will send a re-association frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be in the buffer of the previous access point waiting for transmission to the radio NIC. This is when there are several Access Points broadcasting on the same network, not different Access points on different networks. Re-association Response - An access point sends a re-association response frame containing an acceptance or rejection notice to the Wireless Card requesting re-association. Similar to the association process, the frame includes information regarding the association, such as association ID and supported data rates. Disassociation - A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a Wireless Card that is shut down gracefully can send a disassociation frame to alert the access point that the Wireless Card is powering off. The access point can then relinquish memory allocations and remove the Wireless Card from the association table. Beacon - The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point to Wireless Cards that are within range. Wireless Cards continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with. Probe Request - A station sends a probe request frame when it needs to obtain information from another station. For example, a Wireless Card would send a probe request to determine which access points are within range. Probe Response - A station will respond with a probe response frame, containing capability information, supported data rates, etc., when after it receives a probe request frame.

14

Nuno Freitas

2. Control frames: Control frames are responsible for ensuring a proper exchange of data between the access point and wireless clients. Control frames can have the following sub-types: - Request to Send (RTS) - Clear to Send (CTS) - Acknowledgement (ACK) Since 802.11 stations are not able to transmit and receive at the same time, while a station is transmitting a frame, it is not able to determine whether the frame was received or whether there was a collision. Therefore, every time an 802.11 radio that received the frame will reply with a 14-octet acknowledgement (ACK) frame. 3. Data frames: Data frames carry the actual data sent on the wireless network. There are no sub-types for data frames. Now that it is explained the different types WLAN frames we are able to start with Wireshark. This previous explanation about frames is important since in Wireshark you will get hundreds of frames and you will need to filter them whether you need them or not to simplify the process. So, lets start with Wireshark. To start Wireshark, type wireskark& in the console. But before we start sniffing the airwaves lets create a monitor mode device to sniff every packet from every network in range. To do that just type: #airmon-ng start wlan0 Wlan0 depends on your device, it could be wlan0, wlan1 It depends on the number of Wireless cards you have connected and what you want to use. To get used to it type: #airmon-ng The output will get from the shell will show you how many cards you have and their Interface names. After you have your Wireless card in monitor mode you will get a new interface, named mon0, that new interface is a virtual interface which is nothing more than your wireless card working on monitor mode. Thats the interface we will use in Wireshark. After you get Wireshark started you will get this window:

15

Nuno Freitas

This is the start window of Wireshark, to get started click in Interface List in Capture below Wiresharks logo.

You will get the list of available devices that you can use to analyze packets going on the network. Mon0 will monitor the airwaves on the available channels in your region and eth1 or eth0 will monitor your wired network.
16

Nuno Freitas

This is Wireshark getting packets from the air. As you can see we have some ACK frames, some data frames. You will get hundreds or even thousands of frames while you are sniffing the packets. Imagine that we need to search for data frames well it would be very difficult to find data frames in the middle of all the other frames, because there are several types of frames and you are looking for only one type, thats where Wireshark filter helps a lot.

17

Nuno Freitas

Wireshark Filters Filter by Destination, Source and Port eth.src With this filter you can filter by the source MAC Address (Ethernet). Example: eth.src == 00:11:22:33:44:55 eth.dst With this filter you can filter by destination MAC Address (Ethernet). Example: eth.dst == 00:11:22:33:44:55 wlan.addr This filter will filter packets by the source or destination MAC Address (Wireless Card). Example: wlan.addr == 00:11:22:33:44:55 wlan.sa With this filter you can filter by the source MAC Address (Wireless Card). Example: wlan.sa == 00:11:22:33:44:55 wlan.da With this filter you can filter by destination MAC Address (Wireless Card). Example: wlan.da == 00:11:22:33:44:55 wlan.bssid With this filter you can filter only the frames from an specific Access Point by using the MAC Address (bssid). Example: wlan.bssid == 00:11:22:33:44:55 ip.addr With this filter you can filter by source or destination IPv4 Address. Example: ip.addr == 192.168.2.1 ip.dst With this filter you can filter by destination IPv4 Address. Example: ip.addr == 192.168.2.1 ip.src With this filter you can filter by source IPv4 Address. Example: ip.addr == 192.168.2.1 ipv6.addr With this filter you can filter by source or destination IPv6 Address. Example: ipv6.addr == 2001::5 ipv6.src With this filter you can filter by source IPv6 Address. Example: ipv6.addr == 2001::5 ipv6.dst With this filter you can filter by destination IPv6 Address. Example: ipv6.dst == 2001::5 tcp.port With this filter you can filter packets by source or destination TCP port. Example: tcp.port == 80 tcp.dstport With this filter you can filter packets by destination TCP port. Example: tcp.dstport == 80

18

Nuno Freitas

tcp.srcport With this filter you can filter packets by source TCP port. Example: tcp.srcport == 80 udp.port With this filter you can filter packets by source or destination UDP port. Example: udp.port == 80 udp.dstport With this filter you can filter packets by destination UDP port. Example: udp.dstport == 80 udp.srcport With this filter you can filter packets by source UDP port. Example: udp.srcport == 80 Filter by Types of frames wlan.fc.type == 0 With this filter you can filter only the Management frames. wlan.fc.type == 1 With this filter you can filter only the Control frames. wlan.fc.type == 2 With this filter you can filter only the Data frames. Filter by Subtypes of frames (wlan.fc.type == 0) && (wlan.fc.subtype == 1) With this filter you can filter only the Authentication frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 2) With this filter you can filter only the De-Authentication frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 3) With this filter you can filter only the Association Request frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 4) With this filter you can filter only the Association Response frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 5) With this filter you can filter only the Re-Association Request frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 6) With this filter you can filter only the Re-Association Response frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 12) With this filter you can filter only the Dis-Association frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 8) With this filter you can filter only the Beacon frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 9) With this filter you can filter only the Probe Request frames. (wlan.fc.type == 0) && (wlan.fc.subtype == 10) With this filter you can filter only the Probe Response frames. (wlan.fc.type == 1) && (wlan.fc.subtype == 1) With this filter you can filter only Request to Send frames.
19

Nuno Freitas

(wlan.fc.type == 1) && (wlan.fc.subtype == 2) With this filter you can filter only Clear to Send frames. (wlan.fc.type == 1) && (wlan.fc.subtype == 3) With this filter you can filter only Acknowledgement frames. (wlan.fc.type == 2) With this filter you can filter only Data frames. Filter Operators != - Exclude -With this operator you can exclude a filter option. Image that you want to get all the Management Frames except Beacon Frames, you can use (wlan.fc.type == 0) != (wlan.fc.subtype == 8) && - And- This operator can make a filter with two filter types. If you want to filter only Authentication and De-Authentication frames, use
(wlan.fc.type == 0) == (wlan.fc.subtype == 1) && (wlan.fc.type == 0) == (wlan.fc.subtype == 2)

|| - Or Does exactly the same then AND but it will show filter 1 OR filter 2.

20

Nuno Freitas

Wireless Deauthentication Attack

Basically this attack sends disassociation packets to one or more clients which are currently associated with a particular access point which make them lose connection to the AP. There are many reasons to perform a Deauth Attack: Capturing WPA/WPA2 handshakes by forcing clients to re-authenticate. Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) Recovering a hidden ESSID.

Well there is no practical way to avoid those attacks. However it is simple to confirm if you are being a victim of a Deauthentication Attack. To do that lets use Wireshark. Well to get started I will use two computers in this example. One with Backtrack 5 and the other with Windows 7. The Windows 7 machine is already connected to the network, TP-LINK. The role that this machine is playing is simple, it will be the victim. On the other hand I will use a second machine running Backtrack and it will be the Attacker and the Monitor. I will be performing a Deauthentication attack and at the same time monitoring the Airwaves for Deauthentication packets with Wireshark. On your case, if you want to check if your being a victim of a Deauthentication attack you can use a machine running Wireshark, which runs on Windows and Linux So lets get started, first lets put our wireless card in Monitor mode. #airmon-ng start wlan1 Then lets check the networks we can reach. #airodump-ng mon0 Then attack your own network.

21

Nuno Freitas

#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 mon0

This command is sending deauthentication packets to the AP and making the AP to Deauthenticate the Client. Open Wireshark and start sniffing the airwaves. Add the following filter to get only Deauthentication packets: (wlan.fc.type == 0) && (wlan.fc.subtype == 12)

In Wiresharks output we get a bunch of Deauthentication packets, and as we can see the Source Address of those packets is the APs Address and you cant know who is performing the attack. This type of attack will be crucial in WPA Attacks as we will see further on this tutorial.
22

Nuno Freitas

Fake Authentication
Fake Authentication is useful on WEP Attacks and it doesnt work under WPA networks. In WEP Cracking Attacks we will face two types of WEP Networks, one with Open System Authentication and the other called Shared Key Authentication. Open system Authentication is simple to perform Fake Authentications and you can start whenever you want, however in Shared Key Authentication Networks you will always need a connected client. If the network doesnt have a connected client just wait until someone connects to the network. We need someone from inside the network to show up because we will need a 140 bit keystream that will allow us to fake an authentication. Without that we cannot authenticate. Remember that Open System authentication and Shared Key works different. Open System Fake Authentication So, imagine that you already have your target figured it out.

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated with the access point it will ignore the packet and sends out a "Deauthentication". In this state, no new initialization vectors are created because the access point is ignoring all the injected packets. The lack of association with the access point is the single biggest reason why packet injection fails. At this point you are just connecting to the access point and telling it you are here and want to talk to it, however this does not give you any ability to transfer data.

23

Nuno Freitas

aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 mon0 Where -1 means fake authentication, 10 means re-association timing in seconds, -a is the access point MAC address, and -h is the MAC address under which you act (either your own or the spoofed one). This is what the output should look like:

Shared Key Fake Authentication First of all, as always, put your wireless card in monitor mode. #airmon-ng start wlan0 Then lets search for our network, WLAN will be the target Network. #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w sharedkey wlan0 Using this we will sniff all the packets from WLAN network and save them in files called wepska. We will need to perform a deauthentication on an authenticated client in order to capture the shared key 140 bit keystream.

24

Nuno Freitas

If you try to fake authenticate as youve learned before you will get an error like the following image shows This means that the network you are attacking now uses Shared Key Authentication system.

So, to fake authenticate in a Shared Key network we need to deauthenticate a client. Run airodump-ng to sniff the target network: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w sharedkey wlan0 With this you are only looking at the targets network. As you saw before there was a connected client, its MAC is 00:15:AF:A2:8D:98. So lets deauthenticate him: #aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0

25

Nuno Freitas

After you perform a deauthentication look to the top line in airodump-ng window there is now a text saying 140 bytes keystream: 00:80:5A:28:B5:AB This means we have captured the .xor file we were looking for to perform a fake authentication. Use the following command: #aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 -y sharedkey-01-00:80:5A:28:B5:AB.xor wlan0

With this weve managed to fake authenticate in a Shared Key network.

26

Nuno Freitas

Mac Filtering
In some cases you might find some security barriers, like MAC Filtering, which is still easy to break. Imagine that you are trying to Fake Authenticate with an AP and you are getting an Error like this:

MAC Filtering is enabled on this network. To get through this security trick we need a legit MAC Address which have permission to connect with the AP. Run airodump-ng and wait until someone connects to that network or if someones already connected use its MAC Address to spoof your own.

As we can see there is one Client connected to WLAN, its MAC is 00:15:AF:A2:8D:98. Lets turn it as our own MAC Address as well:
27

Nuno Freitas

#macchanger -m 00:15:AF:A2:8D:98 wlan1

This command will change Wlan1 device MAC Address into 00:15:AF:A2:8D:98. Even if the client keeps connected to the Network you can begin to fake authenticate. #aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0 This time dont forget to use the spoofed MAC in -h option.

This brief explanation on what is Fake Authentication will help you in WEP Cracking that we will see later in this tutorial. With this information you shouldnt have any trouble by doing this trick and performing WEP Cracking.

28

Nuno Freitas

Cracking WEP with a client connected (OPEN System)

The weakness of WEP resides in the IV. It is sent as plaintext with the packet which basically means that anyone who grabs the packet can see the first 24bits of the code that was encrypted. The RC4 encryption algorithm can only generate about 16 million different codes based on the IV, meaning if you gather enough of these IVs you can crack the code throughout a brute force attack. Also contributing to the WEPs weakness is the discovery that some IVs are weaker than others and software can recognize weak IVs and then use them to crack the key even quicker. Once the theory of how to Crack WEP was proven possible, computer programs were written that streamlined the process. There are two steps involved that programs take. Once an encrypted wireless network is found and the client is in range, it begins to intercept packets and logging the IVs. The packets contain encrypted data and are worthless individually, but if enough IVs are logged the code can be cracked. Usually about 50 000 IVs are needed to crack WEP. The number of IVs traveling is related to network traffic, so if no one is connected to the network it will take days to get that many, thats why you need to create artificial traffic, but in the other hand if someone is already connected you can get a lot of IVs fast without any problems. Of course there is a method of speeding up the collection of IVs, through a certain type of packet injection although this technique its not supported by all Wireless Cards. This type of packet injection is called ARP injection. With this technique the wireless card sends out an ARP request to the access point which then responds with an ARP response. This response contains an IV, which is then captured. This process is repeated rapidly to generate numerous IVs. To perform this injection, the origin of the ARP request must be associated with the AP, or else the AP will not respond. Software is able to spoof the origin to make the request look like it came from an associated client, not from the attackers computer. As I told you I will be using a wireless security suite called aircrack-ng that comes with Backtrack Linux distribution for WEP attacks. Aircrack-ng contains all the tools necessary for discovering and cracking wireless networks. First lets try to break a network with a connected client. Once a network has been identified through any technique the basic steps to crack WEP encrypted networks, and the programs used to accomplish with are: 1) Put the wireless card in passive monitor mode (airmon-ng) 2) Begin capturing packets that contain unique IVs and save them to the disk (airodump-ng) 3) Inject ARP requests from an associated client to generate new packets (aireplayng)

29

Nuno Freitas

4) Once enough IVs have been captured, run a cryptographic attack to decipher the WEP key (aircrack-ng) In this case, I will attack my own network so it is like if the attacker, me, had already identified the WEP encrypted network he wants to crack. The information he will need to start collecting IVs is the BSSID of the access point and the channel it is operating on. When this information is easy to get using airodump-ng and it will also be used to capture the IVs and save them to a file. In this case the BSSID of the network we are trying to crack 00:80:5A:28:B5:AB is, the channel is 11, and we will call the output file wepkey. Lets put our card in monitor mode, but first you need to know the Interface to use: #airmon-ng

Figure 1. Using Airmon-ng

You have now a list of interfaces that you have on your machine. If you have only one wireless card you will have only one interface, if you have two wireless cards connected you have two interfaces. I might use different cards through all the tutorials, when you see wlan1 and your Interface is wlan0 you use wlan0 instead of wlan1. Remember Im making the attacks on my machine and it could be different from yours. So I will use wlan1 for this tutorial. To put that Interface on monitor mode use: #airmon-ng start wlan0 By now you have the wlan1 Interface and the system created a new interface called mon0. Well this is a virtual interface, basically mon comes from monitor it means that the interface mon0 is monitoring traffic. When you are using the commands you could use mon0 instead of wlan1, it doesnt make difference. Lets go back to the tutorial
30

Nuno Freitas

Now lets sniff traffic from the network that we will attack, so use: #airodump-ng wlan0

Figure 2. Using Airodump-ng to check for the network to attack

As I told you before this network Im attacking is mine. My network is called WLAN so by using airodump-ng I already know the BSSID, the Channel. Lets get started: #airodump-ng --channel 11 --bssid 00:80:5A:28:B5:AB --write wepkey wlan0

Figure 3. Using Airodump-ng on the target network

As we can see the #Data means the number of unique IVs we caught so far and saved in wepkey.cap. It is possible that airodump-ng create some .pcap files like wepkey01.cap, wepkey-02.cap, thats why in the end we will use in aircrack-ng wepkey*.cap.

31

Nuno Freitas

The #/s is the number of Unique IVs that we get per second. As you can see there is no traffic at all in this network and doing the math if we will try to get 50 000 IVs, we would need to wait 25 000 seconds, almost 7 hours to get enough IVs, so why dont we start a packet injection technique to speed up the unique IVs collection? We can do that using aireplay-ng: #aireplay-ng --arpreplay -b 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0 -b 00:80:5A:28:B5:AB is the access point MAC address -h 00:15:AF:A2:8D:98 is the MAC address of the client that we will use as the arp requester This command will wait for an ARP Request coming from the network and flood the airwaves with that ARP request but making it look like it is coming from the associated client. An ARP request is when for example the router asks something like Who got this ip? and a computer answers I got that IP, here is my MAC Address: A1:B2:C3:D4:E5:F5. So if you are attacking a network that has only one client connected it could take a while until you get an Arp request. If there is traffic coming from the network you might have a chance to get it the simple way. Imagine the situation, there is a client connected but he is not doing anything like if it was on stand-by mode, you can make it the hard way by deauthenticating the client using the network forcing him to communicating with the router. Use the following command: #aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0 -0 means deauthentication attack 10 is the number of deauthentication packets it will send -a 00:80:5A:28:B5:AB is the access point MAC address -h 00:15:AF:A2:8D:98 is the MAC address of the client to be deauthenticated When the client gets back to the network you will get some ARP requests. Well this is a simple process. You a Arp Request and you Replay it. Thats what aireplay-ng -3 or aireplay-ng --arpreplay is doing. It waits for an ARP Request and replay, it gets another one and Replay it again. And keeps doing it and consequently generating traffic on the network. Remember that the traffic we are collecting are nothing but packets collecting IVs that we will use to brute force the wep key.

32

Nuno Freitas

Figure 4. Capturing Packets Airodump-ng

After you get the first Arp request you should be getting something like the image above. Its just a matter of time until you get enough IVs to make a brute force attack. Once you get around 50 000 you have a good chance of crack the network. However if you fail, just repeat the process. Get more IVs and try again. Youll need more IVs depending on how big is the key. There are 64-bit keys, 128-bit keys and 152bit keys, more bits means more password combinations possible and we might need more IVs to crack the password. So if you fail with 50 000 get more IVs and you will get the key. As you know the captured data packets containing IVs are stored in the file that I called wepkey outputted by airodump-ng. The program will write multiple files to the active directory in different formats, but the one we are interested is the .cap files. To perform the crack use wepkey*.cap since it could write more than one .cap file, for example wepkey-01.cap, wepkey-02.cap The attack starts with this command: #aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap wlan0

33

Nuno Freitas

Figure 5. Using Brute force to crack WEP

So as you can see it found the WEP key of the network. The key I used for this example was abcdef1234 and as you see in aircrack-ng output KEY FOUND! [AB:CD:EF:12:34] This was the example of how to break a WEP network with an already authenticated client. When you dont have any clients connected to the network you want to break, you should do a different type of attack, lets find out how we can do it.

The best way to avoid someone to get access to your network its definitely not using WEP Encryption. Use WPA.

34

Nuno Freitas

Cracking WEP without connected clients (OPEN System)

Lets see now how to do it if no one is connected to the Network. This type of attack is only successful when we get some packets from the wired side of the network. I mean its true that there are no clients connected over wireless, however the AP has RJ45 ports and we need to get some traffic from there. Why? Well, if there is no traffic there is no way possible to create traffic. You can try but the AP will deduce that anyone is broadcasting traffic, but the client its not connected to the network and the AP will throw away those packets and send a deauthentication packet to that fake client. However if we get some packets from the wired side and using either a chopchop attack or a fragmentation attack we can get a fragment, which is a .xor file that contains useful information that we could use to create an a packet to broadcast to the AP and it will provoke the AP to answer with new packets (IVs). That fake packet is received successfully by the AP because it sees that the information contained on that packet is valid. After we create that legit packet and injecting it in the air you will be able to resume the attack as we did before using a client connected. When we got enough IVs, its time to crack the password. So, lets get started. First, put the wireless card in monitor mode. You know the drill: #airmon-ng start wlan0 Then use: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 wlan0 By now you dont really need to use the -w parameter because you might get few packets. Its up to you. Lets now associate with an access point, using a fake authentication: #aireplay-ng -1 0 -e WLAN -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0 -1 means fake authentication attack 0 means the fake authentication attack wont stop until its succeeded -e WLAN is the wireless SSID
35

Nuno Freitas

-a 00:80:5A:28:B5:AB is the access point MAC address -h 74:EA:3A:90:C7:21 is our card MAC address

Figure 6. Perform a Fake Authentication

So I succeeded to perform a fake authentication into the AP. Now I need to obtain the PRGA (Pseudo Random Generation Algorithm) file. To obtain it we will need to perform a chopchop attack or a fragmentation attack. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial. Either chopchop or fragmentation attacks can be used to obtain the PRGA bit file. The result is the same, so use one of them, it doesnt really matter which one you used. I will cover the chopchop technique. Start another console session and run: #aireplay-ng -4 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0 -4 means the chopchop attack -b 00:80:5A:28:B5:AB is the access point MAC address -h 74:EA:3A:90:C7:21 is the MAC address of our card and must match the MAC used in the fake authentication wlan0 is the wireless interface name

36

Nuno Freitas

Figure 7. Performing chopchop attack

So after you perform a fake authentication you need to wait until you get a packet to perform an attack, I kept a console window performing fake authentications at every second as you can see, so I dont get deauthenticated by any reason and another one with the chopchop attack waiting for a packet to start. When the console asks you Use this packet? press y and then ENTER to start the chopchop attack.

Figure 8. Result of chopchop attack

37

Nuno Freitas

Wait a few seconds for the chopchop attack to make its magic. The file replay_dec0917-223734.xor as you can see above can now be used in the next step to generate an Arp packet. The objective is to have the access point rebroadcast the injected Arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key. Use the following command: #packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255
-l 255.255.255.255 -y replay_dec-0917-223734.xor -w arp-request

-0 means generate an arp packet -a 00:80:5A:28:B5:AB is the access point MAC address -h 74:EA:3A:90:C7:21 is MAC address of our card -k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255) -l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255) -y replay_dec-0917-223734.xor is file to read the PRGA from -w arp-request is name of file to write the arp packet to

The system will respond: Wrote packet to: arp-request Lets close the console running airodump-ng and open a new one and start airodump-ng again. This time you need to add the -w parameter so we can save the IVs we will generate to a file. If you used it already in the first one then you dont need to close it. So use airodump-ng like this: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepkey wlan0 Lets call that file, wepkey. On the console window you used to create the packet use this command: #aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0 After you start injecting arp requests from the packet you just created, the cracking process will be just like cracking WEP with a previous associated client. This will inject the packet we created in the air. After that the system will ask you if you want to use that packet, press y and ENTER to start injecting arp requests.

38

Nuno Freitas

Figure 6. Injecting artificial packets

As you can see now we are getting a lot of data (IVs). Remember once again, when you get around 50 000 IVs you have a good chance of crack the network. Dont worry if you fail, try again with more IVs. Remember that youll need more IVs depending on how big is the key. There is no way to determine the size of the key so try with 50 000 if you fail try with 200 000 and if you fail get more, and youll get there. The point here is that you are doing it the right way if you fail is for bad luck and not because youre doing it wrong. All of the captured data packets containing IVs are stored in the file that I called wepkey outputted by airodump-ng. The program will write multiple files to the active directory in different formats, but we are looking for .cap files. Airodump-ng creates more than one .cap file, I mean it creates wepkey-01.cap, wepkey02.cap So, when youre ready, use the command: #aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap

39

Nuno Freitas

Figure 7. Using aircrack-ng to get the WEP key

So as you can see it found the WEP key of the network. The key I used for this example was 1234567890 and as you see in aircrack-ng output KEY FOUND! [12:34:56:78:90]

As I told you before do not use WEP, although it is better than nothing it is an unsecure method to protect your network.

40

Nuno Freitas

Cracking WEP (Shared Key)

So, now lets crack a WEP network using Shared Key system. For this example we will always need a connected client. If the network doesnt have a connected client just wait until someone connects to the network. We need someone from inside the network to show up because we will need a 140 bit keystream that will allow us to fake an authentication. Without that we cannot authenticate. Remember that Open System authentication and Shared Key works different. So after we authenticate we need to perform a fragmentation or a chopchop attack to get a fragment to create a packet to inject in the airwaves. After that is like cracking WEP with Open System. Wait and get enough IVs to crack the password. First of all, as always, put your wireless card in monitor mode. #airmon-ng start wlan0 Then lets search for our network, WLAN will be the target Network. #airodump-ng -c 11 --bssid 00:80:5A:28:B5:AB -w wepska wlan0

Figure 8. Using airodump-ng to scan for networks

Using this we will sniff all the packets from WLAN network and save them in files called wepska. We will need to perform a deauthentication on an authenticated client in order to capture the shared key 140 bit keystream.

41

Nuno Freitas

Figure 9. Performing a deauth to a client

After you perform a deauthentication look to the top line in airodump-ng window there is now a text saying 140 bytes keystream: 00:80:5A:28:B5:AB This means we have captured the .xor file we were looking for to perform a fake authentication. Use the following command: #aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 -y wepska-01-00:80:5A:28:B5:AB.xor wlan0 Remember to always change the packets name from what I have to what you get. They might be different.

Figure 10. Performing a Fake authentication

42

Nuno Freitas

Now we will perform a fragmentation attack. Use the next command: #aireplay-ng -5 -a 00:80:5A:28:B5:AB wlan0

Figure 11. Performing a fragmentation in order to get a fragment of a packet to create an arp-request

Wait until you get a packet to use in the attack. When the system asks you Use this packet? press y and then ENTER to use it, and you will get a fragment that we will use to create an Arp Request. Basically this is the same that we did before on WEP Open System without connected clients.

Figure 12. Getting the fragment

43

Nuno Freitas

As you can see in the output of the fragmentation attack you got now a file called fragment-0921-140138.xor or something similar. Lets now create an arp-request. Use the following command: #packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255 -l 255.255.255.255 y fragment-0921-140138.xor -w arp-request

This command will create an arp-request based in that fragment. Now we need to inject that packet in the airwaves and it will provoke the AP to respond to them with new IVs. #aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0 You should have the airodump-ng window sniffing them and saving the files, as I used above those packets are being saved in the file wepska*.cap. When we got enough IVs we will crack the WEP key. When we get around 50000 IVs use the following command:

Figure 13. Sending the arp-request

Ok, when you got enough IVs lets perform the bruteforce attack: #aircrack-ng -b 00:80:5A:28:B5:AB wepska*.cap

44

Nuno Freitas

Figure 14. Using aircrack-ng

As you can see the key was successfully cracked. The key for this example as 1234567890 and as you can see in the image KEY FOUND: [12:34:56:78:90]. So this is everything about WEP. Lets see now the WPA part of this tutorial.

Even being trickier to hack, WEP using Shared Key encryption is still an unsecure Encryption to use on your network. WPA is the solution

45

Nuno Freitas

Cracking WPA with Dictionary Attack (Aircrack-ng)

After WEP was proven to be completely breakable, WPA emerged as its successor, it uses a much more advanced algorithm and does not have IVs. It doesnt matter if you collect a big amount of packets, you cant crack it that way. Most consumers use what is called WPA Personal, which utilizes a pre-shared key (PSK), which is a common key shared across all devices used for authentication. When a client wants to associate with a WPA encrypted network, a four-way handshake takes place. Briefly what occurs is the client first seeks association with the AP, the AP sends the client a bit of data which the client encrypts using the passphrase, SSID and some other data. The client sends this back to the AP which then encrypts that. If it match up the AP installs the main key on the client which is successfully associated and able to decrypt the packets. The packets are encrypted with this key, not the passcode. This is known as the fourway handshake between a client and the AP. Unlike WEP, there is not enough information contained in the packets to find the key. No matter how long an attacker sniffs the network and intercepts packets, he will never be able to crack the passphrase. However, within the four-way handshake, there is enough information to brute-force the passphrase. The basic steps for cracking a WPA Personal encrypted network are: 1) Discover the network and be within range to intercept packets. 2) Start sniffing the network for the four way handshake and capture it when it arises. 3) Wait for a new client to authenticate or deauthenticate a current client. 4) Brute force the captured handshake file with a dictionary file.

So the first thing to do is to put your Wireless card on monitor mode: #airmon-ng start wlan0 So next you will search for networks within range to intercept and inject packets. #airodump-ng wlan0

46

Nuno Freitas

Figure 15. Using airodump-ng

So lets break into WLAN. WLANs BSSID it is 00:80:5A:28:B5:AB, its all that we need to start sniffing packets waiting for the four-way handshake. To begin sniffing use the following command: #airodump-ng --bssid 00:80:5A:28:B5:AB w wpakey wlan0 So we are now sniffing packets from WLAN network and saving them (-w) into a file named wpakey. Just like for WEP networks we will need that file later and once again we are interested in the *.cap file. So, right know you either wait for a new client to connect to the network if no one is connected already or you can deauthenticate that client forcing him to authenticate again and by doing this you sniff the four-way handshake between the client and the Wireless AP. Lets make it with an authenticated client already with the following MAC Address: 00:15:AF:A2:8D:98.

Figure 16. Looking for a client to deauth

47

Nuno Freitas

So lets deauthenticate the client with the next command: #aireplay-ng --deauth 25 a 00:80:5A:28:B5:AB c 00:15:AF:A2:8D:98 wlan1 When the client connects again, you will get the four-way handshake, you can see in airodump-ng window that you got it in the top right side of the console window.

Figure 17. Sending Deauth packets

The number after --deauth is the number of deauthentication packets aireplay-ng will send. A higher number will increase the probability of it working, but is less stealthy. The deauthentication was done and now we have got the four-way handshake.

Once the handshake has been captured, the attacker can stop capturing all packets. The information contained in the handshake is all that is needed to crack to WPA passphrase. Once the attacker has the handshake it is possible to crack the passphrase through brute force or dictionary techniques. This technique uses a word list and goes through each word one at a time, encrypting it with the other data gathered (the SSID and others) to see if it matches. When a match occurs, the word from the list is the passphrase used. This can be extremely time consuming depending on the complexity of the passphrase, the size of the dictionary file and the speed of your CPU. An attacker is limited by his processor speed to how many passwords he can try per second. With dictionary files containing millions and millions of different combinations of letters and words, the process could take a very long time.
48

Nuno Freitas

Fortunately, most consumers choose simple, easy to remember passphrases that can be decrypted using smaller dictionary files containing common names and passwords. The program aircrack-ng can be used to crack the handshake. The attacker must have a word list on his system. Backtrack includes several wordlists of different sizes, and larger ones can be downloaded from the internet. To use a word list with aircrack-ng and our captured handshake use this command: #aircrack-ng -w /pentest/passwords/wordlists/wpa.txt wpakey*.cap The output will look like this when aircrack-ng gets the password:

Figure 18. Key found w/ Dictionary attack

It took a little bit more than 20 minutes to discover the Wireless AP passphrase. The attacker has now the ability to get inside the network. It took 954864 guesses to discover the password. The dictionary file that I used it could be considered as a big dictionary, you might not be able to avoid a successful attack by a determined attacker, but you sure can make his work a lot harder if you use a strong password.

49

Nuno Freitas

Cracking WPA using Pyrits Database Attack

The next type of attack that Ill cover is a type of attack where you could import many dictionaries to data base and then perform an attack with all the passwords on that database. So first lets install a suite called pyrit because it is not included in Backtrack. Installing pyrit Do the following at the terminal: svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn

Then do this: sudo apt-get install libssl-dev sudo apt-get install scapy sudo apt-get install python-dev Browse to pyrit directory: cd /pyrit_svn/pyrit And type: sudo python setup.py build sudo python setup.py install

Ok, now you have Pyrit installed and it should be up and running.

I will be use Pyrit with aircrack-ng. So first of all, put the wireless card in monitor. Lets use aircrack-ng suite until we got the handshake. First use: #airmon-ng start wlan0 Then use: #airodump-ng wlan0

50

Nuno Freitas

Figure 19. Using airodump-ng

So at this point you should get all the information about the network you will try to attack. For this example we will attack a WPA encrypted network with WLAN as the ESSID, 00:80:5A:28:B5:AB as the BSSID and performing in channel 11. Now we should begin sniffing only this network by using the following command: #airodump-ng bssid 00:80:5A:28:B5:AB c 11 -2 wpahandshake wlan0 This will sniff the packets from WLAN and save them in a file called wpahandshake. Once again I remember that we will be looking for the *.cap file in the end. If a client is connected to the network make a deauthentication attack so the client needs to re-authenticate and you get the handshake or if no one is connected, wait for someone to do it. #aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan1 Now that you have the handshake, lets use pyrit. Lets analyze our handshake file, use the following command in the command line: #pyrit wpahandshake*.cap analyze Note that wpahandshake*.cap is the name of the files that airodump-ng save with packets sniffed from the victims network, they could be wpahandshake-01.cap, wpahandshake-02.cap You should get a window like this:

51

Nuno Freitas

Figure 20. Analyzing handshake with Pyrit

The output is that the Access Point have the mac 00:80:5A:28:B5:AB with WLAN as the ESSID. It also says that the file captured an handshake from the client with mac address 00:15:AF:A2:8D:98. So now lets start working with Pyrits database. As you may know guessing the password used in WPA-PSK and WPA2-PSK is a computational intensive task. During this process, 100% of your CPU is being used to compute what is known as the Pairwise Master Key, a 256bit key derived from the ESSID and a Password using the PBKDF2-HMAC-SHA1 algorithm. One of the major weaknesses of the WPA-PSK is that the Pairwise Master Key has no elements that are unique to the moment of the key-negotiation between Access Point and Sation. It is therefore possible to pre-compute the Pairwise Master Key and store it for later use. This is where Pyrits database kicks in. It can store ESSIDs, passwords and their corresponding Pairwise Master Keys, possibly growing to the size of hundreds of millions of entries. Starting with a fresh installation of Pyrit, your database will most probably be empty. Issue the following command to get an overview: #pyrit eval And you will get this output:

52

Nuno Freitas
root@bt:~# pyrit eval Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ Connecting to storage at 'file://'... connected. Passwords available: 0

Lets use a command to import some passwords to our database: #pyrit i /pentest/passwords/wordlists/wordlist.txt import_passwords Note that /pentest/passwords/wordlists/wordlist.txt is the path where I have stored a wordlist, you can use dozens of dictionary files, pyrit ensures that duplicate passwords are not stored again in the database, it also doesnt store passwords that are not suitable as a WPA/WPA2 password. After you imported the passwords to the database, use this command again: #pyrit eval You should get an output like this:
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ Connecting to storage at 'file://'... connected. Passwords available: 989532

Now that we have some passwords in the database, we have to create an ESSID, for that, use the following command: #pyrit e WLAN create_essid Note that WLAN is our victims ESSID Pyrit output will say that ESSID WLAN was created successfully and if you use the eval command again it will show you that WLANs ESSID dont have any password pre-computed. So we have already some passwords in the database, and we have an ESSID created, we need to pre-compute the passwords to use with that ESSID. This process could take some minutes. It depends on how many passwords you have imported to the database. To pre-compute the passwords with the ESSID you just created use this command: #pyrit batch Pyrit will give the output Batchprocessing done when it completes the process.

53

Nuno Freitas

We can now use the Pairwise Master Keys stored in the database to attack the same handshake as in the example above. Instead of running a passthrough-attack, where the database is not touched at all, we issue a database-attack like the following: #pyrit r wpahandshake*.cap attack_db Dont forget that wpahandshake*.cap is the file where the handshake is stored and that -r parameter tells pyrit to read the file wpahandshake*.cap. So you should have the following output.

Figure 21. Cracking WPA with Pyrit database attack

This process is much faster than a dictionary attack, as you can see the image above Pyrit was trying 515375 passwords per second and gave us in the output that the password is security. This process only takes more time pre-computing the passwords with the ESSID, but will be useful when you have to use many dictionaries at the same time.

Alright, Ive been telling you to use WPA and still it got hacked. However it would take ages to hack a good PSK with a HUGE dictionary. So always use a strong password.

54

Nuno Freitas

Cracking a Network with Hidden ESSID (aircrack-ng + pyrit)

Cracking a network with a hidden ESSID is pretty simple, you have done already all the steps in order to do it. It is possible to do it only with aircrack-ng, the reason Ive made it with aircrack-ng and pyrit is because Ive already have the ESSID WLAN, which is the ESSID Ive been using in these tutorials, programmed in pyrits database, which makes the process faster than using aircrack-ngs dictionary attack. So, do not think that it is only possible with pyrit. So, lets get going Ill show it on a WPA network, if you will try on a WEP network its the same, but you need to perform the deauthentication and then go back to WEPs method. The first step in all of our tutorials: #airmon-ng start wlan0 After this lets search for networks: #airodump-ng wlan0

Figure 22. Searching for the network that has an hidden essid

As you can see there is a network with a strange ESSID, it is something like <length: 1> This is a hidden ESSID, and well be able to what is the real ESSID by performing a deauthentication to one of the connected clients. Lets sniff only the hidden networks packets: #airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w hiddenwpa wlan0 Lets deauthenticate a client now: #aireplay-ng -0 10 a 00:80:5A:28:B5:AB c 00:15:AF:A2:8D:98 wlan0

55

Nuno Freitas

So, now that you deauthenticated a client you should have something like this:

Figure 23. Performing a deauthentication to a client to uncover the ESSID and to obtain an handshake

As you can see the network ESSID now changed to WLAN, by doing this we also got a handshake so lets now crack the password: #pyrit -e WLAN -r hiddenwpa-01.cap attack_db

Figure 24. Getting network's password with pyrit

This time we needed to add the -e parameter since its an hidden ESSID, pyrit cant guess it. And we have the password, it is security.

Hiding the ESSID is not enough.

56

Nuno Freitas

Attacking WPA Networks using Wi-Fi Protected Setup

Wi-Fi Protected is an optional certification program developed by the Wi-Fi Alliance designed to ease set up of security-enabled Wi-Fi networks in home and small office environment. Wi-Fi Protected Setup supports methods (pushing a button or entering a PIN into a wizard-type application) that are familiar to most consumers to configure a network and enable security. Reaver is an application that exploits WPS that I will use to cover this attack. It implements a brute force attack against WPS entering PINs in order to recover WPA/WPA2 passphrases. The Pin is 8 digits long:

Doing the Math it would be 108 = (100 000 000) Pin combinations. However an attacker can derive information about the correctness of parts the PIN from the APs responses. 1. If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect. 2. If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half of the PIN was incorrect. This form of authentication dramatically decreases the maximum possible authentication attempts needed from 108 = 100 000 000 to 104 + 104 = 20 000. As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at most 104 + 103 = 11 000 attempts needed to find the correct PIN. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 410 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

57

Nuno Freitas

Below there is a flowchart that explains the method used by the Bruteforce attack to the WPS flaw:

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 410 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase. I want to make it clear this will only work on networks with WPS enabled. Since the Router Ive been using doesnt have WPS I will use a new one with the same configurations (ESSID and Passphrase).
58

Nuno Freitas

But you dont need to worry, Ill cover how to check if an AP has WPS enabled or not. First of all download Reaver. It doesnt come with Backtrack so you have to install it, even though it is easy to do it. You can download Reaver at http://code.google.com/p/reaver-wps/downloads/list After you download extract Reaver folder to your desktop or whatever other folder you want. By the way Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries. After you extracted the folder, browse to it. Lets do it like if I extracted to my Desktop folder. In the shell, browse to the following directory: #cd /root/Desktop/reaver-1.3/src/ Within this directory you will find several files. Lets start the installation, run the following command: # ./configure If you get this error: bash: ./configure: Permission denied Use the command: #chmod +x configure This will give execution permission to the file configure Try again, this time you wont have any problems. # ./configure Let it install, when it finishes use the following command: # make And then: # make install Ok, Reaver is installed. Now we can have some fun with Reaver. Lets start the attack.

The first thing to do is to put your Wireless card on monitor mode:

59

Nuno Freitas

#airmon-ng start wlan1 Then lets sniff some beacon frames and save them in an output file: #airodump-ng -w beacons mon0 Let airodump-ng run for a while, 1 minute is enough. Dont forget to use -w option to save the packets youre getting in a file. What we want are Beacon frames, dont worry about data packets. Then you will run the following command: # walsh -C -f beacons-*.cap Walsh will look at the cap files that airodump-ng created with the beacon frames and will give you a list of the networks that have WPS enabled.

Then run: #airodump-ng mon0

Check what channel is your target running Now launch reaver:

60

Nuno Freitas

#reaver -i mon0 -b 00:24:17:DB:BF:F6 -c 1 vv -vv enables verbose mode, and you can see the progress and the warnings. -b is the bssid of the target network -c the channel that the network is broadcasting on

61

Nuno Freitas

You can use aircracks fake authentication while running reaver, its up to you. If you start getting blocked by the AP use macchanger command to change your mac and start again. After some hours running Reaver, you will get to the passphrase.

As you can see, we got the passphrase which in this case was security.

In this particular situation WPA is cracked even if you have a good password. Although by disabling WPS on your Router you will annul this flaw.

62

Nuno Freitas

Conclusions
When I started this Independent Study I had a rough idea of what I wanted to research/learn about and it was a very rewarding experience. Ive learned more than I was expecting and I really enjoyed the time I took learning and practicing. I read books, websites watched videos from which I guided myself but still, I thought about writing my own paper as a second method of study. I took the leap after I found a paper like this one and I really wanted as retribution to write a paper of mine, so other that are in the same situation that I was some months ago could learn with a simple and pleasant reading since I wrote this paper as I was learning from zero.

63