How To Crack WPA / WPA2. Introduction. There is a new version of this article here. Previously, we showed you how to secure your wireless with industrial strength RADIUS authentication via WPA- Enterprise. It turns out that there's a little back- story there. So, in traditional Tarentino fashion, now that we've already seen the ending, let's back up to the beginning: cracking WPA- PSK. Wi- Fi Protected Access (WPA) was created to solve the gaping security flaws that plagued WEP. Perhaps the most predominant flaw in WEP is that the key is not hashed, but concatenated to the IV, allowing completely passive compromise of the network. With WEP, you can literally sit in your car listening for packets on a network. Once you have captured enough of them, you can extract the key and connect to the network. A Complete Guide. This tutorial will show you how to crack WPA2 and WPA secured wireless networks. Please note that this is not the Reaver attack. Bled in Wi-Fi devices, a weak encryp-. Wi-Fi security – WEP, WPA and WPA2 Guillaume Lehembre Difficulty Wi-Fi (Wireless Fidelity) is one of today’s leading. WPA solves this problem by rotating the key on a per- packet basis, which renders the above method useless. However, nothing is perfectly secure, and WPA- PSK is particularly vulnerable during client association, during which the hashed network key is exchanged and validated in a "four- way handshake". The Wi- Fi Alliance, creators of WPA, were aware of this vulnerability and took precautions accordingly. Instead of concatenating the key in the IV (the weakness of WEP), WPA hashes they key using the wireless access point's SSID as a salt.
The benefits of this are two- fold. First, this prevents the statistical key grabbing techniques that broke WEP by transmitting the key as a hash (cyphertext). It also makes hash precomputation via a technique similar to Rainbow Tables more difficult because the SSID is used as a salt for the hash. WPA- PSK even imposes a eight character minimum on PSK passphrases, making bruteforce attacks less feasible. So, like virtually all security modalities, the weakness comes down to the passphrase. WPA- PSK is particularly susceptible to dictionary attacks against weak passphrases. In this How To, we'll show you how to crack weak WPA- PSK implementations and give you some tips for setting up a secure WPA- PSK AP for your SOHO. Note: The techniques described in this article can be used on networks secured by WPA- PSK or WPA2- PSK. References to "WPA" may be read "WPA/WPA2". How To Crack WPA / WPA2 (2. Introduction. The world has changed since Brandon Teska's original WPA/WPA2 Cracking tutorial was written in 2. While there are some wireless networks still using WEP, there has been a mass migration to WPA2- AES wireless security. A key reason for this move is 8. WPA2/AES security enabled in order to access link rates over 5. Mbps. Cracking techniques have changed too. While most techniques still use some form of dictionary- based exploits, the power of the cloud has also been brought to bear on password cracking. In fact, Dan Goodin's excellent article over on Ars prompted Tim to ask me to revisit the original article and update it to include the new methods Dan described. So here I am. Brandon's article provides a good WPA primer, so I won't repeat that here. The key things that you need to know are: The information we need to capture is contained in transmissions between AP and STA (client) known as the "four- way handshake"The techniques used to recover the passphrase are primarily forms of dictionary attacks. So, let's just jump in after a few "need to knows": Setup. To crack WPA- PSK, we'll use the venerable Back. Track Live- CD SLAX distro. It's free to download, but please consider donating, since this really is the Swiss Army knife of network security. As you can see from my system specs in Table 1, it doesn't take much computing power to run WPA cracks. Attacking System Specs. Model. Dell Latitude D6. Processor. Intel Core. Duo T7. 10. 0 (1. GHz)Wireless Adapter. Intel Wi. Fi Link 5. AGNOSBack. Track 5 R3 KDE 3. Target Wireless Access Point. NETGEAR WNDR4. 50. SSID: 9. 10. 5Girard. Ch. 6)Target AP MAC2. E: 7. F: 0. C: 0. C3. Target AP Client MAC0. BCTable 1: Attacking System Specs. Back. Track 5 R3 is the current version over at backtrack- linux. First, download, the Back. Track ISO. I decided to boot Back. Track as a USB thumb drive with 4 GB of persistence. For this I used a 1. GB USB thumbdrive and Linux. Live USB Creator. Recon with Kismet. Open up Kismet, the venerable wireless surveillance tool (Backtrack > Information Gathering > Wireless Analysis > WLAN Analysis > Kismet). Upon opening Kismet you will need to select your wireless interface, which you can grab by typing "iwconfig" in a terminal. Kismet is a great surveillance tool, but that is only one of its many talents. It captures raw packets while operating, which we can use later to attack weak PSKs, having captured a client connection while listening. It also has some interesting alerts built in, to warn you of potential evil- doers within wireless range. To top it off, Kismet is completely passive and therefore undetectable. In Part 1 of our original WEP cracking series, Humphrey Cheung wrote a great introduction to recon with Kismet. Recon for WEP cracking and WPA cracking is very similar, so I won't repeat all that information here. Instead, I'll just point out a few settings and options that I find useful as well as explain a bit of the interface. I would add, however, that Kismet is very versatile and customizable with great context- sensitive help menus. In the main network list, access points are color coded by encryption method, which we also see indicated in the "C" column. Green (N) indicates no encryption method, while Red (W) indicates WEP encryption. Yellow (O) indicates other, usually meaning WPA / WPA2. You can see that highlighted an SSID provides more details about that specific AP. Figure 1: Kismet Information Screen. The other interesting parts of the Network List display for our purposes include the T, Ch and the Pkts columns. The Ch column, as one might expect, is the channel of the access point. We'll need this information later if we employ an active attack. The Pkts column lists the number of packets captured by Kismet for a particular access point. While not completely relevant, it gives us a decent ball- park measurement of both network load and proximity. Higher network load usually translates to higher number of connected clients, which increases the chance that we could capture a client association passively. Kismet defaults to autofit mode, where you can sort the networks and bring up the Network Details page by highlighting an AP and hitting enter. The Network Details page list all sorts of interesting information about the network most notably the WPA encryption scheme, BSSID and number of clients associated with the access point. Pressing c while in the Network Details view will bring up the connected Clients List. The Client List shows all the nodes with traffic associated with the access point. This is one reason it's nearly useless to set MAC filters at a router. In seconds, Kismet can give an observer your client MACs, which can then be easily configured to the attacker's network adapter. The client list can also be shown on the main page by selecting "Client Details" under View as shown in Figure 1 above. Passive Attack. In a passive attack, all we need to do is listen on a specific channel and wait for a client to authenticate. Kismet is the weapon of choice here, although airodump- ng works too. Kismet gives you much more control and information than airodump- ng, but unfortunately doesn't provide notification to alert you of a successful WPA- PSK association four- way handshake. Airodump- ng does, but gives you less dynamic control of the capture card's behavior and very little information (compared to Kismet). General Kismet recon and capture steps for a passive WPA- PSK attack are: Start Kismet. Sort the networks (Ex: by channel, press "s" then "c")Lock channel hopping onto the channel of interest (highlight the target AP and press "L")Wait until a client connects to capture the association.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
October 2016
Categories |