
Jan 17, 2023


Khang Minh

GenCyber_WEP_cracking (2).docx

1 of 13

Wireless System Administration

Wireless Security Audit Tools - WEP/WPA cracking

Goal: In this lab you will explore wireless security tools on the Kali suite. These tools will be an introduction to WEP and WPA security.


1 Gather and organize

1.1 Gather required equipment:

• Alfa AWUS036NH

• Linksys WRT54GL or other access point capable of being configured for both WEP and WPA security

• Kali Linux on a Raspberry Pi

• Wireless client (a smartphone works well)

2 Setup - Kali

In this section you will start Kali Linux on your Raspberry Pi with the Alfa wireless adapter attached. This is your “attacking” station.

2.1 Kali

Boot into Kali

2.2 Network Manager

Stop Network Manager - kill it with fire:

# service network-manager stop

2.3 Monitor Mode - airmon-ng

In this section you will place your Raspberry Pi into monitor mode using airmon-ng. Use man airmon-ng to find the correct commands.

1. List and kill all possible programs that could interfere with the wireless card when placing it into monitor mode.

2. Determine your external (USB) Alfa wireless interface:

# iwconfig


3. Put your external (USB) Alfa wireless interface into monitor mode using airmon-ng. (Hint: the command is very similar to the one we used earlier this week to scan the wireless network.)

Note: the channel number in the command is going to be the same channel listed on top of the Linksys AP you are using. Normally you would perform scans of the wireless environment to find this yourself, but to save time we are providing the channel for you.

After running the command in step 3 you should have a new monitoring interface.

4. Determine your new wireless interface:

# iwconfig

Note: the new interface is usually indicated by wlanXmon in the iwconfig output, where X is the interface number from the previous iwconfig output.

3 Monitor mode - testing

Testing Monitor mode

Scenario: Making sure the “attacking” station (your Raspberry Pi) wireless card is in monitor mode.

3.1 Wireshark

Use Wireshark to test your wireless card.

Browse to the Wireshark application under Applications >> 09 – Sniffing & Spoofing >> wireshark


Select the new monitor interface you created in the previous section. Click on the blue fin in the top left corner of the application in order to start capturing packets on the monitor interface.

You should be able to see traffic that is produced by devices using the channel you set in the previous section. This is traffic that is not generated by your Raspberry Pi. However, most of this traffic is encrypted and cannot be viewed in plain text currently. You can close Wireshark after this test.

3.2 airodump-ng

Start airodump to take a basic site survey

# airodump-ng newInterface

Look for your ESSID, and verify that it is indeed running WEP

Using ctrl+c will send a break command to the program and end the program when you are finished.


3.3 Capture

Try to capture just the channel and look for just WEP encrypted networks

# airodump-ng -c CHANNEL --encrypt WEP newInterface

Verify that you are only capturing packets to and from your AP by making sure it’s the only AP listed. If not, you have to specify a BSSID (the MAC address of the access point, which can be found in the original airodump-ng command output):

# airodump-ng -c CHANNEL --encrypt WEP newInterface --bssid BSSID

You can stop airodump-ng using a Linux break command (ctrl+c) once you have verified that it is capturing correctly.
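The site survey in sections 3.2 and 3.3 is the same step a wireless audit starts with: inventory every access point in range and flag the ones still running WEP, open, or WPA/TKIP. The script below is an added example for this lab (it is not code from the handout or from the aircrack-ng project). It assumes the CSV file airodump-ng writes next to its capture when started with -w and without --ivs (PREFIX-01.csv). SAMPLE_CSV is constructed in that layout; every MAC address and ESSID in it is made up.

```python
"""Flag weak encryption in an airodump-ng site survey (added example)."""
import csv
import io

# Constructed sample in airodump-ng's CSV layout: an access-point table,
# a blank line, then a station table. The column names are airodump-ng's own;
# the addresses and ESSIDs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2023-01-17 09:00:01, 2023-01-17 09:05:10,  6,  54, WEP, WEP, ,-40,  120,  5123,   0.  0.  0.  0,   8, GenCyber,
66:77:88:99:AA:BB, 2023-01-17 09:00:03, 2023-01-17 09:05:12, 11,  54, WPA, TKIP, PSK,-55,   98,     0,   0.  0.  0.  0,   9, LabRouter,
CC:DD:EE:FF:00:11, 2023-01-17 09:00:05, 2023-01-17 09:05:09,  1, 130, WPA2, CCMP, PSK,-70,   75,     0,   0.  0.  0.  0,   6, Office,
22:33:44:55:66:77, 2023-01-17 09:00:07, 2023-01-17 09:05:11,  6,  54, OPN, , ,-62,   40,     0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2023-01-17 09:01:00, 2023-01-17 09:05:00, -50,   300, 00:11:22:33:44:55, GenCyber
"""


def parse_ap_table(text):
    """Return the access-point rows (the block before the first blank line) as dicts."""
    ap_block = text.split("\n\n", 1)[0]
    rows = list(csv.reader(io.StringIO(ap_block), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    aps = []
    for row in rows[1:]:
        if len(row) < len(header):      # skip a truncated line (file still being written)
            continue
        aps.append({h: v.strip() for h, v in zip(header, row)})
    return aps


def classify(ap):
    """Map an AP's Privacy/Cipher columns to an audit severity and reason."""
    privacy = ap["Privacy"].upper()
    cipher = ap["Cipher"].upper()
    if "WEP" in privacy:
        return "critical", "WEP: key recoverable from captured traffic; replace with WPA2-CCMP or WPA3"
    if privacy == "OPN":
        return "high", "open network: all traffic is unencrypted"
    if "TKIP" in cipher:
        return "medium", "TKIP cipher: deprecated, allow CCMP (AES) only"
    return "ok", "WPA2/WPA3 with CCMP"


def audit(text):
    """Return one finding per access point, weakest configurations first."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    findings = []
    for ap in parse_ap_table(text):
        severity, reason = classify(ap)
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": ap["channel"], "privacy": ap["Privacy"],
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"{f['severity']:8} {f['bssid']}  ch {f['channel']:>2}  "
              f"{f['privacy']:5} {f['essid']}  - {f['reason']}")
```

Point the script at the real PREFIX-01.csv instead of SAMPLE_CSV to audit a survey; airodump-ng does not quote ESSIDs, so a network name containing a comma will shift columns and should be inspected by hand.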


4 WEP

Next we’re going to initiate the WEP attack itself. This will require us to get the #Data column up to anywhere from 5000 to 10,000 IVs.

This is going to be done with a standard attack that involves capturing a predictable packet (an ARP request) and re-playing it to force the connected clients to respond.
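The handout does not say why a few thousand IVs are enough. WEP builds each frame's RC4 key as IV || shared key, and the 24-bit IV is sent in the clear; two frames that share an IV share a keystream, so XORing their ciphertexts cancels the keystream and leaves the XOR of the plaintexts. The added example below (not code from the handout) computes the birthday-bound probability of an IV repeat after n frames and detects repeats in an IV stream, the check a wireless IDS would perform. aircrack-ng's statistical attacks (FMS/PTW) exploit additional structure and need fewer frames than a bare collision argument suggests, which is where the lab's 5000 to 10,000 figure comes from. The IV list and the frame contents are constructed, not captured.

```python
"""Why a few thousand frames is enough against WEP: the 24-bit IV (added example)."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 distinct IVs


def iv_collision_probability(n_frames):
    """Birthday approximation: P(at least one IV repeat) ~ 1 - exp(-n^2 / 2N)."""
    return 1.0 - math.exp(-(n_frames ** 2) / (2.0 * IV_SPACE))


def find_iv_reuse(ivs):
    """Return {iv: [frame indexes]} for every IV that appears more than once."""
    seen = {}
    for idx, iv in enumerate(ivs):
        seen.setdefault(iv, []).append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def plaintext_xor_from_reused_keystream(p1, p2, keystream):
    """Encrypt two plaintexts under one keystream and return C1 xor C2,
    which equals P1 xor P2 because the keystream cancels (two-time pad)."""
    c1 = xor_bytes(p1, keystream)
    c2 = xor_bytes(p2, keystream)
    return xor_bytes(c1, c2)


# Constructed IV sequence: a card that resets its IV counter to zero on
# re-initialisation, as several early WEP implementations did.
SAMPLE_IVS = list(range(0, 6)) + list(range(0, 3))

if __name__ == "__main__":
    for n in (1000, 5000, 10000):
        print(f"{n:>6} frames: P(IV repeat) = {iv_collision_probability(n):.3f}")
    print("reused IVs:", find_iv_reuse(SAMPLE_IVS))
    ks = bytes(range(16))          # stand-in for one RC4 keystream
    print(plaintext_xor_from_reused_keystream(b"ARP who-has 10.0", b"ARP is-at 10.0.1", ks).hex())
```

The ARP frames the lab replays are a good illustration of the last function: their fixed headers mean the XOR of two plaintexts starts with long runs of zero bytes, so a repeated keystream leaks exactly the bytes that differ. No amount of key length fixes a 24-bit IV; the remedy is a protocol with per-packet keys and replay protection, which is what WPA2-CCMP provides.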

4.1 WEP - Capture - IVs

Make a new directory:

# mkdir /dump

# mkdir /dump/GenCyber

# mkdir /dump/GenCyber/WEPattack

Now capture just the IVs to a file:

# airodump-ng -w /dump/GenCyber/WEPattack/wepattack.pcap -c CHANNEL --ivs newInterface --bssid BSSID

Leave this capture file running.

4.2 WEP - Associate

First, in a separate terminal (or a new tab) run the following to associate to an access point.

Note: this will work better if you run it on a different network card than the one you are using to capture the packets. Example: if you are using the Alfa to monitor/capture packets, use the internal wireless card or another Alfa to associate/de-associate. You will need to use the commands necessary to set this into monitor mode like you did in section 3.

To associate:


Use man aireplay-ng to learn what the flags in the below command do.

# aireplay-ng -1 0 -a BSSID-OF-AP monY

Where monY is a different monitor interface than the one currently being used to capture IVs.

Look for the “Association successful :-)”

4.3 WEP - ARP

In a separate terminal (or a new tab) run the following command to listen for an ARP packet to replay.

Note: this will work better if you run it on a different network card than the one you are using to capture the packets, and use the same one that you just associated with. Example: if you are using the Alfa to monitor/capture packets, use the internal wireless card or another Alfa to associate/de-associate.


Use man aireplay-ng to learn what the flags in the below command do.

# aireplay-ng -3 -b BSSID monY

Note: If you don't see any ARPs, connect your smartphone to the access point and try web browsing. Use Key 1 as the password to connect your phone or laptop.

Note: If you are still having issues, try to re-associate:

to Associate:

# aireplay-ng -1 0 -a BSSID-OF-AP monY


4.4 WEP - Capturing

You should have two windows open: one listening for and replaying ARP packets, and one capturing the IVs generated from the wireless packets going in and out of the network.

Go back to your airodump-ng window, and the #Data should be climbing quickly. When it reaches somewhere between 5000 and 10,000 you can stop it.

If the IVs aren’t increasing, read the following:

http://www.aircrack-ng.org/doku.php?id=i_am_injecting_but_the_ivs_don_t_increase&DokuWiki=1943ff9484c75095683d41ac6313a148


4.5 WEP - Cracking

After the #DATA reaches between 5000 and 10,000, run the following to start WEP key recovery (you may need to select the proper network). In some instances, you may need to get #DATA above 15,000 in order to recover the key.

# aircrack-ng /dump/GenCyber/WEPattack/wepattack.pcap-0#.ivs

5 Bonus - Access Point - WPA

If you complete the WEP cracking you can try your hand at some WPA cracking.

In this section, you will set up your access point to run WPA on your wireless network.

Log in to the router at http://192.168.1.1

Username/password => admin

Click the “Wireless” tab

Click the “Wireless Security” section

Set “Security Mode” to “WPA Personal” with TKIP

Set “Passphrase” to “blackhat”

5.1 Monitor mode - testing

On the attacking machine, look for our WPA access point:

# airodump-ng monX


5.2 WPA - Capture

In order for this attack to work, we actually need to have a client attached to our network already.

Use a smartphone, another laptop, or something else WPA-compatible to connect to your network.

Once you have a client attached, issue the following command:

# airodump-ng -w /dump/GenCyber/WEPattack/wpaattack.WPA --bssid YOUR_BSSID -c CHANNEL monX

5.3 WPA - Deauth

Next we have to de-auth our client so we can capture the handshake.

In a new window on the attacking machine:

# aireplay-ng -0 30 -e YOUR_ESSID -c YOUR_CLIENT_MAC monX


5.4 WPA - Handshake

Once this runs, you should see “HANDSHAKE” near the top right part of the window. If not, re-authenticate with your device and repeat the deauth flood until you do.

Once you get the handshake, you can stop the airodump-ng scan with a CONTROL-C.
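The deauth flood in 5.3 works because, without 802.11w management frame protection, deauthentication and disassociation frames carry no authentication and any station can forge them; the same property makes the flood easy to spot from the air. The added example below (not code from the handout) decodes the 24-byte 802.11 header and the 2-byte reason code of those frames, then counts them per (sender, receiver) in fixed time windows, the rule a wireless IDS applies. SAMPLE_CAPTURE is constructed with made-up MAC addresses; the burst it contains mirrors what the lab's aireplay-ng -0 30 run produces, followed by a single genuine leave.

```python
"""Detecting a deauthentication flood in 802.11 management frames (added example)."""
import struct
from collections import Counter

MGMT = 0                               # frame type: management
BEACON, DISASSOC, DEAUTH = 8, 10, 12   # management subtypes
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Decode type, subtype, the three addresses and (for deauth/disassoc) the reason code."""
    if len(raw) < 24:
        raise ValueError("frame shorter than the 802.11 header")
    fc0 = raw[0]                       # frame control byte 0: version | type | subtype
    frame = {
        "type": (fc0 >> 2) & 0b11,
        "subtype": (fc0 >> 4) & 0b1111,
        "addr1": mac_str(raw[4:10]),   # receiver
        "addr2": mac_str(raw[10:16]),  # transmitter
        "addr3": mac_str(raw[16:22]),  # BSSID
    }
    if frame["type"] == MGMT and frame["subtype"] in (DEAUTH, DISASSOC) and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Assemble a management frame header (protocol version 0, no flags) plus body."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def detect_deauth_flood(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns one alert per
    (sender, receiver, window) exceeding `threshold` deauth/disassoc frames."""
    counts = Counter()
    for ts, raw in capture:
        f = parse_frame(raw)
        if f["type"] == MGMT and f["subtype"] in (DEAUTH, DISASSOC):
            counts[(f["addr2"], f["addr1"], int(ts // window))] += 1
    return [{"src": src, "dst": dst, "window_start": bucket * window, "count": n}
            for (src, dst, bucket), n in sorted(counts.items()) if n >= threshold]


# Constructed capture; AP and CLIENT are made-up addresses.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddeeff")
REASON_CLASS3 = 7    # "class 3 frame received from non-associated station"
REASON_LEAVING = 3   # "station is leaving"

SAMPLE_CAPTURE = []
for i in range(5):                                   # ordinary beacons
    SAMPLE_CAPTURE.append((i * 0.1, build_mgmt_frame(BEACON, BROADCAST, AP, AP)))
for i in range(30):                                  # burst: 30 deauths each way within 0.3 s
    t = 0.2 + i * 0.01
    SAMPLE_CAPTURE.append((t, build_mgmt_frame(DEAUTH, CLIENT, AP, AP, struct.pack("<H", REASON_CLASS3))))
    SAMPLE_CAPTURE.append((t, build_mgmt_frame(DEAUTH, AP, CLIENT, AP, struct.pack("<H", REASON_CLASS3))))
SAMPLE_CAPTURE.append((5.0, build_mgmt_frame(DEAUTH, AP, CLIENT, AP, struct.pack("<H", REASON_LEAVING))))

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print(alert)
```

The genuine disconnect at 5.0 s stays below the threshold and produces no alert; only the two 30-frame bursts do. The mitigation is 802.11w (protected management frames), which authenticates deauth and disassoc frames so forged ones are dropped by the client; WPA3 makes it mandatory, and most WPA2 access points can enable it.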


5.5 WPA - Cracking

You will now try to crack the WPA password against a dictionary file located at:

/usr/share/wordlists/rockyou.txt

In some cases, the rockyou file may be gzipped and you will need to uncompress it.

We’re going to be doing a CPU-based dictionary attack, which is the slowest way to do it. In a security setting, you’d either use Amazon’s cloud-based GPU instances, or you’d build a password-cracking rig. There are also faster methods that use pre-compiled password files known as “rainbow tables” that match passwords with SSIDs.

In a new window type:

# aircrack-ng wpaattack.WPA-{highest number}.cap -w /usr/share/wordlists/rockyou.txt

Let this run for at least 10 mins, and by then you should have recovered your WPA passphrase (it’s in there).
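Two things in section 5.5 follow directly from how WPA-Personal turns a passphrase into a key: rainbow tables have to be built per SSID, and a CPU dictionary run is slow. The PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) as specified in IEEE 802.11i, so the SSID is the salt and every guess costs 4096 HMAC rounds. The added example below (not code from the handout or from aircrack-ng) implements that standard derivation, which the published test vector from the standard checks, and adds a defender-side passphrase check a provisioning script could run before a PSK is set. COMMON_PASSPHRASES and the length thresholds are this example's own, not a standard.

```python
"""WPA/WPA2-Personal PMK derivation and a passphrase policy check (added example)."""
import hashlib

PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def derive_pmk(passphrase, ssid):
    """PMK (the PSK) = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32) per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, dklen=PMK_LEN)


def table_is_ssid_bound(passphrase, ssid_a, ssid_b):
    """True when one passphrase yields different PMKs for two SSIDs, i.e. a
    precomputed table built for ssid_a says nothing about ssid_b."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


# Constructed stand-in for a common-password list such as rockyou.txt.
COMMON_PASSPHRASES = {"password", "12345678", "blackhat", "letmein1", "qwertyui"}


def passphrase_findings(passphrase, ssid, common=COMMON_PASSPHRASES):
    """Defender-side checks to run before setting a PSK; thresholds are this example's."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("outside the 8-63 character range WPA-Personal allows")
    if len(passphrase) < 16:
        findings.append("shorter than 16 characters")
    if passphrase.lower() in common:
        findings.append("appears in a common-password list")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    return findings


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    print("table bound to SSID:", table_is_ssid_bound("blackhat", "GenCyber", "GenCyber-2"))
    print("findings for the lab passphrase:", passphrase_findings("blackhat", "GenCyber"))
```

The lab's passphrase “blackhat” fails two of the checks, which is why the dictionary run finishes in minutes. Changing the SSID does not help a weak passphrase against a dictionary attack, since the attacker derives the PMK with the captured SSID; the only defensive lever on WPA2-Personal is passphrase entropy, and WPA3-SAE removes the offline dictionary attack entirely.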