WPA is an encryption scheme designed to secure the wireless network of your home or office from intruders and eavesdroppers. It is reportedly safer than WEP. There have been numerous attempts to break WEP and WPA encryption with mixed results. This tutorial discusses currently available techniques for testing the wireless network security. Be aware that breaking into your neighbor's network without permission is wrong.
What You Need
To test security of wireless networks, you can use the live CD Linux distribution called Backtrack. You can download its latest ISO image from Remote-Exploit.org and burn it with any CD burner program like InfraRecorder or CDBurnerXP. Alternatively, you can try the SliTaz Aircrack-NG distribution which is lighter and simpler than Backtrack.
Here's a list of what you need to crack WPA/WPA2:
- a very powerful computer
- a wireless card/adapter supported by Aircrack-NG
- Backtrack or SliTaz Aircrack-ng Distro
- A little knowledge of Linux
- Optional: WPA-PSK Rainbow Tables (7 GB or 33 GB)
- Optional: coWPAtty program
Reboot your computer with a Backtrack CD and you'll be presented with the KDE environment.
Surveying Wireless Networks with Kismet
Launch Konsole which is located right next to the KDE Start menu. Open
/usr/local/etc/kismet.conf in a text editor and edit the
source= line to include your wireless device. For example, for Broadcom 43xx based card, put
source=bcm43xx,eth1,bcm43xx. Refer to Kismet documentation section 12. Save kismet.conf and start kismet.
Once kismet starts detecting wireless networks around, press s and P to sort the network list by packet counts in descending order. Press Up or Down key to move to the target network and press i for network information or c for client list. Write down such information as:
- ESSID (wireless network name)
- BSSID (MAC address of access point)
- channel of wireless network
- MAC address of clients
Press x to close popup windows and Q to exit Kismet.
Brute-Force Dictionary Attack
This is the classic brute-force attack.
airmon-ng stop wlan0
airmon-ng start wlan0
The commands above put your wireless device in monitor mode. The monitor mode is the mode whereby your wireless card can listen to wireless traffic passively. Replace wlan0 with your wireless device name, such as eth1. Type iwconfig to make sure your card is in monitor mode.
airodump-ng -w test wlan0
Skip the step above if you used Kismet as in the previous section. Here airodump-ng is used to survey the wi-fi networks. Press Ctrl+C to stop airodump-ng. Copy BSSID (MAC address) of the target network.
airodump-ng -w logfile -c 3 --bssid A0:B1:C2:D3:E4:F5 wlan0
Sniff and log the target network (specified with --bssid option) on the specified channel (-c option) to the specified log file (-w option). Wait until WPA Handshake message appears on the screen. Then, stop airodump-ng by pressing Ctrl+C.
Optionally, if you see a client connected to the target network but no authentication handshake, then you can deauthenticate the client by running the following example command in a separate terminal:
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0
where -a option specifies the access point and -c option specifies the client to deauthenticate. Hopefully, the command above will trick the client to renegotiate a 4-way authentication handshake with the access point. Otherwise, you'll have to wait until a handshake message shows up on airodump-ng outpout.
zcat /pentest/password/pico/cowpatty/final-wordlist.txt.gz > /tmp/wordlist.txt
aircrack-ng -a 2 -w /tmp/wordlist.txt logfile*.cap
Begin a brute-force dictionary attack using the saved log file(s) and the specified dictionary (-w option). Aircrack-ng will try every word in the dictionary until the correct passphrase is found. It may take hours or several days depending on the size of dictionary and the speed of your CPU to try every word in the dictionary. However, if the passphrase is not found in the dictionary or made up of random alphanumeric characters, then you are out of luck and just wasting your time. In this case, the dictionary attack won't be any good.
Finding a Good Dictionary
You need a good dictionary to crack WPA. Backtract 3 CD has wordlist files at the following locations: