Saturday, June 2, 2012

WEP and WPA Cracking made easy

Disclaimer: This article is for educational purposes.  Do not attempt the following on hardware you do not own.


Before we begin it's important to make sure that you have everything you need.  For the sake of this tutorial I will be using a live Backtrack 5 USB drive, a WiFi card compatible with aircrack-ng, two computers (although you can get away with just using one), and of course a wireless router.

Backtrack can be downloaded for free at http://www.backtrack-linux.org/

A list of compatible cards can be found here.  If you're going to need a new card I would recommend this one:
Alfa AWUS036NHR (high-gain 2000mW 802.11b/g/n wireless USB adapter, 150Mbps, 2.4 GHz, 5dBi antenna, Realtek chipset)

It should work out of the box with Backtrack Linux.


Step 1 - Finding the name of your wireless interface
This step is easy enough.  Type "airmon-ng" without the quotes into the terminal to find the interface name of your wireless card.

In this example the interface is wlan0.  Your interface could very well be something different.  Write down the name of the interface and keep it for reference.

Step 2 - Start your interface in monitor mode
The next step is to put the wireless card into monitor mode.  In the last step we determined what the name of our wireless interface was.  Type the following into the terminal, without quotes, where (interface) is the name of your interface.  "airmon-ng start (interface)"

You might as well kill any processes that airmon-ng warns may cause trouble.  Killing the processes is easy enough.  Keep in mind that the PIDs will be different every time.  In the screenshot below, 2836 and 2884 are the processes we want to kill.  Just type "kill (pid)" into the terminal, without quotes, for each PID, replacing (pid) with the number provided.

Step 3 - Find the access point and its BSSID
For this step type the following into your trusty terminal, once again keeping in mind to replace (interface) with the correct name: "airodump-ng (interface)"

If you've followed all the previous instructions correctly, you should now have the following pop up:

The BSSID column in the top table lists access points.  The STATION column in the bottom table lists the MAC addresses of the clients connected to those access points.  In this example there is a WEP network named "vulnerable".  This is what I will be cracking.  To stop airodump-ng press Control-C (the information stays on the screen, so you can copy and paste from it easily).

If you are cracking WEP, take note of the BSSID of the access point and the channel it is on (the CH column specifies the channel).  If you are cracking WPA, take note of the BSSID of the access point, the channel it is on (again, the CH column), and the MAC address of any client connected to it.  If the network you want to crack is WPA you can skip down to the WPA section now; otherwise continue reading for WEP cracking.


WEP Specific Section

Step 4 - Dump packets into file
Now that you have the necessary information, type the following into the terminal without the quotes: "airodump-ng -c (channel) -w (file name of your choice) --bssid (bssid) (interface)"

You should now be capturing data.  Once the "#Data" count is over 10000 you're generally good to go, although sometimes it takes a lot more.  The count rises with the amount of network traffic: if someone on the network jumps on YouTube, for example, you will have more than enough data in a very short time.  If there isn't much traffic you'll have to either wait or use a method to get around it, which I won't be covering in this tutorial.

Once the data has reached a sufficient amount it's time to crack it.  This will be the last step.  You're almost done.
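The same -w prefix also makes airodump-ng write a prefix-01.csv next to the .cap file, which is the file a network owner can use to audit their own airspace. The following is an added example, not code from the original post; it assumes the CSV layout airodump-ng produces (an access-point table, a blank line, then a station table) and runs over a constructed sample, flagging WEP and open networks, their captured IV count, and any clients seen on them.

```python
"""Flag WEP and open access points in an airodump-ng CSV dump (added example).

Assumes the prefix-01.csv layout written by airodump-ng -w: an access-point
table, an empty line, then a station table.  SAMPLE_CSV is constructed data.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2012-06-02 10:00:00, 2012-06-02 10:05:00,  6,  54, WEP, WEP, OPN, -40,  120,  9800,   0.  0.  0.  0,  10, vulnerable,
66:77:88:99:AA:BB, 2012-06-02 10:00:00, 2012-06-02 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   80,     0,   0.  0.  0.  0,   7, homelan,
CC:DD:EE:FF:00:11, 2012-06-02 10:00:00, 2012-06-02 10:05:00,  1,  54, OPN, , , -70,   30,     0,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2012-06-02 10:01:00, 2012-06-02 10:05:00, -45, 400, 00:11:22:33:44:55, vulnerable
"""


def parse_airodump_csv(text):
    """Split the dump at its blank line into the AP rows and the station rows."""
    ap_part, _, sta_part = text.partition("\n\n")
    aps = list(csv.DictReader(io.StringIO(ap_part), skipinitialspace=True))
    stas = list(csv.DictReader(io.StringIO(sta_part), skipinitialspace=True))
    return aps, stas


def audit(aps, stas):
    """Return one finding per AP whose Privacy column is WEP or OPN."""
    clients = {}
    for s in stas:                      # map each AP to the clients seen on it
        clients.setdefault(s["BSSID"], []).append(s["Station MAC"])
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].strip()
        if privacy == "WEP":
            risk = "WEP: deprecated cipher, key recoverable from captured traffic"
        elif privacy == "OPN":
            risk = "open network: no encryption at all"
        else:
            continue                    # WPA/WPA2 rows are not flagged here
        findings.append({
            "bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": int(ap["channel"]),
            "privacy": privacy, "ivs": int(ap["# IV"]), "risk": risk,
            "clients": clients.get(ap["BSSID"], []),
        })
    return findings


if __name__ == "__main__":
    for f in audit(*parse_airodump_csv(SAMPLE_CSV)):
        print(f"{f['essid']} ({f['bssid']}, ch {f['channel']}): {f['risk']}; clients={f['clients']}")
```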

Step 5 - Crack the Key
The final step is cracking the key.  Type the following into the terminal without the quotes: "aircrack-ng -b (bssid) (file name from before)*.cap"

If you're successful you should get something that looks like this:

If it doesn't find the key right away, don't get discouraged, just wait for it to collect more data and try again.

WPA Specific Section

Step 4 - Start Dumping Data to File
This step is actually exactly the same as it is in the WEP section, except this time we're looking for the WPA handshake.  Type the following into the terminal without the quotes: "airodump-ng -c (channel) -w (file name of your choice) --bssid (bssid) (interface)"

We're looking for a WPA handshake.  When we capture it, it will show up in the upper right corner.  It appears whenever a client connects to the access point.  If a client is currently connected you can send a deauth packet to knock it offline; it will generally reconnect.

Open up a new terminal and don't touch the one capturing data. For this one you might want to run airodump-ng, close it with control-c, and then copy and paste the correct information into the command.

The deauth command is as follows, without the quotes: "aireplay-ng -0 1 -a (BSSID) -c (MAC address of client) (interface)"

In this command -0 selects deauthentication, and the 1 is the number of times to perform it.

You should now have the handshake.  Go back to the terminal that's collecting data.  If everything went as planned the upper right should now say "WPA handshake".  You can close out of that, and it's time to crack the passphrase.
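From the network owner's side, the step above is visible as a burst of deauthentication frames. The following detector is an added example, not code from the original post: it decodes raw 802.11 management frames (24-byte header, 2-byte reason code in the body) and flags any AP/client pair that sees many deauth or disassoc frames within a short window. The capture is constructed; the 64-frame burst matches the "Sending 64 directed DeAuth" one round of aireplay-ng reports, and the frame builder exists only to produce that sample input.

```python
"""Flag deauthentication bursts in a stream of 802.11 frames (added example)."""
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10        # management-frame subtypes


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(raw: bytes):
    """Return subtype, addresses and reason code of a management frame, else None."""
    if len(raw) < 24:
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", raw, 0)
    if (fc >> 2) & 0x3 != 0:     # frame-control type bits: 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]
    return {"subtype": subtype, "dst": mac(a1), "src": mac(a2), "bssid": mac(a3), "reason": reason}


def sample_deauth(dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Build a deauth frame for the constructed capture below (test data only)."""
    return struct.pack("<HH6s6s6sHH", DEAUTH << 4, 0, dst, src, bssid, 0, reason)


def detect_deauth_bursts(frames, threshold=10, window=5.0):
    """frames: (timestamp_seconds, raw_frame) in capture order.  Returns
    {(bssid, client): peak count} for pairs exceeding threshold deauth/disassoc
    frames inside any window-second span; one or two such frames is normal roaming."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        client = f["dst"] if f["src"] == f["bssid"] else f["src"]   # either direction
        key = (f["bssid"], client)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


AP, CLIENT, OTHER = (bytes.fromhex(h) for h in ("001122334455", "aabbccddee01", "aabbccddee02"))
CAPTURE = [(0.0, sample_deauth(OTHER, AP, AP))]                                    # lone deauth: benign
CAPTURE += [(10.0 + i * 0.03, sample_deauth(CLIENT, AP, AP)) for i in range(64)]  # one 64-frame round
```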

WPA isn't quite as easy to crack.  You can use a word list, or a program like John the Ripper, to brute-force the handshake.  In this example I'm using a word list that comes with Backtrack 5.  There are plenty of word lists out there, and a lot of them are going to be better than this one; nevertheless, it will do for this example.

Type the following into a terminal: "aircrack-ng -w (wordlist) -b (bssid) (file name from before)*.cap".  I believe the word list can be found in multiple places, but in this example I used "/rofs/pentest/wireless/aircrack-ng/test/password.lst".

If you are successful you should see something that looks like this:

If you're not so lucky you need either another word list or John the Ripper.  Assuming that your dump is in /root/ (it should be if you followed this tutorial exactly), to use John the Ripper do the following:

Change the directory to /pentest/passwords/john/ by issuing the command "cd /pentest/passwords/john" without the quotes.  From there type in the command "./john --incremental --stdout | aircrack-ng -b (bssid) -w - /root/(file)*.cap" without the quotes, and then wait for what might be an eternity for it to find the correct key.

2 comments:

  1. For john the ripper can you specify the length and character types that it uses? Most BT Homehubs (Version 2 anyway, same as a Thomson Speedtouch apparently) by default have a WPA key which is 10 digits long and are hexadecimal (0-9,a-f).

    1. You can edit the minimum length in the configuration file and specify a custom character set. They explain how to do so in the official documentation. http://www.openwall.com/john/doc/EXAMPLES.shtml

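What makes the final step slow, and what the 10-hex-digit default keys from the comment thread mean for a network owner, as an added example that is not from the original post or its commenters: WPA/WPA2-PSK derives the 256-bit PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, so every candidate that aircrack-ng or John feeds in costs one derivation. The block derives a PMK, measures the single-core rate on the machine it runs on, and turns that into an expected search time for each passphrase policy (the SSID "vulnerable" and the guess strings are constructed).

```python
"""WPA PMK derivation and expected search time per passphrase policy (added example)."""
import hashlib
import math
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Guess spaces for the key styles discussed on the page plus a stronger policy.
POLICIES = {
    "10 hex digits (the Homehub default mentioned in the comments)": 16 ** 10,
    "8 lowercase letters": 26 ** 8,
    "12 mixed-case letters and digits": 62 ** 12,
}


def entropy_bits(keyspace: int) -> float:
    """Key strength in bits for a uniformly random choice from keyspace."""
    return math.log2(keyspace)


def guesses_per_second(ssid: str = "vulnerable", samples: int = 50) -> float:
    """Single-core PBKDF2 rate on this machine.  GPU crackers run orders of
    magnitude faster, so treat the estimates as an optimistic floor."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"guess{i:04d}", ssid)       # constructed candidates, not real keys
    return samples / (time.perf_counter() - t0)


def expected_seconds(keyspace: int, rate: float) -> float:
    """On average the key is found after half the keyspace has been tried."""
    return keyspace / 2 / rate


if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"~{rate:.0f} PMK derivations per second on this CPU")
    for name, space in POLICIES.items():
        days = expected_seconds(space, rate) / 86400
        print(f"{name}: {entropy_bits(space):.1f} bits, about {days:.1e} days")
```

The first assertion in the test below uses the IEEE 802.11 published test vector (passphrase "password", SSID "IEEE"), so the derivation can be checked against a known PMK.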