GenCyber_WEP_cracking (2).docx

Wireless System Administration

Wireless Security Audit Tools - WEP/WPA cracking

Goal: In this lab you will explore wireless security tools on the Kali suite. These tools will be an introduction to WEP and WPA security.

1 of 13 GenCyber_WEP_cracking (2).docx

1 Gather and organize

1.1 Gather required equipment:

• Alfa AWUS036NH
• Linksys WRT54GL or other access point capable of being configured for both WEP and WPA security
• Kali Linux on a Raspberry Pi
• Wireless client (a smartphone works well)

2 Setup - Kali

In this section you will start Kali Linux on your Raspberry Pi with the Alfa wireless adapter attached. This is your “attacking” station.

2.1 Kali

Boot into Kali.

2.2 Network Manager

Stop Network Manager - kill it with fire:

# service network-manager stop

2.3 Monitor Mode - airmon-ng

In this section you will place your Raspberry Pi into monitor mode using airmon-ng. Use man airmon-ng to find the correct commands.

1. List and kill all possible programs that could interfere with the wireless card when placing it into monitor mode.

2. Determine your external (USB) Alfa wireless interface:

# iwconfig


3. Put your external (USB) Alfa wireless interface into monitor mode using airmon-ng. (Hint: the command is very similar to the one we used earlier this week to scan the wireless network.)

Note: the channel number in the command is the same channel listed on top of the Linksys AP you are using. Normally you would scan the wireless environment to find this yourself, but to save time we are providing the channel for you.

After running the command in step 3 you should have a new monitoring interface.

4. Determine your new wireless interface:

# iwconfig

Note: the new interface is usually shown as wlanXmon in the iwconfig output, where X is the interface number from the previous iwconfig output.

3 Monitor mode - testing

Testing Monitor mode

Scenario: Making sure the “attacking” station (your Raspberry Pi) wireless card is in monitor mode.

3.1 Use wireshark to test your wireless card.

Browse to the wireshark application under Applications >> 09 – Sniffing & Spoofing >> wireshark


Select the new monitor interface you created in the previous section. Click on the blue fin in the top left corner of the application in order to start capturing packets on the monitor interface.

You should be able to see traffic produced by devices using the channel you set in the previous section. This is traffic that is not generated by your Raspberry Pi. However, most of this traffic is encrypted and cannot currently be viewed in plain text. You can close Wireshark after this test.

3.2 airodump-ng

Start airodump-ng to take a basic site survey:

# airodump-ng newInterface

Look for your ESSID, and verify that it is indeed running WEP.

Pressing ctrl+c sends a break signal to the program and ends it when you are finished.


3.3 Capture

Try to capture just the channel and look only for WEP-encrypted networks:

# airodump-ng -c CHANNEL --encrypt WEP newInterface

Verify that you are only capturing packets to and from your AP by making sure it’s the only AP listed. If not, you have to specify a BSSID (the MAC address of the access point, which can be found in the original airodump-ng command output):

# airodump-ng -c CHANNEL --encrypt WEP newInterface --bssid BSSID

You can stop airodump-ng with ctrl+c once you have verified that it is capturing correctly.


4 WEP

Next we’re going to initiate the WEP attack itself. This will require us to get the #Data column up to somewhere between 5000 and 10,000 IVs.

This is going to be done with a standard attack that involves capturing a predictable packet (an ARP request) and re-playing it to force the connected clients to respond.
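As an added example (not part of the lab), here is a small auditing script that reads the CSV airodump-ng writes next to its capture when you use -w (prefix-01.csv) and flags what the survey in 3.2 and 3.3 asks you to verify by eye: WEP networks, open networks and TKIP, plus whether a WEP network has already leaked the 5000 or more IVs this section refers to. The rows in SAMPLE_CSV are constructed sample data; only the column layout is airodump-ng’s.

```python
import csv
import io

# Constructed sample in the layout of an airodump-ng "prefix-01.csv" file.
# MACs, times and counts are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP , OPN, -40,  120, 7312,   0.  0.  0.  0,   8, GenCyber,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA , TKIP, PSK, -55,   90,    0,   0.  0.  0.  0,   5, Bonus,
CC:DD:EE:FF:00:11, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1, 130, WPA2, CCMP, PSK, -60,   80,    0,   0.  0.  0.  0,   6, Secure,
12:34:56:78:9A:BC, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN , ,    ,  -70,   40,    0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50, 300, 00:11:22:33:44:55, GenCyber
"""

IV_WARN = 5000   # the lab's lower bound for recovering a WEP key from captured IVs

def parse_access_points(text):
    """Return the access-point rows as dicts keyed by column name.
    The file holds two tables separated by a blank line; the first one is the APs."""
    ap_block = text.split("\n\n", 1)[0]
    rows = [[c.strip() for c in r] for r in csv.reader(io.StringIO(ap_block)) if r]
    header = rows[0]
    return [dict(zip(header, r)) for r in rows[1:] if len(r) >= len(header)]

def audit(text):
    """Rank each AP by the weakness of its configuration; returns (ESSID, severity, reason)."""
    findings = []
    for ap in parse_access_points(text):
        essid, privacy, cipher = ap["ESSID"], ap["Privacy"], ap["Cipher"]
        ivs = int(ap["# IV"] or 0)
        if "WEP" in privacy:
            reason = f"WEP, {ivs} IVs captured"
            if ivs >= IV_WARN:
                reason += " (enough traffic for statistical key recovery)"
            findings.append((essid, "CRITICAL", reason))
        elif privacy == "OPN":
            findings.append((essid, "HIGH", "open network, traffic is unencrypted"))
        elif "TKIP" in cipher:
            findings.append((essid, "MEDIUM", "TKIP cipher in use; move to WPA2-CCMP or WPA3"))
    return findings

if __name__ == "__main__":
    for essid, severity, reason in audit(SAMPLE_CSV):
        print(f"{severity:8} {essid:12} {reason}")
```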

4.1 WEP - Capture - IVs

Make a new directory:

# mkdir /dump

# mkdir /dump/GenCyber

# mkdir /dump/GenCyber/WEPattack

Now capture just the IVs to a file:

# airodump-ng -w /dump/GenCyber/WEPattack/wepattack. -c CHANNEL --ivs newInterface --bssid BSSID

Leave this capture file running.

4.2 WEP - Associate

First, in a separate terminal (or a new tab), run the following to associate to the access point.

Note: this will work better if you run it on a different network card than the one you are using to capture the packets. Example: if you are using the Alfa to monitor/capture packets, use the internal wireless card or another Alfa to associate/de-associate. You will need to put that card into monitor mode with the same commands you used in section 3. To associate:


Use man aireplay-ng to learn what the flags in the below command do.

# aireplay-ng -1 0 -a BSSID-OF-AP monY

Where monY is a different monitor interface than the one currently being used to capture IVs.

Look for the message “Association successful :-)”.

4.3 WEP - ARP

In a separate terminal (or a new tab) run the following command to listen for an ARP packet to replay.

Note: this will work better if you run it on a different network card than the one you are using to capture the packets; use the same card that you just associated with. Example: if you are using the Alfa to monitor/capture packets, use the internal wireless card or another Alfa to associate/de-associate.


Use man aireplay-ng to learn what the flags in the below command do.

# aireplay-ng -3 -b BSSID monY

Note: If you don't see any ARPs, connect your smartphone to the access point and try web browsing. Use Key 1 as the password to connect your phone or laptop.

Note: If you are still having issues, try to re-associate:

# aireplay-ng -1 0 -a BSSID-OF-AP monY


4.4 WEP - Capturing

You should have two windows open: one listening for/replaying ARP packets and one capturing the IVs generated from the wireless packets going in and out of the network.

Go back to your airodump-ng window, and the #Data should be climbing quickly.

When it reaches somewhere between 5000 and 10,000 you can stop it.

If the IVs aren’t increasing, read the following: http://www.aircrack-ng.org/doku.php?id=i_am_injecting_but_the_ivs_don_t_increase&DokuWiki=1943ff9484c75095683d41ac6313a148


4.5 WEP - Cracking

After #Data reaches between 5000 and 10,000, run the following to start WEP key recovery (you may need to select the proper network). In some instances, you may need to get #Data above 15,000 in order to recover the key.

# aircrack-ng /dump/GenCyber/WEPattack/wepattack.pcap-0#.ivs

5 Bonus - Access Point - WPA

If you complete the WEP cracking you can try your hand at some WPA cracking.

In this section, you will setup your access point to run WPA on your wireless network.

Login to the router at http://192.168.1.1

Username/password => admin

Click the “Wireless” tab

Click the “Wireless Security” section

Set “Security Mode” to “WPA Personal” with TKIP

Set “Passphrase” to “blackhat”

5.1 Monitor mode - testing

On the attacking machine, look for our WPA access point:

# airodump-ng monX


5.2 WPA - Capture

In order for this attack to work, we need to have a client attached to our network already.

Use a smart phone, another laptop, or something else WPA-compatible to connect to your network.

Once you have a client attached, issue the following command:

# airodump-ng -w /dump/GenCyber/WEPattack/wpaattack.WPA --bssid YOUR_BSSID -c CHANNEL monX

5.3 WPA - Deauth

Next we have to de-auth our client so we can capture the handshake.

In a new window on the attacking machine:

# aireplay-ng -0 30 -e YOUR_ESSID_MAC -c YOUR_CLIENT_MAC monX


5.4 WPA - Handshake

Once this runs, you should see “HANDSHAKE” near the top right part of the window. If not, re-authenticate with your device and repeat the deauth flood until you do.

Once you get the handshake, you can stop the airodump-ng scan with a CONTROL-C.
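As an added example (not part of the lab), here is the detection side of the deauth step in 5.3 and 5.4: a minimal wireless-IDS style detector that parses raw 802.11 management headers and raises one alert when a station receives a burst of deauthentication/disassociation frames within a short window. The frames, addresses and timestamps in run_sample are constructed for this example; the frame layout and frame-control values are the 802.11 ones.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame-control byte 0 = subtype << 4 | type << 2; management frames are type 0.
DEAUTH_FC = 0xC0     # subtype 12: deauthentication
DISASSOC_FC = 0xA0   # subtype 10: disassociation
BEACON_FC = 0x80     # subtype 8: beacon (benign filler in the sample)

# Constructed addresses; not real devices.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddeeff")
BROADCAST = b"\xff" * 6

def build_mgmt_frame(fc0, dst, src, bssid, seq, reason=7):
    """Minimal 802.11 management frame (no radiotap header) used to build the sample."""
    header = struct.pack("<BBH6s6s6sH", fc0, 0, 0, dst, src, bssid, seq << 4)
    return header + struct.pack("<H", reason)   # body: 2-byte reason code

def parse_header(frame):
    fc0, _flags, _duration, dst, src, bssid, _seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    return fc0, dst, src, bssid

class DeauthDetector:
    """Raises one alert when a station receives `threshold` deauth/disassoc frames
    within `window` seconds, the pattern a wireless IDS uses to spot a deauth flood."""
    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # (bssid, target) -> timestamps of recent frames

    def observe(self, ts, frame):
        fc0, dst, _src, bssid = parse_header(frame)
        if fc0 not in (DEAUTH_FC, DISASSOC_FC):
            return None
        q = self.recent[(bssid, dst)]
        q.append(ts)
        while ts - q[0] > self.window:    # expire timestamps outside the window
            q.popleft()
        if len(q) == self.threshold:      # fire once, as the burst crosses the threshold
            return f"deauth flood: {len(q)} frames to {dst.hex(':')} on BSSID {bssid.hex(':')}"
        return None

def run_sample():
    """Constructed capture: beacons, one ordinary AP-sent deauth, then a 30-frame flood."""
    det = DeauthDetector()
    frames = [(i * 0.1, build_mgmt_frame(BEACON_FC, BROADCAST, AP, AP, i)) for i in range(20)]
    frames.append((2.5, build_mgmt_frame(DEAUTH_FC, CLIENT, AP, AP, 100, reason=4)))  # 4: inactivity
    frames += [(10 + i * 0.05, build_mgmt_frame(DEAUTH_FC, CLIENT, AP, AP, 200 + i)) for i in range(30)]
    return [alert for ts, frame in frames if (alert := det.observe(ts, frame))]
```

Source addresses in management frames are trivially forged, so the alert names the targeted station and BSSID rather than a sender. The fix that actually stops this flood is 802.11w Protected Management Frames, under which clients discard unauthenticated deauth frames.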


5.5 WPA - Cracking

You will now try to crack the WPA password against a dictionary file located at: /usr/share/wordlists/rockyou.txt

In some cases, the rockyou file may be gzipped and you will need to uncompress it.

We’re going to be doing a CPU-based dictionary attack, which is one of the slowest ways to do it. In a security setting, you’d either use Amazon’s cloud-based GPU instances, or you’d build a password-cracking rig. There are also faster methods using pre-computed password files known as “rainbow tables” that match passwords with SSIDs.

In a new window type:

# aircrack-ng wpaattack.WPA-{highest number}.cap -w /usr/share/wordlists/rockyou.txt

Let this run for at least 10 mins, and by then you should have recovered your WPA passphrase (it’s in there).
