Friday, June 24, 2011

Cracking WEP/WPA/2 networks with Aircrack-ng [Linux]

Now that you have hopefully installed the Aircrack-ng suite and familiarized yourself with some basic Linux commands, we can start cracking WEP and WPA1/2 networks to see the difference in security that Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) provide.



Notice: This is purely for educational value, do not attempt this on a network you do not PERSONALLY own. If you do this on a public or private network that you do not have authorization to do so on, it is illegal and you will probably get caught.

Now, let's start. Open up a new terminal and let's begin (each typed command is shown on its own line; read the notes for optional commands):


  1. Make sure you have a "monitoring" interface; this means that your network interface (the thing that interacts with networks) can scan for open/encrypted networks.
    To check what interfaces you have, type "iwconfig" into your terminal and it will list which interfaces are currently up and which mode they are in (look for "mode: managed" or "mode: monitor").
    Check out my blog post about networking in Linux for more on "iwconfig" and the different modes available.

    Type:

    airmon-ng start [interface]

    If your interface is in "managed" or any other mode (ad-hoc, etc.), it needs to be switched into monitor mode. Sometimes airmon-ng creates a new interface for monitoring; for example, my wireless interface is "wlan0" and it creates "wlan0mon" or "mon0" for monitoring.
    Once it is in "monitor" mode, you can begin.
     
  2. Make sure you can inject packets into the chosen network. (Find a network with Kismet (I'll review Kismet later), with your network manager (either Wicd or network-manager), or with the "airodump-ng [interface]" command in a new terminal; note that airodump-ng creates a new .cap file.)
    Type:

    aireplay-ng -9 -e [network name] -a [target network MAC] [interface]

    This checks that your network card can inject packets (data) into the targeted network. Your NIC (network interface card) must support injection.
     
  3. If you can inject, start dumping captured IVs (Initialization Vectors) into a .cap (capture) file with command:

    airodump-ng (-c x) --bssid [target network MAC] -w [output prefix] [interface]

    Note: -c x selects channel x, where x is 1-11; it is optional, although if you know the channel I would suggest specifying the correct one.
    This brings up a nice display of your targeted network with the following columns:
      BSSID: the MAC address that you entered.
      PWR: how close you are (lower is better!).
      Beacons: frames that networks send automatically.
      #Data: the data packets that have been sent over the network (which you have just started capturing!).
      #/s: data packets per second (higher is better for capturing faster!).
      CH: the channel (I'll go over this later).
      MB: the maximum speed supported by the access point.
      ENC: the encryption (WEP/WPA/OPEN).
      CIPHER: the cipher (related to the ENC).
      AUTH: the authentication (pass-key or other).
      ESSID: the English or ASCII network name, which humans understand more easily than a hex BSSID.

  4. Now we have to do a "fake authentication" with the network. This is pretty self-explanatory: it authenticates you with the access point. If you didn't run this, the access point would return "deauthenticated" packets, not allowing you to inject packets into the network.

    Type:

    aireplay-ng -1 0 -e [network name] -a [target network MAC] -h [your MAC address] [interface]

    It should respond "Association successful :-)"; if not, try again until it works.
    This may take a while, so don't fret if it doesn't work right away. I've had to do this three or four times or more, with new terminals and locations, until I finally got it; it's just luck sometimes.
     
  5. Reinject ARP (Address Resolution Protocol) packets into the network to create network activity. To review ARP, check out my ARP information post and read it thoroughly; it isn't long and gives a good explanation of what ARP is all about. What we're basically doing is replaying ARP requests to generate new data packets on the network so we can record them and crack the key!

    Type:

    aireplay-ng -3 -b [target network MAC] -h [your MAC address] [interface]

    It should say "Read xxxx packets (got xxxx ARP requests), sent xxxx packets..." and network activity should increase.
     
  6. Crack the WEP key! Type:

    aircrack-ng -b [target network MAC] *.cap

    Note: you can enter the actual file name instead of "*.cap" if you know it, or whatever "output prefix" you entered followed by *.cap (all on one line, since airodump-ng appends -xxxxx_xxxx after the prefix and before .cap).
     
  7. Crack the WPA/WPA2 key (if you're not cracking WEP)! Type:

    aircrack-ng -w [password list] -b [target network MAC] *.cap

    Note: You must have captured the WPA handshake, and again, substitute your capture file accordingly.
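The columns described in step 3 are also written by airodump-ng to a `[output prefix]-01.csv` file next to the capture. The following is an added example (not from this post or from the aircrack-ng project) that reads such a file for a network you administer and flags access points still running the encryption modes this post shows being broken; the CSV sample is constructed, and the column order is assumed from airodump-ng's usual layout.

```python
import csv
import io

# Constructed sample of the <prefix>-01.csv that airodump-ng writes alongside the
# .cap file; the column order is assumed from airodump-ng's usual layout. The
# station section after the blank line is not needed for this audit.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-06-24 10:00:01, 2011-06-24 10:05:09,  6,  54, WEP , WEP , OPN ,-52,  120,  3051,   0.  0.  0.  0,   7, HomeNet, 
00:11:22:33:44:66, 2011-06-24 10:00:02, 2011-06-24 10:05:09, 11,  54, WPA2, CCMP, PSK ,-70,   98,     0,   0.  0.  0.  0,   6, Office, 
00:11:22:33:44:77, 2011-06-24 10:00:03, 2011-06-24 10:05:08,  1,  54, OPN , ,   ,-61,   45,     0,   0.  0.  0.  0,   5, Guest, 
00:11:22:33:44:88, 2011-06-24 10:00:04, 2011-06-24 10:05:07,  6,  54, WPA , TKIP, PSK ,-66,   77,     0,   0.  0.  0.  0,   6, Legacy, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:ff, 2011-06-24 10:00:05, 2011-06-24 10:05:09, -60, 14, 00:11:22:33:44:55, 
"""


def parse_access_points(text):
    """Return one dict per access-point row, keyed by header name (ENC is 'Privacy')."""
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [name.strip() for name in next(reader)]
    rows = []
    for fields in reader:
        if len(fields) < len(header):      # skip blank or truncated lines
            continue
        rows.append({name: value.strip() for name, value in zip(header, fields)})
    return rows


def weak_encryption_findings(text):
    """List (BSSID, ESSID, reason) for every AP whose ENC/CIPHER is WEP (key
    recoverable from IVs, as the steps above show), OPN, or still allows TKIP."""
    findings = []
    for ap in parse_access_points(text):
        privacy, cipher = ap["Privacy"], ap["Cipher"]
        if privacy == "WEP":
            reason = "WEP: key recoverable from captured IVs"
        elif privacy == "OPN":
            reason = "open network: traffic is sent in the clear"
        elif "TKIP" in cipher:
            reason = "TKIP allowed: move to WPA2 with CCMP only"
        else:
            continue
        findings.append((ap["BSSID"], ap["ESSID"], reason))
    return findings


if __name__ == "__main__":
    for bssid, essid, reason in weak_encryption_findings(SAMPLE_CSV):
        print(bssid, essid, reason, sep="  ")
```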
For WEP cracking, this should run a terminal with "Tested xxxx keys (got xxxx IVs)" and a bunch of hex gibberish underneath. You can run this while you inject packets. It should find the key eventually, unless the network admin or creator disconnects the network or you go out of range of it. Sometimes it takes as few as 5000 keys, and other times 250,000 keys.
My record is about 2-3 minutes while sitting on a toilet in a flea market; it's fun to see how quickly WEP is broken, so remember: ALWAYS use WPA2 with a non-dictionary passkey. You can review more tips about securing your home network at my post here.

For WPA cracking, it runs through a list of passwords (in BackTrack 5 there is a darkc0de.lst with almost a million, if not more, passwords) and checks every one for a match, thus taking quite a bit longer; and if the password is not in the list, it is impossible to crack through this method.
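What aircrack-ng checks for each wordlist entry is the Pairwise Master Key derived from that entry and the ESSID (the handshake comparison itself is not shown here). The block below is an added example, not code from this post or from aircrack-ng, that makes two points in the paragraph concrete: every candidate costs a full PBKDF2 run, and a passphrase that is not in the list cannot be found, because changing a single character yields an unrelated PMK, so there is no way to confirm "part" of a passphrase. The wordlist is constructed; the known-answer vector is the one published in IEEE 802.11i.

```python
import hashlib

# Passphrase-to-PMK test vector from IEEE 802.11i (Annex H): passphrase, SSID, expected PMK.
KNOWN_VECTOR = ("password", "IEEE",
                "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed stand-in for a wordlist such as darkc0de.lst (real lists hold ~1M entries).
SAMPLE_WORDLIST = ["123456", "password", "drank", "boobies", "letmein", "drankboobies"]

PBKDF2_ROUNDS = 4096      # fixed by the WPA/WPA2-Personal specification
PMK_BYTES = 32            # 256-bit Pairwise Master Key


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Real passphrases are 8-63 characters. The whole passphrase is fed into
    every HMAC round, so no intermediate value confirms "the first character is right"."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_BYTES)


def self_check():
    """True when this machine's PBKDF2 reproduces the published 802.11i vector."""
    passphrase, ssid, expected = KNOWN_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected


def pmk_bytes_differing(passphrase_a, passphrase_b, ssid):
    """Count the PMK bytes that change between two passphrases (avalanche effect)."""
    a, b = derive_pmk(passphrase_a, ssid), derive_pmk(passphrase_b, ssid)
    return sum(x != y for x, y in zip(a, b))


def passphrase_in_wordlist(passphrase, wordlist):
    """The dictionary attack's only success condition, turned into a self-audit:
    a passphrase present in the list is exactly one PBKDF2 away from being recovered."""
    return any(passphrase == entry.strip() for entry in wordlist)


def hmac_invocations_to_test(n_entries):
    """HMAC-SHA1 calls needed to derive a PMK for every list entry: SHA1 yields
    20 bytes, so a 32-byte PMK needs two PBKDF2 blocks of 4096 rounds each."""
    blocks = -(-PMK_BYTES // 20)          # ceiling division: 2 blocks
    return n_entries * blocks * PBKDF2_ROUNDS


if __name__ == "__main__":
    print("802.11i test vector reproduced:", self_check())
    print("PMK bytes changed by a one-character edit:",
          pmk_bytes_differing("drankboobies", "drankboobiez", "HomeNet"))
    print("HMAC calls to test a million-entry list:", hmac_invocations_to_test(1_000_000))
```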

For further in-depth reading on cracking WEP networks, check out this paper.

The aircrack-ng suite includes the programs below; try playing around with them. If you enter the program name followed by --help or -h, usually (almost always) a help page appears with all the options you can enter.

    Name              What the program does

    aircrack-ng       Cracks WEP and WPA (dictionary attack) keys.
    airdecap-ng       Decrypts WEP or WPA encrypted capture files with a known key.
    airmon-ng         Places different cards in monitor mode.
    aireplay-ng       Packet injector (Linux, and Windows with CommView drivers).
    airodump-ng       Packet sniffer: places air traffic into PCAP or IVS files and shows information about networks.
    airtun-ng         Virtual tunnel interface creator.
    airolib-ng        Stores and manages ESSID and password lists and computes Pairwise Master Keys; increases the KPS of WPA attacks.
    packetforge-ng    Creates encrypted packets for injection.
    Tools             Tools to merge and convert.
    airbase-ng        Incorporates techniques for attacking clients, as opposed to access points.
    airdecloak-ng     Removes WEP cloaking from pcap files.
    airdriver-ng      Tools for managing wireless drivers.
    airserv-ng        Allows you to access the wireless card from other computers.
    buddy-ng          The helper server for easside-ng, run on a remote computer.
    easside-ng        A tool for communicating with an access point without the WEP key.
    tkiptun-ng        WPA/TKIP attack.
    wesside-ng        Automatic tool for recovering a WEP key.

    Last updated at 10:30am on July 27th, 2011.

    29 comments:

    1. I'm not sure what your target audience is, but perhaps this post could benefit from more of an introduction to the relevant concepts, such as what WEP and WPA are, what a channel is, what it means for a network card to be in monitor mode, and so on. I think that someone that is only just beginning to learn how to crack, say, a WEP network, has a good chance of being unaware of these things.

      Another note is that just giving a command without explaining each of the command line parameters that you use plays into making the reader memorize rather than learn. Granted, the user should be checking man pages or documentation or other sources, but I think that accessibility should be a concern for anyone writing a blog post that is intended to be educational, unless it is for your own personal reference.

    2. @anon, thanks for the feedback, I'll definitely keep updating this as time goes on. Right now I'm on vacation and writing them up, so the content will DEFINITELY increase, partly due to more time and partly due to people like you giving me good feedback. I'm keeping a list of suggestions and information that people want, and I'll take note of your comments, thanks!

    3. Posts like this make me want to learn Linux. This would be VERY useful to me!

    4. @Anthony, that's what my blog is about! Linux is very easy to pick up on. Check out my overview of Linux commands for some simple Linux work.

      What OS do you use right now? I'm planning on writing up a guide to dual-boot Windows/BT5 and to install a full BT5 Ubuntu, which one would you be interested in?

    5. I get this error:

      ioctl(SIOCSIWMODE) failed: Invalid argument

      ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
      ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
      sure RFMON is enabled: run 'airmon-ng start eth1 <#>'
      Sysfs injection support was not found either.

      when I run airodump-ng on either eth1 or wlan1 (Broadcom and Rosewill wireless adapters respectively).

      I googled around a lot and tried a few things, but I'm pretty new to Linux. Any tips?
    6. @Evan, I've never used aircrack-ng with an Ethernet connection, so I'm not sure if there's any difference... but as for your wireless, go to the Aircrack-ng site and check out the compatible wireless adapters... yours may not be compatible with aircrack, which is sad to say.

      What command does that error appear on? Does your test injection work? Your card may not be good enough for packet injection.
    7. If that's the case, which wireless USB adapter would you recommend if I just wanted something very cheap that works? My apartment doesn't provide wired internet and I'm pretty low on cash. :(

    8. @Evan:

      Most people recommend the alfa 1000mw usb adapter. It's very well known among the wardriving and wifi cracking "community".

      Here's an amazon link: http://www.amazon.com/Alfa-802-11b-Wireless-Original-9dBi/dp/B001O9X9EU

      If you can afford it, you won't regret it

    9. @Evan, check out Anon's suggestion. I don't know much about USB adapters but that looks good.

    10. Great post Marshall! Loved it.

      Can't wait to get cracki.... TESTING!! I meant testing the security of WEP networks. Especially in airports like the Schiphol Airport, because I looove testing myself a good security. Especially when there's no free wi-fi around.

      Unfortunately I have to wait a bit :( My network card is a Broadcom 4331 and so far there's no Linux driver. Curse you Broadcom!

      Anyway I'm going to add hackavision.com to my blogroll if you don't mind. Cheers!
    11. Great post Marshall! I would like to know though, is aircrack-ng the only package I need to do all of this? I'm fairly new in the Linux world and I'm using Ubuntu 11.10. Also, once I'm in a network, how do you browse files on other computers connected to the same network?
    12. whenever I do it I get to step 2 and get "cannot execute binary file" do you know how I can fix it?

    13. @Tarnasus Good luck and have fun, but watch out, if you get caught you're pretty much SOL... and I don't recommend doing it in big places.

      @AnonNov2nd The Aircrack-ng (new generation) package should have all of the things necessary to do this!

      @AnonNov12th Did you install Aircrack-ng correctly? Try reinstalling it.
    14. Cool post... been in IT for a couple years and I do network security and pen testing. This is a good guide for newbies. I noticed I had probs capturing IVs in the beginning... something you could have injected into this post is what to do when you're not capturing IVs. Maybe you did and I just skipped over it unwittingly. In any case I like this thread. Keep up the good educational work.
    15. Darkcode.lst doesn't have the wpa2,
      How do I crack this wpa2?

      Replies
      1. What do you mean? Darkcode.lst is a list of passwords that are used to bruteforce, what do you mean it "doesn't have the wpa2?"
    16. First change your MAC address.
    17. darkcode.lst is a list of combinations to find the password of the network that you attack; without a list of words you cannot hack a network.
    18. Very interesting and important, am getting myself acquainted with your elucidation. Thanks

    19. I have a question:
      Why is it that when cracking .cap files for WPA (with valid handshakes), if the word.lst does not contain the whole passphrase, it can't decrypt it? I set up BackTrack and a router with WEP encryption and hacked it in a matter of mins, first time. But after many tries, no luck on WPA (my own router running dd-wrt). I used two words from the darkc0de.lst, "drank" and "boobies", but aircrack couldn't find it.

      +? So is there a way to modify aircrack-ng (if you were a programmer with the know-how) to decrypt only half the password, or parts of it at a time? Why can't it decrypt just the "d" in "drank", verify that d is correct, save its progress and just move along to "r", ultimately resulting in a password with a word.lst of only a-z, numbers and special characters !#$#$^?

      Now I don't have a full understanding of how the decryption takes place, aka what raw data the computer is processing, but just an idea. Maybe if it were that simple, they would just have it??
    21. Nice tutorial, keep up the good work. It's amazing to me how many people are interested in cracking WEP. The WPA part is interesting as well, but what many newbs will quickly find is that dictionary attacks can take 5 mins or 5 million years lol. Now is the time to find reaver; if you want to crack WPA/WPA2, reaver is a good tool to learn, and it's readily available (apt-get install reaver) in Linux as any tools.

      Replies
      1. Reaver IS really cool-- but as far as I know Reaver has not been updated in a while. The last time I tried to use it I could not get it up and working, but I've been considering trying to get it working and writing up something about it, as WPS is very insecure and definitely something that needs more coverage.
    22. How to write symbol " & " in aireplay ?

    23. escape it with '\' no ''

    24. Got ACK, ARP and packets inbound, but the aircrack attempt still failed even though the data reached more than 15000. Any idea?
    25. To whom it may concern: the owner of this blog.

      Bro this is some very good advice, so far the only thing that works or worked for me. So many people claim to give advice to mediocre Linux users like I and leave other steps out, only giving approximately 64% guidance.

      My question to you and other advanced computer users is DO I REALLY HAVE TO STUDY COMPUTER SCIENCE TO GET TO YOUR LEVEL OF COMPUTER KNOWLEDGE? I mean I'm already double majoring in mechanics and economics, but I have just developed this passion and love for computers that I just wanna pursue. Wanna know everything there, but I don't wanna go study as I'm already double majoring.

      If you don't mind I would love your guidance in building my progress in acquiring your skills and expertise via e-mail chats via my very own address at sk-dezl@yahoo.com.
      Hope to hear from you soon bro. Cheers