cracking_wpa
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
cracking_wpa [2007/09/04 16:12] – added how to filter eapol packets with Wireshark darkaudax | cracking_wpa [2022/01/02 21:34] (current) – Fixed dead links mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: How to Crack WPA/WPA2 ====== | ====== Tutorial: How to Crack WPA/WPA2 ====== | ||
- | Version: 1.07 September 4, 2007\\ | + | Version: 1.20 March 07, 2010\\ |
By: darkAudax | By: darkAudax | ||
- | |||
===== Introduction ===== | ===== Introduction ===== | ||
- | This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The [[http:// | + | This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The [[http:// |
WPA/WPA2 supports many types of authentication beyond pre-shared keys. [[aircrack-ng]] can ONLY crack pre-shared keys. So make sure [[airodump-ng]] shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it. | WPA/WPA2 supports many types of authentication beyond pre-shared keys. [[aircrack-ng]] can ONLY crack pre-shared keys. So make sure [[airodump-ng]] shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it. | ||
Line 16: | Line 15: | ||
The impact of having to use a brute force approach is substantial. | The impact of having to use a brute force approach is substantial. | ||
+ | |||
+ | **IMPORTANT** This means that the passphrase must be contained in the dictionary you are using to break WPA/ | ||
There is no difference between cracking WPA or WPA2 networks. | There is no difference between cracking WPA or WPA2 networks. | ||
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | ||
- | |||
- | I would like to acknowledge and thank the [[http:// | ||
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
Line 31: | Line 30: | ||
* You are using drivers patched for injection. | * You are using drivers patched for injection. | ||
* You are physically close enough to send and receive access point and wireless client packets. | * You are physically close enough to send and receive access point and wireless client packets. | ||
- | * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed. | + | * You are using v0.9.1 or above of aircrack-ng. If you use a different version then some of the command options may have to be changed. |
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | ||
- | |||
- | In the examples, the option " | ||
===== Equipment used ===== | ===== Equipment used ===== | ||
- | |||
- | To follow this tutorial at home, you must have two wireless cards. | ||
In this tutorial, here is what was used: | In this tutorial, here is what was used: | ||
Line 67: | Line 62: | ||
- Use aireplay-ng to deauthenticate the wireless client | - Use aireplay-ng to deauthenticate the wireless client | ||
- Run aircrack-ng to crack the pre-shared key using the authentication handshake | - Run aircrack-ng to crack the pre-shared key using the authentication handshake | ||
- | |||
==== Step 1 - Start the wireless interface in monitor mode ==== | ==== Step 1 - Start the wireless interface in monitor mode ==== | ||
The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only " | The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only " | ||
+ | |||
+ | The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command: | ||
+ | |||
+ | | ||
+ | |||
+ | On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds: | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. **Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v0.9.1.** | ||
+ | Both entries of the Atheros card show " | ||
+ | Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up. | ||
+ | |||
+ | === Step 1a - Setting up madwifi-ng === | ||
Line 132: | Line 145: | ||
In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | ||
- | To match the frequency to the channel, check out: | + | To match the frequency to the channel, check out: http://www.cisco.com/en/US/ |
- | http://www.rflinx.com/help/calculations/# | + | |
+ | === Step 1b - Setting up mac80211 drivers === | ||
+ | |||
+ | Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9: | ||
+ | |||
+ | | ||
+ | |||
+ | The system responds: | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | Notice that airmon-ng enabled monitor-mode //on mon0//. So, the correct interface name to use in later parts of the tutorial is mon0. Wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping. | ||
+ | |||
+ | To confirm successful setup, run " | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | Retry min limit: | ||
+ | | ||
+ | Power Management: | ||
+ | Link Quality: | ||
+ | Rx invalid nwid: | ||
+ | Tx excessive retries: | ||
+ | |||
+ | | ||
+ | Retry min limit: | ||
+ | | ||
+ | Power Management: | ||
+ | Link Quality: | ||
+ | Rx invalid nwid: | ||
+ | Tx excessive retries: | ||
+ | |||
+ | |||
+ | Here, mon0 is seen as being in monitor mode, on channel 9 (2.452GHz). Unlike madwifi-ng, the monitor interface has no Access Point field at all. Also notice that wlan0 is still present, and in managed mode - this is normal. Because both interfaces share a common radio, they must always be tuned to the same channel - changing the channel on one interface also changes channel on the other one. | ||
+ | |||
+ | === Step 1c - Setting up other drivers === | ||
+ | |||
+ | For other (ieee80211-based) drivers, simply run the following command to enable monitor mode (replace rausb0 with your interface name): | ||
+ | |||
+ | | ||
+ | |||
+ | The system responds: | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | At this point, the interface should be ready to use. | ||
==== Step 2 - Start airodump-ng to collect authentication handshake ==== | ==== Step 2 - Start airodump-ng to collect authentication handshake ==== | ||
- | The purpose of this step is run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in. | + | The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in. |
Enter: | Enter: | ||
Line 146: | Line 215: | ||
Where: | Where: | ||
*-c 9 is the channel for the wireless network | *-c 9 is the channel for the wireless network | ||
- | *- -bssid 00: | + | *-'''' |
*-w psk is the file name prefix for the file which will contain the IVs. | *-w psk is the file name prefix for the file which will contain the IVs. | ||
*ath0 is the interface name. | *ath0 is the interface name. | ||
- | Important: Do NOT use the "- -ivs" option. | + | Important: Do NOT use the "-'''' |
Here what it looks like if a wireless client is connected to the network: | Here what it looks like if a wireless client is connected to the network: | ||
- | CH 9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 | + | CH 9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00: |
BSSID PWR RXQ Beacons | BSSID PWR RXQ Beacons | ||
Line 163: | Line 232: | ||
00: | 00: | ||
+ | |||
+ | In the screen above, notice the "WPA handshake: 00: | ||
Here it is with no connected wireless clients: | Here it is with no connected wireless clients: | ||
Line 177: | Line 248: | ||
=== Troubleshooting Tip === | === Troubleshooting Tip === | ||
- | It can sometimes be tricky to capture | + | See the [[cracking_wpa# |
- | To see if you captured any handshake packets, | + | To see if you captured any handshake packets, |
+ | |||
+ | Use Wireshark and apply a filter of " | ||
==== Step 3 - Use aireplay-ng to deauthenticate the wireless client ==== | ==== Step 3 - Use aireplay-ng to deauthenticate the wireless client ==== | ||
- | This step is optional. | + | This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. |
- | What this step does is send a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. | + | This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. |
Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. | Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. | ||
Line 194: | Line 267: | ||
Where: | Where: | ||
* -0 means deauthentication | * -0 means deauthentication | ||
- | * 1 is the number of deauths to send (you can send muliple | + | * 1 is the number of deauths to send (you can send multiple |
* -a 00: | * -a 00: | ||
* -c 00: | * -c 00: | ||
Line 207: | Line 280: | ||
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | * The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. | + | * The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. |
Line 214: | Line 287: | ||
The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. | The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. | ||
- | There is a small dictionary that comes with aircrack-ng - " | + | There is a small dictionary that comes with aircrack-ng - " |
Open another console session and enter: | Open another console session and enter: | ||
Line 273: | Line 346: | ||
EAPOL HMAC : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB | EAPOL HMAC : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB | ||
+ | |||
+ | ===== Troubleshooting Tips ===== | ||
+ | |||
+ | ==== I Cannot Capture the Four-way Handshake! ==== | ||
+ | |||
+ | It can sometimes be tricky to capture the four-way handshake. | ||
+ | |||
+ | * Your monitor card must be in the same mode as the both the client and Access Point. | ||
+ | * Sometimes you also need to set the monitor-mode card to the same speed. | ||
+ | * Be sure that your capture card is locked to the same channel as the AP. You can do this by specifying "-c <channel of AP>" | ||
+ | * Be sure there are no connection managers running on your system. | ||
+ | * You are physically close enough to receive both access point and wireless client packets. | ||
+ | * Conversely, if you are too close then the received packets can be corrupted and discarded. | ||
+ | * Make sure to use the drivers specified on the wiki. Depending on the driver, some old versions do not capture all packets. | ||
+ | * Ideally, connect and disconnect a wireless client normally to generate the handshake. | ||
+ | * If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate. | ||
+ | * Try stopping the radio on the client station then restarting it. | ||
+ | * Make sure you are not running any other program/ | ||
+ | * Review your captured data using the [[wpa_capture|WPA Packet Capture Explained tutorial]] to see if you can identify the problem. | ||
+ | |||
+ | Unfortunately, | ||
+ | |||
+ | Another approach is to use Wireshark to review and analyze your packet capture. | ||
+ | |||
+ | In an ideal world, you should use a wireless device dedicated to capturing the packets. | ||
+ | |||
+ | When using Wireshark, the filter " | ||
+ | |||
+ | To dig deep into the packet analysis, you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not just IVs. Needless to say, it must be locked to the AP channel. | ||
+ | |||
+ | Every packet sent by client or AP must be acknowledged. | ||
+ | |||
+ | When it comes to analyzing packet captures, it is impossible to provide detailed instructions. | ||
+ | |||
+ | |||
+ | ==== aircrack-ng says "0 handshakes" | ||
+ | |||
+ | Check the "I Cannot Capture the Four-way Handshake!" | ||
+ | |||
+ | |||
+ | ==== aircrack-ng says "No valid WPA handshakes found" ==== | ||
+ | |||
+ | Check the "I Cannot Capture the Four-way Handshake!" |
cracking_wpa.txt · Last modified: 2022/01/02 21:34 by mister_x