How To Crack WEP and WPA Wireless Networks
Cracking WEP, WPA-PSK and WPA2-PSK wireless security using aircrack-ng
2008.11.21 10:53 by Philip
Keywords: aircrack, Wireless, Wi-Fi, WPA, WEP, WPA2, NIC, hash, wordlist, security, SSID, channel
Introduction
With the popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant, but very necessary for both home/SOHO users and IT professionals alike. This article is aimed at illustrating current security flaws in WEP/WPA/WPA2.
Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology, as well as working with command-line tools. A basic familiarity with Linux can be helpful as well.
Disclaimer: Attempting to access a network other than your own, or one you have permission to use, is illegal in some U.S. jurisdictions. Speed Guide, Inc. are not to be held liable for any damages resulting from the use or misuse of the information in this article.
To successfully crack WEP/WPA, you first need to be able to set your wireless network
card in "monitor" mode to passively capture packets without being associated with a
network. This NIC mode is driver-dependent, and only a relatively small number of
network cards support this mode under Windows.
One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards available here: NIC chipset compatibility list.
If your network card is not supported under Windows, one can use a free Linux Live CD to
boot the system. BackTrack 3 is probably the most commonly used distribution, since it
runs from a Live CD, and has aircrack-ng and a number of related tools already installed.
For this article, I am using aircrack-ng version 1.0 on a Linux partition (Fedora Core 10, 2.6 32-bit kernel) on my Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn network card. If you're using the BackTrack 3 CD, aircrack-ng is already installed; with my version of Linux it was as simple as finding it with:
airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data.
1. Setup (airmon-ng)
As mentioned above, to capture network traffic without being associated with an access point, we need to set the wireless network card in monitor mode. To do that under Linux, in a terminal window (logged in as root), type:
iwconfig (to find all wireless network interfaces and their status)
airmon-ng start wlan0 (to set in monitor mode; you may have to substitute wlan0 for your own interface name)
ifconfig (to list available network interfaces; my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC - can even simulate the MAC of an associated client. The NIC should be stopped before changing its MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.
airodump-ng mon0 - monitors all channels, listing available access points and associated clients within range. It is best to select a target network with strong signal (PWR column), more traffic (Beacons/Data columns) and associated clients (listed below all access points). Once you've selected a target, note its Channel and BSSID (MAC address). Also note any STATION associated with the same BSSID (client MAC addresses).
WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between
20k and 40k packets), while WPA-PSK needs a dictionary attack on a captured handshake
between the access point and an associated client which may or may not work.
Notes:
You typically need between 20,000 and 40,000 data packets to successfully recover a
WEP key.
One can also use the "--ivs" switch with the airodump-ng command to capture only IVs,
instead of whole packets, reducing the required disk space. However, this switch can only
be used if targeting a WEP network, and renders some types of attacks useless.
Assuming your network card is capable of injecting packets, in a separate terminal window try:
aireplay-ng allows for injecting packets to greatly reduce the time required to recover a WEP key
Notes:
To test whether your NIC is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available here.
To see all available replay attacks, type just: aireplay-ng
Notes:
If your data file contains ivs/packets from different access points, you may be presented
with a list to choose which one to recover.
Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It
may sometimes work with as few as 10,000 packets with short keys.
To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This can be obtained using the same technique as with WEP in step 3 above, using airodump-ng.
You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:
Once you have captured a four-way handshake, you also need a large/relevant dictionary file (commonly known as a wordlist) with common passphrases. See related links below for some wordlist links.
You can then execute the following command in a Linux terminal window (assuming both the dictionary file and captured data file are in the same directory):
Additional Notes:
Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a handshake). After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files. A good-size wordlist should be 20+ Megabytes in size; cracking a strong passphrase will take hours and is CPU intensive.
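The handshake shortcut mentioned earlier (deauthenticating an associated client so that it reconnects) produces a burst of 802.11 deauthentication or disassociation frames, which is exactly what a wireless IDS watches for. The following is an added example, not code from the article or from the aircrack-ng project: it parses raw 802.11 management frames by their standard header layout and flags any transmitter that sends more than a threshold of deauth/disassoc frames for one BSSID inside a sliding one-second window. The MAC addresses, reason codes, timestamps and the threshold of 10 frames are all constructed for the demo; function names such as `detect_deauth_bursts` are chosen here.

```python
# Added example (not from the article): detect bursts of 802.11
# deauthentication / disassociation frames in a monitor-mode capture.
# Frames are bare 802.11 (no radiotap header); the sample ones are constructed.
from collections import defaultdict

# Frame control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype
FT_MANAGEMENT = 0
ST_BEACON = 8
ST_DISASSOC = 10
ST_DEAUTH = 12


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None.

    Management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2).
    Deauth/disassoc bodies begin with a 2-byte little-endian reason code.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != FT_MANAGEMENT:
        return None
    addr1 = frame[4:10].hex(":")    # receiver
    addr2 = frame[10:16].hex(":")   # transmitter
    addr3 = frame[16:22].hex(":")   # BSSID for management frames
    reason = None
    if subtype in (ST_DEAUTH, ST_DISASSOC) and len(frame) >= 26:
        reason = int.from_bytes(frame[24:26], "little")
    return subtype, addr1, addr2, addr3, reason


def detect_deauth_bursts(frames, window_s=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame), in time order.

    Returns {(bssid, transmitter): peak_count} for every source that sent more
    than `threshold` deauth/disassoc frames within any `window_s` sliding window.
    """
    recent = defaultdict(list)   # (bssid, transmitter) -> timestamps in window
    alerts = {}
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] not in (ST_DEAUTH, ST_DISASSOC):
            continue
        _subtype, _addr1, addr2, addr3, _reason = parsed
        key = (addr3, addr2)
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window_s:   # expire old timestamps
            times.pop(0)
        if len(times) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(times))
    return alerts


def build_mgmt_frame(subtype, addr1_hex, addr2_hex, addr3_hex, reason=None):
    """Construct a minimal management frame (test data only, no FCS)."""
    fc = bytes([(subtype << 4) | (FT_MANAGEMENT << 2), 0x00])
    frame = (fc + b"\x00\x00" + bytes.fromhex(addr1_hex) + bytes.fromhex(addr2_hex)
             + bytes.fromhex(addr3_hex) + b"\x00\x00")
    if reason is not None:
        frame += reason.to_bytes(2, "little")
    return frame


def sample_capture():
    """Constructed demo: 5 beacons, one ordinary deauth, then a 30-frame flood."""
    bssid = "001122334455"          # constructed access point MAC
    client = "66778899aabb"         # constructed client MAC
    broadcast = "ffffffffffff"
    frames = [(i * 0.1, build_mgmt_frame(ST_BEACON, broadcast, bssid, bssid)) for i in range(5)]
    frames.append((1.0, build_mgmt_frame(ST_DEAUTH, client, bssid, bssid, reason=3)))
    frames += [(5.0 + i * 0.01, build_mgmt_frame(ST_DEAUTH, broadcast, bssid, bssid, reason=7))
               for i in range(30)]
    return frames


if __name__ == "__main__":
    for (bssid, src), n in detect_deauth_bursts(sample_capture()).items():
        print(f"ALERT: {n} deauth/disassoc frames within 1s from {src} (BSSID {bssid})")
```

A single deauthentication (a client leaving cleanly, or an AP dropping an idle station) stays below the threshold; a spoofed flood, which uses the AP's own MAC as transmitter, trips it within a fraction of a second. On a live capture the same function would be fed frames from a monitor-mode interface after stripping the radiotap header.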
Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a weak/short/common/human-readable passphrase can be broken within a few minutes using an offline dictionary attack. My record time was less than a minute on an all-caps 10-character passphrase using common words with less than 11,000 tested keys! A modern laptop can process over 10 Million possible keys in less than 3 hours.
WPA hashes the network key using the wireless access point's SSID as salt. This prevents the statistical key-grabbing techniques that broke WEP, and makes hash precomputation more difficult because the specific SSID needs to be added as salt for the hash. There are some tools like coWPAtty that can use precomputed hash files to speed up dictionary attacks. Those hash files can be very effective (since they're much less CPU intensive and therefore faster), but quite big in size. The Church of WiFi has computed hash tables for the 1000 most common SSIDs against a million common passphrases that are 7Gb and 33Gb in size...
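To make the SSID-as-salt point concrete, here is an added example (not from the article or from any of the tools it names) of the passphrase-to-key mapping that IEEE 802.11i defines: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256-bit output). The "password"/"IEEE" pair is the published 802.11i test vector; the other SSIDs and candidate passphrases are constructed, and `derive_psk` and `guesses_per_second` are names chosen here.

```python
# Added example (not from the article): how a WPA/WPA2-PSK passphrase becomes
# the 256-bit Pairwise Master Key. Because the SSID is the PBKDF2 salt, a
# precomputed table is only valid for one SSID, and every dictionary guess
# costs 4096 HMAC-SHA1 iterations, which is the whole reason it is CPU bound.
import hashlib
import time


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for a passphrase/SSID pair (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def guesses_per_second(sample: int = 200, ssid: str = "constructed-ssid") -> float:
    """Rough single-core throughput of the derivation on this machine."""
    start = time.perf_counter()
    for i in range(sample):
        derive_psk(f"candidate{i:08d}", ssid)   # constructed candidates
    return sample / (time.perf_counter() - start)


def seconds_to_exhaust(wordlist_entries: int, rate: float) -> float:
    """Time to try every entry of a wordlist at `rate` guesses per second."""
    return wordlist_entries / rate


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PSK(password, IEEE)  =", derive_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: an unrelated key, so a table built for
    # "IEEE" says nothing about a network named "ieee".
    print("PSK(password, ieee)  =", derive_psk("password", "ieee").hex())
    rate = guesses_per_second()
    minutes = seconds_to_exhaust(1_000_000, rate) / 60
    print(f"~{rate:.0f} guesses/s on one core; a 1,000,000-entry wordlist "
          f"takes ~{minutes:.1f} minutes to exhaust")
```

The same derivation is what `wpa_passphrase` from wpa_supplicant prints as the `psk=` hex line, which is a convenient cross-check. The benchmark makes the article's numbers tangible: the cost per guess is fixed by the 4096 iterations, so the only defender-side lever is passphrase entropy, which is why a long random passphrase sits outside any practical wordlist regardless of SSID.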
Conclusion
As demonstrated above, WEP cracking has become increasingly easier over the years, and what used to take hundreds of thousands of packets and days of capturing data can be accomplished today within 15 minutes with a mere 20k data frames.
WPA/WPA2-PSK encryption is holding its ground if using a strong, long key. However,
weak passphrases are vulnerable to dictionary attacks. WPA/WPA2 may be on borrowed
time as well, according to some recent news.
Related Links
aircrack-ng
Openwall wordlist collection
Wordlists mirror
wordlists - torrent search
the A.R.G.O.N. - wordlists
Church of WiFi hash tables
Yes, the aircrack suite will work under Vista as well. All commands need to be run under an "elevated command prompt" (administrator privileges), or you need to have UAC (User Account Control) turned off.
The only potential problem under Windows is that fewer network adapters have
compatible drivers that support monitor mode.
Hello,
finally I got Back Track to work (this already took me a while =) ). But now I typed in "ifconfig" at the console and it doesn't show me a wireless interface. Do I need to install any drivers? Or does it simply not work with my laptop's wireless card? It's an Intel Wireless WiFi Link 5100. When I look at the compatibility list it should work, I think:
Greetings Timothy
Intel wireless cards don't play well with Linux. Consider getting a D-Link card that uses
an Atheros chipset or get any other Atheros based card.
While it is true that Atheros-based NICs have the widest support, the latest Linux kernels have improved Intel-based support.
I have had no problem running aircrack with my Intel 4965agn wireless NIC, as mentioned in the article.
To show the wireless interfaces attached to your computer, you need to type: iwconfig.
Good luck
hey Phil,
so im wondering.. after this process, do i have to put my wireless card back in normal or
"managed" mode as i think its called? and if so how do i do so? thx a bunch in advance. i
havent done this crack process yet cuz i want all the intangibles covered as much as i
can but as soon as u reply, i will. cuz ur guide look legit and fool proof. thx again.
"ERROR: Neither the sysfs interface links nor the iw command is available"
Then again I'm running backtrack 3 from my USB dongle. I did not, nor know how to, install the image to the USB, so I believe the installation is read-only. Is it possible to install iw, or how do I install backtrack to the USB dongle?
Thanks for the article Phillip, I was wondering does one need to install a Linux OS on the
machine or can it be done from Virtual Box or similar software?
triniwasp, theoretically it's possible to run aircrack-ng under Windows if you have the
right driver for your network card.
Alternatively, you can run Backtrack 3 from a live CD, or you can install some other
version of Linux on a USB drive (or a second partition on your HDD).
Ultimately, it depends which OS supports the monitor/inject mode for your network
card.
Phillip,
When I attempt to capture after entering the commands I get the following message:
"airodump-ng --help" for help
Nor is there a data file in my home folder, do you have any idea what I'm doing wrong?
Thanks.
I have an AP in client mode because I don't have a wireless card. Is it possible to crack the wireless networks found by my AP?
Greetings from London. When I do the aireplay --deauth command, is there any
indication that would tell me if it worked or not?
You can hide, and have hidden, behind the letter of the law.
Publishing this information is ethically criminal. Your disclaimer
clearly indicates you understand people will use this information
to do what ought not to be done. Namely hacking into networks
not their own. Shame on you speed guide !
WEP, for example, has very well known exploits, and anyone serious about securing
their network should be aware of the extent of such flaws.
The article above merely informs readers how this is accomplished, therefore allowing
them to make more educated choices when choosing encryption methods.
Phillip,
You have only to look at all the other posts here, in order to clearly understand what is
happening. Others posting here are helping each other hack private networks (not
protect themselves), whether you do or do not acknowledge this it doesn't change the
truth of the matter. Period.
Information can be used in different ways. The fact that there exists the possibility of it being used unethically does not justify hiding it, and does not make it "shameful".
BFD
The best article I have read on using the aircrack suite. Thanks for posting, this
information needs to be known.
Dear Writer,
I am extremely thankful to you for this informative, clean, pin pointed and easy to
understand tutorial. It worked for me as piece of cake.
Before, I could reach at your article, I tried almost 50 Tutorials and 10 different Linux
Distros.. but my wireless RT2870 Chipset was not compatible for the said purpose.
Regards
Thank you again
by MD - 2009.12.04 22:27
Well, your tutorial was really easy to follow. Other ones at the default website and some forums were really long and confusing for me, even though I have been using Linux for over 5 years. I don't get why those people have written more commands and other shit.