User Tools

Site Tools


cracking_wpa

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
cracking_wpa [2008/01/26 15:35] – Expanded how to use Wireshark for analysis darkaudaxcracking_wpa [2022/01/02 21:34] (current) – Fixed dead links mister_x
Line 1: Line 1:
 ====== Tutorial: How to Crack WPA/WPA2 ====== ====== Tutorial: How to Crack WPA/WPA2 ======
-Version: 1.14 January 262008\\+Version: 1.20 March 072010\\
 By: darkAudax By: darkAudax
- 
  
 ===== Introduction ===== ===== Introduction =====
  
-This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys.  I recommend you do some background reading to better understand what WPA/WPA2 is.  The [[http://aircrack-ng.org|Wiki]] links page has a [[links#wpa_wpa2_information|WPA/WPA2 section]].   he best document describing WPA is [[http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en|Wi-Fi Security - WEP, WPA and WPA2]].  This is the [[http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|link]] to download the PDF directly.  The [[wpa_capture|WPA Packet Capture Explained tutorial]] is a companion to this tutorial. +This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys.  I recommend you do some background reading to better understand what WPA/WPA2 is.  The [[http://aircrack-ng.org|Wiki]] links page has a [[links#wpa_wpa2_information|WPA/WPA2 section]].   The best document describing WPA is [[https://web.archive.org/web/20120805090041/http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en|Wi-Fi Security - WEP, WPA and WPA2]].  This is the [[https://web.archive.org/web/20120917034330/http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|link]] to download the PDF directly.  The [[wpa_capture|WPA Packet Capture Explained tutorial]] is a companion to this tutorial. 
  
 WPA/WPA2 supports many types of authentication beyond pre-shared keys.  [[aircrack-ng]] can ONLY crack pre-shared keys.  So make sure [[airodump-ng]] shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it. WPA/WPA2 supports many types of authentication beyond pre-shared keys.  [[aircrack-ng]] can ONLY crack pre-shared keys.  So make sure [[airodump-ng]] shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
Line 16: Line 15:
  
 The impact of having to use a brute force approach is substantial.  Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU.  It can take hours, if not days, to crunch through a large dictionary.  If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this [[http://lastbit.com/pswcalc.asp|brute force time calculator]] first.  You will be very surprised at how much time is required. The impact of having to use a brute force approach is substantial.  Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU.  It can take hours, if not days, to crunch through a large dictionary.  If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this [[http://lastbit.com/pswcalc.asp|brute force time calculator]] first.  You will be very surprised at how much time is required.
 +
 +**IMPORTANT** This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2.  If it is not in the dictionary then aircrack-ng will be unable to determine the key.
  
 There is no difference between cracking WPA or WPA2 networks.  The authentication methodology is basically the same between them.  So the techniques you use are identical. There is no difference between cracking WPA or WPA2 networks.  The authentication methodology is basically the same between them.  So the techniques you use are identical.
  
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
- 
-I would like to acknowledge and thank the [[http://trac.aircrack-ng.org/wiki/Team|Aircrack-ng team]] for producing such a great robust tool.  
  
 Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Line 34: Line 33:
  
 Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.
- 
-In the examples, the option "double dash bssid" is shown as "- -bssid" Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs", "- -arpreplay", "- -deauth", "- -channel", "- -arp" and "- -fakeauth". 
  
 ===== Equipment used ===== ===== Equipment used =====
- 
-To follow this tutorial at home, you must have two wireless cards. 
  
 In this tutorial, here is what was used: In this tutorial, here is what was used:
Line 67: Line 62:
   - Use aireplay-ng to deauthenticate the wireless client   - Use aireplay-ng to deauthenticate the wireless client
   - Run aircrack-ng to crack the pre-shared key using the authentication handshake   - Run aircrack-ng to crack the pre-shared key using the authentication handshake
- 
  
 ==== Step 1 - Start the wireless interface in monitor mode ==== ==== Step 1 - Start the wireless interface in monitor mode ====
  
 The purpose of this step is to put your card into what is called monitor mode.  Monitor mode is the mode whereby your card can listen to every packet in the air.  Normally your card will only "hear" packets addressed to you.  By hearing every packet, we can later capture the WPA/WPA2 4-way handshake.  As well, it will allow us to optionally deauthenticate a wireless client in a later step. The purpose of this step is to put your card into what is called monitor mode.  Monitor mode is the mode whereby your card can listen to every packet in the air.  Normally your card will only "hear" packets addressed to you.  By hearing every packet, we can later capture the WPA/WPA2 4-way handshake.  As well, it will allow us to optionally deauthenticate a wireless client in a later step.
 +
 +The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command:
 +
 +   airmon-ng
 +
 +On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds:
 +
 +   Interface       Chipset         Driver
 +   
 +   rausb0          Ralink RT73     rt73
 +   wlan0           Broadcom        b43 - [phy0]
 +   wifi0           Atheros         madwifi-ng
 +   ath0            Atheros         madwifi-ng VAP (parent: wifi0)
 +
 +The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. **Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v0.9.1.**
 +Both entries of the Atheros card show "madwifi-ng" as the driver - follow the madwifi-ng-specific steps to set up the Atheros card.
 +Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up.
 +
 +=== Step 1a - Setting up madwifi-ng ===
  
  
Line 132: Line 145:
 In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
  
-To match the frequency to the channel, check out: +To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 .  This will give you the frequency for each channel.
-http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap" tab.  This will give you the frequency for each channel.+
  
 +=== Step 1b - Setting up mac80211 drivers ===
 +
 +Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9:
 +
 +   airmon-ng start wlan0 9
 +
 +The system responds:
 +
 +   Interface       Chipset         Driver
 +   
 +   wlan0           Broadcom        b43 - [phy0]
 +                                   (monitor mode enabled on mon0)
 +
 +Notice that airmon-ng enabled monitor-mode //on mon0//. So, the correct interface name to use in later parts of the tutorial is mon0. Wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping.
 +
 +To confirm successful setup, run "iwconfig". The following output should appear:
 +
 +   lo        no wireless extensions.
 +
 +   eth0      no wireless extensions.
 +   
 +   wmaster0  no wireless extensions.
 +   
 +   wlan0     IEEE 802.11bg  ESSID:""
 +             Mode:Managed  Frequency:2.452 GHz  Access Point: Not-Associated
 +             Tx-Power=0 dBm
 +             Retry min limit:  RTS thr:off   Fragment thr=2352 B
 +             Encryption key:off
 +             Power Management:off
 +             Link Quality: Signal level: Noise level:0
 +             Rx invalid nwid: Rx invalid crypt: Rx invalid frag:0
 +             Tx excessive retries: Invalid misc:  Missed beacon:0
 +   
 +   mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.452 GHz  Tx-Power=0 dBm
 +             Retry min limit:  RTS thr:off   Fragment thr=2352 B
 +             Encryption key:off
 +             Power Management:off
 +             Link Quality: Signal level: Noise level:0
 +             Rx invalid nwid: Rx invalid crypt: Rx invalid frag:0
 +             Tx excessive retries: Invalid misc:  Missed beacon:0
 +
 +
 +Here, mon0 is seen as being in monitor mode, on channel 9 (2.452GHz). Unlike madwifi-ng, the monitor interface has no Access Point field at all. Also notice that wlan0 is still present, and in managed mode - this is normal. Because both interfaces share a common radio, they must always be tuned to the same channel - changing the channel on one interface also changes channel on the other one.
 +
 +=== Step 1c - Setting up other drivers ===
 +
 +For other (ieee80211-based) drivers, simply run the following command to enable monitor mode (replace rausb0 with your interface name):
 +
 +   airmon-ng start rausb0 9
 +
 +The system responds:
 +
 +   Interface       Chipset         Driver
 +   
 +   rausb0          Ralink          rt73 (monitor mode enabled)
 +
 +At this point, the interface should be ready to use.
  
 ==== Step 2 - Start airodump-ng to collect authentication handshake ==== ==== Step 2 - Start airodump-ng to collect authentication handshake ====
  
-The purpose of this step is run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.  +The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.  
  
 Enter: Enter:
Line 146: Line 215:
 Where: Where:
   *-c 9 is the channel for the wireless network   *-c 9 is the channel for the wireless network
-  *- -bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic.+  *-''''-bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminates extraneous traffic.
   *-w psk is the file name prefix for the file which will contain the IVs.   *-w psk is the file name prefix for the file which will contain the IVs.
   *ath0 is the interface name.   *ath0 is the interface name.
  
-Important: Do NOT use the "- -ivs" option.  You must capture the full packets.+Important: Do NOT use the "-''''-ivs" option.  You must capture the full packets.
  
 Here what it looks like if a wireless client is connected to the network: Here what it looks like if a wireless client is connected to the network:
Line 183: Line 252:
 To see if you captured any handshake packets, there are two ways.  Watch the airodump-ng screen for " WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner.  This means a four-way handshake was successfully captured.  See just above for an example screenshot. To see if you captured any handshake packets, there are two ways.  Watch the airodump-ng screen for " WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner.  This means a four-way handshake was successfully captured.  See just above for an example screenshot.
  
-use Wireshark and apply a filter of "eapol" This displays only eapol packets you are interested in.  Thus you can see if capture contains 0,1,2,3 or 4 eapol packets.+Use Wireshark and apply a filter of "eapol" This displays only eapol packets you are interested in.  Thus you can see if capture contains 0,1,2,3 or 4 eapol packets.
  
  
 ==== Step 3 - Use aireplay-ng to deauthenticate the wireless client ==== ==== Step 3 - Use aireplay-ng to deauthenticate the wireless client ====
  
-This step is optional.  You only perform this step if you opted to actively speed up the process.  The other constraint is that there must be a wireless client currently associated with the AP.  If there is no wireless client currently associated with the AP, then move onto the next step and be patient.  Needless to say, if a wireless client shows up later, you can backtrack and perform this step.+This step is optional.  If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP.  You only perform this step if you opted to actively speed up the process.  The other constraint is that there must be a wireless client currently associated with the AP.  If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured.  Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.
  
-What this step does is send a message to the wireless client saying that that it is no longer associated with the AP.  The wireless client will then hopefully reauthenticate with the AP.  The reauthentication is what generates the 4-way authentication handshake we are interested in collecting.  This what we use to break the WPA/WPA2 pre-shared key.+This step sends a message to the wireless client saying that that it is no longer associated with the AP.  The wireless client will then hopefully reauthenticate with the AP.  The reauthentication is what generates the 4-way authentication handshake we are interested in collecting.  This is what we use to break the WPA/WPA2 pre-shared key.
  
 Based on the output of airodump-ng in the previous step, you determine a client which is currently connected.  You need the MAC address for the following.  Open another console session and enter: Based on the output of airodump-ng in the previous step, you determine a client which is currently connected.  You need the MAC address for the following.  Open another console session and enter:
Line 198: Line 267:
 Where: Where:
   * -0 means deauthentication   * -0 means deauthentication
-  * 1 is the number of deauths to send (you can send muliple if you wish)+  * 1 is the number of deauths to send (you can send multiple if you wish)
   * -a 00:14:6C:7E:40:80 is the MAC address of the access point   * -a 00:14:6C:7E:40:80 is the MAC address of the access point
   * -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing   * -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
Line 211: Line 280:
 === Troubleshooting Tips === === Troubleshooting Tips ===
  
-  *  The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.+  *  The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.  To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client.  If you did not get an ACK packet back, then the client did not "hear" the deauthentication packet.
  
  
Line 284: Line 353:
 It can sometimes be tricky to capture the four-way handshake.  Here are some troubleshooting tips to address this: It can sometimes be tricky to capture the four-way handshake.  Here are some troubleshooting tips to address this:
  
-  * Your monitor card must be in the same mode as the both the client and Access Point.  So, for example, if your card was in "B" mode and the client/AP were using "G" mode, then you would not capture the handshake.  This is especially important for new APs and clients which may be "turbo" mode and/or other new standards.+  * Your monitor card must be in the same mode as the both the client and Access Point.  So, for example, if your card was in "B" mode and the client/AP were using "G" mode, then you would not capture the handshake.  This is especially important for new APs and clients which may be "turbo" mode and/or other new standards.  Some drivers allow you to specify the mode.  Also, iwconfig has an option "modulation" that can sometimes be used.  Do "man iwconfig" to see the options for "modulation". For information, 1, 2, 5.5 and 11Mbit are 'b', 6, 9, 12, 18, 24, 36, 48, 54Mbit are 'g'.
   * Sometimes you also need to set the monitor-mode card to the same speed.  IE auto, 1MB, 2MB, 11MB, 54MB, etc.   * Sometimes you also need to set the monitor-mode card to the same speed.  IE auto, 1MB, 2MB, 11MB, 54MB, etc.
   * Be sure that your capture card is locked to the same channel as the AP.  You can do this by specifying "-c <channel of AP>" when you start airodump-ng.   * Be sure that your capture card is locked to the same channel as the AP.  You can do this by specifying "-c <channel of AP>" when you start airodump-ng.
Line 292: Line 361:
   * Make sure to use the drivers specified on the wiki.  Depending on the driver, some old versions do not capture all packets.   * Make sure to use the drivers specified on the wiki.  Depending on the driver, some old versions do not capture all packets.
   * Ideally, connect and disconnect a wireless client normally to generate the handshake.   * Ideally, connect and disconnect a wireless client normally to generate the handshake.
-  * If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate.  Normally this is a single deauth packet.  Sending an excessive amount may cause the client to fail to reconnect and thus does not generate the four-way handshake.   As well, use directed deauths, not broadcast.+  * If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate.  Normally this is a single deauth packet.  Sending an excessive number of deauth packets may cause the client to fail to reconnect and thus it will not generate the four-way handshake.   As well, use directed deauths, not broadcast.  To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client.  If you did not get an ACK packet back, then the client did not "hear" the deauthentication packet.
   * Try stopping the radio on the client station then restarting it.   * Try stopping the radio on the client station then restarting it.
   * Make sure you are not running any other program/process that could interfere such as connection managers, Kismet, etc.   * Make sure you are not running any other program/process that could interfere such as connection managers, Kismet, etc.
   * Review your captured data using the [[wpa_capture|WPA Packet Capture Explained tutorial]] to see if you can identify the problem.  Such as missing AP packets, missing client packets, etc.   * Review your captured data using the [[wpa_capture|WPA Packet Capture Explained tutorial]] to see if you can identify the problem.  Such as missing AP packets, missing client packets, etc.
  
-Unfortunately, you sometimes need to experiment a bit to get your card to properly capture the four-way handshake.  The point is, if you don't get it the first time, have patience and experiment a bit.  It can be done!+Unfortunately, sometimes you need to experiment a bit to get your card to properly capture the four-way handshake.  The point is, if you don't get it the first time, have patience and experiment a bit.  It can be done!
  
 Another approach is to use Wireshark to review and analyze your packet capture.  This can sometimes give you clues as to what is wrong and thus some ideas on how to correct it.  The [[wpa_capture|WPA Packet Capture Explained tutorial]] is a companion to this tutorial and walks you through what a "normal" WPA connection looks like.  As well, see the [[faq|FAQ]] for detailed information on how to use Wireshark. Another approach is to use Wireshark to review and analyze your packet capture.  This can sometimes give you clues as to what is wrong and thus some ideas on how to correct it.  The [[wpa_capture|WPA Packet Capture Explained tutorial]] is a companion to this tutorial and walks you through what a "normal" WPA connection looks like.  As well, see the [[faq|FAQ]] for detailed information on how to use Wireshark.
Line 305: Line 374:
 When using Wireshark, the filter "eapol" will quickly display only the EAPOL packets.  Based on what EAPOL packets are actually in the capture, determine your correction plan. For example, if you are missing the client packets then try to determine why and how to collect client packets. When using Wireshark, the filter "eapol" will quickly display only the EAPOL packets.  Based on what EAPOL packets are actually in the capture, determine your correction plan. For example, if you are missing the client packets then try to determine why and how to collect client packets.
  
-To dig deep into the packet analysis, you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not just  IVs.  Needless to say, it must be locked to the AP channel.  The reason for eliminating the BSSID filter is to ensure all packets including acknowledgements are capture.  With a BSSID filter, certain packets are dropped from the capture.+To dig deep into the packet analysis, you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not just  IVs.  Needless to say, it must be locked to the AP channel.  The reason for eliminating the BSSID filter is to ensure all packets including acknowledgments are captured.  With a BSSID filter, certain packets are dropped from the capture.
  
-Every packet sent by client or AP must be acknowledged.  This is done with an "acknowledgement" packet which has a destination MAC of the device which sent the original packet.  If you are trying to deauthenticate a client, one thing to check is that you receive the "ack" packet.  This confirms the client received the deauth packet.  Failure to receive the "ack" packet likely means that the client is out of transmission range.  Thus failure.+Every packet sent by client or AP must be acknowledged.  This is done with an "acknowledgment" packet which has a destination MAC of the device which sent the original packet.  If you are trying to deauthenticate a client, one thing to check is that you receive the "ack" packet.  This confirms the client received the deauth packet.  Failure to receive the "ack" packet likely means that the client is out of transmission range.  Thus failure.
  
 When it comes to analyzing packet captures, it is impossible to provide detailed instructions.  I have touched on some techniques and areas to look at.  This is an area which requires effort to build your skills on both WPA/WPA2 plus how to use Wireshark.   When it comes to analyzing packet captures, it is impossible to provide detailed instructions.  I have touched on some techniques and areas to look at.  This is an area which requires effort to build your skills on both WPA/WPA2 plus how to use Wireshark.  
Line 320: Line 389:
  
 Check the "I Cannot Capture the Four-way Handshake!" troubleshooting tip. Check the "I Cannot Capture the Four-way Handshake!" troubleshooting tip.
- 
cracking_wpa.1201358142.txt.gz · Last modified: 2008/01/26 15:35 by darkaudax