
Attack

On the 'Net

• http://www.aircrack-ng.org/ – Aircrack home page
• http://www.aircrack-ng.org/doku.php?id=tutorial – further tutorials
• http://www.remote-exploit.org/ – the BackTrack Linux home page
• http://backtrack.offensive-security.com/ – the official BackTrack Wiki page
• http://www.cotse.com/tools/wordlists.htm/ – a lot of wordlists from different languages
• http://ftp.sunet.se/pub/security/tools/net/Openwall/wordlists/ – a reasonably large wordlist
• http://www.madwifi.net/ – you can download the MadWifi patch drivers here
• http://www.aircrack-ng.org/doku.php?id=compatibility_drivers – list of supported wireless cards

hakin9 1/2008 – www.hakin9.org/en

About the Author

Stephen Argent is currently in Australia completing his studies, and hopes to proceed onto further advanced education programs afterwards. Stephen has taught himself a diverse range of computing skills, working for himself in many areas of computing for the past 8 years, ranging from password and data recovery to wireless cracking, amongst various other things, under both the Windows and Linux environments. He can be contacted by emailing: argentcomputers@lavabit.com.

section, I will explain this again. In a new console session, enter:

    bt ~ # airmon-ng stop ath0
    bt ~ # airmon-ng start wifi0

Now, open up a second console session for airodump-ng, and type:

    bt ~ # airodump-ng -w test ath0

You should see something similar to what is presented in Figure 8 – a window detailing all available wireless networks within your radius. You will notice from this that the network alpha is on channel 11, so we will need to set the wireless card to monitor this channel only. To do this, go back to the airmon-ng console session we used previously and type:

    bt ~ # airmon-ng stop ath0
    bt ~ # airmon-ng start wifi0 11

Now, head back to the airodump-ng window and type:

    bt ~ # airodump-ng -c 11 -w output ath0

which specifies to listen on channel 11 (though not needed, because the card is only monitoring on channel 7 anyway), and dump to the output file.

Now, at the bottom of the airodump-ng window, there should be a column headed BSSID. We need to look for the BSSID of our AP here. In this case it is 00:4D:B5:7D:5E:74. Next to this, under STATION, we need to take note of the MAC address listed, as this is the physical address of the station that we will de-authenticate to grab our four-way handshake. In this case it is 00:18:DE:D7:9A:D5. If there are no stations listed, you will just have to wait until one connects, and then de-authenticate it if you need to (though ideally, the four-way handshake will be captured when it connects). To de-authenticate the station, open up a new console session and type:

    bt ~ # aireplay-ng -0 1 -a 00:4D:B5:7D:5E:74 -c 00:18:DE:D7:9A:D5 ath0

The -0 is the de-authentication option, and 1 is the number of de-auths to send. The -a option is the AP's MAC address, and -c is the client's MAC. The console should say:

    12:00:00 Sending DeAuth to station – STMAC: 00:18:DE:D7:9A:D5

This packet is sent straight from your computer to the client, rather than from your computer via the AP to the client, so you have to make sure that you are not only close enough to the AP, but also to the client. When they try to reconnect, airodump-ng should capture the four-way handshake and write it to the output file. Now, once the handshake has been captured, the only thing left to do is crack the key. This is done by opening a new console session and typing:

    bt ~ # aircrack-ng -w wordlist.txt output*.cap

Remember that your wordlist has to be in the same directory as your capture file, which is also the working directory that the console is in (by default, the /root directory). Aircrack-ng will now use the wordlist to try and crack the password. Success should look like this:
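The de-authentication step described above is exactly the event a wireless IDS is built to catch. The following script is an added example, not code from the article or from the aircrack-ng project. It reads a constructed, simplified one-frame-per-line log (the format, timestamps and reason codes are assumptions made for this example; the two MAC addresses are the AP and station used in the article) and raises an alert when deauthentication or disassociation frames between one source/destination pair pile up inside a short window. Because a forged deauth carries the AP's own address as its source, the detector counts frames per pair rather than trusting the source address, and a single legitimate deauth is left alone.

```python
"""Deauthentication-burst detector over a management-frame log.

Added example for the article above, not code from the article or from the
aircrack-ng project. The log format is an assumption made for this example:
one frame per line, as
    <epoch seconds> <TYPE> src=<MAC> dst=<MAC> [reason=<code>]
"""
import re
from collections import defaultdict, deque

# Constructed sample log. The AP (00:4D:B5:7D:5E:74) and the station
# (00:18:DE:D7:9A:D5) are the addresses used in the article; timestamps and
# reason codes are made up. Line 2 is a lone deauth, lines 4-9 are a burst.
SAMPLE_LOG = """\
1199145600.00 DATA src=00:18:DE:D7:9A:D5 dst=00:4D:B5:7D:5E:74
1199145601.00 DEAUTH src=00:4D:B5:7D:5E:74 dst=00:18:DE:D7:9A:D5 reason=3
1199145650.00 DATA src=00:18:DE:D7:9A:D5 dst=00:4D:B5:7D:5E:74
1199145700.00 DEAUTH src=00:4D:B5:7D:5E:74 dst=00:18:DE:D7:9A:D5 reason=7
1199145700.20 DEAUTH src=00:4D:B5:7D:5E:74 dst=00:18:DE:D7:9A:D5 reason=7
1199145700.40 DEAUTH src=00:4D:B5:7D:5E:74 dst=00:18:DE:D7:9A:D5 reason=7
1199145700.60 DEAUTH src=00:4D:B5:7D:5E:74 dst=00:18:DE:D7:9A:D5 reason=7
1199145700.80 DEAUTH src=00:4D:B5:7D:5E:74 dst=00:18:DE:D7:9A:D5 reason=7
1199145701.00 DEAUTH src=00:4D:B5:7D:5E:74 dst=00:18:DE:D7:9A:D5 reason=7
1199145701.05 DEAUTH src=00:18:DE:D7:9A:D5 dst=00:4D:B5:7D:5E:74 reason=7
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<type>[A-Z]+)"
    r"\s+src=(?P<src>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\s+dst=(?P<dst>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?:\s+reason=(?P<reason>\d+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "type": m["type"],
        "src": m["src"].lower(),
        "dst": m["dst"].lower(),
        "reason": int(m["reason"]) if m["reason"] else None,
    }


def detect_deauth_bursts(lines, threshold=5, window=10.0):
    """Return one alert per (src, dst) pair whose DEAUTH/DISASSOC frames reach
    `threshold` within any `window`-second sliding interval."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        frame = parse_line(line)
        if frame is None or frame["type"] not in ("DEAUTH", "DISASSOC"):
            continue
        key = (frame["src"], frame["dst"])
        q = recent[key]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": key[0], "dst": key[1], "count": len(q),
                           "first": q[0], "last": frame["ts"],
                           "reason": frame["reason"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT deauth burst {alert['src']} -> {alert['dst']}: "
              f"{alert['count']} frames in {alert['last'] - alert['first']:.1f}s")
```

The threshold and window are tuning knobs: an AP that reboots will deauthenticate every client once, so alert on repetition, not on the frame type alone. The reason code is recorded for the analyst only; it is not used as evidence, because the attacker chooses it.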

Conclusion

As we can all see from this article, wireless networks are evidently very insecure by default. This information can be useful in checking the integrity and strength of your home WiFi network, or your business's network if you are the Network Security Auditor for your workplace and have permission to do so. Remember, doing this to networks that you are not the owner of is against the law in all countries. The techniques and procedures outlined in this article are often used by security professionals in demonstrations and tests. So, until a more secure option is available, if wireless is the only option, then the best solution is to use a long, non-dictionary word (preferably a combination of words, letters and numbers in a randomly generated string) as the WPA or WPA2 key. There are also various options to protect your PC using software or hardware WIDS (Wireless Intrusion Detection Systems). Some software titles that can achieve this are Network Chemistry, RFprotect, and Trend Micro Internet Security Pro 2008. However, the easiest and cheapest solution is simply to turn off your router when it is not in use.
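The Conclusion's advice (a long, non-dictionary, randomly generated WPA/WPA2 key) can be turned into a check that a network owner runs before committing a passphrase. The script below is an added example, not code from the article or from any product it names. The wordlist is a tiny constructed stand-in for the large wordlists the article links to, and the 20-character and 80-bit thresholds are assumptions chosen for this example. The check undoes the simplest attacker mangling (case, appended digits or symbols, leet-speak) before looking the word up, which is why "Sunsh1ne2008!" is still rejected as a dictionary word.

```python
"""WPA/WPA2 pre-shared-key policy check.

Added example illustrating the Conclusion's advice (long, non-dictionary,
mixed-character passphrase); not code from the article. The wordlist below is
a constructed stand-in for the large wordlists the article links to.
"""
import math
import string

# Constructed stand-in wordlist; a real check would load a full list from disk.
WORDLIST = {"password", "letmein", "sunshine", "alpha", "dragon", "football"}

# Reverse the most common leet-speak substitutions.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_bases(pw):
    """Plain-word forms that a rule-based wordlist attack would map pw back to:
    lower-cased, with trailing digits/symbols removed, with and without leet undone."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return {base, base.translate(_LEET)}


def charset_size(pw):
    """Size of the smallest standard character set that contains every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable symbols
    if " " in pw:
        size += 1
    return size


def estimate_bits(pw):
    """Brute-force search space in bits, assuming pw is uniformly random over its charset."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess_psk(pw, wordlist=WORDLIST, min_len=20, min_bits=80):
    """Return {'bits', 'problems', 'ok'}; ok is True only when no policy rule fails."""
    problems = []
    # 802.11 passphrases are 8-63 printable ASCII characters (32-126).
    if not all(32 <= ord(c) <= 126 for c in pw) or not 8 <= len(pw) <= 63:
        problems.append("WPA passphrases must be 8-63 printable ASCII characters")
    elif len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidate_bases(pw) & wordlist:
        problems.append("dictionary word once common mangling is undone")
    bits = estimate_bits(pw)
    if bits < min_bits:
        problems.append(f"only ~{bits:.0f} bits of brute-force search space")
    return {"bits": round(bits, 1), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for sample in ("password", "Sunsh1ne2008!", "k7Q!pz3Vw9#mRt2Lx8@bN4yH6jF1"):
        verdict = assess_psk(sample)
        print(f"{sample!r}: ok={verdict['ok']} bits={verdict['bits']} {verdict['problems']}")
```

The bit estimate is an upper bound that only holds for a passphrase generated at random; a human-chosen phrase with the same character classes has far less real entropy, which is the reason the dictionary check runs regardless of the bit count.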