
1/30/2015

SpeedGuide.net :: How To Crack WEP and WPA Wireless Networks

How To Crack WEP and WPA Wireless Networks
Cracking WEP, WPA-PSK and WPA2-PSK wireless security using aircrack-ng
2008.11.21 10:53 by Philip
Keywords: aircrack, Wireless, WiFi, WPA, WEP, WPA2, NIC, hash, wordlist, security, SSID, channel

Introduction
With the popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant, but very necessary for both home/SOHO users and IT professionals alike. This article is aimed at illustrating current security flaws in WEP/WPA/WPA2. Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology, as well as working with command line tools. A basic familiarity with Linux can be helpful as well.
Disclaimer: Attempting to access a network other than your own, or one you have permission to use, is illegal in some U.S. jurisdictions. SpeedGuide, Inc. are not to be held liable for any damages resulting from the use or misuse of the information in this article.
To successfully crack WEP/WPA, you first need to be able to set your wireless network card in "monitor" mode to passively capture packets without being associated with a network. This NIC mode is driver dependent, and only a relatively small number of network cards support this mode under Windows.
One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards available here: NIC chipset compatibility list.
If your network card is not supported under Windows, one can use a free Linux Live CD to boot the system. BackTrack 3 is probably the most commonly used distribution, since it runs from a Live CD, and has aircrack-ng and a number of related tools already installed.
For this article, I am using aircrack-ng version 1.0 on a Linux partition (Fedora Core 10, 2.6 32-bit kernel) on my Sony Vaio SZ680 laptop, using the built-in Intel 4965agn network card. If you're using the BackTrack 3 CD, aircrack-ng is already installed; with my version of Linux it was as simple as finding it with:
yum search aircrack-ng
yum install aircrack-ng
The aircrack-ng suite is a collection of command line programs aimed at WEP and WPA-PSK key cracking. The ones we will be using are:
airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data.

1. Setup (airmon-ng)
As mentioned above, to capture network traffic without being associated with an access point, we need to set the wireless network card in monitor mode. To do that under Linux, in a terminal window (logged in as root), type:
iwconfig (to find all wireless network interfaces and their status)
airmon-ng start wlan0 (to set in monitor mode; you may have to substitute wlan0 for your own interface name)
Note: You can use the su command to switch to a root account.
Other related Linux commands:
ifconfig (to list available network interfaces; my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC; can even simulate the MAC of an associated client. The NIC should be stopped before changing the MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.

2. Recon Stage (airodump-ng)
This step assumes you've already set your wireless network interface in monitor mode. It can be checked by executing the iwconfig command. The next step is finding available wireless networks, and choosing your target:
airodump-ng mon0 - monitors all channels, listing available access points and associated clients within range. It is best to select a target network with strong signal (PWR column), more traffic (Beacons/Data columns) and associated clients (listed below all access points). Once you've selected a target, note its Channel and BSSID (MAC address). Also note any STATION associated with the same BSSID (client MAC addresses).

Running airodump-ng displays all wireless access points and associated clients in range, as well as MAC addresses, SSIDs, signal levels and other information about them.

WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between 20k and 40k packets), while WPA-PSK needs a dictionary attack on a captured handshake between the access point and an associated client, which may or may not work.

3. Capture Data (airodump-ng)
To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection, otherwise the wireless card has to alternate between all channels. Assuming our wireless card is mon0, and we want to capture packets on channel 6 into a text file called data:
airodump-ng -c 6 --bssid 00:0F:CC:7D:5A:74 -w data mon0 (the -c 6 switch captures data on channel 6, --bssid 00:0F:CC:7D:5A:74 is the MAC address of our target access point, -w data specifies that we want to save captured packets into a file called "data" in the current directory, mon0 is our wireless network adapter)

Running airodump-ng on a single channel targeting a specific access point

Notes:
You typically need between 20,000 and 40,000 data packets to successfully recover a WEP key.
One can also use the "--ivs" switch with the airodump-ng command to capture only IVs, instead of whole packets, reducing the required disk space. However, this switch can only be used if targeting a WEP network, and renders some types of attacks useless.

4. Increase Traffic (aireplay-ng) - optional step for WEP cracking
An active network can usually be penetrated within a few minutes. However, slow networks can take hours, even days, to collect enough data for recovering the WEP key.
This optional step allows a compatible network interface to inject/generate packets to increase traffic on the wireless network, therefore greatly reducing the time required for capturing data. The aireplay-ng command should be executed in a separate terminal window, concurrent to airodump-ng. It requires a compatible network card and driver that allows for injection mode.
Assuming your network card is capable of injecting packets, in a separate terminal window try:
aireplay-ng -3 -b 00:0F:CC:7D:5A:74 -h 00:14:A5:2F:A7:DE -x 50 wlan0
-3 -> this specifies the type of attack, in our case ARP request replay
-b -> MAC address of access point
-h -> MAC address of associated client from airodump
-x 50 -> limit to sending 50 packets per second
wlan0 -> our wireless network interface

aireplay-ng allows for injecting packets to greatly reduce the time required to recover a WEP key

Notes:
To test whether your NIC is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available here.
To see all available replay attacks, type just: aireplay-ng

5. Crack WEP (aircrack-ng)
WEP cracking is a simple process, only requiring collection of enough data to then extract the key and connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-attempt cracking the key after every 5000 packets.
To attempt recovering the WEP key, in a new terminal window, type:
aircrack-ng data*.cap (assuming your capture file is called data...cap, and is located in the same directory)

aircrack-ng can successfully recover a WEP key with 10-40k captured packets. The retrieved key is in hexadecimal, and can be entered directly into a wireless client omitting the ":" separators

Notes:
If your data file contains IVs/packets from different access points, you may be presented with a list to choose which one to recover.
Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys.

6. Crack WPA or WPA2 PSK (aircrack-ng)
WPA, unlike WEP, rotates the network key on a per-packet basis, rendering the WEP method of penetration useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack on a handshake between an access point and a client. What this means is, you need to wait until a wireless client associates with the network (or disassociate an already connected client so they automatically reconnect). All that needs to be captured is the initial "four-way handshake" association between the access point and a client. Essentially, the weakness of WPA-PSK comes down to the passphrase. A short/weak passphrase makes it vulnerable to dictionary attacks.
To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This can be obtained using the same technique as with WEP in step 3 above, using airodump-ng. You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:
aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_AP is the MAC address of the access point, MAC_Client is the MAC address of an associated client, mon0 is your wireless NIC).
The command output looks something like:
12:34:56 Waiting for beacon frame (BSSID: 00:11:22:33:44:55:66) on channel 6
12:34:56 Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55:66] [5:62 ACKs]
Note the last two numbers in brackets [5:62 ACKs] show the number of acknowledgements received from the client NIC (first number) and the AP (second number). It is important to have some number greater than zero in both. If the first number is zero, that indicates that you're too far from the associated client to be able to send deauth packets to it; you may want to try adding a reflector to your antenna (even a simple manilla folder with aluminum foil stapled to it works as a reflector to increase range and concentrate the signal significantly), or use a larger antenna.

Simple antenna reflector using aluminum foil stapled to a manilla folder can concentrate the signal and increase range significantly. For best results, you'll have to place the antenna exactly in the middle and change direction as necessary. Of course there are better reflectors out there; a parabolic reflector would offer even higher gain, for example.
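The deauthentication burst described above (64 directed DeAuth frames sent in one go) is also exactly what a wireless intrusion detection sensor looks for from the defender's side. The following is an added example, not code from the SpeedGuide article or from aircrack-ng: it counts deauth/disassoc frames per BSSID in a sliding time window over a constructed set of frame records and raises an alert when the rate is far above what a healthy network produces. The record layout (ts, subtype, addr1, addr2, bssid), the sample addresses and frames, and the window/threshold values are all assumptions made for this illustration.

```python
"""Detecting a deauthentication flood in 802.11 frame records.

Added example; not code from the SpeedGuide article or from aircrack-ng.
It models what a wireless IDS does with frames seen in monitor mode: count
deauth/disassoc frames per BSSID in a sliding window and alert on a burst.
The record layout (ts, subtype, addr1, addr2, bssid), the sample frames and
the thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict, deque

# Constructed addresses (not from any real network).
AP = "00:11:22:33:44:55"
CLIENT = "00:14:A5:2F:A7:DE"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_sample_frames():
    """Constructed capture: normal beacons and data, one legitimate deauth
    when the client leaves, then 64 directed deauths forged in the AP's name
    (the count the aireplay-ng output in the article reports)."""
    frames = []
    for i in range(20):                       # beacons roughly every 100 ms
        frames.append({"ts": i * 0.1, "subtype": "beacon",
                       "addr1": BROADCAST, "addr2": AP, "bssid": AP})
    for i in range(5):                        # a little client data
        frames.append({"ts": 0.3 + i * 0.1, "subtype": "data",
                       "addr1": AP, "addr2": CLIENT, "bssid": AP})
    frames.append({"ts": 0.9, "subtype": "deauth",   # client really leaving
                   "addr1": AP, "addr2": CLIENT, "bssid": AP})
    for i in range(64):                       # the flood: 64 frames in 0.32 s
        frames.append({"ts": 1.2 + i * 0.005, "subtype": "deauth",
                       "addr1": CLIENT, "addr2": AP, "bssid": AP})
    frames.sort(key=lambda f: f["ts"])
    return frames


def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Return [(bssid, first_ts, peak_count)] for every BSSID that saw more
    than `threshold` deauth/disassoc frames inside any `window`-second span.
    `frames` must be sorted by ts. A single deauth is normal; dozens per
    second for one BSSID are not."""
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    alerts = {}                   # bssid -> (first_ts, peak_count)
    for f in frames:
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop frames older than window
            q.popleft()
        if len(q) > threshold:
            first, peak = alerts.get(f["bssid"], (q[0], 0))
            alerts[f["bssid"]] = (first, max(peak, len(q)))
    return [(b, first, peak) for b, (first, peak) in alerts.items()]


if __name__ == "__main__":
    for bssid, first, peak in detect_deauth_floods(build_sample_frames()):
        print(f"deauth flood against {bssid}: {peak} frames, "
              f"starting at t={first:.3f}s")
```

On the constructed sample the single legitimate deauth at t=0.9s never trips the threshold on its own; the alert fires once the forged burst arrives and reports the peak count seen in the window. Detection is the fallback; the mitigation is Protected Management Frames (802.11w), which makes unauthenticated deauth frames rejectable by clients and APs that support it.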

Once you have captured a four-way handshake, you also need a large/relevant dictionary file (commonly known as wordlists) with common passphrases. See related links below for some wordlist links.
You can then execute the following command in a Linux terminal window (assuming both the dictionary file and captured data file are in the same directory):
aircrack-ng -w wordlist capture_file (where wordlist is your dictionary file, and capture_file is a .cap file with a valid WPA handshake)
Additional Notes:
Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a handshake). After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files. A good size wordlist should be 20+ Megabytes in size; cracking a strong passphrase will take hours and is CPU intensive.
Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a weak/short/common/human-readable passphrase can be broken within a few minutes using an offline dictionary attack. My record time was less than a minute on an all-caps 10-character passphrase using common words with less than 11,000 tested keys! A modern laptop can process over 10 Million possible keys in less than 3 hours.
WPA hashes the network key using the wireless access point's SSID as salt. This prevents the statistical key-grabbing techniques that broke WEP, and makes hash precomputation more difficult because the specific SSID needs to be added as salt for the hash. There are some tools like coWPAtty that can use precomputed hash files to speed up dictionary attacks. Those hash files can be very effective (since they're much less CPU intensive and therefore faster), but quite big in size. The Church of WiFi has computed hash tables for the 1000 most common SSIDs against a million common passphrases that are 7Gb and 33Gb in size...
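The two notes above (weak passphrases falling to an offline dictionary attack, and the SSID acting as salt for the WPA hash) come down to one key-derivation step, shown here as an added example that is not code from the SpeedGuide article, aircrack-ng or coWPAtty. The derivation is the one IEEE 802.11i defines: PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes), and the "password"/"IEEE" pair is the standard's own published test vector. The block also screens a passphrase for the weaknesses the article names (short, single case, letters only, built from common words); the small word list and the length cutoff are assumptions made for this illustration.

```python
"""WPA-PSK key derivation with the SSID as salt, and a passphrase screen.

Added example; not code from the SpeedGuide article or from aircrack-ng or
coWPAtty. The derivation is the one IEEE 802.11i defines: PMK =
PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes). The
"password"/"IEEE" pair is the standard's own published test vector. The
word list and the length cutoff in screen_passphrase() are assumptions
chosen for illustration.
"""
import hashlib

# Published 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: the 'hash' the article says WPA salts with the
    SSID. 4096 iterations of HMAC-SHA1 is what makes each guess cost
    something, and the SSID salt is what ties a guess to one network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def table_entry(ssid: str, passphrase: str) -> tuple:
    """One row of a coWPAtty-style precomputed table. The row is keyed by
    SSID: a table built for 'linksys' says nothing about a unique SSID,
    which is why such tables only cover the most common network names."""
    return (ssid, passphrase, derive_pmk(passphrase, ssid).hex())


# Constructed mini word list standing in for a real dictionary file.
COMMON_WORDS = {"password", "wireless", "network", "internet", "letmein",
                "home", "admin", "net", "wifi"}
MIN_LENGTH = 16   # assumption for this example; WPA allows 8..63 characters


def _is_word_concat(s: str) -> bool:
    """True if s can be split entirely into COMMON_WORDS (recursive check)."""
    if s == "":
        return True
    return any(s.startswith(w) and _is_word_concat(s[len(w):])
               for w in COMMON_WORDS)


def screen_passphrase(passphrase: str) -> list:
    """Return the weaknesses the article describes as crackable: short,
    single-case, letters only, or built purely from dictionary words.
    An empty list means none of those flags fired."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if passphrase.isupper() or passphrase.islower():
        problems.append("single case")
    if passphrase.isalpha():
        problems.append("letters only")
    if passphrase.isalpha() and _is_word_concat(passphrase.lower()):
        problems.append("built from dictionary words")
    return problems


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == IEEE_TEST_PMK
    print("same passphrase, two SSIDs give two unrelated PMKs:")
    for ssid in ("IEEE", "linksys"):
        print(" ", table_entry(ssid, "password"))
    for p in ("WIRELESSNET", "Orange-Staple-7-Battery-Trust"):
        print(f"{p!r}: {screen_passphrase(p) or 'no flags'}")
```

Two things the block makes concrete: the same passphrase yields a different PMK for every SSID, so a precomputed table is only as useful as the SSID is common, and every guess costs 4096 HMAC-SHA1 rounds, which is the whole reason a long passphrase that is not a word combination holds up while a short all-caps one does not.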

Conclusion
As demonstrated above, WEP cracking has become increasingly easier over the years, and what used to take hundreds of thousands of packets and days of capturing data can be accomplished today within 15 minutes with a mere 20k data frames.
WPA/WPA2-PSK encryption is holding its ground if using a strong, long key. However, weak passphrases are vulnerable to dictionary attacks. WPA/WPA2 may be on borrowed time as well, according to some recent news.

Related Links
WPA Wordlists - Torrent search
aircrack-ng