9.4.5.4. Aircrack-ng
No wireless pen-test kit is complete without the ability to crack WEP. The Aircrack-ng suite of tools provides all of the functionality necessary to successfully crack WEP. The Aircrack-ng suite consists of the following tools:
• Airmon-ng is a script to place the WLAN interface into rfmon (monitor) mode, with the option of setting a specific channel. You can also shut down interfaces with the
stop command.
• Airodump-ng is a packet capture utility for raw 802.11 frames, and in particular, WEP initialization vectors to be used with aircrack-ng; writing only IVs to file saves considerable space.
• Packetforge-ng is used create encrypted packets for injection. ARP packets are most common, but User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), null, and custom packets are also possible. Creating a packet requires a PRGA file from a chopchop or fragmentation attack.
• Aireplay-ng is designed to perform injection attacks (including deauthentication and fake authentication) for the purpose of creating artificial traffic to be used for WEP cracking. Included are interactive packet replay, ARP request replay, chopchop, and fragmentation attacks. There is also a useful injection test utility to ensure that your card properly supports injection.
• Airdecap-ng decrypts WEP/WPA encypted capture files (assuming you have the key). This tool is particularly useful if you have an encrypted capture file you wish to scan for usernames, passwords, and other valuable data.
• Aircrack-ng uses the FMS/KoreK method and the PTW attack to crack WEP.
One of the very nice features of aircrack-ng is the ability to crack WEP without any authenticated clients. You can do this with the fragmentation attack. This attack tries to
obtain 1500 bytes of PRGA, and then uses the PRGA to generate packets for injection. The second method to obtain PRGA is the chopchop attack. A demonstration of clientless WEP cracking using both attacks is shown in the remainder of this section.
Epic FailWhile it is possible to crack WEP encrypted networked with no authenticated clients, the network must at least have some data flowing across it. For example, if one of the wired clients on the network is generating traffic such as ARP requests, you will be able to capture that data and use it for cracking the network. If the wireless network is completely stand-alone and there is no traffic whatsoever going across the network, you will not be able to collect the necessary data for cracking the WEP encryption.
Before you proceed any further, you'll want to make sure that you are capturing traffic. Airodump-ng is an excellent choice, as it is included in the aircrack-ng suite; however, any packet analyzer capable of writing in pcap format (Wireshark, Kismet, etc.) will also work. First, configure your card with the airmon-ng script:
airmon-ng stop wlan0
airmon-ng start wlan0 <channel #>
airodump-ng –w <capture file> mon0
The airmon-ng script places the wlan0 interface in monitor mode (you can specify channel number as well). The airodump-ng command writes to a named capture file and captures on the specified interface. By default, airodump-ng hops on all channels; however, there is an option to lock on to a specific channel if desired. This is recommended if you know your target's channel so that the card does not spend time looking for packets on other channels.
Airodump-ng's display shows the number of packets and IVs that have been collected, as shown in
Fig. 9.12. You can either keep airodump-ng running or stop it to update your filters; but either way, you'll need it running later. The syntax for using this to just record IVs and stay on a specific channel would be
airodump-ng -w capfile --ivs --channel 6 mon0.
Before we go any further, let's add one step that will save us some time down the road. We will take advantage of the export command to set some variables; this will save us typing the same MAC addresses over and over again:
export AP=00:1B:2F:DE:E9:42
export WIFI=74:F0:6D:53:09:29
In future commands (within the same terminal window session), we can use
$AP and
$WIFI to reference the MAC addresses of our target AP and our WLAN card, respectively.
Our next goal is to associate and authenticate to the target AP:
aireplay-ng -1 0 –e [Target_SSID] –a $AP –h $WIFI wlan0
• –1 specifies the fake authentication attack.
• 0 is reassociation timing (in seconds).
• e is the SSID of the target AP.
• –a is the MAC address of the access point.
• –h is the MAC address of the source wireless interface (either real or spoofed).
• wlan0 is the interface.
Once we have successfully completed fake authentication as shown in
Fig. 9.13, we can begin the fragmentation attack. This attack is designed to gather eight bytes of the keystream from a captured data packet and inject arbitrary, known data to the AP. Assuming the AP responds back, more keystream material can be captured. The procedure is repeated until 1500 bytes of PRGA are acquired. To start the attack:
aireplay-ng -5 –b $AP –h $WIFI mon0
• –5 is the fragmentation attack.
• –b is the MAC address of the access point.
• –h is the MAC address of the source wireless interface.
When you run the attack, type y to select the data packet when prompted. Aireplay-ng will then try to obtain the 1500 bytes of PRGA. Take note of the fragment∗.xor filename, where the PRGA is stored. This attack is shown in
Fig. 9.14.
If the fragmentation attack does not work, you may consider using the chopchop attack. This attack decrypts the packet byte by byte. The basic procedure is to chop off the last byte, assume it is 0, correct the packet, and send it to the AP. If the assumption is correct, the packet is valid and the AP will broadcast the packet because it's a multicast packet. If the assumption is incorrect, the AP drops the packet and the procedure starts all over again with the assumption value of 1–255. This attack does not decrypt the key, but rather, like the fragmentation attack, attempts to obtain sufficient keystream data. To begin the chopchop attack:
aireplay-ng -4 –b $AP –h $WIFI mon0
• –4 is the chopchop attack.
• –b is the MAC address of the access point.
• –h is the MAC address of the source wireless interface.
Similar to the fragmentation attack, the chopchop attack stores its data in a fragment∗.xor file.
Fig. 9.15 shows the results of the aireplay-ng chopchop attack.
Once the appropriate data has been collected from either the fragmentation attack or the chopchop attack, we can use packetforge-ng to generate an encrypted packet for use in injection:
packetforge-ng –0 –a $AP –h $WIFI –k [Destination_IP] –l [Source_IP] –y [PRGA_File] –w [filename]
• –0 generates an ARP packet.
• –a is the MAC address of the access point.
• –h is the MAC address of the source wireless interface.
• –k is the destination IP.
• –y is the PRGA file, fragment∗.xor.
• –w is the filename given to the written packet (“fake,” for example).
Most access points do not care what IP address is used for the destination and/or source IP. It is common, then, to use 255.255.255.255. Here is the response you are looking for from packetforge-ng:
Wrote packet to: fake
TipThe PRGA is used to encrypt known data into a packet that will be accepted on the network. While you cannot decrypt packets using the PRGA, you can encrypt them, thus giving you the ability to inject packets onto the network.
If airodump-ng is still collecting all packets, you may want to retailor the command line to filter out the packets you don't need. Furthermore, it is recommended to start airodump-ng in its own window so as to be able to monitor the progress of IV collection. Remember, if you want to use the export variables (
$AP and
$WIFI), you'll have to re-create them for each terminal session.
TipRemember, you can use --ivs to capture only initialization vectors. This reduces the overall size of the capture file.
The next step is to inject the ARP packet that we created with packetforge-ng:
aireplay-ng -2 –r [filename] mon0
• –2 specifies the interactive packet replay attack.
• –r [filename] extracts the packet(s) from the specified filename (in this case, we're using our packetforge-ng created packet with the name fake).
Similar to the fake authentication, type y to select the packet. Aireplay-ng will then show how many packets it is injecting.
Fig. 9.16 shows the execution of the interactive packet replay attack.
If you return to the Airodump-ng window, you can confirm that injection is taking place. The #Data column should be rising quickly, and the #/s column should show
the rate of injection (300+ packets per second is considered “ideal”). Furthermore, the total number of packets in the #Data column should be roughly equal to the “station” packets (which makes sense, as we're injecting the ARP packet and artificially creating the IVs!).
Fig. 9.17 shows the Aireplay-ng replay attack in progress.
A number of factors affect the rate of injection, most of which are controllable to some extent or another. The first among them is the type of wireless adapter you have chosen to use. It is a simple fact of life that some cards inject faster than others. Your control to this variable is to find a card that supports faster injection. Second, it is a matter of impossibility that if you are using one wireless adapter to both inject and capture packets, your card cannot do both at the same time. Inevitably, you will lose some packets due to this configuration. Other than using a second card, this variable is not controllable; however, this loss is generally negligible. A third problem that is known to affect the injection rate is the distance from the access point, which is a simple matter of signal attenuation. As you increase your distance from the AP, a lesser rate of injection can be expected. For obvious reasons, you want to get as close as reasonably possible to the AP; however, being too close can also cause packet loss from high transmit power or discovery by security guards (which does qualify as a physical security component when reporting to your client). Finally, if you are using an internal antenna, consider using an external antenna (if your card
supports one). If you're already using an omnidirectional antenna, consider using one of a directional variety. Either or both of these options will likely help to increase your rate of injection.
Fig. 9.18 shows airodump-ng in the process of collecting injected packets.
The final step is to create one last console window and run aircrack-ng:
aircrack-ng –b $AP [Capture_file]
• –b selects the target AP we're interested in cracking.
• [Capture file] is the name specified when starting airodump-ng (multiple files can be specified).
In versions prior to 1.0, aircrack-ng gathers the unique IVs from the capture file and attempts to crack the key using FMS/KoreK attacks. You can change the fudge factor to increase the likelihood and speed of the crack. The default fudge factor is 2, but you can adjust this from 1 to 4. A higher fudge factor cracks the key faster, but the program makes more “guesses,” so the results aren't as reliable. Conversely, a lower fudge factor may take longer, but the results are more reliable.
You should set the WEP strength to 64, 128, 256, or 512, depending on the WEP strength used by the target access point. A good rule is that it takes around 500,000 unique IVs to crack the WEP key. This number will vary, and it can range from as low as 100,000 to perhaps more than 500,000. In versions 0.9 and 0.9.1, you can initiate the optional PTW attack with the –z switch.
TipThe number of unique IVs that you need varies drastically depending on a number of factors. You can consider the following as a
rough guideline:
• FMS/KoreK 64-bit – 250,000 unique IVs
• FMS/KoreK 128-bit – 1,500,000 unique IVs
• PTW 64-bit – 20,000 packets
• PTW 128-bit – 40,000–85,000 packets
In newer versions, aircrack-ng changed its default attack mode to the aforementioned PTW attack. Rather than relying on weak or unique IVs, you can randomly choose the IV of these packets. This significantly reduces the number of IVs to crack the WEP key. In testing, probability of success is 50 percent with 40,000 IVs and rises to 95 percent with 85,000 IVs.
Regardless of the method by which WEP is cracked, once found, the key is displayed in hex format (see
Fig. 9.19). In this example, the PTW attack finds the key in less than a second with less than 15,000 IVs, a number that is highly unlikely using the FMS/KoreK attacks, even under the best circumstances.
9.4.5.6. CoWPAtty
CoWPAtty by Joshua Wright is a tool to automate the offline dictionary attack to which WPA-PSK networks are vulnerable. CoWPAtty is available at
http://www.willhackforsushi.com/Cowpatty.html and is very easy to use. Unlike WEP, you don't need to capture a large amount of traffic; you need to capture only one complete four-way EAPOL handshake and have a dictionary file that includes the WPA-PSK passphrase. Unfortunately, until better attacks are conceived, this is a necessary evil.
You can capture the complete four-way EAPOL handshake by either waiting for a client to connect (if you're patient or want to work with stealth) or by deauthenticating a connected client. This is done using the same Aireplay-ng deauthentication attack after which you capture the handshake when the client reconnects. Unlike WEP, there is no such thing as clientless WPA cracking. Remember that no handshake can be collected, and therefore WPA cannot currently be cracked if there are no clients.
Fig. 9.21 shows a Airmon-ng session with an indicator in the upper right showing that a WPA handshake has been captured.
Once you have captured the four-way EAPOL handshake, simply type
cowpatty in the terminal window. This displays the CoWPAtty options. Using CoWPAtty is fairly straightforward. You must provide the path to your word list, the dump file where you captured the EAPOL handshake, and the SSID of the target network.
cowpatty –f WORDLIST –r DUMPFILE –s SSID As stated in the Core technologies section of this chapter, each passphrase is hashed with 4096 iterations of the HMAC-SHA1 and 256 bits of the output is the resulting hash. Furthermore, the SSID is seeded into the passphrase hash, so changing the SSID changes the resulting hash. Depending on your computer, you may expect anywhere from 200 to 450+ passphrases per second. This can be painfully slow; however, there is a much better answer. CoWPAtty version 4 also supports the use of precomputed hash files as opposed to a dictionary file or word list. By using a precomputed hash table or creating our own, you can make CoWPAtty at least three orders of magnitude faster.
Precomputed tables have already been made available by the Church of WiFi (
www.churchofwifi.org) in both 7
GB and 40
GB varieties. The 7
GB tables were created using a dictionary file of 172,000 words and the 1000 most common SSIDs according to
WiGLE.net. The 40
GB tables were created using a file consisting of more than 1 million actual passwords and the 1000 most common SSIDs.
If you know your target SSID and it is not among the 1000 most common, simply generate your own table. Creating your own hash table is easy using the genpmk tool included with CoWPAtty:
genpmk –f WORDLIST –d OUTPUT HASH FILE –s SSID
The time you invest in creating a hash table is largely a result of the size of the dictionary or password file you're using and your computer's resources. A short word list can take a matter of seconds. Using genpmk to create one hash table with the 1-million-password file will take hours (depending, of course, on your computer's specifications). This time can be substantially reduced by using cloud computing to assist in your hash generation. In one example, a security researcher used Amazon's cloud computing services to generate a huge list of hashes very quickly. The use of cloud computing will become more and more viable as these resources continue to increase and provide vast computing power at low costs.
Epic FailIt is important to remember that your dictionary or word list must be in the Unix file format. The Windows file format typically includes a carriage return at the end of each line which will render your resulting hashes useless! This issue was encountered multiple times when the Church of WiFi tables were being created.
If you're wondering about the possibility of computing true rainbow tables in the sense of creating hashes for every character in the keyspace, consider the following math: If you limited yourself to alphanumeric characters and no “special” characters (62 characters), the total keyspace for an eight-character password is in excess of 218 trillion. Considering that our 172,000 word file creates a single 7.2
MB hash file,
the keyspace is 1.26 trillion times larger. Our answer is in the petabyte range (a petabyte is 1000 terabytes), which is not an insignificant amount of storage capacity. Adding special characters doesn't make it anymore ridiculous, and that's only one table for one SSID.
NoteWhile storage capacity in the petabytes is unreasonable today, storage continues to become larger and less expensive. It's not unreasonable to think that someday precomputed hash tables could be done for every conceivable password combination. Even building the hash tables is getting faster and faster with capabilities such as Nvidia's CUDA where the processor on graphics cards is used to help in the hash computation. By loading a machine with multiple powerful graphics cards and using technology like CUDA, hash generation (and real-time brute-force attacks) is becoming faster and faster.
Using CoWPAtty with your precomputed hash table is as simple as replacing the word list (option -f) with the hash file (option -d):
cowpatty –d HASH FILE –r DUMPFILE –s SSID This execution of CoWPAtty is shown in
Fig. 9.22. Visually, CoWPAtty responds the same way with a hash file as it does with a dictionary or word file, except that it does it much, much faster (see
Fig. 9.23). In this particular case, the passphrase we were looking for was in the dictionary file and the entire process of searching the precomputed hash table through 850,000 passphrases was complete in less than 30
seconds.
CoWPAtty USAGE
How to use:
cowpatty [options]
Input fields:
[
options] is one or more of the following options:
• -r – Packet Capture File
• -s – Network SSID (Use quotes if there are spaces in the SSID)
• -c – Checks for valid 4-way frames without cracking
Typical output: