340 likes | 978 Views
By: Dennis Maldonado. Wireless Hacking, Cracking WPA/WPA2. Tools. BackTrack Linux 5 R2 – Our attacker machine Aircrack-ng suite – Suite of tools used to recover wireless encryptions keys and carry all sorts of attacks against wireless networks . Notes.
E N D
By: Dennis Maldonado Wireless Hacking,Cracking WPA/WPA2
Tools • BackTrack Linux 5 R2 – Our attacker machine • Aircrack-ng suite –Suite of tools used to recover wireless encryptions keys and carry all sorts of attacks against wireless networks.
Notes • AP = Access Point = Wireless Router • Start backtrack GUI with “startx” • Click the second icon on the bottom left of backtrack to start a terminal.
How this works. • When clients connect to a WPA/WPA2 encrypted network, they have a 4-way handshake with the router. • We need this 4-way handshake to recover the password. • We can crack the password offline once we get the handshake • Attack is completely passive on the router.
Start wireless card in monitor mode airmon-ng start wlan0 • Tool used for putting your card into monitor mode • wlan0 = Wireless interface. You can find your wireless interface by typing “iwconfig” You should see “monitor mode enabled on mon0” somewhere.
Finding a vulnerable AP airodump-ng mon0 • Tool used to listen to wireless routers in the area • Look for any wireless networks that say WPA2 • Remember their BSSID and Channel
Capture packets from the victim AP airodump-ng–-bssid00:13:10:73:FC:C5 –c 6 –w dump mon0 • --bssidis the mac address of the router • -c is the channel of the router • -w is where to save the dump file • dump is the file name Keep that running in it’s own terminal until a client connects
Capturing the WPA Handshake • Wait until a client connects • Alternatively, force a connected client to disconnect, making them reconnect and capturing their handshake. • Will go into detail on that later…
How to know when you get the handshake • In airodump-ng, look in the top left. • You should see “WPA handshake <bssid>” • If you do, dance. • Now you are ready to crack. • Stop airodump-ng by pressing Control + c
Cracking the captured handshake • aircrack-ng will crack the password. We specify the bssid, the dump file, and a wordlist to guess the password with. • Wordlist = /pentest/database/sqlmap/txt/wordlist.txt • aircrack-ng –w <list> –b 00:13:10:73:FC:C5 dump*.cap • Aircrack-ng –w /pentest/databas
How to protect yourself • Choose WPA2 • WPA2 can have up to 63 characters. Use them! • Use Numbers, lower-upper case, special characters