WIRELESS SECURITY AND

PENTEST TUTORIAL
USING BACKTRACK
The tutorial about Network Security and Pentest using Backtrack that
covers Networking Basics, Wireless Networks Basics, Wireless Penetration
and Securing Wireless Networks.

Independent Study
by Nuno Freitas
27/05/2012

Nuno Freitas

Table of Contents

Executive Summary ... 2

Before the fun part Start ..... 3
ARP Protocol .. 4
Discovery of Networks ... 6
Wireless Networks ...... 7
Software ...... 11
Wireshark ........ 13
Wireless Deauthentication Attack ....... 21
Fake Authentication ........ 23
MAC Filtering ......... 27
Cracking WEP with a connected client (OPEN System) .... 29
Cracking WEP without a connected client (OPEN System) ....... 35
Cracking WEP (Shared Key Authentication) ..... 41
Cracking WPA (Dictionary Mode) ..... 46
Cracking WPA (Database Mode) ........ 50
Hidden ESSID ......... 55
Cracking WPA (Wi-Fi Protected Setup) ................. 57

Nuno Freitas

Executive Summary
Over the past months Ive been learning about Network Security. Ive started reading
documents like this and so Im writing this tutorial not to teach anyone how to break
into their neighbors network and get free internet or valuable information. No. Im
writing this because even not being an expert, I hope that this could be useful to those
who dont know where to begin learning about it.
Backtrack, currently in it fifth version, Backtrack 5, is an operating system based
on Ubuntu GNU/Linux distribution and it is aimed at digital forensics and penetration
testing use. It is named after backtracking, a search algorithm.
Backtrack have tons of tools that could be useful, Ill be talking about some that already
come with Backtrack and some other that you need to install if you are using an older
version than Backtrack 5 R2. Ill add to this document how to install those programs.
Through the Document lets imagine Im an attacker, attacking Wireless Networks.
In this tutorial Ill be using one Computer, with Windows 7 and VMware installed with
Backtrack 5 R2, the attacker computer.
I will use two routers through the Tutorials because my old Router (Conceptronic
c54brs4) doesnt support WPS to use against Reaver so Ill use a TP-LINK TLWR841ND.

Dont forget, the attacker pc must be using a Wireless Card that supports packet
injection in order to perform some attacks.

Nuno Freitas

My Setup

Router (Conceptronic C54BRS4)

Attacker Antenna (TP-LINK TLWN722N)

Router (TP-LINK TL-WR841ND)

Before the fun part start

Before we start the fun part I would like to write about some network basics. Thus, this
paper will be helpful even you dont have a really good knowledge of what it is a
network and how it works. Even if you know how a network works, you might find the
texts bellow interesting anyway.

Nuno Freitas

The ARP Protocol

In networks there are a variety of protocols. One of them is the ARP Protocol.
ARP stands for Address Resolution Protocol.

Before we start with the ARP Protocol, lets just remember what are Physical Addresses
and Logical Addresses.
Physical Addresses Its what we know as MAC (Media Access Control) which is
associated to a device. This address is composed by 48 bits (12 hexadecimal characters)
Logical Addresses They are what we often call as IP Address.
How does the ARP Protocol works?
In a network when a computer wants to find another one it has to know the IP of that
computer but the information inserted in the packets is the MAC Address of the
destination computer.
When you only know the IP you need to ask for the MAC. Using the ARP Protocol, that
resolves IP Addresses into MAC Addresses.
For example
Imagine a computer, lets just say Computer A, with an IP 192.168.2.105 and it wants
to communicate with a computer with an IP 192.168.2.100, Computer B.
4

Nuno Freitas

Computer A will check its ARP Table and if it doesnt possess Computer Bs MAC
Address it will send a message to the Address FF:FF:FF:FF:FF:FF asking the ARP
Address of Computer B.
(ARP REQUEST)
Then computer B will answer to Computer A sending him his Physical Address.
Computer A will add an Entry in its ARP Table with that same MAC Address
corresponding to Computers Bs IP. (ARP REPLY)
You can check your ARP Table by typing in a Command Prompt:
#arp -a

It is also possible to translate MAC Addresses into IP Addresses but the Protocol used
in that translation is the RARP Protocol (Reverse Address Resolution Protocol).
These are some of the most important Protocols in networking and some of the easiest
Protocols to understand.
Up ahead in this tutorial we will talk more about ARP Protocol.

Nuno Freitas

Discovery of Wireless Networks

When you want to perform a wireless attack you need to identify the network you are
attempting to access. Sometimes the attacker knows already what network he will
attempt to break, sometimes it doesnt so it is needed more time to figure it out.
Well, I wont talk about how to hack a corporation because the point of this tutorial is
not how to become a criminal or a hacktivist, I just want to show you how easily
someone can break through your network and get free internet or data and help you to
avoid that. So I will get to the point with a general idea of scanning and not what it
really is all about.
For the next tutorials we will be scanning the airwaves in monitor mode or promiscuous
mode which is a type of scan where you dont send any beacons or probes, instead of
that, you gather information from traffic that is already going on the air. Figuratively it's
like if your computer just sits down and read the traffic going on the airwaves and
interprets it.
To perform a passive scan a wireless card must be on monitor mode.
A card in monitor mode will read every wireless packet it can reach and try to
extrapolate data. As all wireless networks operate on the same frequency, the air is
usually flooded with packets from several different networks. The card picks up these
packets and deduces what network they belong to. This is different than just only trying
beacon or probe packets because there is always much more traffic than just those two
types of packets.
Not all wireless cards support monitor mode. The chipset of the card must support the
mode as well as the driver being used.
In the tutorials Ill be using airmon-ng which is a program in aircrack-ng suite, to put
the wireless card in monitor mode.
Before we start the hacking process there are some things you should read about if
youre a beginner. For example what are WEP and WPA encryptions? How do they
work? What is the 802.11n standard?
Lets find about that.

Nuno Freitas

Wireless Networks
There are two types of encryption in Wireless Networks, we have WEP that stands for
Wireless Equivalency Protocol and we have WPA which stands for Wi-Fi Protected
Access. In spite that WPA is more secure than WEP, both are vulnerable to different
types of attacks as we will see.

WEP (Wireless Equivalency Protocol)

WEP is not the best protection, however it is better than nothing, though generally not
as secure as the more sophisticated WPA/WPA2 encryption. A big problem is that if a
Cracker can sniff packets on a WEP encrypted network, it is only a matter of time until
the password is cracked.
If enough traffic can be intercepted by an attacker, then it can be broken by brute force
in a matter of minutes or even seconds. If that werent bad enough, the time it takes to
crack WEP only grows linearly with key length, but a 104-bit key doesnt provide any
significant protection over a 40-bit key when faced against a determined cracker. There
are several freely available programs that allow for the cracking of WEP thats why it is
indeed a broken solution, but it should be used over than nothing.
With WEP there are two different forms of authentication, shared key and open system.
In shared key, the client request authentication and the Wireless Access Point sends a
text which the client has to encrypt using the WEP key and send it back, if it matches
then the WAP (Wireless Access Point) authenticates and associates with the client.
In open system authentication any client can associate with the WAP. The client is
authenticated regardless of the key it possesses and begins to receive packets. The client
would need the correct key at this point to read the packets.
A WEP key is usually 128bit comprised of 26 hexadecimal values and a 24bit
Initialization Vector (IV). Each packet is encrypted using RC4 algorithm with the 26
hexadecimal values and a random IV. The packet is sent along with the IV in plain text.
The client then decrypts the packet using the hex key and the included IV.

Nuno Freitas

WPA (Wi-Fi Protected Access)

WPA
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP.
All regular WLAN-equipment that worked with WEP are able to be simply upgraded
and no new equipment needs to be bought. WPA is a trimmed-down version of
the 802.11i security standard that was developed by the IEEE 802.11 to replace WEP.
The TKIP (Temporal Key Integrity Protocol) encryption algorithm was developed for
WPA to provide improvements to WEP that could be fielded as firmware upgrades to
existing 802.11 devices. The WPA profile also provides optional support for the AESCCMP algorithm that is the preferred algorithm in 802.11i and WPA2.
WPA Enterprise provides RADIUS based authentication using 802.1x.
WPA Personal uses a pre-shared Shared Key (PSK) to establish the security using an 8
to 63 character passphrase. The PSK may also be entered as a 64 character hexadecimal
string.
Weak PSK passphrases can be broken using a dictionary attacks by capturing the fourway handshake when the client connects to the network or reconnects after being
deauthenticated.
WPA Personal is secure when used with good passphrases or a full 64-character
hexadecimal key. They should also not use WPS (Wireless Protected Setup) since a
huge vulnerability was discovered and can be already exploited.

TKIP
This stands for Temporal Key Integrity Protocol and the acronym is pronounced as teekip. This is part of the IEEE 802.11i standard. TKIP implements per-packet key
mixing with a re-keying system and also provides a message integrity check. These
avoid the problems of WEP.

EAP
The WPA-improvement over the IEEE 802.1X standard already improved the
authentication and authorization for access of wireless and wired LANs. In addition to
this, extra measures such as the Extensible Authentication Protocol (EAP) have initiated
an even greater amount of security. This, as EAP uses a central authentication server.
Unfortunately, during 2002 a Maryland professor discovered some shortcomings.

Nuno Freitas

802.11i security
The newest and most rigorous security to implement into WLAN's today is the 802.11i
RSN-standard. This full-fledged 802.11i standard (which uses WPA2) does require the
newest hardware (unlike WPA), thus potentially requiring the purchase of new
equipment. This new hardware required may be either AES-WRAP (an early version of
802.11i) or the newer and better AES-CCMP-equipment.

WPA2
WPA2 is a Wi-Fi Alliance branded version of the final 802.11i standard. The primary
enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory
feature. Both WPA and WPA2 support EAP authentication methods using RADIUS
servers and pre-shared key (PSK).

CCMP
CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication
Code Protocol also known as (CCM mode Protocol) is an encryption protocol designed
for Wireless Networks products that implement the standards of the IEEE
802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data
cryptographic encapsulation mechanism designed for data confidentiality and based
upon the Counter Mode with CBC-MAC (CCM) of the AES standard. It was created to
address the vulnerabilities presented by TKIP, a protocol in WPA, and WEP, a dated,
insecure protocol.

802.11b
802.11b has a maximum raw data rate of 11 Mbit/s and uses the same media access
method defined in the original standard. 802.11b products appeared on the market in
early 2000, since 802.11b is a direct extension of the modulation technique defined in
the original standard. The dramatic increase in throughput of 802.11b (compared to the
original standard) along with simultaneous substantial price reductions led to the rapid
acceptance of 802.11b as the definitive wireless LAN technology.
802.11b devices suffer interference from other products operating in the 2.4 GHz band.
Devices operating in the 2.4 GHz range include: microwave ovens, Bluetooth devices,
baby monitors and cordless telephones.

802.11g
In June 2003, a third modulation standard was ratified: 802.11g. This works in the
2.4 GHz band (like 802.11b), but uses the same OFDM based transmission scheme as
9

Nuno Freitas

802.11a. It operates at a maximum physical layer bit rate of 54 Mbit/s exclusive of

forward error correction codes, or about 22 Mbit/s average throughputs. 802.11g
hardware is fully backwards compatible with 802.11b hardware and therefore is
encumbered with legacy issues that reduce throughput when compared to 802.11a by
21%.
The then-proposed 802.11g standard was rapidly adopted by consumers starting in
January 2003, well before ratification, due to the desire for higher data rates as well as
to reductions in manufacturing costs. By summer 2003, most dual-band 802.11a/b
products became dual-band/tri-mode, supporting a and b/g in a single mobile adapter
card or access point. Details of making b and g work well together occupied much of
the lingering technical process; in an 802.11g network, however, activity of an 802.11b
participant will reduce the data rate of the overall 802.11g network.
Like 802.11b, 802.11g devices suffer interference from other products operating in the
2.4 GHz band, for example wireless keyboards.

802.11n
802.11n is an amendment which improves upon the previous 802.11 standards by
adding multiple-input multiple-output antennas (MIMO). 802.11n operates on both the
2.4 GHz and the lesser used 5 GHz bands. The IEEE has approved the amendment and
it was published in October 2009. Prior to the final ratification, enterprises were already
migrating to 802.11n networks based on the Wi-Fi Alliance's certification of products
conforming to a 2007 draft of the 802.11n proposal.

10

Nuno Freitas

Software
During these next tutorials Ill be using some programs under Backtrack 5, so lets give
a brief explanation about what are those programs all about and what type of tasks they
can be used for.

Aircrack-ng
Aircrack-ng is a network software suite consisting of a detector, packet
sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless
LANs.
It works with any wireless network interface controller whose driver supports raw
monitoring mode and can sniff 802.11b, 802.11g and 802.11n traffic. The program runs
under Linux and Windows.
Features
The aircrack-ng software suite includes:
aircrack-ng - Cracks WEP and WPA (Dictionary attack) keys.
airdecap-ng - Decrypts WEP or WPA encrypted capture files with known key.
airmon-ng - Placing different cards in monitor mode.
aireplay-ng - Packet injector (Linux, and Windows).
airodump-ng - Packet sniffer: Places air traffic into PCAP or IVS files and shows
information about networks.
airtun-ng - Virtual tunnel interface creator.
airolib-ng - Stores and manages ESSID and password lists; Increases the KPS of WPA
attacks
packetforge-ng - Create encrypted packets for injection.
airbase-ng - Incorporates techniques for attacking client, as opposed to Access Points
airdecloak-ng - removes WEP cloaking from pcap files
airdriver-ng - Tools for managing wireless drivers
tkiptun-ng - WPA/TKIP attack
airserv-ng - allows you to access the wireless card from other computers.
buddy-ng - the helper server for easside-ng, run on a remote computer
easside-ng - a tool for communicating to an access point, without the WEP key
wesside-ng - automatic tool for recovering WEP key

11

Nuno Freitas

Wireshark
Wireshark is a free and open-source packet analyzer.
It is used for network troubleshooting, analysis, software and communications
protocol development, and education. Originally named Ethereal, in May 2006 the
project was renamed Wireshark due to trademark issues.
Wireshark is very useful since you can analyze every packet individually and
understand what is going on the airwaves since that Wireshark distinguishes all types of
packets travelling the wireless field.
Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user
interface, and using pcap to capture packets; it runs on various Unix-like operating
systems including Linux, Mac OS X, BSD, and on Microsoft Windows.

Pyrit
Pyrit allows creating massive databases, pre-computing part of the IEEE 802.11
WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Exploiting the
computational power of Many-Core- and other platforms through ATI-Stream, Nvidia
CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack
against one of the worlds most used security-protocols.
Pyrit is free software. Everyone can inspect copy or modify it and share derived work
under the GNU General Public License v3+. It compiles and executes on a wide variety
of platforms including FreeBSD, MacOS X and Linux as operation-system and x86-,
alpha-, arm-, hppa-, mips-, powerpc-, s390 and sparc-processors. Pyrit is a very good
tool, although its not included in Backtrack 5. In pyrit attack tutorial I will also explain
how to install it.

Reaver
Reaver implements a brute force attack against Wifi Protected Setup (WPS) using PINs in order
to recover WPA/WPA2 passphrases.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested
against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10
hours, depending on the AP. In practice, it will generally take half this time to guess the correct
WPS pin and recover the passphrase.

12

Nuno Freitas

Wireshark
So, as you might read before, Wireshark is a packet analyzer. Lets learn how to work
with that tool.
Remember that Wireshark can work on every interface you have. For example you can
create a monitor mode interface and use it on Wireshark, that way you will get every
packet in the Wireless airwaves and get a big number of packets.
As you already saw with airodump-ng in Aircrack-ng suite it is very easy to get
thousands of packets in minutes or even seconds, it depends on the traffic of the
network. It would be a trouble to find some data frames in the middle of all the beacon
frames, but Wireshark have the ability to filter by type of packet or by MAC Address.
With this we get comfortable when we are trying to find specifically types of packet and
get to them faster.
First lets talk about WLAN frames, it will help is with Wireshark and with networking
at all if we understand this.
There are three types of frames: Management Frames, Control Frames and Data Frames.
1. Management frames: They are responsible for maintaining communication between
the access points and wireless clients. There are ten types of Management Frames:
-

Authentication - 802.11 authentication is a process whereby the access

point either accepts or rejects the identity of a wireless card. The Wireless
Card begins the process by sending an authentication frame containing its
identity to the access point. With open system authentication (the default),
the Wireless Card sends only one authentication frame, and the access point
responds with an authentication frame as a response indicating acceptance
(or rejection). With the optional shared key authentication, the Wireless Card
sends an initial authentication frame, and the access point responds with an
authentication frame containing challenge text. The Client must send an
encrypted version of the challenge text (using its WEP key) in an
authentication frame back to the access point. The access point ensures that
the Client has the correct WEP key (which is the basis for authentication) by
seeing whether the challenge text recovered after decryption is the same that
was sent previously. Based on the results of this comparison, the access point
replies to the Client with an authentication frame with the result of
authentication.

De-Authentication - A station sends a deauthentication frame to another

station if it wishes to terminate secure communications.

Association Request - 802.11 association enables the access point to

allocate resources for and synchronize with a Wireless Card. The client
begins the association process by sending an association request to an access
point. This frame carries information about the Wireless Card (supported
data rates, etc.) and the SSID of the network it wishes to associate with.
After receiving the association request, the access point considers associating

13

Nuno Freitas

with the Client, and (if accepted) reserves him some memory space and
establishes an association ID.
-

Association Response - An access point sends an association response frame

containing an acceptance or rejection notice to the Wireless Card requesting
association. If the access point accepts the radio Wireless Card, the frame
includes information regarding the association, such as association ID and
supported data rates. If the outcome of the association is positive, the Client
can utilize the access point to communicate with other Clients on the
network and systems on the distribution (i.e., Ethernet) side of the access
point.

Re-association Request - If a Wireless Card roams away from the currently

associated access point and finds another access point having a stronger
beacon signal, the Wireless Card will send a re-association frame to the new
access point. The new access point then coordinates the forwarding of data
frames that may still be in the buffer of the previous access point waiting for
transmission to the radio NIC. This is when there are several Access Points
broadcasting on the same network, not different Access points on different
networks.

Re-association Response - An access point sends a re-association response

frame containing an acceptance or rejection notice to the Wireless Card
requesting re-association. Similar to the association process, the frame
includes information regarding the association, such as association ID and
supported data rates.

Disassociation - A station sends a disassociation frame to another station if it

wishes to terminate the association. For example, a Wireless Card that is shut
down gracefully can send a disassociation frame to alert the access point that
the Wireless Card is powering off. The access point can then relinquish
memory allocations and remove the Wireless Card from the association
table.

Beacon - The access point periodically sends a beacon frame to announce its
presence and relay information, such as timestamp, SSID, and other
parameters regarding the access point to Wireless Cards that are within
range. Wireless Cards continually scan all 802.11 radio channels and listen
to beacons as the basis for choosing which access point is best to associate
with.

Probe Request - A station sends a probe request frame when it needs to

obtain information from another station. For example, a Wireless Card would
send a probe request to determine which access points are within range.

Probe Response - A station will respond with a probe response frame,

containing capability information, supported data rates, etc., when after it
receives a probe request frame.

14

Nuno Freitas

2. Control frames: Control frames are responsible for ensuring a proper exchange of
data between the access point and wireless clients. Control frames can have the
following sub-types:
- Request to Send (RTS)
- Clear to Send (CTS)
- Acknowledgement (ACK) Since 802.11 stations are not able to transmit and
receive at the same time, while a station is transmitting a frame, it is not able to
determine whether the frame was received or whether there was a collision.
Therefore, every time an 802.11 radio that received the frame will reply with a
14-octet acknowledgement (ACK) frame.
3. Data frames: Data frames carry the actual data sent on the wireless network. There
are no sub-types for data frames.
Now that it is explained the different types WLAN frames we are able to start with
Wireshark. This previous explanation about frames is important since in Wireshark you
will get hundreds of frames and you will need to filter them whether you need them or
not to simplify the process.
So, lets start with Wireshark. To start Wireshark, type wireskark& in the console.
But before we start sniffing the airwaves lets create a monitor mode device to sniff
every packet from every network in range. To do that just type:
#airmon-ng start wlan0
Wlan0 depends on your device, it could be wlan0, wlan1 It depends on the number of
Wireless cards you have connected and what you want to use.
To get used to it type:
#airmon-ng
The output will get from the shell will show you how many cards you have and their
Interface names.
After you have your Wireless card in monitor mode you will get a new interface, named
mon0, that new interface is a virtual interface which is nothing more than your wireless
card working on monitor mode.
Thats the interface we will use in Wireshark.
After you get Wireshark started you will get this window:

15

Nuno Freitas

This is the start window of Wireshark, to get started click in Interface List in Capture
below Wiresharks logo.

You will get the list of available devices that you can use to analyze packets going on
the network. Mon0 will monitor the airwaves on the available channels in your region
and eth1 or eth0 will monitor your wired network.
16

Nuno Freitas

This is Wireshark getting packets from the air. As you can see we have some ACK
frames, some data frames. You will get hundreds or even thousands of frames while you
are sniffing the packets. Imagine that we need to search for data frames well it would
be very difficult to find data frames in the middle of all the other frames, because there
are several types of frames and you are looking for only one type, thats where
Wireshark filter helps a lot.

17

Nuno Freitas

Wireshark Filters
Filter by Destination, Source and Port
eth.src With this filter you can filter by the source MAC Address (Ethernet).
Example: eth.src == 00:11:22:33:44:55
eth.dst With this filter you can filter by destination MAC Address (Ethernet).
Example: eth.dst == 00:11:22:33:44:55
wlan.addr This filter will filter packets by the source or destination MAC Address
(Wireless Card).
Example: wlan.addr == 00:11:22:33:44:55
wlan.sa With this filter you can filter by the source MAC Address (Wireless Card).
Example: wlan.sa == 00:11:22:33:44:55
wlan.da With this filter you can filter by destination MAC Address (Wireless Card).
Example: wlan.da == 00:11:22:33:44:55
wlan.bssid With this filter you can filter only the frames from an specific Access
Point by using the MAC Address (bssid).
Example: wlan.bssid == 00:11:22:33:44:55
ip.addr With this filter you can filter by source or destination IPv4 Address.
Example: ip.addr == 192.168.2.1
ip.dst With this filter you can filter by destination IPv4 Address.
Example: ip.addr == 192.168.2.1
ip.src With this filter you can filter by source IPv4 Address.
Example: ip.addr == 192.168.2.1
ipv6.addr With this filter you can filter by source or destination IPv6 Address.
Example: ipv6.addr == 2001::5
ipv6.src With this filter you can filter by source IPv6 Address.
Example: ipv6.addr == 2001::5
ipv6.dst With this filter you can filter by destination IPv6 Address.
Example: ipv6.dst == 2001::5
tcp.port With this filter you can filter packets by source or destination TCP port.
Example: tcp.port == 80
tcp.dstport With this filter you can filter packets by destination TCP port.
Example: tcp.dstport == 80

18

Nuno Freitas

tcp.srcport With this filter you can filter packets by source TCP port.
Example: tcp.srcport == 80
udp.port With this filter you can filter packets by source or destination UDP port.
Example: udp.port == 80
udp.dstport With this filter you can filter packets by destination UDP port.
Example: udp.dstport == 80
udp.srcport With this filter you can filter packets by source UDP port.
Example: udp.srcport == 80
Filter by Types of frames
wlan.fc.type == 0 With this filter you can filter only the Management frames.
wlan.fc.type == 1 With this filter you can filter only the Control frames.
wlan.fc.type == 2 With this filter you can filter only the Data frames.
Filter by Subtypes of frames
(wlan.fc.type == 0) && (wlan.fc.subtype == 1) With this filter you can filter only the
Authentication frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 2) With this filter you can filter only the
De-Authentication frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 3) With this filter you can filter only the
Association Request frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 4) With this filter you can filter only the
Association Response frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 5) With this filter you can filter only the
Re-Association Request frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 6) With this filter you can filter only the
Re-Association Response frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 12) With this filter you can filter only the
Dis-Association frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 8) With this filter you can filter only the
Beacon frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 9) With this filter you can filter only the
Probe Request frames.
(wlan.fc.type == 0) && (wlan.fc.subtype == 10) With this filter you can filter only the
Probe Response frames.
(wlan.fc.type == 1) && (wlan.fc.subtype == 1) With this filter you can filter only
Request to Send frames.
19

Nuno Freitas

(wlan.fc.type == 1) && (wlan.fc.subtype == 2) With this filter you can filter only
Clear to Send frames.
(wlan.fc.type == 1) && (wlan.fc.subtype == 3) With this filter you can filter only
Acknowledgement frames.
(wlan.fc.type == 2) With this filter you can filter only Data frames.
Filter Operators
!= - Exclude -With this operator you can exclude a filter option.
Image that you want to get all the Management Frames except Beacon Frames, you can
use (wlan.fc.type == 0) != (wlan.fc.subtype == 8)
&& - And- This operator can make a filter with two filter types.
If you want to filter only Authentication and De-Authentication frames, use
(wlan.fc.type == 0) == (wlan.fc.subtype == 1) && (wlan.fc.type == 0) == (wlan.fc.subtype == 2)

|| - Or Does exactly the same then AND but it will show filter 1 OR filter 2.

20

Nuno Freitas

Wireless Deauthentication Attack

Basically this attack sends disassociation packets to one or more clients which are
currently associated with a particular access point which make them lose connection to
the AP.
There are many reasons to perform a Deauth Attack:
-

Capturing WPA/WPA2 handshakes by forcing clients to re-authenticate.

Generate ARP requests (Windows clients sometimes flush their ARP cache
when disconnected)
Recovering a hidden ESSID.

Well there is no practical way to avoid those attacks. However it is simple to confirm if
you are being a victim of a Deauthentication Attack. To do that lets use Wireshark.
Well to get started I will use two computers in this example. One with Backtrack 5 and
the other with Windows 7. The Windows 7 machine is already connected to the
network, TP-LINK. The role that this machine is playing is simple, it will be the victim.
On the other hand I will use a second machine running Backtrack and it will be the
Attacker and the Monitor. I will be performing a Deauthentication attack and at the
same time monitoring the Airwaves for Deauthentication packets with Wireshark.
On your case, if you want to check if your being a victim of a Deauthentication attack
you can use a machine running Wireshark, which runs on Windows and Linux
So lets get started, first lets put our wireless card in Monitor mode.
#airmon-ng start wlan1
Then lets check the networks we can reach.
#airodump-ng mon0
Then attack your own network.

21

Nuno Freitas

#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 mon0

This command is sending deauthentication packets to the AP and making the AP to

Deauthenticate the Client.
Open Wireshark and start sniffing the airwaves.
Add the following filter to get only Deauthentication packets:
(wlan.fc.type == 0) && (wlan.fc.subtype == 12)

In Wiresharks output we get a bunch of Deauthentication packets, and as we can see

the Source Address of those packets is the APs Address and you cant know who is
performing the attack. This type of attack will be crucial in WPA Attacks as we will see
further on this tutorial.
22

Nuno Freitas

Fake Authentication
Fake Authentication is useful on WEP Attacks and it doesnt work under WPA
networks.
In WEP Cracking Attacks we will face two types of WEP Networks, one with Open
System Authentication and the other called Shared Key Authentication.
Open system Authentication is simple to perform Fake Authentications and you can
start whenever you want, however in Shared Key Authentication Networks you will
always need a connected client.
If the network doesnt have a connected client just wait until someone connects to the
network. We need someone from inside the network to show up because we will need a
140 bit keystream that will allow us to fake an authentication. Without that we cannot
authenticate. Remember that Open System authentication and Shared Key works
different.
Open System Fake Authentication
So, imagine that you already have your target figured it out.

In order for an access point to accept a packet, the source MAC address must already be
associated. If the source MAC address you are injecting is not associated with the
access point it will ignore the packet and sends out a "Deauthentication".
In this state, no new initialization vectors are created because the access point is
ignoring all the injected packets. The lack of association with the access point is the
single biggest reason why packet injection fails. At this point you are just connecting to
the access point and telling it you are here and want to talk to it, however this does not
give you any ability to transfer data.

23

Nuno Freitas

aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 mon0

Where -1 means fake authentication, 10 means re-association timing in seconds, -a is
the access point MAC address, and -h is the MAC address under which you act (either
your own or the spoofed one).
This is what the output should look like:

24

Nuno Freitas

Shared Key Fake Authentication

First of all, as always, put your wireless card in monitor mode.
#airmon-ng start wlan0
Then lets search for our network, WLAN will be the target Network.
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepska wlan0
Using this we will sniff all the packets from WLAN network and save them in files
called wepska. We will need to perform a deauthentication on an authenticated client in
order to capture the shared key 140 bit keystream.
If you try to fake authenticate as youve learned before you will get an error like the
following image shows
This means that the network you are attacking now uses Shared Key Authentication
system.

So, to fake authenticate in a Shared Key network we need to deauthenticate a client.

Run airodump-ng to sniff the target network:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepska wlan0
25

Nuno Freitas

With this you are only looking at the targets network. As you saw before there was a
connected client, its MAC is 00:15:AF:A2:8D:98.
So lets deauthenticate him:
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0

After you perform a deauthentication look to the top line in airodump-ng window there
is now a text saying 140 bytes keystream: 00:80:5A:28:B5:AB
This means we have captured the .xor file we were looking for to perform a fake
authentication.
Use the following command:
#aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98
-y sharedkey-01-00:80:5A:28:B5:AB.xor wlan0

26

Nuno Freitas

With this weve managed to fake authenticate in a Shared Key network.

27

Nuno Freitas

Mac Filtering
In some cases you might find some security barriers, like MAC Filtering, which is still
easy to break. Imagine that you are trying to Fake Authenticate with an AP and you are
getting an Error like this:

MAC Filtering is enabled on this network. To get through this security trick we need a
legit MAC Address which have permission to connect with the AP.
Run airodump-ng and wait until someone connects to that network or if someones
already connected use its MAC Address to spoof your own.

As we can see there is one Client connected to WLAN, its MAC is

00:15:AF:A2:8D:98. Lets turn it as our own MAC Address as well:
28

Nuno Freitas

#macchanger -m 00:15:AF:A2:8D:98 wlan1

This command will change Wlan1 device MAC Address into 00:15:AF:A2:8D:98.
Even if the client keeps connected to the Network you can begin to fake authenticate.
#aireplay-ng -1 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 mon0
This time dont forget to use the spoofed MAC in -h option.

This brief explanation on what is Fake Authentication will help you in WEP Cracking
that we will see later in this tutorial. With this information you shouldnt have any
trouble by doing this trick and performing WEP Cracking.

29

Nuno Freitas

Cracking WEP with a client connected (OPEN System)

The weakness of WEP resides in the IV. It is sent as plaintext with the packet which
basically means that anyone who grabs the packet can see the first 24bits of the code
that was encrypted. The RC4 encryption algorithm can only generate about 16 million
different codes based on the IV, meaning if you gather enough of these IVs you can
crack the code throughout a brute force attack. Also contributing to the WEPs
weakness is the discovery that some IVs are weaker than others and software can
recognize weak IVs and then use them to crack the key even quicker.
Once the theory of how to Crack WEP was proven possible, computer programs were
written that streamlined the process. There are two steps involved that programs take.
Once an encrypted wireless network is found and the client is in range, it begins to
intercept packets and logging the IVs. The packets contain encrypted data and are
worthless individually, but if enough IVs are logged the code can be cracked. Usually
about 50 000 IVs are needed to crack WEP. The number of IVs traveling is related to
network traffic, so if no one is connected to the network it will take days to get that
many, thats why you need to create artificial traffic, but in the other hand if someone is
already connected you can get a lot of IVs fast without any problems.
Of course there is a method of speeding up the collection of IVs, through a certain type
of packet injection although this technique its not supported by all Wireless Cards.
This type of packet injection is called ARP injection. With this technique the wireless
card sends out an ARP request to the access point which then responds with an ARP
response. This response contains an IV, which is then captured. This process is repeated
rapidly to generate numerous IVs. To perform this injection, the origin of the ARP
request must be associated with the AP, or else the AP will not respond. Software is
able to spoof the origin to make the request look like it came from an associated client,
not from the attackers computer.
As I told you I will be using a wireless security suite called aircrack-ng that comes with
Backtrack Linux distribution for WEP attacks. Aircrack-ng contains all the tools
necessary for discovering and cracking wireless networks.
First lets try to break a network with a connected client.
Once a network has been identified through any technique the basic steps to crack WEP
encrypted networks, and the programs used to accomplish with are:
1) Put the wireless card in passive monitor mode (airmon-ng)
2) Begin capturing packets that contain unique IVs and save them to the disk
(airodump-ng)
3) Inject ARP requests from an associated client to generate new packets (aireplayng)

30

Nuno Freitas

4) Once enough IVs have been captured, run a cryptographic attack to decipher the
WEP key (aircrack-ng)
In this case, I will attack my own network so it is like if the attacker, me, had already
identified the WEP encrypted network he wants to crack. The information he will need
to start collecting IVs is the BSSID of the access point and the channel it is operating
on. This information is easy to get using airodump-ng and it will also be used to capture
the IVs and save them into a file. In this case the BSSID of the network we are trying to
crack 00:80:5A:28:B5:AB is, the channel is 11, and we will call the output file wepkey.
Lets put our card in monitor mode, but first you need to know the Interface to use:
#airmon-ng

You have now a list of interfaces that you have on your machine. If you have only one
wireless card you will have only one interface, if you have two wireless cards connected
you have two interfaces. I might use different cards through all the tutorials, when you
see wlan1 and your Interface is wlan0 you use wlan0 instead of wlan1.
Remember Im making the attacks on my machine and it could be different from yours.
So I will use wlan0 for this tutorial. To put that Interface on monitor mode use:
#airmon-ng start wlan0
By now you have the wlan1 Interface and the system created a new interface called
mon0. Well this is a virtual interface, basically mon comes from monitor it means
that the interface mon0 is monitoring traffic.
Now lets sniff traffic from the network that we will attack, so use:
#airodump-ng wlan0

31

Nuno Freitas

As I told you before this network Im attacking is mine. My network is called WLAN so
by using airodump-ng I already know the BSSID, the Channel. Lets get started:
#airodump-ng --channel 11 --bssid 00:80:5A:28:B5:AB --write wepkey wlan0

As we can see the #Data means the number of unique IVs we caught so far and saved
in wepkey.cap. It is possible that airodump-ng create some .cap files like wepkey01.cap, wepkey-02.cap, thats why in the end we will use in aircrack-ng wepkey*.cap.
The #/s is the number of Unique IVs that we get per second. As you can see there is
no traffic at all in this network and doing the math if we will try to get 50 000 IVs, we
would need to wait 25 000 seconds, almost 7 hours to get enough IVs, so why dont we
start a packet injection technique to speed up the unique IVs collection?
We can do that using aireplay-ng:

32

Nuno Freitas

#aireplay-ng --arpreplay -b 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0

-b 00:80:5A:28:B5:AB is the access point MAC address
-h 00:15:AF:A2:8D:98 is the MAC address of the client that we will use as the arp
requester
This command will wait for an ARP Request coming from the network and flood the
airwaves with that ARP request but making it look like it is coming from the associated
client.
So if you are attacking a network that has only one client connected it could take a
while until you get an Arp request. If there is traffic coming from the network you
might have a chance to get it the simple way. Imagine the situation, there is a client
connected but he is not doing anything like if it was on stand-by mode, you can make
it the hard way by deauthenticating the client using the network forcing him to
communicating with the router. Use the following command:
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0
-0 means deauthentication attack
10 is the number of deauthentication packets it will send
-a 00:80:5A:28:B5:AB is the access point MAC address
-h 00:15:AF:A2:8D:98 is the MAC address of the client to be deauthenticated
When the client gets back to the network you might get some ARP requests. Well this is
a simple process. You get an Arp Request and you replay it. Thats what aireplay-ng 3 or aireplay-ng --arpreplay is doing. It waits for an ARP Request and replay, it gets
another one and Replay it again. And keeps doing it and consequently generating traffic
on the network. Remember that the traffic we are collecting are nothing but packets
collecting IVs that we will use to brute force the wep key.

33

Nuno Freitas

After you get the first Arp request you should be getting something like the image
above. Its just a matter of time until you get enough IVs to make a brute force attack.
Once you get around 50 000 you have a good chance of crack the network.
However if you fail, just repeat the process. Get more IVs and try again. Youll need
more IVs depending on how big is the key. There are 64-bit keys, 128-bit keys and 152bit keys, more bits means more password combinations possible and we might need
more IVs to crack the password. So if you fail with 50 000 get more IVs and you will
get the key.
As you know the captured data packets containing IVs are stored in the file that I called
wepkey outputted by airodump-ng. The program will write multiple files to the active
directory in different formats, but the one we are interested is the .cap files.
To perform the crack use wepkey*.cap since it could write more than one .cap file, for
example wepkey-01.cap, wepkey-02.cap
The attack starts with this command:
#aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap wlan0

34

Nuno Freitas

So as you can see it found the WEP key of the network. The key I used for this example
was abcdef1234 and as you see in aircrack-ng output KEY FOUND!
[AB:CD:EF:12:34]
This was the example of how to break a WEP network with an already authenticated
client. When you dont have any clients connected to the network you want to break,
you should do a different type of attack, lets find out how we can do it.

The best way to avoid someone to get access to your

network its definitely not using WEP Encryption. Use
WPA.

35

Nuno Freitas

Cracking WEP without connected clients (OPEN System)

Lets see now how to get access if no one is connected to the Network.
This type of attack is only successful when we get some packets from the wired side of
the network. I mean its true that there are no clients connected over wireless, however
the AP has RJ45 ports and we need to get some traffic from there. Why?
Well, if there is no traffic there is no way possible to create traffic. You can try but the
AP will deduce that anyone is broadcasting traffic, but the client its not connected to
the network and the AP will throw away those packets and send a deauthentication
packet to that fake client.
However if we get some packets from the wired side and using either a chopchop attack
or a fragmentation attack we can get a fragment, which is a .xor file that contains useful
information that we could use to create an a packet to broadcast to the AP and it will
provoke the AP to answer with new packets (IVs).
That fake packet is received successfully by the AP because it sees that the information
contained on that packet is valid.
After we create that legit packet and injecting it in the air you will be able to resume the
attack as we did before using a client connected. When we got enough IVs, its time to
crack the password.
So, lets get started. First, put the wireless card in monitor mode. You know the drill:
#airmon-ng start wlan0
Then use:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 wlan0
By now you dont really need to use the -w parameter because you might get few
packets. Its up to you.
Lets now associate with an access point, using a fake authentication:
#aireplay-ng -1 0 -e WLAN -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0
-1 means fake authentication attack
0 means the fake authentication attack wont stop until its succeeded
-e WLAN is the wireless SSID
36

Nuno Freitas

-a 00:80:5A:28:B5:AB is the access point MAC address

-h 74:EA:3A:90:C7:21 is our card MAC address

So I succeeded to perform a fake authentication into the AP.

Now I need to obtain the PRGA (Pseudo Random Generation Algorithm) file.
To obtain it we will need to perform a chopchop attack or a fragmentation attack.
This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can
be used to create new packets for injection. The creation of new packets will be covered
later in the tutorial.
Either chopchop or fragmentation attacks can be used to obtain the PRGA bit file. The
result is the same, so use one of them, it doesnt really matter which one you used.
I will cover the chopchop technique. Start another console session and run:
#aireplay-ng -4 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0
-4 means the chopchop attack
-b 00:80:5A:28:B5:AB is the access point MAC address
-h 74:EA:3A:90:C7:21 is the MAC address of our card and must match the MAC used
in the fake authentication
wlan0 is the wireless interface name

37

Nuno Freitas

So after you perform a fake authentication you need to wait until you get a packet to
perform an attack, I kept a console window performing fake authentications at every
second as you can see, so I dont get deauthenticated by any reason and another one
with the chopchop attack waiting for a packet to start.
When the console asks you Use this packet? press y and then ENTER to start the
chopchop attack.

Wait a few seconds for the chopchop attack to make its magic. The file replay_dec0917-223734.xor as you can see above can now be used in the next step to generate an
Arp packet.

38

Nuno Freitas

The objective is to have the access point rebroadcast the injected Arp packet. When it
rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack
the WEP key.
Use the following command:
#packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255
-l 255.255.255.255 -y replay_dec-0917-223734.xor -w arp-request

-0 means generate an arp packet

-a 00:80:5A:28:B5:AB is the access point MAC address
-h 74:EA:3A:90:C7:21 is MAC address of our card
-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-y replay_dec-0917-223734.xor is file to read the PRGA from
-w arp-request is name of file to write the arp packet to

The system will respond: Wrote packet to: arp-request

Lets close the console running airodump-ng and open a new one and start airodump-ng
again. This time you need to add the -w parameter so we can save the IVs we will
generate to a file. If you used it already in the first one then you dont need to close it.
So use airodump-ng like this:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepkey wlan0
Lets call that file, wepkey.
On the console window you used to create the packet use this command:
#aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0
After you start injecting arp requests from the packet you just created, the cracking
process will be just like cracking WEP with a previous associated client.
This will inject the packet we created in the air. After that the system will ask you if you
want to use that packet, press y and ENTER to start injecting arp requests.

39

Nuno Freitas

As you can see now we are getting a lot of data (IVs).

Remember once again, when you get around 50 000 IVs you have a good chance of
crack the network.
Dont worry if you fail, try again with more IVs. Remember that youll need more IVs
depending on how big is the key. There is no way to determine the size of the key so try
with 50 000 if you fail try with 200 000 and if you fail get more, and youll get there.
The point here is that you are doing it the right way if you fail is for bad luck and not
because youre doing it wrong.
All of the captured data packets containing IVs are stored in the file that I called wepkey
outputted by airodump-ng. The program will write multiple files to the active directory
in different formats, but we are looking for .cap files.
Airodump-ng creates more than one .cap file, I mean it creates wepkey-01.cap, wepkey02.cap
So, when youre ready, use the command:
#aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap

40

Nuno Freitas

So as you can see it found the WEP key of the network. The key I used for this example
was 1234567890 and as you see in aircrack-ng output KEY FOUND!
[12:34:56:78:90]

As I told you before do not use WEP, although it is

better than nothing it is an unsecure method to
protect your network.

41

Nuno Freitas

Cracking WEP (Shared Key)

So, now lets crack a WEP network using Shared Key system.
For this example we will always need a connected client. If the network doesnt have a
connected client just wait until someone connects to the network. We need someone
from inside the network to show up because we will need a 140 bit keystream that will
allow us to fake an authentication. Without that we cannot authenticate. Remember that
Open System authentication and Shared Key works different.
So after we authenticate we need to perform a fragmentation or a chopchop attack to get
a fragment to create a packet to inject in the airwaves. After that is like cracking WEP
with Open System. Wait and get enough IVs to crack the password.
First of all, as always, put your wireless card in monitor mode.
#airmon-ng start wlan0
Then lets search for our network, WLAN will be the target Network.
#airodump-ng -c 11 --bssid 00:80:5A:28:B5:AB -w wepska wlan0

Using this we will sniff all the packets from WLAN network and save them in files
called wepska. We will need to perform a deauthentication on an authenticated client in
order to capture the shared key 140 bit keystream.

42

Nuno Freitas

After you perform a deauthentication look to the top line in airodump-ng window there
is now a text saying 140 bytes keystream: 00:80:5A:28:B5:AB
This means we have captured the .xor file we were looking for to perform a fake
authentication.
Use the following command:
#aireplay-ng -1 0 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98
-y wepska-01-00:80:5A:28:B5:AB.xor wlan0
Remember to always change the packets name from what I have to what you get. They
might be different.

Now we will perform a fragmentation attack. Use the next command:

#aireplay-ng -5 -a 00:80:5A:28:B5:AB wlan0
43

Nuno Freitas

Wait until you get a packet to use in the attack. When the system asks you Use this
packet? press y and then ENTER to use it, and you will get a fragment that we will
use to create an Arp Request.
Basically this is the same that we did before on WEP Open System without connected
clients.

As you can see in the output of the fragmentation attack you got now a file called
fragment-0921-140138.xor or something similar.
Lets now create an arp-request. Use the following command:

44

Nuno Freitas

#packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255

-l 255.255.255.255 y fragment-0921-140138.xor -w arp-request

This command will create an arp-request based in that fragment. Now we need to inject
that packet in the airwaves and it will provoke the AP to respond to it with new IVs.
#aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0
You should have the airodump-ng window sniffing them and saving the files, as I
used above those packets are being saved in the file wepska*.cap. When we got
enough IVs we will crack the WEP key. When we get around 50000 IVs use the
following command:

Ok, when you got enough IVs lets perform the bruteforce attack:
#aircrack-ng -b 00:80:5A:28:B5:AB wepska*.cap

45

Nuno Freitas

As you can see the key was successfully cracked. The key for this example as
1234567890 and as you can see in the image KEY FOUND: [12:34:56:78:90]. So this
is everything about WEP. Lets see now the WPA part of this tutorial.

Even being trickier to hack, WEP using Shared Key

encryption is still an unsecure Encryption to use on
your network. WPA is the solution

46

Nuno Freitas

Cracking WPA with Dictionary Attack (Aircrack-ng)

After WEP was proven to be completely breakable, WPA emerged as its successor, it
uses a much more advanced algorithm and does not have IVs. It doesnt matter if you
collect a big amount of packets, you cant crack it that way.
Most consumers use what is called WPA Personal, which utilizes a pre-shared key
(PSK), which is a common key shared across all devices used for authentication.
When a client wants to associate with a WPA encrypted network, a four-way handshake
takes place. Briefly what occurs is the client first seeks association with the AP, the AP
sends the client a bit of data which the client encrypts using the passphrase, SSID and
some other data. The client sends this back to the AP which then encrypts that. If it
match up the AP installs the main key on the client which is successfully associated and
able to decrypt the packets.
The packets are encrypted with this key, not the passcode. This is known as the fourway handshake between a client and the AP.
Unlike WEP, there is not enough information contained in the packets to find the key.
No matter how long an attacker sniffs the network and intercepts packets, he will never
be able to crack the passphrase. However, within the four-way handshake, there is
enough information to brute-force the passphrase.
The basic steps for cracking a WPA Personal encrypted network are:
1) Discover the network and be within range to intercept packets.
2) Start sniffing the network for the four way handshake and capture it when it arises.
3) Wait for a new client to authenticate or deauthenticate a current client.
4) Brute force the captured handshake file with a dictionary file.

So the first thing to do is to put your Wireless card on monitor mode:

#airmon-ng start wlan0
So next you will search for networks within range to intercept and inject packets.
#airodump-ng wlan0

47

Nuno Freitas

So lets break into WLAN.

WLANs BSSID it is 00:80:5A:28:B5:AB, its all that we need to start sniffing packets
waiting for the four-way handshake. To begin sniffing use the following command:
#airodump-ng --bssid 00:80:5A:28:B5:AB w wpakey wlan0
So we are now sniffing packets from WLAN network and saving them (-w) into a file
named wpakey. Just like for WEP networks we will need that file later and once again we
are interested in the *.cap file.
So, right now you either wait for a new client to connect to the network if no one is
connected already or you can deauthenticate that client forcing him to authenticate again
and by doing this you sniff the four-way handshake between the client and the Wireless AP.
Lets make it with an authenticated client already with the following MAC Address:
00:15:AF:A2:8D:98.

So lets deauthenticate the client with the next command:

48

Nuno Freitas

#aireplay-ng --deauth 25 a 00:80:5A:28:B5:AB c 00:15:AF:A2:8D:98 wlan1

When the client connects again, you will get the four-way handshake, you can see in
airodump-ng window that you got it in the top right side of the console window.

The number after --deauth is the number of deauthentication packets aireplay-ng will send.
A higher number will increase the probability of it working, but is less stealthy.
The deauthentication was done and now we have got the four-way handshake.

Once the handshake has been captured, the attacker can stop capturing all packets. The
information contained in the handshake is all that is needed to crack to WPA
passphrase.
Once the attacker has the handshake it is possible to crack the passphrase with
dictionary techniques. This technique uses a wordlist and goes through each word one at
a time, encrypting it with the other data gathered (the SSID and others) to see if it
matches. When a match occurs, the word from the list is the passphrase used.
This can be extremely time consuming depending on the complexity of the
passphrase, the size of the dictionary file and the speed of your CPU. An attacker is
limited by his processor speed to how many passwords he can try per second.
With dictionary files containing millions and millions of different combinations of
letters, words and numbers, the process could take a very long time.

49

Nuno Freitas

Fortunately, most consumers choose simple, easy to remember passphrases that can be
decrypted using smaller dictionary files containing common names and passwords.
The program aircrack-ng can be used to crack the handshake. The attacker must have a
word list on his system. Backtrack includes several wordlists of different sizes, and
larger ones can be downloaded from the internet.
To use a word list with aircrack-ng and our captured handshake use this command:
#aircrack-ng -w /pentest/passwords/wordlists/wpa.txt wpakey*.cap
The output will look like this when aircrack-ng gets the password:

It took a little bit more than 20 minutes to discover the Wireless AP passphrase. The
attacker has now the ability to get inside the network. It took 954864 guesses to
discover the password. The dictionary file that I used it could be considered as a big
dictionary, you might not be able to avoid a successful attack by a determined attacker,
but you sure can make his work a lot harder if you use a strong password.

50

Nuno Freitas

Cracking WPA using Pyrits Database Attack

The next type of attack that Ill cover is a type of attack where you can import many
dictionaries to a database and then perform an attack with all the imported. So first lets
install a suite called pyrit because it is not included in Backtrack.
Installing pyrit
Do the following at the terminal:
svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn

Then do this:
sudo apt-get install libssl-dev
sudo apt-get install scapy
sudo apt-get install python-dev
Browse to pyrit directory:
cd /pyrit_svn/pyrit
And type:
sudo python setup.py build
sudo python setup.py install

Ok, now you have Pyrit installed and it should be up and running.

I will be use Pyrit with aircrack-ng.

So first of all, put the wireless card in monitor. Lets use aircrack-ng suite until we got
the handshake.
First use:
#airmon-ng start wlan0
Then use:
#airodump-ng wlan0

51

Nuno Freitas

So at this point you should get all the information about the network you will try to
attack. For this example we will attack a WPA encrypted network with WLAN as the
ESSID, 00:80:5A:28:B5:AB as the BSSID and working in channel 11.
Now we should begin sniffing only this network by using the following command:
#airodump-ng bssid 00:80:5A:28:B5:AB c 11 -2 wpahandshake wlan0
This will sniff the packets from WLAN and save them in a file called wpahandshake.
Once again I remember that we will be looking for the *.cap file in the end.
If a client is connected to the network make a deauthentication attack so the client needs
to re-authenticate and you get the handshake or if no one is connected, wait for someone
to do it.
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan1
Now that you have the handshake, lets use pyrit.
Lets analyze our handshake file, use the following command in the command line:
#pyrit wpahandshake*.cap analyze
Note that wpahandshake*.cap is the name of the files that airodump-ng save with
packets sniffed from the victims network, they could be wpahandshake-01.cap,
wpahandshake-02.cap
You should get a window like this:

52

Nuno Freitas

The output is that the Access Point have the mac 00:80:5A:28:B5:AB with WLAN as
the ESSID.
It also says that the file captured an handshake from the client with mac address
00:15:AF:A2:8D:98.
So now lets start working with Pyrits database.
As you may know guessing the password used in WPA-PSK and WPA2-PSK is a
computational intensive task. During this process, 100% of your CPU is being used to
compute what is known as the Pairwise Master Key, a 256bit key derived from the
ESSID and a Password using the PBKDF2-HMAC-SHA1 algorithm. One of the major
weaknesses of the WPA-PSK is that the Pairwise Master Key has no elements that are
unique to the moment of the key-negotiation between Access Point and Sation. It is
therefore possible to pre-compute the Pairwise Master Key and store it for later use.
This is where Pyrits database kicks in. It can store ESSIDs, passwords and their
corresponding Pairwise Master Keys, possibly growing to the size of hundreds of
millions of entries. Starting with a fresh installation of Pyrit, your database will most
probably be empty.
Issue the following command to get an overview:
#pyrit eval
And you will get this output:

root@bt:~# pyrit eval

Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com

53

Nuno Freitas
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 0

Lets use a command to import some passwords to our database:

#pyrit i /pentest/passwords/wordlists/wordlist.txt import_passwords
Note that /pentest/passwords/wordlists/wordlist.txt is the path where I have stored a
wordlist, you can use dozens of dictionary files, pyrit ensures that duplicate passwords
are not stored again in the database, it also doesnt store passwords that are not suitable
as a WPA/WPA2 password.
After you imported the passwords to the database, use this command again:
#pyrit eval
You should get an output like this:
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 989532

Now that we have some passwords in the database, we have to create an ESSID, for
that, use the following command:
#pyrit e WLAN create_essid
Note that WLAN is our victims ESSID
Pyrit output will say that ESSID WLAN was created successfully and if you use the
eval command again it will show you that WLANs ESSID dont have any password
pre-computed.
So we have already some passwords in the database, and we have an ESSID created, we
need to pre-compute the passwords to use with that ESSID. This process could take
some minutes. It depends on how many passwords you have imported to the database.
To pre-compute the passwords with the ESSID you just created use this command:
#pyrit batch
Pyrit will give the output Batchprocessing done when it completes the process.
We can now use the Pairwise Master Keys stored in the database to attack the same
handshake as in the example above. Instead of running a passthrough-attack, where
the database is not touched at all, we issue a database-attack like the following:
54

Nuno Freitas

#pyrit r wpahandshake*.cap attack_db

Dont forget that wpahandshake*.cap is the file where the handshake is stored and that
-r parameter tells pyrit to read the file wpahandshake*.cap. So you should have the
following output.

This process is much faster than a dictionary attack, as you can see the image above
Pyrit was trying 515375 passwords per second and gave us in the output that the
password is security. This process only takes more time pre-computing the passwords
with the ESSID, but will be useful when you have to use many dictionaries at the same
time.

Alright, Ive been telling you to use WPA and still it

got hacked. However it would take ages to hack a
good PSK with a HUGE dictionary. So always use a
strong password.

55

Nuno Freitas

Cracking a Network with Hidden ESSID (aircrack-ng + pyrit)

Cracking a network with a hidden ESSID is pretty simple, you have done already all the
steps in order to do it. It is possible to do it only with aircrack-ng, the reason Ive made
it with aircrack-ng and pyrit is because Ive already have the ESSID WLAN, which is
the ESSID Ive been using in these tutorials, programmed in pyrits database, which
makes the process faster than using aircrack-ngs dictionary attack. So, do not think that
it is only possible with pyrit. So, lets get going Ill show it on a WPA network, if you
will try on a WEP network its the same, but you need to perform the deauthentication
and then go back to WEPs method.
The first step in all of our tutorials:
#airmon-ng start wlan0
After this lets search for networks:
#airodump-ng wlan0

As you can see there is a network with a strange ESSID, it is something like <length: 1>
This is a hidden ESSID, and well be able to get the real ESSID by performing a
deauthentication to one of the connected clients.
Lets sniff only the hidden networks packets:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w hiddenwpa wlan0
Lets deauthenticate a client now:
#aireplay-ng -0 10 a 00:80:5A:28:B5:AB c 00:15:AF:A2:8D:98 wlan0

So, now that you deauthenticated a client you should have something like this:

56

Nuno Freitas

As you can see the network ESSID now changed to WLAN, by doing this we also got a
handshake so lets now crack the password:
#pyrit -e WLAN -r hiddenwpa-01.cap attack_db

This time we needed to add the -e parameter since its an hidden ESSID, pyrit cant
guess it. And we have the password, it is security.

Hiding the ESSID is not enough.

57

Nuno Freitas

Attacking WPA Networks using Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is an optional certification program developed by the WiFi Alliance designed to ease set up of security-enabled Wi-Fi networks in home and
small office environment.
Wi-Fi Protected Setup supports methods (pushing a button or entering a PIN into a
wizard-type application) that are familiar to most consumers to configure a network and
enable security.
Reaver is an application that exploits WPS that I will use to cover this attack.
It implements a brute force attack against WPS entering PINs in order to recover
WPA/WPA2 passphrases.
The Pin is 8 digits long:

Doing the Math there would be 108 = (100 000 000) Pin combinations.
However an attacker can derive information about the correctness of parts the PIN from
the APs responses.
1. If the attacker receives an EAP-NACK message after sending M4, he knows that
the 1st half of the PIN was incorrect.
2. If the attacker receives an EAP-NACK message after sending M6, he knows that
the 2nd half of the PIN was incorrect.
This form of authentication dramatically decreases the maximum possible
authentication attempts needed from 108 = 100 000 000 to 104 + 104 = 20 000.
As the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at
most 104 + 103 = 11 000 attempts needed to find the correct PIN.
Reaver has been designed to be a robust and practical attack against WPS, and has been
tested against a wide variety of access points and WPS implementations.

58

Nuno Freitas

Below there is a flowchart that explains the method used by the Bruteforce attack to the
WPS flaw:

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 410 hours, depending on the AP. In practice, it will generally take half this time to guess
the correct WPS pin and recover the passphrase.
I want to make it clear this will only work on networks with WPS enabled. Since the
Router Ive been using doesnt have WPS I will use a new one with the same
configurations (ESSID and Passphrase).
59

Nuno Freitas

But you dont need to worry, Ill cover how to check if an AP has WPS enabled or not.
First of all, if you need, download Reaver. It doesnt come with Backtrack older
versions so you might have to install it, even though it is easy to do it.
You can download Reaver at http://code.google.com/p/reaver-wps/downloads/list
After you download extract Reaver folder to your desktop or whatever other folder you
want.
By the way Reaver is only supported on the Linux platform, requires the libpcap and
libsqlite3 libraries.
After you extracted the folder, browse to it. Lets do it like if I extracted to my Desktop
folder.
In the shell, browse to the following directory:
#cd /root/Desktop/reaver-1.3/src/
Within this directory you will find several files.
Lets start the installation, run the following command:
# ./configure
If you get this error: bash: ./configure: Permission denied
Use the command:
#chmod +x configure
This will give execution permission to the file configure
Try again, this time you wont have any problems.
# ./configure
Let it install, when it finishes use the following command:
# make
And then:
# make install
Ok, Reaver is installed.
Now we can have some fun with Reaver. Lets start the attack.

The first thing to do is to put your Wireless card on monitor mode:

60

Nuno Freitas

#airmon-ng start wlan1

Then lets sniff some beacon frames and save them in an output file:
#airodump-ng -w beacons mon0
Let airodump-ng run for a while, 1 minute is enough. Dont forget to use -w option to
save the packets youre getting in a file. What we want are Beacon frames, dont worry
about data packets.
Then you will run the following command:
# walsh -C -f beacons-*.cap
Walsh will look at the cap files that airodump-ng created with the beacon frames and
will give you a list of the networks that have WPS enabled.
In Reaver 1.4 Walsh, changed the name to Wash, so if youre getting any error, browse
the Reaver Installation Folder and see if you find Walsh or Wash script.

Then run:
#airodump-ng mon0

Check what channel is your target running

Now launch reaver:

61

Nuno Freitas

#reaver -i mon0 -b 54:E6:FC:99:DC:98 -c 1 vv

-vv enables verbose mode, and you can see the progress and the warnings.
-b is the bssid of the target network
-c the channel that the network is broadcasting on

62

Nuno Freitas

You can use aircracks fake authentication while running reaver, its up to you.
If you start getting blocked by the AP use macchanger command to change your mac
and start again.
After some hours running Reaver, you will get to the passphrase.

As you can see, we got the passphrase which in this case was security.

In this particular situation WPA is cracked even if you

have a good password. Although by disabling WPS on
your Router you will annul this flaw.

63

Nuno Freitas

Conclusions
I hope you all enjoyed this paper as much as I enjoyed writing it. Hopefully, by now
you understand better how insecure most of the Wireless Networks are in our days and
youll be careful next time you configure a Wireless AP.
When I started this Independent Study I had a rough idea of what I wanted to
research/learn about and it was a very rewarding experience. Ive learned more than I
was expecting and I really enjoyed the time I took learning and practicing.
I read books, websites watched videos from which I guided myself but still, I thought
about writing my own paper as a second method of study.
I took the leap after I found a paper like this one and I really wanted as retribution to
write a paper of mine, so other that are in the same situation that I was some months ago
could learn with a simple and pleasant reading since I wrote this paper as I was learning
from zero.

Any feedback will always be

appreciated. Feel free to contact me on
nunofreitas9@gmail.com

64