Step by Step Backtrack 5

8/10/2019 Step by Step Backtrack 5

1/29


2/29

ep by Step Backtrack 5 and wireless Hacking basics

stalling Backtrack 5


3/29

ooting Of a DVD


4/29

stalling to the Hard drive


5/29

stalling and running with VMware


6/29

PA dictionary attack

etting a handshake and getting a data capture

ing aircrack and a dictionary to crack a WPA data capture


7/29

eaver

ep by Step Backtrack 5 and wireless Hacking basics

information in this book is for testing and educational purposes only; for use by network security

ministrators or testing the security of your own wireless connection.

ere are many different types of wireless attacks but in reality only two main types are used. I will

p by step through each. If you have Backtrack 5 installed the first chapter can be skipped directly t

ck you would like to use.

ere are different types of wireless attacks. Currently the main types of wireless hacks are WPA

tionary attack, and Reaver.

the past WEP used to be the main encryption used on routers but WEP was notoriously easy to crad is rarely seen any more. WPA or WPA2 which are really the same thing are the way in which rou

now encrypted and much harder to crack.

e way you think about these attacks are as important as the attacks themselves. There is no point an

ck option. Learning commands and typing them in a terminal window is a must.

ying multiple routers to play with is also a good idea. There are plenty to be found at yard sales an

ap meets on the cheap. Different manufactures do different things and have different setups so somve a weakness another will not.

e thing to mention also is that a internal wireless network adapter will not work with Backtrack an

reless attacks. This is not because the adapter is not supported it may or may not be. It is because m

reless chipsets do not support packet injections or the things required to do a wireless attack.

e most common wireless USB adapter currently used are the Alfa AWUS036H and the Alfa

WUS036NH. I have used both and both are good, but if possible get the Alfa AWUS036NH becaus

pports wireless N. While the Alfa AWUS036H supports wireless G.

stalling Backtrack 5

cktrack 5 is free to download and install and can be downloaded here. http://www.backtrack-linu

e Backtrack file is huge 4 GB depending on the type of file you download. There is three ways to

tall Backtrack, install to the hard drive, boot off a DVD or flash drive, or run it in virtualization.


8/29

e easiest way is to burn the Backtrack 5 ISO to a DVD or a flash drive and boot off of it. Of course

ce the computer restarts data can be lost if not stored correctly.

talling Backtrack to the Hard drive is the same as installing any Operating System, which everyon

miliar with.

nning it within virtualization is the most common way. Mainly because a familiar operating system

Windows can be run at the same time and files transferred between the two easily. This does take ources, and can add another layer of troubleshooting a problem if something happens.

e personally I run VMware Player with Backtrack 5 and Windows 7. If you are just starting out I w

ot off a disk or flash drive. This is a personal option and depends on your personal opinion.


9/29

ting Of a DVD

boot off a DVD or Flash drive the Backtrack 5 ISO will be needed. The download can be found h

p://www.backtrack-linux.org

O burning software will be needed such as Power ISO. You may already have a ISO burning capab

your burning software, if in doubt use Power ISO.

ce the ISO is downloaded and burning software is up simply burn the ISO image to a DVD. Then

DVD in the computer you which to boot off of and start the computer and boot off the DVD.

e default username and password for Backtrack is root then toor.

ep by Step Backtrack 5 ISO install

1.Download the Backtrack ISO http://www.backtrack-linux.org/downloads

2.Download PowerISO or any ISO burning utility if you do not have one.
http://www.backtrack-linux.org/downloads


10/29

http://www.poweriso.com/download.htm

3.Install PowerISO

4.Install a DVD into the DVD burner and open PowerISO.

5.Open the Backtrack image file in PowerISO then click burn and burn the Backtrackimage file to DVD.

6.Use the DVD to boot which ever computer you like into Backtrack.

int: Backtrack ISO can be made to boot off of a flash drive also.)
http://www.poweriso.com/download.htm


11/29

stalling to the Hard drive

e ISO will be needed to be burnt to a DVD to install to the hard drive. This is the same as the abov

oting off the DVD except once Backtrack 5 is up and running use the option to install it.


12/29

stalling and running with VMware

nning two operating systems at the same time is quite common now and done relatively easy. If you

w to this then booting off a DVD will be much simpler.

cktrack 5 VMware installation is fairly straight forward. There is two main ways Backtrack can btalled

1. VMware image (This is a pre-setup Backtrack install that can simply be opened in VMwa

2. ISO (can be installed in to VMware much like installing any operating system but takes mtime)

e first way with VMware image is the way that I like to usually run Backtrack and the easiest. For o do not know VMware is a way to run another operating system virtually within another operatintem. Basically if you are running Windows and want to run a Backtrack/Linux install at the same tiu can do this with VMware.

Mware works very well and as long as you have a fairly recent computer it should run fine. If you holder laptop or older computer then the ISO may be better. Mainly because a ISO can be burnt to any bootable device and booted off of. When Backtrack/Linux is booted off a ISO then it does not ndows in the back ground.

Mware workstation is not exactly cheap although there is a free version. There is a 30 day free triaMware Workstation if you want to check it out.


13/29

Mware player is the best bet because it is free and will run Backtrack. It does not have all the optioMware workstation but does work. http://www.vmware.com/products/player

e download for the newest Backtrack 5 installs and so can be found herehttp://www.backtrack-ux.org/downloads. Install VMware first then add the Backtrack VMware image software into it.

ep by step Backtrack 5 VMware installation

1.Download VMware www.vmware.com/products/player

2.Download the Backtrack VMware image file. http://www.backtrack-linux.org/downloand extract the files.

3.Install VMware: follow the default options

4.Once VMware is installed go to file, open, VMware Backtrack Image file location anclick on the file. Backtrack will open and come up to a logon screen. The user name is rand the password is toor. Once you are logged in type startx and Backtrack will open inGUI.
http://www.backtrack-linux.org/downloadshttp://www.vmware.com/products/player/overview.htmlhttp://www.backtrack-linux.org/downloadshttp://www.vmware.com/products/player


14/29

PA dictionary attack

PA and WPA 2 is the newest encryption for wireless devices, as far as cracking them they are the s

I will use WPA from here on.

dictionary attack is one of the easiest to understand but the least likely to find a password. This is

last resort because while it does work it depends on the dictionary used and the computing power

sically a data capture of the router is captured wirelessly when someone logs into the router. Then

tionary file with a bunch of names and combination of names/numbers is used to throw at the datapture until the password is found.

omeone knows the person then they may be able to guess the password but otherwise this can take

g time and never find anything. If you are stuck using this method, thinking about how the passwor

ght be structured will be crucial along with computing power. The data capture could be copied

ween multiple computers to split the things up. A to F on one G to Z on another. Cloud computing m

a option to harness someone else computing power and so on.

member using your mind with a dictionary attack is as important as the attack itself.

ere are other ways such as Rainbow Tables, or the video card attack, but the simplest or easiest w

ck WPA is to use Brute Force. The way this works basically is that there is a large dictionary that

e to throw as many combinations of words as possible at the WPA encryption until it cracks. If the

ssword is easy then it will find it quick, if it is a long paraphrase with many different number letter

mbinations then it will be much harder.

etting a handshake and getting a data capture


15/29

mmands used

mon-ng

mon-ng start wlan0

odump-ng mon0

cktrack should be up and running.


16/29

en two terminal windows

n the command "airmon-ng" to see if your USB adapter shows up, if it doesn't then some

ubleshooting as to why it is not will have to be done. For this example I am using a Alfa AWUS03

ich uses the RTL8187L chipset


17/29

ce you know the adapter is connected and operating run this command to get the adapter into moni

de.

mon-ng start wlan0


18/29

all goes well the screen will scroll by with some information then say enabled on mon0. sometime

l enable on mon1 or mon2 if it does use this.

w we want to see what router or access point (AP) are out there so we run this command.

odump-ng mon0


19/29

picture like the above should come up and show all the AP out there. Here we want to target the AP

nt and copy the BSSID. Use CTRL+C to stop the command and copy the BSSID.

w we want to leave the original terminal alone and move to the second open terminal. Here we ar

ng to setup the adapter to do a data capture on the AP point we selected. After we do this we will

wait for a wireless device to connect to the router and it will do a data capture. To do this we do t

lowing command.

odump-ng -c (channel) -w (Our file name) --bssid (bssid of AP) mon0

for me it would be

odump -c 1 -w MyWpaCatch --bssid 00:14:D1:EA:C4:3d mon0


20/29

en it should go into monitoring the AP for a data capture.


21/29

this point we could simply wait for someone to connect wirelessly to the router. It can be any devi

ir laptop, desktop or smart phone. If we wait then we stay in passive mode and no one can detect

there. The bottom terminal (in this example) will pop up and say WPA Handshake in the upper rig

en this happens.


22/29

ere is a way to speed this up if you know someone has a wireless device connected to the router b

henticating them or kicking them forcing them to reconnect. This will most likely be recorded by th

uter so this is not a passive method. To do this open another terminal window and type the followin

eplay-ng -0 5 -a (Target AP BSSID) mon0


23/29

me this would be

eplay-ng -0 5 -a 00:14:D1:EA:C4:3D mon0

ing aircrack and a dictionary to crack a WPA data capture

u should already have a WPA handshake file and Backtrack 5 running.

e default storage for a WPA handshake is under root and will be there under whatever name youled it. The dictionary that we will use is built into backtrack under the pentest/passwords/word

d is called darkc0de.lst.

tting a good dictionary can be hard there are some dictionaries within Backtrack 5 that I will use tplain the Brute Force method but there size is limited making them useless against all but the easie

ssphrase.

e will be using aircrack to do the cracking and the command to do this is:

crack-ng (file name) -w (dictionary location)


24/29

here the file name is the handshake file you captured and the dictionary location is the path to yourtionary. The location of where this two files are and their names will be up to you. as I said above

ual default location of the handshake file is under /root and is whatever you called it. We will be udarkc0de.lst dictionary for this example under the

ntestpasswords/wordlists directory.

the command for me to do this would be:

crack-ng rootmywpacatch-05.cap -wpentestpasswords/wordlists/darkc0de.lst

done right aircrack should start and begin to try to crack the WPA handshake capture with the dictio


25/29

he dictionary finds it, it will show as below if not then another dictionary will need to be used. Foample I edited the text dictionary file and put the password in to show what it looks like when it isnd.


26/29


27/29

eaver

aver is one of the best tools to come along in a while. Before WPA was implemented and WEP ru

reless encryption any network could be cracked easily. But when WPA became the standard it bec

ch harder with using the dictionary attack method the only real option. Then came Reaver.

aver works by a flaw found in routers called WPS. WPS makes it easy for wireless devices to fin

nnect to a router. The problem is the WPS has a flaw in it that lets someone go around the encryptio

a router has WPS enabled then cracking the encryption is no longer necessary. Think of it like ackdoor.

a router has WPS enabled it can be cracked in two to ten hours.

Fi Protected Setup, or WPS. Its a feature that exists on many routers, intended to provide an easy setup process, and

to a PIN thats hard-coded into the device. Reaver exploits a flaw in these PINs and the result is that, with enough tim

reveal your WPA or WPA2 password. Reaver does not attempt to take on the WPA encryption itself but goes around it

S and then displaying the password.

with other attacks there are some problems with this. Such as signal strength, a strong signal is alm

must. Also some routers can crash if too many pins get thrown at it to quickly much like a denial of

vice attack can crash a PC.

nding a WPS enabled router is the first step this used to be hard to do until the "wash" command ca

ng.

e wash command has been notorious for having problems and not working correctly. Basically t

ash command goes out and tells you if a router has WPS on it so you dont wast your time runnin

ver. I believe I have found a fix that has been working for me on both Backtrack 5 and Kali Linux.

st make a directory like this.

MKdir etcreaver then run the wash command wash -i mon0 -C

install reaver use the following command (Backtrack 5 r2 and higher have reaver pre-installe-get install reaver

e need the Bssid to run reaver so run the following commands. This is the same as above when doin

ng a data capture at the start.mon-ng start wlan0odump-ng mon0

py the BSSID and then run the following command.ver -i mon0 -b (The BSSID) vv


28/29

aver will now run and start a brute force attack against the Pin number of the router. Reaver does nrk with all routers only routers that have WPS installed which is around 50% of routers. Also rea

eds a good signal strength to run or it will have problems.


29/29

Documents

Step by Step Backtrack 5