22 October 2018

How to Crack WEP, WPA, & WPA2 Wireless with BackTrack 4 R2 & WiFite r68

I have previously posted an article on How to Crack WEP, WPA, & WPA2 Wireless with BackTrack4 (GUI Edition) using GRIM WEPA.

In this article I am going to show you how to crack a wireless network using “WiFite r68”. Unlike “GRIM WEPA”, you can attack multiple networks at the same time with “WiFite r68”, and it is considered more “automated”, since it tries different cracking methods in case one fails.

Before you begin

  1. You need to have BackTrack 4 R2 installed and running on VMWare Player. How to Install VMWare & Backtrack 4 R2
  2. Check if your wireless adapter is compatible with Backtrack from List of compatible adapters
  3. I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
  4. Make sure that your wireless adapter is plugged into your virtual machine. In VMWare go to the menu “Virtual Machine” -> “Removable Devices” and make sure your adapter is ticked.

Downloading & Installing WiFite r68

  1. Downloading “WiFite r68”: go to http://code.google.com/p/wifite/ and download “wifite_r68.py”
    Wifite - Download
  2. Copy the file (wifite_r68.py) into the virtual machine by dragging & dropping it into the virtual machine
    Wifite - Drag Vmware

Cracking the Wireless Network

  1. Launch Konsole and run the following command
    python wifite_r68.py

    Wifite - Run

  2. Select the settings that you wish to use.
    “interface”: is your wireless adapter.
    “encryption type”: WEP encryption is much easier to crack and doesn’t need a dictionary file, so it’s better to start with WEP.
    “channel”: make sure “all channels” is checked (colored red)
    “select targets from list” or “everyone”: “everyone” will try to crack any wireless router that it finds; “select targets from list” will ask you which router to attack.
    “minimum power”: 50 is ok.
    “dictionary”: a list of words that are tried while cracking a WPA or WPA2 protected network.
    “wep timeout” & “wpa timeout”: 10 & 5 should be ok.
    “wep options”: method of attacking. Select all 4 options (arp-replay, chop-chop, fragmentation, -p 0841)
    “change mac”: changes the mac address of your wireless adapter.
    “ignore fake-auth” & “anonymize all attacks”: keep them unchecked.
    “packets/sec”: keep it at 500.
  3. Now click “h4x0r 1t n40” and wait until the networks are displayed
    Wifite - Searching Networks
  4. If you selected “select targets from list” in the options before starting, you will be asked to select the network(s) to attack; if you selected “everyone”, the attack starts automatically.
  5. One attack method might work on one network but not on another, so different attack methods are tried in case one fails (3 attack methods failed in my case but the “-p0841” attack succeeded)
  6. The cracked key(s) will be displayed on the screen and stored in a file called “log.txt”
    Wifite - Cracked Network
  7. Wait until the end or press “Ctrl+C” to stop the attack

As mentioned in my previous articles, cracking a WPA or WPA2 network is directly related to the complexity of the password and the dictionary file that you are using. This means that you might be able to crack the password in a matter of seconds or not crack it at all. You can download dictionary files from the internet.

Conclusion

Wifite-r68 is very user friendly and more automated than manual cracking or “GRIM WEPA” cracking. If you failed to crack a WEP network using “Wifite-r68”, you can always try GRIM WEPA.

Feel free to ask questions or let me know if I have missed something by leaving a comment below.

References

How to Crack WEP, WPA, & WPA2 Wireless with BackTrack4 & GRIM WEPA

Main article: How to Protect Your Wireless Network

I have previously posted 2 articles on:

  1. How to Crack WEP Wireless with BackTrack 4 running on Windows
  2. How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows

This article explains how to crack a WEP, WPA, or WPA2 network using a Graphical User Interface (GUI) instead of typing commands. I would recommend that you check out the previous articles to understand the steps involved in the process.

Before you begin

  1. You need to have BackTrack installed and running on VMWare Player. How to Install VMWare & Backtrack 4
  2. Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
  3. I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
  4. Make sure that your wireless adapter is plugged into your virtual machine. In VMWare go to the menu “Virtual Machine” -> “Removable Devices” and make sure your adapter is ticked.

Downloading & Installing GRIM WEPA

First, we need to download and install “GRIM WEPA” inside Backtrack 4:

  1. Download: go to http://code.google.com/p/grimwepa/ and download “grimstall.sh” & the latest version of “grimwepa”. In my case: it is “grimwepa_1.0.jar”
    GRIM WEPA - Download
  2. Copy the files into the virtual machine by dragging & dropping them into the virtual machine
    GRIM WEPA - Copy to VM
  3. Launch Konsole and run the following command
    ./grimstall.sh install /pentest/wireless/grimwepa/

    GRIM WEPA - Install

Running GRIM WEPA

Run:

grimwepa

  1. Select the wireless interface that you want to use to put in monitor mode. In my case: wlan0
    GRIM WEPA - Start
  2. Select the monitoring interface. In my case: mon0
  3. Make sure “All Channels” is checked
  4. Hit “Refresh Targets” until the list of available networks appears.
  5. Hit “Stop scanning”
  6. Select the network that you wish to crack

Cracking a WEP Network

If the network that you have selected is WEP encrypted then follow these steps:

  1. Select “ARP-Replay” as the Attack method
  2. Tune the Injection rate to “600”
  3. Click “Start Attack” (if Captured IVs doesn’t increase then restart the attack)
  4. Cracking starts automatically when the number of collected IVs reaches 10,000. If the key is not cracked at 10,000, it keeps collecting IVs and keeps trying
  5. In the end it should show you the WEP key in the status bar as shown below

GRIM WEPA - WEP Cracked

Cracking a WPA/WPA2 Network

If the network that you have selected is WPA or WPA2 encrypted follow these steps:

  1. Click “Start Deauth + Handshake Capture Attack”. You need someone who is already using the wireless network that you are attacking, or you have to wait until someone connects to it. So you might need to keep it running for some time
    GRIM WEPA - WPA2 Start Handshake Capture
  2. Wait until you see “Handshake was captured!”
    GRIM WEPA - WPA2 Handshake Captured
  3. Now select the dictionary file that you wish to use to crack the password and click “Crack WPA (Dictionary Attack)”
  4. If the password wasn’t cracked, you need to try another dictionary file
  5. If the password was cracked, you should see it in the status bar as shown below
    GRIM WEPA - WPA2 Password Cracked

As mentioned in my previous articles, cracking a WPA or WPA2 network is directly related to the complexity of the password and the dictionary file that you are using. This means that you might be able to crack the password in a matter of seconds or not crack it at all.

Conclusion

GRIM WEPA is a GUI application used to automate the process of cracking a WEP, WPA, or WPA2 network. Cracking a WEP protected wireless network is almost guaranteed to succeed, and is easy and fast to achieve. The success of cracking a WPA or WPA2 wireless network is directly related to the complexity of the password and the dictionary file that you’re using.

This is why you should set your home wireless network to be WPA2 protected with a long password that contains a variety of letters, capital letters, numbers, and symbols. Check How to Protect Your Wireless Network for more details.

Feel free to ask questions or let me know if I have missed something by leaving a comment below.

References

How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows

Main article: How to Protect Your Wireless Network

Cracking a WPA or WPA2 wireless network is more difficult than cracking a WEP protected network because success depends on the complexity of the wireless password and on the attack method (dictionary attack or brute force attack). Here you will find step by step instructions for cracking the pre-shared key (PSK) of a WPA2 wireless network. The same steps apply to a WPA secured network.

Before you begin

  1. You need to have BackTrack installed and running on VMWare Player. How to Install VMWare & Backtrack 4
  2. Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
  3. I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
  4. Make sure that your wireless adapter is plugged into your virtual machine. In VMWare go to the menu “Virtual Machine” -> “Removable Devices” and make sure your adapter is ticked.

Start Cracking the WPA/WPA2 Password

Here are the basic steps we will be going through:

  1. Put your wireless interface in monitor mode on the specific AP channel
  2. Start airodump-ng to collect authentication handshake from the AP
  3. Use aireplay-ng to deauthenticate the wireless client to force a handshake with the AP
  4. Run aircrack-ng to crack the pre-shared key using a dictionary file

Launch the Konsole, which is BackTrack’s built-in command line. It can be found in the lower left corner of the taskbar as shown in the image below.

BackTrack Konsole

Run the following command to get a list of your network interfaces:

airmon-ng

You may get something like “ath1”, “wlan0”, “wifi0”, or “ra0”. This is called your interface.

In my case: (interface)=wlan0 (see image below)

Now run the following command to put your interface in monitor mode.

airmon-ng start (interface)

In my case

airmon-ng start wlan0

WPA2 Cracking 01

Now we can use the monitor interface which appears below the Driver column, call it (monitor). Most of the time (monitor)=mon0 as shown in the image above.

It’s time to view the list of available networks and pick one for cracking. Run:

airodump-ng (monitor)

In my case

airodump-ng mon0

Wait for some time for all the networks to load, then press Ctrl+C to stop the updates. Now choose the wireless network that you wish to crack: it must have “WPA” or “WPA2” in the “ENC” column and “PSK” in the “AUTH” column. “OPN” means that the network is open and you can connect to it without a key. WEP networks will not work with this method, but you can check How to Crack WEP Wireless with BackTrack 4 running on Windows, which takes less than 5 minutes.

After selecting the network that you want to crack take note of the BSSID, and the channel (CH) values. In my case: (bssid)=68:7F:74:06:69:C7, and (channel)=11 as shown in the image below.

Now we are going to monitor and record the data passing through that network to a file. Run:

airodump-ng (monitor) --channel (channel) --bssid (bssid) -w (filename)

In my case

airodump-ng mon0 --channel 11 --bssid 68:7F:74:06:69:C7 -w linksys

Replace (monitor), (channel), and (bssid) with their respective values noted before. (filename) can be any name. I usually use a name similar to the name of the network which is “linksys” in this case.

WPA2 Cracking 02

The data is being collected and recorded now and you should get an output similar to the window in the background shown in the picture below. Leave that window running.

We now need to record the 4-way handshake that happens between the targeted wireless router (AP) and a client that is already authenticated.

We can either wait for a client to connect or disconnect an already connected client to force it to reconnect. In our case we are going to disconnect an already connected client. Don’t forget to note down the client MAC address, which we’ll call station. In my case (station)=00:C0:CA:25:AC:68. Launch a second Konsole window now and run:

aireplay-ng -0 1 -a (bssid) -c (station) (monitor)

In my case

aireplay-ng -0 1 -a 68:7F:74:06:69:C7 -c 00:C0:CA:25:AC:68 mon0

WPA2 Cracking 03

After you run this command you should see “WPA handshake: (bssid)” in the upper right corner of the first Konsole; in my case it is “WPA handshake: 68:7F:74:06:69:C7”. This means that you have collected the 4-way handshake, and you don’t need to be connected to the network anymore.

If you didn’t see the handshake message, run the same command again. Now it’s time to start cracking the password from the captured handshake.

Cracking the Password

To crack the password you will need a file that contains a list of passwords; this file is called a dictionary file. The more accurate the dictionary file and the less complex the WPA or WPA2 wireless password, the better chance you have of cracking it. There are lots of dictionary files on the internet that you can download; for the purpose of this demo I am going to use the dictionary file that comes with aircrack-ng, which can be found under “/pentest/wireless/aircrack-ng/test”.

You can close all the Konsoles if you want and open a new one. Run:

aircrack-ng -w (passwordsfile) -b (bssid) (filename-01.cap)

In my case

aircrack-ng -w /pentest/wireless/aircrack-ng/test/password.lst -b 68:7F:74:06:69:C7 linksys-01.cap

The filename should be what you used in (filename) + “-01.cap”; if you are not sure about the (filename), enter “ls” to see the list of all the files.

This command tries the passwords listed in the dictionary file you provided until it finds a match. If the password wasn’t found, you need to use a better dictionary file. It is possible that the password cannot be found at all if it is long and complex enough! If there is a match, you should see something like:

WPA2 Cracking 04

The WPA or WPA2 password is what you see beside “KEY FOUND!” inside the brackets. In my case: thisisatest

Conclusion

The success of cracking a WPA or WPA2 wireless network is directly related to the complexity of the password and the dictionary file that you have. Another method, brute force, would try all possible combinations of letters, numbers, and symbols. Although it will surely find the password in the end, it might take hundreds of years for the cracking process to complete, which is why a dictionary attack is considered the more efficient approach; check John the Ripper if you are interested in this method.
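To make the comparison between a dictionary attack and brute force concrete, here is an added example (not from the article, aircrack-ng or John the Ripper) that derives the WPA/WPA2 pairwise master key the way the standard defines it, measures how many derivations per second this CPU manages, and turns that into worst-case times for a dictionary of a given size and for exhaustive search over a few passphrase policies. This is the calculation behind the advice in this article and in the GRIM WEPA and WiFite articles that password length and complexity decide the outcome; the dictionary size and the policies are assumed values.

```python
"""Why the dictionary matters for WPA/WPA2-PSK: each guess costs a PBKDF2
derivation, so a dictionary attack is bounded by the dictionary size while an
exhaustive search is bounded by the passphrase key space. Added example for
this article; it is not part of aircrack-ng or John the Ripper."""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LENGTH = 32            # bytes
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32): the computation both
    the station and the AP perform from the passphrase, and the one every
    dictionary guess has to repeat."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def measure_guess_rate(ssid="linksys", samples=50):
    """Guesses per second on this CPU, measured by deriving `samples` PMKs
    from constructed candidate passphrases."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i:06d}", ssid)
    return samples / (time.perf_counter() - start)


def dictionary_seconds(words, guesses_per_second):
    """Worst-case time to exhaust a dictionary of `words` entries."""
    return words / guesses_per_second


def keyspace(alphabet_size, length):
    """Number of passphrases of exactly `length` symbols from an alphabet."""
    return alphabet_size ** length


def brute_force_years(alphabet_size, length, guesses_per_second):
    """Years to exhaust the key space at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"this CPU: about {rate:,.0f} PMK derivations per second")
    # dictionary attack: bounded by the list (14 million words is an assumed size)
    print(f"14,000,000-word dictionary: {dictionary_seconds(14_000_000, rate) / 3600:,.1f} hours worst case")
    # exhaustive search: bounded by the policy (alphabet size ^ length)
    for label, alphabet, length in [("8 lowercase letters", 26, 8),
                                    ("8 mixed letters+digits", 62, 8),
                                    ("12 printable ASCII", 95, 12),
                                    ("20 lowercase letters", 26, 20)]:
        print(f"{label:26}: {brute_force_years(alphabet, length, rate):,.3g} years")
```

The per-guess cost is the same whether the guess comes from a list or from enumeration; what changes is how many guesses there are, which is why a passphrase that is both long and absent from any word list is the only thing on the defender's side here.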

Feel free to ask questions or let me know if I have missed something by leaving a comment below.

References

How to Crack WEP Wireless with BackTrack 4 running on Windows

Cracking a wireless network protected with WEP security is very easy, as described in How to Protect Your Wireless Network, and takes around 5 minutes. Here you will find step by step instructions for cracking the WEP key of a wireless network.

Before you begin

  1. You need to have BackTrack installed and running on VMWare Player. How to Install VMWare & Backtrack 4
  2. Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
  3. I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
  4. Make sure that your wireless adapter is plugged into your virtual machine. In VMWare go to the menu “Virtual Machine” -> “Removable Devices” and make sure your adapter is ticked.

Start Cracking the WEP Password

Launch the Konsole, which is BackTrack’s built-in command line. It can be found in the lower left corner of the taskbar as shown in the image below.

BackTrack Konsole

Run the following command to get a list of your network interfaces:

airmon-ng

You may get something like “ath1”, “wlan0”, “wifi0”, or “ra0”. This is called your interface, and you need to substitute it everywhere you see (interface) in the coming commands.

In my case: (interface)=wlan0 (see image below)

Now run the following commands to change the MAC address of your wireless adapter.

airmon-ng stop (interface)
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

In my case

airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0

Don’t forget to replace (interface) with its value. Your MAC address is now changed to the fake address 00:11:22:33:44:55

BackTrack WEP Commands 1

Now it is time to view the list of available networks and pick one for cracking. Run:

airodump-ng (interface)

In my case

airodump-ng wlan0

Wait for some time for all the networks to load, then press Ctrl+C to stop the updates. Now choose the wireless network that you wish to crack: it must have “WEP” in the “ENC” column. “OPN” means that the network is open and you can connect to it without a key. WPA & WPA2 networks will not work with this method, but you can check How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows if you wish to crack a WPA or WPA2 wireless network.

After selecting the network that you want to crack take note of the BSSID, the channel (CH), and ESSID values. In my case: (bssid)=00:1F:9F:4B:B3:DF, (channel)=1, and (essid)=barQ

BackTrack List of Networks
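The ENC and AUTH columns read off the airodump-ng listing above (and the same choice in the WPA2 article) are also what a defender reads when inventorying their own networks. The following is an added example, not part of the article or of the aircrack-ng suite: it parses the CSV file that airodump-ng writes alongside its capture (`<filename>-01.csv`) and flags open, WEP and WPA-PSK access points for remediation. The CSV layout follows airodump-ng's header row; the sample rows are constructed, reusing only the BSSIDs, ESSIDs and channels quoted in these articles.

```python
"""Audit the CSV that airodump-ng writes next to its capture (the -w <name>
run produces <name>-01.csv) and flag access points whose Privacy/Authentication
columns indicate weak protection. Added example for this article, not part of
the aircrack-ng suite."""
import csv

# Constructed sample in airodump-ng's CSV layout. The BSSIDs, ESSIDs and
# channels of "linksys" and "barQ" are the ones quoted in the articles; the
# timestamps, power values and the two extra rows are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
68:7F:74:06:69:C7, 2018-10-22 10:00:01, 2018-10-22 10:05:33, 11,  54, WPA2, CCMP, PSK, -45, 310, 0,   0.  0.  0.  0,   7, linksys, 
00:1F:9F:4B:B3:DF, 2018-10-22 10:00:02, 2018-10-22 10:05:33,  1,  54, WEP, WEP, , -40, 120, 9876,   0.  0.  0.  0,   4, barQ, 
AA:BB:CC:00:00:01, 2018-10-22 10:00:05, 2018-10-22 10:05:30,  6,  54, OPN, , , -60, 80, 0,   0.  0.  0.  0,   9, GuestWifi, 
AA:BB:CC:00:00:02, 2018-10-22 10:00:06, 2018-10-22 10:05:31, 36,  54, WPA2, CCMP, MGT, -70, 90, 0,   0.  0.  0.  0,   8, CorpWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:C0:CA:25:AC:68, 2018-10-22 10:01:00, 2018-10-22 10:05:33, -50, 40, 68:7F:74:06:69:C7, 
"""


def parse_access_points(text):
    """Return one dict per row of the access-point table (everything before
    the first blank line), keyed by the header names."""
    section = []
    for line in text.splitlines():
        if not line.strip():
            if section:
                break      # the blank line separates the AP table from the station table
            continue
        section.append(line)
    reader = csv.reader(section, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if len(row) < 14:  # short or garbled line, skip it
            continue
        rows.append({header[i]: row[i].strip() for i in range(min(len(header), len(row)))})
    return rows


def classify(privacy, auth):
    """Map the ENC/AUTH pair that airodump-ng displays to a severity and reason."""
    if "OPN" in privacy:
        return "CRITICAL", "open network, traffic is unencrypted"
    if "WEP" in privacy:
        return "CRITICAL", "WEP, key recoverable from captured IVs"
    if "WPA" in privacy:
        if auth == "MGT":
            return "OK", f"{privacy} Enterprise (802.1X/RADIUS)"
        if auth == "PSK":
            return "REVIEW", f"{privacy} pre-shared key, strength depends on the passphrase"
        return "REVIEW", f"{privacy} with unrecognised authentication {auth!r}"
    return "UNKNOWN", f"unrecognised privacy value {privacy!r}"


def audit(text):
    """Classify every access point in an airodump-ng CSV, worst first."""
    order = {"CRITICAL": 0, "REVIEW": 1, "UNKNOWN": 2, "OK": 3}
    findings = []
    for ap in parse_access_points(text):
        severity, reason = classify(ap["Privacy"], ap["Authentication"])
        findings.append({
            "bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": ap["channel"],
            "severity": severity, "reason": reason,
        })
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"{f['severity']:8} {f['bssid']} ch{f['channel']:>3} {f['essid']!r}: {f['reason']}")
```

Run it against a real `<filename>-01.csv` by reading the file into `audit()`; the sort order puts the networks that need action (open or WEP) at the top, and the PSK entries are listed for a passphrase review rather than flagged as broken.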

Now we are going to monitor and record the data passing through that network to a file. Run:

airodump-ng -c (channel) -w (filename) --bssid (bssid) (interface)

In my case

airodump-ng -c 1 -w barQ --bssid 00:1F:9F:4B:B3:DF wlan0

Replace (channel), (bssid), and (interface) with their respective values noted before. (filename) can be any name. I usually use the same name as the network, which is “barQ” in this case.

BackTrack WEP Commands 2

The data now is being collected and recorded and you should get an output similar to the window in the background shown in the picture below. Leave that window running.

We now need to create traffic on that network to capture more data faster to speed up the cracking process. Launch a second Konsole window and run:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

In my case

aireplay-ng -1 0 -a 00:1F:9F:4B:B3:DF -h 00:11:22:33:44:55 -e barQ wlan0

BackTrack WEP Command 3

You should get the message “Association successful :-)” which means that you are authenticated and ready to start generating traffic on that network to speed up the process. Run:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

In my case

aireplay-ng -3 -b 00:1F:9F:4B:B3:DF -h 00:11:22:33:44:55 wlan0

BackTrack WEP Command 4

Now it is time to wait. We are creating traffic on the router to capture more data, which speeds up the cracking process. After a few minutes the window may or may not start showing “Read XXXXX packets”; the important thing to keep an eye on is the “#Data” value in the first window. We need it to go above 10,000.

Wait until “#Data” reaches a value above 10,000, which should take less than 2 minutes. You might need more than 10,000 depending on the security of the network, but most of the time 10,000 should be enough.

Displaying the Key

Once you have collected more than 10,000 data packets, launch a third Konsole window and enter:

aircrack-ng -b (bssid) (filename-01.cap)

In my case

aircrack-ng -b 00:1F:9F:4B:B3:DF barQ-01.cap

The filename should be what you used in (filename) + “-01.cap”; if you are not sure about the (filename), enter “ls” to see the list of all the files.

If you don’t have enough data then aircrack will ask you to collect more data. If you do then you should see something like:

BackTrack WEP Crack Successful

The WEP key is what you see beside “KEY FOUND!” inside the brackets, without the colons “:”, i.e. in the format “XXXXXXXXXX”.

Note: The WEP key is the hex equivalent of the passphrase that you type to connect to the wireless network. Entering the WEP key is enough to get you connected. The WEP ASCII password might be displayed if you collect more packets.
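An added example, not from the article or aircrack-ng, that parses the `KEY FOUND!` line aircrack-ng prints in both the WEP form (colon-separated hex) and the WPA/WPA2 form (a passphrase), strips the colons, reports the key size and shows the ASCII form only when every key byte is printable, which is the hex/ASCII distinction the note above describes. The sample output lines are constructed; only the WPA passphrase `thisisatest` is taken from the article.

```python
"""Parse the result line aircrack-ng prints ("KEY FOUND! [ ... ]") for both
WEP and WPA/WPA2 runs so that audit results can be recorded consistently.
Added example for this article, not part of aircrack-ng."""
import re

KEY_FOUND = re.compile(r"KEY FOUND!\s*\[\s*(?P<key>.+?)\s*\]")
# A WEP key is at least 5 bytes of colon-separated hex (40-bit); 13 bytes is 104-bit.
HEX_KEY = re.compile(r"^(?:[0-9A-Fa-f]{2}:){4,}[0-9A-Fa-f]{2}$")

# Constructed aircrack-ng output; the WPA passphrase is the one quoted in the
# article, the WEP keys and the surrounding lines are made up.
SAMPLE_OUTPUT = """\
Aircrack-ng 1.0
[00:00:03] Tested 1234 keys (got 12345 IVs)
KEY FOUND! [ 41:42:43:44:45 ] (ASCII: ABCDE )
Decrypted correctly: 100%
KEY FOUND! [ 1F:1F:1F:1F:1F:1F:1F:1F:1F:1F:1F:1F:1F ]
KEY FOUND! [ thisisatest ]
"""


def parse_key_line(line):
    """Return a dict describing the recovered key, or None for any other line."""
    m = KEY_FOUND.search(line)
    if not m:
        return None
    raw = m.group("key")
    if HEX_KEY.match(raw):
        hexkey = raw.replace(":", "").upper()     # the form you type to connect
        key_bytes = bytes.fromhex(hexkey)
        printable = all(0x20 <= b < 0x7F for b in key_bytes)
        return {
            "type": "WEP",
            "hex": hexkey,
            "bits": len(key_bytes) * 8,
            # the ASCII passphrase only exists when every byte is printable
            "ascii": key_bytes.decode("ascii") if printable else None,
        }
    return {"type": "WPA", "passphrase": raw}


def parse_output(text):
    """All keys reported in a block of aircrack-ng output, in order."""
    return [r for r in (parse_key_line(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for r in parse_output(SAMPLE_OUTPUT):
        print(r)
```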

Conclusion

We have seen how easy it is to crack a WEP wireless network. This should alert you to change the security of your wireless network if it is still using WEP.

Feel free to ask questions or let me know if I have missed something by leaving a comment below.

References

How to Protect Your Wireless Network

Many people don’t realize the importance of wireless network security when setting up their wireless network. A wireless network can be easily hacked if it is not properly protected.

Types of Wireless Network Security

The widely known wireless network security types are:

  1. No Security: Anyone can connect to the wireless network without a password
  2. WEP: WEP stands for Wired Equivalent Privacy, which was the original encryption standard for wireless. Although it is better than having “No Security” at all, it is a weak protection which can be cracked using aircrack-ng in around 5 minutes as shown in How to Crack WEP Wireless with BackTrack 4 running on Windows
  3. WPA: Wi-Fi Protected Access (WPA or WPAv1) is a software or firmware improvement over WEP which bridges the gaps that WEP had. Although much tougher to crack than WEP, it is still possible, especially with weak passwords, as we can see in How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows
  4. WPA2: Or WPAv2. Although WPA was considered a masterpiece of retro engineering, it was still a compromise solution that suffered from possible security flaws. WPA2 is a completely new security system that avoids the design flaws in WEP. However, it can still be hacked in the same way as WPA, as shown in How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows

Wireless Security

In addition to the above mentioned security types, you can extend your security measures by:

  1. MAC ID or MAC Address filtering: Most wireless routers support a feature which allows only specific MAC addresses to connect to the network. In other words, you can specify which computers or wireless devices can have access to the network. This option can be very difficult to manage, especially in bigger networks, not to mention that a hacker can always change the MAC address of their wireless adapter and connect to the network if they know one of the allowed addresses.
  2. RADIUS Server Authentication: A server that is responsible for receiving user connection requests, authenticating the user, and then returning all of the configuration information necessary for the client to deliver the service to the user. In other words, it verifies network users through a server. This security mode is usually referred to as “WPA Enterprise”, “WPA2 Enterprise”, or “RADIUS”.
  3. Wireless intrusion prevention system: A network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).
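As an added example of what a wireless intrusion prevention system does with the deauthentication frames that the WPA2 article relies on (the `aireplay-ng -0` step), the following detector is not code from any WIPS product: it counts deauth/disassoc frames per (source, destination) pair inside a sliding one-second window and raises an alert when the count reaches a threshold, while ignoring the single deauth a departing client legitimately sends. The frame records are constructed; the burst size of 64 frames in each direction and the timing are assumptions, and only the BSSID and station address are taken from the article.

```python
"""Deauthentication-burst detector of the kind a wireless IPS applies to
captured 802.11 management frames. Added example for this article, not code
from any WIPS product; the frame records are constructed."""
from collections import Counter, defaultdict, deque

AP = "68:7F:74:06:69:C7"        # BSSID quoted in the WPA2 article
STATION = "00:C0:CA:25:AC:68"   # associated client quoted in the WPA2 article
OTHER_AP = "AA:BB:CC:00:00:01"  # constructed
OTHER_STA = "AA:BB:CC:00:00:99" # constructed


def frame(t, subtype, src, dst):
    """Minimal management-frame record: capture time, subtype, addresses."""
    return {"t": t, "subtype": subtype, "src": src, "dst": dst}


def build_sample_frames():
    """Constructed trace: beacons, one legitimate deauth (a client leaving),
    then a spoofed burst of 64 deauths in each direction within 0.4 s
    (assumed burst size and timing)."""
    frames = [frame(0.1 * i, "beacon", AP, "ff:ff:ff:ff:ff:ff") for i in range(120)]
    frames.append(frame(3.0, "deauth", OTHER_STA, OTHER_AP))
    for i in range(64):
        t = 10.0 + i * 0.006
        frames.append(frame(t, "deauth", AP, STATION))          # claims to come from the AP
        frames.append(frame(t + 0.003, "deauth", STATION, AP))  # claims to come from the client
    return frames


def detect_deauth_bursts(frames, threshold=8, window_s=1.0):
    """Alert when at least `threshold` deauth/disassoc frames for the same
    (src, dst) pair fall inside a sliding window of `window_s` seconds.
    The source address is spoofed in an attack, so the pair is what gets
    counted, not the claimed sender alone."""
    totals = Counter()
    recent = defaultdict(deque)
    alerts = {}
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        key = (f["src"], f["dst"])
        totals[key] += 1
        q = recent[key]
        q.append(f["t"])
        while f["t"] - q[0] > window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"src": key[0], "dst": key[1], "first_seen": q[0]}
    for key, alert in alerts.items():
        alert["frames"] = totals[key]     # total frames for the pair in the trace
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_deauth_bursts(build_sample_frames()):
        print(f"deauth flood {a['src']} -> {a['dst']}: {a['frames']} frames from t={a['first_seen']:.3f}s")
```

A single disconnect never trips the rule, and because the pair is keyed on both addresses the detector reports the spoofed AP-to-client and client-to-AP streams as two separate findings, which is also what tells an operator that the traffic did not come from the real access point.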

Conclusion

Unfortunately many of the wireless networks used at home still use WEP protection, which makes them easy to hack. If you have a wireless network for home use, then WPA2 with a long, complex password is your best choice to protect your wireless network; if you are administering a wireless network for an enterprise business, then it is recommended to use “WPA2 Enterprise” with a RADIUS server and to install a “Wireless Intrusion Prevention System” to protect and monitor your wireless network.
