WPA Cracking with Rainbow Tables (with Aircrack-ng suite and coWPAtty)
• 1) Scanning for Vulnerable Networks
• 2) Capturing Usable Packets
• 3) Injection (Deauthentication of Connected Client)
• 4) Hash Comparison with Rainbow Tables
For Educational Purposes Only
Kurt Wondra, November 18th, 2010
Requirements For A Successful Attack
Personal Router: Any personal, business, or enterprise router operating on WPA (TKIP/AES) or WPA2 (CCMP) with a weak password is vulnerable to this attack. This is illegal without complete ownership of the target router.
Aircrack-ng Suite: The Aircrack-ng suite is an open source Linux package with tools for cracking WEP and WPA/WPA2. For ease of use, this entire suite of tools is included with the Backtrack 4 live CD.
Wireless Card: A wireless network card capable of monitor mode and packet injection. You can test your card for packet injection ability by running the command:
[SAMPLE CODE] aireplay-ng --test <deviceName>
Introduction
Although WiFi Protected Access (WPA) and WiFi Protected Access Revision 2 (WPA2) are not vulnerable to the same exploits that WEP is, a plain text WPA PSK (Pre-shared Key) can actually be recovered more quickly than a WEP key if the proper counter-measures are not in place on your Access Point. The primary reason an attack on RC4 (the stream cipher that governs WEP) is possible is that only 24 bits of pseudo-random data (the initialization vector) are sent in the clear alongside each encrypted payload. WPA, however, uses a much stronger encryption scheme.
The Vulnerability (Cont)
In addition to simply stronger encryption (by means of TKIP/AES), WPA uses a salted hash equivalent of the pre-shared key. A salt is pseudo-random data added to the passphrase before the key is derived from it. This makes the resulting keys far more resistant to precomputed attacks. A salt can be anything the designer of the algorithm or key-generation process decides to use, as long as it is seemingly random. In the case of WPA, the SSID is used as the salt when deriving the key from each and every passphrase.
The Vulnerability (Cont)
Once we (the security community) determined that the salt for WPA PSKs is the SSID of the router, we were able to start developing tools that work alongside the salt and develop patterns for successful key retrieval. It is important to note here the importance of a salt: if the process that derives the key remains hidden, the encryption can very nearly never be reversed. In the case of WPA, tools have been developed to use the known salt and compare the (still encrypted) hash we retrieve from the router with the hashes of over a million words, phrases, common passwords, etc. Unlike WEP, there is simply no practical way to retrieve the password if it does not exist within our dictionary.
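The derivation the slides describe is the standard IEEE 802.11i one: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, 256 bits of output. The example below is added here and is not code from the presentation or from any of the tools it names; it uses only Python's standard library and the published "password"/"IEEE" test vector from the 802.11i specification. The Belkin SSIDs in the usage call are constructed, not real networks. The point it makes is the defender's one: a table precomputed for one SSID is worthless against any other SSID, and every guess costs two full PBKDF2 blocks.

```python
import hashlib

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # bytes

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 PMK exactly as a supplicant or AP does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)

def pmk_reusable_across_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a PMK computed for ssid_a is also valid for ssid_b.

    Because the SSID is the PBKDF2 salt, this is True only when the SSIDs are
    identical: a precomputed table is bound to the SSID it was built for.
    """
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)

def hmac_sha1_calls_per_guess() -> int:
    """HMAC-SHA1 invocations needed per passphrase guess.

    SHA1 yields 20 bytes, so 32 bytes of PMK need two PBKDF2 blocks, each of
    4096 iterations. This per-guess cost is what a long passphrase multiplies.
    """
    blocks = -(-PMK_LEN // hashlib.sha1().digest_size)  # ceil(32 / 20) == 2
    return blocks * PBKDF2_ITERATIONS

if __name__ == "__main__":
    # Spec test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, default SSID vs. a renamed one (both SSIDs constructed here).
    print(pmk_reusable_across_ssids("cobblestone", "Belkin", "Belkin"))        # True
    print(pmk_reusable_across_ssids("cobblestone", "Belkin", "Belkin-7f3a"))   # False
    print(hmac_sha1_calls_per_guess())                                         # 8192
```

Changing a default SSID such as "Belkin" to something unique is therefore a cheap mitigation: it does not stop a dictionary attack against that one network, but it forces the attacker to pay the full PBKDF2 cost per guess instead of reusing a table built for the default name.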
(Prep, 1A) Determining Interface Name
Let’s get started. As mentioned previously, your wireless network card must support several different functions to perform this attack. Because of this, Backtrack may assign it one of several interface names. To determine the unique device name that Backtrack has assigned to your wireless device, type:
[SAMPLE CODE] iwconfig
[IMPLEMENTATION CODE] iwconfig
(2) Forcing Device into Monitor Mode
In order to gather the two required elements for a successful attack (MAC address and channel of the target router) we need to force our wireless card into monitor mode. We will simply be gathering readable information at this point. To change from managed (standard) mode to monitor mode we simply use the built-in tool ‘airmon-ng’ of the Aircrack-ng suite:
[SAMPLE CODE] airmon-ng start <INTERFACE>
[IMPLEMENTATION CODE] airmon-ng start mon0
(3A) Scanning for Vulnerable Networks
In order to capture the plain text WPA key of the router, you must first identify the target network. The Aircrack-ng suite makes this process a one-liner. To show all networks within wireless range, regardless of the security mechanisms that govern them (WEP/WPA/WPA2), type the following:
[SAMPLE CODE] airodump-ng <INTERFACE>
[IMPLEMENTATION CODE] airodump-ng mon0
(3B) Identifying Network Requirements
On the screen to follow, you will be presented with advanced information regarding the wireless networks in range of your supported wireless network card. To successfully attack a WPA-protected AP, you must gather two elements, using the screenshot below as a guide: the MAC address and the channel of the target router.
[Screenshot of the airodump-ng listing: MAC address underlined in yellow, current channel underlined in green]
At this time I recommend copying or physically writing down the two required elements. In this case, the AP’s MAC address is 00:17:3F:F3:A1:FC and the channel it currently operates on is 1. Remember that a router can hop channels from time to time.
(3C) Airodump Command Requirements
Before we can narrow down our results and target a specific AP, we must learn how to properly formulate an airodump-ng command. Airodump-ng requires several parameters to be defined from the elements we collected in Step 3B and the previous steps. They are listed below and color-coordinated to match up with the next step for your convenience. Refer back to this table if you need help completing the command in Step 3D with your configuration.
(3D) Targeting a Vulnerable Network
Now that we've identified the WPA-protected network we wish to attack, we must run another scan using airodump-ng to narrow down our packet capture results to a single AP. We can then run coWPAtty to compare the hash found in our dump file with the pre-computed hashes for over 1,000,000 words, phrases, and common passwords in our (salted) rainbow table. To get started, type the following:
[SAMPLE CODE] airodump-ng -c <channel> --bssid <AP’s MAC> -w <Dumpfile> <INTERFACE>
[IMPLEMENTATION CODE] airodump-ng -c 1 --bssid 00:17:3F:F3:A1:FC -w WPASample mon0
(4) Deauthentication with Aireplay
Now that we are capturing everything from our narrowed scan (Step 3D) into a single dump file, we need the key material that the router and client exchange when the client joins. Technically speaking, we are looking for the WPA “four-way handshake” between the client and the Access Point. When a wireless client initially connects to the router, this handshake takes place. We will force the client to disconnect and reconnect, capturing the four-way handshake as it does so. This is done with the following command:
[SAMPLE CODE] aireplay-ng -0 1 -a <AP’s MAC> -c <Connected Client> <INTERFACE>
[IMPLEMENTATION CODE] aireplay-ng -0 1 -a 00:17:3F:F3:A1:FC -c 00:23:6C:92:C8:20 mon0
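The deauthentication step is the one part of this procedure that is visible over the air, which makes it the natural place for a wireless IDS to catch it: a legitimate client leaving a network sends one deauthentication or disassociation frame, whereas forced reconnection produces a burst of them for the same BSSID within a fraction of a second. The example below is added here and is not code from the presentation or from the Aircrack-ng project; it parses raw 802.11 management frames with the standard library only and runs over a capture that is constructed inline (the AP and client MAC addresses are the ones shown on the slides, the second BSSID and all timestamps are made up). The frames carry no FCS and no radiotap header, which is an assumption of the parser.

```python
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type 0 = management
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12
BEACON_SUBTYPE = 8

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Build a minimal 802.11 management frame (constructed test data, no FCS).

    Header: frame control (2), duration (2), addr1=DA (6), addr2=SA (6),
    addr3=BSSID (6), sequence control (2). Deauth/disassoc bodies carry a
    little-endian 16-bit reason code; reason 7 ("class 3 frame from
    nonassociated STA") is the one commonly seen in forced deauthentication.
    """
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    header = (frame_control + b"\x00\x00" + _mac_bytes(dst) + _mac_bytes(src)
              + _mac_bytes(bssid) + b"\x00\x00")
    body = reason.to_bytes(2, "little") if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) else b""
    return header + body

def parse_mgmt_frame(raw: bytes):
    """Return a dict for a management frame, or None for data/control/truncated input."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    if fc0 & 0x03:                       # protocol version must be 0
        return None
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE:
        return None
    frame = {"subtype": subtype, "dst": _mac_str(raw[4:10]),
             "src": _mac_str(raw[10:16]), "bssid": _mac_str(raw[16:22])}
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(raw) >= 26:
        frame["reason"] = int.from_bytes(raw[24:26], "little")
    return frame

def detect_deauth_bursts(frames, window: float = 10.0, threshold: int = 5) -> dict:
    """Sliding-window detector for deauthentication floods.

    frames: iterable of (timestamp_seconds, raw_frame_bytes) in time order.
    Returns {bssid: peak count of deauth/disassoc frames seen within any
    `window` seconds} for every BSSID whose peak reached `threshold`.
    """
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    peak = defaultdict(int)
    for ts, raw in frames:
        frame = parse_mgmt_frame(raw)
        if not frame or frame["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent[frame["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[frame["bssid"]] = max(peak[frame["bssid"]], len(q))
    return {bssid: n for bssid, n in peak.items() if n >= threshold}

# Addresses from the slides (AP and client) plus a constructed second BSSID.
AP = "00:17:3f:f3:a1:fc"
CLIENT = "00:23:6c:92:c8:20"
OTHER_AP = "02:00:00:00:00:01"

def sample_capture():
    """Constructed capture: one benign deauth, one beacon, then a 20-frame burst."""
    frames = [
        (50.0, build_mgmt_frame(DEAUTH_SUBTYPE, OTHER_AP, CLIENT, OTHER_AP, reason=3)),  # client leaving
        (60.0, build_mgmt_frame(BEACON_SUBTYPE, "ff:ff:ff:ff:ff:ff", AP, AP)),           # ignored
    ]
    # Forced deauthentication appears as many frames spoofing the AP's address
    # towards the client in a very short time.
    frames += [(100.0 + i * 0.01, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP))
               for i in range(20)]
    return frames

if __name__ == "__main__":
    print(detect_deauth_bursts(sample_capture()))   # {'00:17:3f:f3:a1:fc': 20}
```

The threshold and window are deliberately loose; on a busy network a single client roaming between APs can legitimately produce a handful of these frames, so the burst count and its one-BSSID concentration, not the mere presence of a deauthentication frame, is the signal. 802.11w (protected management frames) removes the signal altogether by authenticating deauthentication frames, which is the mitigation to prefer where the clients support it.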
(5A) Confirming Requirements
Let’s confirm that we received a handshake. Switch back to the console where we ran airodump-ng and confirm that:
[ WPA handshake: 01:23:45:67:89:10 ]
exists in the upper right-hand corner of your display. We’re almost done! Sit tight for just a few more steps.
Note: Press Control + C on your keyboard to quit airodump-ng once you get a handshake.
(5B) Confirming Requirements, Cont
In theory, everything that needs to be done with a persistent connection to the target router has been accomplished. If we wanted to, we could completely power off our target router and unplug our wireless network card. The rest of the work can be accomplished offline. As mentioned previously, a FOUR-WAY handshake is required to successfully recover the WPA pre-shared key. You can optionally test for this with the -c switch as seen below. If you are confident you have captured a valid four-way handshake, please proceed to Step 6.
[SAMPLE CODE] cowpatty -c -r <path/to/dumpfile>
[IMPLEMENTATION CODE] cowpatty -c -r /root/WPASample.cap
(6) Recovering the WPA PSK
Let’s do what we came for! coWPAtty (included as part of Backtrack 4) is a tool that can be used to check the hash found in our dump file against the hashes of a dictionary file. If they are identical, the key is then converted from hash to clear text and displayed in human-readable format. Assuming that the WPA PSK is in the dictionary, it will be displayed within about 7 minutes of running coWPAtty. This assumes that you are using the official 33GB rainbow tables from the Church of Wifi. Enter this final command to start the crack:
[SAMPLE CODE] cowpatty -d <path/to/rainbowtable> -r <path/to/dumpfile> -s <SSID>
[IMPLEMENTATION CODE] cowpatty -d /root/RTBelkin -r /root/WPASample.cap -s Belkin
(7) Identifying the WPA PSK
That’s it! There’s the human-readable WPA Pre-shared Key (password).
[SAMPLE CODE] cowpatty -d <path/to/rainbowtable> -r <path/to/dumpfile> -s <SSID>
[IMPLEMENTATION CODE] cowpatty -d /root/RTBelkin -r /root/WPASample.cap -s Belkin
(8) The Old Way
Prior to rainbow tables (which pre-compute the hashes of 1,000,000 words with the salt for each and every SSID already embedded), you could still perform this type of attack, but it was much slower. In fact, using rainbow tables is estimated to be 10,000 times faster than a traditional dictionary attack. That’s right: 10 to the 4th times faster! coWPAtty supports a traditional dictionary file when you replace the -d switch with the -f switch. Let’s see how long it’ll take to recover the passphrase “cobblestone” this time…
[SAMPLE CODE] cowpatty -f <path/to/dictionary> -r <path/to/dumpfile> -s <SSID>
[IMPLEMENTATION CODE] cowpatty -f /root/MillionWords -r /root/WPASample.cap -s Belkin
(9) Questions
Are there any questions?