The Target
The target for this wireless security penetration test is my spare Netgear N600 router running DD-WRT firmware. The router operates over all the 802.11 standards up to N. (both 2.4GHz and 5GHz).The tools
- Software
- Aircrack-ng
- OS : Backbox
- hardware
- Thinkpad x201t (i7+8GB)
- Atheros AR9271 Wireless Card
- Client : HTC One XL
The test
First off, we need a monitor interface, luckily, airmon-ng (part of aircrack-ng) can virtualise a monitor interface from our managed wlan0 interface.If you can't see, i ran the command
airmon-ng start wlan0
This provided us with our monitor interface mon0.
Next we need to check our wireless network is in range, so run
airodump-ng mon0
This should provided a screen similar to the one below.
Before we proceed, I'm just going to briefly explain the screen above. You should be able to see 2 dynamic tables (that being tables which the values are not stationary and keep altering). The top table is all the routers in range, this is our main table for now, the bottom table is of all the devices talking to routers and what routers that they are talking to. To keep it brief, the main 2 columns on the top table we are interested in are the BSSID, the ENC and CH. These are the MAC address of the router, the encryption and the channel.
Our next command is based on the last, but we are going to narrow down to the specific network we are testing to easily see what devices are connected. The command is formatted as the following
airodump-ng --bssid {bssid of the router} --channel {channel the router is operating on} {interface}
So for me it was
airodump-ng --bssid 20:4E:7F:A5:2A:DC --channel 1 mon0
This gave me a output like the following screen shot
Now we can see the device connected, the bottom table is now the important one, the BSSID is still the routers MAC address, but the STATION is now the clients MAC address. We should be getting a decent number in the packets field as well for this to work. It shows we have a decent connection to both devices.
Quickly before we continue, re run the airodump-ng command with the -w option before the interface, after -w put the name of the file you wish to save to.
Now we can really begin, remember in the post about WPA, we talked a lot about the handshake, well now we are going to grab it. The only problem we have is that the connection between client and AP is already made, so we need to disconnect them. Since we are working in our own environment we could do it manually, but my phone is the other side of the room and i'm a lazy person, so we will use another part of the aircrack-ng suite, aireplay-ng.
aireplay-ng requires only a couple of parameters for this operation, first off, -0 (this is the number not the letter). This tells the program we are going to be de-authenticating clients from routers, next a number of times to send the de-authentication packets. I choose 100 as i can stop it when i begin to get results, which i did. Next we need the MAC address of the access point using the -a then the MAC address, then the MAC Address using the -c and then the MAC address. Finally we need the interface. Just to clear it up here's a example
aireplay-ng -0 {number of times to try} -a {AP MAC address} -c {client MAC address} {interface}
Which for me became
aireplay-ng -0 100 -a 20:4E:7F:A5:2A:DC -c E8:99:C4:A1:8E:7E mon0
In the screen above, at the end of the top line, it says we have a handshake, this should be on your screen as well if you have succeeded.
Now to find the files we captured, just to ensure they are there.
Now to crack it, and get the password back, if you want to know how this process will work, refer to my prior post on WPA encryption algorithms.
To do this we will use the final part of the aircrack-ng suite for today. This is aircrack-ng itself. aircrack-ng is a massive cracking application which will pick out the correct EAPOL packets and find the MIC+ANounce+SNounce etc. this can work on both WPA and WEP. So we need to build a command for it, the basic formation of the command is
aircrack-ng -a 2 -w {wordlist file} {your .cap file}
Mine was:
aircrack-ng -a 2 -w /home/spectr3/Desktop/wordlists/rockyoualtered.txt blogcap.cap
This wordlist i inserted the password into on line 440. aircrack-ng took less than a second to get to the password, try it and find it as correct. giving me this screen:
As you can see the password was "Haxx4Lulz".
Hopefully this week you have enjoyed the session, if you want to message me, my email is martyncprice@gmail.com (there is also a paypal account linked to it if anyone wants to donate for some 802.11ac equipment so i can test if "beam forming" has any effect on cracking WPA networks).
Hope to see you all again on Wednesday.
-Spectr3