Saturday 26 April 2014

Cracking WPA & WPA2

Unlike WEP cracking, there is no 100% guarantee that you will successfully hack a WPA key. Hacking WPA requires patience, dedication, a good password list and a bit of luck. A successful WPA hack relies on the access point having a weak password. By weak password I mean dictionary words, common words with numbers appended, or variations on dictionary words like h$mburgerz. The good news is that there is no difference between cracking WPA and WPA2. As well as a strong password list you also need the "4-way handshake", or at least part of it, from the access point. The only way to obtain this handshake is to sniff it when a client connects to the access point.

What is the 4-way handshake? 
The 4-way handshake is the way in which a client can authenticate with the access point without revealing the key and without having to re-transmit the key after successful authentication. The process itself is very complex and the details are out of scope for this post. All you need to know when cracking WPA is that you require at least 2 parts of the 4-way handshake. This diagram shows the process and the details of each phase are explained on:


You will require a good password list. The list I will be using contains 185 million passwords and can be downloaded from:
http://www.seedpeer.me/details/6028904/Custom-WPA-wordlist.html
There is also a 13GB wordlist containing almost 1 Billion passwords optimized for WPA that can be downloaded from:
http://www.proxybay.pw/torrent/5945498/WPA-PSK_WORDLIST_3_Final_(13_GB).rar

The software I will be using is the aircrack-ng suite and pyrit. If you are running Backtrack or Kali Linux these come pre-installed, otherwise they can be downloaded from:
http://www.aircrack-ng.org/
https://code.google.com/p/pyrit/

Capture the handshake

The first step is to put your wireless interface in monitor mode. This can be achieved with the command:
sudo airmon-ng start wlan0
Replace wlan0 with your wireless interface. This will create a new interface in ifconfig called mon0.

Next start sniffing the airwaves and saving captured packets to an output file with the command:
sudo airodump-ng mon0 --write output

In order to obtain the needed 4-way handshake you can either wait for a client to connect, or use the much faster method of kicking an already authenticated client off the network and waiting for it to reconnect. In this case I will be attacking the AP "00:04:ED:B1:02:DA" (super_happy_fun_slide) as there is already an authenticated client "00:22:43:22:23:8F" on this network.



How do we kick them off if we are not on the network? To disconnect a client we send the access point a special packet called a "de-auth". This stands for deauthentication packet and is used in wireless networks when a client wishes to disconnect. In our case we send a deauth to the AP and either choose the client to deauth or deauth all clients that are connected. A few seconds later the client's auto-connect kicks in and re-authenticates it. This is where we ninja the required handshake.

Make sure your airodump is still running and writing out the packets. To de-auth a single client run this command:
sudo aireplay-ng -0 1 -a 00:04:ED:B1:02:DA -c 00:22:43:22:23:8F mon0

To deauth all connected clients leave out the -c option:
sudo aireplay-ng -0 1 -a 00:04:ED:B1:02:DA mon0

Note that in some versions of aircrack-ng you may need to append --ignore-negative-one to the end of the command. Also note that in some cases a single de-auth may not work. You can send more by replacing the 1 with a higher number, or use 0 to send unlimited de-auths like so:
sudo aireplay-ng -0 0 -a 00:04:ED:B1:02:DA -c 00:22:43:22:23:8F mon0 --ignore-negative-one

Taken from the aircrack-ng website, these command options are:
  • -0 means deauthentication
  • 1 is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
  • mon0 is the interface name
In my case I needed to send 5 de-auths to receive a reply:


We see the de-auth received a reply so now we can check airodump for the handshake:


In the top right corner you can see the line:
WPA handshake: 00:04:ED:B1:02:DA

Cracking the key
Now that we have the handshake we can begin cracking it. The first thing I like to do is check that the handshake is actually valid and good to perform an attack with. Pyrit can do this with the command:
pyrit -r output-02.cap analyze
Note: Airodump appends -01.cap to the end of your filenames. If a file with the same name already exists in the directory you are writing to, it increments the number to -02.cap and so on. In my case I already had output-01.cap in my directory, hence the name output-02.cap.


As you can see, our capture file has 1 valid handshake from the AP we de-authed. The reason I like to use pyrit to crack keys is that it supports GPU processing. This means we can go from 1,000 password attempts a second to around 100,000 with a decent GPU. In my case I am using a Radeon 5870. It takes a bit of playing around to get pyrit working with your GPU, but for ATI cards the OpenCL drivers should work and for NVIDIA the CUDA drivers should work. Run a pyrit benchmark with the command:

pyrit benchmark


As you can see, all 4 of my CPU cores pull about 500 PMKs a second and my GPU computes a massive 80,000 a second. I have pushed this up to 95,000 before by closing all running programs.

There are two options for cracking with a wordlist in pyrit. The first is to simply run the handshake through the wordlist. For each word pyrit needs to calculate what is called the Pairwise Master Key, or PMK. Because the PMK is derived from both the password and the access point name (the SSID acts as a salt), this is fine if you have a unique access point name like super_happy_fun_slide. But say you have a generic name like netgear. You can pre-compute all of these PMKs and put them in a database so you don't have to compute them again for the next netgear you crack. In the past I have computed 900,000,000 passwords and it took about 4-5 hours. Once they were in the DB it took about 5 minutes to get through all of them. That is an excellent time payoff if there are a lot of APs with the same name in your area. I might cover pre-computing the PMKs into a DB in a later post.
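What pyrit computes for every word, as an added example that is not part of the original post or of pyrit's own code: the IEEE 802.11i PMK derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes. The wordlist and SSIDs below are constructed; the "password"/"IEEE" vector is the standard's published test case. It also shows why a table built for one SSID is useless against a network with a different name, which is the defensive reason to give an AP a unique SSID.

```python
import hashlib

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i; this is what makes each guess slow
PMK_LEN = 32              # the PMK is 256 bits


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK Pairwise Master Key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def pmk_table(words, ssid: str) -> dict:
    """Precompute PMK -> passphrase for one SSID (the idea behind a pyrit database).

    The expensive PBKDF2 work is done once per word and reused for every
    network that shares this SSID.
    """
    return {wpa_pmk(w, ssid): w for w in words}


def lookup_passphrase(table: dict, pmk: bytes):
    """Return the passphrase behind a PMK, or None if the table has no match."""
    return table.get(pmk)


if __name__ == "__main__":
    # Constructed wordlist; "password" / "IEEE" is the IEEE 802.11i test vector.
    words = ["password", "letmein99", "h$mburgerz"]
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: completely different PMK.
    print(wpa_pmk("password", "IEEE") == wpa_pmk("password", "netgear"))
    # A table built for "netgear" finds a netgear PMK but not one from a unique SSID.
    table = pmk_table(words, "netgear")
    print(lookup_passphrase(table, wpa_pmk("letmein99", "netgear")))
    print(lookup_passphrase(table, wpa_pmk("letmein99", "super_happy_fun_slide")))
```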

Start the cracking process with the command:

pyrit -r output-02.cap -i Custom-WPA attack_passthrough

-r = your file containing the handshake
-i = input file, i.e. the wordlist
attack_passthrough = compute PMKs on the fly directly from the wordlist and don't use a database.

One thing to note is that if you have multiple handshakes in the one file, pyrit will ask you which one you wish to crack. You can also specify an access point manually with the command:
pyrit -r output-02.cap -i Custom-WPA  -b 00:04:ed:b1:02:da attack_passthrough




