Cracking WPA-PSK... with Aircrack-ng & BackTrack 3

by Mister Cool

WPA/WPA2 is a leading method of securing one's wireless network.

It is well documented that WEP is, by design, vulnerable to various types of attacks.  I would like to share with you today a method of cracking a WPA-PSK password on a wireless network.

The main tools utilized are BackTrack 3 (a.k.a., BT3), a live-Linux security distribution freely available at: old.kali.org/backtrack-images

and the Aircrack-ng suite (a set of tools for auditing wireless networks, included in the live CD pre-installed).

First, a little background on WPA-PSK.  Many home and small office users today utilize the WPA (Wi-Fi Protected Access) - Pre-Shared Key (PSK), a.k.a., "Personal," option to secure their wireless networks.  The Pre-Shared Key is a password or passphrase created by the administrator of the network, generally ranging from 8-63 ASCII characters (although it can be 64 hexadecimal digits).  This plain text password (also called the Master Key, or key) is mixed or "salted" with the wireless network name (a.k.a., the SSID "Service Set Identifier"), to create a 256-bit value called a "hash."  This hash value, commonly referred to as a Pairwise Master Key (PMK), is shared between an access point and a client, and will essentially be used to a low for the encryption of all network traffic.

In simple terms, WPA is basically a security protocol and the PSK is a password/key.

For more on how hash functions and keys work, see:

• xs4all.nl/~rjoris/wpapsk.html
• tldp.org/HOWTO/8021X-HOWTO/intro.html
• sid.rstack.org/pres/0810_BACon_WPA2_en.pdf

Most wireless networks use what's called an Open System Authentication to connect to an Access Point (AP).  The steps are:

1. The computer asks the AP for authentication.
2. The AP responds: O.K., you're authenticated.
3. The computer asks the AP for association.
4. The AP responds: O.K., you are now connected.

What's known as a "four-way handshake" occurs during this connection process when utilizing WPA, and is what enables us to perform a WPA crack.  The more specific term for what happens during the handshake is called Extensible Authentication Protocol (EAPOL) authentication and, if WPA is in use, you will be denied at Step 2 without the password.

Please go to: wi-fiplanet.com/tutorials/article.php/3667586

for details on different types of wireless protection, and for an exacting explanation of what occurs during the four-way handshake process.

The method of cracking a WPA password is slightly different than that of cracking Wired Equivalent Privacy (WEP).  All wireless networks transmit data packets through the air.  For a WEP crack, we would need to capture a large number of these packets (usually at least 40,000 to 85,000) which contain the Initialization Vectors (IV) necessary to break the WEP password.  Unlike WEP in WPA, the only thing that will enable us to even start the attack at all is what's called the "four-way handshake" between the client and the AP.  Collecting more packets after we capture this "handshake" will not increase the chances of successfully recovering a WPA password.

The main method of attack with this type of wireless encryption is ultimately a standard dictionary attack.  The WPA password can only be found if there is an exact match in the dictionary (a.k.a., wordlist) you are using.  There are many wordlists and dictionary files available out there, I utilized a word list I found within BackTrack 3 for this tutorial.

Visit: packetstormsecurity.org/Crackers/wordlists

for a robust selection of freely downloadable wordlists.

A WPA key is only as strong as the user who sets out to make it.  And therein lies the weakness in WPA: The human element.  If the password is a common word in the dictionary, it is very possible to recover.  If a password is aardvark, it will probably be found when we implement a dictionary attack.  If the password is aardvark1, the same dictionary attack will most likely fail as the 1 is not likely to be found in most wordlists.

The single most important thing to remember when attempting a dictionary attack is this: The attack will only be as good as the wordlist/dictionary file you use.  If the password is not in the wordlist, you will not crack the password.

A WPA-PSK key is a required minimum of eight characters long and, though we could attempt a brute force attack, it could take hundreds of years to crack, even at that length, depending on factors such as the power of the computer, upper and lower case letters, numbers, and special characters.

For a sample brute force time calculator visit: lastbit.com/pswcalc.asp

The main difference between WPA and WPA2 is that WPA uses the older Temporal Key Integrity Protocol (TKIP) encryption-type scheme, while WPA2 utilizes the newer Advanced Encryption Standard (AES) encryption scheme which employs Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

For details on CCMP, visit: pcmag.com/encyclopedia_term/0,2542,t=AES-CCMP&i=37582,00.asp and searchmobilecomputing.techtarget.com/sDefinition/O,,sid40_gci1319465,00.html

WPA and WPA2 personal are essentially the same for our purposes, as the method to recover these passwords is identical.

See: networkworld.com/columnists/2006/091106-wireless-security.html and openxtra.co.uk/articles/wpa-vs-80211i.php

for a more detailed explanation of WPA vs. WPA2.

Now, let's try our hand at cracking a WPA-PSK encrypted wireless network with this simple exercise.  In this particular example I used:

• A Toshiba Satellite L35-S2151 Laptop as the attacking PC (any computer with a supported wireless card should work).
• An Atheros pre-installed wireless card (model AR5005G, many other cards are supported, see aircrack-ng.org/doku.php?id=compatibility_drivers.
• The BackTrack 3 Live CD.
• A target AP transmitting through a Linksys WCG200 Cable Gateway.
• Dell Inspiron 1000 as the client associated to the AP (a.k.a., the "client").

Our Goals

• Set the wireless card in Monitor Mode with airmon-ng.
• Sniff for networks with airodump-ng.
• Find a client associated with the target AP, and start a capture file with airodump-ng.
• Deauthenticate the client from the AP using aireplay-ng and, upon client reconnection, capture the WPA handshake.
• Use the capture file containing the handshake in aircrack-ng to find the key.

Now to the Good Stuff

Start your computer with the BackTrack 3 Live CD, and open a command shell (lower-left tool bar, second icon in).

1.)  Set your card in "Monitor Mode".  This is necessary to allow your PC to listen to every wireless packet.  This monitor mode also allows you to optionally inject packets into a network.  Injection is useful to create network traffic if the network is not particularly busy.  Injection is not absolutely needed to capture the handshake, but I have found it helps in finding associated clients.  First, to stop the wireless card at the command prompt type:

$ sudo airmon-ng stop ath0

Where ath0 is our interface (Atheros wireless card).  Next, to start the wireless card in monitor mode type:

$ sudo airmon-ng start wifi0 6

We must use wifi0 instead of ath0 as we are using the Madwifi drivers which are specific to the Atheros cards.  The 6 at the end is the channel the card will operate on.  We generally want to match this to the channel of our target AP.  The output should indicate the interface ath0 is now in monitor mode.

2.)  Now, to see what networks are out there, type:

$ airodump-ng ath0

This will show all the networks in range.  The output will look something like:

[ CH 3 ] [ Elapsed: 52 s ] [ 2009-01-18 21:28 ] BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID 00:18:F9:1A:13:30 35 244 4 0 6 54 WPA TKIP PSK linksys 00:1D:7E:2C:E7:BF 23 109 3 0 11 54 WPA2 CCMP PSK 2600 00:1F:90:E3:19:26 7 18 1 0 1 54 WEP WEP NETGEAR BSSID STATION PWR Rate Lost Packets Probes 00:18:F9:1A:13:30 00:12:50:47:1A:DA 32 54-54 0 15

Where, notably: BSSID (Basic Service Set Identifier) = AP MAC address; STATION = client MAC address; CH = channel of AP (note the CH in the upper-left will be hopping, this is showing the channels that are being scanned for networks); MB = Network Speed (54 is wireless G); ENC = the encryption type, usually: OPN (open), WEP, WPA, WPA2; CIPHER = the cipher used (WEP, TKIP, CCMP), usually TKIP with WPA and CCMP with WPA2; AUTH = authentication used (we're looking for PSK); ESSID (Extended Service Set Identifier) = Network Name (sometimes referred to simply as an SSID ).

As you can see, there were three wireless networks found.  We are in luck as we have an associated client on the "linksys" network to target for our attack.

Optional: If you wish to do an injection test open a new shell and type:

$ sudo aireplay-ng -9 ath0

I often use this as it sometimes causes associated clients not showing in our output to show up.  If successful, you will get as part of the output message: "Injection is working!"

3.)  Next, we want to focus on our target AP.  In this case, the "linksys" network.  Open a new shell and type:

$ sudo airodump-ng -c 6 -w capturefile --bssid 00:18:F9:1A:13:30 ath0

Where -c = channel of the AP; -w = the capture file (any name will do, in this case "capturefile"); --bssid = target AP MAC Address; and of course ath0 = our interface.

The output will look almost the same as our original output above, but with just the one AP showing.  The captured information will be saved to our capture file, located within the "Home" icon on the desktop.

4.)  Now, we need to capture the hand shake.  We will attempt to deauthenticate the client from the AP and, when it reconnects, we will capture the handshake!  Open a new shell and type:

$ sudo aireplay-ng -0 5 -a 00:18:F9:1A:13:30 -c 00:12:50:47:1A:DA ath0

Where -0 = the deauthentication attack; 5 = the number of tries for the deauthentication attack (I have found good success with 5, but this can be any number.  However, too high a number may cause the client to fail to reconnect!); -a = AP MAC address (BSSID): -c = client (Destination) MAC address; and ath0 our interface.

Be patient, sometimes the output will indicate that the interface (ath0) is on a different channel than the AP.  If this is the case, keep trying the command.  You will eventually get the interface and AP on the same channel.  Further, once the command runs, it does not always immediately capture the handshake.  You may have to enter the command more than once.  A successful capture of the handshake will show in this case as:

[WPA handshake: OO:18:F9:1A:13:30]

in the upper-right corner next to the date and time of our original output screen.

5.)  Now for the crack!  Open a new shell and type:

$ aircrack-ng capturefile-01.cap -w /pentest/wireless/aircrack-ng/test/password.lst

Where capturefile-01.cap = the capture file; -w = tells the program to run a wordlist; and /pentest/wireless/aircrack-ng/test/password.lst = the location of a wordlist that is included in the Aircrack-ng suite for testing.  This dictionary file is not very big, but suitable for our testing purpose.

If the key is found the output will read similar to:

KEY FOUND! [ password ]

In this case the WPA-PSK password was "password" and we cracked it!

For more detailed information on the entire Aircrack-ng suite visit: aircrack-ng.org

Sometimes the dictionary files themselves are huge, and the cracking process can take hours, even days!  But the computations can be sped up by pre-computing the original hash value (the PMK we discussed earlier).  This is easily accomplished by using either coWPAtty (included on the BackTrack 3 CD, see: wirelessdefence.org/Contents/coWPAttyMain.htm

for more details, or using a "special" form of Rainbow Table.

A Rainbow Table is a lookup table (similar to a multiplication table) that can be used to recover the plain-text password from a password "hash."  These tables employ a time-memory trade off, in that the potential hashes are all pre-computed, so that they do not have to be calculated during a dictionary attack.  This pre-computation drastically decreases the amount of computing power and time needed to find the correct key.  The only caveat is that the time must be spent to do the initial pre-computation.  Simply put in reference to these tables, it's much easier to do the calculations for the hash values once and store them for later use, than it is to calculate them every time they are needed.

See: Free Rainbow Tables for more details on how these tables work.

Note that a traditional Rainbow Table will not work to crack a WPA password, as the original hash value is salted with the SSID.  A set of hashes can only be pre-computed for one specific SSID at a time with any given dictionary file.

If the network name (SSID) was "linksys," and the dictionary file was wordlist.txt, the pre-computed hashes would only work utilizing another SSID of "linksys".  If the SSID was "2600", then the same pre-computed hashes will not work.

This is why the Church of Wi-Fi has pre-computed hashes in what they call a "special" Rainbow Table (actually a PMK lookup table) against a 172,000 word dictionary for 1,000 common SSIDs.  While these files are rather large, ranging from 7-33 GB, they can dramatically decrease the time needed to find the correct password.

See: renderlab.net/projects/WPA-tables for more information on these tables.

In conclusion, this is just a simple penetration test of WPA-PSK encryption.

While not impenetrable, it can be near impossible to break if the password is random enough.  The main lesson to be learned is that if you use this type of encryption, you should make your password something not found in a dictionary and somewhat random, and your network will remain relatively secure, for now.

There are several random password generators out there, try one of these out for maximum security: grc.com/passwords.htm and kurtm.net/wpa-pskgen

And if you use "password" as your key, then you might as well not secure your network at all!