[Beginners Should Read This!] A Very Detailed Guide on the Basics of Wireless Hacking

Monday, August 29, 2011

So you want to crack WEP or WPA networks? First of all, it is highly recommended that you do NOT use a Windows OS to accomplish this; it’s so much easier and more straightforward on Backtrack. Even if you have no prior experience with Backtrack/Linux, it is far less of a hassle in the end, trust me. Okay then, let’s get started.

Initial Backtrack Setup

First, you will need to download Backtrack 5 (or 5 R1).

There are various methods of getting Backtrack 5 up and running on your computer:

Live USB
This is the simplest/quickest way to get up and running with Backtrack. Use UNetBootin to create the bootable device, and make sure to allocate persistent storage space on the live USB if you don’t want to lose any saved files/settings upon reboot.
Tutorial here.

Persistent USB with Full Disk Encryption
This method is a little more formal/technical: it sets up persistence and encryption using partitions. It’s similar to how you would install Backtrack on a hard drive, but for a USB.
Tutorial here.

Dual Boot Windows and Backtrack 5
This method involves partitioning your hard drive and installing Backtrack on that newly created partition. However, you should never install a Windows OS after Backtrack/Linux unless you know what you’re doing and have backed up your shit beforehand. This is because Windows will overwrite your Backtrack boot loader, and it’s a pain in the ass to fix.
Tutorial here.
Same but with full disk encryption.

Virtual Machine
Virtual machines are particularly useful for testing out various/multiple OSes and programs while still running/using your everyday OS. VMs are isolated from the host OS so as not to damage or corrupt it while testing/messing around. But you must have an external USB wireless adapter (e.g. the Alfa AWUS036H) to crack WEP or WPA from a VM, because the guest cannot use the host’s internal wireless card directly; USB devices, on the other hand, can be passed through to the guest.
Tutorial here.

Wireless Adapters with Compatible Chipsets

First, check here if your internal/external wireless card/adapter is compatible with Backtrack and capable of injection/monitor mode.

The Alfa AWUS036H
If you want a USB wireless adapter that’s been tried, tested and proven to work exceedingly well with Backtrack, get the Alfa AWUS036H. It’s a great little device that costs roughly $30 and is well worth the small investment. I own one myself and am quite pleased with it so far. And if you want stealth in public or the convenience of not carrying around an adapter, do what I did: I just slapped some velcro on the back of the Alfa and the laptop (I don't like the suction cup holder it comes with), and if placed correctly with a short USB cable it's hardly noticeable in either appearance or weight. Also, for setting the Alfa AWUS036H to its maximum transmit power, check out this video by Vivek on Securitytube. They normally come set at 20dBm when the max is 30dBm.

Types of Adapter Antennas

Omni-Directional Antennas
These are very good if you’re constantly on the move or war driving, as they are usually very compact and still give you a decent number of networks with good signal strength. The Alfa AWUS036H comes with a 5dBi omni antenna, although Alfa also offers a much larger 9dBi antenna. I own both of these and I’ve made a nice little comparison for your viewing pleasure. Side note: the signal values are not static in reality; they tend to constantly vary by less than 5dBm. I’d recommend sticking with the 5dBi and getting a directional antenna instead.

Directional Antennas
You have two options when it comes to directional antennas: a yagi or a panel/grid. Since the signal is directed/focused, you’ll pick up fewer networks at any given time versus an omni antenna, but the signal strength will be much greater. I’d personally recommend getting a 24dBi directional grid antenna; it should be around $50, but try to get one at your local store, as the antenna is fairly large and paying an extra $20+ in shipping and handling fees would really suck.

Automated Cracking of WEP and WPA

Learning to crack WEP/WPA manually helps you better understand what’s really going on behind the scenes when you crack networks, but it gets really tedious typing or even pasting commands into a terminal after a while. So if you just want to plug n' play with minimal effort, Gerix or Fern Wifi Cracker are great tools for beginners and advanced users alike. I prefer Gerix and as such will not be discussing Fern below. Also, you should know that WEP takes only a few minutes to crack on average, so start with those networks. WPA can be impossible to crack if the owner uses a strong enough password, and you will need a decent ATI graphics card and a good wordlist for cracking WPA yourself to be practical/possible at all. An alternative is to use Middle's WPA cracking service; he's a reputable member who offers a great service for those who need it.

Gerix Wifi Cracker
Gerix is a great program, very easy to use even for beginners. The attacks offered for WEP are categorized in three sections: no client, with clients, and with clients in access point and ad-hoc mode. In case you didn’t know, a client is a computer connected to the network. No-client attacks include ChopChop (used for lower-signal networks) and Fragmentation (for stronger-signal networks). With-client attacks include ARP request replay, ARP request and Fragmentation. You should be aware, though, that if a client disconnects from the network while cracking, you’ll stop generating IVs and the attack will fail. I haven’t messed around with the last category yet, but its attacks include Caffe Latte and Hirte. Here’s a video tutorial on cracking WEP with Gerix.

For WPA, all that’s needed is to capture the handshake and tell Gerix the location of your dictionary; then you can get cracking using a normal dictionary attack, pyrit or rainbow tables.

And as a bonus, Gerix has a built-in database that stores the ESSID, BSSID and key for each cracked network. Pretty sweet, eh?

Manually Cracking WEP and WPA Using Terminal

For those of you who really want to learn the inner workings of wireless hacking, Vivek from Securitytube has an extensive wireless megaprimer for all you academics out there. I personally haven’t seen anyone get more detailed on concepts, theory and implementation than he does. It can get a bit dull watching these for hours on end, so it’s best to spread them out to let your brain process all the information. For a written tutorial, check this out.

So, What Can You Do Once You’re On The Network?

The two most popular things people like to do once on a network are either to attempt to gain root-level access to other computers on the network or to launch a Man In The Middle (MITM) attack to capture logins and passwords.

Gaining Root/Spawning a Shell
There are two easy ways of accomplishing this. The first is Metasploit’s db_autopwn feature, which scans one or more hosts, looks for vulnerabilities and automatically runs the corresponding exploits in an attempt to gain access. Alternatively, you can try the Social Engineering Toolkit and its Java Applet Attack: the premise is to redirect a computer to your custom cloned webpage and have a Java applet pop up looking as legitimate as possible; if the user runs the applet, you’re in.

There is a great bash script written by comaX over on the Backtrack forums that basically automates the whole MITM process. All you need to do is download the script and run it on Backtrack while connected to a network; there's even a nice little video showing the process.

A little copy pasta from the OP there regarding the script features plus an important side note.

You may now be wondering how to protect yourself against these attacks. Simple: use a strong/random WPA password, keep your OS/programs updated, and make sure the “protect ARP cache”/“stop ARP attacks” option is enabled in your firewall settings to protect against MITM.
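To make the ARP-cache protection above concrete, here is an added example (not from the original post or from any of the tools it mentions) of what such a firewall feature watches for: the gateway's IP suddenly answering from a different MAC, or one MAC claiming several IPs. The ARP replies and addresses are constructed for the demo.

```python
"""Minimal ARP-cache watchdog: flags the symptoms of an ARP-based MITM.

Added example, not code from the original post. It replays a constructed
list of (ip, mac) pairs, as a host's ARP table would see them arrive, and
reports IP-to-MAC changes (critical if it is the gateway) and MACs that
claim more than one IP.
"""
from collections import defaultdict

# Constructed sample: ARP replies in arrival order (all addresses made up).
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway, legitimate
    ("192.168.1.20", "aa:bb:cc:dd:ee:01"),  # an ordinary client
    ("192.168.1.1", "aa:bb:cc:dd:ee:02"),   # gateway IP now answered by a new MAC
    ("192.168.1.20", "aa:bb:cc:dd:ee:02"),  # same new MAC also claims the client IP
]


def detect_arp_anomalies(replies, gateway_ip):
    """Return alert strings for IP->MAC changes and MACs claiming several IPs."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # A changed mapping for the gateway is the classic MITM signature.
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{severity}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"WARNING: {mac} claims multiple IPs {sorted(mac_to_ips[mac])}")
    return alerts


def main():
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(alert)


if __name__ == "__main__":
    main()
```

A real watchdog would feed this the output of `arp -a` (or a packet capture) at intervals rather than a fixed list; the detection logic stays the same.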

Keep Backtrack Up to Date!

You can use this update script created by sickness over on the Backtrack forums, allowing you to update specific packages or everything all at once.

Alternatively, open up terminal and type:
apt-get update
apt-get upgrade

Other Useful Links Worth Checking Out

Similar link/info compilation threads.

And I want to give a special thanks to all of the authors of these tutorials on these forums and around the interwebs; without you people, I and a vast majority of others out there would never have learned of the many wonders of wireless hacking. So thank you for all your great work and contributions!
Copyright © 2012. Your Unofficial Guide - All Rights Reserved