Thread: Crack a WEP / WPA key with Aircrack-ng suite

  1. #1
    Join Date
    Apr 2010
    Posts
    158

    Crack a WEP / WPA key with Aircrack-ng suite

    This tip highlights a simple case of cracking WEP / WPA-PSK. The aim is to familiarize you with the weaknesses of wireless networks. It requires an 802.11b/g card with drivers previously patched for injection.

    Introduction to the tools

    • Airmon-ng
      Puts your wireless network card into monitor mode. Unnecessary here because airodump-ng does it automatically (provided that your card supports the mode!!)
    • airodump-ng
      We can find wireless networks with airodump-ng; it also captures the traffic of these networks, which is needed to find the key.
    • aireplay-ng
      This program generates packets that increase the traffic of the AP (Access Point). Often necessary to expose a WEP key.
    • airolib-ng
      Manages ESSIDs and hash tables; this significantly speeds up the brute force, saving valuable time.
    • packetforge-ng
      This tool will help us craft a packet (ARP in our case, but other protocols are available). By combining an aireplay-ng attack with this program, we can inject packets that increase traffic precisely.
    • Aircrack-ng
      Aircrack-ng implements the FMS attack (and others, such as KoreK). It can break WEP / WPA-PSK.

  2. #2

    Re: Crack a WEP / WPA key with Aircrack-ng suite

    Configure the card in monitor mode

    If your card does not appear in airmon-ng, you will have to configure the network interface yourself.
    airmon-ng

    Once your wireless network card is displayed, enable monitor mode by typing:
    airmon-ng start my_card_wlan

    my_card_wlan is your wireless network interface (e.g. rausb0, ra0, wifi0)


    Finding networks

    Initially, we take an inventory of the networks around us.
    airodump-ng my_card_wlan

    Once the network is identified, we re-run airodump-ng, specifying exactly the network it should listen to:
    airodump-ng -w datafile -d BSSID -c channel_number my_card_wlan


    -w datafile: writes the capture to the file datafile. Keep this important file.
    -d BSSID: restricts the capture to the given BSSID.
    -c channel_number: defines the specific channel to listen on.

    Once you have your list, note the important information:
    • ESSID (the identifier) of the AP.
    • BSSID (the MAC address) of the AP.
    • STATION: a client connected to the network (note its MAC address!).

  3. #3

    Re: Crack a WEP / WPA key with Aircrack-ng suite

    Changing MAC address

    This preliminary step allows you to "bypass" the MAC filter that the AP applies for security reasons. However, it is not often applied. Several methods are available, but the network interface must be disabled first with: ifconfig your_interface down.
    • ifconfig
      ifconfig --help
      ifconfig [interface] hw ether 01:23:45:67:89:AB
    • ip
      ip --help
      ip link set [interface] address 01:23:45:67:89:AB
    • macchanger
      macchanger --help
      macchanger -m 01:23:45:67:89:AB [interface]

    Packet Injection

    Here is the sensitive stage of our procedure: we will generate traffic. If we are faced with WEP encryption, we will try to boost the traffic to collect IVs; on the contrary, for WPA only a little traffic is necessary.

    WEP

    If you do not have a station connected, perform a fragmentation attack.


    Authentication

    The first step for a successful injection is to associate, lest the AP ignore our packets (check this step if you have any questions about IVs that do not)
    aireplay-ng -1 0 -e ESSID -a BSSID -b BSSID -h MAC_CLIENT my_card_wlan
    MAC_CLIENT is the MAC address of the workstation connected to the AP (yours if no station is connected!). Note: for all aireplay-ng commands, if you specify the ESSID then you can omit the options related to the BSSID (-a, -b ...)

    If "Association successful" does not appear, the AP may be sensitive to aireplay-ng packets, or simply the MAC address is already connected.
    Try this alternative, however, which is offered on the official site.
    aireplay-ng -1 6000 -o 1 -q 10 -e ESSID -h MAC_CLIENT my_card_wlan
    6000: re-authenticate every 6000 seconds. A long period allows sending packets that keep the connection active (see -q).
    -o 1: sends a single packet per type; the default of sending multiple packets may confuse the AP.
    -q 10: sends keep-alive packets every 10 seconds to keep the connection active.

  4. #4

    Re: Crack a WEP / WPA key with Aircrack-ng suite

    Attack by ARP request
    Probably the most widespread attack. It captures the ARP requests sent by the AP and reinjects them to force the AP to respond, and thus to generate traffic.
    aireplay-ng -3 -e ESSID -h MAC_CLIENT -r datafile my_card_wlan

    datafile is the file that was generated with airodump-ng. (Optional if run in parallel)
    Note: do not hesitate to deauthenticate the connected station to collect ARP packets in case of difficulty.
    Fragmentation Attack
    It suffices that one IV is transmitted by the AP for the attack to begin. Interesting when very little traffic continues (where no AP is connected). Everything relies on the responses obtained from the AP to harvest 1500 bytes of PRGA, which will be saved as a keystream (a sequence of random, or pseudo-random, characters combined with the plaintext message to produce an encrypted message). We will then reuse this PRGA with packetforge-ng.
    aireplay-ng -5 -e ESSID my_card_wlan

  5. #5

    Re: Crack a WEP / WPA key with Aircrack-ng suite

    WPA/WPA2 - The attack continues on a wireless network encrypted with WPA/WPA2. The goal here is to brute-force the encryption after deauthenticating a station, which will be obliged to restart authentication. This is important, since the 4-way handshake (the first steps of initializing the PSK) is then performed. If the passphrase is longer than 8 characters, it becomes very difficult for the brute force to succeed. Thus, to secure your wireless network, a WPA passphrase with a variety of 63 characters will be more than enough against your neighbors.
    The case of WEP encryption
    Simply pass the ivs file (generated with airodump-ng) as an argument to aircrack-ng.
    aircrack-ng dumpfile.ivs
    Note: the options that optimize the cracking of the key (such as the PTW attack, etc.) are enabled by default.

    Use WPA hash tables
    WPA hash tables pre-compute the PMK (Pairwise Master Key) used during authentication. The PMK is calculated from the ESSID, its length, and the passphrase. That is exactly what happens in the hash tables: they generate a PMK for each dictionary word, based on the ESSID (which thus salts the hash). So for each ESSID, there is a single PMK.
    These pre-computed tables are interesting when we are dealing with identical ESSIDs (this is not the case in countries such as France, Belgium ... where the ESSID is often composed of the ISP name and an identifier "that looks random"). However, if you are not affected by this, you can take a look at the ChurchWifi project, which offers tables generated with the 1000 most common ESSIDs in the world for download. They may still be interesting when you know the ESSID but do not yet have the handshake, and, unlike a conventional dictionary attack, you can compute in advance and save time. In this case we are therefore dealing with a collateral attack, where we identify the target(s) and prepare the ground. The downside is that a pre-computed table is usable only with the ESSIDs used in its creation, requiring you to repeat this process for every new ESSID ...

    Warning: passwords shorter than 8 or longer than 63 characters will be considered invalid.
    Make a complete check to correct any errors (this will also reduce the size):
    airolib-ng wpa-db --clean all
    Start creating the table:
    airolib-ng wpa-db --batch
    Press Ctrl and "C" together when the message "No free essid found" appears to end the session. And finally, admire the cracking speed:
    aircrack-ng -r wpa-db -e ESSID handshake.cap
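As an added example (not part of the original post or of the aircrack-ng project), the PMK computation that these hash tables store, written with Python's standard library: PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, 4096 rounds, 32 bytes. It shows why a table built for one ESSID cannot be reused for another, why only 8 to 63 character passphrases are valid, and what the "clean" step removes; the sample wordlist and the ESSID "HomeNet-7f3a" are constructed.

```python
"""PMK derivation for WPA/WPA2-PSK (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32)."""
import hashlib


def valid_passphrase(passphrase: str) -> bool:
    """WPA-PSK accepts only 8 to 63 printable ASCII characters; anything else is rejected."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Return the 256-bit PMK. The ESSID is the salt, so each network name yields its own PMK."""
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), 4096, dklen=32)


def build_table(essid: str, wordlist) -> dict:
    """Pre-compute PMKs for one ESSID, dropping words WPA would never accept (the 'clean' step)."""
    return {w: derive_pmk(w, essid) for w in wordlist if valid_passphrase(w)}


if __name__ == "__main__":
    # Constructed sample wordlist: "short" and the 64-character entry are removed by the clean step.
    words = ["short", "password", "correct horse battery staple", "a" * 64]
    table = build_table("IEEE", words)
    for word, pmk in table.items():
        print(f"{word!r:32} {pmk.hex()}")
    # Same passphrase, different ESSID: a different PMK, so a table for "IEEE" is worthless here.
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "HomeNet-7f3a"))
```

With passphrase "password" and ESSID "IEEE" the result matches the IEEE 802.11i test vector, which is a quick way to check any table generator you rely on.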
