Auditing Wi-Fi Protected Access (WPA) Pre-Shared Key Mode
Several methods can be used to capture the wireless traffic that contains the WPA-PSK four-way handshake of interest. tcpdump allows for network monitoring and data acquisition, but it does not readily provide meaningful AP data. Kismet is arguably the best tool for wireless data capture, auditing traffic, network detection and general wireless sniffing. Specifically, Kismet can log the packet data into a dump file required for this demonstration, but it is overkill for this situation. The most elegant method of capture is to use airodump, which is part of the Aircrack 2.1 suite written by Christopher Devine. Aircrack can handle large capture files and displays meaningful AP information to include SSID, total number of unique IVs and packet size. Aircrack is available in the Tar File Gzipped format (tgz). Install by following these steps to build the Aicrack suite of tools; the specific tool of interest in this situation is airodump:
# tar zxvf aircrack-2.1.tgz # cd aircrack-2.1 # make
With the tools compiled, wireless traffic now can be captured. The wireless NIC first must be placed in rf monitor mode. For example, if using the patched version of the Orinoco driver, the following commands would be issued, where <AP channel> is the channel of interest:
# iwpriv eth0 monitor 1 <AP channel>
The wireless NIC then is enabled:
# ifconfig wlan0 up
Finally, commands to capture traffic would be issued:
# airodump wlan0 datafilename
Airodump continuously displays the AP SSID and packet capture information on the specified channel. To reduce the amount of captured data, the MAC address of the AP may be appended after the datafilename. To exit airodump, use the Ctrl-C command.
Although airodump happily captures traffic, the four-way handshake is not captured until a client-to-AP association occurs. This is a random occurrence from the attacker's point of view, but forced reassociations can be accomplished by executing a death attack using a tool such as void11 that forces the de-authentication of wireless clients from their associated APs. The wireless client automatically attempts reassociation, which allows the capture of the WPA-PSK four-way handshake. Assuming the handshake has been captured, it is time to execute the brute-force dictionary attack.
coWPAtty requires that OpenSSL be installed on your system. After downloading coWPAtty, install it using the following steps:
# tar zxvf Cowpatty-2.0.tar.gz # cd cowpatty # make
You now have built the coWPAtty binary. Execute the binary by supplying the libpcap that includes a captured four-way handshake, a dictionary file of passphrases from which to guess and the SSID of the network. The options are:
-f: dictionary file
-r: packet capture file
-s: network SSID
The binary is executed with the following command:
# ./cowpatty -r datafilename \ -f dictionaryfile -s SSID
If there is no WPA four-way exchange, the following message is displayed:
End of pcap capture file, incomplete TKIP four-way exchange. Try using a different capture.
If the file did contain the four-way handshake, the following is displayed:
coWPAtty 2.0 - WPA-PSK dictionary attack. <email@example.com> Collected all necessary data to mount crack against passphrase. Loading words into memory, please be patient ... Done (XX words). Starting dictionary attack. Please be patient.
coWPAtty continues the intensive and relatively slow process of testing each dictionary word as a passphrase by using the PBKDF2 function and making 4096 SHA-1 passes on each passphrase in the supplied data set. coWPAtty updates its progress until it reports either it has found the WPA-PSK passphrase or it was unable to identify the WPA-PSK passphrase from the supplied dictionary file. As noted in the documentation, coWPAtty is not fast, due to the number of repetitions required for each passphrase. Expect approximately 45 keys per second in actual use.
For users who care to demonstrate this tool but are unable to capture the network data, coWPAtty includes a sample packet capture file, named eap-test.dump, that was generated from an AP with SSID somethingclever and a PSK of family movie night. To demonstrate the attack utilizing the supplied file, enter the following command ensuring that the supplied dictionary has the phrase somethingclever included:
# ./cowpatty -r eap-test.dump \ -f dictionaryfile -s somethingclever
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
- Using Salt Stack and Vagrant for Drupal Development
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- New Products
- RSS Feeds
- Tech Tip: Really Simple HTTP Server with Python
- I like your topic on android
30 min ago
- Reply to comment | Linux Journal
51 min 10 sec ago
- This is the easiest tutorial
7 hours 5 min ago
- Ahh, the Koolaid.
12 hours 44 min ago
- git-annex assistant
18 hours 43 min ago
- direct cable connection
19 hours 6 min ago
- Agreed on AirDroid. With my
19 hours 16 min ago
- I just learned this
19 hours 20 min ago
19 hours 50 min ago
- not living upto the mobile revolution
22 hours 42 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.