Auditing Wi-Fi Protected Access (WPA) Pre-Shared Key Mode
Several methods can be used to capture the wireless traffic that contains the WPA-PSK four-way handshake of interest. tcpdump allows for network monitoring and data acquisition, but it does not readily provide meaningful AP data. Kismet is arguably the best tool for wireless data capture, auditing traffic, network detection and general wireless sniffing. Specifically, Kismet can log the packet data into a dump file required for this demonstration, but it is overkill for this situation. The most elegant method of capture is to use airodump, which is part of the Aircrack 2.1 suite written by Christopher Devine. Aircrack can handle large capture files and displays meaningful AP information to include SSID, total number of unique IVs and packet size. Aircrack is available in the Tar File Gzipped format (tgz). Install by following these steps to build the Aicrack suite of tools; the specific tool of interest in this situation is airodump:
# tar zxvf aircrack-2.1.tgz # cd aircrack-2.1 # make
With the tools compiled, wireless traffic now can be captured. The wireless NIC first must be placed in rf monitor mode. For example, if using the patched version of the Orinoco driver, the following commands would be issued, where <AP channel> is the channel of interest:
# iwpriv eth0 monitor 1 <AP channel>
The wireless NIC then is enabled:
# ifconfig wlan0 up
Finally, commands to capture traffic would be issued:
# airodump wlan0 datafilename
Airodump continuously displays the AP SSID and packet capture information on the specified channel. To reduce the amount of captured data, the MAC address of the AP may be appended after the datafilename. To exit airodump, use the Ctrl-C command.
Although airodump happily captures traffic, the four-way handshake is not captured until a client-to-AP association occurs. This is a random occurrence from the attacker's point of view, but forced reassociations can be accomplished by executing a death attack using a tool such as void11 that forces the de-authentication of wireless clients from their associated APs. The wireless client automatically attempts reassociation, which allows the capture of the WPA-PSK four-way handshake. Assuming the handshake has been captured, it is time to execute the brute-force dictionary attack.
coWPAtty requires that OpenSSL be installed on your system. After downloading coWPAtty, install it using the following steps:
# tar zxvf Cowpatty-2.0.tar.gz # cd cowpatty # make
You now have built the coWPAtty binary. Execute the binary by supplying the libpcap that includes a captured four-way handshake, a dictionary file of passphrases from which to guess and the SSID of the network. The options are:
-f: dictionary file
-r: packet capture file
-s: network SSID
The binary is executed with the following command:
# ./cowpatty -r datafilename \ -f dictionaryfile -s SSID
If there is no WPA four-way exchange, the following message is displayed:
End of pcap capture file, incomplete TKIP four-way exchange. Try using a different capture.
If the file did contain the four-way handshake, the following is displayed:
coWPAtty 2.0 - WPA-PSK dictionary attack. <email@example.com> Collected all necessary data to mount crack against passphrase. Loading words into memory, please be patient ... Done (XX words). Starting dictionary attack. Please be patient.
coWPAtty continues the intensive and relatively slow process of testing each dictionary word as a passphrase by using the PBKDF2 function and making 4096 SHA-1 passes on each passphrase in the supplied data set. coWPAtty updates its progress until it reports either it has found the WPA-PSK passphrase or it was unable to identify the WPA-PSK passphrase from the supplied dictionary file. As noted in the documentation, coWPAtty is not fast, due to the number of repetitions required for each passphrase. Expect approximately 45 keys per second in actual use.
For users who care to demonstrate this tool but are unable to capture the network data, coWPAtty includes a sample packet capture file, named eap-test.dump, that was generated from an AP with SSID somethingclever and a PSK of family movie night. To demonstrate the attack utilizing the supplied file, enter the following command ensuring that the supplied dictionary has the phrase somethingclever included:
# ./cowpatty -r eap-test.dump \ -f dictionaryfile -s somethingclever
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- SUSE LLC's SUSE Manager
- My +1 Sword of Productivity
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- Managing Linux Using Puppet
- Non-Linux FOSS: Caffeine!
- Doing for User Space What We Did for Kernel Space
- SuperTuxKart 0.9.2 Released
- Google's SwiftShader Released
- Parsing an RSS News Feed with a Bash Script
- SourceClear Open