
Stealing Passwords With Wireshark

      Project 15: Cracking WPA (20 Points)


Warning: Only use this on networks you own.  Cracking into networks without permission is a crime; don't do it!

What You Will Need

  • A wireless access point
  • A computer running any OS with any wireless NIC to be the client
  • A different computer with a Linksys WUSB54G Wi-Fi card, or another Wi-Fi card that is compatible with the BackTrack 2 live CD operating system
  • A Backtrack 2 Live CD

Choose Your Access Point/Router

  1. There are four Access Point/Routers available in S37: Linksys, D-Link, Belkin, and Buffalo.  Choose one and use the corresponding instructions below to set up a secure Wireless Local Area Network (WLAN).  If you are working at home, you can use any wireless router that supports WPA (they all do, unless your equipment is very old).

      Linksys Router

Restoring the Access Point to Factory Default Settings

  1. Get the blue Linksys BEFW11S4 router from the closet.  Plug in the power cord.  Do not plug in any Ethernet cables yet. 
  2. Press the little red RESET button on the back and hold it in for ten seconds.  This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router

  1. Choose one computer to be the Wired Client.  Disconnect the blue Ethernet cable from the back of the Wired Client.  Take another cable and connect the Wired Client to port 1 on the router.  Check the front panel of the router: the light under number 1 should light up, but the Internet light should be dark.
  2. On the Wired Client, click Start, All Programs, Accessories, Command Prompt.  Type in this command and press the Enter key.

      IPCONFIG

      You should see an IP address starting with 192.168.1, as shown below.  There are other network adapters present with other IP addresses, but one of them should start with 192.168.1.  If you don't have an IP address like that, restart the Wired Client computer.

Ethernet adapter Local Area Connection 2: 

        Connection-specific DNS Suffix  . :

        IP Address. . . . . . . . . . . . : 192.168.1.101

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.1.1

  1. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.

      PING 192.168.1.1

      You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the router as a client.

Changing the Subnet on the Router

  1. The LAN in S214 uses the 192.168.1.0 subnet, which is the same as the default subnet for the Linksys router.  The router won't be able to connect to the LAN unless it uses a different subnet for its clients, so we need to change the router to a different subnet.

On the Wired Client, open a browser and go to this address: 192.168.1.1

  1. A box pops up asking for a user name and password.  Leave the User Name blank and enter a password of admin
  2. In the Linksys page, on the Setup tab, change the Local IP Address to 192.168.10.1, as shown to the right on this page.
  3. Scroll to the bottom of the page and click the Save Settings button.
  4. A popup box appears saying Next time, log in the router with the new IP address.  Click OK.
  5. Now that the router has a new address, the Wired Client needs a new IP address too to connect to it.  To force a DHCP renew, unplug the network cable from port 1 on the router, wait a couple of seconds, and plug it in again.

  1. On the Wired Client , in the Command Prompt window, type in this command and press the Enter key.

      IPCONFIG

      You should see an IP address starting with 192.168.10.  If you don't have an IP address like that, restart the Wired Client computer.

  1. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.

      PING 192.168.10.1

      You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the router again as a client.

Setting the SSID and Channel on the Access Point/Router


SSID: _______________________ 

Channel: 1


Make up a new SSID to be your network's name.  Write it in the box to the right on this page.  Don't use any spaces in the name.

  1. On the Wired Client, open a browser and go to this address: 192.168.10.1

A box pops up asking for a user name and password.  Leave the User Name blank and enter a password of admin

  1. In the Linksys page, click the Wireless tab.  Click the blue Basic Wireless Settings tab.  In the Wireless line, click Enable.  Enter your SSID in the Wireless Network Name(SSID): box.
  2. Select a Wireless Channel of 1 - 2.417 GHz, as shown to the right on this page.  At the bottom of the page, click Save settings.

Setting WPA Security on the Access Point/Router

On the Wired Client, a browser should still be open, showing address 192.168.10.1

    1. If the browser window is not still open, open a new one, go to 192.168.10.1, and log in with User Name blank and a password of admin
  1. In the Linksys page, click the Wireless tab.  Click the blue Wireless Security tab.  In the Wireless Security line, click Enable.  Select a Security Mode: of WPA Pre-Shared Key.  Enter a WPA Shared Key of password as shown to the right on this page.  At the bottom of the page, click Save settings.

Connecting the Router to the Room's LAN

  1. Find the blue cable attached to the wall that used to be plugged into the Wired Client.  Plug it into the WAN port on the router.  The Internet front panel light should come on.

On the Wired Client, a browser should still be open, showing address 192.168.10.1

    1. If the browser window is not still open, open a new one, go to 192.168.10.1, and log in with User Name blank and a password of admin
  1. In the Linksys page, at the upper right, click the Status tab.  At the bottom of the screen, click the DHCP Renew button.  The router should now show an Internet IP Address starting with 192.168.1 as shown to the right on this page.  If it does not, click the DHCP Renew button again.
  1. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.

      PING YAHOO.COM

      You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the Internet through the router.

Skip ahead to the Connecting a Wireless Client to the Access Point/Router section.


      Belkin Router

Restoring the Access Point to Factory Default Settings

  1. Get the gray Belkin router from the closet.  Plug in the power cord.  Do not plug in any Ethernet cables yet. 
  2. Use a pin or paper clip to press the little RESET button on the back and hold it in for ten seconds.  This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router

  1. Choose one computer to be the Wired Client.  Disconnect the blue Ethernet cable from the back of the Wired Client.  Take another cable and connect the Wired Client to port 1 on the router.  Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
  2. On the Wired Client, click Start, All Programs, Accessories, Command Prompt.  Type in this command and press the Enter key.

      IPCONFIG

      You should see an IP address starting with 192.168.2, as shown below.  There are other network adapters present with other IP addresses, but one of them should start with 192.168.2.  If you don't have an IP address like that, restart the Wired Client computer.

Ethernet adapter Local Area Connection 2: 

        Connection-specific DNS Suffix  . :

        IP Address. . . . . . . . . . . . : 192.168.2.2

  1. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key. 

      PING 192.168.2.1


SSID: _______________________ 

Channel: 11


You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router

  1. Make up a new SSID to be your network's name.  Write it in the box to the right on this page.  Don't use any spaces in the name.
  2. On the Wired Client, open a browser and go to this address: 192.168.2.1
  3. A Belkin page opens.  In the upper right, click the Log in button. 
  4. A Login screen appears.  Leave the Password box empty and click the Submit button.  If the browser displays a Security Warning box, click Continue.


On the left side of the screen, click Channel and SSID

  1. In the Wireless > Channel and SSID page, enter your SSID in the SSID box.
  2. Select a Wireless Channel of 11, as shown to the right on this page.  At the bottom of the page, click Apply Changes.

Setting WPA Security on the Access Point/Router

  1. On the Wired Client, a browser should still be open, showing address 192.168.2.1

 In the left pane, in the Wireless section, click Security.  In the Security Mode box, select WPA-PSK (no server).  Enter a "Pre-shared key (PSK)" of password as shown to the right on this page.  At the bottom of the page, click Apply Changes.


Connecting the Router to the Room's LAN

  1. Find the blue cable attached to the wall that used to be plugged into the Wired Client.  Plug it into the Connection to Modem port on the router.  The WAN front panel light should come on.
  2. On the Wired Client, a browser should still be open, showing address 192.168.2.1
  3. In the Belkin page, on the left side, in the Internet WAN section, click Connection Type
  4. In the WAN > Connection Type screen, accept the default selection of Dynamic and click the Next button.
  5. In the WAN > Connection Type > Dynamic IP screen, leave the Host Name box empty and click the Apply Changes button.
  6. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.

      PING YAHOO.COM

      You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the Internet through the router.

Skip ahead to the Connecting a Wireless Client to the Access Point/Router section.  

      D-Link Router

Restoring the Access Point to Factory Default Settings

  1. Get the gray D-Link router from the closet.  Plug in the power cord.  Do not plug in any Ethernet cables yet. 
  2. Use a pin or paper clip to press the little RESET button on the back and hold it in for ten seconds.  This resets the router back to its factory default settings.

Connecting a Wired Client Computer to the Router

  1. Choose one computer to be the Wired Client.  Disconnect the blue Ethernet cable from the back of the Wired Client.  Take another cable and connect the Wired Client to port 1 on the router.  Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
  2. On the Wired Client, click Start, All Programs, Accessories, Command Prompt.  Type in this command and press the Enter key.

      IPCONFIG

      You should see an IP address starting with 192.168.0, as shown below.  There are other network adapters present with other IP addresses, but one of them should start with 192.168.0.  If you don't have an IP address like that, restart the Wired Client computer.

Ethernet adapter Local Area Connection 2: 

        Connection-specific DNS Suffix  . :

        IP Address. . . . . . . . . . . . : 192.168.0.100

  1. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key. 

      PING 192.168.0.1

      You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router


SSID: _______________________ 

Channel: 6


Make up a new SSID to be your network's name.  Write it in the box to the right on this page.  Don't use any spaces in the name.

  1. On the Wired Client, open a browser and go to this address: 192.168.0.1
  2. A box pops up asking for a user name and password.  Enter a user name of admin and leave the password blank.  Click the OK button. 


On the left side of the screen, click Wireless

  1. Enter your SSID in the SSID box, as shown to the right on this page.
  2. Select a Wireless Channel of 6, as shown to the right on this page. 

WEP Key: ________________________

Setting WPA Security on the Access Point/Router

  1. In the Security: box, select WPA.
  2. In the Passphrase: box, enter password
  3. In the Confirmed Passphrase: box, enter password
  4. At the bottom of the page, click Apply. A message appears saying The device is restarting.  Click Continue

Connecting the Router to the Room's LAN

  1. Find the blue cable attached to the wall that used to be plugged into the Wired Client.  Plug it into the WAN port on the router.  The WAN front panel light should come on.
  2. On the Wired Client, a browser should still be open, showing the D-Link page.
  3. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.

      PING YAHOO.COM

      You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the Internet through the router.


      Buffalo Router with OpenWRT Firmware

Restoring the Access Point to Factory Default Settings

  1. Get the Buffalo router labeled "OpenWRT" from the closet.  Plug in the power cord.  Do not plug in any Ethernet cables yet. 
  2. Use a pen to hold the little INIT button on the bottom.  Unplug the power cord.  Plug the power cord back in and hold the INIT button down for 30 seconds.  This resets the router back to its default settings.

Connecting a Wired Client Computer to the Router

  1. Choose one computer to be the Wired Client.  Disconnect the blue Ethernet cable from the back of the Wired Client.  Take another cable and connect the Wired Client to port 1 on the router.  Check the front panel of the router: the light under number 1 should light up, but the WAN light should be dark.
  2. On the Wired Client, click Start, All Programs, Accessories, Command Prompt.  Type in this command and press the Enter key.

      IPCONFIG

      You should see an IP address starting with 192.168.11, as shown below.  There are other network adapters present with other IP addresses, but one of them should start with 192.168.11.  If you don't have an IP address like that, restart the Wired Client computer.

Ethernet adapter Local Area Connection 2: 

        Connection-specific DNS Suffix  . :

        IP Address. . . . . . . . . . . . : 192.168.11.175

  1. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key. 

      PING 192.168.11.1

      You should see replies, and you should see the back panel lights on the router blink.  The Wired Client is now connected to the router as a client.

Setting the SSID and Channel on the Access Point/Router


SSID: _______________________ 

Channel: 6


Make up a new SSID to be your network's name.  Write it in the box to the right on this page.  Don't use any spaces in the name.

  1. On the Wired Client, open a browser and go to this address: 192.168.11.1
  2. An "OpenWrt Admin Console" page opens.  At the top, click Network.  A box pops up asking for a user name and password.  Enter a user name of root and type in a password of password
  3. Click the OK button. 


In the light blue menu bar, below the "OpenWrt Admin Console" header, click Wireless

  1. Enter your SSID in the ESSID box, as shown to the right on this page.
  2. Select a Wireless Channel of 6, as shown to the right on this page. 
  3. At the bottom of the page, click the "Save Changes" button.  Click the "Apply Changes" link.

Setting WPA Security on the Access Point/Router

In the Encryption Settings: section near the bottom of the page, select an "Encryption Type" of WPA (PSK), as shown to the right on this page.

  1. In the WPA PSK box, enter password, as shown to the right on this page.
  2. At the bottom of the page, click the "Save Changes" button.  Click the "Apply Changes" link.

Connecting the Router to the Room's LAN

  1. Find the blue cable attached to the wall that used to be plugged into the Wired Client.  Plug it into the WAN port on the router. 
  2. On the Wired Client, in the Command Prompt window, type in this command and press the Enter key.

      PING YAHOO.COM

      You should see replies, and you should see the front panel lights on the router blink.  The Wired Client is now connected to the Internet through the router.


Connecting a Wireless Client to the Access Point/Router

  1. Find a machine with a wireless NIC to use as the Wireless Client computer.  Machines S214-15, 16, and 17 have wireless NICs, and there are also USB wireless NICs available that can be attached to other stations. 
  2. Disconnect the blue Ethernet cable from the back of your Wireless Client computer to ensure that it uses only the wireless connection.

In the lower right of the desktop, find the Wireless Network Connection icon, as shown to the right on this page.   It shows a computer with radio waves coming from it.  Right-click that icon and click View available wireless networks.

  1. Find your SSID in the list and click it, as shown to the right on this page.  Click the Connect button.  In the Wireless network connection box, enter the WEP Key you wrote in the box on a previous page of these instructions.  Put the same key in the second box and click Connect.

  1. Wait while your Wireless Client connects.  When the connection is made, you should see the word Connected next to your SSID, as shown to the right on this page.

    1. On the Wireless Client, click Start, All Programs, Accessories, Command Prompt.  Type in this command and press the Enter key.

        IPCONFIG

        You should see an IP address starting with 192.168.10

    1. On the Wireless Client, in the Command Prompt window, type in this command and press the Enter key.

        PING 192.168.10.1

        You should see replies, and you should see the front panel lights on the router blink.  The Wireless Client is now connected to the router as a wireless client. 


    Getting the BackTrack 2 CD

    1. You need a BackTrack 2 CD.  Your instructor handed them out in class.  If you are working at home, you can download it from

             http://www.remote-exploit.org/backtrack.html

    Plugging in the USB NIC

    1. Connect the USB cable from the Linksys WUSB54G ver. 4 NIC.

    Booting the Hacker Computer from the BackTrack 2 CD

    1. Insert the bt2 CD and restart your "Hacker Computer".  If it won't boot from the CD, press F2 to enter the BIOS settings page and set it to boot from the CD.  If it asks for a BIOS Password, press the Enter key.
    2. You should see a message beginning ISOLINUX.  At the boot: prompt, press the Enter key.  Several pages of text scroll by as Linux boots.
    3. When you see a page with a bt login: prompt, type in this username and press the Enter key:

    root

    1. At the Password: prompt, type in this password and press the Enter key:

    toor

    (Figure: Konsole button and Firefox button)

    At the bt ~ # prompt, type in this command and press the Enter key:

    xconf

    1. At the bt ~ # prompt, type in this command and press the Enter key:

    startx

    1. A graphical desktop should appear, with a start button showing the letter K on a gear in the lower left, as shown to the right on this page. 

    Downloading a Word List

    1. A dictionary attack uses a list of possible pre-shared keys.  We'll use a simple, small list that will make the attack fast, although less thorough.
    2. Click the Firefox button, as shown to the right on this page.
    3. In Firefox, go to www.cotse.com/tools/wordlists.htm


    A Web page with many wordlists appears, as shown to the right on this page.  Right-click common-p and click "Save Link As".

    1. In the "Save As" box, select a "Save in folder:" of root, as shown to the right on this page.  Click the Save button.

    Starting the wifi-0 Device

    1. Click the Konsole button, as shown above on this page.
    2. In the "Shell - Konsole" window, type in this command, and then press the Enter key:

      airmon-ng stop rausb0

    1. In the "Shell - Konsole" window, type in this command, and then press the Enter key:

      airmon-ng start wifi0

      We have now stopped the wireless card and restarted it with the special MadWiFi drivers, which are necessary for cracking WEP.  Now the card is monitoring on all channels.


    Capturing Packets to View the Available Networks

    1. Click the Konsole button to open a new Konsole window, titled "Shell - Konsole <2>".
    2. In the "Shell - Konsole <2>" window, type in this command, and then press the Enter key:

      airodump-ng -w test rausb0

      This command opens a window showing all local networks, as shown below on this page.  The columns in the output of immediate importance for cracking WPA are explained below:

      BSSID: The MAC address of the access point

      CH: The channel (1 through 11 are used in the USA)

      ENC, CIPHER, AUTH: These values specify the encryption method, and should say WPA, TKIP, PSK for the pre-shared key method we are cracking.

      ESSID: The name of the network


    BSSID:  ______________________________________ 

    CH: __________ 

    ESSID: ______________________________________


    Write the BSSID, CH, and ESSID of the access point you want to crack into in the box to the right on this page.  Note that the BSSID, STATION, etc. information at the bottom of the screen refers to the client, not the Access Point.
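The same ENC, CIPHER and AUTH columns are what a defender reads to inventory their own networks for weak settings. The script below is an added example, not part of this lab and not part of the aircrack-ng suite: it parses the access-point table in the layout airodump-ng prints and flags anything running open, WEP, or the TKIP cipher. The sample rows are constructed (the MAC addresses and ESSIDs are made up), and the column order (BSSID, PWR, Beacons, #Data, #/s, CH, MB, ENC, CIPHER, AUTH, ESSID) is assumed from airodump-ng's usual screen layout rather than taken from this page.

```python
import re

# Constructed sample in the layout of the airodump-ng access-point table
# (these rows are made up; the addresses and ESSIDs are not real networks).
CONSTRUCTED_AIRODUMP_TEXT = """\
 CH  6 ][ Elapsed: 36 s ][ 2008-04-08 10:15

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 02:00:00:00:00:01  -45      120        8    0   1  54   WPA  TKIP   PSK  lab-wpa
 02:00:00:00:00:02  -70       33        0    0   6  54   OPN              guest
 02:00:00:00:00:03  -60       51        4    0  11  11   WEP  WEP         oldnet
 02:00:00:00:00:04  -52       99       12    0   6  54   WPA2 CCMP   PSK  secure-net
"""

# One access-point row.  Column order is assumed from airodump-ng's usual layout.
# CIPHER and AUTH are blank for open and WEP networks, so they are optional groups;
# station rows (two MACs in a row) and header lines do not match and are skipped.
AP_ROW = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<per_sec>\d+)\s+"
    r"(?P<ch>\d+)\s+(?P<mb>\S+)\s+"
    r"(?P<enc>OPN|WEP|WPA2?)"
    r"(?:\s+(?P<cipher>CCMP|TKIP|WEP))?"
    r"(?:\s+(?P<auth>PSK|MGT))?"
    r"\s+(?P<essid>\S.*?)\s*$"
)


def parse_airodump(text):
    """Return one dict per access-point row; numeric columns become ints."""
    records = []
    for line in text.splitlines():
        match = AP_ROW.match(line)
        if match is None:
            continue
        rec = match.groupdict()
        for field in ("pwr", "beacons", "data", "per_sec", "ch"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def weak_networks(records):
    """(essid, bssid, finding) for every network whose settings the column
    guide above marks as crackable with these tools."""
    findings = []
    for rec in records:
        if rec["enc"] == "OPN":
            findings.append((rec["essid"], rec["bssid"], "open network, no encryption"))
        elif rec["enc"] == "WEP":
            findings.append((rec["essid"], rec["bssid"], "WEP is broken; move to WPA2/CCMP"))
        elif rec["cipher"] == "TKIP":
            findings.append((rec["essid"], rec["bssid"], "TKIP cipher; prefer WPA2/CCMP"))
    return findings


if __name__ == "__main__":
    for essid, bssid, finding in weak_networks(parse_airodump(CONSTRUCTED_AIRODUMP_TEXT)):
        print("%-12s %s  %s" % (essid, bssid, finding))
```

A WPA/WPA2 network with AUTH of PSK is not flagged by this check, because its strength depends entirely on the passphrase, which no scan can see; the lab's own network, configured with TKIP and the key "password", is flagged for the cipher alone.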

    1. Press Ctrl+C to stop the Airodump capture.  If it won't stop, use the mouse to close the "Shell - Konsole <2>" window.  Then click the Konsole button to open a new "Shell - Konsole <2>" window.

    Restarting Monitoring on the Correct Channel

    1. Click the "Shell - Konsole" window to make it active; this is the window you used for the airmon-ng commands.
    2. In the "Shell - Konsole" window, type in this command, and then press the Enter key:

      airmon-ng stop rausb0

    1. In the "Shell C Konsole" window, type in this command, and then press the Enter key:

      airmon-ng start wifi0 11

      Replace 11 with the CH number you wrote in the box above on this page.  Now the card is monitoring only the channel we are interested in.

    Resuming Packet Capture

    1. Click the "Shell - Konsole <2>" window to make it active; this is the Konsole window you used for the airodump-ng command.
    2. In the "Shell - Konsole <2>" window, type in this command, and then press the Enter key:

      airodump-ng -c 11 -w output rausb0

      Replace 11 with the CH number you wrote in the box above on this page.  Now the card is monitoring only the channel we are interested in.  This captures packets on the desired channel, and dumps into the file output.cap


    STATION:____________________________________



    At the top of the airodump-ng output, information about the access point is displayed.  At the bottom is information about associated clients, as shown below on this page.  Find the STATION address for a client associated with your access point, and write it in the box to the right on this page.  If you don't have any associated station, go to your Wireless Client, disconnect, and reconnect to the access point.


    Performing a Deauthentication Attack

    1. We need to capture a four-way handshake from a client authenticating, to get the data we will use to crack WPA.  We could just wait for a client to authenticate, but that might take a long time.  The easier way is to force a deauthentication, after which the client will reauthenticate.
    2. Click the "Shell - Konsole" window to make it active; this is the window you used for the airmon-ng commands.
    3. In the "Shell - Konsole" window, type in this command, and then press the Enter key:

      aireplay-ng --help

      This shows a help message, explaining the options available for aireplay-ng.  Notice the section at the bottom showing "Attack modes", as shown below.  The attack we will use now is deauthenticate, using the -0 10 switch, to send ten deauthentication frames.

    1. In the "Shell - Konsole" window, type in this command, and then press the Enter key:

      aireplay-ng -0 10 -a 00:11:50:1E:43:87 -c 00:12:17:75:A0:19 rausb0

      Replace 00:11:50:1E:43:87 with the BSSID you wrote in the box on a previous page of these instructions (the access point's hardware address).

      Replace 00:12:17:75:A0:19 with the STATION you wrote in the box on a previous page of these instructions (the Wireless Client's MAC address).

      You should see a "Sending deauth to station" message, as shown above on this page.

    1. Go look at your Wireless Client.  It may have automatically reconnected, or it may now be disconnected.  If it is disconnected, reconnect it manually.  But most people set their Wi-Fi networks to be remembered and automatically reconnect, so they won't even notice this attack in progress.
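The client that reconnects automatically never notices this, but a wireless sensor listening on the channel can, because ten deauthentication frames to one station arrive as a burst that an ordinary disconnect does not produce. The script below is an added example, not part of this lab and not part of aircrack-ng: it runs a sliding-window rule over a constructed management-frame log (the timestamps, subtypes and reason codes are made up; the two MAC addresses are the placeholder values from the command above), raises one alert per burst, and then checks whether the station re-associated shortly afterwards, which corroborates a forced disconnect.

```python
from collections import defaultdict, deque

# Placeholder addresses from the lab text: the access point and the wireless client.
AP = "00:11:50:1E:43:87"
STA = "00:12:17:75:A0:19"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed management-frame log, as a sensor on the channel might record it:
# (seconds, frame subtype, transmitter address, receiver address, reason code).
CONSTRUCTED_FRAMES = [
    (0.00, "beacon", AP, BROADCAST, None),
    (1.20, "deauth", AP, STA, 7),      # one ordinary deauthentication, not a burst
    (2.00, "auth", STA, AP, None),
    (2.05, "assoc_req", STA, AP, None),
    (2.10, "assoc_resp", AP, STA, None),
]
# A burst of ten deauthentication frames to the same station (timing is constructed).
CONSTRUCTED_FRAMES += [
    (t, "deauth", AP, STA, 7)
    for t in (5.00, 5.04, 5.08, 5.12, 5.16, 5.20, 5.24, 5.28, 5.32, 5.36)
]
# The client's automatic reconnection a couple of seconds later.
CONSTRUCTED_FRAMES += [
    (7.50, "auth", STA, AP, None),
    (7.55, "reassoc_req", STA, AP, None),
    (7.60, "reassoc_resp", AP, STA, None),
]


def detect_deauth_bursts(frames, threshold=5, window=2.0):
    """Alert when one (transmitter, receiver) pair carries at least `threshold`
    deauth/disassoc frames inside `window` seconds.  One alert per burst: after
    firing, the pair is muted until a full window has passed."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    muted_until = {}
    alerts = []
    for t, subtype, src, dst, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (src, dst)
        times = recent[key]
        times.append(t)
        while t - times[0] > window:
            times.popleft()
        if len(times) >= threshold and t >= muted_until.get(key, float("-inf")):
            alerts.append({"time": t, "transmitter": src, "receiver": dst,
                           "count": len(times), "reason": reason})
            muted_until[key] = t + window
    return alerts


def followed_by_reassociation(frames, alert, horizon=10.0):
    """Corroboration: did the receiver of the burst try to (re)associate to the
    transmitter within `horizon` seconds of the alert?"""
    for t, subtype, src, dst, _ in frames:
        if (alert["time"] < t <= alert["time"] + horizon
                and subtype in ("assoc_req", "reassoc_req")
                and src == alert["receiver"] and dst == alert["transmitter"]):
            return True
    return False


if __name__ == "__main__":
    for alert in detect_deauth_bursts(CONSTRUCTED_FRAMES):
        print("deauth burst at t=%.2f: %s -> %s (%d frames), reassociated: %s" % (
            alert["time"], alert["transmitter"], alert["receiver"], alert["count"],
            followed_by_reassociation(CONSTRUCTED_FRAMES, alert)))
```

Because the key includes the receiver address, a burst aimed at the broadcast address is counted as its own pair and detected the same way. The single deauthentication at 1.20 s never reaches the threshold, which is the point of counting per window rather than alerting on every frame. Protected Management Frames (IEEE 802.11w), which the WPA/TKIP setup in this lab predates, authenticate deauthentication frames so that a client discards forged ones.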

    Performing a Dictionary Attack on the Captured Handshake

    1. Now we will capture an ARP request, and replay it to force the Access Point to pump out a lot of IVs.
    2. In the "Shell - Konsole" window, type in this command, and then press the Enter key:

      aircrack-ng -w common-p.htm output*.cap

    1. You should see a list of BSSID values, and your target network should be labeled with "WPA (1 handshake)", as shown below on this page.  If there is no captured handshake, repeat the deauthentication and reauthentication process. 
    2. Enter the index number of your target network and press the Enter key.  Aircrack simply tries each password on the list in alphabetical order, as shown below on this page.

    When it finds your password, you should see the message "KEY FOUND! [ password ]", as shown below on this page. 
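Why "password" falls this quickly, and what makes a pre-shared key survive a dictionary run, comes down to the key derivation WPA-Personal uses. The script below is an added example, not part of this lab and not part of aircrack-ng: it derives the Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds), checks a candidate passphrase against a constructed stand-in for the common-p list, and times the derivation so you can see how long exhausting a list of a given size takes on the machine it runs on. The wordlist contents and SSID names are made up; the only real value is the published IEEE 802.11i test vector quoted in the comments.

```python
import hashlib
import time

# Constructed stand-in for the small "common-p" list the lab downloads; the real
# file is longer, but the check works the same way on it.
CONSTRUCTED_WORDLIST = ["123456", "letmein", "password", "qwerty", "secret"]


def wpa_pmk(passphrase, ssid):
    """Pairwise Master Key for WPA/WPA2-Personal as IEEE 802.11i defines it:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Published test vector: passphrase "password", SSID "IEEE" gives a PMK
    beginning f42c6fc5 2df0ebef."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA-PSK passphrase is 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def wordlist_position(passphrase, wordlist):
    """Index at which a run through the list in order reaches the passphrase,
    or -1 if the list never contains it."""
    try:
        return wordlist.index(passphrase)
    except ValueError:
        return -1


def measure_pmk_rate(ssid="labnet", samples=10):
    """Approximate PMK derivations per second on this host: the cost of one
    dictionary guess against one SSID."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk("benchmark%02d" % i, ssid)
    return samples / (time.perf_counter() - start)


def audit_passphrase(passphrase, ssid, wordlist, rate=None):
    """Report whether the passphrase falls to a dictionary run over `wordlist`,
    how many guesses that takes, and how long the whole list takes at `rate`
    guesses per second (measured on this host when not supplied)."""
    if rate is None:
        rate = measure_pmk_rate(ssid)
    pos = wordlist_position(passphrase, wordlist)
    return {
        "in_wordlist": pos >= 0,
        "guesses_to_find": pos + 1 if pos >= 0 else None,
        "seconds_to_exhaust_list": len(wordlist) / rate,
        "pmk_hex": wpa_pmk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple"):
        print(candidate, audit_passphrase(candidate, "labnet", CONSTRUCTED_WORDLIST))
```

Two defensive points follow directly from the code. The SSID is the salt, so a default SSID lets precomputed PMKs be reused against every network with that name, while a unique SSID forces the 4096 rounds to be redone per network. And those rounds are the only cost between a list and the key: a short list like the lab's finishes in seconds on any machine, so the passphrase has to be long and absent from every such list.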




    Saving the Screen Image on the Desktop

    1. On the Hacker Computer, from the Backtrack 2 desktop, click Start, Screenshot.
    2. In the Screenshot window, click the "Save As" button.
    3. In the "Save as - Screenshot" window, in the unlabelled box on the upper right, click the arrow and select /root/desktop.

    (Figure: Firefox button)

    In the "Save as - Screenshot" window, in the Location: box, type in a filename of Yourname-Proj15.jpg

    1. Click the Save button.  Your file should appear on the desktop.

    Starting Firefox

    1. On the Hacker Computer, at the lower left of the desktop, click the "Firefox button", as shown to the right on this page.

    Turning in your Project

    1. Firefox opens.  Go to a Web-based email service you feel comfortable using in S214; it should be one with a password you don't use anywhere else.
    2. Email the JPEG image to me as an attachment.  Send the message to cnit.123@gmail.com with a subject line of Proj 15 From Your Name.  Send a Cc to yourself.

    Credits

      I got a lot of this from "Wireless Vulnerabilities and Cracking with the Aircrack Suite", by Stephen Argent, in the magazine hakin9, Issue 1/2008.  There is a lot more information about cracking WEP and WPA in that article, it's great! 

      Last modified 4-8-08

    CNIT 124 - Bowne
