Friday, September 2, 2011

No Access Point? No Problem!: How to get a WPA\WPA2 keys 4-way handshake using Airbase-ng

Today we are going to look into how to get a WPA\WPA2 keys 4-way handshake from a client using Airbase-ng without them being connected or near their access point. This is useful as a lot of machines will throw beacon probes out for old access points they've connected to (you will see them while running airodump-ng at the bottom right). This means it is looking for that Access Point and wants to connect to it. What we will do with Airbase-ng is pretend we are that access point and let it attempt to connect to us.

So for this tutorial I will be using:
- One Attacker Box running BackTrack 5
- One laptop running XP or 7 pre-configured to connect to a SSID of linksys with a WPA2 key set

Step 1: Going in to Monitor Mode

With that said let's first get things setup on the hacking machine by setting our wireless card into monitor mode using airmon-ng. since my wireless interface is "wlan0" I would use the command "airmon-ng start wlan0". This will give us a virtual interface called "mon0" which is in monitor mode

Airmon-ng setting wlan0 to monitor mode.

Step 2a: Setting up the fake AP (Single Known Target Method)

Use this method if you know the Targets AP ESSID or you only want to attack that one; otherwise use Step 2b instead but still read this section to get a better understanding first. Next let's taking a moment to look at the help options for airbase-ng, pictured below.

Airbase-ng Help

So now let's set up our options here. For this attack I'm going to use the following command.(Note: This is case sensitive so pay close attention to this)

airbase-ng -F ./Desktop/WPA-attack.cap --essid linksys -Z 2 -c 1 -i mon0 mon0

I owe you a little explanation of what the command does. here's quick break down of what this command does as per the help screen.

usage: airbase-ng <options> <replay interface>
  • -F prefix : write all sent and received frames into pcap file
  • --essid <ESSID> : specify a single ESSID (short -e)
  • -Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
  • -c channel : sets the channel the fake AP is going to run on
  • -i iface : capture packets from this interface
So, basically this command will set up mon0 to listen and answer (-i mon0 mon0) as a WPA2-TKIP access Point (-Z 2) running on channel 1 (-c 1) with the SSID of linksys (--essid linksys) and log all packets to a log file on the desktop (-F ./Desktop/WPA-attack.cap).

Airbase-ng in Action

Above is a console picture of it in action. As you can see in the last 3 lines the machine is attempting to authenicate to our fake AP, once you see this line once it is safe to open another terminal and try to open the pcap file (in my case ./Desktop/WPA-attack.cap-01.cap) with aircrack-ng to confirm you got a handshake.

Aircrack-ng shows we have the handshake!

So on this note, we see we got a handshake!

Step 2b: Setting up the fake AP (Unknown Target Method)

Warning: This method will attempt to attack every probe it sees! if you didn't know the ESSID of the client or just wanted to attack everyone in the area (airport or coffee shop anyone?) use this type of command.

airbase-ng -P -C 500 -Z 2 -c 1 -i mon0 -F ./Desktop/Probe_hits mon0

It's Pretty much the same as the one from step 2 expect instead of using "--essid linksys" we used "-P -C 500" (case sensitive. So note they are uppercase switches)

usage: airbase-ng <options> <replay interface>
  • -F prefix : write all sent and received frames into pcap file
  • -P : respond to all probes, even when specifying ESSIDs
  • -C seconds : enables beaconing of probed ESSID values (requires -P)
  • -Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
  • -c channel : sets the channel the AP is running on
  • -i iface : capture packets from this interface

Airbase-ng Responding to all beacons.

With this approach I changed the victims wireless connection settings from linksys to "testing" as you can see it found it, repeated it, and allow the client to connect. Thus also getting the handshake same as above.

Step 3a: Cracking it with Cowpatty and rainbow tables

This is my preferred method of cracking WPA/WPA2. However Cowpatty (even the install on backtrack) will by default not detect the 4-way handshake obtained with these methods unless you patch it. You can patch it with an article I wrote on how to do this step-by-step or via a script that I coded for that, both of which can be found here. With Cowpatty patch just use the following command:

Command to crack using Cowpatty.

cowpatty -r ./Desktop/WPA-attack.cap-01.cap -s linksys -d linksysHashTable

In this command the -r points cowpatty to the Capture file with the handshake. The -s is used to indicate the ESSID to the program. Finally, the -d points to my rainbow table for this SSID. If you need rainbow tables for Cowpatty the I recommend you checkout the church of WiFi set from renderlabs webpage as they have a free set containing 33GB of tables made from the top 1,000 SSIDs seen on WiGLE (Wireless Geographic Logging Engine) which is a community for wardrivers to upload their GPS wardriving data and mapped on the site for all to see.

If that image isn't encourgement to get your rainbow tables I don't know what is. Cracked after 395,442 try in about 2.5 seconds!!! So worth the download and space to keep these handy. If the SSID is one not in the kit you can make it following this post here.

Step 3b: Cracking it with aircrack-ng using a Dictionary

In this attack we will use Aircrack-ng with a the default dictionary that comes with BackTrack (located under /pentest/password/wordlist/darkc0de.lst). This is just to show you a second method and give you something to compare the time difference on rainbow table vs. dictionary attacks. To run it just do the following:

aircrack-ng ./Desktop/WPA-attack.cap-01.cap -w /pentest/password/wordlist/darkc0de.lst

Aircrack-ng target selection
On mine it was number two but just hit the number next to the network with the handshake you are attacking. You should see it start to run the attack.

Aircrack-ng Finished Cracking
As you can see this worked too but it took 16 mins instead of 2 seconds. Whichever method is easier for you, that's the one to use. Hope this helps some people, if you have any questions feel free to leave a question in the comments area.

Enjoy and stay out of trouble! ;-)