Cracking WEP and WPA wireless networks
This article covers how to test the security of your own wireless access point by cracking its WEP or WPA key.
Slackware 12.2 with kernel 2.6.27.7-smp, a wireless card with the Intel 3945 ABG chipset and the aircrack-ng suite will be used.
It is recommended that you get permission from the owner before cracking an access point.
I would not advise using the Windows version. This is because it has limited operating system support and you can only capture packets passively. Windows is virtually useless for wireless activities due to the huge number of restrictions.
The first step is to determine the chipset of your wireless card. One way to obtain this information is “dmesg”: its output quite often contains detailed messages indicating which card was detected and its chipset. Alternatively, you can use “lspci” if the card is a PCI card.
Once you have determined the chipset of your wireless card, consult the aircrack-ng Compatible Cards list to find out whether the chipset is supported by the aircrack-ng suite.
iwl3945 is the new driver for the Intel PRO/Wireless 3945ABG wireless chipset.
On Linux you sometimes need to patch the drivers in order to get advanced features such as monitor mode and injection capability.
For kernel 2.6.27 and newer the iwl3945 driver is included and no special patch is needed.
Before starting, you need to install the iw program, which is needed to create a monitor interface.
The iw program, however, relies on the libnl library. Therefore you will need to install both libnl and iw in order to be able to use airmon-ng.
WEP Cracking
Step 1 - Start the wireless interface in monitor mode on the AP channel
We need to put our card into what is called monitor mode. Monitor mode is a mode whereby your card can listen to every packet in the air.
airmon-ng start wlan0 6
Substitute the channel number that your AP runs on for “6” in the command above. This is important: you must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly.
You will notice that the interface mon0 has been created and is now in monitor mode.
Step 2 - Test Wireless Device Packet Injection
This step ensures that your card is close enough to your AP to inject packets to it.
aireplay-ng -9 -a MacAp mon0
where:
-9 means injection test
-a MacAp filters on the access point MAC address
mon0 is the wireless interface in monitor mode.
You should see: Injection is working!
Step 3 - Start airodump-ng to capture the IVs
Open another console session and start airodump-ng to capture the IVs. An initialization vector (IV) is a block of bits sent with each WEP frame; collecting enough of them from a specific access point allows you to determine its WEP key.
airodump-ng -c 6 --bssid MacAp -w output mon0
where:
-c 6 is the channel of the wireless network
--bssid MacAp sets the access point MAC address
-w output is the file name prefix for the files which will contain the IVs.
You should see the #Data field increase second by second.
Step 4 - Start aireplay-ng in ARP request replay attack
Start aireplay-ng in a mode which listens for ARP requests and then reinjects them back into the network.
aireplay-ng -3 -b MacAp -h MacSource mon0
where:
-3 specifies an ARP request replay attack
-b MacAp sets the access point MAC address
-h MacSource sets the source MAC address.
This step rapidly increases the number of captured IVs.
Step 5 - Run aircrack-ng to obtain the WEP key
Now we need to obtain the WEP key from the IVs gathered in the previous steps.
Start another console session and enter:
aircrack-ng -b MacAp output*.cap
where:
output*.cap selects all the capture files for this AP.
In the output you can see that the PTW method is used.
The PTW method successfully determines the WEP key and is quicker than the other methods, but it only works with ARP request/reply packets.
If you are using the PTW attack, you will need about 20,000 packets for a 64-bit key and 40,000 to 85,000 packets for a 128-bit key.
When the attack succeeds you'll see: Key found!
WPA Cracking
In terms of WPA authentication methodology, only plain brute-force techniques can be used to crack the key, so collecting IVs does not speed up the attack. The only thing that gives you the information needed to start an attack is the handshake between client and AP. There is no difference between cracking WPA and WPA2 networks: the authentication methodology is basically the same, so the techniques you use are identical.
Step 1 - Start the wireless interface in monitor mode
airmon-ng start wlan0 6
Step 2 - Start airodump-ng to collect authentication handshake
Now we run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.
airodump-ng -c 6 --bssid MacAp -w output mon0
If airodump-ng has successfully captured the four-way handshake, you will see in the top right-hand corner: “WPA handshake: MacAp”.
Step 3 - Use aireplay-ng to deauthenticate the wireless client
If you don't see “WPA handshake: MacAp” in the top right-hand corner, you should force the client to deauthenticate. This step sends a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP.
The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key:
aireplay-ng -0 1 -a MacAp -c MacClient mon0
where:
-0 means deauthentication
1 is the number of deauths to send (I suggest you don't send multiple)
-a MacAp is the MAC address of the access point
-c MacClient is the MAC address of the client you are deauthenticating
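The deauthenticate-then-reauthenticate sequence described above is also the trace a defender can look for. As an added example that is not part of the original post, this Python function scans a constructed, simplified frame summary (timestamp, frame type, transmitter, receiver) and flags a deauthentication frame that appears to come from the AP and is followed within a few seconds by a complete 4-way handshake for the same client; the MAC addresses, timestamps and the `bssid`/`window` parameters are assumptions.

```python
"""Detect a forced deauth followed by an immediate fresh WPA handshake.

Added example, not from the article. Operates on a constructed frame
summary such as a wireless IDS or a tshark export would give you; all
MAC addresses and timestamps are made up.
"""
from collections import defaultdict

# Constructed frame records: (seconds, frame type, transmitter, receiver).
# "deauth" is an 802.11 management frame, "eapol" a 4-way handshake message.
FRAMES = [
    (0.0,   "data",   "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (1.2,   "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),  # "AP" drops client
    (1.9,   "eapol",  "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),  # handshake msg 1
    (2.0,   "eapol",  "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55"),  # msg 2
    (2.1,   "eapol",  "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),  # msg 3
    (2.2,   "eapol",  "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55"),  # msg 4
    (40.0,  "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:02"),  # client really leaving
    (900.0, "eapol",  "00:11:22:33:44:55", "aa:bb:cc:dd:ee:02"),  # unrelated, much later
]

def find_forced_reauth(frames, bssid, window=5.0):
    """Return (deauth_time, client) pairs where a deauth carrying the AP's
    address is followed within `window` seconds by four EAPOL frames for
    the same client. A single deauth and an immediate new handshake is the
    pattern the forced-deauth step leaves behind; a genuine disconnect is
    not normally followed by a handshake seconds later."""
    by_client = defaultdict(list)   # client MAC -> [(time, kind), ...] in time order
    for t, kind, src, dst in sorted(frames):
        if src == bssid and kind == "deauth":
            by_client[dst].append((t, "deauth"))
        elif kind == "eapol" and bssid in (src, dst):
            client = dst if src == bssid else src
            by_client[client].append((t, "eapol"))
    hits = []
    for client, events in by_client.items():
        for i, (t0, kind) in enumerate(events):
            if kind != "deauth":
                continue
            eapol = [t for t, k in events[i + 1:] if k == "eapol" and t - t0 <= window]
            if len(eapol) >= 4:
                hits.append((t0, client))
    return hits

if __name__ == "__main__":
    for t, client in find_forced_reauth(FRAMES, "00:11:22:33:44:55"):
        print(f"suspicious deauth at t={t}s followed by a new handshake for {client}")
```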
Step 4 - Run aircrack-ng to crack the pre-shared key
Now we crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input.
aircrack-ng -w dictionary -b MacAp output*.cap
If the correct password is in the dictionary you'll see: Key found!
Conclusion
As you've seen, the WEP authentication methodology is basically easy to crack.
As for WPA, we know that when the router's security parameters are left at their defaults the WPA key is an alphanumeric key. The only chance of cracking this key is that it is included in the dictionary.
The majority of the dictionaries you can find on the Internet are made up of words in human languages and are therefore not really useful for this, unless the user has changed the password on purpose.
However, one could think of creating an ad hoc dictionary of alphanumeric passwords (with John the Ripper). But for an alphanumeric password of the minimum length 8 there are 18340105584896 possibilities.
I can do about 900 keys/sec on my two T5670s, which means it would take me 461 years.
So in order to get an AP that is safe from external threats, I suggest you use WPA with a key composed of random characters (63 characters will be unbreakable), together with a MAC address filter listing the devices that are allowed to connect.
Any constructive feedback is welcome.
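To make the conclusion's argument reusable, here is an added Python example (not from the original post) that carries the keyspace and exhaustive-search arithmetic through a general function: character-set size and passphrase length give the keyspace, its entropy in bits, and the worst-case years at a fixed guessing rate. The 62-character alphanumeric set, length 8 and the 900 keys/s rate come from the article; the 95-character printable set and the other lengths are assumptions used for comparison.

```python
"""Keyspace, entropy and exhaustive-search time for WPA pre-shared keys.

Added example, not from the article. The guessing rate is treated as a
constant: WPA derives the key material with PBKDF2, so the rate depends
on the hardware, and 900 keys/s is the figure the article reports.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Character sets a passphrase may be drawn from (sizes, not the characters).
CHARSETS = {
    "digits": 10,
    "alphanumeric": 26 + 26 + 10,   # a-z, A-Z, 0-9 -> 62 symbols
    "printable": 95,                # assumed: printable ASCII, allowed for 8-63 char WPA keys
}

def keyspace(charset_size, length):
    """Number of distinct passphrases of exactly `length` characters."""
    return charset_size ** length

def entropy_bits(charset_size, length):
    """Entropy of a uniformly random passphrase from this set, in bits."""
    return length * math.log2(charset_size)

def years_to_exhaust(charset_size, length, keys_per_second):
    """Worst-case time to try every passphrase at a fixed guessing rate."""
    return keyspace(charset_size, length) / keys_per_second / SECONDS_PER_YEAR

def compare(keys_per_second, lengths=(8, 10, 12, 63)):
    """Rows of (charset name, length, bits, years) for a given rate."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(size, n), 1),
                         years_to_exhaust(size, n, keys_per_second)))
    return rows

if __name__ == "__main__":
    for name, n, bits, years in compare(900):
        print(f"{name:13s} len={n:2d}  {bits:7.1f} bits  {years:.3g} years")
```

Doubling the guessing rate halves the years column, while adding one alphanumeric character multiplies it by 62, which is why the length of a random key matters far more than the speed of the attacker.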
Have fun!