By now, pretty much everyone has heard that it is easy to hack into WEP protected networks. As we have seen in our Cracking WEP article
, it is terribly easy. (There have been advances in cracking WEP since that article was published, it is even easier now) Yeah, WiFi is inherently insecure, but we need it... Right? Well if you ask your local security guy how you can protect your home WiFi network, surely they will come back and say: "WPA or WPA2 cannot be cracked, use it". They are wrong.
By simply installing a patch to your existing hardware, WPA came in as the "Saving Grace" for wireless networking. It corrected almost every security problem either created or ignored by WEP. However, WPA was not perfect. The method in which WPA initializes its encryption scheme is subject to capture and offline brute force attacks. Consequently, it's actually easier to crack WPA which uses a weak password than it is to crack WEP. This article will walk you through the process of retreiving and cracking a WPA network key. In this guide I will skim over some of the powerful things that you can do with graphics cards. By focusing on my personal setup, you will see it can be done with limited off the shelf equipment.
The first decision is to decide what you want your setup to be. I personally chose to go with a setup using GeForce card with CUDA support (http://www.nvidia.com/object/cuda_learn_products.html ). You will need to check on the programs you want to use to make sure that they support the graphics card that you choose.
The setup I ultimately decided going with is an EVGA 780i motherboard that has dual SLI support (can support tri SLI). I ended up going with two GeForce GTX260 cards to utilize the SLI capability. I also upgraded my power supply to a Corsair 850W to power everything in my machine.
After building the setup, feel free to go play some games, then come back to this guide. I mean you have work to do!
The BackTrack 4 Release is a perfect platform for you to have some fun with your new setup. For a guide on configuring Backtrack 4 with CUDA and a in depth tutorial on CUDA tools, check out this 25 page guide on it by Pureh@te on the offensive-security website.
Finally lets take a look at my favorite GPU tool Pyrit, which will allow you to run a pass-through dictionary attack against WPA encryption (http://code.google.com/p/pyrit/) running it through coWPatty (http://www.willhackforsushi.com/Cowpatty.html).
Using this you can take a capture file with a WPA 4-way handshake and do a pass-through to try to crack it with your dictionary using coWPatty. Make sure you use a dictionary with words in length starting from 8 and ending in 63 letters long. Any longer or shorter is just a waste because of the requirements of WPA passphrase's. One thing to keep in mind is that to be able to crack the passphrase you must have the passphrase in your dictionary file.
The first step will be to put your card into monitor mode. After that, fire up airodump. I happen to know the router BSSID and channel so here is what I did below.
airodump-ng -c (routers channel) - - bssid (routers bssid) -w (cap filename) interface
Airodump will then load up as shown below. You can see the router and data coming from it. You can see a client is connected, which is important since you will need to get the 4-way handshake to crack the WPA passphrase.
Next it is time to send a de-authentication packet to the client to make it reconnect to the router allowing you to grab that 4-way handshake.
Aireplay-ng -0 (de-authentication attack) 5 (number of de-authentication packets to send) -a (router bssid) -c (client essid) interface
If all goes well, you will see in your airodump window in top right corner showing you have received a WPA handshake. I have circled it in red below. If you don't see this just repeat the last step and de-authenticate the client again.
After that I like to make sure that my graphic cards are working properly. You can either run a benchmark or list cores in pyrit. In the below picture I show the benchmark option
To run benchmark: pyrit benchmark
To list cores: pyrit list_cores
Below is the command for running pyrit in a pass-through mode through coWPatty. The great thing about this is you can run it with your dictionary file and not mess around with making a rainbow table or anything. If you do not have a dictionary file for WPA, you can grab one from the backtrack repository. Command is as follows for the pass-through mode.
pyrit -e (router essid) -f (path to the dictionary file) passthrough | (path to coWPatty) -d - -s (router essid) -r (name of capture file)
Note: I had installed the latest version of coWPatty manually. The default location you would put after the pipe (|) in backtrack would be /pentest/wireless/cowpatty/cowpatty
If all goes well you well, you will start to see it go through passphrases in your dictionary file as shown below.
And if all goes well in the end, you will end up with a passphrase as shown below.
It was able to run 15,479.28 passphrases per second, which is an amazing upgrade from the 300 something I was getting with my 2.0 GHz dual core processor. This is also using the stock graphic cards that are not over-clocked.
Backtrack - http://www.remote-exploit.org/backtrack.html