Crack wireless network WEP/WPA key
Posted by enrique1985, 11-25-2008, 02:40 AM


1. Crack software introduction
The WinAirCrackPack tool package is a wireless LAN scanner and key cracking tool that mainly includes airodump, aircrack and other tools. It can monitor the data transmitted over the wireless network and collect it to calculate WEP/WPA keys.

2. Composition of the experimental environment
Hardware environment
A wireless router or an AP with WEP and WPA encryption functions.
Two laptops with Centrino wireless network cards (defined as STA1 and STA2 respectively, acting as the valid wireless users).
A raw socket wireless network card.
A laptop (defined as STA3, the invader).

Software environment
Invader STA3: WinAirCrackPack tool package.
Notice: on STA3, go to Control Panel > Administrative Tools > Services and start the Wireless Zero Config service.

3. Experimental topology

4. Configure the wireless router (according to the actual network environment)
(1) STA1 connects to the wireless router (not encrypted by default). Right-click the icon at the bottom of the screen and choose “View usable wireless network”. Many usable wireless networks appear in the list; double-click TP-Link to connect to the wireless router, and after a while the connection succeeds.
(2) Open the IE browser and enter the IP address 192.168.1.1 (the wireless router’s default LAN IP address).
(3) Log on to the wireless router management interface (username: admin, password: admin). Click the option “LAN port configuration” under “Network parameter” on the left side, set “IP address” to 192.168.1.8 and save it.
(4) Open the browser, enter the IP address 192.168.1.8 and log in to the wireless router management interface again (notice: this experiment uses a TP-LINK wireless router; other brands such as CISCO all have similar configuration options). Click the option “Basic configuration” under “Wireless configuration” on the left side of the interface.
1) Choose “Mode” as “54Mbps(802.11g)”;
2) Choose “Key format” as “ASCII”;
3) Choose “Key Type” as 64 bit;
4) Set “Key 1” as pjwep;
5) Click “Save”.
(5) Once the WEP key is set on the wireless router, STA1 needs to reconnect to the wireless router (the password entered must be the same as the wireless router’s), and after a while the connection succeeds.
(6) Open the IE browser, enter the IP address 192.168.1.8 and log in to the management interface of the wireless router again. Click the option “DHCP service” under “DHCP server” on the left side of the interface, click “Disable” and save, then click “Restart router” under “System tools”.

5. Download site for the software for cracking WEP and WPA keys:
http://www.xdowns.com/soft/1/66/2007/Soft_39170.html
This collection of 802.11 sniffer tools has functions such as WEP key cracking.
aircrack.exe: the original aircrack program, WIN32 version.
airdecap.exe: WEP/WPA decoding program.
airodump.exe: data frame capture program.
Updater.exe: aircrack update program, WIN32 version.
WinAircrack.exe: graphical front end for aircrack, WIN32 version.
wzcook.exe: program that records the WEP keys cached by the local wireless network card.
The goal of this experiment is to capture enough data frames with initialization vectors (IVs) and then brute-force the WEP key. Therefore, we just need airodump.exe (for data frame capture) and WinAircrack.exe (to crack the WEP key).

6. Install the raw socket wireless network card
Notice: the driver for the raw socket wireless network card is Atheros v4.2.1, and the card must use an Atheros AR5001, AR5002, AR5004, AR5005 or AR5006 chipset; the network cards listed below could all be used. This experiment uses a Netgear 108M wireless network card (model: WG511T).
(1) Install the driver for the raw socket wireless network card on the laptop STA3. Insert the wireless network card, choose “No, temporarily not” in the popup window, and click “Next”.
(2) Choose “Install from the list or specific position” and then click “Next”.
(3) Choose “not search” and then click “Next”.
(4) Click “Install from hard disk”; in the prompt window, click “Browse” and choose E:\WinAircrackPack\atheros421@ (the file net5211 under that directory), then click “Open” and “OK”.

7. Crack WEP key
(1) Let STA1 and STA2 reconnect to the wireless router.
(2) Run airodump on the STA3 laptop; it is used to capture data frames. Follow the prompt to choose “16” to crack all serial numbers of the wireless network card.
“a”: choose the chip type; here we choose the Atheros chip.
“6”: the signal channel; generally 1, 6 and 11 are the usual channels, and “0” collects information from all channels.
“testwep” (this file name could be anything).
“y”: choose “y” when cracking WEP, choose “n” when cracking WPA.
(3) Press Enter.
(4) When traffic through the AP is at its heaviest (for example, use file copies between STA1 and STA2 to generate traffic), the “Packets” value increases faster. When it reaches about 300,000 “Packets” (with 104-bit RC4 encryption, 1,000,000 packets need to be captured), close the airodump window and start WinAircrack.
(5) Click “General” on the left side to configure, choose “WEP” as the encryption type, and add the captured file (testwep.ivs).
(6) Click “Advanced” on the left side and choose the location of “Aircrack”.
(7) After finishing all configuration, click the left side button “Aircrack the key”.
(8) Choose the BSSID of the network to crack (we choose “1” in this experiment), press Enter and get the final WEP key.

8. Crack WPA key
(1) Modify the encryption type and method of the wireless router, setting it to WPA-PSK authentication and TKIP encryption.
(2) Run airodump on the STA3 laptop to capture data packets; follow the prompts and choose in turn “16”, “a”, “6”, “testwpa” (this file name could be anything) and “n”.
(3) Press Enter to go to the next interface.
(4) Let STA1 reconnect to the wireless router; airodump will capture the four-way handshake between the wireless router and STA1.
(5) Start WinAircrack.
(6) Click “General” on the left side to configure, choose “WPA-PSK” as the encryption type, and add the captured file (testwpa.cap).
(7) Click “WPA” on the left side to configure and choose a dictionary file (a password dictionary could be downloaded, such as from lastbit.com/dict.asp).
(8) After all configuration, click the button “Aircrack the key” in the bottom right corner to display the window; it shows that one handshake has been captured.
(9) Choose the BSSID of the network to crack (we choose “2”), press Enter, and after a few minutes’ calculation we finally get the WPA key.

9. An example of the danger to the network after the key is cracked
Once an invader knows the WEP key or WPA key of the wireless network, they can connect to the local LAN. Invaders then have the authority to access the whole network just like normally connected users, and they can attack more deeply. Invaders can use tools like IPBOOK and SuperScan to scan the computers within the LAN. The files, directories or the whole hard drive of those computers can be copied or deleted; even worse, keyloggers, Trojans, spyware or other malicious programs can easily be installed on your computer systems, which brings serious results.
(1) Introduction
When the WEP or WPA key is cracked, invaders may use the password and another wireless access point (AP) to fabricate a network. When the fake AP’s signal is stronger than the normal AP’s, or the user is close to the fake AP, a normal user will naturally connect to the fabricated network, and may not even notice the difference. That is when they receive and send mail as normal, and we could use tools like CAIN to crack POP3 and telnet passwords and the like.
(2) POP3 password crack
1) Open CAIN.
2) Click the menu “Configure”.
3) Choose the network adapter used to capture packets, click “OK”, choose “” and “” and then click “” to start monitoring raw packets.
4) The user begins receiving mail, and this software can capture the mailbox’s login name and password.
(3) Dangers brought after crack

When hackers steal your mailbox’s account name and password and the IP addresses of the POP3 and SMTP servers, they can access your mailbox directly, and all your mail information would be completely exposed.

Reply With Quote
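
Added example, not part of the original post: a defender's audit of the access-point settings the walkthrough depends on (WEP, WPA-PSK with TKIP, a dictionary-guessable key, the TP-Link default SSID and the admin/admin login). The wordlist, the 16-character minimum, the finding codes and the three configurations are constructed assumptions for illustration.

```python
import re

# Constructed sample data; a real audit would load a full dictionary file.
WORDLIST = {"password", "letmein", "sunshine", "dragon", "wireless"}
DEFAULT_SSIDS = {"tp-link", "linksys", "netgear", "default"}
DEFAULT_ADMIN = {("admin", "admin"), ("admin", "password"), ("admin", "")}
LEET = str.maketrans("01345@$", "oleasas")

def dictionary_candidates(passphrase):
    """Variants of a passphrase that a wordlist with simple rules also covers."""
    p = passphrase.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)  # strip digit/symbol padding
    return {p, core, p.translate(LEET), core.translate(LEET)}

def audit_wlan(cfg, wordlist=WORDLIST, min_len=16):
    """Return finding codes for one access-point configuration (a dict)."""
    codes = []
    enc = cfg.get("encryption", "NONE").upper()
    if enc == "NONE":
        codes.append("OPEN")
    elif enc == "WEP":
        # Key strength is irrelevant: WEP keys are recovered from captured IVs.
        codes.append("WEP")
    elif enc.startswith("WPA"):
        if cfg.get("cipher", "").upper() == "TKIP":
            codes.append("TKIP")
        psk = cfg.get("key", "")
        if len(psk) < min_len:  # min_len is this example's policy, not a standard
            codes.append("SHORT_PSK")
        if dictionary_candidates(psk) & wordlist:
            codes.append("DICTIONARY_PSK")
        # The SSID salts the PSK derivation, so a vendor-default SSID is a weak salt.
        if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
            codes.append("DEFAULT_SSID")
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_ADMIN:
        codes.append("DEFAULT_ADMIN")
    return codes

# Constructed configurations: the lab router as set up in section 4, the WPA
# setup from section 8 with a guessable key, and a hardened replacement.
LAB_WEP = {"ssid": "TP-Link", "encryption": "WEP", "key": "pjwep",
           "admin_user": "admin", "admin_password": "admin"}
LAB_WPA = {"ssid": "TP-Link", "encryption": "WPA-PSK", "cipher": "TKIP",
           "key": "Sunshine2008!", "admin_user": "netops", "admin_password": "x"}
HARDENED = {"ssid": "home-7f3a", "encryption": "WPA2-PSK", "cipher": "AES",
            "key": "q7Vd-korridor-Mlt93-fenwick",
            "admin_user": "netops", "admin_password": "R4ndom-and-long-2"}

if __name__ == "__main__":
    for name, cfg in [("lab-wep", LAB_WEP), ("lab-wpa", LAB_WPA), ("hardened", HARDENED)]:
        print(name, audit_wlan(cfg) or "no findings")
```

The WEP finding is raised regardless of the key value, while the WPA findings depend on the passphrase and SSID, which is where a long random key and a non-default network name remove the dictionary exposure.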