Crack Password Wireless Fastweb
Uncategorized, 2020. 3. 18. 20:57

Introduction

With the popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant but necessary for home/SOHO users and IT professionals alike. This article is aimed at illustrating current security flaws in WEP/WPA/WPA2.

Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology, as well as with command-line tools.


A basic familiarity with Linux can be helpful as well.

Disclaimer: Attempting to access a network other than your own, or one you have permission to use, is illegal in some U.S. states. Speed Guide, Inc. are not to be held liable for any damages resulting from the use or misuse of the information in this article.

To successfully crack WEP/WPA, you first need to be able to set your wireless network card in 'monitor' mode to passively capture packets without being associated with a network. This mode is driver-dependent, and only a relatively small number of network cards support it under Windows.

One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards.

If your network card is not supported under Windows, one can use a free Linux Live CD to boot the system. BackTrack is probably the most commonly used distribution, since it runs from a Live CD and has aircrack-ng and a number of related security auditing tools already installed. For this article, I am using aircrack-ng on another Linux distro (Fedora Core) on a Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn network card.

If you're using the BackTrack CD, aircrack-ng is already installed; with my version of Linux it was as simple as finding and installing it with:

yum search aircrack-ng
yum install aircrack-ng

The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-PSK key cracking. The ones we will be using are:

airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data

1. Setup (airmon-ng)

As mentioned above, to capture network traffic without being associated with an access point, we need to set the wireless network card in monitor mode. To do that under Linux, in a terminal window (logged in as root), type:

iwconfig (to find all wireless network interfaces and their status)
airmon-ng start wlan0 (to set in monitor mode; you may have to substitute your own interface name for wlan0)

Note: You can use the su command to switch to a root account.

Other related Linux commands:

ifconfig (to list available network interfaces; my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a network interface; can even simulate the MAC of an associated client. The interface should be stopped before changing the address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces

2. Recon Stage (airodump-ng)

This step assumes you've already set your wireless network interface in monitor mode. It can be checked by executing the iwconfig command. The next step is finding available wireless networks and choosing your target:

airodump-ng mon0 (monitors all channels, listing available access points and associated clients within range)

It is best to select a target network with a strong signal (PWR column), more traffic (Beacons/Data columns) and associated clients (listed below all access points). Once you've selected a target, note its Channel and BSSID (MAC address). Also note any STATION associated with the same BSSID (client MAC addresses). Running airodump-ng displays all wireless access points and associated clients in range, as well as MAC addresses, signal levels and other information about them.

WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between 20k and 40k packets), while WPA-PSK needs a dictionary attack on a captured handshake between the AP and an associated client, which may or may not work.

3. Capture Data (airodump-ng)

To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a specific AP and channel.


Most importantly, you should restrict monitoring to a single channel to speed up data collection; otherwise the wireless card has to alternate between all channels.

Crack WPA or WPA2 PSK (aircrack-ng)

WPA, unlike WEP, rotates the network key on a per-packet basis, rendering the WEP method of penetration useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack on a handshake between an AP and a client. What this means is, you need to wait until a wireless client associates with the network (or disassociate an already connected client so it automatically reconnects). All that needs to be captured is the initial 'four-way handshake' association between the AP and a client. Essentially, the weakness of WPA-PSK comes down to the passphrase: a short/weak passphrase makes it vulnerable to dictionary attacks.

To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This can be obtained using the same technique as with WEP in step 3 above, using airodump-ng. You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:

aireplay-ng --deauth 3 -a MACAP -c MACClient mon0

(where MACAP is the MAC address of the AP, MACClient is the MAC address of an associated client, and mon0 is your wireless interface). The command output looks something like:

12:34:56 Waiting for beacon frame (BSSID: 00:11:22:33:44:55:66) on channel 6
12:34:56 Sending 64 directed DeAuth. STMAC: 00:11:22:33:44:55:66 [5:62 ACKs]

Note the last two numbers in brackets, 5:62 ACKs: they show the number of acknowledgements received from the client (first number) and the AP (second number). It is important to have some number greater than zero in both. If the first number is zero, that indicates that you're too far from the associated client to be able to send deauth packets to it; you may want to try adding a reflector to your antenna (even a simple manila folder with aluminum foil stapled to it works as a reflector to increase range and concentrate the signal significantly), or use a larger antenna.

A simple antenna reflector using aluminum foil stapled to a manila folder can concentrate the signal and increase range significantly. For best results, you'll have to place the antenna exactly in the middle and change direction as necessary. Of course there are better reflectors out there; a parabolic reflector would offer even higher gain, for example.

Once you have captured a four-way handshake, you also need a large/relevant dictionary file (commonly known as a wordlist) with common passphrases. See related links below for some wordlist links. You can then execute the following command in a Linux terminal window (assuming both the dictionary file and captured data file are in the same directory):

aircrack-ng -w wordlist capturefile

(where wordlist is your dictionary file, and capturefile is a .cap file with a valid handshake).

Additional Notes: Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a handshake).
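The defender's counterpart to the directed deauthentication burst described above is to notice it. The following is an added example, not code from the original article: a sliding-window counter that flags an AP/client pair receiving an abnormal number of deauthentication frames, the way a wireless IDS would, run over a constructed set of frame records.

```python
from collections import defaultdict, deque

DEAUTH = "deauth"  # label used here for the 802.11 deauthentication subtype


def find_deauth_bursts(frames, threshold=10, window=1.0):
    """Return {(bssid, client): peak_count} for every AP/client pair that
    received more than `threshold` deauthentication frames inside any
    `window`-second span.  Each frame is (ts_seconds, subtype, bssid, client).
    A deque of recent timestamps per pair implements the sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, bssid, client in sorted(frames):
        if subtype != DEAUTH:
            continue
        key = (bssid, client)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def constructed_capture():
    """Constructed sample, not a real capture: ordinary data frames, one
    legitimate deauth, then a 64-frame directed deauth burst matching the
    'Sending 64 directed DeAuth' line quoted in the article."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    frames = [(t * 0.5, "data", ap, client) for t in range(20)]
    frames.append((3.0, DEAUTH, ap, client))
    frames += [(5.0 + i * 0.01, DEAUTH, ap, client) for i in range(64)]
    return frames


if __name__ == "__main__":
    for (bssid, client), n in find_deauth_bursts(constructed_capture()).items():
        print(f"deauth burst: {n} frames from {bssid} to {client}")
```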

After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files. A good-size wordlist should be 20+ megabytes in size; cracking a strong passphrase will take hours and is CPU intensive. Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a weak/short/common/human-readable passphrase can be broken within a few minutes using an offline dictionary attack. My record time was less than a minute on an all-caps 10-character passphrase using common words, with less than 11,000 tested keys! A modern laptop can process over 10 million possible keys in less than 3 hours.

WPA hashes the network key using the wireless network's SSID as salt. This prevents the statistical key-grabbing techniques that broke WEP, and makes hash precomputation more difficult because the specific SSID needs to be added as salt for the hash.
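To make the salting concrete, here is an added example (not from the original article) that derives the WPA/WPA2-PSK Pairwise Master Key with Python's standard library and shows that one passphrase yields a different PMK on every SSID, which is why precomputed tables must be built per SSID; the check value is the IEEE 802.11i test vector.

```python
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key for WPA/WPA2-PSK:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 32-byte output (as specified in IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_differs_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase gives different PMKs on two SSIDs,
    which is why a hash table built for one SSID is useless for another."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, SSID differing by one character: a different PMK
    print(pmk_differs_by_ssid("password", "IEEE", "IEEF"))
```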

There are some tools like coWPAtty that can use precomputed hash files to speed up dictionary attacks. Those hash files can be very effective (since they're much less CPU intensive and therefore faster), but quite big in size. Hash tables have been computed for the 1000 most common SSIDs against a million common passphrases; they are 7 GB and 33 GB in size.

7. Crack using the WPS Vulnerability (Reaver)

Many devices are also vulnerable to a WPS (Wi-Fi Protected Setup) vulnerability described in the US-CERT TA12-006A Alert. WPS provides simplified mechanisms to secure wireless networks, most often using a PIN as a shared secret to authenticate clients and share the WEP/WPA/WPA2 passwords and keys. The external PIN exchange mechanism is susceptible to brute-force attacks that allow for bypassing wireless security in a relatively short time (a few hours). The only remedy is to turn off WPS, or use updated firmware that specifically addresses this issue. A free Linux open-source tool called Reaver is able to exploit the vulnerability.

To launch an attack:

1. Install Reaver.

2. Set your network adapter in monitor mode as described above, using:

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

Alternatively, you can put your network card in monitor mode using:

airmon-ng start wlan0

(this will produce an alternate adapter name for the virtual monitor-mode adapter, usually mon0).

3. Before using Reaver to initiate a brute-force attack, you may want to check which access points in the area have WPS enabled and are vulnerable to the attack. You can identify them using the 'wash' Reaver command as follows:

wash -i mon0 --ignore-fcs

4. Run Reaver (it only requires two inputs: the interface to use, and the MAC address of the target):

reaver -i mon0 -b 00:01:02:03:04:05 -vv

There are a number of other parameters that one can explore to further tweak the attack that are usually not required, such as changing the delay between PIN attempts, setting the tool to pause when the AP stops responding, responding to the AP to clear out failed attempts, etc. The above example adds '-vv' to turn on full verbose mode; you can use '-v' instead for fewer messages. Reaver has a number of other switches (check with --help); for example '-c 11' will manually set it to use only channel 11, and '--no-nacks' may help with some APs.

5. Spoof the client MAC address if needed.

In some cases you may want/need to spoof your MAC address. Reaver supports spoofing with the --mac option; however, for it to work you will have to change the MAC address of your card's physical interface (wlan0) first, before you specify the reaver option to the virtual monitor interface (usually mon0). To spoof the MAC address:

ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
ifconfig wlan0 up
airmon-ng start wlan0
reaver -i mon0 -b [target BSSID] -vv --mac=00:11:22:33:44:55

An attack using Reaver typically takes between 4 and 8 hours (provided requests are not being limited by the AP), and returns the WPS PIN and passphrase for the target network. Note that some routers may lock you out for a few minutes if they detect excessive failed PIN attempts; in such cases it may take over 24 hours.

Notes:

Some routers (including most popular Cisco/Linksys models) will NOT turn off WPS even if it is turned off via the radio button in their web admin interface.

You may be able to turn it off using third-party firmware, such as DD-WRT (which does not support WPS).

Reportedly, some models/vendors/ISPs all come configured with a default PIN. Common PINs are 12345670, 00005678, 01230000, etc. Reaver attempts known default PINs first.

Reaver compilation requires libpcap (pcap-devel) and sq3-devel (sqlite3-dev) installed, or you will get a 'pcap library not found' error.

Troubleshooting Tips

Even with the above tools properly installed, it is common to get a few errors/warnings during the attacks, usually related to timeouts, poor signal, or the interface driver not supporting monitor/injection modes. Here are some points to consider:

1. Is your adapter properly set in monitor mode?
2. Does the adapter driver support injection (is aireplay-ng working)?
3. Do you have to spoof your MAC address (if the AP limits MACs, change both the physical and the virtual monitor interface)?
4. Do you have a good signal to the AP?
5. Do you see associated clients (for handshake capture)?
6. Do you see the PIN count incrementing (Reaver cracking)?
7. Does the target AP support WPS and is it enabled (for WPS attacks, check with the 'wash' command)?

Final Thoughts

As demonstrated above, cracking WEP has become increasingly easier over the years, and what used to take hundreds of thousands of packets and days of capturing data can be accomplished today within 15 minutes with a mere 20k data frames. Simply put, cracking WEP is trivial. WPA/WPA2-PSK is holding its ground if using a strong, long key. However, weak passphrases are vulnerable to dictionary attacks. WPA/WPA2 may be on borrowed time as well, according to some.

The WPS vulnerability renders even WPA/WPA2 secured wireless networks very vulnerable. An extensive list of vulnerable devices is available online. Note that some routers (including most popular Cisco/Linksys models) will NOT turn off WPS even if it is turned off via the radio button in their web admin interface. You may be able to turn it off using third-party firmware, such as DD-WRT (which does not support WPS).

Related Links: Torrent search; wordlists.

Comment:

When using BackTrack 3 on my Sony VGN-TZ160C, which has the same network card chipset, I got the 'ERROR: Neither the sysfs interface links nor the iw command is available' when running airmon-ng start wlan0. It tells me to install iw, but I found no easy way to install it. Then again, I'm running BackTrack 3 from my USB dongle; I did not (nor do I know how to) install the image to the USB, so I believe the installation is read-only.

Is it possible to install iw, or how do I install BackTrack to the USB dongle? Thanks for pointing me in the right direction.
