Rogue access points and weak passwords are the bane of any network administrator’s life: all it takes is one user setting up a consumer-grade wireless router in the cube farm so he or she can use a PDA or whatever and you’ve got yourself a potentially serious security risk. It’s quite possible that the wireless signal is leaking out into the street, and anyone passing by could get access to your network – even if they are using WEP, WPA or WPA2 encryption.
But it’s not just rogue APs that are a worry. If you’re not using WPA-Enterprise or WPA-Enterprise (both of which use a RADIUS server) in your organization, then any wireless networks you are running using WEP, WPA or WPA2 are also at risk.
That’s where Aircrack-ng can be useful. This open source suite of applications can help you locate all the access points in your offices, check that the networks are protected by encryption, and test the strength of the keys or passphrases that are in use. If any networks uses WEP encryption, it will usually find the relevant WEP key in under a couple of minutes, demonstrating that WEP is totally ineffective.
Before you can start you’ll need to download and install Aircrack-ng. On an eeePC running Ubuntu you can do this via Synaptic. On any other device you can check you can find it at http://www.aircrack-ng.org/doku.php?id=downloads.
In order carry out attacks on wireless networks efficiently you’ll almost certainly need to patch your wireless drivers to support packet injection – patches and details of how to do this can be found at http://www.aircrack-ng.org/doku.php?id=install_drivers. At the time of writing a suitable Madwifi driver and patch for the eeePC’s built in wireless card had been released but then withdrawn, but it’s likely that an “official” one will be available very soon. Pre-patched drivers are also included with some live Linux security distributions such as BackTrack2, and can be used with many laptops and wireless cards.
Capture Packets with Monitor Mode
Once you’ve got the necessary patched drivers installed, the next step is to put the wireless card into monitor (also known as RFMON) mode so that it can capture packets without associating with any particular network.
The way to do this varies slightly from one driver to another, but for cards using Madwifi drivers the best way to do this is to become root and from a terminal session type:
airmon-ng stop ath0
(replacing ath0 with the name of the active wireless interface displayed by iwconfig)
airmon-ng start wifi0
Issuing another iwconfig command should confirm a new interface – probably ath0 – has been placed in monitor mode.
Now, to scan for access points, type:
This will show you any networks detected, the MAC addresses of the access points (BSSID), the MACs of any computers which are connected to them (STATION), and the wifi channels they are operating on. If the access point is broadcasting its name (ESSID), this will also be shown. (see Figure 1.)
Audit Wireless Access Points
If you find any rogue access points, at this point you can take steps to find their owners and make sure they are closed down. But what about your official ones? How secure are they?
Here’s how to find out.
Firstly, if they wireless networks are secured by WEP, then as mentioned above the answer is “not secure at all.” Here’s proof:
First, make a note of the channel of the WEP protected access point you want to test from the Airodump-ng window. In the case above the channel (CH) is channel 1.
Next, quit airodump-ng by doing a control-c , then restart it by typing:
airodump-ng -c X -w mycapture ath0
changing the X for the channel number of your access point. This will start capturing data which you will use to crack the WEP key, in a file called mycapture-01.cap in your home directory.
Next you’ll need to inject some traffic onto the network. To do this you can use Aircrack-ng’s packet injection tool, Aireplay-ng, to monitor the network and wait for an ARP request, and then re-inject (or replay) this ARP request over and over again. This stimulates a response from the access point, until enough packets have been collected to crack the WEP key.
How many is enough? 40,000 packets will be enough 50 per cent of the time, while 85,000 packets gives you a 95% chance of success.
To inject the ARP requests onto the network, you’ll first need to look in the Airodump-ng window and make a note of the MAC addresses of the base station and a connected client.
Then start aireplay, by typing:
aireplay-ng -3 –b 'base station MAC address' –h 'client Mac address' ath0
(The -3 in the command tells aireplay-ng to search for ARP requests and then replay them)
As soon as an ARP request is received, aireplay-ng will start injecting it back onto the network, and airodump-ng will start collecting packets in the file mycapture-01.cap. (see Figure 2.)
To crack the key, all that’s required is to start Aircrack-ng, and tell it to work on the data in mycapture-01.cap using a statistical attack known as PTW, which is activated using the –z option:
aircrack-ng –z mycapture-01.cap
Wait a minute or two, and in most cases you’ll have the WEP key to the network. If you can do that, then so can a hacker. The moral of the story is never, ever rely on WEP for any sort of network protection. (see Figure 3.)
Find Weak WPA Passphrases
But what about WPA (both the original WPA and the later WPA2)? WPA is much more secure than WEP, and there are no statistical attacks that can methodically break WPA in the way that WEP can be broken.
But there is a weakness: like any encryption system, you can always carry out a brute force attack trying every possible passphrase in turn to try to find the correct one. In practice this is not possible – it would take billions of years to try every possible passphrase. So all that is practicable it to test whether an “obvious” passphrase has been used, by trying possible passphrases from a word list. If the passphrase is “non-guessable” – ideally a long random string of upper and lower case characters and symbols – then a brute force attack using a word list will not succeed. If the brute force attack does succeed, then it’s time to change the passphrase to something more complex.
When a client authenticates with a WPA protected access point, packets of information are exchanged between the two devices. If these packets can be captured, they are a convenient point to mount the brute force attack, which Aircrack-ng can carry out very easily at a rate in the order of 500 tries per second.
The first stage then is to capture the authentication packets which are exchanged when a client signs on. You can set up Airodump-ng to listen on the appropriate channel for an association by issuing the same command as before:
airodump-ng -c X -w mycapture ath0
Since a client may sign on at the start of the day and remain connected until evening, it is often convenient to disconnect a client that is already connected, and wait for it to reconnect automatically a few seconds later. You can do this using aireplay-ng by injecting a deauth (disassociate) packet onto the network using the -0 option, followed by the number of deauth packets you want to send. To inject 8 packets, for a good chance of success, the command would be:
aireplay -0 8 –a [base station MAC] –c [client device MAC] ath0
As the client re-associates, airodump-ng will capture the handshake. (see Figure 4.)
[Note: If airodump-ng finds an access point which does not broadcast its network name (ESSID) then sending deauth packets to force a client to re-associate with allow airodump-ng to discover the hidden ESSID as the client re-associates.]
The next step is to subject the captured association packets to the brute force attack. Assuming you have a suitable list of possible passphrases in a file called passwordlist.txt in your home folder, use:
aircrack-ng -w passwordlist.txt -b [base station MAC] mycapture-01.cap
Brute force attacks take time, but since this is an offline attack Aircrack can be left to run anywhere until it finds the password or exhausts all the possibilities from the password list. It’s up to you to decide how large and complex a password file you want to use, but if you are lucky, Aircrack-ng will find a match and you’ll see a message like the one in Figure 5.
All in all, Aircrack-ng is one of the most useful open source wireless auditing tools around. This article has covered the basics, with which you can hunt for rogue access points and check any WPA (or WPA2) pre shared key protected networks to ensure that the passphrases are not easily crackable. Once you’ve mastered this then explore the software suite or read the manuals: there are many more options and applications in the suite than covered here that can also be useful for more complex auditing tasks.