This article presents Backtrack, a powerful freeware toolkit of software for web analysis that can successfully be employed by a network administrator in order to test the strength of security of its network. This article mainly concentrates on step-by-step tutorial how to control the strength of WPA (or WPA2) network key of a wireless access point.
a) What is Backtrack
Backtrack is a powerful freeware for testing of network security that contains a vast amount of tools that are useful for a network administrator. The program is available at no cost from www.backtrack.org where one may also obtain tutorials and different references to forums and courses. Backtrack has been created in order to test network security, however it can in principle also be employed for less legitimate purposes.
Backtrack allows an administrator to test if the key that he has set for a wireless access point is strong. The less time it takes for the software to brake the WPA (or WPA2) key, the weaker is the password.
- Network analysis tools of Backtrack toolkit:
Backtrack provides vast opportunities and comprises many widely used net analysis tools, for example:
- Dictionaries and brute-force tools (pentest-tools).
This links provides an overview of Backtrack (v.3) tools with a short description of each tool: http://backtrack.offensive-security.com/index.php/Tools.
b) How to make a Backtrack live-USB
In order to crate a bootable live-USB the following needs to be done:
Step 1: Download and install a freeware application UNetBootin that works under both Linux and Windows platforms- just pick the correct distribution. UNetBootin is available at http://unetbootin.sourceforge.net/.
Step 2: Use a USB flash drive that has enough capacity. In case of Backtrack v.3 a capacity of 1GB will satisfy the needs. From the image below one can see that this version of Backtrack only takes 636MB of space. Before running UNetBootin format the USB-drive (quickformat FAT).
Step 3: After running UNetBootin:
- choose Backtrack from the drop down list of distributions;
- choose a version of Backtrack, for example version 3;
- choose a device for Backup storage. In present example we need to choose USB-drive D;
- Backtrack download and installation commences. After that the live-USB is ready for use.
c) Using BackTrack to test the strength of your WPA or WPA2 key:
1. Running BackTrack from live-USB
In order to boot into BackTrack from the live-USB changes needed to be done to BIOS booting order or booting preferences so that the computer will first boot from an external USB device.
BIOS configuration varies from one manufacturer model of computer to the other, therefore this articles shall not expressly cover BIOS configurations. The following link provides an overview of keyboard key combinations that are used to enter BIOS menu on different computers: http://michaelstevenstech.com/bios_manufacturer.htm.
If according to BIOS boot order an external (USB) device is the first booting medium and provided the live-USB is connected to computer, upon startup the computer will boot into BackTrack and the following screen will appear:
Next you will see BackTrack loading:
2. Setting NIC to use modprobe function (in cases of Intel NIC)
Before one can start capture of network packets, the network interface card (hereinafter NIC) shall be set into modprobe mode which means that:
- NIC is capable to listen to traffic (is in monitor-mode)
- NIC is capable to inject packets into network flow (works with injection function)
In normal case both of those functions are enabled with the command airmon-ng start <NIC_name> (to find NIC name just enter command airmon-ng).
However the described “normal case” is rare in case of laptops because for some reason Intel NIC-s (such as wl3945 and iwl4965)) tend to have problems with getting into monitor-mode. Command kismet -c iwl3945,wlan0,Wifi –X will put such NIC into monitor-mode but the injection function will fail or will not work properly (a problem of channel-hopping can arise).
Modprobe function will help get this kind of problematic NIC into both monitor and injection mode.
Step 1: Discover the model of your NIC by entering airmon-ng command. The illustrative image shows that we have a computer with Intel iwl3945 NIC with a wifi interface of wlan0.
Step 2: Switch the NIC into ipwraw-mode with monprobe as shown on the illustrative image. You will need to know the name of the NIC. You already know the NIC name from the step 1 above. Those commands make the NIC work in raw-mode to capture and forward raw traffic.
Command iwconfig lets you control if the NIC is now set for monitor mode. You should also verify what channel the NIC is using.
3. Setting computer NIC to a certain channel
For the packet capturing and injection test to be successful you need to ensure that the NIC captures traffic on the same channel that is used by the wireless access point (the WPA key strength of which is being tested).
Kismet is an excellent tool to get an overview of the access point within the range and discover to what channel a particular access point is set. Kismet also lets you discover access points that are using WEP-encryption. It is widely known that WEP cracking takes seconds and is easy due to the fact that the complexness and length of the key does not impact much the time of a WEP key crack. Here is more information on WEP crack test: http://www.aircrack-ng.org/doku.php?id=simple_wep_crack.
To sort access points by WEP filer, press S key once you enter into Kismet. Then press w and all those access points that use WEP encryption will have a mark of Yes (Y) in the column titled “W”. See the example in the image below.
The command kismet –c <NIC>wifi0,kismet or in case of an Intel card set into modprobe function the command kismet –c <NIC>wlan0,Wifi shall be used to get an overview of the wireless access points in range
Illustrating image reveals that in the present example the test access point is set to channel 6.
Once we know the channel of the access point we need to set the NIC for the same channel. For that end the command airmon-ng <NIC> start wifi0 <channel no> is employed.
4. Performing computer NIC injection test
Injection test is necessary in order to verify the NIC of your computer is able to inject packets into traffic. The command to use is aireplay-ng. In the example below the attribute -9 means injection test, the attribute -e means the SSID or the name of the network of the access point and the attribute -a stands for BSSID or the physical address of the access point.
The illustrative image below reveals that the NIC of the computer is capable of injection and hence is in injection mode.
5. WPA or WPA2 crack: usage of pentest-tools, aircrack, airodump and aireplay
WPA or WPA2 crack entails two actions: catching the handshake (this means packets that the access point and the client computer exchange in order to identify each other) and analysis of its hash with the comparison of the hash of different password combinations. Once the combination’s hash is identical to the hash of the handshake, the WPA or WPA2 key is cracked.
Step 1: Catching the handshake
Now that the NIC of the computer is in monitoring mode (see point 2 of this article above) and set to the same channel as the wireless access point (see point 3 of this article above), one is ready to start catching the handshake.
You will need to employ the command airodump-ng whereby the attribute –c stands for channel to listen to, attribute --bssid for the BSSID of the access point and attribute –w stands for the file where the captured handshake will be stored. Last parameter is the interface of the NIC that listens to traffic.
After the above command is entered this screen appears:
In order to provoke handshake generation, a real client (computer) that connects to the wireless access point is needed. As this is not likely to happen, you will need to make an existing client to re-authenticate to the access point.
This is done by sending a DeAutchenticate packet to the wireless access point. The appropriate command is aireplay-ng. Attribute -0 stands for sending a DeAuthenticate packet, followed by the number of times to do so. Attribute –a stands for the physical address of the wireless access point. Last parameter is the interface of the NIC that listens to traffic.
If there are several real clients already acceded to the wireless access point, you can modify the above command so that you send a broadcast packet to all of those clients.
As a result of sending the DeAutchenticate packets one or several clients have re-authenticated to the wireless access point. This has enabled the NIC to catch the handshake as you can see from the image below.
Step 2: Crack the WPA or WPA2 key
There are several methods for WPA/WPA2 key crack. The present article presents 3 methods: dictionary attack, brute-force attack and a combination method with crunch-tool that unites both of the former methods.
- Dictionary attack
Dictionary attack is a rapid method to crack the key but it only works as long as the word that appears in password has an exact match in the dictionary that one uses.
BackTrack has two basic dictionaries that partially coincide. The smaller dictionary can be found at /pentest/wireless/airckrack-ng/test/password.lst and the bigger one is located at /pentest/wireless /cowpatty/dict.
You can either compare and merge the non-coinciding words of the both dictionaries to create one big dictionary. Alternatively, you can create your own wordlist or import it. As a rule you should use a dictionary that is appropriate to the geographic location of the wireless access point as people tend to derive passwords from their native language.
Then a command aircrack-ng is used to feed in the words of the dictionary. Attribute –w stands for the file (and correct path) of the dictionary and -b marks the BSSID. Last one marks the name of previously captured handshake. You can see from the illustrative image above how this command is used.
The screen below reveals the fact that the dictionary did not contain the words matching the password.
- Brute-force attack
Brute force can crack any password but the downside is that this may take literally a dozen of years and presupposes a high capability of CPU. This means that this method may not be the most efficient one.
To use brute-force one need to employ john the ripper that you will find in “pentest” folder of BackTrack. This powerful tool is started with a command john. In the following example the attribute --stdout=8 signals that the length of the password is 8 characters and the attribute --incremental:alpha means that the password that we search only contains small letters (no capital letters, no numbers, no special characters).
Output of john shall be fed as input to aircrack.
The screen shows the process of comparison and analysis of hashes.
- Crunch-tool and combination method
This method takes the good that the both the previous methods have and leaves put their drawbacks: it is fast and it lets you control the volume of the dictionary by adding new elements step by step.
Crunch tool lets you build a flexible combination of letters (or/and numbers or/and special characters).
The following illustrative image reveals a crunch wordlist that generates all possible word combinations with only two letters “a” and “b” that shall form a word that is exactly 8 letters long (from 8 to 8 letters). All possible combinations are save in dictionary (sonastik.txt) and band fed as input to aircrack-ng.
If such a simple combination does not give a result, one can complicate the word step by step, adding one character after another and prolonging the combination of length.
Crunch also lets you break a dictionary into parts that makes the work faster and lessens the CPU capacity requirements.
The following image reveals that crunch succeeded to break the 8-character password "abababab". It took around 15 seconds.
d) Sources used in research for this article: