Understanding How ARP Works
The Address Resolution Protocol (ARP) offers the ability to translate any IP address that is routable on your local subnet (i.e., you can send data to it) into the MAC address that the host is using to communicate on the subnet. In other words, it allows a host to ask “What MAC address has IP w.x.y.z ?”
Examining ARP Packet Structure
Using our knowledge of protocol analyzers, we examine the structure of an ARP packet. Open Wireshark (ex Ethereal) and begin a pcap (Capture>Options>Capture Filter : arp > Start).
- If you’re using Windows/*nix, open a command-line prompt and issue the command arp –d (This will allow you to manually delete the entries in your ARP cache and then force your system to ARP the local gateway to resolve the IP address needed to forward the ping to www.yahoo.com)
- Now issue ping www.yahoo.com.
- First, there is the ARP request, which is sent to a broadcast address and then
- the ARP reply. This reply is sent back the initial requestor as a Unicast.
- The first 2 bytes of the ARP data within the Ethernet frame (at offset 0) identify the Hardware Type (in our example our hardware is Ethernet---represented by 0x0001 code confirmed also from wireshark see in Wireshark's "Address Resolution Protocol" section).
- The next 2 bytes(at offset 16 in frame) denote the Protocol Type (In this case, we see it's IP ptrotocol---denoted by 0x0800 code) address ARP is attempting to resolve.
- The next 2 bytes(at offset 32 in frame) denote the lengths of a hardware address (6 bytes/octets=48bits for MAC) and of a protocol address (4 bytes for IP), respectively.
- Next is the Operation byte. This field regard ARP protocol is 0x01 for an ARP lookup request, and 0x02 for an ARP lookup reply. In this case, we are looking at an ARP request packet(see Wireshark output).
- Following the operation byte, we have 6 bytes (48 bits) denoting the Sending Hardware Address (SAP) (the sender’s MAC address. In our example my gateway router).
- Following this, we have 4 bytes (32 bits) the Sending Protocol Address (the sender’s IP address).
- Next is the meat of our request Target MAC: 6 bytes all set to 0, indicating that we want to know what MAC address(in our case my PC's MAC address) belongs to the following 4 bytes . Those final 4 bytes (Target IP) of the ARP packet indicate the IP address that we want to resolve to a MAC. The ARP reply is shown below in Figure ARP_Reply_Packet
Note in the reply that the target hardware and protocol addresses and the sender hardware and protocol addresses have traded positions in the analogous packet structure. Also note:
- Opcode now is 0x0002 (in fact 2 is the code for a reply packet) and that
- the formerly null value for the target hardware address (my PC) has been replaced with the requested MAC address ("Sender MAC address" in Wireshark's output).
NOTE---There are other useful commands for maintaining your ARP cache.
- By using the command arp –s , you can permanently add an entry to the ARP cache.
- Add the string pub to the end of the command and your system will act as an ARP server, answering ARP requests even for IPs that aren’t yours.
- Finally, to view the full contents of your ARP cache, execute arp –a.harrykar@harrykar-desktop:~$ arp Address HWtype HWaddress Flags Mask Iface 192.168.1.1 ether 00:22:33:64:2e:94 C eth0 harrykar@harrykar-desktop:~$ arp -a ? (192.168.1.1) at 00:22:33:64:2e:94 [ether] on eth0
When ARP replies are received, they are added to the local host’s ARP cache. On most systems, ARP cache entries:
- will time-out within a relatively short period of time (2 minutes on a Windows host) if no data is received from that host.
- Additionally, regardless of how much data is received, all entries will time-out after approximately 10 minutes on a Windows host.
Attacking the Data Link Layer
We can begin to examine the methods used by attackers to mount attacks using weaknesses in the protocols.
Passive versus Active Sniffing
The basis for a large number of network-based attacks is passive sniffing. Normally, network cards will process packets that are sent to a MAC address or broadcast; however, in a hubbed network, there are many more packets than just those addressed to the system that reach the network card. Passive sniffing involves using a sniffer (e.g., as Wireshark or tcpdump) to monitor these incoming packets.
Passive sniffing relies on a feature of network cards called promiscuous mode. When placed in promiscuous mode, a network card will pass all packets on to the operating system, rather than just those Unicast or broadcast to the host. Passive sniffing worked well during the days that hubs were used.The problem is that there are few of these devices left. Most modern networks use switches. That is where active sniffing comes in.
Active sniffing relies on injecting packets into the network that causes traffic that should not be sent to your system. Active sniffing is required to bypass the segmentation that switches provide. Switches maintain their own ARP cache in a special type of memory known as Content Addressable Memory (CAM), keeping track of which hosts are connected to which switch port.
The terms active and passive sniffing have also been used to describe wireless network sniffing. They have analogous meanings. Passive wireless sniffing involves sending no packets, and monitoring the packets sent by others. Active sniffing involves sending out multiple network probes to identify APs.
In both cases (wired and wireless), passive sniffing offers considerable stealth advantages over active sniffing.
ARP poisoning is the primary means of performing active sniffing on switched Ethernet.
ARP poisoning involves convincing a host that the IP of another host on the network actually belongs to you, as illustrated in Figure ARP_Poisoning
Another important factor is selecting what IP address you want to redirect to your system to. By spoofing the default gateway’s IP address, all hosts on your subnet will route their transmissions through your system. This method, however, is not very stealthy; you have to poison the ARP cache of every host on your subnet. On the other end of the spectrum, you have the option to poison the ARP cache of a single host on your network. This can be useful if you are attempting to perform a targeted attack and require as much stealth as possible.
When attempting to maintain stealth, be certain not to spoof the IP of another client machine on your subnet. Both Linux and Windows client machines will pop up messages notifying any logged-in user that another host is attempting to use their IP. To conduct the attack at the most rudimentary level, we can add a static entry to the ARP table for another host’s IP:
application with the ability to poison A more advanced method is to use an application with the ability to poison the ARP cache. Cain and Abel (for Windows), will automatically detect the IP address of the gateway and begin poisoning all hosts on the subnet with a single click. Running Cain and Abel, you have the choice of either using the default configuration by clicking the radioactive symbol (third icon in the toolbar beneath the menu), or configure it by clicking the network card icon (second icon in the toolbar beneath the menu). If we click on the network card icon and go to the “ARP Poisoned Routing” tab, you will see the options shown in Figure Cain_Abel.
The options of interest when spoofing ARP entries to route traffic through ourselves are the Pre-Poisoning and Poisoning options. Pre-poisoning and using ARP request packets increase your chances of successfully poisoning ARP caches.
Another effective ARP poisoner is WinArpAttacker, WinArpAttacker functions slightly better than Cain and Abel at sniffing LAN traffic. Upon running WinArpAttacker, select the Scan option and scan the local LAN, and select the attack option and choose to SniffLan.
You will see the packet counts increase as WinArpAttacker routes packets from the hosts through your machine, as seen in Figure WinArpAttacker
ARP flooding is another ARP Cache Poisoning technique aimed at network switches. While not effective on all switches, some will drop into a hub-like mode when the CAM table is flooded. This occurs because the switch is too busy to enforce its port security features and broadcasts all network traffic to every computer in the network. This technique is particularly useful in MITM attacks, where the goal is to impersonate one of the hosts in a connection.
In WinArpAttacker, conducting an ARP flood is as simple as clicking the checkboxes next to the host you wish to flood, clicking on the attack icon in the toolbar, and selecting the Flood option.
One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor. This may be possible by sending a fake route advertisement message via the RIP, declaring yourself as the default gateway. If successful, all traffic will be routed through your host. Make sure that you have enabled IP forwarding, and that your default gateway is set to the authorized network gateway. All outbound traffic from the host will pass through your host and onto the real network gateway. You may not receive return traffic unless you also have the ability to modify the routing table on the default gateway to reroute all return traffic back to you.
All this talk of wired network insecurities may have you thinking that wireless offers more security. Let’s explore that issue by looking at wireless networking technologies.
Recently, unsecured wireless APs have become a hot issue with legislative bodies. In particular, California is considering requiring that all APs ship with a notice that communications are not secured until the router is configured with a password. Wardrivers who drive around with network cards in promiscuous mode, will identify and occasionally explore unsecured networks within their hunting grounds. We will now examine a pair of tools for identifying and sniffing wireless networks.
Netstumbler (on Windows), is one of the most basic tools for identifying wireless networks within range. Netstumbler moves through each wireless channel and identifies any networks that are advertising themselves, or any networks that a host is currently connected to. Upon loading, Netstumbler will select a suitable wireless device and begin scanning.
Once networks are identified, Netstumbler displays them in the right-hand pane. The
dots next to the network name are color-coded according to the signal strength, and contain a lock if the connection is encrypted. By expanding the channels option in the left-hand pane, the channel number, and selecting a Service Set Identifier (SSID), you can see usage statistics.
Wireless SSIDs function similarly to MAC addresses, and like MAC addresses can be
changed. Research has been done to identify wireless cards based on slight differences between devices that introduce variability into the properties of the signals transmitted by the cards. While a successful implementation of this would fully eliminate wireless spoofing, we are still several years away from seeing any technology based on this on the market.
If a de-facto standard for wireless sniffing exists, that standard is Kismet. One of the earliest wireless sniffing packages, and certainly the most popular, Kismet offers a wide variety of features to aid Wardrivers. Kismet is available for Windows users, and for Linux users.
The kiswin package requires setting up a kismet drone on a Linksys wrt54gFeatures
wireless router. This is a significant time investment if you just plan to play with Kismet. A Linux live CD may be an easier alternative to test Kismet’s functionality.
- 802.11b, 802.11g, 802.11a, 802.11n sniffing
- Standard PCAP file logging (Wireshark, Tcpdump, etc)
- Client/Server modular architecture
- Multi-card and channel hopping support
- Runtime WEP decoding
- Tun/Tap virtual network interface drivers for realtime export of packets
- Hidden SSID decloaking
- Distributed remote sniffing with Kismet drones
- XML logging for integration with other tools
- Linux, OSX, Windows, and BSD support (devices and drivers permitting)
One of the most infamous wireless attacks revolves around the initial protocol for secure communications across wireless media. WEP is a protocol based on the RC4 cipher. RC4 is a stream cipher, a form of encryption that has championed such pinnacles of security as the secret decoder ring.
Note, though, that stream ciphers are not inherently weak, and are commonly employed by the military for use in highly sensitive operations!When vendors were implementing the WEP protocol, they made a mistake. The RC4 cipher is very secure in and of itself. Unfortunately, with cryptography, implementation is everything. The design of WEP permitted a piece of information called initialization vector to be re-used. This had dire consequences for the security of the algorithm. To draw a loose analogy, imagine that WEP is the cryptoquip substitution cipher that is syndicated in many newspapers. Every time a wireless packet is transmitted, you get a letter or two of the puzzle. Easy enough, right? Except that the letters in the first packet are encrypted in a different way from those in the second; the first are from Monday’s cryptoquip, and the second’s from Tuesday. For every 5,000 packets, you get a letter or two of the puzzle that’s encrypted the same way as some of your previous letters. With every 5,000 packets, you can build a bit more and a bit more of Monday’s puzzle until you have enough to solve it.
Wireless vulnerabilities are also a hot research topic at the moment, particularly with the expansion of wireless hotspots into urban areas. Wireless vulnerabilities can be categorized into roughly four groups:
- passive attacks
- jamming attacks
- active attacks
- MITM attacks
Conducting Active Wireless Attacks
Active wireless attacks encompass spoofing and denial of service (DoS) attacks. Between them, spoofing attacks are by far the most common. Many wireless APs maintain filtered lists of MAC addresses permitted to connect to them. Through the use of tools like Netstumbler, however, one can easily identify the MAC address used by a valid workstation and modify one’s MAC to match it through the Advanced tab of the network card’s properties(on Windows), as seen in Figure change_MAC.
DoS attacks against wireless APs still hold only nuisance value. By sending multiple control packets to a wireless network, you can degrade performance. You also have to stay in range of the AP to conduct the DoS, greatly increasing the chances of being discovered.
Similar to DoS attacks, jamming attacks rely on using radio frequencies to interfere
with wireless transmissions. Much like military signal jamming, a device can be used to “spam” the appropriate radio frequencies with a signal much stronger than any of the wireless clients. This will effectively perform a DoS attack on the wireless network.
MITM attacks are the most interesting version of attacking a wireless network. They are especially prevalent with the expansion of wireless hotspots. By setting your wireless card up in an identical configuration as an existing hotspot (including spoofed SSID), a client is unable to distinguish the legitimate AP from your spoofed AP without running additional authentication protocols on top of the wireless media.
Defending the Data Link Layer
The Data Link layer offers a number of options for identifying and detecting various types of attacks against the shared media.
Invariably, attackers have the advantage. Through the use of the following techniques, exploits at the Data Link layer can be significantly discouraged, possibly motivating attackers to move on and select an easier target.
Securing Your Network from Sniffers
You might be considering unplugging the network completely so that sniffers like Wireshark, or other more nefarious applications, cannot be used on your network. Hold on to those wire cutters, there are other, more function-friendly ways to help secure your network from the determined eavesdropper.
Fortunately, for the state of network security, encryption is the one silver bullet that will render a packet sniffer useless. The use of encryption, assuming its mechanism is valid, will thwart any attacker attempting to passively monitor your network. Many existing network protocols now have counterparts that rely on strong encryption, and all-encompassing mechanisms such as IPSec and OpenVPN provide this for all protocols. Unfortunately, IPSec is not widely used on the Internet outside of large enterprise companies.
Secure Shell (SSH) is a cryptographically secure replacement for the standard UNIX Telnet, Remote Login (rlogin), Remote Shell (RSH), and Remote Copy Protocol (RCP) commands.
It consists of both a client and a server that use public key cryptography to provide session encryptionIt also provides the ability to forward arbitrary TCP ports over an encrypted connection, which comes in handy for the forwarding of X11 Windows and other connections. SSH has received wide acceptance as the secure mechanism to access a remote system interactively. SSH was conceived and developed by Finnish developer,Tatu Ylönen. The original version of SSH turned into a commercial venture, and although the original version is still freely available, the license has become more restrictive. A public
specification has been created, resulting in the development of a number of different versions of SSH-compliant client and server software that do not contain these restrictions (most significantly, those that restrict commercial use).
- A free version of SSH-compatible software, OpenSSH, developed by the OpenBSDoperating system project,.The new commercialized SSH can be purchased from SSH Communications Security, who have made the commercial version free to recognized universities.
- Mac OS X already contains OpenSSH software.
- For Windows (now for Linux too), a free alternative for the commercial SSH software is PuTTY.
Secure Sockets Layer
Secure Sockets Layer (SSL) provides authentication and encryption services, or can be used as a VPN.
From a sniffing perspective, SSL can be vulnerable to a man-in-the-middle attack. An attacker can set up a transparent proxy between you and the Web server. This transparent proxy can be configured to decrypt the SSL connection, sniff it, and then re-encrypt it. When this happens, the user will be prompted with a dialog box indicating that the SSL certificate was not issued by a trusted authority. The problem is, most users ignore the warnings and proceed anyway.
Pretty Good Protection(Privacy) and Secure/Multipurpose Internet Mail Extensions
Pretty Good Protection (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) are standards for encrypting e-mail. If used correctly, these will prevent e-mail sniffers like dsniff and Carnivore from being able to interpret intercepted e-mail. The sender and receiver must both use the software in order to encrypt and decrypt the communication.
In the United States, the FBI has designed a Trojan horse called Magic Lantern that is designed to log keystrokes, hopefully capturing a user’s passphrase. Once the FBI gets a passphrase, they can decrypt the e-mail messages.
In the United Kingdom, users are required by law to give their encryption keys to law enforcement when requested.
Network switches make it more difficult for an attacker to monitor your network. Technologies like Dynamic ARP Inspection (DAI) can be used to inspect ARP packets in a network and ensure they are valid. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address. This can significantly reduce the capability of an attacker to launch a successful Data Link layer attack.
Rate Limiting of ARP packets is another technique that can be used to prevent ARP attacks. If a high number of MAC addresses are transmitted quickly, or illegal ARP pairings are noted, the port is placed in the locked state and remains so until an administrator intervenes.
Employing Detection Techniques
Are there other ways to detect malicious Data Link layer activity?
Yes, one method is to look for NIC cards that are running in promiscuous mode.
Many Operating Systems(Os) provide a mechanism to determine whether a network interface is running in promiscuous mode. This is usually represented in a type of status flag that is associated with each network interface and maintained in the kernel. This can be obtained by using the ifconfig command on UNIX-based systems. The following examples show an interface on the Linux operating system
- when it isn’t in promiscuous mode:
harrykar@harrykar-desktop:~$ ifconfig -v eth0 eth0 Link encap:Ethernet HWaddr 00:1e:2a:bd:1e:9a inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::21e:2aff:febd:1e9a/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:936138 errors:0 dropped:0 overruns:0 frame:0 TX packets:793409 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1188782130 (1.1 GB) TX bytes:77931947 (77.9 MB) Interrupt:10 Base address:0xa000
Note that the attributes of this interface mention nothing about promiscuous mode.
- When the interface is placed into promiscuous mode, as shown next, the PROMISC keyword appears in the attributes section:
harrykar@harrykar-desktop:~$ ifconfig -v eth0 eth0 Link encap:Ethernet HWaddr 00:1e:2a:bd:1e:9a inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::21e:2aff:febd:1e9a/64 Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:936138 errors:0 dropped:0 overruns:0 frame:0 TX packets:793409 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1188782130 (1.1 GB) TX bytes:77931947 (77.9 MB) Interrupt:10 Base address:0xa000
It is important to note that if an attacker has compromised the security of the host on which you run this command, he or she can easily affect this output. An important part of an attacker’s toolkit is a replacement ifconfig command that does not report interfaces in promiscuous mode.
There are a number of techniques, varying in their degree of accuracy, to detect whether a host is monitoring the network for all traffic. There is no guaranteed method to detect the presence of a network sniffer.
Most programs that are written to monitor the network perform reverse DNS lookups when they produce output consisting of the source and destination hosts involved in a network connection. In the process of performing this lookup, additional network traffic is generated; mainly, the DNS query to look up the network address.
- It is possible to monitor the network for hosts that are performing a large number of address lookups alone; however, this may be coincidental, and not lead to a sniffing host.
- An easier way, which would result in 100 percent accuracy, would be to generate a false network connection from an address that has no business being on the local network. You would then monitor the network for DNS queries that attempt to resolve the faked address, giving away the sniffing host.
A second technique that can be used to detect a host that is monitoring the network is to detect latency variations in the host’s response to network traffic (i.e., ping). Although this technique can be prone to a number of error conditions (e.g., the host’s latency being affected by normal operation), it can assist in determining whether a host is monitoring the network. The method that can be used is to probe the host initially, and then sample the response times.
Next, a large amount of network traffic is generated, specifically crafted to interest a host that is monitoring the network for authentication information. Finally, the latency of the host is sampled again to determine whether it has changed significantly.
Sometimes an operating system driver bug can assist in determining whether a host is running in promiscuous mode. In one case, CORE-SDI, an Argentine security research company, discovered a bug in a common Linux Ethernet driver. They found that when the host was running in promiscuous mode, the operating system failed to perform Ethernet address checks to ensure that the packet was targeted toward one of its interfaces. Instead, this validation was performed at the IP level, and the packet was accepted as if it was destined to one of the host’s interfaces. Normally, packets that did not correspond to the host’s Ethernet address would have been dropped at the hardware level; however, in promiscuous mode, this doesn’t happen. You can determine whether the host was in promiscuous mode by sending an Internet Control Message Protocol (ICMP) ping packet to the host, with a valid IP address of the host and an invalid Ethernet address. If the host responded to this ping request, it was determined to be running in promiscuous mode.
Network Monitor (NetMon), available on Windows NT-based systems, has the capability to monitor who is actively running NetMon on your network. It also maintains a history of who has NetMon installed on their system. It only detects other copies of Network Monitor, so if the attacker is using another sniffer, you must detect it using one of the previous methods discussed. Most network-based IDSes will also detect these instances of NetMon.
Another method of detecting unauthorized use of promiscuous network cards is to effectively bait anyone that would be watching for confidential information. For example, a cleartext Telnet password could be used intermittently to log in to a (fake) Telnet service on sensitive hosts. Any off-schedule accesses to this server would not be legitimate, and would indicate that someone is monitoring traffic.
Taking the concept a step further, one could configure an IDS such as Snort to alert on any network traffic utilizing the honeytoken. Provided the honeytoken is sufficiently unique, false-positives will be minimal. One downside to honeytokens is that they do not provide any indication of where the promiscuous device is; they only tell you that there is one. Additionally, there is no guarantee that promiscuous mode was employed. An attacker may have simply compromised one of the machines involved in the transmission of the honeytoken.
Data Link Layer Security Project
How you can use this knowledge to perform security testing on your own network.
Using the Auditor Security Collection to Crack WEP
The Auditor Security Collection is a fully functional, bootable CD-based operating system that provides a suite of wireless network discovery and encryption cracking tools. To complete the security projects discussed in this chapter you will need to download a copy of Auditor and burn it to a CD. The bootable toolkit is available here.
In order to attack your target network, you must first locate it. Auditor provides two
tools for Wireless Local Area Network (WLAN) discovery:
Once you have determined the type of encryption that is in place, there are several different tools that provide the ability to crack different encryption mechanisms.
- Void11 is used to de-authenticate clients from the target network
- The Aircrack suite (i.e., Airodump, Aireplay, and Aircrack) allows you to capture traffic, reinject traffic, and crack WEP keys
- CoWPAtty performs offline dictionary attacks against WiFi Protected Access-Pre-SharedKey (WPA-PSK) networks.
Cracking WEP with the Aircrack Suite
The Aircrack Suite of tools provides all of the functionality necessary to successfully crack WEP, and consists of three tools:
- Airodump Used to capture packets
- Aireplay Used to perform injection attacks
- Aircrack Used to actually crack the WEP key
WEP cracker | Aircrack suite and select the tool you want to use. The first thing you need to do is capture and reinject an ARP packet with Aireplay. The following commands configure the card correctly to capture an ARP packet:
NOTE---These commands are for a Prism2-based WLAN card. If you aren’t using a Prism2-based card you will need to make sure that your card can be used with the wlan-ng drivers and determine the correct identifier for your card (eth0, eth1, and so forth).
switch-to-wlanng cardctl eject cardctl insert monitor.wlan wlan0 CHANNEL_NUMBER cd /ramdisk aireplay -i wlan0 -b MAC_ADDRESS_OF_AP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff
- First, tell Auditor to use the wlan-ng driver. The switch-to-wlanng command is an Auditor specific command to accomplish this.
- Then the card must be “ejected” and “inserted” in order for the new driver to load. The cardctl command, coupled with the eject and insert switches, accomplish this.
- Next, the monitor.wlan command puts the wireless card (wlan0) into Radio Frequency Monitoring (rfmon), listening on the specific channel indicated by CHANNEL_NUMBER.
- Finally, start Aireplay. Once Aireplay has collected what it thinks is an ARP packet, you are given information and asked to decide if this is an acceptable packet for injection. In order to use the packet, certain criteria must be met:
■ ToDS must be 1
■ The BSSID must be the MAC address of the target AP
■ The source MAC must be the MAC address of the target computer
■ The destination MAC must be FF:FF:FF:FF:FF:FF
You are prompted to use this packet. If it does not meet these criteria, type n. If it does meet the criteria, type y and the injection attack will begin. Aircrack, the program that performs the actual WEP cracking, takes input in pcap format. Airodump is an excellent choice, because it is included in the Aircrack Suite; however,
any packet analyzer capable of writing in pcap format (e.g., Wiresharkl, Kismet, and so forth) will work. You must configure your card to use Airodump.
switch-to-wlanng cardctl eject cardctl insert monitor.wlan wlan0 CHANNEL_NUMBER cd /ramdisk airodump wlan0 FILE_TO_WRITE_DUMP_TO
Airodump’s display shows the number of packets and Initialization Vectors (IVs) that have been collected.
Once some IVs have been collected, Aircrack can be run while Airodump is capturing. To use Aircrack, issue the following commands:
aircrack -f FUDGE_FACTOR -m TARGET_MAC -n WEP_STRENGTH -q 3 CAPTURE_FILE
Aircrack gathers the unique IVs from the capture file and attempts to crack the key. The FUDGE_FACTOR can be changed to increase the likelihood and speed of the crack. The default FUDGE_FACTOR is 2, but it can be adjusted between 1 and 4. A higher FUDGE_FACTOR cracks the key faster, but more “guesses” are made by the program, so the results aren’t as reliable. Conversely, a lower FUDGE_FACTOR may take longer, but the results are more reliable. The WEP strength should be set to 64, 128, 256, or 512 bits, depending on the WEP strength used by the target AP. A good rule is that it takes around 500,000 unique IVs to crack the WEP key. This number will vary, and can range from as low as 100,000 to more than 500,000.
Cracking WPA with CoWPAtty
CoWPAtty, developed by Joshua Wright, is a tool that automates offline dictionary attacks that WPA-PSK networks are vulnerable to. CoWPAtty is included on the Auditor CD, and is easy to use. Just as with WEP cracking, an ARP packet needs to be captured. Unlike WEP, you don’t need to capture a large amount of traffic; you only need to capture one complete four-way Extensible Authentication Protocol Over Local Area Network (EAPOL) handshake and have a dictionary file that includes the WPA-PSK passphrase. Once you have captured the four-way EAPOL handshake, right-click on the desktop and select Auditor |Wireless | WPA cracker | Cowpatty (WPA PSK bruteforcer). This opens a terminal window with the CoWPAtty options.
Using CoWPAtty is fairly straightforward. You must provide the path to your wordlist,
the .dump file where you captured the EAPOL the handshake, and the SSID of the target network.
cowpatty –f WORDLIST –r DUMPFILE –s SSID