    Password Cracking on WiFi | 221
    Weak Initialization Vectors
    Encryption mechanisms, like those used by WEP and WPA, can use something called an initialization vector. This is a random numerical value, sometimes called a nonce, that is used to help create the encryption key. If the initialization vector algorithm is weak, it can lead to predictable values. This can essentially leak the passphrase used by the wireless network.
    Because the program is doing a statistical analysis, it requires many packets to increase the chance of getting the passphrase right. This is, after all, a statistical analysis, and the more data you have, the more you can compare. Think of it as a frequency analysis when you are trying to decode an encrypted message. A small collection may yield an even distribution across all or most letters, which doesn't help us at all. As a result, the more data we can collect, the better chance we have of being able to determine one-to-one mappings, because everything starts to display a normal frequency distribution. The same goes for coin flips. You could flip five heads in a row, for example, or four heads and a tail. Based on the probability of each event, we expect an equal number of heads and tails, but it may take a large number of flips to get close to 50%.
    Frequency Analysis
    A frequency analysis is a count of the number of times characters show up in text. This is sometimes used when trying to crack ciphertext, because a frequency analysis of ciphertext will reveal letters that are used regularly. This allows us to compare that to a table of letters most commonly used in the language the message is written in. This can start to break down some of the ciphertext back to plain text, or at least provide some good guesses as to which ciphertext letters correspond with which plain-text letters.
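    The frequency analysis described above, as an added Python example that is not from the book: it counts the letters in a constructed ciphertext (a toy Caesar shift, chosen because the point here is about counts, not any real WiFi cipher), then compares those counts against a standard English letter-frequency table to recover the shift. The sample text, the shift of 7, and the chi-squared scoring are assumptions made for the demo.

```python
from collections import Counter
import string

# Approximate relative frequency (%) of each letter in English text; standard
# published values, used as the reference table the page describes.
ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.77, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.095, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 0.98, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.074,
}

def letter_counts(text):
    """Count how often each A-Z letter appears: the frequency analysis itself."""
    return Counter(c for c in text.upper() if c in string.ascii_uppercase)

def caesar(text, shift):
    """Toy substitution cipher (constructed for the demo): rotate A-Z by `shift`."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord('A') if c.isupper() else ord('a')
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return ''.join(out)

def chi_squared(counts, shift):
    """Distance between the observed counts (undone by `shift`) and English."""
    total = sum(counts.values()) or 1
    score = 0.0
    for letter, expected_pct in ENGLISH_FREQ.items():
        cipher_letter = chr((ord(letter) - 65 + shift) % 26 + 65)
        expected = expected_pct / 100 * total
        observed = counts.get(cipher_letter, 0)
        score += (observed - expected) ** 2 / expected
    return score

def guess_shift(ciphertext):
    """Pick the shift whose undone distribution best matches the English table."""
    counts = letter_counts(ciphertext)
    return min(range(26), key=lambda s: chi_squared(counts, s))

# Constructed sample: a plaintext long enough for the letter counts to settle.
PLAINTEXT = ("Frequency analysis works because the more text you collect the "
             "closer the letter counts get to the distribution of the language")
CIPHERTEXT = caesar(PLAINTEXT, 7)

if __name__ == "__main__":
    print("most common ciphertext letters:", letter_counts(CIPHERTEXT).most_common(3))
    k = guess_shift(CIPHERTEXT)
    print("guessed shift:", k, "->", caesar(CIPHERTEXT, -k))
```

    With only a handful of letters the counts are nearly flat and the guess becomes unreliable, which is the same point the coin-flip analogy makes about needing many packets.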
    To use aircrack-ng, we need a packet capture. This can be done using airodump-ng, as we've used before. In addition to just the capture from airodump-ng, we need the capture to include at least one handshake. Without this, aircrack-ng can't make an attempt at cracking a WPA password. You will also need a password file. You will find a collection of such dictionaries to be useful, and you may spend some disk space accumulating them. You will find that different files will suit you well because password cracking can have different requirements depending on the circumstances. Not all passwords are created equal, after all. WiFi passwords may be more likely to be passphrases, meaning they would be longer than a user's password.
    Fortunately, Kali can help us out here, although what Kali has to offer isn't specifically directed at WPA passphrases but instead at common passwords. One file that is useful because of its size and varied collection of passwords is rockyou.txt, which is a word list provided with Kali in the /usr/share/wordlists directory. We will use this file to check against the packet capture. You can see a run of aircrack-ng with rockyou.txt as the wordlist/dictionary and then localnet-01.cap as the packet capture from airodump-ng in Example 7-8.
    Example 7-8. Running aircrack-ng to crack WPA passwords
    root@savagewood:~# aircrack-ng -w rockyou.txt localnet-01.cap
    Opening localnet-01.cap
    Read 10299 packets.

       #  BSSID              ESSID                      Encryption

       1  70:3A:CB:4A:41:3B  CasaChien                  WPA (0 handshake)
       2  70:3A:CB:52:AB:FC  CasaChien                  WPA (0 handshake)
       3  18:D6:C7:7D:EE:11  CasaChien                  WPA (1 handshake)
       4  50:C7:BF:82:86:2C  TP-Link_862C               No data - WEP or WPA
       5  70:8B:CD:CD:92:30  Hide_Yo_Kids_Hide_Yo_WiFi  WPA (0 handshake)
       6  C4:EA:1D:D3:78:39  CenturyLink5191            No data - WEP or WPA