
Lab 6 - Wireless Passwords

For this lab you will use a very similar approach to stealing a very different kind of password, using the Pyrit program to analyze wireless traffic. Take a look at Pyrit's website:


Pyrit attacks a known weakness in WPA2-PSK: if you can observe an authorized client logging in (the exchange is called a handshake), you can capture the hash of the password. The hash is generated by a well known process, so you can use it to make guesses just as we did with Windows passwords in the previous lab. The details of how that works can be found here. Pyrit is designed to run on your computer's GPU, which (according to its website) can guess passwords at a rate of up to 89,000 guesses per second! The Pyrit program on Kali Linux, however, lacks the ability to use the GPU, so you'll probably see something closer to 1,000 to 4,000 guesses per second (still not bad).
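The "well known process" is the WPA2-PSK passphrase-to-key mapping: the Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the network's SSID as the salt, 4096 iterations, 256 bits out. The following is an added example, not part of the lab or of Pyrit, that derives that key with Python's standard library, checks it against the published IEEE 802.11i test vector, and times how many derivations one CPU core manages so you can relate the 1,000 to 4,000 guesses per second quoted above to the size of a dictionary. The candidate passphrases fed to the timing loop ("candidate00000000", ...) are constructed here and have no meaning beyond benchmarking.

```python
import hashlib
import time

# Parameters fixed by the WPA2-PSK (IEEE 802.11i) passphrase-to-key mapping:
# PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def is_valid_passphrase(passphrase: str) -> bool:
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key exactly as a client or AP does."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the SSID is the salt, so the PMK is per-network
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def measure_guess_rate(ssid: str, seconds: float = 0.5) -> float:
    """Time PMK derivations for one SSID and return derivations per second.

    Each loop iteration does the same PBKDF2 work that one password guess
    costs; the candidate strings are constructed here purely for timing.
    """
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_pmk(f"candidate{count:08d}", ssid)
        count += 1
    elapsed = time.perf_counter() - start
    return count / elapsed


def seconds_to_exhaust(wordlist_size: int, rate: float) -> float:
    """Seconds needed to try every entry of a wordlist at a given guess rate."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return wordlist_size / rate


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    rate = measure_guess_rate("IEEE")
    print(f"{rate:.0f} PMK derivations/second on this machine")
    words = 99171  # size of /usr/share/dict/words on Kali, per the lab text
    print(f"{words:,}-word dictionary: {seconds_to_exhaust(words, rate):.0f} s here, "
          f"{seconds_to_exhaust(words, 4000):.0f} s at 4,000 guesses/s")
```

Two things the numbers make concrete: the salt is the SSID, so a key derived for one network name is useless against another (which is why Pyrit organises its precomputed tables per ESSID), and at a few thousand derivations per second an entire English dictionary falls in well under a minute, while a long random passphrase does not; the 4096 iterations only slow the attacker down by a constant factor.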

Step 1: Observe
Normally you would go hang out somewhere that has a wireless network you're interested in and watch it for a while. This could easily be done from your apartment. However, in the interest of time and the ability to grade, I've done this step for you. The file is attached at the bottom of the page. It contains packets I have stolen from a local coffee shop over breakfast. The coffee shop doesn't use any kind of remote authentication method; instead they use WPA2-PSK with a password and change it every so often.

Once you have downloaded the file linked below, check to see if Pyrit has the information it needs to perform an attack:

# pyrit -r cis175-lab5-wireless-capture.cap analyze

If a handshake is present you should see a message like this in the output:

  #23: Station f0:cb:a1:26:3b:94, 1 handshake(s):
    #1: HMAC_SHA1_AES, good, spread 1

There may be many of them. 

Step 2: Get a list of passwords
In order to make guesses you will need a list of passwords. Because Pyrit works so fast you can use a lot more than the 35,000 passwords that came from the myspace.com dictionary. Pyrit will get through those in under a minute on many computers. Linux machines typically have an English dictionary in a file located in /usr/share/dict/words. On Kali Linux that file contains 99,171 English words including contractions and possessive forms (i.e. with apostrophes). You can load that dictionary into Pyrit with this command:

# pyrit -i /usr/share/dict/words import_passwords

Using the dictionary couldn't be easier.

Step 3: Identify the SSIDs
Now that you have a password database and a packet capture, run Pyrit to see whether the password is in your dictionary:

# pyrit -r cis175-lab5-wireless-capture.cap attack_batch

What's the password?

Step 4: Gather your own packet log (Extra Credit)
The tool used to grab the packets is also installed in Kali Linux. It's called airodump-ng. Read its documentation here: 

IMPORTANT: Gathering packets this way is legal but may not be ethical. I am teaching you how to steal passwords so that you understand how easy it is to break into poorly secured systems. That knowledge is intended to make you a better system administrator not a thief, hacker, cracker or incarcerated. 

For extra credit run airodump-ng on a network of your choice and wait to see a client login. When you have a capture file you can have Pyrit analyze it like this:

# pyrit -r <capture_file_here> analyze

If you were successful Pyrit will give you a message like this:

#9: AccessPoint cc:b2:55:91:15:60 ('UncleMeat'):
  #1: Station 00:26:bb:12:29:b1
  #2: Station d0:df:c7:c9:40:ea
  #3: Station d0:df:c7:c2:fc:e8, 1 handshake(s):
    #1: HMAC_SHA1_AES, good, spread 1

Once you know that there's a conversation worth seeing in the file, strip the useless packets out of it using Pyrit:

# pyrit -r <capture_file_here> -o stripped.cap strip

After being stripped the file should be much smaller. Submit this file on blackboard for extra credit.

Turn In
When you have found the wireless password submit it in a screenshot on blackboard.

Grading
  • 20 points for the correct password 
  • Extra Credit: 10 points for a stripped packet capture that contains a hash

Attachment: cis175-lab5-wireless-capture.cap (14802k), Michael Matera, Oct 30, 2013, 9:22 AM