At present, the only software we can find is brute force cracking. It is said that a scientist has found a way to crack without violence.
According to a report submitted by security researchers Erik Tews and Martin Beck on Thursday, the encryption method of WiFi Protected Access (WPA) has been partially cracked.
The two men will present and discuss their achievements without reservation at the PacSec meeting in Tokyo next week. The method of cracking this time is that the hacker first reads the data transmitted from the router to the laptop, and then sends incorrect information to the client.
Baker, one of the crackers, said that as long as the vulnerability of TKIP in temporal key integrity protocol is found, it will take no more than 15 minutes to crack WPA encryption. This is the fastest cracking method at present. Of course, they also pointed out that PC to router can't be cracked, so encryption keys and data can't be obtained.
TKIP has been proved to be cracked by dictionaries, including using large computer resources or guessing. Tews and Beck did not use this method. They obtained the encryption method by obtaining router data, and then made a breakthrough through mathematical methods.
The old WEP encryption method has long been successfully cracked, so WPA2 wireless standard is currently considered as a relatively safe wireless standard. WPA, on the other hand, is a widely used encryption method for enterprise users, and the new cracking method makes it no longer secure.
True explanation:
Wireless security breaks through violence and cracks WPA encryption
IT 168 special article With the gradual maturity of wireless technology and the popularity of wireless equipment prices, more and more families begin to use WLAN, a wireless local area network, to surf the Internet anytime and anywhere. However, the problem of network security is also born. Although some users with a certain level of computer and network security began to use WEP or WPA keys to encrypt the transmitted data packets, it is quite easy to crack WEP. It is said that foreign professionals can intercept WEP encrypted packets and analyze WEP keys within 2 minutes through tools. The WPA encryption that once reassured us 100% is no longer secure. Today, we will learn how to violently crack the WPA encryption key, so that users can experience the feeling that shielding a spear is more beneficial.
I. Brief introduction to the network topology of the experimental environment:
This paper mainly uses the method of brute force to crack the WPA encryption key. This method requires that there are enough WPA encrypted data packets in the network, so I choose a computer to provide this encrypted data packet, that is, the computer communicates with the wireless router in the network continuously after passing the WPA verification. On this basis, another computer steals encrypted data packets and violently cracks them. The specific equipment is as follows.
AP: D-Link DWL-2000AP+A, responsible for setting WPA encryption information.
Wireless client: Notebook +D-Link DWL-G 122 wireless network card, responsible for ensuring continuous WPA data communication.
Listening/cracking: Notebook +NetGear WAG5 1 1v2 wireless network card is used as the machine to capture the login handshake session and crack the key.
Second, teach you how to violently crack WPA ciphertext:
Whether it is to crack WPA encrypted data or WEP encrypted data, it is necessary to find special monitoring and analysis software, similar to sniffer in wired networks. In the wireless network, we mainly use a powerful tool called WinAirCrack. When we explained how to crack WEP ciphertext before, we already introduced the simple use of the software and the download address of the software. Interested readers can refer to the previous articles.
Security Crisis of Easily Cracking WEP Password in Wireless Network (1)
Security Crisis of Easily Cracking WEP Password in Wireless Network (Ⅱ)
Winaircrackpack- download
Step 1: download the WinAirCrack program and decompress it, then download the driver corresponding to your wireless network card according to the above, and upgrade the driver to the wireless network card based on atheros chip. The specific method requires us to download the driver suitable for our own wireless network card brand at the address in www.wildpackets.com/support/downloads/drivers..
Step 2: After the preparation of the wireless network card is completed, open the main directory of WinAirCrack program installation and run the airdump.exe in it.
Step 3: First, select the monitoring network card as your wireless network card, and then select the chip type used by your wireless network card. "O" is hermesl/realtek, "A" is aironet/atheros, and there are only two types. Because the author's product is based on atheros, so choose A.
Step 4: Select the signal to be monitored. Because we know that the wireless network uses the 10 channel, we choose 10 directly. If readers want to crack WPA in the future and don't know its transmission channel, they can choose 0, which means scanning all channels.
Step 5: Set the file name for saving the scanning information, and just pick an easily recognizable name.
Step 6: After filling in all the information, we will start to capture the data. From the window display, we can see the SSID information, channel and rate of the current wireless network scanned by airdump.exe. In the ENC column, the encryption method used by the wireless network is WPA.
Step 7: During this period, you need to ensure that a WPA-PSK client logs in to WLAN normally, and the client must log in to WLAN. In other words, airodump must capture the whole "request/challenge/response" process of client logging into WLAN. Of course, the time required for success or failure and success is not measured by monitoring time, but determined by traffic.
Step 8: After listening and capturing for a long time, we press Ctrl+C to stop the program, and then run the WinAircraft analyzer in the WinAircraft directory.
Step 9: Select "WPA-PSK" from the "Encryption Type" drop-down menu in the "General" tab; In the Capture File column, select the CAP file generated by the airodump capture. Click the "Wpa" button in the left main menu to enter the WPA setting page. Enter the dictionary file path of the lst suffix in the Dictionary file input field. Here, we should focus on this dictionary file. WinAirCrack program itself does not have its own dictionary file, but we can create a new dictionary file by tools or by ourselves.
Tip:
Dictionary files can be set by yourself, as long as there is a crack dictionary per line. For example, keep the following format—
1 1 1
222
333
444
Step 10: After setting the dictionary file, we start to crack it. Of course, the key to success depends on whether the dictionary file is powerful and how much information it contains. One thing to note here is that the password string used by WPA-PSK can be composed of any characters that can be represented by ASCII code, but the length of the string must be greater than or equal to 8 characters.
Step 1 1: After hanging up the dictionary, we return to the scene of WinAirCrack.exe program and press the "airplane key …" button in the lower right corner of the interface. At this time, the system will automatically pop up a CMD console, and input some relevant parameters of the CAP file according to the actual situation, such as the path of the CAP file, how many packages the CAP has captured, and the BSSID|ESSID| encryption method of the AP to which these packages belong. Next, the software will automatically analyze the data packet just captured and violently crack it by comparing the information in the dictionary file. If successful, you will be prompted to find the key.
If there is no successful violent cracking, then there are two possibilities. First, there are not enough data packets to be monitored, and the monitoring time needs to be extended to increase the communication between the tester and the wireless router. Second, the cracked dictionary file is not powerful enough, and there are not enough brute force characters to contain the actual WPA key.
Third, summary:
In any case, brute force cracking is a "waste of people and money" work, which needs to test the endurance of users. In many cases, we may not be able to collect enough packets after listening for 24 hours or more, and sometimes we may have tried tens of thousands of cracking keys without success. However, the method of brute force cracking is feasible. As long as the conditions are met, the key used by WPA can be found out. Of course, the violent cracking introduced in this article depends largely on luck. After all, WPA is much safer than WEP without encryption.
Security Crisis of Easily Cracking WEP Password in Wireless Network (1)
In recent years, wireless technology has developed rapidly. More and more users use wireless devices to build wireless networks at home. By establishing a wireless network, they can use laptops and wireless network cards to access the Internet in every corner of their homes. There are many articles about how to set WEP encryption in wireless security to ensure that other computers and illegal users cannot connect to our wireless network.
But is this really the case? Is the so-called security encryption measure WEP really foolproof? After a long period of research, the author found that WEP is not safe. We can use several tools and some tricks to crack him, so that we can invade the wireless network that has been encrypted by WEP unnoticed. Below, the author will present the whole strategy of WEP encryption cracking in two articles.
First, solve the difficulties:
Before introducing the cracking operation, we should first understand what methods ordinary users use to improve the security of their wireless networks.
(1) Modify the SSID number:
Enter the wireless device management interface and modify the default manufacturer's SSID number, so that other users can't connect to the wireless network by guessing the default manufacturer's SSID number.
(2) Cancel the broadcast function of SSID:
By default, when the wireless device turns on the wireless function, it will send its SSID number to the space in the form of broadcast, so any wireless network card can scan and find this SSID number in the area with signal. It's a bit like when we broadcast over the loudspeaker. Anyone who can hear the sound knows what you said. Similarly, we can avoid broadcasting by canceling the broadcasting function of SSID number in wireless devices.
(3) Add WEP encryption function:
WEP encryption can be said to be the most basic encryption measure in wireless devices, and many users use it to configure and improve the security of wireless devices. We can turn on the WEP encryption function of the wireless device, and then select the number of encryption bits, that is, the encryption length, and the shortest is 64 bits. We can enter a11111165438. After entering the ciphertext and turning on WEP encryption, only the wireless network card that knows the ciphertext can connect to our wireless device with WEP encryption, thus effectively ensuring that people without ciphertext cannot access the encrypted wireless network normally.
Second, SSID Broadcasting Foundation:
So how can we crack these security encryption measures mentioned above? First, let's take a look at the cracking of SSID number.
Tip:
What's the SSID number? The SSID (Service Set Identifier) can also be written as ESSID to distinguish different networks, and it can have up to 32 characters. Wireless network cards can use different SSIDs to enter different networks. The ssid is usually broadcast by AP or wireless router, and the ssid of the current area can be viewed through the scanning function that comes with XP. For security reasons, it is not necessary to broadcast the SSID. At this point, the user must manually set the SSID to enter the corresponding network. Simply put, SSID is the name of a local area network, and only computers with the same SSID can communicate with each other.
Then the SSID number is actually a bit like cable broadcasting or multicast, and it is also sent from one point to multiple points or the whole network. After receiving the SSID number sent by the router, the general wireless network card should first compare whether the SSID number to be connected is configured, if so, connect, if not, discard the SSID broadcast packet.
Readers who have experience in cable network maintenance must have heard of sniffer. Through sniffer, we can monitor our network card, so that the network card will record all the packets it receives and feed them back to sniffer. Many of these packets are data that this network card should receive, and many are broadcast packets or multicast packets that should be discarded. Whether the network card receives these data or not, once the sniffer is bound to it, it will not hesitate to record these data and save these data information into the sniffer program. Therefore, by installing a wireless sniffer, the wireless network can also be bound to the wireless network card to realize the detection and discovery of the SSID number.
Tip:
We can easily get the SSID name of the wireless network that has set the broadcast of SSID number, even if it modifies the default name. Generally, this problem can be solved by the management configuration tool of your own network card or the wireless network management program that comes with XP system.
If we set the broadcast of SSID number in the wireless device to cancel, can we detect this SSID broadcast packet by installing sniffer software on our computer according to the above method? The answer is yes. Let's do an experiment.
Experimental environment:
Wireless router -TP-LINK TL-WR54 1G54M wireless router
Wireless network card -TP-linktl-wn5 10g 54m wireless network card
Notebook computer-Compaq Evo N800c
ADSL connects Beijing Netcom ISP.
Step 1: Access the management interface of TP-LINK 54 1G 54M wireless router through wired network, and cancel the broadcast function of SSID number of wireless router.
(Click to enlarge)
Step 2: In order to ensure the accuracy of the experiment, the author deliberately changed the SSID number to IT 168, changed the frequency band from the original 5 to 12, and the speed was still 54M.
Step 3: Click the "Save" button below, and "Changing the wireless network settings will cause the wireless router to restart" will appear. Are you sure? ",we can click OK to make the set wireless parameters take effect.
(Click to enlarge)
Step 4: Next, we turn off the wired network card and connect the wireless network card to the PCMCIA interface of the notebook.
Step 5: Plug in the wireless network card and scan the whole wireless network through the management tools of TP-LINK. At this time, you should be able to see a wireless signal, using 12 channel, in 54M wireless mode. But the SSID number can't be found. This is because we prohibit broadcasting SSID numbers.
(Click to enlarge)
We need to bind the wireless network card with sniffer tool to realize the function of detecting SSID number.
Third, reinstall the wireless network card driver:
WinAircrackPack is the wireless network card sniffer tool I want to use, but it is not compatible with most of our wireless network card drivers by default. In order to successfully use the wireless network card sniffer tool, we must first install a compatible wireless network card driver.
Before doing all kinds of operations, I recommend a small toolkit named WinAircrackPack, which is a combination package of wireless tools, including WinAircrackPack, wzcook.exe, airdecap.exe and airodump.exe. These programs have their own uses. The tool for finding SSID number introduced in this paper is airodump.exe. At present, his version is 2.3. The tool kit is attached.
Winaircrackpack- download
(1) Test whether it can be used directly:
Some readers may ask whether it is possible to use the sniffer tool directly without reinstalling the wireless network card driver. This requires us to test.
Step 1: Unzip the downloaded toolkit and run the airodump.exe inside.
(Click to enlarge)
Step 2: Select the corresponding network card and enter the serial number before the corresponding wireless network card, such as 13 by the author.
(Click to enlarge)
Step 3: Enter O or A to select the network card mode, which is related to downloading and installing drivers described later.
Step 4: Select the search frequency band. Entering 0 means that all frequency bands are detected.
Step 5: Next, you will be prompted to enter a save file, so that the tool will put all the packets from sniffer into this file.
(Click to enlarge)
Step 6: Whether to write wep ivs only and detect wep encrypted packets, we can choose "Y".
Step 7: At this time, a prompt will appear, which probably means that the driver does not support it at present and cannot operate sniffer. At the same time, the browser will automatically go to a page where we can download compatible drivers and upgrade our wireless network card, so that the sniffer tool-airodump.exe can run smoothly.
(Click to enlarge)
(2) Download the new driver of the wireless network card:
If you want to download a suitable new driver for the wireless network card, you need to go to the jump page mentioned above.
Step 1: The address of the opened page is/support/product _ support/airopeek/hardware, and we can download the driver that can use airodump and is suitable for our network card through this address.
(Click to enlarge)
Step 2: Select the brand and model of the wireless network card in the Search Device page. The author chooses all wireless products of tp-link to query and see which driver should be downloaded.
(Click to enlarge)
Step 3: On the query result page, we can see that our 5 10G network card can only use airodump by using the AR5005G driver provided by this website. (as shown in figure 10)
(Click to enlarge)
Step 4: Return to the/support/product _ support/airopeek/hardware page again. On this page, you will see the atheros card model compatible with the driver, and you will mention ar5005. Although ours is ar5005g, it can be used. Click the Wildpackets Atheros wireless driver version 4.2 link at the bottom of this page to download it.
(Click to enlarge)
Step 5: Download the wireless driver version 4.2 of wildpackets atheros to the local hard disk.
(Click to enlarge)
Step 6: After opening it, there are three files in it, and our wireless network card upgrade depends on these three files.
(Click to enlarge)
(3) Install a new driver for the wireless network card:
Three files in the previously downloaded Wildpackets Atheros wireless driver 4.2 compression package are the protagonists of our driver installation.
Step 1: Right-click the neighbor icon on the desktop network and select Properties.
Step 2: Right-click the local connection corresponding to your wireless network card and select Properties.
(Click to enlarge)
Step 3: In the Wireless Network Connection Properties window, click the Configure button next to the network card information under the General tab.
(Click to enlarge)
Step 4: Click the "Update Driver" button in the "Driver" tab.
(Click to enlarge)
Step 5: The Hardware Installation Wizard will appear. We select "Install from a list or specified location (advanced)" and then click "Next".
(Click to enlarge)
Step 6: Then select "Don't search, I want to choose the driver installation myself" and click "Next" button to continue.
(Click to enlarge)
Step 7: Since the drivers we installed before are the official drivers of TP-LINK 5 10G wireless network card, the system will find the corresponding drivers by default, so we don't select them and click "Have Disk".
(Click to enlarge)
Step 8: Use the "Browse" button to find the directory where we downloaded and unzipped the Wildpackets Atheros wireless driver version 4.2 file.
(Click to enlarge)
Step 9: Select Atheros Ar5005g Cardbus wireless network adapter, and then click Next to continue.
(Click to enlarge)
Step 10: A compatibility prompt will appear during the driver installation. We just need to click "Continue".
(Click to enlarge)
Step 1 1: The system copies the necessary files to the local disk.
(Click to enlarge)
Step 12: Complete the hardware update wizard. Our TP-LINK wireless network card has now become atheros ar5005g wireless network card, so we can use airodump, a wireless network sniffing tool.
(Click to enlarge)
Fourth, summary:
Because there are many preparations for WEP cracking, we can't present them all in one article, but we successfully updated our network card driver through this article, which is also the key to WEP encryption cracking, because all the wireless network tools I said are based on new drivers.
Please be sure to check your wireless network card driver through the page just mentioned, and download and install it. In the next article, the author introduces how to use a new driver to find the SSID number on the wireless network card that prohibits broadcasting and crack the WEP encrypted ciphertext.