WPA Cracking with rt73, aircrack-ng, and Ubuntu Gutsy

There’s been a dearth of tech posts around here lately, but that’s about to change.

I’ve previously mentioned the Alfa AWUS036S USB WLAN adapter that I got a while back for OpenBSD wardriving. It’s been reliable for that purpose, but lately I’ve been interested in using it with aircrack-ng to crack WPA pre-shared keys.

Normally this isn’t the kind of thing I’m into, but then I learned about the Church of Wifi’s WPA Rainbow Tables, which consist of 40GB of compressed pre-computed WPA keys and their hashed derivations for the 1000 most common SSIDs and a selection of common passphrases. I downloaded the torrent (tip: the CoW link is bad; the torrent is here) and the Church of Wifi cracking tool CoWPAtty, which reads the rainbow tables and uses them to crack WPA.

I ran them against a capture I’d taken using OpenBSD and kismet, only to find that I had not captured any of the WPA handshakes required to crack the WPA PSK. This led me down the rathole of actively forcing the WPA handshake by knocking a client off of an AP and monitoring the client’s attempt to reconnect, using the aircrack-ng suite of tools.

Rather than fight with getting aircrack-ng to inject packets with my USB wlan device on OpenBSD, I bit the bullet and went with Ubuntu Gutsy 7.10 instead.

Running Gutsy i386 on a VMWare Workstation 6.0 virtual machine, I plugged in the Alfa USB adapter, enabled it in VMWare with the VMWare UI, and did an ifconfig to confirm my adapter was detected. It showed up as wlan0 and that was that. Or so I thought.

I downloaded and built the latest 1.0 beta of aircrack-ng (an uneventful process; just make sure the libssl-dev and libpcap0.8-dev packages are installed). Then I ran airmon-ng start wlan0 11, which unexpectedly failed. I could not get the wlan0 interface into monitor mode; attempts kept failing with an error about the mode not being supported. I then booted into a Backtrack 2 Live CD and ran airmon-ng there, but despite forcing a WPA handshake (first with aireplay-ng and later by manually disconnecting and reconnecting a client to the AP I was cracking) I wasn’t getting any WPA handshakes in any of my captures.

Now is a good time to digress for a bit about the Linux WLAN driver situation. If you’re going to use a wireless adapter on Linux, you have to ask: what wireless chipset does the adapter use, are there drivers available, and are they reliable? If you intend to use the adapter for wardriving, WEP cracking, WPA cracking, etc., then you also have to figure out whether the tool you want to use supports the chipset, whether the drivers you’re using support what you’re doing with the tool, and whether or not the drivers are so unstable as to kernel panic your machine at random.

In my case, I’m using a USB wireless adapter so I can use it from a virtual machine, which makes the situation even worse as USB wireless support is hit or miss at best, especially if you’re capturing all traffic on a channel which requires monitor mode.

As wireless USB devices under Linux go, there aren’t many options. The Alfa AWUS036S, based on the Ralink RT73 chipset, is the best option I’ve found. I’ve also read about the Alfa AWUS036H, based on the Realtek RTL8187. The aircrack-ng and Kismet sites both list a few other USB adapters, none of which I’ve read particularly good things about.

The RT73 driver situation is pretty complicated. Gutsy 7.10 ships with RT73 support, though I don’t know where the drivers came from. A while back I tried to get the serialmonkey drivers working with my shitty EDIMAX USB adapter and had nothing but problems under Linux; I’ve not tried the new RT73 stuff from serialmonkey but I assume it’s unstable.

Finally, there’s p_larbig’s stuff, which seems based on the serialmonkey code but is patched for stability, packet injection, and compatibility with aircrack-ng. He has drivers for rt73 and rt2570-based hardware, though I’ve not worked at all with the rt2570 drivers.

I finally had luck with the latest p_larbig rt73 driver, 2.0.1. It was the usual download tarball, make, make install, which installs the rt73 kernel module. However, that’s not enough.

I also had to disable the modules Ubuntu shipped with, which otherwise insist on loading instead. I’ve read elsewhere about a guy suggesting you actually delete the built-in modules from /lib/modules, but that seems a bit heavy-handed. Instead, I added the following lines to /etc/modprobe.d/blacklist:

 # Disable the USB ralink drivers other than the custom build one
 # AJN 11-2007
 blacklist rt2500usb
 blacklist rt73usb
 blacklist rt2x00usb

I also added alias ra0 rt73 to /etc/modprobe.d/aliases.

Then I ran sudo update-modules. After that I plugged in my Alfa and it came up at rausb0.
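A quick way to confirm the module setup actually took effect, as an added example that is not part of the original post: parse the blacklist file and the output of lsmod, and report any stock Ralink module that is still unblacklisted or loaded, and whether the custom rt73 module is present. The sample blacklist and lsmod text below are constructed; the path /etc/modprobe.d/blacklist is the one used in the post, and check_live_system is the only function that touches the running machine.

```python
# Added example (not from the original post): verify that the stock Ubuntu
# Ralink USB modules are blacklisted and not loaded, and that the custom
# rt73 module is the one actually bound. Inputs are passed in as text so the
# check can run against captured files as well as against the live system.
import re
import subprocess
from typing import Dict, List

# Modules the post blacklists, and the module it expects to own the adapter.
STOCK_MODULES = ("rt2500usb", "rt73usb", "rt2x00usb")
CUSTOM_MODULE = "rt73"


def parse_blacklist(text: str) -> List[str]:
    """Return module names from 'blacklist <name>' lines, ignoring comments."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"blacklist\s+(\S+)$", line)
        if m:
            names.append(m.group(1))
    return names


def parse_lsmod(text: str) -> Dict[str, int]:
    """Map module name -> use count from `lsmod` output (header line skipped)."""
    loaded = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3:
            loaded[parts[0]] = int(parts[2])
    return loaded


def check_driver_setup(blacklist_text: str, lsmod_text: str) -> Dict[str, List[str]]:
    """Report what is wrong with the module configuration, if anything."""
    blacklisted = set(parse_blacklist(blacklist_text))
    loaded = parse_lsmod(lsmod_text)
    return {
        "not_blacklisted": [m for m in STOCK_MODULES if m not in blacklisted],
        "stock_loaded": [m for m in STOCK_MODULES if m in loaded],
        "custom_missing": [] if CUSTOM_MODULE in loaded else [CUSTOM_MODULE],
    }


def check_live_system() -> Dict[str, List[str]]:
    """Run the same check against the running machine (Linux only)."""
    with open("/etc/modprobe.d/blacklist") as f:  # path used in the post
        blacklist_text = f.read()
    lsmod_text = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
    return check_driver_setup(blacklist_text, lsmod_text)


# Constructed sample inputs: two of the post's three blacklist entries, and
# lsmod output in which the stock rt73usb stack is still loaded and the
# custom rt73 module is absent (i.e. the setup did not take effect).
SAMPLE_BLACKLIST = """\
# Disable the USB ralink drivers other than the custom build one
blacklist rt2500usb
blacklist rt73usb
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
rt73usb                23552  0
rt2x00usb              12288  1 rt73usb
rt2x00lib              36864  2 rt73usb,rt2x00usb
usbcore               146412  4 rt73usb,rt2x00usb
"""

if __name__ == "__main__":
    print(check_driver_setup(SAMPLE_BLACKLIST, SAMPLE_LSMOD))
```

An empty report in all three lists is the state the post ends up in: nothing from the stock rt2x00 family loaded, and rt73 owning the adapter as rausb0.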

Using beta1 of aircrack-ng 1.0 I ran a few simple tests.

First, airmon-ng stop rausb0 and airmon-ng start rausb0 11, both of which worked this time.

Next I ran aireplay-ng --test rausb0, which reported successful injection.

After that I used these instructions to force and capture a WPA handshake. I would note that it’s important to verify you can capture these handshake packets before you declare victory. I thought I had it made when I booted the Backtrack 2 live CD, which has built-in support for rt73 chips, only to find that I could capture everything but the WPA handshakes. Be sure that’s working if you intend to crack WPA PSKs.

Once I got a WPA handshake, I ran it against cowpatty with the WPA-PSK rainbow tables, and tried one million keys in about 20 seconds, roughly 50k keys/second. If you’ve ever tried brute-forcing a WPA PSK with just aircrack-ng and no rainbow tables, you’re probably more used to 10-50 keys/second; that’s right, it’s an improvement of three orders of magnitude. Insane.

The final moral of the story is: change your access point’s default SSID, and choose a secure WPA passphrase. Failure to do either will result in vigorous pwnage.
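Why both halves of that advice matter, as an added example that is not part of the original post and not CoWPAtty’s code: WPA-PSK derives the Pairwise Master Key with PBKDF2-HMAC-SHA1 using the SSID as the salt (4096 iterations, 32-byte output, per IEEE 802.11i), which is why the Church of Wifi tables have to be built per SSID and why a non-default SSID makes every precomputed entry worthless. The passphrase list and SSIDs below are constructed; the derivation itself uses Python’s standard hashlib.

```python
# Added example (not from the original post or from CoWPAtty): why the
# rainbow tables are keyed by SSID, and why changing the default SSID defeats
# them. WPA-PSK derives the Pairwise Master Key with PBKDF2-HMAC-SHA1 using
# the SSID as salt, 4096 iterations and a 32-byte output (IEEE 802.11i).
import hashlib
from typing import Dict, Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK exactly as a WPA/WPA2-PSK station does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssid: str, passphrases: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for ONE ssid: the expensive step a rainbow
    table pays once, offline, per SSID."""
    return {wpa_pmk(p, ssid): p for p in passphrases}


def table_lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """A hit costs one dict lookup instead of 4096 HMAC rounds; a miss means
    the table's SSID does not match, however weak the passphrase is."""
    return table.get(pmk)


# Constructed sample: a tiny "common passphrase" list and a common default SSID.
COMMON_PASSPHRASES = ["password", "12345678", "letmein1"]
DEFAULT_SSID = "linksys"


def demo() -> dict:
    table = build_table(DEFAULT_SSID, COMMON_PASSPHRASES)
    # Network left at its default SSID with a common passphrase: instant hit.
    hit = table_lookup(table, wpa_pmk("password", DEFAULT_SSID))
    # Same weak passphrase, but the SSID was changed: the salt changed, so every
    # precomputed PMK is wrong and the table is useless against this network.
    miss = table_lookup(table, wpa_pmk("password", "my-home-net-4f2a"))
    return {"hit": hit, "miss": miss}


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())  # IEEE 802.11i Annex test vector
    print(demo())
```

A changed SSID only removes the precomputation shortcut; a weak passphrase under a unique SSID still falls to the 10-50 keys/second brute force the post mentions, which is why the passphrase has to be strong as well. Against a real capture the candidate PMK is confirmed by re-deriving the PTK and checking the handshake MIC; that verification step is not shown here.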

RT73...

Try using PCLinuxOS (you can install from the live CD); the RT73 driver works out of the box. It even asks you if you want to connect to your router or the one down the street ;)