I am writing this guide on testing WiFi network security for my own use. Hopefully others will contribute knowledge, as I have not mastered the art yet! [29.iv.12]
The only way to test the security of a lock is to try to pick it. I managed to lock myself out of my house a while back. With some difficulty I managed to get back in without breaking anything more than wind. But get back in I did! I have now plugged that particular loophole. The same principle applies to WiFi networks. You need software to try it; I am currently using beini-1.2.2. This blog is about how to use it.
I have searched extensively variations of “beini WPA tutorial” but so far found nothing of any use. There are e.g. a number of YouTube files but all the ones I have looked at are incomprehensible; either because they are in Spanish or Indonesian or other languages I don’t understand, or gibberish ‘written’ by inarticulate children who fail to get anywhere to the accompaniment of puerile soundtracks. If you know of a GOOD guide, send me a link and I will insert it here.
Having run out of patience watching instructions being plonked out one-fingered and littered with errors which are then equally laboriously retyped, I decided to write my own manual. Being a pen and paper person, a printable manual is what I am after. Hopefully this will be it.
You will see many references to other software such as BackTrack, AirMon, AiroDump etc. This guide only deals with beini-1.2.2. I got mine from here:
Like much else on the internet, although the download page suggests you’ll be getting beini-1.2.3 you will in fact get beini-1.2.2.iso. Burn that ISO file to a CD. Whatever computer you use to test a network will need to boot from this CD. You may have to check your BIOS to enable that. There seem to be issues over some chipsets but none of them have affected me. I have used BEINI on several computers and not had chipset problems with any of them. It is also possible to use BEINI with a USB memory stick.
I don’t use WEP for network encryption as too weak, but BEINI can test WEP as well as WPA and WPA2 networks. As I am only interested in WPA and WPA2 that is what I cover here. I could add WEP instructions later if called for.
1. Insert the BEINI CD and boot the computer. The opening screen will give you an option to Start Beini 1.2.2 or Reboot. BEINI will start automatically if no choice is made. While booting it may report an error such as “SQUASHFSA error can’t find SUPERSQUASH on superblock sda” etc. I ignore them and do nothing until this opening screen appears.
There are 9 icons at the bottom. From left to right they are:
- i) a command prompt terminal
- ii) control panel
- iii) App browser
- iv) Bib
- v) FeedingBottle
- vi) Log Out – click to log out and either shut down the computer or restart in Windows
- vii) minidwep-gtk – seems to be specifically for WEP
- viii) Root Shell
- ix) xfe
2. No idea what most of these are for. I have only used FeedingBottle. Clicking it launches a warning screen like the next screenshot.
3. Click YES. The next screen allows you to select a wireless card. At the bottom, in the ‘MESSAGE’ bar, you should see “monitor mode enabled…” Click NEXT.
4. The next window, shown below, displays APs [Access Points] Information and Clients Information as well as 5 default options:
- Ignore the Error Item of AP: ✔
- Show all APs when scanning: ✔
- Channel Selection: All Channel
- Scanning Time: 30 seconds
Change the encryption setting in the above screen to WPA/WPA2 then click SCAN. A progress bar [see below] will appear below the APs Information window.
5. When the scan is completed (usually takes only a few seconds) any WPA/WPA2 networks will appear listed in the APs Information window. Click one to select it [see below] and a message should also appear in the Clients Information. As in the screen below, this is often “Found 0 Client!” With the AP still selected click NEXT.
6. The next screen [see below] gives you two options to proceed; START or ADVANCED. Before doing either you can set the ‘Attacks parameters.’ This is as far as I have been able to make sense of BEINI. Clicking the START button gives you options to select a ‘dictionary’. I have no idea which, if any, is best. It is possible to add dictionaries or make additions to existing dictionaries but again, I don’t know how. The rest of the screenshots are after selecting Advanced Mode.
7. Clicking ADVANCED opens a new window [see below] with a whole lot of other button options none of which I understand. Any ideas anyone? Clicking the various buttons launches different applications as follows:
- CAPTURE = airodump.ng
- START CRACK = select dictionary
- FAKE AUTH (-1) = FakeAuth_-1
- FAKE AUTH (by force) = Fake authentication with AP
- INTERACTIVE 0841 (-2) = InterActive_0841
- ARP REPLAY (-3) = ?
- CHOP CHOP (-4) = ChopChop_-4
- FRAGMENTATION (-5) = ?
- PACKET FORGE = Xor File Chooser
- FORGE ATTACK = Arp File chooser
The general procedure seems to be to detect the 4-way handshake involved in connecting to a WPA encrypted network. Either one needs to be ‘found’ or generated and then ‘captured’. For the latter, an existing connection needs to be broken by ‘deauthenticating’ it which should then reconnect automatically thereby revealing the 4-way handshake. This in turn enables the Pre-shared key [PSK] to be revealed. I think! For the sake of completeness I include below the remaining sequence of screenshots starting with what you get after selecting ‘Uncapture’ in Advanced Mode.
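The deauthentication step described above is also what a defender can watch for on the air: a burst of deauthentication or disassociation management frames stands out in a monitor-mode capture. The following is an added example (not code from this guide or from Beini) that decodes 802.11 management headers and flags such bursts per sender; the frames are constructed sample data, and the one-second window and five-frame threshold are assumptions to tune for your own network.

```python
import struct
from collections import defaultdict, deque

MGMT, BEACON, DISASSOC, DEAUTH = 0, 8, 10, 12   # 802.11 frame type / management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
def make_frame(subtype, da, sa, bssid, reason=None):
    """Build a minimal 802.11 management frame (constructed test data, not a real capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = bytes([(subtype << 4) | (MGMT << 2), 0]) + b"\0\0" + mac(da) + mac(sa) + mac(bssid) + b"\0\0"
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")

def parse_mgmt(raw):
    """Decode frame control, the three addresses and (for deauth/disassoc) the reason code."""
    if len(raw) < 24:                      # truncated header: not parseable
        return None
    f = {"type": (raw[0] >> 2) & 0x3, "subtype": (raw[0] >> 4) & 0xF,
         "da": raw[4:10].hex(":"), "sa": raw[10:16].hex(":"), "bssid": raw[16:22].hex(":"),
         "reason": None}
    if f["type"] == MGMT and f["subtype"] in (DEAUTH, DISASSOC) and len(raw) >= 26:
        f["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return f

def detect_deauth_bursts(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame). Emits one alert per (bssid, sender)
    the moment `threshold` deauth/disassoc frames have arrived within `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f is None or f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue                       # beacons, probes and data frames are not of interest
        q = recent[(f["bssid"], f["sa"])]
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) == threshold:            # fire exactly once as the burst crosses the line
            alerts.append({"bssid": f["bssid"], "sender": f["sa"], "to": f["da"],
                           "reason": f["reason"], "count": threshold, "first": q[0], "last": ts})
    return alerts

def sample_capture():
    """Constructed traffic: a beacon, one isolated deauth (normal), then 8 broadcast deauths in 70 ms."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    frames = [(0.0, make_frame(BEACON, BROADCAST, ap, ap)),
              (0.5, make_frame(DEAUTH, client, ap, ap, reason=3))]
    frames += [(5.0 + i * 0.01, make_frame(DEAUTH, BROADCAST, ap, ap, reason=7)) for i in range(8)]
    return frames

if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_capture()):
        print(f"burst: {a['sender']} sent {a['count']} deauths to {a['to']} in {a['last'] - a['first']:.2f}s")
```

A single deauth from the access point is ordinary housekeeping, so the detector only reacts to the rate; feed it frames from a monitor-mode capture with real timestamps in place of `sample_capture()`.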