This time on the show we're getting a little Bash happy with standard streams and pipelines as we recover the pre-shared key of a WPA-protected wireless access point using John the Ripper and Aircrack-ng.
Standard streams in Unix-like operating systems, and Windows to some extent, are the channels for input and output between a program and its environment.
Our environment in this case is Bash, the Bourne-again shell. It's my personal favorite but there are a few others, like the C shell.
Now there are three standard streams: STDIN, STDOUT and STDERR, file descriptors 0, 1 and 2 respectively.
Standard Input is data, usually text, that goes into the program. Nine times out of ten this is just what you're typing on the keyboard.
Similarly, Standard Output is where the program writes its output data. This could be a file, a serial port, the network, but quite often it's simply your terminal or display.
Now not every program uses all of these streams. For example, dir or ls doesn't read any standard input: you issue ls and it writes the contents of the directory to standard output. Similarly, issuing rename or mv to rename a file doesn't write any output when it succeeds. The old name and new name you give mv or rename are command-line arguments rather than standard input, and the file name is simply changed. Nothing really that exciting to write home about, huh?
Finally, Standard Error is another output from the program. It's independent of Standard Output and is used to send error messages, which typically also end up on the terminal or display. But it's nice to know we can send 'em elsewhere if need be.
Now I mentioned sending the output somewhere and that's exactly what we'll be doing today. While the output of a program typically goes to the terminal, it doesn't have to. For example, we could take the output of the ls or dir program and send it to the input of the more program.
ls | more
more lets us read the output of the ls or dir command one page at a time, using the spacebar to advance. The Q key quits, by the way.
This is what's called piping. We chain the programs together, and the output of the first program gets "piped" into the input of the next. Only standard output goes down the pipe; standard error still goes straight to the terminal unless you redirect it yourself.
If you're not familiar with John the Ripper, it's a fantastic tool for cracking passwords. You can use it to generate or process wordlists, or even come up with candidates on the fly with a little bit of brute force.
I've already gone ahead and set my wireless card to monitor mode, started packet sniffing, deauthorizing users, and successfully captured a bunch of traffic, including the 4-way handshake. This means I can start attempting to crack the pre-shared key. If that sounded Greek to you, don't worry, we'll be dissecting all of that in an upcoming HakTip.
The aircrack-ng program wants three things: the BSSID of the access point we're cracking (the -b option), the packet capture file containing the handshake, and a wordlist or dictionary file (the -w option). Now since the WPA key of our access point isn't in the dictionary, we're going to send in John the Ripper.
John has a nifty little mode called incremental (--incremental) which will try every possible password up to a length limit, 8 characters by default. With John we also specify the --stdout option, which writes the candidate passwords it generates to standard output instead of trying them against anything itself.
So using what we just learned we can take the output from John the Ripper, which is busy coming up with every password possible, and "pipe it" to aircrack-ng, which reads the candidates from standard input when you give it -w - and tries each one against the captured handshake.
And in anywhere between one second and 16 years we'll have cracked this network! Rock on! One caveat before you go: WPA passphrases must be 8 to 63 characters, so aircrack-ng skips any candidate shorter than 8, and walking the whole 8-character keyspace is exactly why that estimate runs to years. A targeted wordlist, or John's rules applied to one, usually gets you there a lot sooner than raw incremental mode.
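As an added example, not part of the HakTip, here is the stream plumbing behind both the ls | more section and the John-into-aircrack-ng pipeline reduced to a few Bash functions so you can watch it work without a wireless capture: gen_candidates stands in for john --incremental --stdout (candidates on stdout, progress chatter on stderr) and try_keys stands in for aircrack-ng -w - (candidates read from stdin, anything outside the 8 to 63 character WPA range skipped). The function names, the target passphrase and the candidate list are all made up for the demo; the only real commands are the ones in the comment at the bottom, and the BSSID and file name there are placeholders.

```bash
#!/usr/bin/env bash
# Added demo of the three standard streams and a cracking pipeline. Not from the HakTip;
# gen_candidates/try_keys are stand-ins for "john --stdout" and "aircrack-ng -w -".

# gen_candidates: stand-in for "john --incremental --stdout". Takes its candidate list
# from its arguments (real john generates them), writing one candidate per line to
# stdout (fd 1) and progress chatter to stderr (fd 2). That split is what makes the
# pipe usable: only fd 1 flows into the next program.
gen_candidates() {
    local candidate
    for candidate in "$@"; do
        printf 'trying %s\n' "$candidate" >&2   # noise: stderr, never enters the pipe
        printf '%s\n' "$candidate"             # candidate: stdout, goes down the pipe
    done
}

# try_keys: stand-in for "aircrack-ng -b <bssid> -w - capture.cap". Reads candidates
# from stdin (fd 0) until one equals the target PSK given as $1. Like aircrack-ng it
# ignores candidates outside the 8..63 character range WPA allows. Prints the key and
# returns 0 on success; prints a message on stderr and returns 1 when stdin runs dry.
try_keys() {
    local target=$1 candidate tested=0
    while IFS= read -r candidate; do
        if [ "${#candidate}" -lt 8 ] || [ "${#candidate}" -gt 63 ]; then
            continue   # can never be a WPA passphrase, skip without counting it
        fi
        tested=$((tested + 1))
        if [ "$candidate" = "$target" ]; then
            printf 'KEY FOUND! [ %s ] after %d keys\n' "$candidate" "$tested"
            return 0
        fi
    done
    echo "Passphrase not in candidate stream ($tested tested)" >&2
    return 1
}

# crack: wires the generator's stdout to the consumer's stdin with a pipe, throws the
# generator's stderr chatter away (point 2> at a file instead to keep john's progress),
# and passes the consumer's exit status back as the pipeline's status.
# Usage: crack <target-psk> <candidate>...
crack() {
    local target=$1; shift
    gen_candidates "$@" 2>/dev/null | try_keys "$target"
}

# stderr_only: keeps just the stderr stream. Order matters: "2>&1" points fd 2 at the
# current fd 1 first, then ">/dev/null" sends fd 1 away, so only stderr is left.
stderr_only() {
    gen_candidates "$@" 2>&1 >/dev/null
}

# Demo run on a constructed candidate list ("short" and "pass123" are skipped as too
# short, "hunter22" is the first real candidate and matches). The real pipeline from
# the show, with placeholders for the BSSID and capture file, is:
#   john --incremental --stdout | aircrack-ng -b 00:11:22:33:44:55 -w - capture.cap
crack 'hunter22' short pass123 hunter22 zzzzzzzz
echo "pipeline exit status: $?"
echo "--- what gen_candidates sent to stderr:"
stderr_only short pass123
```

Run it and note that the "trying ..." lines never reach try_keys: they were written to fd 2, and the pipe only connects fd 1 of the left side to fd 0 of the right. Swap the 2>/dev/null inside crack for 2>john.log and you get the same effect the show relies on, John's progress kept somewhere useful while aircrack-ng sees nothing but candidates.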