HACK - Wireless Hacking - WPA/WPA2

Background - WPA/WPA2

This is the second part of my wireless hacking tutorial. If you are interested in hacking WEP security, please check out this blog post. WEP should never be used, as it does not matter how long or complicated your password is, a hacker can achieve a network key as long as there is a client. With WPA/WPA2, the difficulty in cracking the password comes from its complexity and length. Before we get started, it should be noted that the first three steps of cracking WPA/WPA2 are the same as cracking WEP on my other post.


Requirements:

• Kali Linux
• Includes the Air-ng Suite
• Wireless Adapter
• A router to hack
• A client already on the network
• Permission to crack, it is otherwise illegal

1.) Set up a monitor interface.

With Kali Linux booted up, make sure you have a wireless interface to work with.

# iwconfig

 A very popular wireless interface name is wlan0.

# airmon-ng start [WIRELESSINTERFACE]

Make sure to KILL any recommended processes.

# kill [PID1] [PID2] [PID3]

2.) Start monitoring traffic.

# airodump-ng

The top part shows all Access Points.

The bottom part shows all clients.

BSSID - the Access Point's MAC Address

PWR - the signal strength

Becaons - the packets that the router sends out to alert its presence

CH - The channel that information is being broadcast on

AUTH - Either MGT for Managed or PSK for Pre-Shared Key

ESSID - the Access Point's network name

STATION - the client's MAC Address

Probe - The list of ESSIDs that the client is looking to connect with

We are looking for anything that has PSK Authentication.

Once we find the access point we are looking for, we must make sure there is a client. Otherwise, we will not be able to capture a handshake, which is essential to cracking a network password.

I have not yet learned how to crack MGT Authentication.

Now that we have located an Access Point to crack, we need to start recording any packets that have anything to do with it.

3.) Recording the traffic.

# airodump-ng --bssid [BSSID] -c [CHANNEL] -w [FILENAME] mon0

This will start writing recorded packets to a .cap file. Similarly, you will see your specified access point on the top, and any of its clients on the bottom. Let this run in the background as we continue to work with other utilities.

At this point, we must split into two categories. Your targeted network either has a WEP encryption, or a WPA/WPA2 encryption.

4.) Getting the Handshake.

We are looking for a series of packets called the handshake, which only occurs when someone joins the network. We will use this handshake to crack the network password later.

In order to force a client to provide a handshake, we need to force it to connect. The only way to get it to reconnect to a network it is already a part of is to forcibly disconnect it.

We can do this by injecting what are known as deauth packets. 

# aireplay-ng -0 5 -a [BSSID] -c [CLIENTMAC] -e [ESSID] mon0

-3 is used for a deauth injection

5 is how many sets of deauth packets we want to send

This should successfully send out the deauth packets and force the client to perform a handshake with the access point. We can tell if this works by checking back on our airodump-ng capture.

If the deauth was successful, or we just happened to be monitoring when someone was connecting to the router, the top right of the airodump-ng display screen should say the following:

[WPA handshake: XX:XX:XX:XX:XX:XX

Now we will begin our attempt to crack it.

5.) Cracking the Password.

We now have the password in our grasp, but alas, it is still encrypted. We must now decrypt the password one of two ways.

The first method stays within the suite of the Air-ng tools, using aircrack-ng. The second method takes advantage of a discrete graphics card by using oclHashCat, and is tremendously faster. Before we begin the cracking process, we need to decide whether to use a word list or a brute force attack.

A word list is a text file that contains very popular passwords. These can be effective if a password is expected to be predictable.

A brute force attack is one that tries every single possible password that you allow. These are much lengthier attacks, but cover every possible password that a word list simply can't.

5a.) Aircrack-ng

We will start with a word list attack. The word list we want to use is named rockyou.txt, and can be found inside Kali within the directory /usr/share/wordlists. Do the following commands to bring it to your current directory and unarchive it.

# cp /usr/share/wordlists/rockyou.txt.gz . 

# gunzip rockyou.txt.gz

We will then input the word list into aircrack-ng.

 # aircrack-ng --bssid [BSSID] -w rockyou.txt [FILENAME]-01.cap

You will then see aircrack-ng work its magic. If done on a modern machine, aircrack-ng can usually get up between 1000-5000 keys per second. Depending on the version of rockyou.txt and Kali you have, there can be between 1 and 1.4 million total passwords. If this does not work, you may resort the a brute force attack.

The brute force attack involves using another tool, named crunch. 

 # crunch [MINLENGTH] [MAXLENGTH] [POSSIBLECHARACTERS]

Here are a couple examples:

Every number between 0 and 9999

# crunch 1 4 0123456789

Every letter between aaaaaaaa and ZZZZZZZZ 

# crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

Do keep in mind that every WPA key must be between 8-63 ASCII-encoded characters.

It wouldn't make much sense to check passwords between 1-7 characters long.

To implement crunch into aircrack-ng, we need to pipe as follows:

# crunch [MINLENGTH] [MAXLENGTH] [POSSIBLECHARACTERS] | aircrack-ng --bssid [BSSID] -w- [FILENAME]-01.cap

You should start to see every possible combination of characters that you have specified being used to crack the password. Be warned, this may take ages to complete.

For some perspective, a brute force attack that is 8 characters in length and contains both cases of every letter and every number has 63^8 possible combinations, or 218 trillion possibilities! Going through the list at 5000 passwords per second will take you a whopping 2000 years to complete!

5b.) oclHashcat

As stated with the aircrack-ng tool description, it will take you a very long time to calculate hashes. If you have a discrete graphics card (AMD or NVidia), you can utilize oclHashcat and get a much faster cracking time.

Download oclHashCat

You may attempt to get this working on your Kali, but I wouldn't recommend it if you are running it inside a virtual machine. I doubt it would be able to take full advantage of your graphics. Visualization aside, installing graphics drivers for Linux is a pain. For this tool, I recommend running it on Windows with your graphics card drivers already installed.

Before we use oclHashcat, we must convert the original .cap file to .hccap, which is used by Hashcat. Before we do that, it is recommended that we clean the packets.

 # wpaclean [CLEANEDFILE].cap [FILENAME].cap

Next, we can either use the online converter, or we can run the following command in aircrack-ng: 

 # aircrack-ng [CLEANEDFILE].cap -J [CLEANEDFILE].hccap

Now we move to Hashcat. Once extracted, you may download this batch file to make the tool a little more user friendly. Simply dump the text into a text file and then rename it to have an extension of  a .bat file.

If you choose to run the tool as it is, the command for running it is as follows:

For word list:

 > cudaHashcat64.exe -m 2500 [FILENAME].hccap [WORDLIST].txt

For brute force:

 > cudaHashcat64.exe -m 2500 -a3 [FILENAME].hccap [BRUTEOPTIONS]

Using an NVIDIA 660 TI+, I managed to reach 50,000 passwords per second. This was 10 times faster than using my CPU with aircrack-ng!

When the tool has cracked the password, it will place it in a file named cudaHashcat.pot.

This is an example of what that file might contain:

dd-wrt:20aa4b2770b4:b8e8562a3466:10010100

Don't be fooled, but 10010100 was actually the password to this network with an ESSID of "dd-wrt."

Conclusion

WPA/WPA2 isn't an impenetrable form of network security. As established, the stronger your password is, the longer it will take to crack. On the other side, the faster a hacker can go through hashes, the faster they can crack a password. I do not take any responsibility for actions and damage that is caused by the misuse of this tutorial. I only distribute it for those who wish to learn from it. Use it at your own risk. 

Thanks for reading!

-Dan