9 – WPA2 TKIP – Security Mode Cracking

We are going to skip WPA and go straight to WPA2 TKIP, because if we can crack WPA2 we can crack WPA.

What does WPA stand for?

Wi-Fi Protected Access

How did it come about?

Well, if you were following the previous lessons you will have seen that the other security protocols are extremely vulnerable and trivial to crack or bypass, so the Wi-Fi Alliance defined WPA and WPA2 in response to the research that uncovered those vulnerabilities.

WPA is more secure than WEP though so why should I be worried?

Well, nothing is really as secure as we think. Nothing is bulletproof or 100% secure, and plenty of 0-days exist out there that already bypass these protections that we don't know about. We will go through some of the known vulnerabilities that exist and can be easily carried out in order to crack the password using different methods.

What if my password is really long?

Well, if you are using a 64 character password, congratulations, you are a lot more secure than most people out there, but if someone really wants you they will get you. If your router has Wi-Fi Protected Setup (WPS), though, your 64 character password has effectively become 4 numbers and will be trivial to crack, so if you have WPS, disable it; and if you disabled it and it can still be cracked, you should obtain a different router. We will look at this in a future lesson.

Now that we have discussed a little bit about WPA, let's move on with the lesson and crack it. As always, modify your access point settings to replicate the image below:

[Image 1 - Configure WPA2 access point settings]

As always, put your card into monitor mode:

airmon-ng start wlan0 6

[Image 2 - monitor mode enabled]

Now that you have put your card into monitor mode you need to start airodump-ng in order to capture the traffic from the access point.

airodump-ng --bssid 00:18:E7:XX:XX:XX --channel 6 -w testcapture mon0

[Image 3 - airodump-ng capture]

Output looks like this:

[Image 4 - airodump-ng output]

You can see the following from the above output:

BSSID is the access point MAC address
STATION is a client either authenticated or looking for an access point if not associated with a BSSID
CH or channel is set to 6
ENC or encryption type is set to WPA2
CIPHER is set to TKIP
AUT or authentication is set to PSK aka Pre-Shared Key or Personal Mode
ESSID or the name of the access point is set to “test”

Now we are looking for the four-way handshake, and this can be accomplished in two different ways: number one, just waiting for a client to connect, and number two, sending a de-authentication packet to the client, forcing it to reconnect and obtaining the handshake that way. We are going to focus on number two in this scenario.

aireplay-ng -0 2 -a 00:18:E7:XX:XX:XX -c F4:09:D8:XX:XX:XX mon0

-0 means deauthentication
2 (the number after -0) is the number of deauths to send
-a is the MAC address of the AP
-c is the MAC address of the client you are de-authenticating

[Image 5 - de-authentication of the client]

Now if you check back in your airodump-ng output you will see that you have obtained the handshake.

[Image 6 - handshake captured in airodump-ng]

At this point you can kill airodump-ng as you have the handshake, but to verify that you have captured either the full four parts of the handshake or at minimum two parts, fire up Wireshark and take a look.
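From the defender's side, a de-authentication burst like the one sent in this step is easy to spot: a monitor-mode capture shows a run of deauth frames from the AP's address to one client within a fraction of a second, while a genuine disconnect is a single frame. The following is an added example, not part of the original lesson, that parses raw 802.11 management frames and flags any (transmitter, receiver) pair that exceeds a threshold of deauth frames inside a one-second window; the MAC addresses, frames and timestamps are constructed placeholders.

```python
import struct
from collections import defaultdict

# 802.11 frame control byte 0 = subtype<<4 | type<<2 | version.
# Management type is 0; deauthentication subtype is 12 (0xC0), beacon is 8 (0x80).
FC_DEAUTH = 0xC0
FC_BEACON = 0x80

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(fc0, da, sa, bssid, body=b""):
    # Constructed test frame: FC(2) + duration(2) + addr1/addr2/addr3 + seq ctrl(2) + body.
    return bytes([fc0, 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body

def parse_frame(raw):
    """Return (type, subtype, addr1, addr2, reason); reason is None unless the frame is a deauth."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    reason = None
    if ftype == 0 and subtype == 12 and len(raw) >= 26:
        reason = struct.unpack("<H", raw[24:26])[0]   # deauth body is a 2-byte reason code
    return ftype, subtype, mac_str(raw[4:10]), mac_str(raw[10:16]), reason

def deauth_bursts(frames, window=1.0, threshold=4):
    """frames: list of (timestamp_seconds, raw_802_11_bytes).
    Returns {(transmitter, receiver): peak} for pairs with >= threshold deauths in any window."""
    times = defaultdict(list)
    for ts, raw in frames:
        p = parse_frame(raw)
        if p and p[0] == 0 and p[1] == 12:
            times[(p[3], p[2])].append(ts)   # addr2 is the transmitter, addr1 the receiver
    alerts = {}
    for pair, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):   # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pair] = peak
    return alerts

# Constructed sample: placeholder MACs, one beacon, a 5-frame deauth burst, one normal deauth.
AP = bytes.fromhex("0018e7010203")
CLIENT = bytes.fromhex("f409d8040506")
SAMPLE = [(0.0, build_frame(FC_BEACON, b"\xff" * 6, AP, AP))]
SAMPLE += [(1.0 + i * 0.05, build_frame(FC_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))) for i in range(5)]
SAMPLE.append((30.0, build_frame(FC_DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))))  # client leaving
```

Running `deauth_bursts(SAMPLE)` reports only the AP-to-client burst; the lone client-to-AP deauth stays below the threshold.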

wireshark your_capture_file.cap &

[Image 7 - start wireshark on the capture]

Use the filter eapol and click "Apply" to see only the EAPOL packets, as these contain your handshake.

[Image 8 - Wireshark eapol filter]

Now it's just a case of running aircrack-ng against the capture and cracking the password associated with it. In this case, in order to speed it up, I am going to create a little word list so that we don't have to wait around for ages to see if we can crack it, especially as we already know the password!

Using cat just do something like the following, depending on your password:

[Image 9 - cat simple test list]

Now for aircrack-ng:

aircrack-ng -b 00:18:E7:XX:XX:XX testcapture*.cap

"-b" selects your AP MAC
"testcapture*.cap" runs aircrack-ng against all the capture files in the directory named testcapture-X.cap

[Image 10 - starting aircrack]

Success looks like the following:

[Image 11 - aircrack-ng WPA2 cracked]

Lesson Learned:

Even WPA/WPA2 can be easily broken. All it takes is an attacker with some patience to passively monitor the air and capture your four-way handshake, or to actively de-authenticate you in order to obtain it, and then crack your key either by uploading the capture to a cloud cracker or by using their own GPU/cloud cracker, leaving it running without having to be anywhere near your access point. Once the four-way handshake has been obtained, that is all that is required to break your key off-site; depending on the attacker's resources and the strength of your password this can take anywhere from a few minutes to months or even years, but it will eventually be broken. The best mitigation against this form of attack is an extremely long password.
