As mentioned above, the WPA/WPA2 standard was meant to fix some of the vulnerabilities found in the WEP standard; this also included the attack performed previously in this report. There are some flaws found in the current WPA/WPA2, but there is currently no logical or statistical way that can be used to make the cracking process more efficient. This is because WPA handles encryptions differently than WEP and creates a temporal base key, this key is frequently replaced and thereby makes the initialization vector inconsistent between packets, as discussed earlier on page 2. (The picture below represents TKIP).
The attack that is going to be performed can be summarized into two main steps, capturing a handshake and brute-forcing the password hash.
Capturing the Handshake
Since we can’t retrieve any useful information from the initialization vector, we need to capture something called a 4-way handshake. This 4-way handshake happens every time a client connects to an AP, and inside this handshake there exists a hash version of the password sent from the host authentication toward the AP. If we are able to sniff this handshake, we can brute force the hash and read the password in plain text.
As mentioned earlier in the report, a brute-force tool named Hashcat will be used to perform a dictionary brute-force on the hashed password. A dictionary attack is a technique used to brute-force more efficiently. Instead of calculating every possible combination with x amount of characters, there will be preconfigured wordlists containing millions of “likely” passwords. But if Hashcat has ran through the entire wordlist without acquiring the correct hash, it is then possible to use something called rules. Rules are in theory pretty simple. A rule takes every word given from the wordlist and adds a character or sets of characters to it. I could for example take every word in the wordlist and add the number 1-30 to the end of all of them. Aircrack-ng also has the possibility to perform these types of brute force, but Hashcat will perform more efficiently as it uses the system resources from the GPU instead of the CPU.
1. Started out by setting the networking interface into monitoring mode
- Airmon-ng start wlan0
2. Then I scanned the network to get the correct BSSID and the channel used by the AP
- airodump-ng wlan0mon
3. Then I ran the same command, but this time the channel and the BSSID were specified. This is to filter out all the non-relevant traffic and only show the devices connected to the relevant AP. The station framed with a red line is the device the
- airodump-ng -c 4 --bssid 10:DA:43:08:BF:10 -w myWEPHandshake wlan0mon
- -w Write the captured handshake to a file
- -c Specifies the channel used by the AP
4. As mentioned earlier in the report, the only time the 4-way handshake happens between the client and the AP is when a client connects to the network. It is possible to wait for a device to connect, but this might end up taking a very long time. To speed this process up there will be a deauthentication request send to the station. This will kick the specified client from the network, and since most devices are configured to automatically re-authenticate against any known networks, a 4-way handshake will be performed between the host and the client.
- aireplay-ng -0 1 -a 10:DA:43:08:BF:10 -c EC:1F:72:41:97:39 wlan0mon
- -0 Sets the replay to deauthentication
- 1 This is the number deauthentication requests to send
- -a Specifies the MAC of the ap
- -c Specifies the MAC of the client to deauthenticate, if this flag isn’t specified them the request will be sent to all the devices on the network.
5. When the deauthentication request got sent to the ap, there was a 4-way handshake between the client and ap. In addition, the airodump-ng session was able to hijack the traffic and get the handshake!
6. After the handshake is captured, all that’s left is to crack is the hash. To make the output from aircrack compatible with hashcat, the file needs to be converted from the orginal .cap format to a different format called hccapx. When the handshake file was transferred to the machine running hashcat, it could start the brute-force process
- hashcat64 -m 2500 myWEPHandshake-01.hccapx rockyou.txt
- -m 2500 This specifies the type of hash, 2500 signifies WPA/WPA2
- myWEPHandshake-01.hccapx This is the Handshake file
- rockyou.txt This is the wordlist
After 25 seconds the hash was cracked!!
8. As seen in the picture below, the authentication was a success and I was able to log on to the network.
In terms of technicality, this was probably the simplest one. Even though there were a couple of additional steps compared to the attack performed on the WEP network, it is still just a simple man-in-the-middle combined with plain brute force.
- Flexible, and will work on most modern wireless networks
- Simple to understand
- Requires little interaction with client on the network.
- System resource demanding
- Low success rate