The insufficiency of brute-force
In more realistic circumstances, a WPA network would not be as easy to penetrate as the previous example seemed to suggest. Everything comes down to the strength of the password, and these passwords are often very hard to crack. This is especially true if the routers/access points are pre-configured by the manufacturer: these passwords are often a random string of up to 12 characters and usually contain multiple symbols and uppercase letters. In fact, since the WPA key derivation is deliberately resource-intensive, the time required to try every possible combination would literally take billions of years, even with the most powerful graphics cards available. That is why it is often easiest to attack the network from a more vulnerable angle, namely, the user.
As mentioned earlier, I am going to use a tool named fluxion to perform this attack. This is how Fluxion operates:
- Scans the network
- Gets the Handshake
- Generates an open fake AP with the same SSID as the one you're attacking
- Starts an MDK3 process, which kicks everyone out of the targeted network
- Starts a fake DNS server to redirect all DNS requests to the attacking host
- A fake captive-portal website is launched for the user to enter the WPA password
- The entered WPA password is checked against the captured handshake
- If the entered password matches the hash from the handshake, Fluxion terminates all the running processes and the client is able to connect back to the original AP

I started by launching the Fluxion application.
I was prompted to choose a language and chose English.
I was asked to choose a channel to scan. This is a good option if you know the channel used by the AP you're targeting; I chose "All channels" as I didn't know which channel the AP used.
Then the network adapter goes into monitor mode and shows all the available networks. I could also see all the clients connected to the different APs. This is important, as the handshake cannot be captured unless there is a client connected to the AP. When the targeted AP was shown, I terminated the scanning session and Fluxion asked me to pick one of the found networks. I picked the CrackMe-WPA2 network.
Then I chose which application to use for the fake AP. Hostapd was chosen as it was the recommended tool.
I picked the application used to validate the password entered by the target against the captured handshake. I chose aircrack-ng, as pyrit didn't work properly.
Then I chose how to deauthenticate the devices on the AP. "Deauth all" deauthenticates all the devices in a network, while "Deauth target" deauthenticates each target individually. I chose "Deauth target" as it worked more effectively.
The session will then start. Two new terminals will open, one sending the deauthentication requests to the connected clients, and one monitoring whether the handshake has been captured. The deauthentication terminal needs to be manually terminated after a couple of seconds; this makes the target re-authenticate with the AP and thereby perform the 4-way handshake. When the handshake has been captured, the second terminal will signify this in the left corner. When the handshake was captured, I checked it and proceeded to the next phase.
- CTRL + C (To exit the Deauth terminal)
I generated a new SSL certificate for the web server and chose the Web Interface as the method.
Then I was asked to pick a web interface. There are multiple interfaces to choose from. Since this is the page where the user will be asked to input the WPA password under the pretext of a firmware update, it's smart to pick a login page which is consistent with the AP's vendor. If this is not an option, the generic pages in different languages will also work. I picked Netgear.
Then five terminals will show, each with a specific application running. This includes a DHCP server, the fake DNS, a deauthentication tool used to make the original network unavailable, the application used for the fake AP, and an information window showing the connected clients.
The client will now lose its connection to the original network and will not be able to log back on to it. The victim now needs to manually connect to the open network with the same SSID as the targeted network. If a client connects to that network and tries to access any website, the fake DNS will redirect the client to the web server running the fake WPA password authentication page.
After the client has submitted a password, the password is hashed using the WPA scheme and checked against the hash retrieved from the handshake. If it matches, the Fluxion application shuts down and the client automatically connects back to the original network and regains its internet connection.
This was by far the easiest attack to perform. Even though it spans multiple complex applications, the Fluxion framework is written in a way that makes this invisible to the user. The problem with a social engineering attack like this lies in the fact that it requires a certain level of trust from the targeted user. In addition, there is a greater chance of being caught performing this attack, as user interaction is required.
- Required little knowledge
- No brute-force needed
- Resource efficient
- Likely to get caught
- Requires the target to trust the attacker's fake portal
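As an added example (not from the original write-up and not Fluxion's own code), here is a defender-side detector for the two observable signatures of this attack: a second BSSID beaconing the same SSID without the Privacy bit set, and a burst of deauthentication frames from one source address. The frame records and their field layout are constructed for this example; in practice they would be pulled from a monitor-mode capture.

```python
from collections import defaultdict

# Constructed frame records: (time_s, subtype, bssid, ssid, privacy, src)
# privacy is the beacon's Privacy capability bit (True = WPA/WEP protected).
SAMPLE_FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "CrackMe-WPA2", True, "aa:bb:cc:00:00:01"),
    (0.1, "beacon", "aa:bb:cc:00:00:01", "CrackMe-WPA2", True, "aa:bb:cc:00:00:01"),
    (0.2, "beacon", "dd:ee:ff:00:00:99", "CrackMe-WPA2", False, "dd:ee:ff:00:00:99"),
    (0.3, "beacon", "11:22:33:44:55:66", "Neighbour", True, "11:22:33:44:55:66"),
] + [
    # ten deauth frames in half a second, all claiming to come from the real AP
    (1.0 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", None, None, "aa:bb:cc:00:00:01")
    for i in range(10)
] + [
    (5.0, "deauth", "11:22:33:44:55:66", None, None, "11:22:33:44:55:66"),  # single, benign
]

def find_evil_twins(frames):
    """Return (ssid, open_bssids, protected_bssids) for every SSID that is
    beaconed both with and without the Privacy bit: an open network that
    mirrors a protected one is the signature of the fake AP described above."""
    seen = defaultdict(lambda: {True: set(), False: set()})
    for _t, sub, bssid, ssid, privacy, _src in frames:
        if sub == "beacon":
            seen[ssid][bool(privacy)].add(bssid)
    return [(ssid, sorted(s[False]), sorted(s[True]))
            for ssid, s in seen.items() if s[False] and s[True]]

def find_deauth_floods(frames, window=1.0, threshold=5):
    """Return {src: peak_count} for sources sending more than `threshold`
    deauthentication frames inside any `window`-second span."""
    times = defaultdict(list)
    for t, sub, _b, _s, _p, src in frames:
        if sub == "deauth":
            times[src].append(t)
    floods = {}
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                floods[src] = max(floods.get(src, 0), count)
    return floods

if __name__ == "__main__":
    print("evil twins:", find_evil_twins(SAMPLE_FRAMES))
    print("deauth floods:", find_deauth_floods(SAMPLE_FRAMES))
```

A wireless IDS would feed live beacon and deauthentication frames into the same two checks; a single deauth from a legitimate AP does not trigger the flood rule, while the burst and the open twin SSID both do.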