Introduction

We covered the basics of Wi-Fi penetration testing with aircrack-ng and the concept of the WPA four-way handshake.

The core of WPA(2) authentication is the four-way handshake.

Most home Wi-Fi networks, and many others, use WPA(2) Personal. If you have to log in with just a password and it’s not WEP, then it’s WPA(2) Personal. WPA2-EAP authenticates against a RADIUS server, so if you have to enter a username and a password in order to connect, it’s probably that.

Previously, the WEP (Wired Equivalent Privacy) standard was used. It was shown to be insecure: the key can be recovered by capturing enough packets and applying statistical methods.

The four-way handshake allows the client and the AP to prove to each other that they know the key, without either side revealing the key itself. WPA and WPA2 use practically the same authentication method, so the attacks on both are the same.

The keys for WPA are derived from both the ESSID and the password for the network. The ESSID acts as a salt, which makes dictionary attacks harder: for a given password, the derived key still differs for each access point. Unless you precompute the dictionary for just that access point/MAC address, you will need to try candidate passwords one at a time until you find the correct one.

In this video, I’ll give you a rundown of wireless attacks and show you how to perform Wi-Fi penetration testing using a popular tool called aircrack-ng.

Getting Started: Basic Terminology

Before we dive into the practical side, let’s get some basic terms out of the way.

WPA2-PSK vs. WPA2-EAP: Your home network probably uses WPA2-PSK, where you just need a password to connect. In a corporate or university environment, you’re more likely to see WPA2-EAP, which is more secure because it requires both a username and a password. Authentication is usually handled by a RADIUS server.

SSID and ESSID: You know that name you see when you’re looking for a Wi-Fi network? That’s the SSID. In larger places like a university or a big company, you might have multiple access points advertising the same SSID. That’s what we call an ESSID. The ESSID is really important because it’s used, together with the password, to calculate the pre-shared key.

BSSID: This is simply the MAC address of the access point, i.e. your router or modem.

The Four-Way Handshake

When you connect to a Wi-Fi network, your device and the router go through a process called the WPA2 four-way handshake. This is the authentication step. For a penetration tester, the main goal is to capture this handshake. Why? Because the key used for authentication is calculated from the ESSID and the network password, so once we have captured the handshake we can try candidate passwords against it offline.
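The introduction and this section both say the key is derived from the ESSID and the password, with the ESSID acting as a salt. The following is an added example, not code from the original post or from the aircrack-ng project, that carries the derivation through: WPA(2)-Personal turns a passphrase and an SSID into a 256-bit pre-shared key (the PMK that seeds the four-way handshake) with PBKDF2-HMAC-SHA1 at 4096 iterations, using the SSID as the salt. It checks the published IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), shows that one passphrase yields a different key on every SSID, and measures why each wordlist candidate is expensive to test. The SSID names "HomeNet", "HomeNet-5G" and the benchmark passphrases are constructed for the demonstration.

```python
import hashlib
import time

# WPA(2)-Personal derives the 256-bit pre-shared key (PSK, which is also the PMK
# that seeds the four-way handshake) as PBKDF2-HMAC-SHA1 over the passphrase,
# with the SSID as the salt and 4096 iterations (IEEE 802.11i, Annex H).
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for this passphrase on this SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),       # the SSID is the salt
        PBKDF2_ITERATIONS,
        dklen=PSK_LEN,
    )


def derive_psk_hex(passphrase: str, ssid: str) -> str:
    return derive_psk(passphrase, ssid).hex()


def psk_is_ssid_specific(passphrase: str, ssids) -> bool:
    """True when one passphrase yields a different PSK on every SSID given,
    i.e. a table precomputed for one network cannot be reused on another."""
    psks = {derive_psk(passphrase, s) for s in ssids}
    return len(psks) == len(set(ssids))


def seconds_per_guess(ssid: str, samples: int = 20) -> float:
    """Rough cost of one PSK derivation on this CPU. The 4096 PBKDF2 rounds are
    what make every wordlist candidate expensive to test, on CPU or GPU."""
    start = time.perf_counter()
    for i in range(samples):
        derive_psk(f"candidate-{i}", ssid)   # constructed throwaway passphrases
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Published test vector from IEEE 802.11i Annex H.4: passphrase "password", SSID "IEEE".
    print("IEEE test vector:", derive_psk_hex("password", "IEEE"))
    # Same passphrase on two constructed SSIDs gives two unrelated keys.
    for ssid in ("HomeNet", "HomeNet-5G"):
        print(f"{ssid:12} {derive_psk_hex('correct horse battery staple', ssid)[:16]}...")
    print(f"~{seconds_per_guess('HomeNet') * 1000:.2f} ms per candidate on this CPU")
```

The derivation is deterministic, so the same passphrase on the same SSID always gives the same key; that is exactly what makes a per-ESSID precomputed table possible and a cross-network one useless.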

What You’ll Need for the Attack

To pull this off, you’ll need a few things:

  1. A captured four-way handshake.
  2. The captured packets saved to a .cap file.
  3. A powerful wordlist to crack the password.

I’ll be using the aircrack-ng suite for this demonstration. It’s a command-line tool, but it’s very popular and has a lot of community support.

Let’s Get Hacking: The Practical Steps

Now for the fun part! Here are the steps to perform a Wi-Fi penetration test.

  1. Find Your Network Adapter: First, I need to see what network adapters I have. I can use the ifconfig or iwconfig commands for this. I’m looking for my wireless adapter, which is usually named something like wlan0.
  2. Enable Monitor Mode: Next, I’ll put my wireless adapter into monitor mode. This allows me to capture all the wireless traffic around me, not just the traffic meant for my device.
  3. Kill Interfering Processes: I’ll run a quick command to kill any other processes that might be using the wireless adapter and could interfere with what I’m doing.
  4. Capture Traffic: Now, I’ll start capturing traffic to see all the nearby Wi-Fi networks and get their details, like their BSSID and the channel they’re on.
  5. Target a Specific Network: Once I’ve found my target, I’ll focus my capture on that specific network, saving all the captured data to a .cap file.
  6. Deauthenticate a Client: To capture the four-way handshake, I need a device to connect to the network while I am listening. If a device is already connected, I can force it to disconnect so that it reconnects. This is called a deauthentication attack. When the device reconnects, I can capture the handshake.
  7. Crack the Password: Finally, with the captured handshake and my wordlist, I can try to crack the password. The success of this step depends entirely on whether the password is in my wordlist. Using a GPU for this is much faster than a CPU.
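Step 6 works because deauthentication is an unauthenticated management frame on networks without Protected Management Frames, and a burst of them from one BSSID is easy to spot in monitor-mode captures. The following detector is an added example, not code from the original post or from the aircrack-ng suite: it decodes the fixed 802.11 header of raw frames, counts deauthentication frames per BSSID in a sliding time window, and raises one alert when a BSSID crosses a threshold. The MAC addresses, timestamps, threshold and window are constructed for the demonstration, as is the minimal frame builder used only to create sample input.

```python
from collections import defaultdict, deque

# Byte 0 of the 802.11 frame-control field: subtype (4 bits) | type (2 bits) | version (2 bits).
# Management type is 0 and the Deauthentication subtype is 12, so the byte reads 0xC0.
FC_DEAUTH = 0xC0
FC_BEACON = 0x80
DEAUTH_THRESHOLD = 10   # this many deauth frames for one BSSID ...
WINDOW_SECONDS = 2.0    # ... within this many seconds raises an alert (constructed tuning)


def mac_bytes(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def parse_frame(raw: bytes):
    """Decode the fixed header of a raw 802.11 frame (no radiotap header).
    Returns (is_deauth, dst, src, bssid, reason_code) or None if too short."""
    if len(raw) < 24:
        return None
    is_deauth = (raw[0] & 0xFC) == FC_DEAUTH      # ignore the 2 protocol-version bits
    dst = raw[4:10].hex(":")
    src = raw[10:16].hex(":")
    bssid = raw[16:22].hex(":")
    reason = None
    if is_deauth and len(raw) >= 26:               # body follows the 24-byte header
        reason = int.from_bytes(raw[24:26], "little")
    return is_deauth, dst, src, bssid, reason


def detect_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """frames: iterable of (timestamp_seconds, raw_frame). Keeps a sliding window
    of deauth timestamps per BSSID; returns one alert per BSSID that crosses the
    threshold, as (bssid, window_start_ts, count_at_alert)."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        parsed = parse_frame(raw)
        if parsed is None or not parsed[0]:
            continue                               # not a deauth frame
        bssid = parsed[3]
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:                  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, q[0], len(q)))
    return alerts


# --- constructed sample traffic (not captured data) --------------------------
def sample_frame(fc0: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Build a minimal 802.11 management frame purely as test input for the detector."""
    header = (bytes([fc0, 0x00]) + b"\x00\x00"             # frame control, duration
              + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
              + b"\x00\x00")                                 # sequence control
    return header + body


AP_GOOD, AP_FLOOD = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLIENT, BROADCAST = "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff"
REASON_CLASS3 = (7).to_bytes(2, "little")   # reason 7: class 3 frame from non-associated station

SAMPLE_FRAMES = [
    (0.00, sample_frame(FC_BEACON, BROADCAST, AP_GOOD, AP_GOOD)),
    (0.50, sample_frame(FC_DEAUTH, CLIENT, AP_GOOD, AP_GOOD, REASON_CLASS3)),   # one, plausible
] + [
    (5.0 + i * 0.01, sample_frame(FC_DEAUTH, BROADCAST, AP_FLOOD, AP_FLOOD, REASON_CLASS3))
    for i in range(12)                                                          # a burst
]

if __name__ == "__main__":
    for bssid, start, count in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"ALERT {bssid}: {count} deauth frames within {WINDOW_SECONDS}s from t={start:.2f}")
```

The single deauthentication from AP_GOOD never trips the alert, while the broadcast burst from AP_FLOOD does on its tenth frame. On networks that enable 802.11w (Protected Management Frames) clients discard unauthenticated deauthentication frames, so forced reconnects of this kind stop working; where PMF is not available, a rate alert like this one is the practical fallback.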

Technical Commands Used

Here are the commands I used in this demonstration:

  • ifconfig
  • iwconfig
  • sudo airmon-ng start wlan0
  • sudo airmon-ng check kill
  • sudo airodump-ng wlan0
  • sudo airodump-ng --bssid [BSSID] -c [channel] -w mynetwork wlan0
  • sudo aireplay-ng --deauth [number of packets] -a [BSSID] wlan0
  • sudo aircrack-ng -b [BSSID] [cap file] -w [wordlist]

TryHackMe Wifi Hacking 101 Answers

What type of attack on the encryption can you perform on WPA(2) personal?

Can this method be used to attack WPA2-EAP handshakes? (Yea/Nay)

What three letter abbreviation is the technical term for the “wifi code/password/passphrase”?

What’s the minimum length of a WPA2 Personal password?

How do you put the interface “wlan0” into monitor mode with Aircrack tools? (Full command)

What is the new interface name likely to be after you enable monitor mode?

What do you do if other processes are currently trying to use that network adapter?

What tool from the aircrack-ng suite is used to create a capture?

What flag do you use to set the BSSID to monitor?

And to set the channel?

And how do you tell it to capture packets to a file?

What flag do we use to specify a BSSID to attack?

What flag do we use to specify a wordlist?

How do we create a HCCAPX in order to use hashcat to crack the password?

Using the rockyou wordlist, crack the password in the attached capture. What’s the password?

Where is password cracking likely to be fastest, CPU or GPU?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.