Search

SearchSearch

WiFi Hacking ๐ŸŒ

Nov 15, 20243 min read

Basics. Intro to WPA

Key Terms

  • SSID: The network โ€œnameโ€ that you see when you try and connect
  • ESSID: An SSID that may apply to multiple access points, eg a company office, normally forming a bigger network. For Aircrack they normally refer to the network youโ€™re attacking.
  • BSSID: An access point MAC (hardware) address
  • WPA2-PSK: Wifi networks that you connect to by providing a password thatโ€™s the same for everyone
  • WPA2-EAP: Wifi networks that you authenticate to by providing a username and password, which is sent to a RADIUS server.
  • RADIUS: A server for authenticating clients, not just for wifi.

The core of WPA(2) authentication is the 4 way handshake.

Most home WiFi networks, and many others, use WPA(2) personal. If you have to log in with a password and itโ€™s not WEP, then itโ€™s WPA(2) personal. WPA2-EAP uses RADIUS servers to authenticate, so if you have to enter a username and password in order to connect then itโ€™s probably that.

Previously, the WEP (Wired Equivalent Privacy) standard was used. This was shown to be insecure and can be broken by capturing enough packets to guess the key via statistical methods.

The 4 way handshake allows the client and the AP to both prove that they know the key, without telling each other. WPA and WPA2 use practically the same authentication method, so the attacks on both are the same.

The keys for WPA are derived from both the ESSID and the password for the network. The ESSID acts as a salt, making dictionary attacks more difficult. It means that for a given password, the key will still vary for each access point. This means that unless you precompute the dictionary for just that access point/MAC address, you will need to try passwords until you find the correct one.

NOTE: Wi-Fi Protected Access (WPA) is a Wi-Fi protocol that has better security mechanisms than protocols such as WEP by means of handling user authentication and keys more securely. WPA has been further improved by versions such as WPA2 and WPA3

Capturing packets to attack

Using the Aircrack-ng suite, we can start attacking a wifi network. This will walk you through attacking a network yourself, assuming you have a monitor mode enabled NIC.

The aircrack-ng suite consists of:

  • aircrack-ng
  • airdecap-ng
  • airmon-ng
  • aireplay-ng
  • airodump-ng
  • airtun-ng
  • packetforge-ng
  • airbase-ng
  • airdecloak-ng
  • airolib-ng
  • airserv-ng
  • buddy-ng
  • ivstools
  • easside-ng
  • tkiptun-ng
  • wesside-ng

Weโ€™ll want to use aircrack-ng, airodump-ng and airmon-ng to attack WPA networks.

The aircrack tools come by default with Kali, or can be installed with a package manager or from https://www.aircrack-ng.org/

I suggest creating a hotspot on a phone/tablet, picking a weak password (From rockyou.txt) and following along with every stage. To generate 5 random passwords from rockyou, you can use this command on Kali: head /usr/share/wordlists/rockyou.txt -n 10000 | shuf -n 5 -

You will need a monitor mode NIC in order to capture the 4 way handshake. Many wireless cards support this, but itโ€™s important to note that not all of them do.

Injection mode helps, as you can use it to deauth a client in order to force a reconnect which forces the handshake to occur again. Otherwise, you have to wait for a client to connect normally.

Example of capturing it

If you get a capture like this one:

do the following:

aircrack-ng -j wifi NinjaJc01-01.cap
 
aircrack-ng -a2 -b 02:1A:11:FF:D9:BD -w /usr/share/wordlists/rockyou.txt wifi.hccapx

Graph View

Backlinks

  • No backlinks found