Breaking WPA2-PSK with Kali Linux
Posted in Hacking - By Aamir Lakhani on Sunday, May 26th, 2013

WPA2-PSK may not be as safe as you think. There are a few attacks against
WPA2-PSK. One of the most common attacks against WPA2 is exploiting a weak
passphrase.

Below you will find a few easy steps on how to break WPA2 with a weak
passphrase.

Breaking the Wireless Lab Home Network:
---------------------------------------

I set up a test network for this blog article. The client box is logging into my
Wireless Lab test network. This is the network we will break.

Selecting Wireless Network
--------------------------
Step 1:

The first step is to verify the router configuration. Normally in a real
penetration test we would not have this option, but since this is a home lab I
have a little more flexibility.

In this case the lab access point is securing the wireless network Wireless Lab
with WPA2-PSK. It is using the passphrase Cisco123. You can use any wireless
router to set up your wireless lab.

Wireless Lab

Step 2:

We will be using Kali Linux to complete this task. Kali will need a wireless
card configured before it can be used by the operating system. I am using the
Alfa AWUS051NH adapter. Almost any Alfa wireless adapter will work. I am a big
fan of the AWUS051NH adapter because it is a dual-band adapter. However, this
card is very difficult to obtain since it is no longer sold.

Alfa

The iwconfig command will show any wireless cards in the system. I am using a
Realtek wireless card. Linux ships with the Realtek drivers, making it a Linux
plug-and-play wireless card.

The operating system recognizes a wireless interface named wlan0.

IWconfig

Step 3:

My next step will be to enable the wireless interface. This is accomplished by
issuing the ifconfig wlan0 up command.

ifconfig up

Step 4:

I need to understand what wireless networks my wireless card sees. I issue the
iwlist wlan0 scanning command.

iwlist scanning

This command forces the wireless card to scan and report on all wireless
networks in the vicinity.

You can see from this example that it found my target network: Wireless Lab. It
also found the MAC address of my access point: 0E:18:1A:36:D6:22. This is
important to note because I want to limit my attack to this specific access
point (to ensure we are not attacking or breaking anyone else's password).

Secondly, we see the AP is transmitting on channel 36. This is important because
it allows us to be specific about which wireless channel we want our wireless
card to monitor and capture traffic from.

Wireless Lab

Step 5:

The next step is to change the wireless card to monitor mode. This will allow
the wireless card to examine all the packets in the air.

We do this by creating a monitor interface using airmon-ng. Issue the airmon-ng
command to verify airmon-ng sees your wireless card. From that point create the
monitor interface by issuing the command: airmon-ng start wlan0

airmon-ng start

Next, run the ifconfig command to verify the monitor interface is created. We
can see mon0 is created.

ifconfig-2

Now verify the interface mon0 has been created.

mon0

Step 6:

Use airodump-ng to capture the WPA2 handshake. The attacker will have to catch
someone in the act of authenticating to get a valid capture. Airodump-ng will
display a valid handshake when it captures it. It will display the handshake
confirmation in the upper right hand corner of the screen.

Note: We will manually connect to the wireless network to force a handshake. In
a future post I will show you how to force a reauthentication to make a device
automatically disconnect and reconnect without any manual intervention.

We used the following command: airodump-ng mon0 --bssid 20:aa:4b:1f:b0:10 (to
capture packets from our AP) --channel 6 (to limit channel hopping) --write
BreakingWPA2 (the name of the file we will save to). With the values for our
lab access point the command is:

airodump-ng mon0 --bssid 0E:18:1A:36:D6:22 --channel 36 --write BreakingWPA2

(make sure the two dashes in each option are typed together, with no space
between them)

Airodump command

To capture the handshake you are dependent on observing a legitimate client
authenticating to the network. However, this does not mean you have to wait for
a client to authenticate on its own. You can force a client to re-authenticate
(which will happen automatically with most clients when you force a
deauthentication).

When you see the WPA handshake message you know you have captured a valid
handshake.

example:

WPA2 Handshake
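The forced deauthentication mentioned above is also what a wireless IDS looks for: a legitimate AP sends deauthentication or disassociation frames rarely, so a burst of them attributed to one BSSID is a strong signal that someone is trying to provoke a handshake. The following added example (not part of the original post or of the aircrack-ng suite) shows that detection logic over a constructed list of already-parsed 802.11 management-frame records. The record format, window and threshold are assumptions for this example.

```python
"""Detect deauthentication/disassociation floods in parsed 802.11 frames.

Added example for this post, not code from the original tutorial or from
the aircrack-ng project. It assumes frames have already been parsed into
(timestamp_seconds, frame_type, frame_subtype, bssid, destination) records,
as a capture tool feeding a wireless IDS would provide; the records below
are constructed sample data so the script runs offline.
"""
from collections import defaultdict, deque

# 802.11 frame type/subtype values from the standard.
MGMT = 0          # management frame type
BEACON = 8        # management subtype: beacon
DISASSOC = 10     # management subtype: disassociation
DEAUTH = 12       # management subtype: deauthentication
DATA = 2          # data frame type

LAB_AP = "0E:18:1A:36:D6:22"          # the lab AP's BSSID from the post
NEIGHBOUR_AP = "AA:BB:CC:DD:EE:01"    # constructed, unrelated AP
BROADCAST = "FF:FF:FF:FF:FF:FF"
CLIENT = "11:22:33:44:55:66"          # constructed client MAC

# Constructed sample capture: normal beacons, one benign deauth from a
# neighbouring AP, then a burst of broadcast deauth frames carrying the
# lab AP's BSSID (the footprint a forced reauthentication leaves).
SAMPLE_FRAMES = [
    (0.00, MGMT, BEACON, LAB_AP, BROADCAST),
    (0.10, MGMT, BEACON, LAB_AP, BROADCAST),
    (0.50, MGMT, DEAUTH, NEIGHBOUR_AP, CLIENT),   # single, benign
    (1.00, MGMT, DEAUTH, LAB_AP, BROADCAST),      # burst starts
    (1.10, MGMT, DEAUTH, LAB_AP, BROADCAST),
    (1.20, MGMT, DEAUTH, LAB_AP, BROADCAST),
    (1.30, MGMT, DEAUTH, LAB_AP, BROADCAST),
    (1.40, MGMT, DEAUTH, LAB_AP, BROADCAST),      # 5th within 1s: alert
    (1.50, MGMT, DEAUTH, LAB_AP, BROADCAST),
    (1.60, MGMT, DISASSOC, LAB_AP, BROADCAST),
    (2.00, DATA, 0, LAB_AP, CLIENT),              # client reconnecting
]


def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Return one alert per BSSID as (bssid, window_start, count).

    An alert fires the first time `threshold` or more deauth/disassoc
    frames attributed to the same BSSID fall inside a sliding window of
    `window` seconds. Frames must be in timestamp order.
    """
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauths
    alerted = set()
    alerts = []
    for ts, ftype, subtype, bssid, _dst in frames:
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerts.append((bssid, q[0], len(q)))
            alerted.add(bssid)
    return alerts


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT: {count} deauth/disassoc frames from {bssid} "
              f"within 1s starting at t={start:.2f}s")
```

The single deauthentication from the neighbouring AP never reaches the threshold, while the lab AP's burst alerts on its fifth frame; on real hardware the same logic would sit behind whatever parses the raw radiotap/802.11 headers.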

Step 7:

We will use aircrack-ng with a dictionary file to crack the password. Your
chances of breaking the password depend on the dictionary file.

The command is: aircrack-ng “name of cap file you created” -w “name of your
dictionary file”

aircrack

The BreakingWPA2-01.cap file was created when we ran the airodump-ng command.
The valid WPA2 handshake airodump-ng captured is stored in the
BreakingWPA2-01.cap file.

BackTrack 5 ships with a basic dictionary. The dictionary file darkc0de.lst is
a popular wordlist that ships with BackTrack 5. We added our password Cisco123
to this file to make the test run a little smoother.

Many attackers use large dictionaries that increase their chances of cracking a
password. Many dictionaries contain passwords from real users and websites that
have been cracked and posted on the Internet. Some sophisticated dictionaries
combine multiple languages, permutations of each word, and key words and phrases
from social media sites such as Twitter and Facebook.

Kali does not come with the darkc0de.lst, but you can download it from here.

NOTE: Kali does have built-in wordlists in /usr/share/wordlists

In this blog we created a file named “sample.lst” and added the word Cisco123 to
it.
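The flip side of the dictionary discussion above is that a network owner can run the same check before choosing a passphrase: if a candidate PSK, or a trivially normalised form of it, appears in a wordlist of the kind described, it will fall to this attack. The following added example (not part of the original post or of aircrack-ng) audits a candidate passphrase against an in-memory wordlist in the same one-word-per-line format as sample.lst. The minimum-length policy value and the normalisation rule are assumptions for this example.

```python
"""Audit a WPA2-PSK passphrase against a wordlist of the kind the post uses.

Added example, not code from the original post or from aircrack-ng. The
wordlist is constructed in-memory here (sample.lst-style, one entry per
line); in practice `load_wordlist` would be fed the lines of a real file.
"""
import re

# Policy value assumed for this example. 802.11i itself only requires a
# passphrase of 8 to 63 printable ASCII characters.
MIN_LENGTH = 16

# Constructed wordlist, standing in for sample.lst / darkc0de.lst.
SAMPLE_WORDLIST_LINES = [
    "password",
    "Cisco123",
    "letmein",
    "wireless",
    "",          # blank lines are common in real wordlists
]


def normalize(word):
    """Lower-case and strip trailing digits/symbols: 'Cisco123' -> 'cisco'.

    This catches the most common 'make it look complex' habit, appending a
    year or a '!' to a dictionary word.
    """
    return re.sub(r"[\d\W_]+$", "", word.lower())


def load_wordlist(lines):
    """Return the set of raw (lower-cased) and normalized wordlist entries."""
    words = set()
    for line in lines:
        entry = line.strip()
        if not entry:
            continue
        words.add(entry.lower())
        base = normalize(entry)
        if base:
            words.add(base)
    return words


def audit_passphrase(passphrase, wordlist):
    """Return a list of findings; an empty list means no weakness was found."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("not a valid WPA2-PSK passphrase length (8-63 characters)")
    if len(passphrase) < MIN_LENGTH:
        findings.append(f"shorter than policy minimum of {MIN_LENGTH} characters")
    if passphrase.lower() in wordlist:
        findings.append("appears verbatim in the wordlist")
    elif normalize(passphrase) in wordlist:
        findings.append("is a wordlist entry with case changes or trailing digits/symbols")
    return findings


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST_LINES)
    for candidate in ("Cisco123", "cisco2013!", "correct-battery-staple-lab-2013"):
        result = audit_passphrase(candidate, words)
        verdict = "OK" if not result else "; ".join(result)
        print(f"{candidate!r}: {verdict}")
```

The lab passphrase Cisco123 fails on both length and a verbatim wordlist hit, and a variant like cisco2013! still fails through the normalised lookup; a long passphrase built from words not in the list passes, which is the property that makes the offline dictionary attack described in this post impractical.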

Success:

If the password is found in the dictionary file then aircrack-ng will crack it.

aircrack WPA

http://www.drchaos.com/breaking-wpa2-psk-with-kali