Introduction
Brute-forcing is probably one of
the most well known techniques when it comes to gaining access. It’s a soft
cushion to land upon when nothing seems to work anymore and rightfully so,
since the majority of network devices and applications lack the resilience to
effectively detect and prevent brute-force attacks, it comes as an effective
attack. In this article we’ll be focusing on various Wi-Fi password brute
forcing tools to demonstrate how easy it can be for an attacker to guess your
Wi-Fi password and the necessity to keep a complex password.
Simulation Mechanism
Since we don’t want to be breaking
into unauthorized devices, we’ll set up our own lab. And by lab I mean we’ll
use our own Wi-Fi access point, keep a password that we know, forget the device
and attempt brute forcing using a dictionary containing that password.
Pre-requisite
If you are using a virtual machine
with kali linux, you would need an external Wi-Fi adapter because virtual
machines by default are bridged or natted to the adapter you specify and won’t
detect wlan interface. So, kindly research and buy an external adapter capable
of going into monitor mode. And thereafter, go to your VM settings and connect
that adapter to your virtual machine.
Initial Setup
Let’s first set up the password of
our access point here. Let’s say raaj:raj12345
We are good to go now and since
the password has changed you obviously aren’t connected to the access point.
Before going any further, let me throw out some theory now. In the previous
article here we saw some background about monitor mode and Wlan interface. Let’s begin by putting our Wi-Fi adapter in monitor
mode first.
Assuming that the Wi-Fi interface
is Wlan0, the command is:
airmon-ng start wlan0
We are using the airmon module for
this which comes built in Kali Linux. Next, we’ll have to scan for the access
point (here, SSID=raaj). If you check your interfaces with iwconfig command now you’d see your Wlan0 has been transformed to Wlan0mon.
Good for us. Now we scan access points around us
airodump-ng wlan0mon
This should start scanning for
Access Points’ SSIDs and BSSIDs (Basic service set identifiers or simply a 48
bit MAC) around you. We see raaj in there too.
Now let us understand this screen
first. On top left you see CH 3 written.
That is a Wi-Fi channel.
Definition: In layman
terms, a Wi-Fi channel is a path on
which Wi-Fi packets travel to and from your device to access point.
A 2.4 GHz Wi-Fi uses 11 channels
and a 5 GHz Wi-Fi uses 45 channels. Each channel may vary or depending on what
the vendor may use-- higher or lower channel size is possible but generally is
under 100 MHz in width. Your Wi-Fi access point uses a specified channel to
transmit data. This channel to transmit
can be manually configured in access points. A Wi-Fi adapter, however, just
like your FM receiver can tune to
listen to any channel.
Analogy: Just like
radio channels, a Wi-Fi adapter working on channel 3 (lets say a 60 MHz
frequency) won’t listen to what's happening on channel 6 (let’s say a 100 MHz
frequency) until you tune it to listen to channel 6. But your Wi-Fi adapter/NIC
is able to change its listening channel automatically. We’ll use airodump-ng to
specify a channel later in this article.
Now that I have the target, I will
capture a handshake.
Handshake: A handshake
in Wi-Fi is a mechanism by which an access point authenticates a client to
onboard it and use its services. Cool thing to note is that in a handshake, the
pairwise master key (PMK) is not transferred in this handshake so you can’t
directly grab the PMK otherwise it would be a major vulnerability. Rather, this
handshake file has something called a message integrity check (MIC) which is a
combination of your Wi-Fi passphrase, nonce (random numbers), SSID and some
other keys.
Goal: Our goal is
to capture this handshake file (.cap file), extract juicy information and brute
force against the MIC to finally obtain a password. Since, MIC is analogous to
a hash in Wi-Fi, we need a dictionary to calculate hashes and compare against
the value given in the handshake capture and confirm the password.
Since a handshake is happening on
a channel, we can use the same channel to see what a handshake file looks like.
But since this handshake only occurs when a user authenticates, we have to wait
for a client to connect himself or deauthenticate the client and force him to
connect (yeah, possible).
We saw in the above screenshot
that “raaj” operates on channel 3 with a given BSSID. Lets use airodump to
capture a handshake file.
airodump-ng wlan0mon -c3 --bssid 18:45:93:69:A5:19 -w pwd
-c : channel
-w : name to save as
Now, while airodump would wait for
a handshake, we can’t just sit quietly. We have to force a user to
reauthenticate by deauthenticating him. It can be done by aireplay-ng like
this:
aireplay-ng --deauth 0 -a 18:45:93:69:A5:19 wlan0mon
And it seemed to have worked like
magic as you can see the client has re-authenticated and we have a handshake!
The file is saved as pwd-01.cap
For simplicity I’ll rename it to
“handshake.cap” and run aircrack-ng using a very long dictionary of millions of
most common passwords and some passwords I created from the information about
my target! Let’s call it dict.txt. And instead of millions lets only add 5-10
passwords because we already know it and just have to demonstrate the attack!
So, the command is:
aircrack-ng handshake.cap -w dict.txt
As evident below, we have the password thanks to aircrack.
Using cowpatty
The same method can be done using
another well known tool called cowpatty. Link here.
During my testing the “handshake.cap” got renamed to “wifi.cap” so don’t get
confused.
cowpatty -r wifi.cap -f dict.txt -s raaj
-s: SSID
It worked like a charm!
Using Hashcat
For this next method, we would
need to install hashcat first. It is the undisputed go-to tool when we talk
about hash cracking. You can download it from here.
In Kali Linux, hashcat is preinstalled with utilities as well. We would use the
“cap2hccapx” script for this method.
hccapx: It is a
custom format specifically developed for hashcat for usage on WPA and WPA2.
cap2hccapx would
convert the .cap file to .hccapx and hashcat would be able to bruteforce
against it.
We can do this by:
cd /usr/share/hashcat-utils && ./cap2hccapx.bin
/root/wifi.cap /root/wifi.hccapx
It is done. We now need to run
hashcat to brute force this file:
hashcat -m 2500 wifi.hccapx dict.txt --show
-m : hash type. 2500= WPA/WPA2
hashes
Quiet simple.
Using John The Ripper
The same can be done using john
the ripper too. We just need to convert it into a standard john hash file. This
can be done using the hcxpcapng tool
like:
hcxpcapngtool --john hash.john wifi.cap
A gorgeous thing to observe here
is the contents of the capture file! Juicy, isn’t it? Let’s use john to crack
the hash now:
john --format=wpapsk --wordlist dict.txt hash.john
john --show hash.john
For all the pros who converted
.cap to .hccapx, here’s the last method for you. You can use hccap2john script
pre existing in your Kali to convert that .hccapx file to a John hash!
/usr/sbin/hccap2john wifi.hccpax > wifihash
And finally use John to crack it
john --wordlist=/root/dict.txt --format=wpapsk wifihash
We learnt various methods to brute
force a captured handshake .cap file. The aim is to have multiple arrows in
your quiver so if one technique fails you, you know how you can cross it over.
Thanks for reading.
0 comments:
Post a Comment