I was given the opportunity to run some tests against the wireless infrastructure at my office. The actual scenario is to deploy a rogue access point and start gathering intel on the organization. But I decided to take this a step further and do some pre-work to make a convincing rogue AP. What follows is my initial framework that I developed researching how to crack a WPA/WPA2 pre-shared key network. I’ll revisit this and improve on it as I gain more experience.

Goal

The goal of this exercise is the gain the pre-shared key used on the WPA/WPA2 wireless network. This key will be used to setup a realistic looking rogue access point.

Recon

Build your Word Lists for brute forcing

Grab some of the password dumps available on the internet
OSINT your target(s) to build a list of words and phrases commonly used to build passwords (family and pet names, important dates like birthdays, favorite places, etc.)
once you determine website(s), use CEWL to harvest possible wordlist entries
cupp
Sort and filter your list to remove duplicates.

sort file > newfile to alpha sort only
sort file | uniq [-i to ignore case if you want] > newfile

put anything you think might have a higher probability of success near the front of the wordlist.
Use Mentalist to generate alternative/mangled words based on your base word lists.

The word lists you generate can likely be re-used for other bruteforcing attacks against the target.

Attack

Get the WPA Authentication

determine wireless interface chipset/capabilities (if you do not already know) * needs to allow RFMON

lsusb -vv OR lspci -vv to find the card/driver info
Or the old standby – open the case and look at the card’s labelling.

iwconfig to get interface name (e.g. wlan0)
airmon-ng check kill – what exactly does this do besides kill the supplicant?
airmon-ng start wlan0 – stops the interface, then starts wlan0mon monitoring interface

there may be a better way to do this by manually stopping everything – need to investigate more

airodump-ng wlan0mon to survey to find the available networks. Look for what you know or suspect is the clients.

Be cautious about neighboring wireless networks you are not authorized to test.
Could use airodump-ng -essid [clientssid] wlan0mon if you already know the ssid being used to narrow things down.
Once you have found the target make note the BSSID and channel, then hit Ctrl-C to stop the monitor.

airodump-ng -c [channel] –bssid [target-bssid] -w /path/to/capture/to creates the required monitoring files.

Watch for a bit and make sure this ap is active (if there are multiple ap’s, it might not be.)
Note the client MAC for a few of the stronger clients being actively used
Leave this terminal open for now to determine if you caught the WPA handshake (note will display in the top line of airodump-ng)

Open a new terminal to deauth a client to try and catch the reauth
aireplay-ng -0 2 -a [target-bssid] -c [target-client] To try force deauth

I had problems using -0 10 or higher when trying to grab a client from a multi-ap network on a cisco wireless controller. There may have been some anti-hacking protections coming into place…need to research.
Cross your fingers and hope the client reauths to the same AP.
If you do not catch the first client reauth, try the second or try again. Just try not to be too obvious and make problems for the client.

If you cannot catch the WPA auth, try look at troubleshooting in Sunny Hoi’s post mentioned below.
If you successfully catch the WPA authenciation, you can shut down the capture.
You may need to reboot kali before you can get back on the wireless as a client. (Is there another way?)

Cracking the WPA Password

Pull the capture files down to your cracking machine if it is different from your capture machine.
aircrack-ng -a2 -b [target-bssid] -w /path/to/word/list /path/to/capture.cap
let it churn until it finds the password (or not)

Wireless interface cards used successfully:

Intel Dual Band Wireless-AC 7260 7260NGW FCC ID PD97260NGU * The card worked moderately well on both bands, but it seemed to have issues when the capture ran for more than 15-20 minutes.

Credit Where Credit is Due

Overall Process – Sunny Hoi has an excellent guide for WPA cracking using Kali. In fact, most of this document is based on it. I strongly recommend you give this link a detailed read.
Building custom word lists – Null-Byte has a couple great write-ups on building custom wordlists with OSINT, CUPP and Mentalist and scraping a website for words using CeWL.