Hack WiFi with the Crunch Utility – No Dictionaries Needed

As you’ve probably discovered so far, there are tons of ways we can hack WiFi passwords, be they WEP or WPA/WPA2. For network security professionals, you need to muster all the troops you can get to help you in your wireless network audits. By this I mean tools.

Network security professionals need a vast range of hacking tools to assist them. The more they have available to them, the greater their chances of success. In this example, I am going to show you how to use another utility, called Crunch, to hack WiFi networks encrypted with WPA or WPA2. Crunch is an easy way to try to crack WPA passwords without using dictionary files. Sometimes, your WPA dictionary attacks fail, and the access point you’re targeting doesn’t use WPS, so a WPS attack is out too. What are you left with?

Give Crunch a Try – It Can Hack WiFi Too

Crunch is not like most password hacking tools security professionals use. Crunch is a wordlist generator. It generates every combination of the letters, numbers, and symbols you give it, and when you pipe its output into a cracker, every one of those combinations is tested against your captured handshake. This is a brute force attack, so it should be your last resort when dictionaries fail and WPS hacking isn’t an option. There are a few caveats with using Crunch to hack WiFi keys. The first thing to keep in mind is that you’ll still need to capture a WPA or WPA2 handshake. So refer back to the first half of my WPA cracking tutorial linked above. It walks you through capturing the handshake.

The command we will be using to try and hack WiFi is relatively simple. But it will take a bit of time to type out, and make sure you don’t have any mistakes!

Open a terminal window and type:

crunch 8 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid 00:11:22:33:44:55 -w - hack-wifi-01.cap

We’re basically telling Crunch to auto-generate a list of passwords with a minimum of 8 characters and a maximum of 12 characters, using a mix of lowercase and uppercase letters with numbers thrown in as well. We then pipe Crunch’s output into aircrack-ng and aim it at the WPA handshake capture file we sniffed at the beginning of the other tutorial. I’ll break down the command for you in proper fashion:

  • The 8 and 12 tell Crunch to auto-generate a brute force list with a minimum of eight characters and a maximum of twelve. Since WPA requires at least eight characters, we can save time by not testing anything under eight. I capped the number of characters tested at 12, but you may want to do your own research on the average length of a WPA passphrase.
  • What comes after is the alphabet in lowercase and then uppercase, followed by the numbers zero through nine. Crunch will use this character set to generate passwords of at least 8 characters and no greater than 12, all built from lowercase and uppercase letters with numbers.
  • | aircrack-ng --bssid 00:11:22:33:44:55 -w - hack-wifi-01.cap – We pipe Crunch’s output into aircrack-ng (-w - tells aircrack-ng to read the wordlist from standard input) and specify our target network’s BSSID and the handshake we captured. In my original WPA hack WiFi tutorial, my target network had a BSSID of 00:11:22:33:44:55 and I had named the capture file “hack-wifi-01.cap”. Obviously your target’s BSSID and the name of your capture file may be different, so substitute accordingly. Know what you are doing!

Remember, knowing how to hack WiFi, actually understanding the mechanics behind it, is what separates the good network security professionals from the keyboard jockeys.

Now you are ready to use Crunch to break the WPA key. This alternate method may crack the password because it relies on brute forcing all combinations of a password rather than specific words in a dictionary.

More Troops for the Attack – Hack WiFi Using Hash Cat

An alternative to Crunch is using Hash Cat to hack the WPA or WPA2 password. If you use HashCat, you’ll need to first convert your .cap file to a .hccap file. As long as you’re using the latest version of Back Track or Kali Linux, you should just be able to use aircrack to convert your .cap file to a .hccap file. For instance, if the name of your capture file is “hack-wifi-01.cap”, just run:

aircrack-ng hack-wifi-01.cap -J capture

Hashcat needs the .hccap file and cannot use the .cap like Crunch can. From Kali Linux, you can get to hashcat from /usr/share/oclhashcat-plus.  To run Hash Cat, just type the command below from Hash Cat’s file location:

Hashcat-plus.bin -m 2500 -a3 hack-wifi-01.hccap abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 pause

  • -m 2500 tells Hash Cat to test in WPA/WPA2 mode
  • -a3 tells Hash Cat to use brute force mode, and we need to point it at “hack-wifi-01.hccap”, which is my converted capture file containing the WPA/WPA2 handshake
  • As with Crunch, we can specify a character set to include in the brute force attempt.
  • We should use the pause switch to throttle Hash Cat’s cracking attempts.

So there you have it, two alternative brute force methods to hack WiFi networks, specifically encrypted with WPA or WPA2. Remember these are very time intensive attacks, but because of their nature, they are almost guaranteed to crack the password.

But you have to ask, how long? Brute forcing complex WPA/WPA2 passwords could take YEARS. Or hundreds of years. Or hundreds of thousands of years. As with most WPA2 attacks, this one is in no way guaranteed to work any time soon. But, it’s yet another useful tool you should keep in your IT Security toolbox.
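How long is "YEARS"? The arithmetic behind that warning, as an added example (not code from the page or from the Crunch and aircrack-ng projects): it counts the candidates the Crunch command above produces and converts them to wall-clock time. The guess rates are assumed placeholders; measure your own hardware before trusting any figure.

```python
"""Brute-force cost estimate for the Crunch / Hash Cat approach.

Added example: it only does the arithmetic behind "could take YEARS".
The guess rates are assumptions, not benchmarks from the page.
"""

# The Crunch command above uses 26 lowercase + 26 uppercase + 10 digits.
CRUNCH_CHARSET_SIZE = 62

# Assumed WPA/WPA2 guess rates in candidates per second (placeholders).
ASSUMED_RATES = {
    "cpu_aircrack": 2_000,
    "gpu_hashcat": 500_000,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates Crunch emits for lengths min_len..max_len."""
    if min_len < 1 or max_len < min_len or charset_size < 1:
        raise ValueError("bad keyspace parameters")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Wall-clock years needed to try every candidate at the given rate."""
    return candidates / rate_per_second / SECONDS_PER_YEAR


def expected_years(candidates: int, rate_per_second: float) -> float:
    """Expected time for a uniformly random key: half the keyspace."""
    return years_to_exhaust(candidates, rate_per_second) / 2


def report(charset_size: int, min_len: int, max_len: int) -> dict:
    """Summarise the cost of one Crunch run at each assumed rate."""
    total = keyspace(charset_size, min_len, max_len)
    return {
        "candidates": total,
        "years": {name: years_to_exhaust(total, r)
                  for name, r in ASSUMED_RATES.items()},
    }


if __name__ == "__main__":
    # Exactly the parameters of the Crunch command above: 8 to 12 characters.
    r = report(CRUNCH_CHARSET_SIZE, 8, 12)
    print(f"candidates: {r['candidates']:e}")
    for name, yrs in r["years"].items():
        print(f"{name:>13}: {yrs:.3e} years")
    # The 8-character floor alone is a different story on a GPU:
    floor = keyspace(CRUNCH_CHARSET_SIZE, 8, 8)
    print(f"8 chars only: {years_to_exhaust(floor, ASSUMED_RATES['gpu_hashcat']):.1f} years")
```

Each extra character multiplies the work by 62, which is why the 8-character floor is reachable and the 12-character ceiling is not.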

Hacking Tricks for WPA and WPA2 WiFi Networks

More advanced hacking tricks are required if your target does not use WEP encryption, and instead uses WPA Personal or WPA2 Personal encryption. (Here’s the WEP WiFi password hack if you missed it).

The truth is that most access points no longer use WEP encryption these days. And that’s definitely a good thing. But as a computer security expert, the vast majority of your wireless engagements will not involve WEP. In fact, I know some security auditors in the industry who have never come across a WEP network!

Because WEP has been cryptographically broken for almost two decades, business owners and home Internet users are switching to the much more secure WPA and WPA2 encryption for their wireless networks. WPA security is much stronger. It doesn’t suffer from the same weaknesses that WEP does. WPA and WPA2 use additional checks in the algorithm that watch for changes in the flow of data through the air. That, coupled with WPA/WPA2’s stronger encryption, means we cannot simply capture X number of data packets in order to discover the password. Statistical analysis won’t work here. You should really check out this excellent resource on WEP vs. WPA vs. WPA2.

However, there are hacking tricks available to us which might allow us to crack a WPA or WPA2 network. I say might because there are no guarantees. In order for us to attempt to hack WPA or WPA2, we will need to use a dictionary. A dictionary – or password list – is a .txt file filled with a list of common passwords, one on each line of the .txt file. Dictionaries and password lists can be as simple or as complex as you want. They can be filled with just random words in all lowercase, or they can be common words and phrases with capitalization, numbers, and symbols. The best security consultants keep huge lists of possible passwords to increase their chances of success. Remember: You will only be able to crack the password if it also exists identically in one of your .txt files.

What hacking tricks will we use to attack WPA/WPA2?

Our attack is two-pronged. To hack WPA, we must capture the WPA 4-way handshake between a client (a PC, tablet, or smart phone, for example) and the server (the wireless access point we are targeting). We will need to capture the handshake using airodump, Wireshark, or some other packet capturing utility. Remember that during our attack on WEP, we also used airodump to capture the packets. So in this example I will use airodump again to capture the 4-way handshake.

After successfully capturing a handshake, we will move on to the second phase of our hacking tricks: attacking the WPA passphrase. This is where we will use our dictionaries, massive .txt files of possible passwords and phrases, to try and guess the WPA passphrase. We will only guess the password if it exists in one of our dictionary files.

1. Attacking WPA Security – Capturing the 4 way handshake

Let’s begin our WPA hacking tricks by booting into Kali Linux or Back Track. Open a terminal window, plug in your wireless network adapter, and make sure to spoof the MAC address first. Then put it into monitor mode.

Then, don’t forget to run your updates (you need Internet access):

apt-get update
apt-get upgrade

Now, run:

airodump-ng mon0

This starts capturing information on the nearby wireless access points (and any clients connected to them). When on a wireless security audit, make sure you are in range of the target. Otherwise you won’t see the target’s BSSID and what channel it’s on. When you find your target, write down or copy the BSSID and the channel.

Open a new terminal window and run the command below to filter out everything and everyone else, and only capture the target AP’s packets.

airodump-ng -c 12 --bssid 00:11:22:33:44:55 --showack -w target-handshake mon0

I’ll break this command down for you.

  • -c indicates the channel our target AP is on. In this case, the target’s channel was 12.
  • --bssid If you’ve looked at my hacking tricks against WEP tutorial, you should know what a BSSID is. You will need to specify the target AP’s BSSID here.
  • --showack is an optional but very useful switch that provides more information in our packet capture that will help us later on.
  • -w tells airodump to write the packet capture to a file, which we named target-handshake in this case.
  • Lastly, be sure to include the monitoring interface you want airodump to listen on.

Hit enter and DO NOT CLOSE THIS WINDOW.

Let’s continue our hacking tricks against the access point. At this point you need to keep watching that airodump window and look for another MAC address to appear under the MAC heading. Ideally, you want to see multiple MAC addresses under the MAC heading.

The more clients we have to choose from, the more likely our hacking tricks are to succeed. The MAC addresses listed here are all clients who are connected to the access point right now. Any time one of these clients connects to the target access point, both ends exchange a 4-way handshake, basically a series of packets to establish trust.

That is, the four-way handshake is a way for the client to prove the access point’s identity and a way for the access point to prove the client’s identity.

You need to capture this 4-way handshake because it contains information you can use to run your WPA cracker to try and guess the password. You either have to wait for a new client to connect to grab the handshake, or you can speed up these hacking tricks by forcing one of the established clients to deauthenticate from the access point. When the client reauthenticates, you can capture the four-way handshake. That’s where one of those client MAC addresses comes in.

Continuing on with your hacking tricks, choose which client you wish to deauthenticate, and make note of its MAC address from the previous airodump screen. Then open a new terminal window and run:

aireplay-ng -0 5 -a 00:11:22:33:44:55 -c aa:bb:cc:dd:ee:ff mon0

I’ll break this command down again.

  • -0 tells aireplay to inject deauthentication packets. Because I typed 5 after -0, it will send 5 deauth packets. But I can change this number if I want. See what works for you.
  • -a specifies the target’s BSSID.
  • -c specifies the client we want to deauthenticate. Type in the client’s MAC address here.
  • Last, remember to specify the monitoring interface.

(We can choose to send broadcast deauth packets as well. We don’t have to specify a client MAC, but it’s stealthier to do so.)

If our hacking tricks are successful so far, we’ll see plenty of ACK messages on the aireplay screen. ACKs are good. That means the connected client has acknowledged the deauths we just injected. It will then disassociate from the target access point.
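From the other side of the table: the burst of forged deauthentication frames described above is exactly what a wireless IDS looks for. The following is an added example, not part of the original tutorial; the frame records are constructed to resemble what a monitor-mode sniffer would log, and the field names, timestamps and addresses are assumptions.

```python
"""Flag deauthentication bursts like the one aireplay-ng -0 5 sends.

Added example. SAMPLE_FRAMES is constructed: the source address of the
deauth frames is the AP's BSSID because the attacker forges it, and the
destination is the client from the page's example.
"""
from collections import defaultdict

SAMPLE_FRAMES = [
    {"ts": 100.00, "subtype": "data",   "src": "aa:bb:cc:dd:ee:ff", "dst": "00:11:22:33:44:55"},
    {"ts": 100.20, "subtype": "data",   "src": "00:11:22:33:44:55", "dst": "aa:bb:cc:dd:ee:ff"},
    # Five forged deauths inside one second: the injected burst.
    {"ts": 101.00, "subtype": "deauth", "src": "00:11:22:33:44:55", "dst": "aa:bb:cc:dd:ee:ff", "reason": 7},
    {"ts": 101.20, "subtype": "deauth", "src": "00:11:22:33:44:55", "dst": "aa:bb:cc:dd:ee:ff", "reason": 7},
    {"ts": 101.40, "subtype": "deauth", "src": "00:11:22:33:44:55", "dst": "aa:bb:cc:dd:ee:ff", "reason": 7},
    {"ts": 101.60, "subtype": "deauth", "src": "00:11:22:33:44:55", "dst": "aa:bb:cc:dd:ee:ff", "reason": 7},
    {"ts": 101.80, "subtype": "deauth", "src": "00:11:22:33:44:55", "dst": "aa:bb:cc:dd:ee:ff", "reason": 7},
    # A single broadcast deauth a minute later (e.g. AP reboot): not a burst.
    {"ts": 160.00, "subtype": "deauth", "src": "00:11:22:33:44:55", "dst": "ff:ff:ff:ff:ff:ff", "reason": 3},
]


def deauth_bursts(frames, threshold=5, window=2.0):
    """Return one alert per (src, dst) pair that sent at least `threshold`
    deauth/disassoc frames within any `window`-second span.

    A legitimate AP rarely sends more than one or two deauths to a client
    in quick succession, so a tight cluster points at injection. On
    networks with 802.11w (protected management frames) forged deauths
    are rejected outright; this check matters most where that is off.
    """
    by_pair = defaultdict(list)
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] in ("deauth", "disassoc"):
            by_pair[(f["src"], f["dst"])].append(f["ts"])

    alerts = []
    for (src, dst), times in by_pair.items():
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "dst": dst,
                               "count": end - start + 1, "first_ts": times[start]})
                break                              # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {a['count']} frames from {a['src']} to {a['dst']} at t={a['first_ts']}")
```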

Now go back to the original airodump window that you’ve kept open. You want to see that the WPA handshake has been captured. It will tell you that in the upper right-hand corner of the airodump window. Once you have this WPA handshake, you are ready to try and crack the WPA password.

2. Load the WPA Cracker and Fire Away

Halfway there with these WPA/WPA2 hacking tricks. Hang in there and stay focused. We will use aircrack to attack WPA security. We’ll also need one of the dictionary files we have, and the airodump capture file. (The one we called target-handshake.) We point aircrack to one of our dictionary files and to our capture file containing the handshake. Aircrack will then test all the words in our dictionary file to check if one of them is the password. If this fails, we’ll need to try again, specifying a different dictionary.

Open a new terminal window and run:

aircrack-ng -a 2 -w dictionary-1.txt target-handshake-01.cap

  • -a 2 tells aircrack to use its WPA cracker method.
  • -w tells aircrack which dictionary to use. Because we should have many dictionary files, I’ll specify the name of my first one.
  • Lastly, we need to specify the name of the packet capture file we got from airodump. airodump appends a number such as -01 to the file name (target-handshake-01.cap), so check the exact name first.

At this point we can only wait and see if our WiFi hacking tricks succeed or not. They’ll only succeed if the password is also in one of our dictionary files. If you are successful, aircrack will indicate KEY FOUND! and print the password on the screen for you.

But what do you do if the password is not in one of your dictionary files? You could try a WPS attack against the access point.

Kind of scary, isn’t it? Think about it, is the wireless password you use right now easy to guess? Do you think it may be something common, something that could conceivably appear in a WiFi hacker’s dictionary files?

Protecting Yourself Against WPA/WPA2 Hacking Tricks

So how can you protect yourself against wireless hacking tricks like these and others?

To start, use a completely random passphrase of at least 14 characters. Something like:

hr#yN728ADqgx#12z

WPA security can be robust enough to protect you if you choose a passphrase like that. Basically, the longer and more random the passphrase, the better. Think this is paranoid?

Think again. And yes, it is a pain. I get that. It isn’t easy to remember passwords like this, but there are some pretty neat ways to think of complex yet easy to remember phrases.

Otherwise, you may even want to switch to using WPA2 Enterprise for authentication. This is much stronger wireless security than using a WPA or WPA2 Personal preshared key. You can set it up yourself or purchase an Enterprise WiFi system. This looks just like a regular wireless access point, but all the enterprise authentication is contained within the device. There is a virtual radius server with users set up, so you don’t have to configure

The absolute best for the money is the Ubiquiti Access Point.

Advanced WiFi Password Hack Techniques – WPS Attack

We can use a special WiFi password hack if a dictionary attack against WPA/WPA2 fails. If our target’s wireless router or access point uses something called WPS, we can hack the wireless password without actually having to attack the encrypted keys. We simply attack the WPS component instead.

Sounds complicated? It’s really not. WiFi Protected Setup (WPS) is a technology that allows easy access to secure wireless home networks. WPS-capable access points come hard-coded with an 8-digit PIN. Users can connect their devices to a WPS-capable access point without having to type the long passphrases commonly associated with WPA/WPA2 encryption. WPS only uses this 8-digit PIN to connect.

8 digits gives 100,000,000 variations, but luckily (for us) there are some additional WPS vulnerabilities that reduce our workload to only 11,000 variations. Statistically, we will crack the PIN in half the time, so count on only having to churn through roughly 5,500 PIN guesses before we crack the WPA/WPA2 password.
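Where the 11,000 comes from, and what a lockout does to the 5,500 expected guesses: an added example, not code from the page or from Reaver. The lockout model (lock WPS for a fixed period after a fixed number of bad PINs) is an assumption chosen to mirror the behaviour the Troubleshooting section below works around with --fail-wait=300; real access points vary.

```python
"""WPS PIN guess space, and the effect of an AP lockout on attack time.

Added example. The lockout parameters are assumptions, not figures from
the page or from any particular access point.
"""

PIN_DIGITS = 8


def naive_pin_space(digits: int = PIN_DIGITS) -> int:
    """Guesses needed if the whole PIN had to be confirmed at once."""
    return 10 ** digits


def split_pin_space(digits: int = PIN_DIGITS) -> int:
    """Guesses under the WPS protocol flaw.

    The protocol confirms the first half of the PIN separately from the
    second, and the last digit is a checksum of the other seven. So the
    attacker solves 4 unknown digits, then 3 unknown digits:
    10**4 + 10**3 = 11,000 instead of 10**8.
    """
    first_half = digits // 2                 # 4 digits, confirmed on their own
    second_half = digits - first_half - 1    # 3 digits; the checksum digit is derived
    return 10 ** first_half + 10 ** second_half


def expected_guesses(space: int) -> int:
    """For a uniformly random PIN, on average half the space is tried."""
    return space // 2


def seconds_with_lockout(guesses: int, seconds_per_guess: float = 1.0,
                         lock_after: int = 0, lock_seconds: float = 0.0) -> float:
    """Time for `guesses` attempts when the AP locks WPS for `lock_seconds`
    after every `lock_after` failed PINs (lock_after=0 means never locks)."""
    if guesses < 0 or lock_after < 0:
        raise ValueError("negative counts make no sense")
    total = guesses * seconds_per_guess
    if lock_after > 0:
        total += (guesses // lock_after) * lock_seconds
    return total


if __name__ == "__main__":
    print("naive:", naive_pin_space(), "split:", split_pin_space())
    g = expected_guesses(split_pin_space())
    hours = lambda s: s / 3600
    print(f"expected guesses: {g}")
    print(f"no lockout, 1 guess/s:            {hours(seconds_with_lockout(g)):.1f} h")
    # Assumed lockout: 300 s after every 10 bad PINs, matching --fail-wait=300.
    print(f"lock 300 s per 10 failures:       {hours(seconds_with_lockout(g, 1.0, 10, 300.0)):.1f} h")
```

The lockout alone turns a 1.5-hour attack into a 47-hour one, which is why rate limiting (short of disabling WPS) is the mitigation worth asking a vendor about.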

To get started on this advanced WiFi password hack, make sure you have the right tools:

  • Back Track or Kali Linux Live CD
  • A wireless Network Card Capable of Packet Injection like the ALFA AWUS036H High Power Wireless adapter.

First update Back Track or Kali Linux by performing the commands below (make sure you are updating as the root user). Open up a terminal window and update the distribution before proceeding:

apt-get update

When that finishes, also be sure to run:

apt-get upgrade

Once our MAC address is spoofed on both the physical adapter and on the virtual monitor interface (which we’ll use to sniff and inject with), we are ready to scan the surrounding air and pick out the target wireless network to perform a WiFi password hack on.

Then run the following command:

airodump-ng mon0

It will start picking up a ton of WiFi access points in the area, and your screen will fill up similar to the image below. I have, however, blocked out the BSSID and ESSID fields. You will want to pay careful attention to the BSSID, ENC, and ESSID fields.

The BSSID field displays the access point’s own MAC address (which you will use soon).

The ENC field shows the access point’s encryption method. For the WPS-based WiFi password hack to succeed, the ENC field must show WPA or WPA2. This attack does not work against WEP WiFi networks.

The ESSID field shows the access point’s name.

Pick out your target’s access point. The easiest is to check the ESSID and try to determine it that way. Once you find your target access point, press control C when you want to stop listening on the interface. For reference, my target is outlined in purple below.

We are now ready to launch our attack against WPS. This is an online attack, so we’ll need to keep Back Track or Kali Linux online for the entire engagement. Keep another thing in mind. This particular WiFi password hack may or may not work. The reason is that it’s a blind attack. Not all access points use WPS, and savvy administrators know to turn WPS off entirely. We cannot be 100% certain that our target access point uses WPS, but we can be pretty sure that the odds are in our favor.

We will use an off-the-shelf WiFi password cracker called Reaver to do most of our work. Open up another terminal window in your Back Track or Kali Linux live CD, and run the command:

reaver -i mon0 -b (the target’s BSSID)

-i signifies the adapter we are going to run reaver from. In my case, it is mon0. (Again, for you it may be different.)

-b specifies the target’s BSSID field. The BSSID is the target’s MAC address. We will need to copy the target access point’s BSSID and enter it here.

Hit Enter, and you’ll get some output similar to the image below.

Reaver may scan channels, but it should eventually associate with your target’s BSSID and then start the cracking process, cycling through the 11,000 variations of the 8-digit PIN.

Eventually, reaver will crack the WPA password! I’ve highlighted it in purple. And even though all this is marked out it is VERY exciting when you get to this point! You now have the target access point’s WPA PSK. Also known as the wireless password. This is the key you will be able to type in to connect to the WiFi network. Congratulations, you’ve just performed a pretty gutsy WiFi password hack.

The most important thing to take away from this exercise is to NOT USE WPS. If your wireless router or access point uses WPS, it’s vulnerable to this form of WiFi password hack. How can you protect yourself? Check your wireless access point or wireless router. Look at the back, the bottom, and the sides for a sticker. If you see a WPS PIN listed anywhere on the device, it definitely uses WPS. Contact the manufacturer and ask about this. Usually manufacturers will release updated firmware to close the WPS vulnerability. If they haven’t disabled WPS with a firmware update, raise hell. At the end of the day though, you’re probably better off moving to a wireless AP that does not use WPS at all. You’ll sleep better at night.

Troubleshooting:

Reaver may time out. It may lose association with the target access point from time to time. In most cases, it’s best to Google the exact error you receive and you will find lots of suggestions. Reaver has a large, active user base and there are plenty of people out there to help.

Also, after 10 bad PINs, expect a warning message from Reaver. This may be another sign the AP is rate limiting the connection (rather than temporarily locking) or is just being overwhelmed and cannot keep up with processing the influx of PIN guesses. You can tell Reaver to sleep for a specified period of time by appending the following to your Reaver command:

--fail-wait=300 – Some access points will temporarily lock their WPS state if they detect anything suspicious, like a sudden influx of WPS PIN attempts.
The --fail-wait=300 option tells Reaver to stop testing different PINs, then check back after 300 seconds. You can play with the value to see what works best when on an engagement. This may help in situations where you are losing connection to the access point.

Good luck on your WiFi password hacks!