Hacking Tricks for WPA and WPA2 WiFi Networks

More advanced hacking tricks are required if your target does not use WEP encryption, and instead uses WPA Personal or WPA2 Personal encryption. (Here’s the WEP WiFi password hack if you missed it).

The truth is that most access points no longer use WEP encryption these days. And that’s definitely a good thing. But as a computer security expert, the vast majority of your wireless engagements will not involve WEP. In fact, I know some security auditors in the industry who have never come across a WEP network!

Because WEP has been cryptographically broken for almost two decades, business owners and home Internet users are switching to the much more secure WPA and WPA2 encryption for their wireless networks. WPA security is much stronger: it doesn’t suffer from the same weaknesses that WEP does. WPA and WPA2 add integrity checks that detect tampering with the frames sent over the air, and combined with WPA/WPA2’s stronger encryption this means we cannot simply capture some number of data packets and recover the password from them. Statistical analysis won’t work here. You should really check out this excellent resource on WEP vs. WPA vs. WPA2.

However, there are hacking tricks available to us which might allow us to crack a WPA or WPA2 network. I say might because there are no guarantees. In order for us to attempt to hack WPA or WPA2, we will need to use a dictionary. A dictionary – or password list – is a .txt file filled with a list of common passwords, one on each line of the .txt file. Dictionaries and password lists can be as simple or as complex as you want. They can be filled with just random words in all lowercase, or they can be common words and phrases with capitalization, numbers, and symbols. The best security consultants keep huge lists of possible passwords to increase their chances of success. Remember: You will only be able to crack the password if it also exists identically in one of your .txt files.

What hacking tricks will we use to attack WPA/WPA2?

Our attack is two-pronged. To hack WPA, we must capture the WPA 4-way handshake between a client (a PC, tablet, or smartphone, for example) and the wireless access point we are targeting. We will need to capture the handshake using airodump, Wireshark, or some other packet-capturing utility. Remember that during our attack on WEP, we also used airodump to capture the packets, so in this example I will use airodump again to capture the 4-way handshake.

After successfully capturing a handshake, we will move on to the second phase of our hacking tricks: attacking the WPA passphrase. This is where we will use our dictionaries (massive .txt files of possible passwords and phrases) to try and guess the WPA passphrase. We will only guess the password if it exists in one of our dictionary files.

1. Attacking WPA Security – Capturing the 4 way handshake

Let’s begin our WPA hacking tricks by booting into Kali Linux or BackTrack. Open a terminal window, plug in your wireless network adapter, and make sure to spoof the MAC address first. Then put it into monitor mode.

Then, don’t forget to run your updates (you need Internet access)

apt-get update
apt-get upgrade

Now, run:

airodump-ng mon0

to start capturing information on the nearby wireless access points (and any clients connected to them). When on a wireless security audit, make sure you are in range of the target. Otherwise you won’t see the target’s BSSID and what channel it’s on. When you find your target, write down or copy the BSSID and the channel.

Open a new terminal window and run the command below to filter out everything and everyone else, and only capture the target AP’s packets.

airodump-ng -c 12 --bssid 00:11:22:33:44:55 --showack -w target-handshake mon0

I’ll break this command down for you.

  • -c indicates the channel our target AP is on. In this case, the target’s channel was 12.
  • --bssid If you’ve looked at my hacking tricks against WEP tutorial, you should know what a BSSID is. You will need to specify the target AP’s BSSID here.
  • --showack is an optional but very useful option that provides more information in our packet capture that will help us later on.
  • -w tells airodump to write the packet capture to a file, which we named target-handshake in this case.
  • Lastly, be sure to include the monitoring interface you want airodump to listen on.

Hit enter and DO NOT CLOSE THIS WINDOW.

Let’s continue our hacking tricks against the access point. At this point you need to keep watching that airodump window and look for another MAC address to appear under the MAC heading. Ideally, you want to see multiple MAC addresses under the MAC heading.

The more clients we have to choose from, the more likely our hacking tricks are to succeed. The MAC addresses listed here are all clients who are connected to the access point right now. Any time one of these clients connects to the target access point, both ends exchange a 4-way handshake, basically a series of packets to establish trust.

That is, the four-way handshake is a way for the client to prove the access point’s identity and a way for the access point to prove the client’s identity.

You need to capture this 4-way handshake because it contains information you can use to run your WPA cracker to try and guess the password. You either have to wait for a new client to connect to grab the handshake, or you can speed up these hacking tricks by forcing one of the established clients to deauthenticate from the access point. When the client reauthenticates, you can capture the four-way handshake. That’s where one of those client MAC addresses comes in.

Continuing on with your hacking tricks, choose which client you wish to deauthenticate, and make note of its MAC address from the previous airodump screen. Then open a new terminal window and run:

aireplay-ng -0 5 -a 00:11:22:33:44:55 -c aa:bb:cc:dd:ee:ff mon0

I’ll break this command down again.

  • -0 tells aireplay to inject deauthentication packets. Because I typed 5 after -0 it will send 5 deauth packets. But I can change this number if I want. See what works for you.
  • -a specifies the target’s BSSID.
  • -c specifies the client we want to deauthenticate. Type in the client’s MAC address here.
  • Last, remember to specify the monitoring interface.

(We can choose to send broadcast deauth packets as well. We don’t have to specify a client MAC, but it’s stealthier to do so.)

If our hacking tricks are successful so far, we’ll see plenty of ACK messages on the aireplay screen. ACKs are good. That means the connected client has acknowledged the deauths we just injected. It will then disassociate from the target access point.

Now go back to the original airodump window that you’ve kept open. You want to see that the WPA handshake has been captured. It will tell you that in the upper right-hand corner of the airodump window. Once you have this WPA handshake, you are ready to try and crack the WPA password.
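The flip side of the deauthentication step above is that it is noisy and easy to spot: a burst of deauth frames carrying the access point’s BSSID is exactly what a wireless IDS alerts on, and 802.11w (Protected Management Frames) makes an AP and client drop deauth frames that are not authenticated. The following detector is an added example, not code from the original post or from the aircrack-ng project; the frame records, the two-second window and the four-frame threshold are all constructed assumptions for the demo.

```python
"""Flag deauthentication floods in a stream of 802.11 management-frame records.

Added example. Each record is a constructed tuple
(timestamp_seconds, frame_subtype, bssid, destination_mac); a real deployment
would fill these from a monitor-mode capture. Window and threshold are assumed
values, not a standard.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"        # constructed BSSID (same placeholder as the post)
CLIENT = "aa:bb:cc:dd:ee:ff"    # constructed client MAC

# Constructed sample: two isolated deauths (normal idle timeouts), then a
# burst of five deauths at the same client within one second.
SAMPLE_FRAMES = [
    (0.0, "beacon", AP, BROADCAST),
    (0.5, "deauth", AP, CLIENT),
    (30.0, "deauth", AP, "11:22:33:44:55:66"),
    (60.0, "deauth", AP, CLIENT),
    (60.2, "deauth", AP, CLIENT),
    (60.4, "deauth", AP, CLIENT),
    (60.6, "deauth", AP, CLIENT),
    (60.8, "deauth", AP, CLIENT),
    (61.0, "beacon", AP, BROADCAST),
]


def detect_deauth_floods(frames, window=2.0, threshold=4):
    """Return one alert per (bssid, destination) pair whose deauth count
    inside any `window`-second span reaches `threshold`.

    A sliding deque per pair keeps only timestamps inside the window, so a
    slow trickle of legitimate deauths never accumulates into an alert.
    """
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps of recent deauths
    alerted = set()
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames):
        if subtype != "deauth":
            continue
        key = (bssid, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # drop deauths older than the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": bssid,
                "target": dst,
                "count": len(q),
                "first": q[0],
                "last": ts,
                # broadcast deauths kick every client; worth a higher severity
                "broadcast": dst == BROADCAST,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        kind = "broadcast" if alert["broadcast"] else "targeted"
        print(f"deauth flood ({kind}) from {alert['bssid']} at {alert['target']}: "
              f"{alert['count']} frames in {alert['last'] - alert['first']:.1f}s")
```

The detector only sees what the monitoring radio sees, so it belongs on a sensor tuned to the AP’s channel; the preventive control is enabling 802.11w on both the access point and the clients, after which spoofed deauths are discarded and this alert becomes a record of an attempt rather than of a disconnection.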

2. Load the WPA Cracker and Fire Away

Halfway there with these WPA/WPA2 hacking tricks. Hang in there and stay focused. We will use aircrack to attack WPA security. We’ll also need one of the dictionary files we have, and the airodump capture file. (The one we called target-handshake.) We point aircrack to one of our dictionary files and to our capture file containing the handshake. Aircrack will then test all the words in our dictionary file to check if one of them is the password. If this fails, we’ll need to try again, specifying a different dictionary.

Open a new terminal window and run:

aircrack-ng -a 2 -w dictionary-1.txt target-handshake-01.cap

  • -a 2 tells aircrack to use its WPA cracker method.
  • -w tells aircrack which dictionary to use. Because we should have many dictionary files, I’ll specify the name of my first one.
  • Lastly, we need to specify the name of our packet capture file we got from airodump. It may append a -0 after the file name so check

At this point we can only wait and see if our WiFi hacking tricks succeed or not. They’ll only succeed if the password is also in one of our dictionary files. If you are successful, aircrack will indicate KEY FOUND! and print the password on the screen for you.

But what do you do if the password is not in one of your dictionary files? You could try a WPS attack against the access point.

Kind of scary, isn’t it? Think about it, is the wireless password you use right now easy to guess? Do you think it may be something common, something that could conceivably appear in a WiFi hacker’s dictionary files?

Protecting Yourself Against WPA/WPA2 Hacking Tricks.

So how can you protect yourself against wireless hacking tricks like these and others?

To start, use a completely random passphrase of at least 14 characters. Something like:

hr#yN728ADqgx#12z

WPA security can be robust enough to protect you if you choose a passphrase like that. Basically, the longer and more random the passphrase, the better. Think this is paranoid?

Think again. And yes, it is a pain. I get that. It isn’t easy to remember passwords like this, but there are some pretty neat ways to think of complex yet easy to remember phrases.
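The whole attack above stands or falls on one condition the post states twice: the passphrase must be in the dictionary. The following audit script is an added example, not code from the original post, that turns that condition and the advice in this section into checks you can run on your own passphrase: is it in a common-password list, how much entropy does it carry, and how does a random string compare with a memorable multi-word phrase. The five-entry word list and the common-password list are constructed stand-ins for a real dictionary file, and the 500,000 guesses per second used for the cost estimate is an assumed rate, not a measurement.

```python
"""Audit a WPA/WPA2 passphrase against the dictionary attack described above
and generate strong replacements.

Added example. The wordlists here are constructed for the demo; a real audit
would read a large dictionary file one candidate per line, exactly as the
cracker does. The guess rate is an assumption used only for the cost estimate.
"""
import math
import secrets
import string

# Constructed stand-in for a dictionary .txt file: one candidate per line.
COMMON_PASSWORDS = set("""password
12345678
letmein1
sunshine
Summer2019
""".split())

# Constructed word list for memorable passphrases (a real one has thousands).
WORDS = ["copper", "lantern", "orbit", "velvet", "glacier", "thistle", "mosaic", "harbor"]

ASSUMED_GUESSES_PER_SECOND = 500_000   # assumption for the estimate below
SECONDS_PER_YEAR = 365 * 24 * 3600


def in_wordlist(passphrase, wordlist=COMMON_PASSWORDS):
    """The attacker's whole condition: the passphrase is cracked only if it is
    present, character for character, in the dictionary."""
    return passphrase in wordlist


def entropy_bits(passphrase):
    """Rough entropy of a *randomly chosen* string: characters times log2 of
    the alphabet implied by the character classes present. It says nothing
    useful about dictionary words, which is why in_wordlist runs first."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def expected_bruteforce_years(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to hit a random passphrase: half the keyspace at `rate`."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


def random_passphrase(length=20):
    """Random string of the kind the post recommends (hr#yN728ADqgx#12z)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def word_passphrase(n_words=6, words=WORDS):
    """Memorable alternative: n random words; entropy is n * log2(len(words)),
    so it depends on the list size, not on how odd the words look."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def audit(passphrase):
    bits = entropy_bits(passphrase)
    listed = in_wordlist(passphrase)
    return {
        "in_wordlist": listed,
        "length_ok": len(passphrase) >= 14,          # the post's minimum
        "entropy_bits": round(bits, 1),
        "expected_years": 0.0 if listed else expected_bruteforce_years(bits),
        "verdict": "weak" if (listed or len(passphrase) < 14) else "ok",
    }


if __name__ == "__main__":
    for candidate in ["sunshine", "hr#yN728ADqgx#12z", random_passphrase(), word_passphrase()]:
        print(candidate, audit(candidate))
```

Two things the output makes concrete: a listed password has an expected cost of zero however many character classes it mixes, and the memorable phrase only competes with the random string when the word list behind it is large, so use a real diceware-sized list rather than the eight words above.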

Otherwise, you may even want to switch to using WPA2 Enterprise for authentication. This is much stronger wireless security than using a WPA or WPA2 Personal preshared key. You can set it up yourself or purchase an Enterprise WiFi system. This looks just like a regular wireless access point, but all the enterprise authentication is contained within the device. There is a virtual radius server with users set up, so you don’t have to configure

The absolute best for the money is the Uqiwiu Access Point.