Hacking WPA / WPA2 Encrypted Networks

Part II of my Network Security How-To Series:
1)  ARP Spoofing from a Mobile Device
2)  Hacking WPA / WPA2 Encrypted Networks (This Tutorial)
3)  Defeating SSL / Encrypted Hijacking

Target of Attack:

- WPA/WPA2-PSK Wireless Networks

Tools Required:

- Any Computer with VMware software installed. (Download Here)
- Backtrack 5 VMware Virtual Machine. (Download Here)
- Compatible Network Adapter.

Common Terms Defined:

MAC Address

(Media Access Control Address) is a unique identifier assigned to network interfaces for communications on the physical network segment.

WAP

(Wireless Access Point) is a device that allows wireless devices to connect to a wired network using Wi-Fi

BSSID

(Basic Service Set Identification) is the MAC address of the WAP

ESSID

(Extended Service Set Identification) is the display name of the wireless network

WPA/WPA2

(Wi-Fi Protected Access / Wi-Fi Protected Access II) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks.

PSK

(Pre-Shared Key) is the term for the password defined in WPA/WPA2 encrypted networks.

Before we Begin:

The methods and tools used in this WPA / WPA2 hacking tutorial can be utilized without any previous knowledge, however it is best for the attacker to have an understanding of what is going on behind the scenes. My job with this tutorial is to break down each step of the attack process and explain it in a simplified manner. Assuming that the reader of this guide has no previous knowledge with hacking, Linux, or Network Security, I will take it slow (one step at a time). I know this stuff can be intimidating for beginners, but just follow the steps and you will start to understand the fundamentals of what is going on to be better protected against future malicious users.
It is important to note that hacking WEP is simple and is widely recognized as an inefficient encryption technique, thus why I have not covered it in this tutorial. Although WEP still exists in many places, most wireless networks these days have been configured with WPA/WPA2-PSK which are vulnerable to brute force attacks. I will explain that the success of hacking WPA/WPA2-PSK is only as good as the word list you are comparing against.

Step 1: Set up the VMware Software

Download and Install Required Software (FREE)
For the purpose of keeping this blog short, I am not going to provide instructions on how to download and install the VMware software. But the link and information to install VMware Player can be found below:
http://www.vmware.com/products/player/
After VMware is installed, you are going to want to download the Backtrack 5 R3 (32bit) virtual machine from the following link. Backtrack 5 is a Linux distribution that is used for many different types of penetration testing/network security and much more. The download is archived using 7-zip so you will have to extract the contents before using.
http://www.backtrack-linux.org/ajax/download_redirect.php?id=BT5R3-GNOME-VM-32.7z
With the software installed, make sure you are able to power up the virtual machine successfully. I have both Backtrack 5 R3 and the VMware View software running off my USB drive so I can operate it from any computer at any time. I have not seen any reduction really in performance because I am not really writing to the drive while its up and running.

USB Device with Backtrack + VMware Player

Step 2: Preparation for the Attack!

If you are not familiar with command prompt or terminal then some of this may look a little foreign but I am going to break it down as best I can, and if you follow my instructions and type exactly as shown, there should not be any issue and you should be on your way to becoming a network penetration tester in no time!

Part I: View Network Interface Information

Since my internal wireless adapter does not support monitor mode, I have purchased an Alfa AWUS036H Long-Range 802.11N USB Network Adapter (~$38).

Alfa AWUS036H Wireless USB Adapter

This of course is only needed in the case that your internal wireless adapter is not compatible. However, most USB wireless adapters will work with this process. I simply plug it into my USB port and make sure it is recognized in the virtual machine.
To view a list of the recognized interfaces, open up the console and type in the following command and press enter.

1

ifconfig

ifconfig – command to view interfaces

ifconfig command

We need to shut down the interface before we spoof the MAC address because the interface cannot be in operation during this time.Type the below command and press enter

1	ifconfig wlan0 down

wlan0 – network interface
down – shut down interface

ifconfig down command

Now we can spoof the MAC address of the network adapter, in this case we are just going to set a static “phony” MAC address of 00:11:22:33:44:55. Type the below command and press enter.

1	macchanger -m 00:11:22:33:44:55

macchanger – command to spoof MAC Address
-m 00:11:22:33:44:55 – specifying the MAC Address to spoof

Then after, we need to turn on the interface after the spoofed MAC address succeeded. Type the below command after MAC address spoof is finished and press enter

1	iwconfig wlan0 up

up – turn interface on

macchanger command

Part II: Enable “Monitor Mode” on your Network Adapter

Monitor mode will allow your network adapter to view all network traffic within range, along with identifying information for each network found. This command will activate monitor mode on mon0. You will be presented with a message stating that “Monitor mode enabled on mon0″

1	airmon-ng start wlan0

airmon-ng – command for monitor mode
start wlan0 – starting monitor mode on wlan0 interface

monitor mode command

Part III: Verify “Monitor Mode” is enabled

Verify mon0 on the list of interfaces. To see the configuration of the monitor mode interface, type the following command and press enter. You should then see mon0 listed in the command results

1	iwconfig mon0

iwconfig – command to view interface configuration
mon0 – interface used in monitor mode

Verify Monitor Mode

At this point, all the preparation is complete and we are now ready to move on to the fun stuff. The next stage will be choosing what network to perform the attack on.
Legal note: Hacking into networks is illegal, make sure you have been granted permission to test, or perform this on your own equipment. I cannot be liable for any misuse!

Step 3: Begin the Attack!

Now that the network interface is configured properly to monitor network traffic within range, we can proceed to selecting a target and performing the actual brute force attack.

Part I: Choose your victim!

Lets take a look at some of the network traffic within range of the wireless adapter. With the console still open, type in the following command and hit enter.

1	airodump-ng mon0

airodump-ng – command to view networks in range

List of Victims

As described above, you will be presented with an active list of all networks within range. The network that I have selected is my own. You see it labeled as “HackThisWiFi”. Here is the information that we will need for the next set of commands.
ESSID: HackThisWiFi
BSSID: 00:23:69:98:AC:05
Channel: 4
Encryption: WPA
Authentication: PSK

Part II: View all clients connected to Access Point

Now that we know which network to attack, we have to monitor that specific network and reveal any clients that may or may not be connected at that given time. In order for WPA / WPA2 hacking to work, it must capture the 4-way handshake that is accomplished when the client authenticates to the access point (AP).
Not only will we be viewing connected clients, but we will be capturing data specific to the HackThisWiFi access point and storing it to a capture file called “hackwpa”, type the following command and press enter.

1	airodump-ng --bssid 00:23:69:98:AC:05 -c 4 -w hackwpa mon0

00:23:69:98:AC:05 – Access Point MAC Address
-c 4 – Channel 4
-w hackwpa – write to file “hackwpa”
mon0 - network interface

View Clients of Access Point

Part III: DoS the Access Point

Denial of Service (DoS) is a good way to accelerate the process of capturing the 4-way handshake because it sends a message to the client saying that that it is no longer associated with the Access Point. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.
The following command will deauthenticate clients to hopefully force them to reauthenticate.

1	aireplay-ng -0 30 -a 00:23:69:98:AC:05 mon0

-0 30 – Send 30 DeAuth requests
-a 00:23:69:98:AC:05 – Access Point MAC Address
mon0 – Network Interface

Deauthenticate AP clients

Now that the clients have been deauthenticated from the AP, and the handshake has been captured sucessfully, we can start to process of cracking the PSK. (And you thought you were safe! ^-^)

Step 4: Time for PWNAGE!

Time to Crack the WPA / WPA2 Encryption using Aircrack
To accomplish this, you must have some type of wordlist to compare against the captured PSK. It essentially will check down the wordlist one by one until it reaches the correct key. This can be a very time consuming process and it takes quite a bit of processing power to execute. The faster your computer, the faster the key can be cracked. See the fun facts at the bottom of this post to get an understanding of password recovery speeds. There is also small dictionary that comes with aircrack-ng – “password.lst”. The file is found in the “test” directory of the aircrack-ng source code. Just send me an email and I can either send you my wordlist or show you how to create your own using crunch (default with Backtrack 5 R3).
Use the below command to start the cracking.

1	aircrack-ng -w wordlist.lst -b 00:23:69:98:AC:05 hackwpa*.cap

aircrack-ng – command for the password cracker
-w wordlist.lst – specifying the wordlist to use (wordlist.lst)
-b 00:23:69:98:AC:05 – specifying the bssid of the AP
hackwpa*.cap – specifying the capture file

Aircrack command to crack PSK

Let the password cracker work with as much processing resources as possible, it could take a long time depending on the complexity of the WiFi password used. In my case, I placed the PSK near the top of the text file so I did not have to wait very long for the cracker to parse the wordlist one by one. This would not be possible if I was not aware of the PSK prior, and I would have to wait until every string in the wordlist is compared.

WPA / WPA2 Hack Complete

Protection Against Brute Force WPA / WPA2 Attacks

There are many ways to help protect and defend against brute-force attacks, here are a few tips to keep your WiFi a little safer from malicious intruders

• Setup MAC Address Filtering on Router

This makes it so that only specifically “whitelisted” devices are able to connect to your network. But as you know, a savvy hacker can also monitor the MAC address of a whitelisted client and then spoof their own MAC to gain access. Most of the time, this is not the case…

• Use a Complex Passphrase:

Using a combination of special characters, lowercase and uppercase letters, and also numberic characters can make the process of brute-forcing so time intensive that a hacker may just give up and move to an easier target. For my own network, I do not use a passphrase less than 15 characters in length. An example of a “safe” password would be “Th3Sm1ThF@mi1yWirEles$NeTw0rk2013″. By using a relatively easy sentence and changing some characters around to dramatically increase the complexity, it would take years for this password to be brute-forced.

• Change the Password Frequently:

Like shown above, it could take hours, weeks, even years to brute-force passwords. If you change it on a regular basis, then you are going to be one step ahead of your potential attacker.

• Turn off your router when you are not home:

If you are not using the WiFi when you are away, why have it on? It only allows an attacker more time to find vulnerabilities to gain access. If you only have your WiFi on when you are home, then you are drastically reducing the attack-time of the malicious hacker

Fun Facts:

Some interesting statistics regarding password recovery speeds. This speeds listed here are estimates of the maximum time it would take a common dual-core workstation to brute force various types of passwords. Keep in mind that a lot of people these days have quad-cores or clusters of computers that make the password recovery speeds drastically more efficient.
Numerals [0-9]
0123456789
10 Character Password: 2 ¾ Hours
Only Upper Case Alpha [A-Z] -or- Only Lower Case Alpha [a-z]
ABCDEFGHIJKLMNOPQRSTUVWXYZ -or- abcdefghijklmnopqrstuvwxyz
8 Character Password: 5 ¾ Hours
Only Upper Case Alpha [A-Z] -or- Only Lower Case Alpha [a-z]
+ Numerals [0-9]
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ -or- 0123456789abcdefghijklmnopqrstuvwxyz
5 Character Password: Instant
Upper Case Alpha [A-Z] + Lower Case Alpha [a-z]
AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
8 Character Password: 62 Days
Upper Case Alpha [A-Z] + Lower Case Alpha [a-z] + Numerals [0-9]
0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
8 Character Password: 253 Days
Upper Case Alpha [A-Z] + Lower Case Alpha [a-z] + Special Char
AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz!”#$%&’()*+,-./:;?@[\]^_`{|}~
8 Character Password: 23 Years
As always, thanks for reading and please make sure to drop a comment below with your thoughts.