Cracking WPA/WPA2 Pre-shared Key

This tutorial illustrates cracking of the pre-shared key that is needed to gain access to a WPA/WPA2 network. Instead of explaining the theory behind the attack, I focus on providing commands that you can easily copy and paste to penetrate the network. However, I strongly recommend getting background on this topic from online resources before experimenting, so that you understand what is going on under the hood.

Note: This tutorial is written for demonstration purposes only. I am not liable for any damage. Please be aware that cracking into a network that is not yours is illegal. Therefore, I highly recommend that you use your own devices.

Our goal is to capture the WPA/WPA2 authentication handshake and use the aircrack-ng suite to crack the pre-shared key. The handshake can be captured either passively or actively. The passive way can be time consuming, as the attacker waits for a client to authenticate to the WPA/WPA2 network. The active way speeds up the whole process: the attacker deauthenticates an existing wireless client (or all clients) in order to obtain the handshake, because the clients must then re-authenticate. However, this method is loud and may attract unwanted attention if many deauthentication attempts are made.

Passphrase:
The length of the pre-shared key is 8 to 63 characters. Finding a random 20-character key by brute force is infeasible in any reasonable time unless the passphrase is in a dictionary. For the purpose of demonstration, we are going to brute force a passphrase of 9 characters. The passphrase is in the notoriously well-known dictionary rockyou.txt.

WPA/WPA2 authentication handshake:
The 4-way handshake is the exchange of four messages between the AP (authenticator) and the client (supplicant) to generate the encryption keys used to protect data sent over the wireless medium. During the handshake, the PTK (Pairwise Transient Key) is generated; it is used to encrypt traffic between the station and the AP and is unique to each client/AP pair (1). An example of a captured handshake between the AP (94:44:52:4a:d1:54) and the client (00:b5:d0:f0:c7:81) is depicted in Picture 1.

Picture 1 - Example of 4-way Handshake

Note: Here is captured traffic with 4-way handshake file - output_file-01.7z.
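As an added illustration (mine, not part of the original post), the Python below shows what the cracking step later in this tutorial has to compute for every dictionary candidate: the PMK from which the handshake's PTK is derived, i.e. PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, as 802.11i specifies. It also turns the 5346 keys/s figure measured at the end of the tutorial into exhaustive-search times. The function names, the constructed candidate passphrases and the alphabet sizes are my assumptions.

```python
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
PMK_LEN = 32
SECONDS_PER_YEAR = 365 * 24 * 3600
MEASURED_KEYS_PER_SECOND = 5346   # aircrack-ng rate reported in this tutorial (all CPUs)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit Pairwise Master Key of a WPA/WPA2-Personal network.

    The PTK negotiated in the 4-way handshake is derived from this PMK, so a cracker
    has to repeat this 4096-round derivation for every dictionary candidate and uses
    the captured handshake only to check whether the candidate PMK was the right one.
    """
    if not 8 <= len(passphrase) <= 63:               # length rule quoted in the tutorial
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def years_to_exhaust(alphabet_size: int, length: int,
                     keys_per_second: float = MEASURED_KEYS_PER_SECOND) -> float:
    """Worst-case years needed to try every passphrase of this alphabet and length."""
    return alphabet_size ** length / keys_per_second / SECONDS_PER_YEAR


def measure_derivations_per_second(count: int = 200) -> float:
    """Rough single-core PMK rate of this script's PBKDF2 call on the current host."""
    start = time.perf_counter()
    for i in range(count):
        derive_pmk(f"candidate-{i:06d}", "HackMeIfYouCan")   # constructed candidates
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # SSID and passphrase of the tutorial's own test network.
    print("PMK(submarine, HackMeIfYouCan) =", derive_pmk("submarine", "HackMeIfYouCan").hex())
    print(f"this host: ~{measure_derivations_per_second():.0f} PMK derivations/s (one core)")
    # Why a 9-character dictionary word falls but a random 20-character passphrase does not:
    print(f"all 26^9 lowercase strings: {years_to_exhaust(26, 9):.1f} years at 5346 keys/s")
    print(f"all 95^20 printable strings: {years_to_exhaust(95, 20):.2e} years at 5346 keys/s")
```

The 26^9 figure (about 32 years at 5346 keys/s) is why the attack only works when the passphrase is in the dictionary: rockyou.txt is searched in minutes, the full 9-character space is not.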

Used Equipment:
AP: Belkin F5D8235-4 v2
AP MAC (BSSID): 94:44:52:4a:d1:54
ESSID: HackMeIfYouCan
Wireless AP channel: 1
Passphrase: submarine

Client OS: Samsung Galaxy XCover 4
Client MAC: 00:b5:d0:f0:c7:81

Attacker OS: Linux Debian 10
Attacker MAC: 72:0d:2e:7d:2b:91
Wireless monitoring interface: wlp3s0mon

The wireless NIC and the kernel driver used are depicted in Picture 2.

Picture 2 - Wireless Network Card

1. Aircrack-ng Installation and Switching Wireless NIC from Managed to Monitor Mode

$ sudo apt install aircrack-ng

By default, the wireless NIC is in managed mode and not associated with any AP (Picture 3).

Picture 3 - Wireless Network Card in Managed Mode

In order to capture all traffic on a wireless channel without being associated with an AP, we must switch the wireless NIC from managed mode to monitor mode with the command:

$ sudo airmon-ng start wlp3s0

Once we enter the command, a new interface wlp3s0mon is created (Picture 4).

Picture 4 - Wireless Interface wlp3s0mon in Monitor Mode

Note: In order to switch back from monitor to managed mode, replace the start keyword with stop.

2.1. Capture 4-way Authentication Handshake

Start capturing traffic on the wireless channel with the airodump-ng utility. You may end up with the error message depicted in Picture 5.

$ sudo airodump-ng wlp3s0mon

Picture 5 - RF-kill Error Message

In order to investigate the message, list the devices with the command:

$ sudo rfkill list all

Picture 6 - List of Blocked Wireless Devices

In order to unblock the wifi device, issue the command:

$ sudo rfkill unblock wifi

Note: If your device is hard blocked, it may have been blocked by a hardware switch (Fn + F9 combination on Lenovo) or in the BIOS. In my case, the hard-blocked device phy0 was unblocked with the rfkill command as well.

Picture 7 - Unblocked Wifi Devices

Check that we can now run the airodump-ng command without any issues (Picture 8).

$ sudo airodump-ng wlp3s0mon

We have got the MAC address of the access point of interest - BSSID: 94:44:52:4A:D1:54. There is a station with MAC address 00:B5:D0:F0:C7:81 associated with the AP. If we are patient enough, we should be able to capture a handshake for any of the BSSIDs listed in Picture 8. As mentioned, this process depends entirely on how often clients authenticate to the WPA/WPA2 network.

Picture 8 - Getting 4-Way Authentication Handshake

Terminate the running capture with CTRL-C. We are now going to capture only traffic for the AP with BSSID 94:44:52:4A:D1:54 and save it to the file output_file. The channel number is 1.

$ sudo airodump-ng --bssid 94:44:52:4A:D1:54 -c 1 --write output_file wlp3s0mon

Picture 9 - Getting 4-Way Authentication Handshake

2.2 Accelerate the Process of Capturing the 4-way Authentication Handshake

If there are not many wireless clients trying to authenticate to the WPA/WPA2 network, capturing the 4-way handshake may take too long. In that case, aireplay-ng may give us a hand and shorten the time required for the attack (Picture 10). This method, however, relies on de-authenticating existing wireless clients from the network, which can have legal consequences.

$ sudo aireplay-ng -0 100 -a 94:44:52:4A:D1:54 wlp3s0mon

-0: deauthentication attack against all stations of a particular AP
100: number of deauthentication frames sent to all clients
-a: MAC address of the AP (BSSID)

Picture 10 - Sending Deauthentication Frames to All Stations Associated with BSSID 94:44:52:4A:D1:54

After a while, we have successfully captured the 4-way handshake for BSSID 94:44:52:4A:D1:54 (Picture 11).

Picture 11 - Successfully Captured 4-way Handshake

Now stop capturing traffic with the interrupt signal (CTRL-C).
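From the defender's side, the burst of deauthentication frames sent in this section is easy to spot in a monitor-mode capture, because legitimate clients disconnect rarely. The following added Python example (mine, not from the post) decodes the fixed 802.11 MAC header of raw management frames and flags any BSSID that sources more deauthentication frames within a one-second window than a threshold; the sample capture is constructed inline with the tutorial's BSSID, and the threshold, window and function names are my assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12      # 802.11 management subtype 0b1100 = Deauthentication
FLOOD_THRESHOLD = 5      # deauths from one BSSID inside WINDOW_SECONDS (assumed policy)
WINDOW_SECONDS = 1.0


def parse_mgmt_header(frame: bytes):
    """Decode an 802.11 management frame's fixed header (little-endian: frame control 2,
    duration 2, addr1/dst 6, addr2/src 6, addr3/bssid 6, seq 2). None if not management."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:                       # frame type 0 = management
        return None
    mac = lambda off: ":".join(f"{b:02x}" for b in frame[off:off + 6])
    return {"subtype": (fc >> 4) & 0xF, "dst": mac(4), "src": mac(10), "bssid": mac(16)}


def detect_deauth_flood(frames, threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in capture order.
    Returns one (bssid, dst, count) alert per BSSID whose deauth rate crosses threshold."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in frames:
        rec = parse_mgmt_header(raw)
        if rec is None or rec["subtype"] != DEAUTH_SUBTYPE:
            continue                                # beacons, probes, data frames are ignored
        q = recent[rec["bssid"]]
        q.append(ts)
        while ts - q[0] > window:                   # slide the window forward
            q.popleft()
        if len(q) >= threshold and not any(a[0] == rec["bssid"] for a in alerts):
            alerts.append((rec["bssid"], rec["dst"], len(q)))
    return alerts


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Constructed sample frame for this demo only (no radiotap header, no FCS)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack("<HH", subtype << 4, 0) + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body


BSSID, BROADCAST = "94:44:52:4a:d1:54", "ff:ff:ff:ff:ff:ff"   # the tutorial's AP
# Constructed capture: a beacon (subtype 8), then a deauth burst like the aireplay-ng -0 run (reason code 7 body)
SAMPLE_CAPTURE = [(0.0, build_mgmt_frame(8, BROADCAST, BSSID, BSSID))] + [
    (0.1 + i * 0.01, build_mgmt_frame(DEAUTH_SUBTYPE, BROADCAST, BSSID, BSSID, struct.pack("<H", 7)))
    for i in range(20)]

if __name__ == "__main__":
    for bssid, dst, n in detect_deauth_flood(SAMPLE_CAPTURE):
        print(f"ALERT: {n} deauthentication frames from {bssid} to {dst} within {WINDOW_SECONDS}s")
```

On a real capture you would feed it the frames from the airodump-ng .cap file (after stripping the radiotap header) with their pcap timestamps; 802.11w (management frame protection) is the mitigation that stops forged deauths from being honoured at all.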

3. Cracking Pre-shared Key

We are going to use aircrack-ng to crack the pre-shared key. In order to do this, we need to download a dictionary and hope that the key is listed in it.

$ wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Once we have the dictionary rockyou.txt, we can start brute forcing the passphrase (Picture 12). This can be quite a CPU-intensive task, as aircrack-ng depends entirely on the CPU to find the key.

$ sudo aircrack-ng -w rockyou.txt -b 94:44:52:4A:D1:54 output_file-01.cap

Picture 12 - Pre-shared Key Found

After a while, aircrack-ng found the pre-shared key submarine listed in the dictionary rockyou.txt. The average speed is 5346 keys per second when all CPUs are used (the default). To measure your own speed, run aircrack-ng with the flag -S (Picture 13).

Picture 13 - Aircrack-ng Speed Test

To get information about your CPU, use aircrack-ng with the flag -u.

Picture 14 - Checking CPU Type with Aircrack-ng

End.