Subscribe to Blog via Email

Categories

Archives

Wireless Penetration Testing

Wireless Penetration Testing: Password Cracking

In this article, we will be demonstrating the various methods that can be used for Password Cracking for performing Penetration Testing on Wireless Devices.

Table of Content

  • Introduction
  • Simulation Mechanism
  • Pre-requisites
  • Initial Setup
  • Password Cracking
    • Aircrack-ng
    • cowpatty
    • Hashcat
    • John The Ripper

Introduction

Brute-forcing is probably one of the most well-known techniques when it comes to gaining access. It’s a soft cushion to land upon when nothing seems to work anymore and rightfully so since the majority of network devices and applications lack the resilience to effectively detect and prevent brute-force attacks, it comes as an effective attack. In this article, we’ll be focusing on various Wi-Fi password brute-forcing tools to demonstrate how easy it can be for an attacker to guess your Wi-Fi password and the necessity to keep a complex password.

Simulation Mechanism

Since we don’t want to be breaking into unauthorized devices, we’ll set up our own lab. And by the lab I mean we’ll use our own Wi-Fi access point, keep a password that we know, forget the device and attempt brute forcing using a dictionary containing that password.

Pre-requisite

If you are using a virtual machine with Kali Linux, you would need an external Wi-Fi adapter because virtual machines by default are bridged or natted to the adapter you specify and won’t detect the WLAN interface. So, kindly research and buy an external adapter capable of going into monitor mode. And thereafter, go to your VM settings and connect that adapter to your virtual machine.

Initial Setup

Let’s first set up the password of our access point here. Let’s say raaj:raj12345

We are good to go now and since the password has changed you obviously aren’t connected to the access point. Before going any further, let me throw out some theory now. In the previous article here we saw some background about monitor mode and Wlan interface. Let’s begin by putting our Wi-Fi adapter in monitor mode first.

Assuming that the Wi-Fi interface is Wlan0, the command is:

airmon-ng start wlan0

We are using the airmon module for this which comes with built-in Kali Linux. Next, we’ll have to scan for the access point (here, SSID=raaj). If you check your interfaces with the iwconfig command now you’d see your Wlan0 has been transformed to Wlan0mon. Good for us. Now we scan access points around us

airodump-ng wlan0mon

This should start scanning for Access Points’ SSIDs and BSSIDs (Basic service set identifiers or simply a 48 bit MAC) around you. We see raaj in there too.

Now let us understand this screen first. On the top left you see CH 3 written. That is a Wi-Fi channel.

Definition: In layman terms, a Wi-Fi channel is a path on which Wi-Fi packets travel to and from your device to the access point.

A 2.4 GHz Wi-Fi uses 11 channels and a 5 GHz Wi-Fi uses 45 channels. Each channel may vary or depending on what the vendor may use– higher or lower channel size is possible but generally is under 100 MHz in width. Your Wi-Fi access point uses a specified channel to transmit data. This channel to transmit can be manually configured in access points. A Wi-Fi adapter, however, just like your FM receiver can tune to listen to any channel.

Analogy: Just like radio channels, a Wi-Fi adapter working on channel 3 (lets say a 60 MHz frequency) won’t listen to what’s happening on channel 6 (let’s say a 100 MHz frequency) until you tune it to listen to channel 6. But your Wi-Fi adapter/NIC is able to change its listening channel automatically. We’ll use airodump-ng to specify a channel later in this article.

Now that I have the target, I will capture a handshake.

Handshake: A handshake in Wi-Fi is a mechanism by which an access point authenticates a client to onboard it and use its services. The cool thing to note is that in a handshake, the pairwise master key (PMK) is not transferred in this handshake so you can’t directly grab the PMK otherwise it would be a major vulnerability. Rather, this handshake file has something called a message integrity check (MIC) which is a combination of your Wi-Fi passphrase, nonce (random numbers), SSID and some other keys.

Goal: Our goal is to capture this handshake file (.cap file), extract juicy information and brute force against the MIC to finally obtain a password. Since MIC is analogous to a hash in Wi-Fi, we need a dictionary to calculate hashes and compare against the value given in the handshake capture and confirm the password.

Since a handshake is happening on a channel, we can use the same channel to see what a handshake file looks like. But since this handshake only occurs when a user authenticates, we have to wait for a client to connect himself or deauthenticate the client and force him to connect  (yeah, possible).

We saw in the above screenshot that “raaj” operates on channel 3 with a given BSSID. Let’s use airodump to capture a handshake file.

airodump-ng wlan0mon -c3 --bssid 18:45:93:69:A5:19 -w pwd

-c : channel

-w : name to save as

Now, while airodump would wait for a handshake, we can’t just sit quietly. We have to force a user to reauthenticate by deauthenticating him. It can be done by aireplay-ng like this:

aireplay-ng --deauth 0 -a 18:45:93:69:A5:19 wlan0mon

And it seemed to have worked like magic as you can see the client has re-authenticated and we have a handshake! The file is saved as pwd-01.cap

Aircrack-ng

For simplicity, I’ll rename it to “handshake.cap” and run aircrack-ng using a very long dictionary of millions of most common passwords and some passwords I created from the information about my target! Let’s call it dict.txt. And instead of millions let’s only add 5-10 passwords because we already know it and just have to demonstrate the attack!

So, the command is:

aircrack-ng handshake.cap -w dict.txt

 

As evident below, we have the password thanks to aircrack.

cowpatty

The same method can be done using another well-known tool called cowpatty. Link here. During my testing, the “handshake.cap” got renamed to “wifi.cap” so don’t get confused.

cowpatty -r wifi.cap -f dict.txt -s raaj

-s: SSID

It worked like a charm!

Hashcat

For this next method, we would need to install hashcat first. It is the undisputed go-to tool when we talk about hash cracking. You can download it from here. In Kali Linux, hashcat is preinstalled with utilities as well. We would use the “cap2hccapx” script for this method.

hccapx: It is a custom format specifically developed for hashcat for usage on WPA and WPA2.

cap2hccapx would convert the .cap file to .hccapx and hashcat would be able to bruteforce against it.

We can do this by:

cd /usr/share/hashcat-utils
./cap2hccapx.bin /root/wifi.cap /root/wifi.hccapx

It is done. We now need to run hashcat to brute force this file:

hashcat -m 2500 wifi.hccapx dict.txt --show

-m : hash type. 2500= WPA/WPA2 hashes

Quiet simple.

John The Ripper

The same can be done using john the ripper too. We just need to convert it into a standard john hash file. This can be done using the hcxpcapng tool like:

hcxpcapngtool --john hash.john wifi.cap

A gorgeous thing to observe here is the contents of the capture file! Juicy, isn’t it? Let’s use john to crack the hash now:

john --format=wpapsk --wordlist dict.txt hash.john
john --show hash.john

Second Method

For all the pros who converted .cap to .hccapx, here’s the last method for you. You can use the hccap2john script pre-existing in your Kali to convert that .hccapx file to a John hash!

/usr/sbin/hccap2john wifi.hccpax > wifihash

And finally, use John to crack it

john --wordlist=/root/dict.txt --format=wpapsk wifihash

We learnt various methods to brute force a captured handshake .cap file. The aim is to have multiple arrows in your quiver so if one technique fails you, you know how you can cross it over. Thanks for reading.

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *