Written by G3N3T1C5
Over the course of the past several months I have spent a good bit of time diving into this subject and thought I would share it with the community. This is meant to be simple and comprehensive, giving a basic understanding of the vulnerabilities in each of these security protocols and a how-to guide on attacking each of them.
What you will need
VMWare or VirtualBox
Kali Linux VM
External WiFi Dongle
(I use a TP-Link TL-WN722N)
Breaking into a WEP Secured Access Point
Wired Equivalent Privacy (WEP) is an outdated security algorithm and has been superseded by Wi-Fi Protected Access (WPA/WPA2). It is important to understand why it is flawed, and if you know anyone who is still using WEP please let them know how easy it is to penetrate. Over the past year I took a Wireless Networking course; in one of the classes the instructor set up a WEP-secured router and we were to break into it. Using a simple tool supplied in the Kali Linux suite called Wifite, I was able to get the key in 36 seconds. Hopefully this gives you an understanding of how insecure WEP is.
Without going into extreme detail, the principle behind finding the passphrase is capturing Initialization Vectors (IVs), also called Starting Variables (SVs). WEP uses a stream cipher called RC4 (ARCFOUR), and a stream cipher must never use the same traffic key twice. IVs are used to prevent repetition in the key stream, but when a network is busy with traffic there is a high probability that an IV will eventually repeat.
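The claim that a busy network will eventually repeat an IV can be put in numbers. The following is an added example, not part of the original post: it assumes WEP's 24-bit IV field (a fact about the protocol that the post does not state) and models each frame as picking an IV uniformly at random, which is the birthday-bound case. Hardware that simply increments the IV is not random, but it is guaranteed to wrap after 2^24 frames, so the repeat is certain rather than merely probable.

```python
"""Birthday-bound arithmetic for WEP IV reuse (added example, not from the post)."""
import math

IV_BITS = 24                 # WEP carries a 24-bit IV in the clear (protocol fact)
IV_SPACE = 2 ** IV_BITS      # 16,777,216 distinct IV values


def iv_repeat_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Exact probability that at least one IV value is used twice among
    `frames` frames, assuming IVs are chosen uniformly at random.

    Computed as 1 - prod_{i=0}^{frames-1} (1 - i/iv_space), accumulated in
    log space so that large frame counts do not underflow.
    """
    if frames > iv_space:
        return 1.0                      # pigeonhole: a repeat is unavoidable
    log_no_repeat = 0.0
    for i in range(frames):
        log_no_repeat += math.log1p(-i / iv_space)
    return 1.0 - math.exp(log_no_repeat)


def expected_repeated_pairs(frames: int, iv_space: int = IV_SPACE) -> float:
    """Expected number of frame pairs sharing an IV: C(frames, 2) / iv_space."""
    return frames * (frames - 1) / (2 * iv_space)


def frames_for_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Approximate number of frames after which a repeat has occurred with
    probability p, from the approximation P ~ 1 - exp(-n^2 / (2N))."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(-2 * iv_space * math.log(1.0 - p)))


if __name__ == "__main__":
    # 10,000 IVs is the figure the post gives for when cracking starts.
    for n in (1000, 4823, 10000, 50000):
        print(f"{n:>6} frames: P(repeat) = {iv_repeat_probability(n):.3f}, "
              f"expected colliding pairs = {expected_repeated_pairs(n):.2f}")
    print("frames for a 50% chance of a repeat:", frames_for_probability(0.5))
```

With the post's 10,000-frame figure the chance of at least one repeated IV is about 95%, with roughly three colliding pairs on average, and a 50% chance is already reached after roughly 4,800 frames. Each repeat gives an eavesdropper two ciphertexts under the same keystream, which is why no amount of traffic shaping fixes WEP and the only mitigation is to retire it.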
We are going to use wifite for breaking WEP
Open up a command prompt in Kali and run wifite with the --wep option.
The program should start and put your Wi-Fi adapter in monitor mode, and because we added --wep to the command it will listen only for WEP-secured networks. If you have a router to test this out with, wait until it displays the SSID you chose. When wifite has found it, press CTRL+C, type the number next to your SSID in the list and press Enter. Wifite should begin its attack on the network.
As you can see from the picture above, at around 10,000 IVs it will start cracking the passphrase and will display it for you once it is done. One thing about Wifite that I haven't had much luck with, but hopefully those of you who use this guide will, is that it performs various attacks to help obtain the key quicker, such as an ARP replay attack. If there is no traffic within the network it will take forever to gather over 10,000 IVs. Basically, an ARP replay attack generates traffic so that you do not have to wait for a client on the network to do it.
Breaking into a WPA2 Secured Access Point
WPA2 (Wi-Fi Protected Access 2) is what is used to secure most access points today. This typically takes much longer to break into than a WEP-secured network. Instead of capturing IVs, we need to capture a WPA handshake, which happens when a client connects to an access point. This 4-way handshake carries a hash derived from the plaintext password for the network; fortunately for us, and yet unfortunately for us, the purpose of a hash is to prevent a hacker from ever finding out the plaintext password. So once we have captured the handshake, we will run a rainbow table against the hash. Kali Linux already has a rainbow table in it called rockyou.txt, which has around 14,000,000 passwords in it. If you end up wanting a larger rainbow table there are more available on the internet; the largest I have found is 1.43 billion passwords. There will be 5 steps in breaking into a WPA2-secured access point.
1. Find out the BSSID (Basic Service Set ID) or MAC (Media Access Control) Address of the Access Point
2. Begin to monitor traffic from the clients to the access point.
3. Launch a DeAuth Attack (De-Authentication) against a client within the network.
4. Capture the handshake from the client we have de-authenticated from the network when it re-connects.
5. Run aircrack using our rockyou.txt rainbow table to obtain the password.
STEP 1:
We first need to find out the interface name of our Wi-Fi dongle. In a command terminal type iwconfig and your adapter should be displayed, typically as wlan0. After that we need to put it in monitor mode.
root@kali:~# airmon-ng start wlan0
STEP 2:
Running airodump-ng on the monitor interface (mon0) should display the Wi-Fi networks around you and the clients your adapter can see connected to them. You will need the BSSID and the CH (channel) for the next part.
After we have found this information about the network we will narrow our view to just that access point and its clients, and write a capture file when the WPA handshake is found.
root@kali:~# airodump-ng -c (your channel) --bssid (MAC address of the access point) -w (whatyouwanttocallthefile) mon0
(mon0 is the monitor interface we set earlier)
Here is an example:
root@kali:~# airodump-ng -c 1 --bssid 00:FF:1C:A2:90:1D -w pentest mon0
You should see something like this.
This needs to stay running until a handshake is captured. We can either leave it on and wait for a client to join the network, or we can force a client to rejoin using a DeAuth attack.
STEP 3 and STEP 4:
This step will be short and sweet; you will need both the MAC address of the access point and that of the client.
To launch the attack, open up another terminal; do not close the one monitoring traffic. In the new terminal type:
aireplay-ng -0 25 -a (MAC of Access Point) -c (MAC of Client) mon0 (interface)
Example:
aireplay-ng -0 25 -a 00:FF:1C:A2:90:1D -c 99:C4:FF:5F:8A:B8 mon0
This will cause the client to disconnect from the network; when the attack stops the client will rejoin and you will capture a WPA handshake. The number "25" in the line is how many times aireplay will send DeAuths to the client. If a few minutes go by and you still haven't captured a handshake you may want to send another attack and increase the number.
STEP 5:
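Step 3 works because 802.11 deauthentication frames carry no integrity protection, so a burst of them is also the clearest signal a wireless IDS can alert on. The detector below is an added example written for this post; it is not part of the original and not part of the aircrack-ng suite. It parses a minimal 802.11 management header, keeps a sliding window of deauthentication frames per transmitter/receiver pair, and raises an alert when the count in the window crosses a threshold. The capture it runs over is constructed inline: the MAC addresses are the sample values from the post, and the reason code, timing, window and threshold are assumptions chosen for the demonstration.

```python
"""Deauthentication-flood detector over raw 802.11 frames (added example, not from the post)."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type 0 = management
DATA_TYPE = 2          # frame type 2 = data
BEACON_SUBTYPE = 8     # management subtype 8 = beacon
DEAUTH_SUBTYPE = 12    # management subtype 12 = deauthentication


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw6: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw6)


def build_frame(frame_type, subtype, addr1, addr2, addr3, body=b"") -> bytes:
    """Build a minimal 802.11 frame: FC(2) Duration(2) A1(6) A2(6) A3(6) SeqCtl(2) body.
    Byte 0 of Frame Control packs subtype (high nibble), type (bits 2-3), version (bits 0-1)."""
    fc = bytes([(subtype << 4) | (frame_type << 2), 0x00])
    return (fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + b"\x00\x00" + body)


def parse_frame(raw: bytes) -> dict:
    """Decode the fields the detector needs; reason code only for deauth frames."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "receiver": mac_str(raw[4:10]),       # Address 1
        "transmitter": mac_str(raw[10:16]),   # Address 2 (spoofable, unauthenticated)
        "bssid": mac_str(raw[16:22]),         # Address 3 is the BSSID for management frames
        "reason": None,
    }
    if frame["type"] == MGMT_TYPE and frame["subtype"] == DEAUTH_SUBTYPE and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]   # little-endian reason code
    return frame


class DeauthFloodDetector:
    """Alert when one transmitter sends `threshold` deauth frames to one receiver
    within `window_seconds`. A single deauth is normal; a burst is not."""

    def __init__(self, threshold: int = 10, window_seconds: float = 5.0):
        self.threshold = threshold
        self.window = window_seconds
        self.recent = defaultdict(deque)    # (transmitter, receiver) -> timestamps

    def observe(self, ts: float, raw: bytes):
        f = parse_frame(raw)
        if f["type"] != MGMT_TYPE or f["subtype"] != DEAUTH_SUBTYPE:
            return None
        q = self.recent[(f["transmitter"], f["receiver"])]
        q.append(ts)
        while q and ts - q[0] > self.window:      # drop timestamps outside the window
            q.popleft()
        if len(q) == self.threshold:              # alert once, at the crossing point
            return {"transmitter": f["transmitter"], "receiver": f["receiver"],
                    "bssid": f["bssid"], "reason": f["reason"], "count": len(q),
                    "first_seen": q[0], "last_seen": ts}
        return None


def sample_capture():
    """Constructed traffic: a beacon, a few data frames, one ordinary broadcast
    deauth from another AP, then a 25-frame deauth burst aimed at one client."""
    ap, client, other_ap = "00:ff:1c:a2:90:1d", "99:c4:ff:5f:8a:b8", "02:11:22:33:44:55"
    frames = [(0.0, build_frame(MGMT_TYPE, BEACON_SUBTYPE, "ff:ff:ff:ff:ff:ff", ap, ap))]
    frames += [(0.5 + i, build_frame(DATA_TYPE, 0, ap, client, ap)) for i in range(3)]
    frames.append((1.0, build_frame(MGMT_TYPE, DEAUTH_SUBTYPE, "ff:ff:ff:ff:ff:ff",
                                    other_ap, other_ap, struct.pack("<H", 3))))
    burst = struct.pack("<H", 7)   # reason 7: class 3 frame from non-associated STA (assumed)
    frames += [(4.0 + 0.05 * i, build_frame(MGMT_TYPE, DEAUTH_SUBTYPE, client, ap, ap, burst))
               for i in range(25)]
    return sorted(frames, key=lambda item: item[0])


def run_detector(frames, threshold: int = 10, window_seconds: float = 5.0) -> list:
    det = DeauthFloodDetector(threshold, window_seconds)
    return [a for ts, raw in frames if (a := det.observe(ts, raw)) is not None]


if __name__ == "__main__":
    for alert in run_detector(sample_capture()):
        print("DEAUTH FLOOD:", alert)
```

The frames are synthetic and are built and parsed by the same code, so the block runs offline; the same observe() loop can be fed frames from a monitor-mode capture once the radiotap header has been stripped. Clients and access points that enable Protected Management Frames (802.11w, mandatory in WPA3) discard deauthentication frames that fail integrity protection, which removes this forcing step entirely.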
Once it shows that you have captured a WPA handshake (if you did, it will be displayed next to the time and date, circled green in my screenshot), press CTRL+C to stop airodump. We are now going to run aircrack with our rainbow table against the handshake; if the password is in our database it will compare the 2 hashes, and if they match it will display the password for you. I chose a password that I knew was in the rockyou.txt table. At a rate of 600 keys a second it should take you around 8 hours to go through the entire file.
The command is:
aircrack-ng -w rockyou.txt (what you chose for the name of the capture file)-01.cap
Example:
aircrack-ng -w rockyou.txt pentest-01.cap
This concludes my guide on WEP and WPA2.
If you liked this guide or have questions you can leave a comment and I will try and respond to you soon =)