
Wireless Hacking - Part 9

HACKING WPA2-PSK WITH KALI LINUX

A wireless network is a network that uses radio waves to connect computers and other similar devices. The implementation sits at the physical layer (Layer 1) of the OSI model.

WPA2 (Wi-Fi Protected Access 2) is a wireless security protocol that uses AES encryption with CCMP, the replacement for TKIP. It is stronger than the earlier wireless security protocols (WEP, WPA).

WPA2 pre-shared keys are derived from passphrases. This is the weakness I will exploit to crack a WPA2-protected network and gain access to it. Doing so requires software and hardware resources, and patience. The success of such attacks also depends on how active or inactive the users of the target network are. We are going to take a step-by-step look at how you can break WPA2 using Kali Linux.

Our attack tool is the aircrack suite of tools in Kali Linux, and we will employ the sniffing method, which involves intercepting packets as they are transmitted over a network. If you feel you have the necessary skills, let’s begin:

These are things that you’ll need:

    ● A successful install of Kali Linux (which you can easily obtain).
    ● A wireless adapter capable of injection/monitor mode. Some computers have network cards capable of this from the factory.
    ● Be within the target network’s radius.
    ● A wordlist to attempt to “crack” the password once it has been captured.
    ● Time and patience.

If you have these, then roll up your sleeves and let’s see how secure your network is!

Important notice: Hacking into anyone’s Wi-Fi without permission is considered an illegal act or crime in most countries. We are performing this tutorial for the sake of penetration testing, hacking to become more secure, and I’m using my own test network and router.

Step 1:

Open a terminal and find the name of your wireless adapter by typing iwconfig. Look at the result (here my wireless adapter is ‘wlan0’).

Your computer has a number of network adapters, so to scan with one you need to know its name. The interfaces you will typically see are:

● lo - loopback. Not important currently.
● eth - Ethernet.
● wlan - This is what we want. Note the suffix associated with it (wlan0 in my case).

Step 2:
Enable Monitor Mode

We use a tool called airmon-ng to create a virtual monitor-mode interface. Type airmon-ng start followed by the interface name of your wireless card. Mine is wlan0, so my command would be:

airmon-ng start wlan0

Here our newly created virtual interface is called wlan0mon.

Step 3:
Capturing Packets.

We’ll use airodump-ng to capture packets in the air; this tool gathers data from all wireless packets within our reach. To start it, type airodump-ng followed by the name of the new monitor interface (wlan0mon). Airodump-ng will then list all of the wireless networks it sees, along with a lot of useful information about them.

We will locate a network to hack (ensure that you hack only your own network or a network you have permission to hack). Once you’ve spotted your network on the ever-populating list, hit Ctrl + C on your keyboard to stop the process. Note the channel of your target network.

Our test network is “mask”.

You can also force the wireless card to scan and report all wireless networks in the vicinity using this command:

As you can see from the figure above, our target network (MASK) is also displayed.

Focus on the Target Network

Our next step is to focus our efforts on “mask” and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:

airodump-ng --bssid [BSSID of mask] -c [channel] --write [file prefix you want to write to] [interface]

As you can see in the screenshot above, we're now focusing on capturing data from one AP/router with an ESSID of Mask on channel 11.

Capture the handshake

We will leave the airodump-ng screen open; it tells us when we have a WPA2 handshake. In order to capture the encrypted password, we need a client to authenticate against the AP/router: we have to catch a user in the act of authenticating to get a valid capture. Airodump-ng will display a handshake confirmation in the upper right hand corner of the screen when it captures one.

We can also de-authenticate them (kick them off); their system will automatically re-authenticate, and we can grab their encrypted password from the 4-way handshake process.

The two scenarios:

1. waiting

What we’re really doing now is waiting for a device to connect. Once this happens, we get a handshake as shown below:

2. force re-authentication

Really don’t like waiting for a new device to connect? No, that’s not what impatient hackers do. We’re actually going to use another tool from the aircrack suite, aireplay-ng, to achieve this. Instead of waiting for a device to connect, we will use it to force an already connected device to reconnect by sending deauthentication (deauth) packets to the client, thereby making it reconnect to the network.
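The reason aireplay-ng can do this is that, without 802.11w Protected Management Frames (optional in WPA2, mandatory in WPA3), deauthentication and disassociation frames carry no authentication, so any radio can send them in an AP's name. The defender's counterpart is to notice the burst. The following is an added example, not code from this article or from the aircrack suite: a small parser for raw 802.11 management headers and a sliding-window detector that flags a BSSID when deauth/disassoc frames exceed a threshold within a short window. The MAC addresses and the frames are constructed in sample_capture(); a real feed would come from a monitor-mode capture with the radiotap header already stripped.

```python
import struct
from collections import defaultdict

# 802.11 management frame subtypes (frame type 0)
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

# A few standard 802.11 reason codes, so alerts read sensibly
REASON_CODES = {
    1: "unspecified reason",
    2: "previous authentication no longer valid",
    3: "deauthenticated because the sending STA is leaving",
    7: "class 3 frame received from nonassociated STA",
}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_header(frame: bytes):
    """Parse a raw 802.11 MAC header (no radiotap/PRISM header in front).

    Returns type, subtype and the three addresses, plus the reason code for
    deauth/disassoc frames; None if the bytes are too short or the protocol
    version is not 0.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if fc0 & 0x3 != 0:                      # protocol version must be 0
        return None
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    info = {
        "type": ftype,
        "subtype": subtype,
        "addr1": mac_str(frame[4:10]),      # receiver
        "addr2": mac_str(frame[10:16]),     # transmitter
        "bssid": mac_str(frame[16:22]),     # addr3 is the BSSID in management frames
    }
    if ftype == 0 and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(frames, window=2.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_80211_bytes).

    Flags any BSSID whose deauth/disassoc frames reach `threshold` inside any
    `window`-second span. A handful is normal (clients really do leave);
    dozens in a couple of seconds is the signature of forced re-authentication.
    """
    stamps = defaultdict(list)
    reasons = defaultdict(lambda: defaultdict(int))
    for ts, raw in frames:
        p = parse_80211_header(raw)
        if p and p["type"] == 0 and p["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            stamps[p["bssid"]].append(ts)
            reasons[p["bssid"]][p.get("reason", -1)] += 1

    alerts = []
    for bssid, times in stamps.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):         # sliding window over sorted timestamps
            while times[i] - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            top = max(reasons[bssid].items(), key=lambda kv: kv[1])[0]
            alerts.append({"bssid": bssid, "peak_frames": peak, "window_s": window,
                           "top_reason": top, "top_reason_text": REASON_CODES.get(top, "other")})
    return alerts


def build_mgmt_frame(subtype, da: bytes, sa: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Assemble a minimal management frame: FC, duration, addr1-3, seq ctrl, body."""
    frame_control = bytes([(subtype << 4) | (0 << 2), 0x00])
    return frame_control + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


# Constructed sample capture; the MAC addresses are hypothetical.
AP_TARGET = bytes.fromhex("001122334455")   # AP receiving a deauth burst
AP_QUIET = bytes.fromhex("00aabbccddee")    # AP with ordinary traffic
STA = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6


def sample_capture():
    frames = []
    for i in range(5):                      # beacons from both APs
        frames.append((i * 1.0, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_TARGET, AP_TARGET)))
        frames.append((i * 1.0 + 0.5, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_QUIET, AP_QUIET)))
    for i in range(64):                     # 64 broadcast deauths in about 1.3 s
        frames.append((1.0 + i * 0.02,
                       build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP_TARGET, AP_TARGET, struct.pack("<H", 7))))
    # one genuine "I'm leaving" deauth from a client of the quiet AP
    frames.append((10.0, build_mgmt_frame(SUBTYPE_DEAUTH, AP_QUIET, STA, AP_QUIET, struct.pack("<H", 3))))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

Run against the constructed capture it reports one alert, for the target BSSID with a peak of 64 frames in the 2-second window, and stays silent for the quiet AP whose single deauth is ordinary client behaviour. A wireless IDS does the same with a larger window and per-client counters; the durable fix is enabling Protected Management Frames on the AP, after which forged deauths are discarded by the clients.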

Here we have a client already connected. Let's open another terminal and type:

● aireplay-ng --deauth [no. of deauth packets] -a [BSSID] [interface]

…and we have our handshake!

Also, four files should show up in the directory you pointed airodump-ng at; this is where the handshake is saved when captured, so don’t delete them!

Crack the Password

Here is the fun part! Now that we have the encrypted password in our capture file WPAPSKCRACK-01.cap, we can run that file through aircrack-ng with a password file of our choice. I created a customized wordlist called wordlist.txt with crunch and will be using it to crack the encrypted password for mask. This wordlist is located on my desktop.

We'll now attempt to crack the password by opening another terminal and typing:

    ● aircrack-ng [captured packet file] -w [absolute path to our wordlist]

Cracking the password might take a long time depending on the size of the wordlist. Mine went very quickly. Remember that this type of attack is only as good as your wordlist.
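The remark that the attack is only as good as the wordlist follows directly from how WPA2-PSK derives its key, which is also why the passphrase was named as the weakness at the start: the pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes, and aircrack-ng tests each wordlist entry by recomputing it and checking the handshake's MIC. The following is an added example, not code from the article or from aircrack-ng. It derives the PMK, checks it against the IEEE 802.11i test vector, measures this interpreter's per-guess cost, and turns passphrase length and alphabet size into a time-to-exhaust budget. The SSID "mask" is the article's test network; the 1e6 guesses/s comparison figure is an assumed GPU rate, not a measurement.

```python
import hashlib
import math
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK Pairwise Master Key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The PTK and the handshake MICs are derived from this value, so a
    candidate passphrase is verified by recomputing it and checking the MIC.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years needed to try every passphrase of `bits` entropy."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def measure_guess_rate(ssid: str = "mask", candidates: int = 200) -> float:
    """Single-core PBKDF2 rate of this interpreter, in guesses per second.
    Because the SSID is the salt, a table precomputed for one SSID is useless
    against another; the per-guess cost is the part the defender controls.
    """
    start = time.perf_counter()
    for i in range(candidates):
        wpa2_pmk(f"candidate{i}", ssid)    # constructed candidates, not a wordlist
    return candidates / (time.perf_counter() - start)


def budget_report(length: int, alphabet_size: int, guesses_per_second: float) -> dict:
    """Summarise how long a passphrase policy survives at a given guess rate."""
    bits = passphrase_bits(length, alphabet_size)
    return {"bits": round(bits, 1), "years": years_to_exhaust(bits, guesses_per_second)}


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa2_pmk("password", "IEEE").hex())
    print(f"this machine: {measure_guess_rate():,.0f} guesses/s")
    ASSUMED_GPU_RATE = 1e6   # assumption for comparison, not a measured figure
    for length, alphabet, label in ((8, 26, "8 lowercase letters"),
                                    (8, 95, "8 printable ASCII"),
                                    (16, 95, "16 printable ASCII")):
        r = budget_report(length, alphabet, ASSUMED_GPU_RATE)
        print(f"{label}: {r['bits']} bits, {r['years']:.3g} years at {ASSUMED_GPU_RATE:.0e} guesses/s")
```

The budget is the number to act on: eight lowercase letters (about 37.6 bits) are exhausted in days at the assumed rate, and a dictionary word falls far sooner, while sixteen random printable characters (about 105 bits) are beyond any wordlist or brute-force run. The derivation itself cannot be hardened on WPA2, so passphrase entropy is the only lever the network owner has.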

Here we are:

Proof Of Concept

Let’s try to login with the password we found:

As you can see, we are connected.

Note the channel (11).

Now that we are in the network, we can take the exploit further, as far as attacking the connected systems.
