:: INDEX :
  • Introduction
  • > Overview
    > Terms & Definitions
    > The PMK
    > The 4-Way Handshake
    > The Dictionary attack
  • [ Step 1 ] : Configuring the network interface
  • [ Step 2 ] : Collecting the network info
  • [ Step 3 ] : Capturing data
  • [ Step 4 ] : Deauthenticating the client
  • [ Step 5 ] : Cracking the PMK

  • Introduction :
    This guide was created to demonstrate the encryption vulnerabilities of WPA (Wifi Protected Access).

    Breaking into a protected wireless network is illegal!
    The content and instructions contained herein are for educational purposes, only. I did not break the law when creating this example. All information in the screenshots is that of my own networks that I compromised for this demonstration. You may attempt the steps outlined at your own risk - on your own network. If you wish to hack an other wireless network you must get permission from the network owner.

    Unlike WEP which can always be broken, WPA is much more secure and cannot always be hacked.
    Whether or not a WPA key can be hacked ultimately depends on the type of protocol and the strength of the password/key.
    The protocol we will be focusing on in this guide is TKIP (Temporal Key Integrity Protocol) as CCMP is not vulnerable at this time.

    As demonstrated in our WEP article - WEP can always be hacked regardless of password strength due to a flaw in how clients associate / authenticate with the network.
    WPA is a rather different. The same association / authentication vulnerabilities to not apply to WPA and a hacker will only be able to determine the password if 2 conditions are met :
    	(1) They have captured a valid 4-way handshake.
    	(2) They have the password stored in a word-list.
    This guide will explain how all of this takes place and outline the steps involved in a successful hack.
    [Intro] - Overview :
    In this scenario we are targetting a WPA PSK encrypted network that has at least 1 client connected.
    This process is the very same for both WPA and WPA2. There are no differences in terms of breaking the key.
    If there are no clients connected - this will not work. This attack relies on capturing a 4-way handshake from an authenticated client.

    In this scenario we are making 3 assumptions :
    	(1) You've got Backtrack running properly.
    	(2) The target network is using WPA TKIP-PSK.
    	(3) There is a client connected to the Access point.

    The lesson to be learned from this demonstration is that although WPA & WPA2 are a much better choice than WEP - they are still vulnerable if you use a weak password. You should not use a password that would exist in a dictionary or word-list.
    Instead you should use a password consisting of both letters AND numbers.
    [Intro] - Terms & Definitions :
    There are a few terms used throughout this guide that are important to know when beginning the processes.

    Aircrack-ng
    MAC Address
    Access Point
    BSSID
    ESSID
    Channel
    Network Interface
    Client / Station
    Capture
    4 Way Handshake
    PMK
    PTK
    TKIP
    PSK
    Word List
    Salt
    Hash

    A set of tools included with Backtrack. Includes aircrack, airodump, aireplay, airdecap, airolib.
    A unique combination of letters/numbers assigned as a "permanent" identifier to network hardware.
    The technical term for the "Router" or "Gateway". Also referred to as a "WAP".
    The MAC Address of the Access Point.
    The Broadcast name of the Access Point.
    The frequency at which data is being broadcast.
    The device used to send/receive data.   Example : wlan0 or mon0 .
    A computer/device connected/associated to an Access point.
    The process/data that is collected when monitoring an Access point with Airodump.
    The process/data exchanged between the client and Access Point during authentication.
    Pairwise Master Key. An encrypted version of the password / key.
    Pairwise Transient Key. An encrypted version of the PMK used during the 4-way Handshake.
    Temporal Key Integrity Protocol. A type of protocol / cipher used in WPA encryption.
    Pre-Shared Key. The type of WPA password / key used with TKIP.
    A file containing a list of words (potential passwords).
    The ESSID of the Access Point. Combined with the PSK to create the PMK.
    An encrypted password.   Example : The PMK.

    - Throughout this guide the terms Client and Station will be used interchangeably as they refer to the same thing.
    - The terms Password, Key, and PSK will also be used interchangeably as they too mean the same thing.
    [Intro] - The PMK :
    When a WPA key / password is created by the user - it is encrypted using both the password (PSK) AND the name of the wireless network (ESSID). This creates something called a PMK (Pairwise Master Key).
    Much like a standard MD5 encryption - the creation of the PMK is a 1-way encryption meaning that you can generate a PMK with a network name & password however the resulting PMK cannot be decrypted to determine the original network name & password.
    This PMK is used to encrypt all traffic on the wireless network and only the devices that have the PMK will be able to decrypt it.
    The PMK itself is never sent between the clients and access point but is used after successful authentication to encrypt the traffic between them.
    During creation of the PSK - the password / key is salted (combined) with the name of wireless network (ESSID) to ensure that each PMK is unique - even among networks that use the same password.
    [Intro] - The 4-Way Handshake :
    Connecting to a WPA network (associating & authenticating) involves a process called a 4-way handshake.
    The specifics of this process are a bit complicated and are not necessary for the purpose of this guide.
    What is important to note is that the handshake is performed using an encrypted version of the PMK called the PTK (Pairwise Transient Key).
    Most of this process is performed using 1-way encryptions and there are no known vulnerabilities to extract the original passwords from the encrypted hashes.

    Although we cannot attack the encryption itself - we can still determine the password by capturing the 4-way handshake and performing a dictionary attack on the captured PTK/PMK.

    To capture a 4 way handshake - the wireless network must have at least 1 client connected. If there are no clients on the network then no handshakes will occur.
    As long as there is at least 1 client connected then you can send a "Deauth" packet to kick them off the network - causing their device to re-associate / re-authenticate and a handshake to occur.
    [Intro] - The Dictionary attack :
    WPA Passwords are case-sensitive and require a minimum of 8 characters so you can assume the password is at least 8 characters long.

    A dictionary attack works by taking a list of words and encrypting them one at a time using the same cipher as the target (WPA TKIP).
    Since a PMK is created using the name of the wireless network (ESSID) as well as the password - the ESSID is combined with each word in your word list as they are encrypted.
    The result is a PMK generated for each word in the list which can then be compared to the captured PMK to determine if it matches.
    If your word list contains the target's password - then there will be a PMK generated that matches the captured PMK.
    If the password does not exist in your word list then you will not produce a matching PMK and will not find the password.


    Please refer to the this image for a visual representation of the process.

    Note that the information in the picture has been simplified a bit to help grasp the process.

    The PMK itself is not actually transmitted between the client and access point.
    Instead it sends a PTK - data encrypted using the PMK.

    The process is still the same as depicted in the image.






    [Step 1] - Configuring the network interface :
    - When executing commands in the terminal it is necessary to declare which network interface you would like to use.
    - You can retrieve a list of available interfaces by entering the iwconfig command with no parameters.
      The Interface names will be listed in the left column.
    - Your wireless interface will be identified as an "IEEE 802.11" device.

    possible examples : wlan0 , wlan1 or rausb0 .

    - In this example, all we have to do to configure our interface is set it to "monitor mode".
      This can be done with a single command :

    Syntax:
  • iwconfig [Interface] mode monitor

  • Parameters:
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).
    mode monitor Sets the network interface to monitor mode.

    Example:
  • iwconfig wlan0 mode monitor


  • - If you receive an error stating that the device is busy then you will have to turn it off first using the ifconfig command.
      If so, you will also have to turn the device back on again after setting it to monitor mode.

    Syntax:
  • ifconfig [Interface] down
  • ifconfig [Interface] up


  • - If you are unable to put your device into monitor mode using the iwconfig command - you can also try using the airmon-ng command.
    - Using airmon-ng will usually create a new device / interface to monitor traffic with. It's often named mon0.
    - In most cases iwconfig works just fine and it doesn't create any additional interfaces but airmon-ng will usually work when iwconfig does not.

    Syntax:
  • airmon-ng start [Interface]

  • Example:
  • airmon-ng start wlan0




  • [Step 2] - Collecting the network info :
    - To perform the attack we must first gather a bit of information about the network.
      Everything we need can be collected using the airodump-ng command.

    - The required information includes:
  • The BSSID   (MAC Address of the target Access Point).
  • The ESSID   (Name of the Access Point).
  • The MAC Address of any associated clients / stations.
  • The Channel that the Access Point is broadcasting on.

  • - After collecting the necessary information - you can terminate the airodump command by pressing Ctrl+C on the keyboard.
    - As you'll see in the see in the image below - Our selected target is using WPA TKIP PSK which is vulnerable to our attack.


    Syntax:
  • airodump-ng [Interface]

  • Parameters:
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

    Example:
  • airodump-ng wlan0



  • [Step 3] - Capturing data :
    - Now that we have the required information - we can lock in on the Access Point and start capturing data.
    - This step also uses the airodump-ng command however we will add some parameters so that it saves traffic to a file.
    - The first parameter to specify is the channel. This is done with the -c [Channel] parameter.
    - The next parameter to specify is the output filename. This is done with the -w [Filename] parameter.
    - This will display the same output as it did before but will be focused on a specified channel and will also save any traffic to our capture file.
    - The capture file automatically appends a number to the filename as well as a .cap extension. Example: mycapture-01.cap
    - This command should be kept running in the background while you complete the next steps. Do not terminate it.

    Syntax:
  • airodump-ng -c [Channel] -w [Filename] [Interface]

  • Parameters:
    -c The channel the Access Point is broadcasting on.
    -w The output filename to write to (saves as .cap).
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

    Example:
  • airodump-ng -c 6 -w mycapture wlan0



  • [Step 4] - Deauthenticating the client :
    - With your airodump-ng command still monitoring / capturing - we will now open another terminal window to continue the process.
    - To stimulate a 4-way handshake we will issue a deauthentication packet to one of the connected clients / stations.
      This will cause the targetted client to reconnect automatically and establish another 4-way handshake.
    - You can tell if a handshake has been captured by looking in the upper-right corner of your airodump terminal.
      It will show " WPA handshake : [BSSID] " in the top line.
    - If deauthenticating a particular client does not yeild a handshake then you can try deauthenticating another client.
    - You can also send a deauth packet to all clients by excluding the client parameter (-c) however it's best to specify one.
    - You shouldn't have to send any more than 3-5 deauth packets at a time. Too many could prevent the client from reconnecting.

    Syntax:
  • aireplay-ng -0 [Number of Packets] -a [BSSID] -c [STATION MAC] [Interface]

  • Parameters:
    -0 "Deauthentication" attack mode.
    [Number of Packets] The number of deauth packets to send.
    -a BSSID (MAC Address) of target network.
    -c MAC Address of client.
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

    Example:
  • aireplay-ng -0 4 -a 6A:1C:A2:00:A1:3E -c 00:22:43:84:E4:D1 wlan0




  • [Step 5] - Cracking the PMK :
    - With our 4-way handshake captured we can now use aircrack-ng to try to generate a matching PMK.
    - We can also terminate our airodump command (Ctrl+C).
    - This command requires 3 parameters : -e [ESSID],  -w [Word list] ,  and the Capture file.
    - BackTrack 5 includes some word lists in the  /pentest/passwords/wordlists  folder.
    - You can drag a word-list file into the terminal window instead of typing the name.
    - Instead of specifying an exact number in the filename we will use a wildcard * (asterisk) to read all of our .cap files.
      This is useful if you've ran airodump more than once resulting in multiple .cap files.

    Syntax:
  • aircrack-ng -e [ESSID] -w [Word list] [Filename]

  • Parameters:
    -e ESSID (name) of target network.
    -w Path / Filename of word list.
    [Filename] The output file name created with the airodump-ng command (.cap) .

    Example:
  • aircrack-ng -e homenetwork -w mywordlist.txt mycapture*.cap


  • - Depending on the power of your computer and size of your word-list - this could take a while.
    - If the original PSK is not in the word-list then it will not be found and a bigger word-list may be necessary.
    - In this example - my computer took 4 minutes to process 295,044 keys before finding the correct PSK.
    - I used the 'darkc0de.lst' word-list that is included with Backtrack.
    - The recovered password / key is "alliance".



    Copyright 2015 QuickFix PEI