As WEP has been deprecated since early 2001, WPA was introduced as an industry standard, which used TKIP for encryption of data. Later, WPA2 became an industry standard since it introduced AES encryption, which is more powerful than TKIP; however, it also supports TKIP encryption. The WPA/WPA2 key that we use to authenticate on a wireless network is used to generate another unique key. Five additional parameters are combined with our key to generate this unique key: the SSID of the network, the authenticator nonce (ANonce), the supplicant nonce (SNonce), the authenticator MAC address (access point MAC), and the supplicant MAC address (Wi-Fi client MAC).
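As an added Python illustration (not part of the original text), the block below performs the key derivation just described: the PMK from the passphrase and SSID, then the per-session PTK from the two MAC addresses and two nonces. The MAC addresses are the ones quoted on this page; the passphrase and nonces are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; the two MAC addresses are the ones quoted on this page.
AP_MAC = bytes.fromhex("F43E619268D7")      # authenticator (access point) MAC
CLIENT_MAC = bytes.fromhex("9439E5EA8531")  # supplicant (Wi-Fi client) MAC
ANONCE = bytes(range(32))                   # constructed authenticator nonce
SNONCE = bytes(range(32, 64))               # constructed supplicant nonce

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds,
    256-bit output. Salting with the SSID is why a PMK/rainbow table built for
    one network name is useless against a network with a different SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 64) -> bytes:
    """Pairwise Transient Key for one association, from the PMK plus both MACs and
    both nonces. Min/max ordering makes the result independent of which side is
    listed first. 64 bytes is PRF-512 (TKIP); CCMP uses PRF-384 (48 bytes)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def key_sensitivity(passphrase: str, ssid: str) -> dict:
    """Show how each input matters: a different SSID changes the PMK, a fresh
    SNonce changes the PTK, and swapping the two sides' order does not."""
    pmk = derive_pmk(passphrase, ssid)
    ptk = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return {
        "pmk_changes_with_ssid": derive_pmk(passphrase, ssid + "2") != pmk,
        "ptk_changes_with_snonce": derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, bytes(32)) != ptk,
        "ptk_same_either_order": derive_ptk(pmk, CLIENT_MAC, AP_MAC, SNONCE, ANONCE) == ptk,
    }
```

The 4096-round PBKDF2 is the only cost a dictionary attack has to pay per guess, which is why passphrase strength, not the protocol, decides how long a PSK survives a wordlist.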
From a hacker’s perspective, we can use a brute force attack, a dictionary attack, or rainbow tables to crack a WPA/WPA2 network. Obviously, a dictionary attack is much less time consuming than the other attacks; therefore it should be your first preference. The success rate of this attack depends upon the wordlist you use. Another requirement for this attack to work is the four-way handshake, which takes place between a client and an access point, and which we will capture using a deauthentication attack.
Let’s see how we can use aircrack-ng to crack a WPA/WPA2 network:
Step 1—First of all, ensure that your network card is in monitor mode.
Step 2—Next, we listen on the mon0 interface for access points having encryption set to either WPA or WPA2. We use the “airodump-ng mon0” command to do it.

Our target AP would be Shaxter, which uses WPA as its encryption type. We will take note of its BSSID and the channel that it’s on; this information will be useful in the upcoming steps.
BSSID: F4:3E:61:92:68:D7
Channel: 6
CAPTURING PACKETS
Step 3—Next, we need to save the data associated with our access point to a specific file. The inputs we need to specify are the channel, the BSSID, and the name of the file to write to.
Command:
airodump-ng -c 6 -w rhawap --bssid F4:3E:61:92:68:D7 mon0
-w—File to write
-c—Channel (the target AP is on channel 6, as noted above)
--bssid—BSSID of the target access point

CAPTURING THE FOUR-WAY HANDSHAKE
Step 4—In order to successfully crack WPA, we need to capture the four-way handshake. As mentioned, to achieve this we can use a deauthentication attack to force clients to disconnect and reconnect to the access point.
STRUCTURE
aireplay-ng --deauth 10 -a <Target AP BSSID> -c <Client MAC address> mon0
Command:
aireplay-ng --deauth 10 -a F4:3E:61:92:68:D7 -c 94:39:E5:EA:85:31 mon0

After we have successfully performed a deauthentication attack, we will be able to capture the four-way handshake.

CRACKING WPA/WPA2
Now that we have all the inputs required for cracking the WPA/WPA2 PSK, we will use aircrack-ng and specify a wordlist to be used against the rhawap.cap file that was generated earlier.
Remember that in order for us to successfully crack the WPA/WPA2 PSK, we need to make sure that our file contains the four-way handshake.
STRUCTURE
aircrack-ng -w <Wordlist> <capture_file>.cap
Command:
aircrack-ng rhawap.cap -w /pentest/passwords/wordlists/darkc0de.lst

So, this will now start the dictionary attack against the rhawap.cap file, and if the key is found, it will be revealed to us as shown above.