
Thursday, December 19, 2013

WPA / WPA2 Handshake Cracking WITH Dictionary using Aircrack-ng | How To | Wireless Hacking

Written by Pranshu Bajpai | LinkedIn

If you are planning to hack your nearest WPA/WPA2 network (with No WPS), I have two words for you: Good. Luck.

In all my experiments with penetration testing, I have found dictionary attacks on WPA/WPA2 handshakes to be the most annoying and futile exercises. This is because:
  • going through each word in a dictionary file containing millions of words is time-consuming.
  • success is not guaranteed (the passphrase may not be present in your dictionary).
During my experiments in India, the WiFi passphrases were usually a combination of Hindi and English words, or a Hindu name, which are of course not present in any dictionary I download, no matter how exhaustive it promises to be.

If you are still brave enough to try a dictionary attack on WPA handshake, here's the procedure.

UPDATE: I have also posted a video on how to capture and crack a WPA handshake on my YouTube channel.



How to launch a Dictionary Attack on WPA Handshake

You might get lucky and your nearest WiFi password may be based on a common dictionary word or number sequence. In such a case, you may succeed with a dictionary attack.

Step 1: Enable monitor mode on the wireless interface
#airmon-ng start wlan0
This starts monitor mode; note the name of the monitor interface it creates (mon0 in the commands below).

Step 2: Take note of the nearest WiFi networks.
#airodump-ng mon0
Step 3: Take note of the channel of your target network, dump packets from that channel and save them to a local capture file.
#airodump-ng -c6 mon0 -w capture_file
Step 4: Wait for WPA handshake capture

At this point, you can use 'aireplay-ng' to de-authenticate an associated legitimate client from the network. The point is that the client will re-authenticate shortly afterwards, so we capture the handshake without having to wait too long:
#aireplay-ng --deauth 0 -a <AP_MAC> -c <CLIENT_MAC> mon0
If you don't know the MAC of any associated client, simply 'broadcast' a 'deauth' to all clients:
#aireplay-ng --deauth 0 -a <AP_MAC> mon0
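The deauthentication step above is also the part of this procedure that a network owner can spot most easily. As an added example (not code from the post or from the aircrack-ng suite), the script below builds a small constructed pcap of raw 802.11 frames and flags any BSSID that sees a burst of deauthentication frames within a short window; one deauth is normal (a client leaving), dozens per second from one BSSID is what a deauth burst looks like on the air. MAC addresses, timestamps and the threshold are constructed values.

```python
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105   # pcap link type: raw 802.11 frames, no radiotap header
DEAUTH_FC0 = 0xC0           # frame-control byte 0: type 0 (management), subtype 12 (deauthentication)
BROADCAST = b"\xff" * 6

def deauth_frame(dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Management header (FC, duration, addr1=dst, addr2=src, addr3=bssid, seq ctl) plus a 2-byte reason code."""
    return struct.pack("<BBH", DEAUTH_FC0, 0, 0) + dst + src + bssid + struct.pack("<HH", 0, reason)

def pcap_bytes(frames) -> bytes:
    """Wrap (timestamp, frame) pairs in a classic little-endian pcap file with link type 105."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1_000_000), len(frame), len(frame)) + frame
    return out

def deauth_events(pcap: bytes):
    """Yield (timestamp, bssid, destination) for every deauthentication frame in the capture."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap containing raw 802.11 frames")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) >= 26 and frame[0] == DEAUTH_FC0:
            yield sec + usec / 1e6, frame[16:22], frame[4:10]

def deauth_floods(pcap: bytes, window: float = 1.0, threshold: int = 10) -> dict:
    """BSSID -> peak number of deauth frames within any `window` seconds, for BSSIDs reaching `threshold`."""
    per_bssid = defaultdict(list)
    for ts, bssid, _ in deauth_events(pcap):
        per_bssid[bssid].append(ts)
    floods = {}
    for bssid, times in per_bssid.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            floods[bssid.hex(":")] = peak
    return floods

# Constructed sample: AP_A receives 30 broadcast deauths in 0.3 s; AP_B sees one ordinary client deauth.
AP_A, AP_B, STA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes.fromhex("deadbeef0001")
SAMPLE_PCAP = pcap_bytes([(1.0 + i * 0.01, deauth_frame(BROADCAST, AP_A, AP_A)) for i in range(30)]
                         + [(5.0, deauth_frame(STA, AP_B, AP_B, reason=3))])
```

Point it at a real capture by reading the file bytes into deauth_floods; for a capture with radiotap headers (the usual airodump-ng output) the radiotap header would have to be skipped first.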


Step 5: After you grab a WPA handshake comes the hard part of brute forcing using a dictionary. Use 'aircrack-ng' for this:
#aircrack-ng capture_file-01.cap -w /media/Pranshu/...../dic/dark0de.lst



Now say your prayers and hope the passphrase is present in the dictionary you chose.



You can also use an online distributed WPA/WPA2 handshake-cracking service on this website:

Note that if the access point has WPS enabled, it becomes easier to recover the WPA / WPA2 passphrase: an implementation flaw lets the WPS PIN be verified in two halves, so only about 11,000 combinations are needed to brute-force it.

Disclaimer: This is for experimentation or authorized penetration testing purposes only.

Wednesday, December 11, 2013

Hacking Neighbour's Wifi (Password) | Hacking Neighbor's Wireless (Internet) | Step by Step How To

Written by Pranshu Bajpai | LinkedIn

Disclaimer: For educational purposes only: This is meant merely to exhibit the dangers of using Poor wireless security. Please note that prior to beginning the test you should seek explicit consent from the owner if the access point does not belong to you.

Hacking into a Neighbor's Wifi access point

OS: Kali Linux
Test Subject: Neighbor's WiFi Access Point
Encryption: WEP

I noticed 4 wireless Access Points in the vicinity. 3 of these were using WPA / WPA2 and I was in no mood for a dictionary attack on WPA handshake, since it takes a long time and success isn't guaranteed. I found one access point using WEP Security and as you know it is an outdated protocol with poor security.

I tested penetrating this WEP access point using the same Aircrack-ng Suite of tools as I have mentioned in this previous post.

Step 1: Discovered the WEP AP with SSID 'dlink' (notice the weak signal power from the neighbor's house to mine)




Step 2: Collected the required number of data packets from the WEP network. Meanwhile, I used 'aireplay-ng --arpreplay' to increase the data rate, since I am not a patient soul.



Step 3: Saved the data packets in a file called 'neighbor-01.cap' and cracked the password using 'Aircrack-ng'


The key for the neighbor's WiFi turned out to be: "1234567890" (an easily guessable password, just what I expected from someone using WEP security in 2014)

Step 4: I connected to the WiFi using the decrypted key, and it allocated an IP to me via DHCP (192.168.0.102)



Note: If you want a better step by step on how to hack a WiFi, check out my previous post here.

Step 5: I was connected to the Internet.

Step 6: Since I was part of their network now, curiosity got the better of me and I decided to scan the network and see who else was connected. I found 3 devices in the network:
  • one was my laptop;
  • another was my cellphone (I had connected my cellphone to the network earlier);
  • the third was the Dlink router itself (192.168.0.1).
None of the neighbor's own devices were connected to the network at the time.

nmap told me that the dlink router had an open port 80, which reminded me to check out the control panel of this dlink device.

Step 7: So I fired up my browser and went to '192.168.0.1:80', which opened the login page of the dlink access point's control panel



Step 8: A quick Google search revealed that the default login credentials on dlink devices are:
username: 'admin' and password: blank
Step 9: I tried logging in with the defaults and got access to the control panel.




(Again BAD security practice: leaving defaults unchanged!)




Step 10: I was getting weak power from the AP and decided to upgrade their firmware and see if it made a difference.

The Current firmware of the neighbor's wifi was '5.10'

I checked for latest Firmware available. It was '5.13'



I downloaded the upgrade on my machine ("DIR********.bin")

Step 11: I made a backup of the configuration of the Access point before upgrading. I saved backup 'config.bin' to my laptop from the neighbor's wifi

Step 12: I went ahead and upgraded the Firmware. I uploaded the DIR****.bin from my laptop to the access point and it went for a reboot.



I lost access to the WiFi after the upgrade.

I figured the new upgraded firmware changed the Password for the WiFi now and I couldn't connect to it anymore. Moreover, since I lost access to the Internet now along with the WiFi, I couldn't Google the default password for the upgraded firmware anymore.

And I couldn't crack it either, because this time no one--not even the neighbor himself--would be able to authenticate to the WiFi with the new unknown password after the firmware upgrade; hence no data packets would be generated and I would have nothing to crack.

Step 13: I fired up 'Airodump-ng' again and noticed that the firmware upgrade had simply changed the access point security to "open", i.e., no password is required to connect to it.

Step 14: I connected to the "open" WiFi and restored the configuration settings using the 'config.bin' backup I made earlier.

I manually selected WPA2 security and provided the same password as used earlier by my neighbor ("1234567890")

Disclaimer: Please note that I had explicit consent from the owner before commencing this test. If you do not have such permission, please try it on your own access point. Failing to do so will result in illicit activities.


Thursday, May 16, 2013

How To Hack Wifi and Crack its Password | Hacking Wifi | WEP + WPA

Written by: Pranshu Bajpai | Find Pranshu on Google+ and LinkedIn

I recently traveled to Delhi in order to collaborate with an information security firm there.

The place that I rented for my short stay demanded an extra amount if I wanted to access the Internet. That didn't go down with me too well. They were using WEP, WPA and WPA2 security in the different WiFi HotSpots that they were running.

WEP Cracking

No doubt, WEP is the easiest to crack.

Here's how to crack WEP:
#airmon-ng start wlan0

Notice that the monitor mode is enabled on mon1; take note of this. We will need this interface later on.

Start dumping data packets with airodump:

#airodump-ng mon1



You'll see all the WiFi hotspots available in your area. Here we see different security types: WEP, WPA and WPA2. As WEP is the easiest to crack, choose one with WEP security.

Also, it is important to note other information here as that will determine how easily you get into the WiFi:
  • The BSSID is the MAC address of the Wifi hotspot.
  • Pwr tells you about the signal strength.
  • Beacon signals are sent by the hotspot to indicate its presence.
  • Data is the actual packets that we are interested in. The more data packets we have, the more certain we are to crack the hotspot.
  • CH tells you the channel being used by the hotspot.
Here I am testing something called 'BIPL'.

So I use airodump to focus on dumping packets from this particular BSSID and store them in a file:
#airodump-ng -w wap -c 8 --bssid 14:D6:4D:A6:F6:69 mon1
-w specifies the file to write to, -c specifies the channel and you know what --bssid is for

Now packet capture starts, and we play the waiting game. Wait to collect enough packets before trying to crack the password. Usually, we wait till we grab around 20000 packets.

How long this takes depends on the traffic flow on that BSSID and your distance from the BSSID.

If it is taking too long to grab the required number of packets, then you can use something called aireplay:
#aireplay-ng -3 -b 14:D6:4D:A6:F6:69 -h 00:11:22:33:44:55 mon1
-3 selects the ARP request replay attack (aireplay-ng needs an attack mode; this is the same mode as '--arpreplay')
-b option is to specify the bssid
-h is to specify your hardware address

aireplay-ng will start generating bogus traffic, so that you can grab enough data packets fast.



Now that we have enough data packets (42445), we can start cracking the password.

#aircrack-ng wap-02.cap
This cap file is where we saved the captured packets:


After a while Aircrack-ng will give you the cracked password:




It turns out, the password is someone's cell phone number. I traced its location and it's based in Delhi. A bad practice to use personal information as password.

  
WPA Cracking

A detailed article on WPA / WPA2 cracking is here

WPA cracking can be a bit more uncertain and complicated.

One thing to remember while WPA cracking is that you need to grab the WPA handshake. Use airodump to dump packets from the target WPA network (just like in WEP) but wait until you see 'Captured WPA Handshake' (or something close to that) in the top right corner.

Then stop the packet capture.

Load up aircrack-ng and provide it the .cap file where the handshake is located (saved by airodump previously).

Also provide a wordlist to aircrack-ng. Remember this is a 'dictionary based' attack:

#aircrack-ng blah_blah.cap -w /root/dic/darkc0de.lst
Aircrack will try passwords from the dictionary file against the .cap file. This might take a long time to crack and success depends on the kind of dictionary file you are using and how strong the password is.
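Both this post and the December 2013 post above say that dictionary attacks on WPA are slow; the reason is the key derivation every candidate has to go through before it can be checked against the handshake. As an added example (not code from the post or from aircrack-ng), the script below derives the WPA/WPA2-PSK PMK the way a supplicant does and times how many wordlist entries a single core can process. The wordlist is constructed, and the known-answer check uses the IEEE 802.11 test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by the WPA-PSK specification (IEEE 802.11i)

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Every wordlist entry must go through this before the captured handshake can even be checked against it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), PBKDF2_ROUNDS, dklen=32)

def candidates_per_second(ssid: str, wordlist, seconds: float = 0.5) -> float:
    """Rough single-core rate: how many wordlist entries this machine turns into PMKs per second."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk(wordlist[n % len(wordlist)], ssid)
        n += 1
    return n / (time.perf_counter() - start)

def hours_for_wordlist(entries: int, rate: float) -> float:
    """Worst-case time to exhaust a wordlist of `entries` candidates at `rate` candidates per second."""
    return entries / rate / 3600

# Constructed wordlist sample; "1234567890" is the kind of key the other posts on this page recovered.
SAMPLE_WORDLIST = ["password", "1234567890", "letmein1", "wireless"]

if __name__ == "__main__":
    # Known-answer check from the IEEE 802.11 PSK test vectors: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID gives a different PMK: the SSID is a salt, so precomputed
    # PMK tables only help against common SSIDs.
    print(wpa_pmk("password", "IEEE") == wpa_pmk("password", "dlink"))
    rate = candidates_per_second("dlink", SAMPLE_WORDLIST)
    print(f"~{rate:,.0f} candidates/s; a 10-million-entry list takes up to "
          f"{hours_for_wordlist(10_000_000, rate):.1f} h on this core")
```

A long random passphrase and a non-default SSID (so no precomputed PMK table applies) are what push this per-candidate cost beyond any wordlist an attacker can afford to run.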




Another tool called 'Reaver' can be used for WPA cracking, if WPS is enabled.

Here's the sample use of reaver:
#reaver -i mon1 -a 94:D7:23:48:BE:78 -vv -c8

  • -i is for interface
  • -a specifies the BSSID of the hotspot (94:D7:23:48:BE:78 here)
  • -vv for verbose mode
  • -c to specify the channel

For details on WPA / WPA2 Cracking, Check out this article

Disclaimer: This post is merely to demonstrate the inherent risks involved in using outdated WiFi security. This test was done under simulated conditions and does not endorse public or private WiFi hacking.