One of the most popular hacking requests, besides “how to hack facebook”, is how to gain access to protected WiFi networks. Many years ago, this was an easy task, as most access points were protected by WEP, a now outdated security standard that was very easy to hack into. Today’s routers all implement the WPA2 standard, which in general is secure, but also shares a weakness that most security algorithms have: short, easy-to-guess passwords.
There are two variants of WPA: WPA-PSK (also called WPA-Personal) and WPA-802.1X (called WPA Enterprise). The difference is: WPA-PSK uses a passphrase that you need to enter, WPA-Enterprise needs an authentication server and often uses username/password combination to connect. This blog post affects WPA-PSK networks and will be extracting the password of a WiFi network. If you are not interested in the technical details, you can skip the next section and continue with “Installing the tools”.
I will not go into detail for this blog post, so if you are interested in all the specifics of the attack, you can look at the reference at the end of this post.
The vulnerable part that I am going to exploit is the 4-way authentication handshake. When you connect to a WiFi network, the client and the access point need to authenticate to each other and agree on keys to encrypt the traffic between your device and the router. During the handshake, the pre-shared key is transmitted in a hashed format. This is the hash I want to capture, so that I can bruteforce the password. So, there are two steps in this attack:
- Capture the handshake (and the password hash)
- Crack the password
The second step is straightforward, but the first is not that easy. Not only do you have to monitor the environment with a compatible WiFi card, you also have to wait for devices to connect, as the handshake only occurs when a device connects to the network. If you do not want to wait, there is one nifty trick called deauthentication attack. Basically, you as an attacker impersonate the router and send a message to a connected victim, telling them that they were disconnected from the network. The client then reconnects to the access point, doing the 4-way handshake. You can do this with any network (open or protected, you only need to know the MAC address of the victim (which is regularly transmitted by the client to nearby networks).
The technical details of the handshake are not important for the attack, but if you are curious, head over to KaliTutorials.net.
Installing the tools
For most network hacking procedures, you need a compatible wifi card and the appropriate tools. I will be using the popular aircrack-ng suite, a collection of console applications that can be used for a number of use cases. You can find a lot of tutorials on the Internet about how to use install it, so I won’t go into details here.
If you want to follow along, download aircrack-ng and the following capture file, retrieved from the aircrack-ng documentation:
If you know Docker, there is an image that you can use if you do not want to install any packages:
docker pull frapsoft/aircrack-ng
We also need a password dictionary for our bruteforce attack. There are a lot available on the internet, but for our experiment you should use the following:
For now, you can put everything inside a new folder where we will be working with the tools. I will give an explanation of the files in the next section.
Crack the pre-shared key
Make sure that the password and capture files are in the same folder. Run a terminal inside the folder and enter:
aircrack-ng -w 20000.txt wpa.full.cap
If you are using the docker image, you can run the following command:
docker run -v $(pwd):/root frapsoft/aircrack-ng -w /root/20000.txt /root/wpa.full.cap
The output should look like this:
Read 15 packets.
# BSSID ESSID Encryption
1 00:14:6C:7E:40:80 teddy WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait…
You can see that the capture file contains data about a WiFi named “teddy”, including a handshake. This handshake is going to be checked against the wordlist. Next, an updating screen is shown:
Aircrack-ng 1.2 beta3
[00:00:01] 2612 keys tested (1919.10 k/s)
Current passphrase: 21232123
Master Key : 2A CD 56 B5 74 28 69 B8 C7 A8 D3 7F 9B EA 5A 26
6F 5B D3 E3 24 6A C8 35 3D D8 2C E8 87 A9 F0 1E
Transient Key : 49 41 16 2F 97 E0 C8 74 2B 58 3A 5C FE 1F 90 71
E2 0C 74 E4 9A 0F C3 0E 22 52 0D 4B 42 BA C7 52
C0 77 C2 C6 96 98 6C 6A BD 35 30 EB C2 56 7F 73
0A 6B 32 83 FF A3 BD 63 AF F2 3D A0 9B E4 0E 08
EAPOL HMAC : 12 98 FC B4 35 3C 2E E7 D6 07 40 35 36 5C 04 D7
Depending on your machine, this may take a few seconds or minutes. At the end, you get:
Aircrack-ng 1.2 beta3
[00:00:01] 3392 keys tested (1939.20 k/s)
KEY FOUND! [ 44445555 ]
There you have the pre-shared key that you can use to join the protected network! As you can see above, it took only a second to crack the password. Of course this was easy because the key is not complex. But the experience shows that a lot of protected WiFi hotspots have only basic access passwords. Therefore, only a long and random password is the best protection. My recommendation: it depends on how many (new) users you have. If you are the only one using the network, you only need to enter the monstrous 64 characters once. If you have friends coming over or operate a public hotspot, 16+ characters are good to go and still safe.
Achilleas Tsitroulis, Dimitris Lampoudis, and Emmanuel Tsekleves. 2014. Exposing WPA2 security protocol vulnerabilities. Int. J. Inf. Comput. Secur. 6, 1 (March 2014), 93-107. DOI=http://dx.doi.org/10.1504/IJICS.2014.059797