Hacking WPA/WPA-2 WPS Using Reaver
WPS (Wi-Fi Protected Setup), which was introduced to complement WPA, is designed to be easy to configure but hard to crack. However, it has a well-known security hole that tools such as Reaver can exploit with minimal effort on your part. Note that the hack can still take hours to succeed, but as you will discover later in the hour, it is a far preferable technique to brute force.
10.1.1 Information Gathering
Before you can use Reaver on Kali Linux to hack a WPA/WPA-2 protected wireless network, you first need to know whether WPS is enabled; this attack will not work if it is not. You will also need the BSSID of the network, so it is best not to attempt this exercise on a hidden network.
Step 1: Start VMware, load the Kali Linux OS in the virtual machine and log into your root account.
Step 2: Set the wireless interface to monitor mode with the following command (wlan0 is the usual name of the first wireless interface; substitute yours if it differs):
airmon-ng start wlan0
This command reveals the adapter's interface, chipset and driver and enables monitor mode, as in the screenshot below. Older versions of airmon-ng create a monitor interface named mon0, which the commands in this section use; newer releases name it wlan0mon, the name used in section 10.2.
Step 3: Use the wash command to find networks with WPS enabled. Although wash is the easier way to detect WPS, it sometimes misses networks that do have WPS enabled; the good news is that any network it does list has WPS enabled. Here is the command:
wash -i mon0
The output includes a column with each network's BSSID.
Step 4: Use airodump-ng to list all the networks around you and see which ones use WPA. The command is:
airodump-ng mon0
Step 5: Write down or copy the BSSID of the target network in the format XX:XX:XX:XX:XX:XX. This is what we need to hack the network using Reaver.
10.1.2 Hacking the Wireless Network
Step 6: Start Reaver in the terminal and begin the hack using the following command:
root@kali:~# reaver -i mon0 -b [BSSID]
Replace [BSSID] with the BSSID you copied in the previous step. In the command, -i is the interface to use, which is the monitor-mode interface created with airmon-ng earlier, and -b specifies the BSSID of the target network.
That is all you need to do to initiate the hack. Depending on how secure the network is, the process may be over in a few minutes, or it might take hours. Be patient and let Reaver do its thing.
When the hack is complete, Reaver will present you with the password of the network in the message:
WPA PSK: [password]
If yours did not work as expected, read on to troubleshoot.
10.1.3 Known Issues with Reaver
1. It is not uncommon for Reaver to keep switching interfaces forever rather than carrying out the actual scan. If yours does this, turn the wireless adapter off and back on, then attempt the hack again.
2. Errors such as “Something went wrong with the wireless card,” “AP does not use WPS,” “You are too far from the AP,” and “AP is choosy, does not let you associate” are self-explanatory and have possible workarounds.
3. If you are using the version of Reaver that came bundled with your version of Kali Linux and it does not work, try updating it first. A newer version of libpcap may also solve the problem.
4. Reaver may not work if other services are using the wireless adapter. For instance, if you are already connected to a Wi-Fi network, disconnect and refresh the AP list before trying again.
5. If after many attempts and fixes the hack still does not work, perhaps the target network just isn't vulnerable. There are many other hacking tools on the Kali platform that you can try.
10.2 Hacking WPA/WPA-2 Using Brute Force
Brute force is a very popular way to hack a secured wireless network because it takes advantage of users' tendency to choose easy, textbook passwords. If you find that a network's WPS is secure and Reaver is not getting anywhere, a brute-force attack (also called a dictionary or wordlist attack) may work. There are many tools you can use on Kali Linux, but for this guide we will use the Hashcat tool.
10.2.1 What is the Hashcat Tool?
Hashcat is a CPU-based tool that has been around for quite some time. The Hashcat tool we will use (oclHashcat) runs on modern GPUs to crack the password hashes captured from WPA and WPA-2 wireless networks.
Step 1: Capturing a 4-way handshake with the router
First, you need to capture a 4-way handshake with the secured wireless network and save it in a .cap file. Your network adapter must support monitor mode, just as in the previous hack. We will use airmon-ng to switch to monitor mode and airodump-ng to sniff the networks. Enter the following commands in your Kali Linux shell. Here airmon-ng start wlan0 creates the monitor interface wlan0mon; in the third command -c is the channel the target AP is on (1 in this example), --bssid restricts the capture to the target's BSSID, and -w write2file names the output, which airodump-ng saves as write2file-01.cap:
airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng -c 1 --bssid XX:XX:XX:XX:XX:XX -w write2file wlan0mon
With airodump-ng still running and writing to the file, send de-authentication packets to the target access point to force connected devices to disconnect from it. You will then be able to capture the 4-way handshake when the devices reconnect. Use aireplay-ng for this:
aireplay-ng --deauth 100 -a [Router_Mac] -c [Device_Mac] wlan0mon
Replace [Router_Mac] with the router's MAC address and [Device_Mac] with the MAC address of a connected device. If this attempt fails, retry several times, because it is not uncommon for the first couple of attempts to fail. Remember that the -a switch in aireplay-ng takes the AP's MAC address and -c takes the MAC address of the device connected to the wireless network.
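As the defender-side counterpart to the de-authentication step above, here is an added example (it is not part of the original chapter or of the aircrack-ng suite) that flags a deauth flood in a simplified per-frame log, the kind of check a wireless IDS runs on a monitor-mode capture. The log format, the sample traffic and the alert threshold (at least 10 deauth or disassoc frames from one source within one second) are all constructed assumptions for the example.

```python
# Added example: detect a de-authentication flood in a simplified 802.11
# management-frame log. Not part of the original chapter.
from collections import defaultdict, deque

# Constructed sample log (assumed format, one frame per line):
#   <epoch seconds> <frame subtype> <source MAC> <destination MAC>
# A real wireless IDS would fill this from a monitor-mode capture.
SAMPLE_LOG = "\n".join(
    # one legitimate deauth when a client roams away, plus normal data: no alert
    ["1000.000 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66",
     "1005.250 data 11:22:33:44:55:66 aa:bb:cc:dd:ee:01"]
    # 100 deauth frames in half a second with the AP's address as source,
    # the pattern a 100-frame deauth burst against one client produces
    + [f"{1010 + i * 0.005:.3f} deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66"
       for i in range(100)]
    + ["1010.100 data 11:22:33:44:55:66 aa:bb:cc:dd:ee:01"]
)


def parse_frames(text):
    """Parse the log into (timestamp, subtype, src, dst) tuples sorted by time."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, subtype, src, dst = line.split()
        frames.append((float(ts), subtype.lower(), src.lower(), dst.lower()))
    frames.sort(key=lambda f: f[0])
    return frames


def detect_deauth_floods(frames, threshold=10, window=1.0):
    """Return {source_mac: (first_ts, count)} for every source that sends
    at least `threshold` deauth/disassoc frames within `window` seconds.

    A sliding window per source keeps memory bounded; only the first alert
    per source is kept so the report shows when the flood started.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, src, _dst in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        # drop timestamps older than the window (q always holds ts itself)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], len(q))
    return alerts


if __name__ == "__main__":
    for src, (start, count) in detect_deauth_floods(parse_frames(SAMPLE_LOG)).items():
        print(f"deauth flood from {src}: {count} frames within 1 s starting at t={start:.3f}")
```

The single roaming deauth at t=1000 falls out of the window long before the burst at t=1010, so only the burst trips the alert; a source address that matches your own AP is the usual sign that the frames are spoofed, since an AP has no reason to deauthenticate one client a hundred times a second.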
Step 2: Convert the .cap file to .hccap
Hashcat works with a .hccap file, while the data we need is in the .cap file airodump-ng wrote. Use the following command to convert it. aircrack-ng appends the .hccap extension itself, so naming the output handshake produces handshake.hccap:
aircrack-ng filename.cap -J handshake
Step 3: Download a wordlist to use in the hack
One of the best things about Hashcat is that it can generate its own candidate list for the brute-force hack on the fly, so you can use it without downloading an existing dictionary of passwords to try. We will cover this in Step 5, but for now we will get ready with a downloadable wordlist.
There are many wordlists you can download from the internet as .txt files; a simple internet search returns millions of results. Filter the results to find the newest one hosted on a credible site and download it. Be sure to check that the wordlist was created specifically for WPA/WPA-2, as WPA passwords must be at least eight characters long, so shorter entries are wasted attempts. Save the file in /root, where the handshake.hccap file is located.
Step 4: Use oclHashcat with a wordlist
Use the following command to crack the WPA handshake file, which is now in the .hccap format (-m 2500 is Hashcat's hash mode for WPA/WPA-2 handshakes):
oclhashcat -m 2500 /root/handshake.hccap /root/wordlist.txt
At this point you can let Hashcat run the attempts in the background. Depending on the speed and memory of your GPU, this tool can peak at over 150,000 attempts per second. You can tweak the command with -u (GPU loops) to get full speed.
Step 5: Use oclHashcat without a wordlist
Alternatively, you can let Hashcat generate its own candidates on the fly rather than clogging it up with a massive wordlist. For this to work, though, you need to use the mask options to describe your preferred charsets for each position of the password.
The built-in charsets are:
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?l = abcdefghijklmnopqrstuvwxyz
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (the set begins with a space)
?a = all of the above characters (?l, ?u, ?d and ?s)
Masks are built by repeating these charsets, one per character position. For example:
?l?l?l?l?l?l?l?l = a-z, 8 characters long.
?u?u?u?u?u?u?u?u = A-Z, 8 characters long.
?d?d?d?d?d?d?d?d = 0-9, 8 characters long.
?s?s?s?s?s?s?s?s = all special characters, 8 characters long.
?a?a?a?a?a?a?a?a = a-z, A-Z, 0-9 and all special characters, 8 characters long.
Hashcat also lets you choose an attack mode. The values for the -a switch are:
0 = Straight attack
1 = Combination attack
3 = Brute-force attack
6 = Hybrid dictionary + mask attack
7 = Hybrid mask + dictionary attack
For instance, to carry out a mask brute-force attack, you use the -a 3 switch followed by the mask.
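The charset and mask tables above are easiest to reason about as keyspace sizes. The following is an added example, not code from the chapter or from Hashcat, that computes how many candidates a mask generates and how long exhausting it takes at a given rate; it is the arithmetic a defender uses to decide how long and how varied a WPA passphrase must be. The charset sizes are Hashcat's built-in ones (26, 26, 10, 33 and 95 characters); the 150,000 attempts per second figure is taken from the text and assumed as the rate, and human_duration uses 365-day years.

```python
# Added example: size of a hashcat mask keyspace and the worst-case time to
# exhaust it at a given guess rate. Not part of the original chapter.

# hashcat's built-in charsets; ?a is the union of the other four.
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def mask_keyspace(mask):
    """Number of candidates a mask such as '?l?l?l?l?d?d' generates.

    '?x' selects a built-in charset, '??' is a literal question mark, and any
    other character is a fixed literal that contributes one possibility.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            token = mask[i + 1]
            if token == "?":
                size = 1
            elif token in CHARSETS:
                size = len(CHARSETS[token])
            else:
                raise ValueError(f"unknown charset ?{token}")
            i += 2
        else:
            size = 1
            i += 1
        total *= size
    return total


def seconds_to_exhaust(mask, guesses_per_second):
    """Worst-case time, in seconds, to try every candidate of the mask."""
    return mask_keyspace(mask) / guesses_per_second


def human_duration(seconds):
    """Render seconds in the largest convenient unit (assumes 365-day years)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    RATE = 150_000  # attempts per second: the GPU figure quoted in the text, assumed here
    for mask in ["?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l",
                 "?a?a?a?a?a?a?a?a", "?a?a?a?a?a?a?a?a?a?a?a?a"]:
        print(f"{mask:28s} {mask_keyspace(mask):>26,d} candidates  "
              f"{human_duration(seconds_to_exhaust(mask, RATE))}")
```

At the quoted rate an eight-digit PIN-style passphrase (?d x 8) falls in about eleven minutes and eight lowercase letters in about sixteen days, while eight characters drawn from ?a already run to centuries; that gap, not the tool, is what a passphrase policy controls.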
10.3 Conclusion
Hacking a secured network is not easy, which explains why it takes a long time even when it succeeds. However, with so many hacking tools available on the Kali Linux platform, you will discover a pattern and even your favorite methods with practice in your lab. These two approaches are basically examples of how you would go about using almost every other WPA/WPA-2 hacking tool in your arsenal.