Introduction
Here we’re going to show capturing WPA/WPA2 handshake steps (
*.cap
), continuing with explanations related to cracking principles. We’ll go through the process step by step, with additional explanations on how things work, which WiFi keys are generated and how, using captured handshake to manually crack/calculate MIC in EAPol Frames (using WireShark and custom Python code).This device costs about $30 on eBay and plugs into the USB port on your mac. The Teensy works by brute force attacking the 4 digit pin code, trying every combination of 4 digits. Apple circumvented this by enabling a 6 digit code. Later revisions of the Teensy now cost more and also do 6 digit brute force attacks.
With my example hash data that's: Save this to a file named hash.txt and use it in hashcat. The proper brute force command to find the password (=my simple test password only containing 4 digits) is./hashcat-cli64.app -m 7100 hash.txt -a 3?d?d?d?d The resulting password after 3 minutes cracking (in a VM) is 1111. Any cryptographic hash function, such as SHA-2 or SHA-3, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-SHA256 or HMAC-SHA3-256). The Reaver brute-force attack was a radical new weapon for Wi-Fi. You may want to change the MAC address of your adapter with a tool like. It’s exactly what WIBR + – WiFi Bruteforce without root is for, which is capable of accessing WPA and WPA2 networks through brute force. In this assignment we build code to reverse an MD5 hash using a brute force technique where we simply 'forward hash' all possible combinations of characters in strings. This would be similar to a situation where an e-commerce site stored hashed passwords in its database and we somehow have gotten our hands on the database contents and we want.
We’re not going to crack hashes with usual tools (oclHashCat or aircrack-ng), but we’ll mention some related details. That process depends on the available hardware and password complexity, and will be covered later on. We do have to mentioned that there are other ways to avoid 4-way handshake altogether, PMKID (found while looking at WPA3 – ‘dragonfly’ vulnerabilities).
The 4-way handshake
The goal of this handshake is to create an initial pairing between the client and the AP (access point):
- AP sends ANonce to the STA (connecting station). The client creates the PTK (Pairwise Transient Key).
- Client sends SNonce to AP and a MIC (Message Integrity Code) which includes the authentication.
- The AP creates PTK and sends the GTK (Group Temporal Key), along with a sequence number together and an MIC.
- The client sends a confirmation to the AP.
GTK is then used to decrypt multicast/broadcast traffic.
Key Construction [PMK, PTK, KCK, MIC]
Before this handshake takes place, both AP and Station/Client contain PMK (never transmitted over the air). It’s used to derive PTK and is computed using PBKDF2 (Password-based Key Derivation Funtion 2) which uses
HMAC-SHA1
algorithm to encode data:PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
The 4096 iterations to create 256 bit PMK with SSID used as salt and PSK (passphrase) used as the base of entire process. Sample python code:
Brute Force For Hash Mac And Cheese
PTK is dependent on ANOUNCE, SNOUNCE, AP & Station MAC Addresses and PMK. The result is 512bit PTK which are treated as 5 separate keys:
- 128bits – Key Confirmation Key (KCK) – Used during the creation of the MIC.
- 128 bits – Key Encryption Key (KEK) – Used by the AP during data encryption.
- 128 bits – Temporal Key (TK) – Used for the encryption and decryption of unicast packets.
- 64 bits – MIC Authenticator Tx Key (MIC Tx) – Only used with TKIP configurations for unicast packets sent by access points.
- 64 bits- MIC Authenticator Rx Key (MIC Rx) – Only used with TKIP configurations for unicast packets sent by clients.
PKE value is assumed. PTK can be generated with a function (customPRF512) or simply by calling hmac lib. Sample python code for generating the keys:
With that, we have everything we need to calculate MIC, which you can further use to validate your attempts to crack password. Below you’ll find a complete python code you can use to experiment.
Capturing WPA/WPA2 Handshake with Aircrack-ng
Maybe an overkill for the sake of the example, but we’re going to use couple of Devices:
- an Asus Tables as AP
- an old IPhone 4 as STA
- a WiFi USB
Start
I varies from system to system (adapter) but you’ll probably end up with an interface wlan0mon. Check ifconfig output and see what you’ll end up with:
Next, look what’s out there:
Dumping everything you capture to a FILE (
*.cap
):With this, we’re waiting for any WPA handshake to happen. When it does occur, in the top right corner you’ll see something like:
Here in this example, we’re going to be a more specific, we have a target in mind (CyberPunk Net with AP on 40:16:7E:DC:1A:8C). We want to read channel 6 (CyberPunk Channel), BSSID (40:16:7E:DC:1A:8C) and write all that into a file:
![Hash Hash](/uploads/1/3/4/2/134235732/480266140.jpg)
To speed things up we’re going to deauthanticate the wireless client on that BSSID by sending DeAuth package:
0
: Deauthentication Frame1
: Number of DeAuth packages-a
: AP MAC Addr-c
: Client:STA MAC Addr
Deauthentcation frame, sent from router to a device, terminates client’s connection. Devices are usually configured to re-connect automatically, again going through 4-way-handshake. Previously started airodump-ng will capture it.
In this example, we know the password (“theonecp”), it has 8 lowercase chars (WPA Minimum), so that’s
26^8 = 208.827.064.576
possible combinations.On our machine, crunch + aircrack has performance of 10k keys/sec. With that speed, we would break it in ~240 days (max).
On the other hand GUI oclHashCat is far better with 360k keys/sec (2 RX 580 Cards). Rough estimate, 6 days (max).
We’re not going to go into cracking this using tools, but we’re going to cover the principles on which those tools are based. If you need additional stats, check Password Cracking and Login Brute-force [Stats]
Capturing WPA/WPA2 Handshake: Cracking Principles [Steps]
Based on the 4-way-handshake diagram we’ve previously showed, we can see exact EAPol packets involved in 4-way-hanshake we captures (WireShark SS,
*.cap
):Note: WPA uses md5 to compute the MIC while WPA2 uses sha1
With the 2nd EAPol package of the handshake geting captured, there’s enough information to try and compute PTK (using assumed PSK passphrase), which can then be used to extract KCK and compute MIC (HMAC_MD5). This newly computed MIC is than compared to the captured MIC to determine the validity of assumed PSK.
The simple script below enables you to manually calculate appropriate fields and check if certain password is the one we’re looking for:
If you want to make something more specific with python, you should probably check Python WPA2 Cracker. It’s a nice & short example on how to manage things in WiFi sphere, who knows it might inspire an idea to build something of your own.
Conclusion
If you never before went into details on how WPA/WPA2 is getting cracked (bruteforced), we hope this article demistified the process a bit. It’s not a science fiction and understanding it might provide some additional perspectives related to WiFi, Pentesting and Cybersecurity in general.
The compromise of passwords is always a serious threat to the confidentiality and integrity of data. Generally, the passwords shorter than 7 characters are especially susceptible to bruteforce attack. However, a sequence of mistyped commands or incorrect login responses (with attempts to recover or reuse them) can be a signs of brute-force intrusion attempts.
Brute force attack is a process of guessing a password through various techniques. Atmosphere for mac spectrasonic. Huawei driver windows 10. Commonly, brute force attacks are divided into three categories:
a) Traditional Brute Force
In a traditional brute force attack, you will try all the possible combinations to guess the correct password. This process is very usually time consuming; if the password is long, it will take years to brute-force. But if the password is short, it can give quick results.
b) Dictionary Attacks
In a dictionary-based brute force attack, we use a custom wordlist, which contains a list of all possible username and password combinations. It is much faster than traditional brute force attacks and is the recommended approach for penetration tests.
c) Hybrid Attacks
Hybrid brute force attacks are a combination of both traditional brute force attack and dictionary based attack. The idea behind a hybrid attack is that it will apply a brute force attack on the dictionary list.
Using bruteforce attacks, an attacker could gain full access to the affected machine. When conducting brute force attacks or password attacks, faster processing speed is beneficial. In cases where remote brute force attacks are conducted, bandwidth constraints must be addressed.
1. THC Hydra
THC hydra is one of the oldest password cracking tools developed by “The Hackers Community“. By far, Hydra has the most protocol coverage than any other password cracking tool as per our knowledge, and it is available for almost all the modern operating systems. THC Hydra can perform rapid dictionary attacks against many protocols such as Telnet, FTP, HTTP, SMB etc.
Here is the basic syntax for hydra (Linux version) to brute-force a service.
Syntax: Hydra –L administrator –P password.txt <target ip > <service>
- Official Website –https://sectools.org/tool/hydra/
- Github Link –https://github.com/vanhauser-thc/thc-hydra
- Latest Version (As Per Dated:11 March 2019) – v8.9
- Available for – Windows/Linux/Mac OS X/
2. Aircrack-Ng
Aircrack-ng is another most popular brute force wireless hacking tool which is further used to assess WiFi network security. Generally it focuses on different 4 areas of WiFi security i.e. Monitoring, Attacking, Testing and Cracking.
Aircrack-ng is a set of tools widely used to crack/recover WEP/WPA/ WPA2-PSK. It supports various attacks such as PTW, which can be used to decrypt WEP key with a less number of initialization vectors, and dictionary/brute force attacks, which can be used against WPA/WPA2-PSK. It includes a wide variety of tools such as packet sniffer and packet injector. The most common ones are airodump-ng, aireply-ng, and airmon-ng.
- Official Website –http://www.aircrack-ng.org/
- Github Link –https://github.com/aircrack-ng/aircrack-ng
- Latest Version (As Per Dated:11 March 2019) – v1.5.2
- Available for – Linux/BSD/OS X/Windows
3. Ncrack
Ncrack is one of our favorite tool for password cracking. It is based upon nmap libraries. It comes pre-installed with Kali Linux OS. It can be combined with nmap to yield great results. The only disadvantage is that it supports very few services, namely, FTP, SSH, Telnet, FTP, POP3, SMB, RDP, and VNC.
- Official Website –https://nmap.org/ncrack/
- Github Link –https://github.com/nmap/ncrack
- Latest Version (As Per Dated:11 March 2019) – v0.6
- Available for – Windows/Linux/BSD/Mac OS X
Brute Force For Hash Machine
4. SAMInside
SAMInside is a security tool compatible with only Windows operating systems and allows lost passwords and locked systems to be unlocked and accessed with a complex, but easy to use system of password recovery.
- Official Website –https://www.insidepro.team/
- Github Link – N.A.
- Latest Version (As Per Dated:11 March 2019) – v2.7.0.1
- Available for – Windows
5. Hashcat
Hashcat is the world’s fastest and most advanced password recovery utility, supporting 5 unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.
Intel ssd for mac. Some features require Sidecar-enabled apps. Sidecar requires an iPad that supports Apple Pencil. Software and content may be sold separately.
- Official Website –https://hashcat.net/hashcat/
- Github Link –https://github.com/hashcat/hashcat
- Latest Version (As Per Dated:11 March 2019) – v5.1.0
- Available for – Linux/Windows/Mac OS
6. Ophcrack
Ophcrack is a Windows-based tool that has the capability to not only dump the hashes, but also crack those hashes using rainbow tables. The ophcrack program comes with rainbow tables that work for passwords of a very short length. So if the password is lengthy, or, say, alphanumeric, you won’t be able to crack it.
- Official Website –http://ophcrack.sourceforge.net/
- Github Link –https://github.com/luisgg/ophcrack
- Latest Version (As Per Dated:11 March 2019) – v3.8.0
- Available for – Windows/Linux
7. Cain & Able
Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows only. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks.
- Official Website –http://www.oxid.it/cain.html
- Github Link –https://github.com/xchwarze/Cain
- Latest Version (As Per Dated:11 March 2019) – v4.9.56
- Available for – Windows
8. Rainbow Crack
Rainbow crack can not only be used to crack password hashes by using rainbow tables, but it can also help you create your own rainbow tables in case you don’t want to download them; but remember that if you are generating a large rainbow table, you should make sure that you have ample hard drive space.
- Official Website –http://project-rainbowcrack.com/
- Github Link –https://github.com/adamalawrence/rainbow
- Latest Version (As Per Dated:11 March 2019) – v1.7
- Available for – Windows/Linux
9. John the Ripper
![Machine Machine](/uploads/1/3/4/2/134235732/348774548.png)
John the Ripper (JTR) is an open source password cracker; it’s one of the fastest password crackers around and is pre-installed in Kali Linux OS. It can be used to perform both bruteforce attacks and dictionary-based attacks. It also comes with a pre-installed wordlists.
- Official Website –https://www.openwall.com/john/
- Github Link –https://github.com/magnumripper/JohnTheRipper
- Latest Version (As Per Dated:11 March 2019) – v1.8.0
- Available for – Linux/Mac OS X/Windows/Android
10. L0phtcrack
L0phtCrack is a password auditing and recovery application originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables. It was one of the crackers’ tools of choice, although most use old versions because of its low price and high availability.
- Official Website –http://www.l0phtcrack.com/
- Github Link –https://github.com/L0phtCrack
- Latest Version (As Per Dated:11 March 2019) – v7.1.1
- Available for – Windows