Difference between revisions of "Crack WPA2-PSK menggunakan Aircrack-ng"

From OnnoWiki
Jump to navigation Jump to search
 
Line 20: Line 20:
 
     How to perform dictionary attack on WPA2-PSK
 
     How to perform dictionary attack on WPA2-PSK
  
What is a dictionary attack ?
+
==What is a dictionary attack ?==
  
 
Hashing is one of the keys used in the security field professional to protect the users from the malicious attackers.
 
Hashing is one of the keys used in the security field professional to protect the users from the malicious attackers.
Line 30: Line 30:
 
In a dictionary attack,
 
In a dictionary attack,
  
    We create/use a wordlist (text file of possible passwords)
+
* We create/use a wordlist (text file of possible passwords)
    Take a word at a moment from the wordlist
+
* Take a word at a moment from the wordlist
    Create its hash using the Hash function, PBKDF2 for WPA2
+
* Create its hash using the Hash function, PBKDF2 for WPA2
    Compare the output value with the existing hash.
+
* Compare the output value with the existing hash.
    If value matches, password taken from the wordlist is the correct password
+
* If value matches, password taken from the wordlist is the correct password
  
 
Above steps are involved in the WPA2 passphrase cracking process.
 
Above steps are involved in the WPA2 passphrase cracking process.
Line 49: Line 49:
 
Final output should look like this:
 
Final output should look like this:
  
start-mon-mode
+
start-mon-mode
  
 
Step 2: Start capture, airodump-ng
 
Step 2: Start capture, airodump-ng
Line 61: Line 61:
 
As you can see in the above image, “rootsh3ll” is the victim AP . We will now note the information highlighted
 
As you can see in the above image, “rootsh3ll” is the victim AP . We will now note the information highlighted
  
    AP (ESSID): rootsh3ll
+
AP (ESSID): rootsh3ll
    AP MAC (BSSID): 64:66:B3:6E:B0:8A
+
AP MAC (BSSID): 64:66:B3:6E:B0:8A
    Client MAC: 30:A8:DB:C6:88:13
+
Client MAC: 30:A8:DB:C6:88:13
    Channel: 11
+
Channel: 11
  
 
Hit CTRL-C, and kill airodump-ng.
 
Hit CTRL-C, and kill airodump-ng.
Line 93: Line 93:
 
In the second option we are actually making sure that option 1 happens, so that we can capture the handshake.
 
In the second option we are actually making sure that option 1 happens, so that we can capture the handshake.
  
    Client disconnects when receives the disconnect packet.
+
* Client disconnects when receives the disconnect packet.
    Reconnect to the AP
+
* Reconnect to the AP
    4-way handshake between AP and client
+
* 4-way handshake between AP and client
    Hacker captures the 4-way handshake
+
* Hacker captures the 4-way handshake
  
 
let’s disconnect the client now,
 
let’s disconnect the client now,
Line 170: Line 170:
 
==Countermeasures==
 
==Countermeasures==
  
Use a strong password to stay safe,
+
Use a strong password to stay
 
 
Example: Myp@sword8@#,  is a strong password
 
 
 
As it has
 
 
 
    No order in plain English language
 
    13 Character password, very secured
 
    Alpha-numeric and special characters in one makes a very strong password.
 
    Upper and Lower-case characters.
 
    No pattern
 
    Not a mobile number, as mobile numbers can be easily guessed.
 
 
 
Or you can just keep a password with some special characters, a word that isn’t a pattern or a dictionary word.
 
 
 
That will also be good and secured.
 
 
 
==Conclusion==
 
 
 
We learned the process involved in WPA cracking.
 
 
 
Here is a list of commands we went through the capture and the cracking process
 
 
$ ifconfig wlan1 # check wireless IFace
 
$ sudo airmon-ng check kill  # kill issue causing processes
 
$ sudo airmon-ng start wlan1 # start monitor mode
 
$ sudo airodump-ng wlan1mon  # start capturing
 
$ sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w rootsh3ll # airodump-ng on rootsh3ll
 
$ sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon  # deauthenticate the client
 
$ sudo aircrack-ng rootsh3ll-01.cap dict # crack the passphrase
 
 
 
That’s all for WPA2 for now, Hope you enjoyed through the chapter.
 
 
 
In next chapter we will learn how to crack WPS, and why WPS ?
 
 
 
 
 
 
 
 
 
==Referensi==
 
 
 
* http://www.rootsh3ll.com/2015/09/rwsps-wpa2-cracking-aircrack-ng-dictionary-attack-ch3pt4/
 

Latest revision as of 10:20, 12 December 2015

Sumber: http://www.rootsh3ll.com/2015/09/rwsps-wpa2-cracking-aircrack-ng-dictionary-attack-ch3pt4/


WPA2-PSK, WiFi Protected Access - Pre Shared Key, adalah jauh salah satu enkripsi keamanan wireless yang paling aman dan tak terjebolkan pada saat ini. Tidak ada cacat enkripsi belum dilaporkan oleh para peneliti keamanan untuk WPA2, sehingga seorang hacker jahat dapat dengan mudah memanfaatkan dan mudah mendekripsi paket.

Enkripsi mungkin paling aman dan tidak terjebolkan pada saat ini, tetapi sistem WPA2 masih cukup rentan terhadap hacker.

Tidak seperti WEP, WPA2 menggunakan 4-way handshake sebagai proses otentikasi. Di mana kuncinya adalah tidak pernah dikirim melalui jaringan tetapi digunakan untuk mengenkripsi / mendekripsi paket data di jaringan. Yang memungkinkan hacker untuk hanya menangkap jabat tangan dan melakukan serangan tanpa Tinggal menangkap paket data seperti yang kita lakukan saat retak WEP.


Sama seperti paket-paket broadcast yang kita lihat di wireshark, 4-way handshake juga dalam teks biasa. Yang memungkinkan hacker potensial untuk menangkap informasi plaintext seperti

  • Access point MAC address
  • Client MAC address
  • ESSID – AP Name

Informasi di atas digunakan oleh hacker untuk melakukan dictionary attack pada ditangkap 4-way handshake (PCAP File). Mari kita lihat

   What is a dictionary attack ?
   How to perform dictionary attack on WPA2-PSK

What is a dictionary attack ?

Hashing is one of the keys used in the security field professional to protect the users from the malicious attackers.

Hash is simply a cryptographic function that converts a data or file of an arbitrary length or size to a fixed length, which is considered practically impossible to invert or reversed, as no key is involved in the process.

   A Hash is always unique

In a dictionary attack,

  • We create/use a wordlist (text file of possible passwords)
  • Take a word at a moment from the wordlist
  • Create its hash using the Hash function, PBKDF2 for WPA2
  • Compare the output value with the existing hash.
  • If value matches, password taken from the wordlist is the correct password

Above steps are involved in the WPA2 passphrase cracking process.

Let’s begin,

Step 1: Start monitor mode

$ ifconfig wlan1             #Check whether card is detected
$ sudo airmon-ng check kill  #Kill process causing issues
sudo airmon-ng start wlan1   #Start monitor mode

Final output should look like this:

start-mon-mode

Step 2: Start capture, airodump-ng

We will now start airodump-ng to sniff the air and wait until the desired AP and corresponding client are displayed.

airodump-ng wlan1mon

airodump-ng-output

As you can see in the above image, “rootsh3ll” is the victim AP . We will now note the information highlighted

AP (ESSID): rootsh3ll
AP MAC (BSSID): 64:66:B3:6E:B0:8A
Client MAC: 30:A8:DB:C6:88:13
Channel: 11

Hit CTRL-C, and kill airodump-ng.

Now, we will start airodump-ng exclusively to capture packets associated with “rootsh3ll” and save the 4-way handshake in a PCAP file, say rootsh3ll

Step 3: Start airodump-ng exclusively

   airodump-ng –bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w rootsh3ll

Here “rootsh3ll” is the output filename provided to the -w parameter

airodump-ng-rootsh3ll

Step 4: Disconnect the client with aireplay-ng.

Now, are two ways for capturing the handshake,

   Wait for a client to connect.
   Disconnect the already connected client.

First option seems to be slow, time taking. Whether in our case, option 2 is just perfect as we have a client connected to the wireless AP “rootsh3ll”.

How does that work ? we use a utility from the aircrack-ng suite named aireplay-ng which allows us to craft and send a disconnect request to the desired AP with the information we noted down earlier.

We are actually abusing a legitimate Windows(or any other OS) feature. Which forces the wireless card to re connect to the AP when available.

In the second option we are actually making sure that option 1 happens, so that we can capture the handshake.

  • Client disconnects when receives the disconnect packet.
  • Reconnect to the AP
  • 4-way handshake between AP and client
  • Hacker captures the 4-way handshake

let’s disconnect the client now,

Open a new Terminal window and type:

aireplay-ng –deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon

aireplay-ng

parameters applied:

–deauth 5: 5 deauth requests broadcasted with BSSID “rootsh3ll”, 0 for endless
-a: parameter to tell aireplay-ng the BSSID
wlan1mon: monitor mode interface

Step 5: Capture the handshake

Meanwhile in the terminal window of airodump-ng, you would notice the top of the output. which says

   WPA Handshake: 64:66:B3:6E:B0:8A

WPA2-handshake

Which simply means that the WPA handshake has been capture for the specific BSSID, which is the AP MAC of rootsh3ll.

Hit CTRL-C, as the handshake has been captured, we will now crack the password using the captured handshake

Step 6: How does a Handshake looks like? Open Wireshark (Optional)

This step is optional, you can open the PCAP file(rootsh3ll-01.cap) in Wireshark for manual inspection, or to see how does a handshake looks like.

Type in terminal wireshark [.cap file], which in our case is

   wireshark rootsh3ll-01.cap
   Type “eapol” in the filter field, press [ENTER]

wireshark-eapol

You would notice the last column, “Info” is showing a message no. from 1 to 4.

This is the 4 way handshake happened during the capture. It is like AP and Client are talking to each other. Notice the Source and Destination tab.

moving on to the next step,

Step 7: Cracking

Here’s an ugly truth

WPA2 password cracking is not deterministic like WEP, because it is based on a dictionary of possible words and we do not know whether the passphrase is in the dictionary or not. So you are never sure whether a specific dictionary will just work or not.

For this tutorial I have beautifully crafted a wordlist, just to demonstrate how the output of the cracked password would look like. Command and the wordlist looks like this:

wordlist

Here I have directly saved the password in the wordlist to demonstrate how the output would look like, your will be different, obviously.

let’s fire up aircrack-ng and crack the key

Type in terminal, aircrack-ng [.cap file] -w [wordlist], which in our case looks like

aircrack-ng rootsh3ll-01.cap -w dict

and aircrack-ng has cracked the password in one go.

aircrack-ng-output-cracked-password

This is quite odd to see the cracked passphrase for the first time, right ?

Here’s a sample output of the running process, yours would look like the same during the cracking process. aircrack-ng-output

Countermeasures

Use a strong password to stay