Today’s tutorial will be looking into how you can crack the password of the 4 way handshake of someone that is re-authenticating themselves to a wireless router. The goal is to gain access to the router.
As always guys, these posts are for Penetration Testing purposes and not to be used on real networks without permission.
So let’s get started, first we need to fire up our Kali Linux machine and get our WiFi card into monitor mode so we can monitor local connections to local routers. Then we will need to de-authenticate a user from the WiFi connection, this will give us time to capture the re-authentication (the 4 way handshake). Once we do that we will try to crack the password to that WiFi router to gain access.
Once you are logged into Kali Linux, open a command shell. Type
iwconfig
This will list your wireless interfaces and show the mode each one is currently in.
We can see that our interface wlan0 is our listening interface, at the moment it’s in Managed Mode. We want to change that to Monitor Mode to scan for local devices trying to connect to local routers.
It does this by capturing packets over the airwaves. Kali does it with a range of tools. Airmon-ng allows us to start monitor mode on this interface.
airmon-ng start wlan0
That seemed to work, no errors, so let’s check to see that the interface is in monitor mode.
iwconfig
Cool, the interface is set. Once you have that set up we can now grab packets from the airwaves on this interface.
airodump-ng wlan0mon
This process is known as Channel Hopping and you will see the monitor change channels in the top left hand corner. It’s trying to find the devices that are trying to connect to all access points in the vicinity no matter what channel they are on.
Now let’s say we want to target this AmIRootYet network, then we can stop the packet capture.
Now that we have our target router, let’s see what devices are trying to connect to it. As we can see from above, the BSSID is being broadcast for devices to detect their presence and underneath, the Stations (clients) are associated with the access points.
Now that we know the channel to the access point we are interested in we can just filter everything else out. Airodump will help us do that.
airodump-ng -c2 -w capture -d DE:EF:CA:CA:65:AF wlan0mon
The -c flag is the channel, the -w flag writes the packet capture to a file called ‘capture’ and the -d flag specifies the BSSID of the access point. Then comes the interface at the end.
Now it is fixed on the channel we want (2) and the access point we are trying to crack. On the bottom line we can see the access point and the Station beside it, that is a device that’s connected to that router.
Our purpose now is to knock that Station, or any other device that’s connected to this access point, off of it, so that they have to reconnect. This will enable us to capture the re-authentication handshake and then we will try to crack the password offline.
To knock the client off the network we first need to de-authenticate them from the access point. Aireplay-ng in Kali lets us do exactly this. So grab the MAC address of the Station or client, we will need that for the next command.
aireplay-ng --deauth 0 -a DE:EF:CA:CA:65:AF -c 10:A5:D0:EB:99:E6 wlan0mon
The -c flag is the client we want to knock off the network, if we didn’t specify this we would knock all clients from the network and raise suspicion.
Perfect, we are sending de-authentication packets to the client now. Now we wait to see if it got knocked off the network. This may take some time so be patient.
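From the defending side, a targeted de-authentication like this one shows up as a burst of deauth frames aimed at one station. The Python sketch below is an added example, not part of the original post: it parses raw 802.11 management frames and flags such a burst. It assumes the frames start at the 802.11 header (radiotap already stripped); the threshold, the window and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC0, 0xA0  # frame-control byte 0: management subtype 12 / 10

def mac(raw):
    return ":".join(f"{x:02X}" for x in raw)

def parse_mgmt(frame):
    """Return (kind, dest, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26 or frame[0] not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    kind = "deauth" if frame[0] == DEAUTH else "disassoc"
    return kind, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(records, threshold=10, window=1.0):
    """records: iterable of (timestamp, raw_frame). Alert once per (bssid, dest) pair
    when `threshold` deauth/disassoc frames arrive within `window` seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, frame in records:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        _, dest, _, bssid, reason = parsed
        key = (bssid, dest)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:      # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": bssid, "target": dest, "reason": reason, "at": ts})
    return alerts

def build_frame(fc0, dest, src, bssid, reason):
    """Construct a header-only 802.11 management frame for the sample data."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([fc0, 0]) + b"\x00\x00" + to_b(dest) + to_b(src) + to_b(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

AP, STA = "DE:EF:CA:CA:65:AF", "10:A5:D0:EB:99:E6"  # the addresses used in this post
# Constructed sample: one ordinary disconnect, a burst of 64 deauths, one beacon.
SAMPLE = [(0.0, build_frame(DEAUTH, AP, STA, AP, 3))]
SAMPLE += [(30.0 + i * 0.01, build_frame(DEAUTH, STA, AP, AP, 7)) for i in range(64)]
SAMPLE.append((31.0, bytes([0x80, 0]) + b"\x00" * 30))  # beacon, ignored by the parser

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```

Enabling 802.11w Protected Management Frames on the access point and its clients makes forged de-authentication frames like these ineffective.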
What we are waiting for in the top right hand corner is for the WPA handshake to show up. Once we capture it we are good to go.
BOOM! There it is!! We were able to knock the client off the network and we have captured the handshake in our file that we called ‘capture’.
As we can see we have the capture file, so let’s open it up in Wireshark and see what it gives us. Wireshark comes as a default tool in Kali Linux.
wireshark capture-01.cap
Wireshark is a network protocol analyser but you could use another tool if you are more comfortable with something else.
There are a lot of packet captures we don’t want to see here, so let’s use the filter to just show us the 4 way handshake. In the filter field type:
eapol
This stands for Extensible Authentication Protocol Over LAN (Local Area Network) and will filter just what we want.
Look at that, 4 packets. That is the 4 way handshake we are looking for. So let’s dig into the packet a bit and see what’s in here. Click on the arrow beside 802.1X Authentication and this should show us the WPA Key fields of the handshake.
Marvelous, just one more thing to do now is to try and crack the key to get a password from it. We will be using a built in wordlist that we made for this post. Aircrack will help us achieve this with a brute force dictionary attack.
So it’s going to try every password in the list against the captured handshake, offline, to see if we can guess the correct password eventually.
aircrack-ng capture-01.cap -w /usr/share/dict/words
This could take days, weeks or even months depending on the combination of letters and numbers and special characters that you use in the wordlist. For this demonstration though, we just used an easy passphrase to get access.
Once we get the password Aircrack will let us know that it was found successfully.
We cracked the password as we can see and it is the word ‘community’. This is why you should always use strong passwords for access to any network.
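A passphrase check for the defending side, added here as an example and not part of the original post: it rejects WPA passphrases that are a dictionary word or a simple variant of one. The WORDS set is a constructed stand-in for a wordlist such as /usr/share/dict/words, and the normalisation rules are assumptions about common variants.

```python
import re

# Assumed look-alike substitutions: digits and symbols mapped back to letters.
LEET = str.maketrans("013457@$!", "oieastasi")

# Constructed stand-in for a real wordlist (lowercase entries).
WORDS = {"community", "password", "wireless", "internet", "welcome"}

def load_words(path):
    """Load a real wordlist, one entry per line, lowercased."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.strip().lower() for line in fh if line.strip()}

def candidates(passphrase):
    """Normalised forms of the passphrase that a wordlist may contain."""
    low = passphrase.lower()
    # Strip leading/trailing digits and symbols, e.g. 'community2019!' -> 'community'.
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}

def audit_wpa_passphrase(passphrase, words):
    """Return a list of findings; an empty list means these checks found nothing."""
    findings = []
    if not 8 <= len(passphrase) <= 63:           # WPA passphrase length limits
        findings.append("length outside 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("non-printable-ASCII character")
    hits = sorted(candidates(passphrase) & words)
    if hits:
        findings.append(f"variant of dictionary word: {hits[0]}")
    return findings

if __name__ == "__main__":
    for p in ("community", "C0mmun1ty2019!", "short", "vexed-Plinth-corral-82"):
        print(repr(p), audit_wpa_passphrase(p, WORDS))
```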
Thank you so much for reading until the end. Please like, subscribe or comment, we’d love to hear from you. Also, give us some of your own ideas that you’d like us to cover.
Peace!! 🕊️
Quits 2019-10-29