Cracking WPA & WPA2

Unlike WEP cracking there is no 100% guarantee that you will successfully hack a WPA key. Hacking WPA requires a bit of luck. A successful WPA hack is reliant on the access point having a weak password. The good news is that there is no difference in cracking both WPA and WPA2. As well as having a strong password list you also need the “4-way handshake” or at least some of it from the access point. The 4 way handshake can be obtained when a client connects to the access point.

 

What is the 4-way handshake? 
The 4-way handshake is the way in which a client can authenticate with the access point without revealing the key and without having to re-transmit the key after successful authentication. The process itself is very complex and the details are out of scope for this post. All you need to know when cracking WPA is that you require at least 2 parts of the 4-way handshake. This diagram shows the process and the details of each phase are explained on:

Capture the handshake

First step is to put your wireless interface in monitor mode.

sudo airmon-ng start wlan0

Next start sniffing the airwaves and saving captured packets to an output file with the command:

sudo airodump-ng mon0 --write output

In order to obtain the needed 4-way handshake you can either wait for a client to connect or the much faster method is to kick an already authenticated client off the network and wait for them to re-connect. In this case I will be attacking the AP “00:04:ED:B1:02:DA“(super_happy_fun_slide) as there is already an authenticated client “00:22:43:22:23:8F” on this network.

To disconnect a client we send the access point a “de-auth” packet. This stands for deauthentication packet and is used in wireless networks when a client wishes to disconnect. In our case we send a deauth to the AP and either choose the client to deauth or we can deauth all clients that are connected. A Few seconds later the clients auto connect kicks in and re-authenticates them.

Make sure your airodump is still running and writing out the packets. To de-auth a single client run this command:

sudo aireplay-ng -0 1 -a 00:04:ED:B1:02:DA -c 00:22:43:22:23:8F mon0

To deauth all connect clients leave out the -c option:

sudo aireplay-ng -0 1 -a 00:04:ED:B1:02:DA mon0

Note in some versions of aircrack you may need to append –ignore-negative-one to the end of the command. Also to note is that in some cases a single de-auth may not work. You can send an unlimited amount by replaceing the 1 with  a higher number or use 0 to send unlimited de-auths like so:

sudo aireplay-ng -0 0 -a 00:04:ED:B1:02:DA -c 00:22:43:22:23:8F mon0 --ignore-negative-one

In my case I needed to send 5 de-auths to receive a reply:


We see the de-auth received a reply so now we can check airodump for the handshake:
Cracking the hash with hashcat
****************************
**********UPDATE************
****************************
As of hashcat version 6.0.0.0, captured handshakes now need to be converted to a .hc22000 file. Hashcat supply an online tool that can do that here: https://hashcat.net/cap2hashcat/ The manual method instructions can be found here:
Once converted the .hc22000 can be run through hashcat with:
hashcat -m 22000 hash.hc22000 wordlist.txt

Convert the pcap file to hccapx using hashcats website:
https://hashcat.net/cap2hccapx/

Run the converted hccapx through hashcat:
hashcat -m 2500 12671_1612239675.hccapx rockyou.txt

Cracking the hash the oldschool way with Pyrit

I actually wrote the original post for this quite some years ago when I used pyrit to crack hashes so I may as well include the oldschool way. Nowdays hashcat will do the job fine.

Oldschool Pyrit:

There are two options to cracking with a wordlist with pyrit. The first is to simply run the handshake through the wordlist. For each word pyrit needs to calculate what is called the Pairwise Master Key or PMK. This is fine if you have a unique access point name like Super happy fun slide. By say you have a generic name like netgear. You can pre-compute all of these PMKs and put them in a database so you dont have to pre-compute them for the next netgear you crack. In the past I have computed 900,000,000 passwords and it took about 4 – 5 hours. Once they where in the DB it took about 5 minutes to get through all of them.


Start the cracking process with the command:

pyrit -r output-02.cap -i Custom-WPA attack_passthrough
-r = your file containing the handshake
-i = input file. AKA the wordlist
attack_passthrough = compute pmks on the fly directly from the wordlist and dont use a database.

One thing to note is that if you have multiple handshakes in the one file pyrit will ask you which one to you wish to crack. You can also specify an access point manually with the command:
pyrit -r output-02.cap -i Custom-WPA  -b 00:04:ed:b1:02:da attack_passthrough