Wednesday, 15 February 2023


WPA2-PSK Attack



I used an Alfa AWUS036NHA and also have an AWUS036ACH, which is dual band so it will do 2.4 and 5 GHz, but it costs a bit more. Use my link to buy, because they're affiliate links and the sugar tax on Coca-Cola is killing me! You could get a TP-Link dongle that will do monitor mode for less, but what's the point? Let's face it, you won't do many wireless attacks, but having the range an Alfa provides is awesome when on holiday and everyone's gathered near reception and you're chillin' on your balcony thanks to the Alfa. Anyway... again...

In the early 2000s, when people started putting wireless networks in their homes, most routers did not come with authentication pre-configured, and when users did enable a security protocol, the standard at the time was WEP (Wired Equivalent Privacy), which proved to be badly flawed and very quick and easy to crack. Because of this, manufacturers moved to WPA2-PSK (Wi-Fi Protected Access 2, pre-shared key) and shipped products with WPA2 enabled by default.

The weakness in WPA2-PSK is in the authentication step: during the 4-way handshake, material derived from the pre-shared key (not the password itself, but enough to check a guess against) is exchanged over the air. By de-authenticating devices from the network and forcing them to reconnect, we can capture the 4-way handshake and then attempt to crack the password offline.

Summary of task: obtain the plain-text password for the target access point (my home wireless access point) using a Kali Linux VirtualBox VM.

Walkthrough

The first step is to put the network card into monitor mode.

airmon-ng start wlan0

Then start looking at what traffic we can see, which will give us the BSSID of our target.

airodump-ng wlan0mon


Now that we have the target BSSID and the channel, we can focus on the correct access point. -c sets the channel, in this case 6. The filename can be anything; I'd recommend something like the ESSID to keep it unique but memorable. airodump-ng appends a counter and extension itself, so the capture ends up as filename-01.cap.

airodump-ng --bssid 70:xx:xx:xx:xx:8a -c 6 --write filename wlan0mon

In a new terminal we can now deauth the clients of the network in order to capture the handshake when they reconnect.

aireplay-ng --deauth 100 -a 70:xx:xx:xx:xx:8a wlan0mon

At this point my kids were watching Netflix, and they didn't notice that they'd been deauthed from the network, as the reconnection happened fast enough that the film's playback was not affected. This means that this attack can go unnoticed, and at this point I still haven't connected to the network.

After the deauth we go back to the terminal running airodump-ng and check whether the handshake was captured. In my case it was. If there isn't a lot of traffic on the network, a few attempts may be required, but as long as there is a device connected it will eventually capture the handshake.
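The deauth frames that made the kids' devices reconnect are plain, unauthenticated 802.11 management frames, which is exactly what a wireless IDS looks for: a burst of deauthentication or disassociation frames claiming to come from one BSSID. The example below is added here and is not code from the original post or from the aircrack-ng project; it builds a few constructed 802.11 management frames in memory, parses the Frame Control field to classify them, and flags any BSSID whose deauth/disassoc count reaches a threshold inside a sliding time window. The threshold, window length and the locally administered MAC addresses are assumptions chosen for the example. The corresponding mitigation is 802.11w Protected Management Frames (PMF), which makes clients drop deauth frames that lack a valid MIC; WPA3 requires it.

```python
from collections import defaultdict

# Tuning values (assumptions for this example, not taken from any standard):
DEAUTH_THRESHOLD = 10   # deauth/disassoc frames from one BSSID ...
WINDOW_SECONDS = 5.0    # ... within this many seconds is treated as a flood

BROADCAST = "ff:ff:ff:ff:ff:ff"
BEACON_SUBTYPE = 8      # 802.11 management subtype 1000b
DISASSOC_SUBTYPE = 10   # 1010b = disassociation
DEAUTH_SUBTYPE = 12     # 1100b = deauthentication


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, addr1: str, addr2: str, bssid: str, body: bytes = b"") -> bytes:
    """Assemble a minimal 802.11 management frame: 2-byte Frame Control (type 0 =
    management, subtype in the high nibble of byte 0), 2-byte Duration, three
    6-byte addresses, 2-byte Sequence Control, then the frame body."""
    frame_control = bytes([subtype << 4, 0x00])
    return (frame_control + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(bssid) + b"\x00\x00" + body)


def parse_frame(raw: bytes):
    """Return (type, subtype, addr1, addr2, bssid) from a raw 802.11 header, or None
    if the buffer is shorter than the 24-byte management header."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x03      # bits 2-3: frame type (0 = management)
    subtype = (fc0 >> 4) & 0x0F    # bits 4-7: subtype
    return ftype, subtype, mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22])


def find_deauth_floods(timed_frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """timed_frames: iterable of (timestamp_seconds, raw_frame). Returns
    {bssid: peak_count} for every BSSID whose deauth/disassoc frames reach
    `threshold` inside some `window`-second sliding interval."""
    times = defaultdict(list)
    for ts, raw in timed_frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, _, _, bssid = parsed
        if ftype == 0 and subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            times[bssid].append(ts)
    floods = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        peak, start = 0, 0
        for end, t in enumerate(ts_list):   # two-pointer sliding window
            while t - ts_list[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[bssid] = peak
    return floods


# Constructed sample capture (placeholder addresses, not real devices):
AP_A = "02:00:00:00:00:8a"      # access point under a deauth flood
AP_B = "02:00:00:00:00:9b"      # access point with one ordinary deauth
CLIENT = "02:11:22:33:44:55"

SAMPLE_CAPTURE = [(0.0, build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP_A, AP_A))]
SAMPLE_CAPTURE += [
    (1.0 + i * 0.05, build_mgmt_frame(DEAUTH_SUBTYPE, BROADCAST, AP_A, AP_A, b"\x07\x00"))
    for i in range(25)            # 25 broadcast deauths in 1.2 seconds, reason code little-endian
]
SAMPLE_CAPTURE.append((3.0, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP_B, AP_B, b"\x03\x00")))

if __name__ == "__main__":
    for bssid, count in find_deauth_floods(SAMPLE_CAPTURE).items():
        print(f"possible deauth flood from {bssid}: {count} frames within {WINDOW_SECONDS}s")
```

In a real deployment the timestamps and raw frames would come from a monitor-mode capture (for example via a pcap reader) rather than from the constructed list; the parsing and windowing logic stays the same.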




Now that we have the handshake, let's try to crack the password with aircrack-ng using the rockyou.txt password list that comes with Kali.

aircrack-ng filename-01.cap -w /usr/share/wordlists/rockyou.txt



Phishing to Crack WPA – An Alternative Method

If a password is not in the password list and is unlikely to be brute forced, an alternative is to phish for the password. Using Fluxion, a Linux tool available on GitHub, we can do just that. Two network cards capable of monitor mode are needed for the attack. Once both cards have been selected, specify the target access point. Next, set the attack type to Hostapd and use the aircrack-ng option to get the handshake. This is the same as how I got the handshake earlier, but more automated. Select "Deauth target"; once the handshake is captured, select the check-handshake option and create an SSL certificate. The next steps create the fake login page. Once done, the target network's connected users are deauthed and reconnected to the Fluxion man-in-the-middle network, which presents a phishing login page asking for the WPA key. When they enter a key, it is checked against the captured handshake. If the key is wrong they are prompted to enter it again; otherwise they are allowed back onto the network and we have the key.

I did not attempt this as I would have had to do it on my home network to ensure I had the correct permissions to stay within the scope of this assignment and if anything breaks, I’m the one that fixes it and it is not a realistic test if I pretend to fall for my own phishing attack.


Solutions and Conclusion

Full disclosure: I added the password to the password list, but this was because I simply did not have the time to brute force it, as this would have taken approximately 2.5 days. One issue is that 2.5 days is not a long time for someone who really wants access to a network. There are a few places online (I found a good list on Hak5's forums) that detail how different vendors and manufacturers format their default passwords, which vastly limits the possibilities and makes brute-force attacks much quicker. Using a password that is as long as possible and made of random letters, numbers and symbols makes this kind of attack useless, as it would take even a high-end PC longer to crack than the Earth has existed. Another issue is that people do not change the default login on their routers, and an attacker who gets onto their network is then free to change the defaults and change the passwords if they want.

It is crucial that all passwords are changed and that they are in fact strong passwords. In my opinion the manufacturers and providers should enforce that defaults are changed. Some ship with random login details that are difficult to crack, but I think users need to be educated, and if the system insisted on them changing the passwords and enforced stronger ones, this type of attack would become redundant. It is a trade-off, as companies make products that are user friendly and have minimal setup, but with all the media attention that black hats and state-sponsored hackers have received recently, in my opinion users are more likely to be happy to do this, as it will make them feel more secure.
