HACKING DEFAULT WPA2 PASSWORD

I - INTRODUCTION

The following tutorial demonstrates an attack on a WiFi router left in its factory-default configuration. The wireless network is protected with WPA2-PSK (AES/CCMP). The attack is executed from a virtualized instance of Kali Linux running on VMware, using an Edimax wireless adapter against a TP-LINK wireless router. The objective is to demonstrate the weakness of leaving a device on its factory-default configuration.

II - ENVIRONMENT

  • Operating System
    • Distributor ID: Kali
    • Description: Kali GNU/Linux 2.0
    • Release: 2.0
    • Codename: sana

  • Software Versions
    • Aircrack-ng 1.2 rc2
    • Airodump-ng 1.2 rc2
    • Crunch 3.6
    • Wireshark 2.0.1
    • VMware 12 Pro

  • Wireless Router
    • Brand: TP-LINK
    • Model: TL-WDR3600
    • Frequency: 2.4 GHz
    • Encryption: WPA2-PSK AES

  • Wireless Adapter
    • Vendor: Edimax Technology Co., Ltd
    • Model: EW-7811Un 802.11n Wireless Adapter
    • Chipset: Realtek RTL8188CUS

III - PROCEDURE

1. Monitor Mode (airmon-ng)

By default, a wireless adapter operates at best in promiscuous mode, which only allows sniffing packets on the Access Point (AP) it is associated with. To run the wireless attacks in the aircrack-ng suite, the adapter must be switched to monitor mode with airmon-ng, as shown in Figure 1 below.

Figure 1: Starting monitor mode on a wireless adapter (wlan3)

2. Scan Area (airodump-ng)

Once the adapter is in monitor mode, airodump-ng can scan for all wireless AP traffic within range of the adapter. The ultimate goal of the scans is to capture handshakes between an AP and its clients. Figure 2 below shows the list of detected APs; the number of active APs will vary with the area being scanned. Once the target AP is identified in the airodump-ng output, note down its details (BSSID, channel and ESSID) for the next steps. In this case, the target AP is the first entry in the output list shown in Figure 2.

Figure 2: General airodump-ng scan output

Using the information obtained on the target AP, a more specific scan focused on that AP can be executed. The scan should also be written to disk for later analysis.

Figure 3: airodump-ng with additional filters
  • -c : channel of target AP
  • --bssid : MAC address of the target AP
  • -w : File name prefix to save a capture of the scan
  • wlan3mon : Wireless adapter monitoring interface

3. Handshake (aireplay-ng)

If no clients establish or re-establish a connection with the target AP during the scan, the capture contains no handshake and is useless. In that case, aireplay-ng can help. As shown in Figure 4, given the target AP's MAC address, aireplay-ng sends deauthentication frames to the AP as if the clients had requested them, which disconnects every client currently associated with the AP. The clients then try to reconnect, at which point airodump-ng captures and saves the handshake traffic. As shown in the top right corner of Figure 4, a handshake has been captured.

Figure 4: aireplay-ng deauthenticating the target AP's clients (left); airodump-ng capturing the handshake (right)
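The deauthentication burst described above is also what a wireless IDS looks for. The following sliding-window detector is an added example, not part of the original tutorial; the frames and the BSSID `aa:bb:cc:dd:ee:01` are constructed sample data standing in for a monitor-mode capture.

```python
"""Sliding-window detector for 802.11 deauthentication bursts.

Each frame is a dict with the fields a monitor-mode capture exposes:
"t" (seconds), "type", "subtype", "addr1" (destination) and "bssid".
Deauthentication is management type 0 / subtype 12, disassociation is
subtype 10. Protected Management Frames (802.11w) are the mitigation:
with PMF enabled, clients discard unauthenticated deauth frames.
"""
from collections import deque
BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT, BEACON, DISASSOC, DEAUTH = 0, 8, 10, 12
AP = "aa:bb:cc:dd:ee:01"          # constructed BSSID for the sample capture


def detect_deauth_bursts(frames, window=1.0, threshold=10):
    """Return one alert per BSSID that sends `threshold` or more
    deauth/disassoc frames within any `window` seconds."""
    recent = {}                    # bssid -> deque of (t, addr1) in window
    alerts, alerted = [], set()
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent.setdefault(f["bssid"], deque())
        q.append((f["t"], f["addr1"]))
        while f["t"] - q[0][0] > window:   # drop frames older than window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({"bssid": f["bssid"], "count": len(q),
                           "start": q[0][0], "end": f["t"],
                           # broadcast deauths hit every client at once
                           "broadcast": any(a == BROADCAST for _, a in q)})
    return alerts


def sample_capture():
    """Constructed frames: beacons, one legitimate deauth of a single
    client, then a burst of broadcast deauths spoofed from the AP."""
    mk = lambda t, sub, dst: {"t": t, "type": MGMT, "subtype": sub,
                              "addr1": dst, "bssid": AP}
    frames = [mk(float(i), BEACON, BROADCAST) for i in range(5)]
    frames.append(mk(1.0, DEAUTH, "11:22:33:44:55:66"))
    frames += [mk(2.0 + 0.01 * i, DEAUTH, BROADCAST) for i in range(64)]
    return frames


if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_capture()):
        print(f"deauth burst from {a['bssid']}: {a['count']} frames "
              f"in {a['end'] - a['start']:.2f}s, broadcast={a['broadcast']}")
```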

4. Crack WPA2 / WPA2-PSK

The last step is to crack the captured handshake using a password dictionary. The space of possible passwords is effectively unbounded, so it is wise to gather as much information as possible about the target AP; this can significantly reduce the number of candidates that need to go into the dictionary. If the router still uses its default password, the candidate set can be narrowed considerably. As shown in Figure 5, one method is to open the captured handshake file in Wireshark and extract the router model from the "Vendor Specific" tag. The next step is a quick Google web/image search to determine the characteristics and patterns of the default passwords used for that model.

Figure 5: Wireshark view of handshake capture

Using the above method, we determined that this model appears to use an 8-digit, all-numeric default password. The next step is to build a list of all 8-digit numbers using Crunch, a word-list generator, as shown in Figure 6. Given the minimum and maximum length and the character set to include, the tool builds the list and saves it to a file.

Figure 6: Generating word list using Crunch

The final step is to crack the password using the generated dictionary. As shown in Figure 7, once the parameters below are supplied, aircrack-ng starts cracking. The process can take anywhere up to several years depending on the size of the dictionary and the complexity of the password.

Figure 7: Start cracking the password using dictionary attack
  • -w : password list (the one generated by Crunch)
  • -b : MAC address of the target AP (highlighted in Figure 4)
  • SecureNetworking-02.pcap : capture file containing the handshake

In this attack, aircrack-ng took 3 hours and 3 minutes to crack the Wi-Fi password (Figure 8). Kali Linux was running in a virtualized environment with the minimum hardware requirements; with the full potential of the hardware and software, and with additional GPUs, the cracking time could be reduced significantly. As this tutorial demonstrates, default passwords are a serious security vulnerability, and it is strongly recommended not to keep a device's default security configuration.


Figure 8: Cracked password
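The reason the 8-digit pattern found in the Wireshark step is fatal: the per-guess cost of WPA2-PSK is fixed by the standard, so the keyspace is the only defence. The following is an added example, not from the original tutorial; `wpa2_pmk` is the standard 802.11i derivation, while `ASSUMED_GUESSES_PER_SEC` is an assumed figure for the time estimates, since the page reports only the 3 h 3 min total and not a guess rate.

```python
"""Keyspace versus per-guess cost for a WPA2 pre-shared key.

wpa2_pmk() is the standard 802.11i derivation (PBKDF2-HMAC-SHA1, 4096
rounds, SSID as salt, 256-bit output): that is the fixed work a
dictionary attack spends per candidate, so the only real protection is
the number of candidates. A factory PSK whose pattern (8 digits) is
known from the router model leaves 10**8 of them.
"""
import hashlib
import math
import string

# Assumed benchmark for the time estimates (constructed figure, not from
# the page; measure your own hardware). The page only reports 3 h 3 min
# for the 8-digit list on a minimal VM, not the guess rate.
ASSUMED_GUESSES_PER_SEC = 10_000

CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)


def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """Pairwise Master Key exactly as IEEE 802.11i defines it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def keyspace(passphrase: str) -> int:
    """Candidates an attacker who learned only the *pattern* (length and
    character classes, as in the Wireshark/vendor-lookup step) must try."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return alphabet ** len(passphrase)


def assess(passphrase: str, rate: int = ASSUMED_GUESSES_PER_SEC) -> dict:
    """Entropy of the pattern in bits, worst-case exhaustive-search time in
    hours at `rate` guesses/s, and whether it looks like a factory default."""
    ks = keyspace(passphrase)
    return {"keyspace": ks,
            "bits": round(math.log2(ks), 1),
            "hours_to_exhaust": ks / rate / 3600,
            "factory_like": passphrase.isdigit() and len(passphrase) == 8}


if __name__ == "__main__":
    # "12345678" stands for any 8-digit factory pattern; the second is a
    # constructed 12-character random passphrase for comparison.
    for pw in ("12345678", "j7Kq2m!xR4vL"):
        r = assess(pw)
        print(f"{pw!r}: {r['bits']} bits, {r['hours_to_exhaust']:.1f} h "
              f"to exhaust, factory-like={r['factory_like']}")
```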
