CompTIA Pentest+ PT0-002 – Section 9: Wireless Attacks Part 3

78. WPA/WPA2 Hacking (OBJ 3.2)

In this lesson, I’m going to demonstrate how to use a dictionary attack to crack the pre-shared key in a WPA/WPA2 protected network. To do this, I’m going to use the Aircrack-ng suite of tools to penetrate this wireless network. First, I’m going to put my network card into monitor or promiscuous mode by using airomon-ng. That way, I can capture all the traffic being said on a particular network, regardless of whether or not it’s addressed to my wireless card. Second, we need to find the WPA/WPA2 enabled network in range that I’m going to want to capture the traffic for using airodump-ng. Third, we’re going to capture the network traffic to a PCAP file using airodump-ng so that we can later conduct offline cracking of that network traffic to be able to get the password. Fourth, we’re going to use aireplay-ng to conduct a de-authentication attack. This will kick the wireless client off the network and have them try to reconnect to the network which generates numerous handshakes that we can then capture. And fifth, we’re going to use aircrack-ng to attempt a dictionary attack against those handshakes that we in the PCAP file. This way, we can try to find the pre shared key and display it in plain text. Now, since I own this particular WPA2 encrypted network that we’re going to attack, I already know the password is Dr@g0nBr3@+h. This is normally a fairly secure password. You can see it uses a mixture of uppercase and lowercase letters, numbers, and special characters, and it’s 12 characters in length. So normally we would say this is a good or strong pre-shared key. Unfortunately, this password does exist in the word list that I’m going to use during this demonstration, which is called rockyou.txt. Because of the fact that this password is in that list, it’s just going to be a matter of time before we’re able to crack this network and identify the plain text version of the pre-shared key, as you’re going to see shortly.

Remember, for the exam, you are not expected to know how to conduct this attack or any other wireless networks attacks. So don’t try to memorize all the commands I’m using here. Instead, you should know what each part of the Aircrack-ng tool set is going to be used for. For example, Airomon-ng is used to set your wireless network adaptor into monitor or promiscuous mode. Airodump-ng is used to monitor the wireless frequencies, identify the clients and access points, and capture network traffic, and save it to a PCAP file. Aireplay-ng is going to be used to conduct our de-authentication attack by resending spoofed deauth request from the client to the access point. And Airocrack-ng is going to be used to conduct the dictionary attack against the capture WPA2 handshakes, so we can determine the plain text version of that pre-shared key that’s protecting the WPA2 network. All right, let’s jump into the lab environment and walk through these steps. So the first thing we need to do is go back into our terminal, we’ll expand that, and we got to check and see if our card is in monitoring or access point mode. And so we are going to go ahead and do iwconfig, and you can see here it is in managed mode, which means it’s looking for an access point. So what we’re going to want to do is turn that into monitor mode. And we do that through airmon-ng start wlan0. And here we go. It’s going to go ahead and kick that card into wireless mode, or into monitor mode, and it should become wlan0mon here in a second. And we’ll verify that by doing an iwconfig once more. And you can see right here, we are now out in monitoring mode, which is perfect.

The next thing we need to do, is we need to find that network we want to attack. And if you remember the way that we did that before is we used Airodump-ng. And so we just do airodump-ng and then we put in wlan0mon, and up to the screen we should start seeing the access point. And the access point we want is this wireless hacking WPA2 right here. And so what I need to do is copy that. I’ll go ahead and cancel that so it’ll stop scrolling on us, but we need to copy that access point right here, and we need to know what channel it’s on which is channel one. Now, do we see anybody connecting to 28:C6 station? Well, yes we do right here. We see there is something connecting to it, and that actually is my iPhone. We’re going to need that because what we’re going to do is send a deauthorization command to that iPhone which will kick it offline for a second, and then when it re-connects, we’re going to capture that handshake to a file, and then we’re going to compare offline that file handshake to our passwords to crack the password. So, now what we want to do is we want to capture all the data going to that network into a file, and then we’re going to send a deauthorization attack. So the first thing we’re going to do here is I’m going to scroll this screen down just a hair, and make it so that we have a little bit more room, and we’re going to actually create a second terminal window because we’re going to need it in a second. Okay. So now we’re going to go ahead and capture ourself to a file. So we’re going to do airodump-ng wlan0mon. We’re going to do -c for the channel, channel 1 –bssid, paste in the MAC address, and then –write, and the file name, which is going to be WirelessHackingWPA, and then hit Enter. It’s going to go ahead and start capturing that to a file, and you can see it’s capturing that iPhone traffic. It’s got just a couple of frames, and it’s not really moving anywhere. So we can either sit here and wait for somebody to connect to the network and capture it, or we can force a connection.

And that’s what we’re going to do here by using a deauthorization. So we’re going to send a deauthorization, and the way we’re going to do that is use aireplay-ng. We’re going to use –deauth, and then 0, which is how many deauthorization packets we want to do. In this case, we’re just going to send an unlimited amount until I tell it to cancel, -a and the access point. So we’re going to copy the access point we’re targeting, and then we’re going to use -c for the client that we’re going to disconnect from that network, so we can capture the handshake when that iPhone reconnects, and then we’re going to do wlan0mon, which is the interface card, and we’ll hit Enter, and off it goes sending deauthorizations. And so we have captured it. We’ll hit Cancel. We sent about six or seven there, that’s enough for the handshake. So at this point, we can go back to the original monitoring and go ahead and cancel it. So now we can make our screen full screen again. We’ll go ahead and clear the screen, and let’s do an LS. And here you can see we have that capture file that we just captured. Now in there should be our handshake. So we’re going to use a program called aircrack-ng ’cause everything is part of the Air-ng suite. And the file we’re going to use is this WirelessHackingWPA-01.cap file, which is the capture file. Now, if you put -w, you’re going to specify the word list, if not, it’s going to attempt doing something like a brute-force attack and it’s just going to take you forever.

So when we do this -w, we’re going to put in the word list and the word list we’re going to use is in /usr/share/wordlists/rockyou.txt. So when you have your full command there, aircrack-ng, the name of the file you want to attack where the handshake is captured, w and where that word list is located. Go ahead and hit Enter. You could see it’s 9:28 p.m. here. Let’s see how long this takes. Off it goes, cracking away. We’re cracking about 830 keys per second. And it says it’s going to take us three hours. Well, right now it already found it. It found it in just a couple of seconds there you saw. It only had to go through 5,000 keys until it found the particular key we wanted which was Dr@g0nBr3@+h and there it is right there. It went through about half of 1% of that entire word list. That word list had over 14 million keys, and we put it in at about the 15,000 key mark is the line that we put it in. So you see how quickly that can work if your key is in the right place in the file. Now, if that key was number 14 million, it would’ve taken us probably three or four hours to find it. Now, if the key wasn’t in any of those 14 million, we never would’ve cracked this key. And so it’s really important to make sure that you have a good word list, and to realize that you’re not going to crack every network out there. Now, why is that important? Because from a security standpoint if you’re running the network, you have to have a long complicated password, because if you don’t, someone is going to crack your network very quickly and very easily using the tools that we just showed you in this example.

79. WPS PIN Attacks (OBJ 3.2)

So what is WPS? Well, WPS was something that was done to save users time and effort of configuring their devices. It stands for WiFi Protected Setup. Now, there’s some flaws inside WPS, and we can exploit that to be able to get onto a WPA or WPA2 network without having to even crack the password. So the way WPS works is there is usually a button on your router or a pin number on your router associated with it. And what you would do is you would push that button and then you would tell your device to configure, and it would automatically find the router and configure itself for that network. And when it does that, it uses a pin code and it’s an eight-digit pin code that it uses to be able to connect to this network. So once you push the button, it actually does the self-configuration between the device and the endpoint, and you can actually set up your wireless networks this way very quickly and easily, which is great for operations but is very bad for security. Now, the reason it’s bad for security is because if somebody can touch your router ’cause you’re in your business, they can get on very quickly and that requires some social engineering.

Now we can do some attack against that WPS settings as well to guess the pin number. The great thing about this WPS from a security vulnerability standpoint, if you want to call that great, is that there’s only seven digits to the pin because the eighth digit is reserved as a checksum. So it’s a fairly easy computation to guess all those digits and be able to guess the pin number because you only have 10 to the 7th options here. So you really only have less than 10 million passwords, which sounds like a lot, but for a computer that’s pretty quick. Now the other flaw that’s inside of WPS is that when you guess a password, for instance, if I guess the number 5682283, it would go back and say, “Ah, you got that wrong because those first four digits were wrong.” But I can keep guessing those first four digits and it will eventually tell me, “Oh, you got the right first four digits.” And now I only have to guess the last three digits because the way it actually passed the password, or the passcode here, was it broke that seven-digit number into two, a four-section and a three-section, which makes this an even easier problem to solve. Because if I only have to go for four digits to get it right the first time, well that’s only 10,000 options.

And then those last three are only 1,000 options. So it makes the problem very quick to solve if you start going against a WPS enabled network. For this reason, a lot of newer networks, people will turn off their WPS, but in a lot of consumer-grade and small business environments, WPS is still enabled. Why? Because it makes configuring networks easy, and people like easy. So they set this up, they leave it up, and it makes it really simple for us as attackers to be able to get on these networks as you’ll see in the demonstration. What we’re going to do here is work against that eight-digit pin. Now the last digit of that is actually a checksum so we only have to calculate the first seven digits. And if you remember, I talked about that this breaks it up into four digits and then three digits. So it’s only a 10,000 and 1,000 combinations we’re looking at, so it shouldn’t take too long. Now the biggest detriment here is as we go through it and hack it is the program we use here, which is called Reaver. It actually will have to wait about five seconds in between each attempt. Now by doing that, that is going to slow us down. and if it’s a very high number pin, it could take all night for us to crack. So we’ll just let it run. I’ll pause the video and we’ll come back, depending on what the passcode is on this particular router. The first thing we need to do is see if our card is in monitoring mode.

So we’ll do that by doing iwconfig again. And we can see here that it’s actually in access point mode. So we are going to use airmon-ng start and then wlan0, which is the name of this wireless card. We’ll hit Enter and that card will get turned into monitoring mode. Now from the prompt, we’ll verify that by iwconfig and you can see that card is now in monitoring mode ready to do our bidding. So we’re going to clear our screen to bring us back to the top and we’re going to use a program called Wash. And if you do -h, it will show you all the commands that are there for Wash. There’s two required arguments. You have to have an interface, and if you want the the packets be read from a capture file, you use -f. Now we’re going to do a live scan so we’re just going to use wash -i and then wlan0mon. just like it shows in the example here. And you’ll see that it will start scanning our wireless networks. Now this works very similar to airmon. The big difference here is that this one is really focused on WPS. You’ll notice it has a lot less information. We do have our MAC address right here of the access point. It’s on channel 1, it is using WPS version 1, and it is not locked, which means it is vulnerable to this attack, possibly.

So now that we’ve gotten the information we need, we can hit Control + C, get us to the prompt, and we’re going to use a program called Reaver. so I’m going to clear our screen and we’re going to look at Reaver. reaver -h is going to show you the help file. Now Reaver is a WiFi Protected Setup attack tool that will allow us to go against WPS and guess that pin. It’s going to do that by doing a brute force attack. It’s going to start with 12345670 and go from there. So we’re going to have to give it a interface, which is our wlan0mon. We’re going to give it our base station’s MAC, that dash-b and then the MAC we just copied. And we can leave it at that, and it’ll just start scanning right from there. We can do that and see what’s going to happen. So we’ll let’s start with that. So to conduct this attack, we’re going to use reaver -i wlan0mon -b, the MAC address of our card, vv, which is verbose mode, and then -K 1 just like the example which is going to be using this option, this pixie dust, and we’re going to use version 1 here. And we’ll hit enter and see if it can crack our password. Now, if you noticed, I’m going to hit Control + C here, you’ll see that it keeps trying the same pin. This is a function of the way that this router that we’re attacking is responding to these NACK. So what we’re going to do is we’re going to go back here to the help. So ready to type in our command. What we’re going to use is reaver -i wlan0mon, the base station, -b, paste in that terminal ID, -vv for verbose. And then we want to use no NACKs because as you saw in the last example, that NACK was just causing all sorts of problems for us. We’re going to do -N, which we’ll do no NACKs, which is no acknowledgment messages. And that way it’ll keep going and we’ll get different pins each time. So we’ll see if that works. And here we go, the first pin is 1234567, the next one is different. You’ll see that these pins are changing here. So now we’re going through, we’re on the sixth pin, the seventh pin. I’m going to let this run, and when it finds one, I’m going to come back to this video because I don’t want you to sit here for what could be possibly several hours.

As you see right now, it is 5:52 my time. We’ll see what time it is when we come back and this thing has solved its problem. So you can see that it took a long time to find this pin. In fact, it tried over 10,000 combinations until it finally found it. Now, when it did find it, it did take us about 3 1/2 hours. Notice here that the pin was cracked in 12,338 seconds, and the pin that we got was 21088612, shown here at the bottom. But if we have just that pin, can we connect to the network? Well, certainly, we can use WPS and we can connect to the network. But, really, we’d like to know what the password is as well. And so we’re going to use a tool called Bully to take that pin, connect to network and figure out what the password is. So, first thing I’m going to do is I’m going to clear my screen and bring us to the top. I’ll go ahead and copy that pin number first and then we are going to clear our screen. Okay, so now that we found the pin, what we’re going to do is we are going to clear the screen and we are going to look for that network again, and we’re going to try to connect to it one more time, this time using the pin. So what we’re going to use is wash -i wlan0mon, just like we did before.

And notice we now have this BSSID, which we’re going to need. So the next thing we’re going to do is we are going to use a program called Bully. And the way Bully works is if use bully -h, you can see here that Bully is going to allow us to give it an interface and give it some options. We’re going to use the -b option, which is the MAC address for that target access point that we just got above, and we’re going to use the -p option and give it a pin number because we know the pin number from what we just did with Reaver. So what we’re going to do here is I wrote down my pin number, which was 21088612. And I’m going to copy this BSS ID so that I don’t have to type it out ’cause that’s a longer thing to type out. So what we’re going to do is we’re going to use bully -b for the access point and paste in that MAC address. Then we’re going to use -p for the pin number. And although we got an eight-digit pin, the pin number itself only needs to be seven digits. That eighth digit is actually a checksum.

So we’re only going to give it seven digits, leave off the last digit, and then we’re going to use the interface, which is wlan0mon. And hit Enter and away it’ll go. So there we go, it found it immediately. You could see here, it has the pin number calculated fully with the last digit, the 2. And it did find the key, Dr@g0nBr@+h, which is the password. We do have the access point we attacked and the name of the access point we attacked. And so now, just because we had WPS, this did take us three to five hours, in our case 3 1/2 to find this pin number. But once we have that pin number, we’re able to reverse engineer that by connecting to the access point and getting that password. And now simply using that password, we can connect to the access point with no issues. Now the great thing about this is that if somebody has WPS enabled, often they’ll remember to change their password, but they won’t remember to change their WPS code. In fact, a lot of times the routers don’t even allow you to change the WPS code. So I can go and change Dr@g0nBr@+h to whatever I want, and no matter how long the password is, if I still have that pin number, I can run this.

And you saw, it took just a couple of seconds for Bully to connect to it using that known pin and come back with a password. This makes our life very, very simple. So using these three tools: Wash, Reaver, and Bully and just a couple hours, you’re able to have the password that you want for that particular network. So I hope you enjoyed this quick tutorial on how to crack WPS or WiFi Protected Setup. Now, what can you do you to secure other networks from this threat? Well, if you have the option on your router, turn off WPS. Although it’s great from ease of use of connecting new clients by only having to type in those pin numbers, it is really, really bad for security as you saw here. This attack works each and every time. There is no known mitigation to stop this type of an attack. It’s just a matter of how long it’s going to take you to go through that entire key space of 11,000 keys, in our case about 3 1/2 hours. Now, if you want to stop this completely, the only mitigation there is, is turning off WPS, which really isn’t even a mitigation ’cause you’re taking away the service. But by taking away that service, you’re going to prevent anyone from using this against you.

80. Evil Twins (OBJ 3.2)

In this lesson, we’re going to focus on the use of evil twins as part of an attack. An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but it’s actually set up to eavesdrop on wireless communications. As a network defender, if you find one of these in your network, we usually categorize these evil twins as rogue access points. Now let’s take a quick look at how an evil twin attack might work. Let’s pretend I’m conducting an engagement against Big Corp’s network. To conduct the attack, I might park my car at the parking lot next to their building. And then I’ll configure a wireless access point with the name of their wireless network, like BigCorpWi-Fi. Now, I need to get their employees to connect to my wireless access point that I called BigCorpWi-FI instead of the official wireless access point, known as BigCorpWi-Fi which are using the same name. Now to do this, I want to ensure that I’m broadcasting at a higher power level than the official wireless network. And I’m then going to conduct a de-authentication attack against any client’s who are connected to the official BigCorpWi-Fi. When those devices attempt to reconnect to BigCorpWi-Fi, their network adapters are going to see my wireless network using that same name and a higher power level and stronger signal, so they’re going to connect to me. Once connected to my access point, I can provide them with internet access so they can still conduct their normal business operations.

But the entire time they’re doing that, I am now in a position to capture all of their network traffic as it’s passing through my wireless access point. For example, if the user is browsing an unencrypted website or email account, I can then intercept those transmissions, change the details, or simply record all their information to a PCAP file for later analysis. This can be a great way to conduct credential harvesting because you’re going to see any usernames and passwords that are being transmitted to the websites because you’re acting as a relay for this entire communication session. Another method used to get victims to connect to an evil twin or rogue access point, is to use a KARMA attack. Now, the KARMA attack was first documented back in 2004 and it’s considered a variation of the evil twin attack. In a KARMA attack, the behavior of Wi-Fi devices is going to be exploited, due to a lack of access point authentication protocols being properly implemented. In a KARMA attack, a vulnerable client, is going to broadcast its Preferred Network List which is known as the PNL, just like it normally would.

Now the Preferred Network List is simply a list of all the SSIDs of any access points that that device has previously connected to and will automatically connect them to those networks when they’re in range. Now, if you use the “Remember This Network” setting when you connect to your home or office Wi-Fi, the SSID of your home or office’s access point is going to be added to your Preferred Network List. To execute the KARMA attack, you simply need to listen for any PNL’s broadcast that are happening from a device that’s trying to find a network that it already knows and trusts. Then your access point needs to change its SSID to match one of the SSIDs in the Preferred Network List. This will allow the device to connect to your access point and your access point has now become an evil twin. Now, this sounds a lot like evil twins, right? And the real big difference between a regular evil twin and the KARMA attack, is that with a KARMA attack, your device is going to pick an SSID based on the trusted SSIDs listed in a given devices Preferred Network List broadcast. With a regular evil twin attack, you’re simply picking out an SSID that you think the client is going to be willing to manually connect to, based on the name or their familiarity with that SSID name.

For example, I often see evil twins and rogue access points set up at airports. As you walk around the airport searching for Wi-Fi, it’s really common to see SSIDs like SJUFreeWifi or JetBlueFreeWiFi or things like that. This Wi-Fi network could be set up by an attacker to simply gather credentials and other sensitive information from unaware travelers who are simply looking to connect to a free wireless network. Often attackers will use a captive portal in conjunction with an evil twin. A captive portal is a webpage that a user of a public access network is obligated to view and interact with before they get full network access. When using a captive portal, an attacker will often ask for something like the user’s Facebook credentials or Google credentials to access that given wireless network. Since these two are commonly asked by legitimate websites as a form of third party authentication and authorization, many victims will enter those credentials to gain access to what they believe is a free to use wireless network. Unfortunately for them, the attacker is now collecting their information and can use that during other attacks too. Now, there are many different tools you can use to conduct an evil twin attack. If you want to set up a captive portal, you can use a tool like ESPortalV2 which is a great piece of software for setting up your captive portal and redirecting all Wi-Fi devices, that connect to a particular access point, over to your portal for authentication. This way, you can set the portal to look like the hotel, an airport, a coffee, shop, a restaurant, whatever you want, and then collect information.

This is one of the reasons why we always tell our users they need to use a VPN whenever they’re connecting to a wireless network outside of a trusted area like their home or office, because otherwise they could be victim to an evil twin attack using a captive portal. Now, if you want to set up a regular evil twin without a captive portal, you can do that using a tool known as Wifiphisher inside a Kali Linux. If you perform a lot of wireless network engagements though, I highly recommend you invest in a hardware device, known as a Wi-Fi Pineapple. The Wi-Fi Pineapple is a device that can be used to automate Wi-Fi auditing with different types of campaigns and it’ll even create vulnerability reports at the conclusion of your engagement. For example, you can create a KARMA attack, an evil twin attack, and captive portal attacks easily using a Wi-Fi Pineapple because it has a very simple and easy to use web interface. These devices are all self-contained too and they run an embedded version of Linux with all the tools already installed and configured that you might need when conducting wireless network engagements.

• Category: Uncategorized