Jump to content
Nytro

How to crack WLAN - WPA/WPA2 pre shared keys

By Nytro, in Wireless Pentesting

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Sunday, January 8, 2017

How to crack WLAN - WPA/WPA2 pre shared keys

 
To crack WPA/WPA2 pre shared keys may not so difficult as many people think.

When an client authenticates at the router, there is a 4-way handshake between router and client, to handshake a session key, which must be recorded with a simple WLAN sniffer. The messages are called EAPOL.

Here I described how to setup a simple sniffer with a raspberry pi-2
http://blog.x1622.com/2016/12/how-to-setup-rasperry-pi-2-model-b-for.html

So, the only task to do is to record  all the traffic until one of the 4-way handshake gets recorded. In WIRESHARK there exists a display filter called "eapol".

In my test case, I opened a WLAN called darkqueen with a simple numeric password 19042001
 
wire.JPG

I authenticated with a mobile device and captured the handshake. In my example I did it more than one time but capturing a complete handshake (1-4) is enough.
I stopped capturing and stored all data in a standard wireshark pcap format. You can store all data or mark the EAPOL lines.

The standard PCAP file cannot be used direct with HASHCAT. The file has to be converted to hccap format. Here is a description about the different possibilities to do that.
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
It can be done online, or locally using AIRCRACK suite.
 
convert%2Bhccap.JPG

I took the hccap file to a single machine with an old GPU (~50 Dollar) I got from sons old gaming PC.
 
gpu.jpg
 

I started HASHCAT and for eight digits (WPA passwords minimum length is eight) and HASCAT calculated a maximum time of 50 minutes.
found0.PNG

After few Minutes HASHCAT cracked the password of darkqueen => 1904001
 
found.PNG

In this POC ist was simple because I used a weak WPA2 key. If it's more complex it may take much more time. In this case, there is also the possibility to pre calculate a rainbow table if the name of the accesspoint is known. Therefor COWPATTY can be used http://tools.kali.org/wireless-attacks/cowpatty 
 
 
  • Upvote 8

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...