Wpa wpa2 wifi password

Wi-Fi password hack: WPA and WPA2 examples and video walkthrough

Passwords that are long, random and unique are the most difficult to crack. But humans tend to use weak passwords made up of familiar phrases and numbers. Mike Meyers demonstrates just how easy it is to hack a weak Wi-Fi password in this episode of Cyber Work Applied.

How to hack WPA and WPA 2 Wi-Fi

Infosec Skills author Mike Meyers demonstrates a Wi-Fi WPA key hack in the video below. He uses Aircrack-ng and Airodump-ng to access 802.11 WPA and WPA2 connections.

Wi-Fi password hack: How to hack into WPA Wi-Fi and WPA2 | Free Cyber Work Applied series

Cyber Work listeners get free cybersecurity training resources. Click below to see free courses and other free materials.

Wi-Fi hacking examples and walkthrough

The edited transcript of the Wi-Fi password hack walkthrough video is provided below, separated into each step Mike covers in the video.

WPA and WPA2 security

(0:00- 0:24) WPA and WPA2 are very good encryptions. If you’re using WPA, you’re using RC4, but you’re using TKIP with that. If you’re using WPA2 while you’re using AES with CCMP, then you are not going to be able to crack these passwords, except for one little problem.

Problem with WPA and WPA2

(0:25- 1:35) The problem is that the initial connection between a wireless WPA or WPA2 client to an access point has what we call a four-way handshake. Not that many years ago, there was a small weakness discovered in this four-way handshake that allows us to do something very interesting.

Now, I need to be careful here. When you’re cracking WEP, you can mathematically derive the password just by looking at packets. You can’t do that with WPA and WPA2.

With WPA and WPA2, think more instead that you’ve got this guy who’s really good at turning the numbers on a bicycle lock and then pulling on it. So you can go up to this guy and say, “Hey, try 0000,” and he could do that real quick and pull on it.

If you wanted to, you could tell this guy, start with all zeros and then just keep going and go to 9999. Now, if there were only 10,000 different permutations that would work great. But with WPA or WPA2, take that same bike lock analogy and turn it from four digits to like 128 digits. So it would take that guy, even if he was fast, a very, very long time to go through all these.

Humans use weak passwords

(1:36- 2:15) Luckily for us, we know that human beings don’t use good, randomized, long passwords. We know that most human beings are going to use a phrase and then a number. Or their pet’s name and then the date they were born, or the number of kids they have and their wife’s name and the date that they got married. Little, simple, things like that.

And if we know that, we can tell the guy who’s spinning on that bicycle lock, “No, no, no. Don’t start at the zeros, just try all of these first.” So we’ve got to give this WPA, WPA2 cracker what we call a dictionary file.

What is a dictionary file?

(2:16- 3:07) Now, a dictionary file is nothing more than a big text file full of tens of millions of different types of permutations of well-known words, numbers and all kinds of different things. Now you think, “Whoa, tens of millions.” Well, compared to 128th power stuff, at 10 million even my laptop, give it a day, could knock all that stuff out. So it makes a big difference.

Here’s what we’re going to be doing with WPA and WPA2. We’ve got a whole bunch of packets. What we’re going to grab is those four-way handshakes when people start to connect. Using that, we can derive the passwords by using a dictionary file. Basically saying, “Try all these, and if people use it, then we’re going to have them.” So let’s go ahead and let me show you how the setup works this time.

Setting up the Wi-Fi hacking demo

(3:08- 4:26) So I’ve got my same wireless access point. Now, he’s still set to WEP at this moment. So we’re going to change him to a regular, old WPA-PSK, and get him up and running.

We’ll put a really weak password on here, then we’re going to go back over to the Kali box and in this case, what we’re going to do is we’re still going to monitor the traffic, but we’re just going to wait for somebody to authenticate, and we got them. We’ll run the cracker, and with luck, since it’s a weak password, we’re going to be able to get it pretty easily.

So let’s take a look at the setup. All right, so let’s go over here, and first of all, instead of calling it a NOTSECUREWEP, let’s call it NOTSECUREWPA.

The next thing I’m going to do is go over to Wireless Security, and we’re going to take off WEP, and let’s go to WPA Personal. This type of attack will work with a WPA or WPA2 personal shared key. So I’ve already got a password here, and I want to keep it.

The password is “timmytimmy,” so it’s a pretty simple password. It’s just a very common word, used twice. So let me go ahead and apply all this, we’ll save it, and we’re pretty much ready to go.

Using airodump to grab WPA connection data

(4:27- 6:29) So this guy is now WPA personal, he has a very simple password of “timmytimmy,” and now what we’re going to do is go over here, we’re going to grab a bunch of data. But in particular, we’re not just grabbing data, we’re looking for handshakes, and that’s where airodump does a great job. Let me show you.

Now, what I’ve got here is I’ve got airodump still running on my screen. If you take a look right here at the top, you’re going to see there’s NOTSECUREWPA. You can even see that it’s WPA and it’s running TKIP. No great surprise there, and there’s the MAC address for it.

So what we’re going to do now is let’s start airodump, and we’re going to watch for handshakes.

I’m going to put all the stuff that it finds into a file called wpafile, and this guy’s on channel 6, and the bssid is 20:AA:4B:42:43:E8 and we’re going to tell them to listen on wlan0mon.

root@kali:～# airodump-ng -w wpafile -c 6 —bssid 20:AA:4B:42 :43:E8 wlan0mon

So what we’re going to do now is keep watching this and see if somebody comes in.

There it is. Wow! That was really quick. Let’s go ahead and take a look at that file and go ahead and see if we can pull the password out. We can go ahead and turn this off.

Cracking passwords with aircrack

(6:30- 7:31) Let me make sure I’ve got a dictionary file in there.

There it is. Way up at the top, you see the word dictionary? That’s a dictionary file that I’ve created. So to actually go about the cracking, we go ahead and run Aircrack. “a2” means I’m doing a WPA attack on this guy.

I got to tell it where my dictionary file is. It’s right here in the same folder, so I type in “dictionary.” Then I tell it which file I want to crack. In this case, it’s going to be wpafile-01.cap.

root@kali:～# airodump-ng -a2 -w dictionary wpafile-01.cap

Ta-da! There it is, right there.

Weak keys are vulnerable to attack

(7:32-8:17) Pretty easy stuff. Now, you’re looking at this probably saying, “Wait a minute, Mike. You put the right password into your dictionary file.” Yeah, I did. But I did that just to speed up this demonstration. Trust me, there are huge dictionary files, and they got “timmytimmy” in there just as easily.

If you have a weak WPA or WPA2-PSK, odds are good that people will be able to crack it almost as quickly as I’ve done right here.

The right answer is simple. Use long, complex private shared keys when you’re dealing with WPA and WPA2. A lot of people recommend that you don’t use any human words and make sure you use at least 20 characters, which can sometimes be long to remember, but boy, does it make it secure.

More cybersecurity training resources

Check out Infosec’s weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders — plus other free cybersecurity training videos.

Cyber Work listeners also get free cybersecurity resources. Check out the latest free training courses and resources and keep learning!

Источник

Взлом Wi-Fi-сетей, защищённых WPA и WPA2

Автор статьи, перевод которой мы сегодня публикуем, хочет рассказать о том, как взломать Wi-Fi-сеть, для защиты которой используются протоколы WPA и WPA2.

Статья написана исключительно в ознакомительных целях

Аппаратное и программное обеспечение

Я буду пользоваться дистрибутивом Kali Linux, установленным на VMware Workstation.

Кроме того, в моём распоряжении имеется Wi-Fi-адаптер Alfa AWUS036NH 2000mW 802.11b/g/n. Вот его основные характеристики:

• Стандарты: IEEE 802.11b/g/n, USB 2.0.
• Скорости передачи данных: 802.11b — 11 Мбит/с, 802.11g — 54 Мбит/с, 802.11n — 150 Мбит/с.
• Разъём для подключения антенны: 1 x RP-SMA.
• Частотные диапазоны: 2412~2462 МГц, 2412~2472 МГц, 2412~2484 МГц.
• Питание: 5В.
• Безопасность: WEP 64/128, поддержка 802.1X, WPS, WPA-PSK, WPA2.

Шаг 1

Нужно запустить Kali Linux в VMware и подключить к системе Wi-Fi-адаптер Alfa AWUS036NH, выполнив следующую последовательность действий:

VM > Removable Devices > Ralink 802.11n USB Wireless Lan Card > Connect 

Подключение Wi-Fi-адаптера к ОС, работающей в VMware

Шаг 2

Теперь обратите внимание на средства управления Wi-Fi-подключениями в Kali Linux.

Управление Wi-Fi-подключениями в Kali Linux

Шаг 3

Откройте терминал и выполните команду airmon-ng для вывода сведений об интерфейсах беспроводных сетей.

Вывод сведений об интерфейсах беспроводных сетей

Шаг 4

Как видно, интерфейсу назначено имя wlan0 . Зная это, выполним в терминале команду airmon-ng start wlan0 . Благодаря этой команде Wi-Fi-адаптер будет переведён в режим мониторинга.

Перевод адаптера в режим мониторинга

Шаг 5

Теперь выполните такую команду: airodump-ng wlan0mon . Это позволит получить сведения о Wi-Fi-сетях, развёрнутых поблизости, о том, какие методы шифрования в них используются, а так же — о SSID.

Шаг 6

Теперь воспользуемся такой командой:

airodump-ng -c [channel] –bssid [bssid] -w /root/Desktop/ [monitor interface] 

В ней [channel] надо заменить на номер целевого канала, [bssid] — на целевой BSSID, [monitor interface] — на интерфейс мониторинга wlan0mon .

В результате моя команда будет выглядеть так:

airodump-ng -c 6 –bssid 4C:ED:FB:8A:4F:C0 -w /root/Desktop/ wlan0mon 

Шаг 7

Теперь нужно подождать. Утилита airodump будет мониторить сеть, ожидая момента, когда кто-нибудь к ней подключится. Это даст нам возможность получить handshake-файлы, которые будут сохранены в папке /root/Desktop .

Вот как выглядит работа утилиты до того момента, как кто-то подключился к исследуемой сети.

Программа наблюдает за сетью

А вот что происходит после того, как то-то к сети подключился, и программе удалось получить нужные данные.

Получение необходимых данных

Шаг 8

Вы можете пропустить этот шаг в том случае, если у вас уже есть handshake-файлы. Здесь описан альтернативный способ получения соответствующих данных.

Речь идёт об использовании следующей команды:

aireplay-ng -0 2 -a [router bssid] -c [client bssid] wlan0mon 

Здесь [router bssid] нужно заменить на BSSID Wi-Fi-сети, а [client bssid] — на идентификатор рабочей станции.

Эта команда позволяет получить handshake-данные в том случае, если вам не хочется ждать момента чьего-либо подключения к сети. Фактически, эта команда атакует маршрутизатор, выполняя внедрение пакетов. Параметр -0 2 можно заменить другим числом, например, указать тут число 50, или большее число, и дождаться получения handshake-данных

Использование утилиты aireplay-bg

Шаг 9

Теперь воспользуемся такой командой:

aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap 

• -a2 означает WPA.
• -b — это BSSID сети.
• -w — это путь к списку паролей.
• *.cap — это шаблон имён файлов, содержащих пароли.

aircrack-ng -a2 -b 4C:ED:FB:8A:4F:C0 -w /root/Desktop/ww.txt /root/Desktop/*.cap 

После выполнения этой команды начнётся процесс взлома пароля. Если пароль будет успешно взломан — вы увидите что-то, похожее на следующий скриншот.

Успешный взлом пароля

Как вы контролируете безопасность своих беспроводных сетей?

Источник