Wednesday, 2 July 2014

Hacking a WPA encrypted WiFi network

In my article "Hack A WEP Encrypted WiFi In 10 Simple Steps", I mentioned how each data packet carries a part of the network password. There we simply had to gather enough packets, apply permutations and combinations, and we had our password.
Whoever came up with WEP now saw a huge shortcoming in the encryption.
Hence the need for a safer encryption was recognised and WPA was introduced.

Now the data packets no longer carry a piece of the passkey. Instead, the connection between router and computer is authenticated through a WPA handshake.



The diagram (not reproduced here) should explain what the handshake is.

One thing: this illustration is not exactly how it happens. I have tried to explain it in an extremely simple manner.
There are more complicated algorithms and many more components, but basically the network key is used in the encryption process.
This entire exchange is called a WPA handshake.

In WEP our objective was to gather as many packets as possible.
Here our objective is to capture this handshake, which happens only once, when a machine connects to the router.
Once we have the handshake, we have the random string and its encrypted form. With these, we can take candidate passwords from a collection of possible passwords, encrypt the random string with each of them, and compare the result to the captured encrypted string. If it matches, we have our password!

So let's get down to it!

Step 1:
As with WEP network hacking, we have to enable monitor mode so we can receive data from networks without being connected to them.
So airmon-ng will be our first command, to check the interface on which monitor mode is to be started.


Our next command will be airmon-ng start wlan0. This starts monitor mode on the default interface.
We type in airmon-ng once again to check whether monitor mode has been enabled.


Step 2:
Remember to use macchanger before you start sniffing or hacking.
If you don't know how to, click here and scroll down to where the macchanger command is mentioned.
The next step is to sniff all networks in the vicinity and decide on the one you want to hack. For this, type in airodump-ng mon0.




This is what the command yields.

Step 3:
We choose the wireless network to attack. Here I choose the network with name sweetps and MAC address 64:66:B3:AC:9A:36 (I can see this is a WPA network).

In the Konsole, we now write the following command:


Here, -c specifies the channel, -b specifies the BSSID (the MAC address of the router you're trying to hack), and -w tells airodump-ng to write all information gathered into a file called WPAcrack, or any other filename you'd like.

This is what we see when we press enter:


Step 4:

As mentioned earlier, all we need is the WPA handshake to hack the network. The problem is that this handshake occurs only when a computer successfully connects to the network.

So do we wait until someone comes along, types the correct password and gives us the handshake?
Nah. Since we all have "automatically connect when in range" set on our devices, as soon as a device comes within range of a known WiFi network the handshake occurs and the device connects. What if we could forcefully disconnect all connected users so that all of them try to reconnect, thus presenting us, nicely gift-wrapped, with the handshake!

We can! How?
Let the previous window run. Open a new Konsole window and go on.


Here aireplay-ng is used:
-0 selects a deauth attack (disconnect),
30 is the number of times the attack will run (I've run it 30 times; you can run it as many times as you want),
-a is the MAC address of the router whose clients we want to deauthorise, and
mon0 is our monitor interface.

Press enter, and this is what you see:

Count and you'll see that the deauth attack ran 30 times.

Step 5:
Now if we switch back to the airodump window, we see a new addition!
In the top right corner of the console we see this:


WOOOOHOOO!
When we successfully deauthorised all clients of the router, at least one tried to connect back, giving us the handshake!

Step 6:
Now what!?
Over to aircrack-ng.
This is what we type:

This is where the concept of a dictionary comes in.
As you read earlier in this article, we need a dictionary of keys to hack WPA.
A dictionary is basically a collection of possible passkeys, which aircrack-ng will use one by one to encrypt the random string and compare the result with the captured handshake.
Here, -w specifies our dictionary. Mine is called WPAdictionary.lst,
-b specifies the MAC address of the router being hacked,
and at the end we specify the name of our .cap file, which holds all the data we captured through airodump-ng.

Step 7:
Now you wait while aircrack-ng picks up each phrase/word from your dictionary, applies it to the handshake data, and checks for a match.


If the key exists in your dictionary, this is what will make you jump for joy!


Security Tip:
WPA is virtually unhackable by this method unless you have an excellent dictionary, i.e. one that actually contains the passphrase.
It is very common for people to use their phone numbers and birthdates as passwords. Making dictionaries of this data is extremely simple!
Use passwords that are a mix of numbers, letters and special characters. They are highly difficult to crack.
You can also check how strong your password is here.
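To show why the dictionary quality decides everything, here is an added example (my own code, not part of the original post or of the aircrack-ng suite). WPA/WPA2-PSK derives the 256-bit Pairwise Master Key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, so every candidate in a dictionary costs 4096 HMAC operations before it can even be compared with the handshake. The script times that derivation on one CPU core and then estimates how long exhausting a few password families would take: 10-digit phone numbers, birthdates written as DDMMYYYY, and passphrases mixing letters, digits and symbols. The SSID "sweetps" is reused from the article as a label; the date range and the 94-character alphabet are my own assumptions, and nothing here touches a real handshake.

```python
import hashlib
import time
from datetime import date

# WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
# as specified in IEEE 802.11i. Each dictionary guess must go through this
# derivation, which is what makes one guess comparatively expensive.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> str:
    """Return the hex-encoded PMK for a passphrase/SSID pair."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                              PBKDF2_ITERATIONS, PMK_LEN)
    return pmk.hex()


def measure_guesses_per_second(ssid: str, samples: int = 200) -> float:
    """Benchmark PBKDF2 on this machine to estimate how many candidates one
    CPU core could derive per second (constructed benchmark, not a cracker)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"guess{i:08d}", ssid)
    return samples / (time.perf_counter() - start)


def phone_number_keyspace(digits: int = 10) -> int:
    """Number of candidate passphrases made only of `digits` decimal digits."""
    return 10 ** digits


def birthdate_keyspace(first_year: int = 1900, last_year: int = 2014) -> int:
    """Number of distinct calendar dates (one DDMMYYYY candidate each) in the
    assumed year range."""
    return (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1


def mixed_keyspace(length: int, alphabet_size: int = 94) -> int:
    """Candidates for a `length`-character passphrase over an assumed alphabet
    of 94 printable ASCII characters (letters, digits, symbols)."""
    return alphabet_size ** length


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the measured rate, in years."""
    return keyspace / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    rate = measure_guesses_per_second("sweetps")  # SSID name taken from the article
    print(f"about {rate:,.0f} PBKDF2 derivations/second on one core")
    families = [
        ("10-digit phone number", phone_number_keyspace()),
        ("birthdate DDMMYYYY 1900-2014", birthdate_keyspace()),
        ("8 mixed characters", mixed_keyspace(8)),
        ("12 mixed characters", mixed_keyspace(12)),
    ]
    for label, space in families:
        print(f"{label:>30}: {space:.3e} candidates, "
              f"{years_to_exhaust(space, rate):.3e} years single-core")
```

The phone-number and birthdate families are tiny (ten billion and about forty-two thousand candidates), so even a single core finishes them in a reasonable time and a GPU rig does so in minutes; the mixed-character families are larger by many orders of magnitude, which is the whole point of the tip above. The PBKDF2 function is checked against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").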


You can make dictionaries by adding keys one by one to a text file, or you can download ready-made dictionaries.
You can also use a utility called crunch, which comes pre-installed on Linux.
Wait for the next article on how to make dictionaries with crunch! :D
