Sunday, January 8, 2017

How to crack WLAN WPA/WPA2 pre-shared keys


Cracking WPA/WPA2 pre-shared keys may not be as difficult as many people think.

When a client authenticates to the router, a 4-way handshake between router and client negotiates the session keys. That handshake can be recorded with a simple WLAN sniffer; the handshake messages are EAPOL-Key frames. None of them carries the pre-shared key itself, but message 2 carries a MIC computed with keys derived from the PSK, the SSID, both MAC addresses and both nonces, and that is exactly what an offline attack recomputes for every password guess.

Here I described how to set up a simple sniffer with a Raspberry Pi 2:
http://blog.x1622.com/2016/12/how-to-setup-rasperry-pi-2-model-b-for.html

So the only task is to record all the traffic until a complete 4-way handshake has been captured. Wireshark has a display filter for this called "eapol".

In my test case, I opened a WLAN called darkqueen with the simple numeric password 19042001.


I authenticated with a mobile device and captured the handshake. In my example I did it more than once, but capturing one complete handshake (messages 1-4) is enough.
I stopped capturing and stored all data in the standard Wireshark pcap format. You can store all data or only the marked EAPOL frames.

The pcap file cannot be used directly with hashcat; it has to be converted to the hccap format. The different ways to do that are described here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
It can be done online or locally with the aircrack-ng suite. (Newer hashcat releases replaced hccap with the hccapx and later the 22000 hash-line format; the wiki page above tracks the current conversion tools.)


I took the hccap file to a single machine with an old GPU (~50 dollars) that I got from my son's old gaming PC.



I started hashcat with a mask for eight digits (the minimum WPA passphrase length is eight characters), and hashcat estimated a maximum run time of 50 minutes.

After a few minutes hashcat cracked the password of darkqueen => 19042001


In this PoC it was simple because I used a weak WPA2 key. A more complex key can take much longer. In that case there is also the option to precompute a lookup table of PMKs (often loosely called a rainbow table) when the name of the access point is known: the PMK is derived from the passphrase and the SSID with PBKDF2 (4096 iterations), which is the slow part of every guess, and it does not depend on the captured handshake, so the table can be built ahead of time. The same reason makes such a table valid for that SSID only. coWPAtty (its genpmk tool) can build it: http://tools.kali.org/wireless-attacks/cowpatty