A little bit about wireless security…
WEP and WPA cracking were the first things I broke into in my homelab. Why? Mostly because those were the things I wanted to “hack” as a young, ignorant teen. They were also the easiest to follow: while there is a methodology to wireless security, as long as I had a compatible wireless NIC that supported monitor mode and packet injection, I was set.
Disclaimer
The information provided is intended solely for educational purposes. The use of any information or any activities undertaken by readers based on the information provided on this website are at their own risk. The tools and information discussed when used improperly or without proper authorization, may violate laws and regulations, and may result in civil and/or criminal liability. The content of this website does not constitute legal, professional or technical advice, and should not be relied upon as such. The use of any information or recommendations provided on this website is solely at the user’s own risk.
Wait, I thought WPA2 can’t be cracked?
Well, it can be, it’s just that cracking WPA2 relies on using a dictionary, either pre-compiled or one created using a custom wordlist, possibly with permutations to be more targeted.
For the sake of this proof of concept, I’ll be demonstrating using a wordlist file that contains the correct pre-shared key amongst some incorrect ones. In the real world, it is very unlikely that you will be able to pull off a WPA2 dictionary attack without performing some type of reconnaissance beforehand.
Mitigations!
What’s important is to not use dictionary words. Consider using a passphrase, or rely on a long password, preferably 12 characters in length. To get a sense of how strong a password may be, also consider using a password strength calculator, such as the one provided by Bitwarden.
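To make the two points above concrete (why a dictionary attack works offline, and what a passphrase policy should reject), here is an added example that is not part of the original post. It derives the WPA2 PMK the way the standard defines it and runs a simple policy check; the wordlist and the minimum length are constructed assumptions, not values from the post.

```python
import hashlib
import re

# Constructed mini-wordlist standing in for the post's psk_wordlist.txt
SAMPLE_WORDLIST = ["password", "letmein", "sunshine", "qwerty", "cr4ckTh1s"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes),
    exactly as both the access point and the client compute it (IEEE 802.11i).
    The SSID is the only salt: a weak passphrase on a common SSID can be
    precomputed once and reused, and a cracker only pays this cost per wordlist
    entry, which is why short or dictionary passphrases fall to an offline attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def precompute_pmks(ssid: str, wordlist) -> dict:
    """Table of word -> PMK for one SSID; a different SSID needs a fresh table."""
    return {word: derive_pmk(word, ssid) for word in wordlist}


def check_passphrase(passphrase: str, wordlist, min_len: int = 12) -> list:
    """Policy check reflecting the mitigations above. Returns the list of
    findings; an empty list means the passphrase passes."""
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    # Strip trailing digits/symbols so 'sunshine1!' is still caught as 'sunshine'
    base = re.sub(r"[^A-Za-z]+$", "", passphrase).lower()
    if base in {w.lower() for w in wordlist}:
        findings.append("dictionary word (possibly with trailing digits/symbols)")
    return findings


if __name__ == "__main__":
    for candidate in ("sunshine1!", "cr4ckTh1s", "correct horse battery staple"):
        print(candidate, "->", check_passphrase(candidate, SAMPLE_WORDLIST) or "ok")
```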
Overview of steps
1. Prerequisites - check for and kill any processes that would interfere with putting our wireless NIC into monitor mode
2. Place - place the wireless NIC into monitor mode
3. Discover - discover networks in range and gather information about them
4. Select - select and target a network to capture data from
5. Perform - perform a deauthentication attack in order to capture a handshake
6. Capture - capture the WPA handshake
7. Attempt - attempt to crack the captured handshake using an offline cracking tool
Easy enough, right? Let’s get started!
Setting up your environment
Below are some of the specifics for my lab. The MACs of the attacker machine, client device and access point, along with the SSID, will be different in your environment. Also, for the sake of lab purposes, I’m running the attacker machine inside a virtual machine on my lab host. In the real world, you may have a dedicated device running the packet capturing and cracking tools.
First, let’s make sure that the base OS running the attacker machine as a VM has the Alfa wireless adapter detected and installed with the appropriate drivers.
Then, attach the wireless adapter to the VM acting as the attacker machine.
Finally, run ifconfig/iwconfig and verify that the wireless adapter was attached successfully and is being detected by the VM. In this case, Kali assigned the adapter to the wlan0 interface.
A Quick Mention About Aircrack-ng
Now’s a good time to talk about the suite of tools we are going to leverage in order to perform this PoC: aircrack-ng. Aircrack-ng is a suite of tools for assessing the security of wireless networks and access points.
We’re going to be using four different aircrack tools for this demonstration:
Airmon-ng
- used to enable monitor mode on wireless interfaces
- used to kill network managers, or to go back from monitor mode to managed mode
Airodump-ng
- used for packet capture of raw 802.11 frames
- used for collecting WEP IVs and WPA handshakes (to be subsequently used with aircrack-ng)
Aireplay-ng
- used to generate traffic to be used by aircrack-ng for cracking WPA-PSK and WEP keys
- used to deauthenticate clients in order to capture WPA handshake data, and for hand-crafted ARP request reinjection
Aircrack-ng
- used to crack WPA/WPA2 and WEP keys
- can only crack pre-shared keys
Step 1: Prerequisites
The first step is to ensure that we terminate any other processes that would interfere with changing our network adapter’s mode, in this case from ‘managed’ to ‘monitor’, using airmon-ng.
On the Attacker machine, type the following in a console shell: airmon-ng check kill
Step 2: Place Network Adapter into Monitor Mode
Second, we must place our network adapter into ‘Monitor’ mode (it starts in ‘Managed’ mode), so that it can see all traffic on the given wireless channel rather than only frames addressed to it.
We can confirm this was successful by issuing: iwconfig
Step 3: Discovering Networks
Now that the network adapter is in Monitor mode, it can begin to discover and analyze different networks in range.
To do this, we are going to use airodump-ng: airodump-ng wlan0, where wlan0 is the interface name assigned to the attached wireless network adapter.
Some things to note about the information returned about the various networks:
- ESSID: wireless network name
- BSSID: MAC address of the ESSID’s access point
- PWR (Power): signal strength in dBm; the closer the value is to zero, the closer you are to the access point
- CH (Channel): on 2.4 GHz, channels 1, 6 and 11 do not overlap
- ENC: encryption type (WEP, WPA, WPA2); the AUTH column shows the authentication type, e.g. PSK
In this case, the network we are targeting is our lab: Wu Tang LAN
- ESSID: Wu Tang LAN
- BSSID: E2:63:DA:34:16:5B
- ENC: WPA2 CCMP
- AUTH: PSK (Pre-shared Key)
- Channel: 11
With this information, we can now monitor authentication packets from this network to try and intercept a handshake that can later be taken offline and cracked. But first, we must start a capture and perform a deauthentication attack in order to obtain the handshake.
Step 4: Selecting the Target Network
We need to format the command that will capture the WPA handshake from a client attempting authentication to our desired access point during the next step.
Syntax: airodump-ng -c <channel> --bssid <mac of bssid> -w <output file path>
Using the information captured from Step 3, this gives us:
airodump-ng -c 11 --bssid E2:63:DA:34:16:5B -w wpa2_cracking_poc
Executing this command will create a running capture of any 802.11 frames for WPA handshakes. This will be particularly useful when we deauthenticate a client from this network in the next step.
What we’re looking for is a client that is communicating with the access point, which can be used as the subject of a deauthentication attack in Step 5. Once deauthenticated, the client will reauthenticate using a WPA handshake, which can later be taken offline to be cracked.
Take note of the client’s MAC address, as this will be used in the deauth attack. For the purpose of this PoC, the client device is a mobile phone. Keep the console open and let the output continually generate on-screen.
Step 5: Performing the Deauthentication Attack
Now that we know the MAC address of a client connected to an access point of our desired network, we can target it for a deauthentication attack.
We are going to use the aireplay-ng tool of the aircrack-ng suite. The syntax we are going to use is as follows:
aireplay-ng -<mode> <# of times to perform> -a <MAC of access point> -c <MAC of station/client being attacked> <wireless_interface>
Using the information collected from Steps 3 and 4:
- --deauth = mode of the aireplay-ng tool, followed by the number of times to perform it
- -a = E2:63:DA:34:16:5B (BSSID of ‘Wu Tang LAN’)
- -c = F8:1A:2B:53:FB:E4 (MAC of the mobile device)
- wlan0 = interface of the attached wireless adapter
Because our packet capture from Step 4 is continually running, we need to issue the following command in a separate console shell: aireplay-ng --deauth 5 -a E2:63:DA:34:16:5B -c F8:1A:2B:53:FB:E4 wlan0
After issuing, the mobile device in our lab is disconnected from the ‘Wu Tang LAN’ network, and automatically attempts to reconnect.
Step 6: Capturing the Handshake
While the client reconnects, the WPA handshake, which carries the material needed to verify the PSK (password) of the SSID offline, is captured by the airodump-ng tool still running from Step 4. Note: sometimes it is necessary to issue the deauth several times in order to capture the WPA handshake.
The captured WPA handshake is saved to the local directory. This handshake is what allows the valid pre-shared key used to authenticate to the ‘Wu Tang LAN’ network to be recovered!
Step 7: Attempt to Crack the Handshake
Finally, now that we have the WPA handshake, we can use a cracking tool like aircrack-ng or hashcat to try and brute-force the correct password.
For this PoC, a wordlist containing 10 passwords is used, only one of which is valid. In the real world, you would need to do a dictionary attack and/or use a custom wordlist with permutations tailored to the target, such as street address, phone number, pet name, sports team, etc.
The syntax of the aircrack-ng command is: aircrack-ng -w <wordlist file> -b <BSSID of AP> <capture file>
Which, finally, gives us: aircrack-ng -w psk_wordlist.txt -b E2:63:DA:34:16:5B wpa2_cracking_poc-01.cap
And that’s it! The PSK was found, which in this case is cr4ckTh1s!
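From the defender’s side, the deauthentication burst in Step 5 is the loudest part of this whole procedure and is easy to spot in a monitor-mode capture. The following is an added example, not code from the original post: it parses raw 802.11 deauth/disassoc frames, counts them per BSSID in a sliding window, and flags a burst. The frames are constructed in memory using the BSSID and client MAC from the post; the window and threshold are assumptions to tune for your environment.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0C, 0x0A                           # management-frame subtypes
AP, CLIENT = "E2:63:DA:34:16:5B", "F8:1A:2B:53:FB:E4"   # values from the post's lab


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def parse_deauth(frame: bytes):
    """Return (bssid, sa, da, reason) for a deauth/disassoc frame, else None.
    Layout: FC(2) Duration(2) Addr1=DA(6) Addr2=SA(6) Addr3=BSSID(6) Seq(2) Reason(2)."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac_str(frame[16:22]), mac_str(frame[10:16]), mac_str(frame[4:10]), reason


def find_bursts(frames, window=2.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame) in capture order.
    Returns {bssid: peak deauth count within any `window` seconds} for BSSIDs
    that crossed `threshold`; a single deauth from a roaming client never does."""
    recent, peaks = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        q = recent[parsed[0]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[parsed[0]] = max(peaks.get(parsed[0], 0), len(q))
    return peaks


def build_deauth(da: str, sa: str, bssid: str, reason: int = 7) -> bytes:
    """Constructed test frame only: FC 0x00C0 (management/deauth), duration 0, seq 0."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    return struct.pack("<HH", 0x00C0, 0) + mac(da) + mac(sa) + mac(bssid) + struct.pack("<HH", 0, reason)


# Constructed capture: a burst alternating between the client and the AP, 1 ms apart,
# plus one benign deauth (reason 3, "station leaving") on an unrelated network.
SAMPLE_CAPTURE = [(i * 0.001, build_deauth(CLIENT if i % 2 else AP, AP if i % 2 else CLIENT, AP))
                  for i in range(640)]
SAMPLE_CAPTURE.append((5.0, build_deauth("00:11:22:33:44:55", "66:77:88:99:AA:BB", "00:11:22:33:44:55", 3)))
```

Because these deauth frames are unauthenticated, enabling Protected Management Frames (802.11w) on the access point and clients causes them to be discarded, which removes the reconnect that Step 6 relies on.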