Find Weak WPA Passphrases
But what about WPA (both the original WPA and the later WPA2)? WPA is much more secure than WEP, and there are no statistical attacks that can methodically break WPA in the way that WEP can be broken.
But there is a weakness: like any encryption system, you can always carry out a brute force attack trying every possible passphrase in turn to try to find the correct one. In practice this is not possible – it would take billions of years to try every possible passphrase. So all that is practicable it to test whether an "obvious" passphrase has been used, by trying possible passphrases from a word list. If the passphrase is "non-guessable" – ideally a long random string of upper and lower case characters and symbols – then a brute force attack using a word list will not succeed. If the brute force attack does succeed, then it’s time to change the passphrase to something more complex.
When a client authenticates with a WPA protected access point, packets of information are exchanged between the two devices. If these packets can be captured, they are a convenient point to mount the brute force attack, which Aircrack-ng can carry out very easily at a rate in the order of 500 tries per second.
The first stage then is to capture the authentication packets which are exchanged when a client signs on. You can set up Airodump-ng to listen on the appropriate channel for an association by issuing the same command as before: airodump-ng -c X -w mycapture ath0
Since a client may sign on at the start of the day and remain connected until evening, it is often convenient to disconnect a client that is already connected, and wait for it to reconnect automatically a few seconds later. You can do this using aireplay-ng by injecting a deauth (disassociate) packet onto the network using the -0 option, followed by the number of deauth packets you want to send. To inject 8 packets, for a good chance of success, the command would be: aireplay -0 8 –a [base station MAC] –c [client device MAC] ath0
As the client re-associates, airodump-ng will capture the handshake.
[Note: If airodump-ng finds an access point which does not broadcast its network name (ESSID) then sending deauth packets to force a client to re-associate with allow airodump-ng to discover the hidden ESSID as the client re-associates.]
The next step is to subject the captured association packets to the brute force attack. Assuming you have a suitable list of possible passphrases in a file called passwordlist.txt in your home folder, use: aircrack-ng -w passwordlist.txt -b [base station MAC] mycapture-01.cap
Brute force attacks take time, but since this is an offline attack Aircrack can be left to run anywhere until it finds the password or exhausts all the possibilities from the password list. It's up to you to decide how large and complex a password file you want to use, but if you are lucky, Aircrack-ng will find a match and you'll see a message.
All in all, Aircrack-ng is one of the most useful open source wireless auditing tools around. This article has covered the basics, with which you can hunt for rogue access points and check any WPA (or WPA2) pre shared key protected networks to ensure that the passphrases are not easily crackable. Once you've mastered this then explore the software suite or read the manuals: there are many more options and applications in the suite than covered here that can also be useful for more complex auditing tasks.
But what about WPA (both the original WPA and the later WPA2)? WPA is much more secure than WEP, and there are no statistical attacks that can methodically break WPA in the way that WEP can be broken.
But there is a weakness: like any encryption system, you can always carry out a brute force attack trying every possible passphrase in turn to try to find the correct one. In practice this is not possible – it would take billions of years to try every possible passphrase. So all that is practicable it to test whether an "obvious" passphrase has been used, by trying possible passphrases from a word list. If the passphrase is "non-guessable" – ideally a long random string of upper and lower case characters and symbols – then a brute force attack using a word list will not succeed. If the brute force attack does succeed, then it’s time to change the passphrase to something more complex.
When a client authenticates with a WPA protected access point, packets of information are exchanged between the two devices. If these packets can be captured, they are a convenient point to mount the brute force attack, which Aircrack-ng can carry out very easily at a rate in the order of 500 tries per second.
The first stage then is to capture the authentication packets which are exchanged when a client signs on. You can set up Airodump-ng to listen on the appropriate channel for an association by issuing the same command as before: airodump-ng -c X -w mycapture ath0
Since a client may sign on at the start of the day and remain connected until evening, it is often convenient to disconnect a client that is already connected, and wait for it to reconnect automatically a few seconds later. You can do this using aireplay-ng by injecting a deauth (disassociate) packet onto the network using the -0 option, followed by the number of deauth packets you want to send. To inject 8 packets, for a good chance of success, the command would be: aireplay -0 8 –a [base station MAC] –c [client device MAC] ath0
As the client re-associates, airodump-ng will capture the handshake.
[Note: If airodump-ng finds an access point which does not broadcast its network name (ESSID) then sending deauth packets to force a client to re-associate with allow airodump-ng to discover the hidden ESSID as the client re-associates.]
The next step is to subject the captured association packets to the brute force attack. Assuming you have a suitable list of possible passphrases in a file called passwordlist.txt in your home folder, use: aircrack-ng -w passwordlist.txt -b [base station MAC] mycapture-01.cap
Brute force attacks take time, but since this is an offline attack Aircrack can be left to run anywhere until it finds the password or exhausts all the possibilities from the password list. It's up to you to decide how large and complex a password file you want to use, but if you are lucky, Aircrack-ng will find a match and you'll see a message.
All in all, Aircrack-ng is one of the most useful open source wireless auditing tools around. This article has covered the basics, with which you can hunt for rogue access points and check any WPA (or WPA2) pre shared key protected networks to ensure that the passphrases are not easily crackable. Once you've mastered this then explore the software suite or read the manuals: there are many more options and applications in the suite than covered here that can also be useful for more complex auditing tasks.