Wireless Penetration Testing: WPA2-PSK

In our increasingly connected world, securing wireless networks is essential. In this post, we’ll dive into wireless hacking using the Aircrack-ng suite, focusing on an attack against WPA2-PSK due to its vulnerabilities, as cracking WPA3 can be significantly more time-consuming. We'll break down the techniques used to expose weaknesses in WPA2-PSK and demonstrate how these insights can enhance your wireless penetration testing skills. Let's get started!

Requirements:

You will require a wireless network adapter, a virtual machine running Kali Linux loaded with the aircrack-ng suite of tools, and a wireless access point (one you are authorized to test against).

Your choices for wireless network adapters:

ALFA AWUS036NHAor an ALFA AWUS036AXML 5GHz, if you’re here for the OffSec OSWP exam the first ALFA adapter at 2.4GHz is sufficient.

Discovering your wireless adapter in multiple ways:

You can see your wireless adapter among the other networking information listed by using ip a or the depreciated ifconfig:

You can also use iwconfig or iw dev to only list the wireless networking adapters and see where you’re in the default ‘Managed’ Mode:

You can run the command iw list which will show you your wireless adapters and display the capabilities of the device you’re using, which comes more in handy when understanding if your device is capable of creating an ‘Evil Twin’ or ‘Rogue Access Point’ - duplicate:

Killing conflicting processes and putting your wireless interface into monitoring mode:

You can achieve this by using the command airmon-ng check kill && airmon-ng start wlan0 which will kill any conflicting processes and put your interface into monitoring mode:

We can run iwconfig and confirm that we’ve entered ‘Monitor’ mode:

Note: If your only means of internet access was your wireless adapter you will lose internet connection. If you’re using a virtual machine which should have an eth0 interface connected back to the host, you should retain internet access and be able to have your external adapter (connected to your virtual machine) in monitoring mode.

Scanning for Wireless Access Points in range of your adapter:

You can start discovering wireless networks with sudo airodump-ng wlan0mon. You will start seeing a changing list of networks displayed.

The BSSID (MAC Address of the access point), the channel the wireless network is running on, the encryption type (WPA2), CIPHER (CCMP), and type of authentication protocol (PSK), along with the ESSID (network name).

There is a column for PWR (power/signal strength) as well which indicates the strength of the connection to these WAPs. The closer you are to -40 the stronger the connection is, the further away, the weaker it is.

Launching an attack against a Wireless Access Point:

We are going to use the following command sudo airodump-ng -w capture1 -c 11 —bssid <BSSID> wlan0mon.

You will be able to see if any clients are connected, and no capture of a 4-way handshake at first. We can capture a 4-way handshake by de-authenticating clients connected to the wireless access point in the next step.

Performing a de-authentication attack on clients:

We are going to de-auth all clients and continuously de-auth against the wireless access point. Open a new terminal, leave the original running, and we can do this using sudo aireplay-ng —deauth 0 -a <STATION ID> wlan0mon.

This will continuously send de-auths to the access point. Then in our window where we launched the initial attack we will see a handshake at the top right has been captured.

On the user-end this will disconnect them from the wireless access point over and over, keep this in mind for an authorized real-life scenario as that may raise red flags during a penetration testing engagement.

Stop the initial attack and notice the artifacts we have:

We should have multiple capture files as remnants from the previous actions. We can use the .cap file to examine information in Wireshark and see the 4-way handshake process there, along with a decryption key.

Practically using the aircrack-ng suite you will not need to dive into Wireshark. We will be able to use the capture file provided and begin a password cracking effort to obtain the clear-text password.

Cracking the password using the capture file we obtained:

Now we can use the command aircrack-ng wificapture1.cap -w /usr/share/wordlists/rockyou.txt in order to crack what we’ve obtained.

You can use any wordlist but in most average cases it makes sense to use rockyou.txt or a custom-wordlist.

Reverting your wireless networking interface from monitored to managed (normal) once you’re finished:

We can revert the wireless network adapter to its previous state using the command: sudo airmon-ng stop wlan0mon.

Then when we check with iwconfig we can see that we’re back in ‘managed’ mode.

As we wrap up our exploration of wireless hacking with the Aircrack-ng suite, it’s clear that understanding vulnerabilities in protocols like WPA2-PSK is crucial for any penetration tester. By mastering these techniques, you not only sharpen your skills but also contribute to building more secure wireless environments. Remember, the goal of ethical hacking is to identify weaknesses before malicious actors can exploit them. Stay curious, keep practicing, and continue to enhance your knowledge in wireless security. Thanks for reading, and happy hacking!