by hash3liZer . 07 August 2018
I have been working on a project that is now more or less complete, so I thought I would write about it. Here I am going to show you how to crack WPA/WPA2 passwords with a dictionary attack using WiFiBroot. WiFiBroot helps with various problems that you could face with other C cracking utilities, and maybe it's time to move on to something else. That is the purpose behind coding WiFiBroot.
The good thing about WiFiBroot is that it cracks passwords using only half of the captured handshake; the other half is never used. However, to ensure that the right Message Integrity Code (MIC) is computed, a full handshake is needed. WiFiBroot captures the handshake automatically by sending disassociation frames over the air and then verifies that the handshake is valid.
If the handshake appears to be valid, cracking proceeds by computing hashes of the default passwords and then of the dictionary passwords. The dictionary passwords are supplied by the user, whereas the default ones are combinations derived from the target MAC address.
Some vendors, most famously FiberHome, are still manufacturing routers with passwords derived from MAC addresses. So there is a good chance that you can crack the password without providing a dictionary at all.
First things first: the card needs to be operating in monitor mode. Put it in monitor mode:
$ airmon-ng start wlan1
Now we need WiFiBroot from GitHub. Clone it with git:
$ git clone https://github.com/hash3liZer/WiFiBroot.git
$ cd WiFiBroot/
WiFiBroot depends heavily on the scapy module, which provides the protocol layers and the functions for sending and receiving packets. So, install scapy:
$ pip install scapy
All you need to kick-start it is the monitor interface, which we already have. So,
$ python wifibroot.py -i wlan1mon --verbose
If no filters are provided, it will listen on all channels and for all access points. Otherwise it behaves as you would expect, for example:
$ python wifibroot.py -i wlan1mon --channel 6 --essid "unknown"
In this case, it will listen for the AP named unknown on channel 6.
Verbose mode redirects you to another screen where networks are shown as their beacon frames are captured, while in normal mode you have to break out with CTRL+C.
When sniffing stops, you will be asked for the target. Each target is assigned an ID according to its last reported signal value: networks with the highest strength are at the top, and those with low strength are further down. For now I am choosing my hosted network, named unknown, as you can see in the screenshot:
At this point, WiFiBroot tries to locate the clients connected to the network, excluding clients that are still trying to connect to the AP. Next, it tries to disconnect the clients from the AP by sending deauth frames. In the current version there is no option for specifying the number of frames you would like to send, but I'll be adding it soon.
Again, you just have to wait. As soon as a valid handshake is found, it is saved in the handshakes directory on the same level.
If you already have the handshake, you can place it in the handshakes directory manually; just make sure the file name is the lowercase BSSID of the target with the extension .cap
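The deauth burst used in the capture step above is visible to anyone monitoring the air. The following is an added example, not part of WiFiBroot or the original post, of a sliding-window detector for such bursts; the frame tuples, MAC addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management frame subtypes

def detect_deauth_bursts(frames, window=5.0, threshold=10):
    """frames: time-sorted (timestamp, subtype, bssid, destination) tuples.
    Alert once per burst when a BSSID sees >= threshold deauth/disassoc
    frames within `window` seconds (both values are assumptions to tune)."""
    recent = defaultdict(deque)   # bssid -> (timestamp, destination) inside window
    alerting = set()              # BSSIDs already reported for the current burst
    alerts = []
    for ts, subtype, bssid, dst in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        bssid = bssid.lower()
        q = recent[bssid]
        q.append((ts, dst.lower()))
        while ts - q[0][0] > window:      # drop frames older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(bssid)       # burst over, re-arm the alert
        elif bssid not in alerting:
            alerting.add(bssid)
            alerts.append({"bssid": bssid, "start": q[0][0], "count": len(q),
                           "targets": sorted({d for _, d in q})})
    return alerts

def sample_frames():
    """Constructed capture summary (locally administered MACs, not real devices)."""
    ap, quiet_ap = "02:00:00:00:00:01", "02:00:00:00:00:02"
    sta, other = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
    frames = [(0.0, BEACON, ap, "ff:ff:ff:ff:ff:ff"),
              (1.0, DEAUTH, quiet_ap, other)]          # one ordinary client leave
    frames += [(10.0 + i * 0.1, DEAUTH, ap, sta) for i in range(20)]  # burst
    frames.append((60.0, DEAUTH, quiet_ap, other))     # another isolated frame
    return frames

if __name__ == "__main__":
    for alert in detect_deauth_bursts(sample_frames()):
        print(alert)
```

Isolated deauth frames from ordinary client departures stay below the threshold, so only the sustained burst against one BSSID is reported.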
As soon as the handshake is found, it will try to crack the password. First, the default passwords are checked, which takes a second or less. Then the dictionary passwords are hashed and checked against the hashes from the handshake. If the attack succeeds, you'll see something familiar:
So, the password is cracked, and it is 786 5555. Please note down the last hash, i.e. the Message Integrity Code (MIC).
00000000: 4a e5 61 10 70 3e af 14 9f 8e 8b 41 ce f6 76 cf
00000010: fb bc dc b0
Fire up Wireshark and open the handshake, which by now has been placed in the handshakes directory. Expand the second handshake frame and locate the MIC field. Now compare the MIC above with the one in the handshake.
This is the proof of concept that half of the handshake can be used to crack WiFi Protected Access (WPA) passwords.
Again, let's level things up. Now we are going to see what coWPAtty calculates for us. Fire up coWPAtty with the necessary arguments:
$ cowpatty -r [path/to/handshake] -f [path/to/dictionary] -s [essid] -v -v -v
The hash that coWPAtty calculates will certainly be from the 4th frame.
Today we looked into WiFiBroot, a WPA hash cracker that automates most of the cracking work. We saw how it works and how it cracks the WiFi password using half of the handshake. Moreover, the handshakes are stored in a separate directory, and the script also checks the hash against default passwords derived from the MAC address, all of which makes it worth a try.