WIFI Pass Cracking For WPA&WPA2 — (Home Lab)

RohanAdapala
6 min read · Feb 3, 2021

In a general sense, Wi-Fi refers to the wireless LAN technologies that use the IEEE 802.11 standards for communication. Wi-Fi products use radio waves to transmit data from a client device to an access point (typically a router), which then completes the connection to other devices on the LAN, the WAN or the internet.

Initially the technology used the 2.4 GHz frequency, but has since expanded to 5 GHz, 60 GHz, and soon 6 GHz frequency bands. (A competing standard, known as HomeRF, also supported wireless connections, but vendors and customers eventually chose Wi-Fi and the 802.11 protocols as the wireless standard.)

“Live a simple life with No WiFi.”

There are several types of wireless security that you'll come across; here's a quick rundown of the details.

  1. WEP (Wired Equivalent Privacy)
  2. WPA (WiFi Protected Access)
  3. WPA2 (WiFi Protected Access Version 2)

WEP (Wired Equivalent Privacy): Wired Equivalent Privacy, aka WEP, is the grandfather of wireless security types, dating back to 1999 (an eternity in the world of technology!). When a client (like a laptop or iPad) connects to a WEP-protected network, the WEP key is combined with some data to create an "initialization vector", or "IV" for short. For example, a 128-bit hexadecimal key consists of 26 characters typed from the keyboard (totaling 104 bits) combined with a 24-bit IV. When a client connects to an AP, it sends a request to authenticate, which is met with a challenge reply from the AP. The client encrypts the challenge with the key, the AP decrypts it, and if the challenge it receives matches the original one it sent, the AP authenticates the client.

This may sound secure, but there was room in this scheme for an exploit to be discovered. The risk presents itself when a client sends its request to the access point: the portion containing the IV is transmitted wirelessly in clear text (not encrypted). In addition, the IV is short compared to the key, and when several clients use the same WEP key on a network, IVs have an increased probability of repeating. In a busy environment, a malicious user wishing to gain access to a network using WEP security can passively eavesdrop and quickly collect IVs. Once enough IVs have been collected, recovering the key becomes trivial.

Clearly, WEP is not the correct choice for securing your network, and in light of this, other types of wireless security were created.

WPA (WiFi Protected Access): To improve on WEP, WiFi Protected Access, or WPA, was created in 2003. This temporary enhancement still has relatively poor security but is easier to configure. WPA uses the Temporal Key Integrity Protocol (TKIP) for stronger encryption than WEP offered.

As the WiFi Alliance made this transition to a more advanced protocol, they had to keep some of the same elements of WEP so that older devices would still be compatible. Unfortunately, this means that vulnerabilities, such as the WiFi Protected Setup feature, which can be hacked relatively easily, are still present in WPA.

WPA2 (WiFi Protected Access Version 2): A year later, in 2004, WiFi Protected Access 2 became available. WPA2 has stronger security and is easier to configure than the prior options. The main difference with WPA2 is that it uses the Advanced Encryption Standard (AES) instead of TKIP. AES is able to secure top-secret government information, so it's a good option for keeping a personal device or company WiFi safe.

The only notable vulnerability of WPA2 is that once someone has access to the network, they can attack other devices connected to the network. This is an issue if a company has an internal threat, such as an unhappy employee, who hacks into the other devices on the company’s network.

Hackers use the same attack technique for both WPA and WPA2.

Note:

WiFi Protected Access 3 (WPA3): As vulnerabilities are recognized, advancements are made. In 2018, the WiFi Alliance introduced WPA3. This new version will have "new features to simplify WiFi security, enable more robust authentication and deliver increased cryptographic strength for highly sensitive data markets." WPA3 is still being rolled out, so WPA3-certified hardware isn't an available option for most people yet.

DISCLAIMER: This blog is for learning purposes only, and we are not responsible for any harm caused by misusing it.

Welcome to the Practical Section:

Requirements:

  1. Kali Linux OS
  2. WiFi dongle (adapter)
  3. WiFi router (in this attack I use my own WiFi router)

Setup:

First connect the WiFi dongle to the Kali machine. We need to confirm that the dongle shows up as a network interface; to check this, use the following command.

iwconfig

[Screenshot: iwconfig output, Mode is Managed]

Enable monitor mode on the WiFi dongle with the airmon-ng command.

airmon-ng start wlan0

[Screenshot: airmon-ng output, monitor mode enabled on wlan0]

Check the mode of the WiFi dongle again with the iwconfig command.

iwconfig

[Screenshot: iwconfig output, Mode is Monitor]

Discovering the WiFi and Capturing the Handshake

To discover the WiFi networks around us, use the airodump-ng command.

airodump-ng wlan0mon

[Screenshot: airodump-ng command]

In the image you can see that airodump-ng discovered my lab WiFi, which is named Adapala. We can also see the BSSID, which is nothing but my WiFi router's MAC address (48:EE:0C:45:B2:6C), the channel it uses, which is 10, my WiFi encryption type, which is WPA2, and the cipher, which is CCMP. Note down these details of your own router as shown.

[Screenshot: WiFi routers discovered near me]

Capture the handshake:

To capture the handshake, use the airodump-ng command again, this time locked to the router's BSSID and channel and writing the capture to a file.

airodump-ng wlan0mon --bssid 48:EE:0C:45:B2:6C -c 10 -w adapalas

[Screenshot: handshake captured]

Note:

The handshake is captured when the victim user tries to connect to their WiFi, but it is not possible to capture the handshake every time, because sometimes the user is not at home and sometimes the user is already connected to the WiFi. In that case we use deauthentication with the help of aireplay-ng. It forces the victim to disconnect from the WiFi, and when they try to reconnect, the handshake is captured. The link to check it is given below.
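The deauthentication the note describes is visible on the air as a burst of 802.11 management frames of subtype 12 aimed at one client, and a defender watching a monitor-mode capture can count them. The following is an added example, not code from the original post or from the aircrack-ng suite: it parses the fixed 24-byte management-frame header, flags any (BSSID, client) pair that receives more deauthentication frames than a threshold, and runs on frames constructed inline (placeholder locally-administered MAC addresses, no radiotap header). Real captures would need the radiotap header stripped first, and the threshold of 5 is an assumption to tune per environment.

```python
import struct
from collections import Counter

MGMT_TYPE = 0          # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 0x0C  # management subtype 12 = deauthentication
BEACON_SUBTYPE = 0x08  # management subtype 8 = beacon


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(frame: bytes):
    """Parse the 24-byte MAC header of an 802.11 management frame.

    Returns (type, subtype, addr1/destination, addr2/source, addr3/BSSID, body),
    or None if the frame is shorter than the fixed header.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]                    # first byte of the Frame Control field
    ftype = (fc >> 2) & 0x3          # bits 2-3: type
    subtype = (fc >> 4) & 0xF        # bits 4-7: subtype
    return (ftype, subtype,
            bytes_to_mac(frame[4:10]), bytes_to_mac(frame[10:16]),
            bytes_to_mac(frame[16:22]), frame[24:])


def is_deauth(frame: bytes) -> bool:
    p = parse_mgmt_frame(frame)
    return p is not None and p[0] == MGMT_TYPE and p[1] == DEAUTH_SUBTYPE


def detect_deauth_flood(frames, threshold: int = 5) -> dict:
    """Count deauthentication frames per (BSSID, targeted client) and return the
    pairs at or above the threshold. A handful of deauths is normal (roaming,
    AP reconfiguration); a burst at one client is the forced-reconnect pattern."""
    counts = Counter()
    for f in frames:
        if is_deauth(f):
            _, _, dst, _src, bssid, _body = parse_mgmt_frame(f)
            counts[(bssid, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, reason=None) -> bytes:
    """Build a minimal management frame as constructed test data (no radiotap header).
    Deauthentication frames carry a 2-byte little-endian reason code as their body."""
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    body = struct.pack("<H", reason) if reason is not None else b""
    return (frame_control + duration + mac_to_bytes(dst) + mac_to_bytes(src)
            + mac_to_bytes(bssid) + seq_ctrl + body)


# Placeholder addresses (constructed; not the author's router or any real device).
AP = "02:00:00:00:00:01"
CLIENT = "02:00:00:00:00:02"
OTHER = "02:00:00:00:00:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: one beacon, eight deauths at CLIENT, one ordinary deauth at OTHER.
SAMPLE_FRAMES = (
    [build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP, AP)]
    + [build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP, reason=7) for _ in range(8)]
    + [build_mgmt_frame(DEAUTH_SUBTYPE, OTHER, AP, AP, reason=3)]
)

if __name__ == "__main__":
    for (bssid, target), n in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"possible deauth flood: {n} frames from BSSID {bssid} to {target}")
```

Protected Management Frames (802.11w, which WPA3 requires) authenticate deauthentication frames, so a client that negotiated PMF discards forged ones; on WPA2 networks without PMF, counting them as above is the practical way to notice that a forced reconnect happened.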

After capturing the handshake, airodump-ng creates a .cap file on the system named after the prefix given with -w; in my case it shows as adapalas-01.cap.

[Screenshot: saved .cap file]

Cracking the Password:

To crack the password, use the aircrack-ng command on the adapalas-01.cap file with the help of the rockyou.txt wordlist.

aircrack-ng -b 48:EE:0C:45:B2:6C -w /usr/share/wordlists/rockyou.txt adapalas-01.cap

[Screenshot: aircrack-ng command and output, password is cracked]

Note:

rockyou.txt is a text file that contains a large number of common passwords, but I won't claim it cracks every kind of password; that depends on the wordlist. For a much bigger wordlist, use the rainbow-table wordlists, but they are many GB in size. To crack the password faster we also need GPU processing. If the password is long, it may take years; an example image is given below.

[Screenshot: time taken for password cracking]
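The note above is right that the cracking time is decided by the passphrase and the wordlist. The reason each guess is expensive is that WPA/WPA2-Personal derives its pairwise master key with PBKDF2-HMAC-SHA1 over 4096 iterations, salted with the SSID, so every candidate costs thousands of hash operations and a precomputed table is only valid for one SSID. The following Python is an added example, not code from the original post or from aircrack-ng: it derives the PMK the standard way and checks it against the published IEEE 802.11i test vector, checks a candidate passphrase against a small constructed wordlist (a few entries in the spirit of rockyou.txt), and turns the remaining keyspace into a rough years-to-exhaust figure. The guesses-per-second rate, the 12-character floor, the SSID "ExampleNet" and the wordlist entries are assumptions for illustration, not measurements.

```python
import hashlib
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation + " "      # 33 printable ASCII symbols including space
SECONDS_PER_YEAR = 365 * 24 * 3600

# Small constructed wordlist standing in for rockyou.txt (assumption: a few common entries).
SAMPLE_WORDLIST = frozenset({"password", "123456", "iloveyou", "sunshine", "qwerty123"})

# Known-answer vector from IEEE 802.11i: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR = ("IEEE", "password",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Every candidate a cracker tries has to pay these 4096 rounds, per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def self_check() -> bool:
    """Confirm the derivation against the published test vector."""
    ssid, pw, expected = IEEE_TEST_VECTOR
    return derive_pmk(ssid, pw).hex() == expected


def keyspace(passphrase: str) -> int:
    """Upper bound on candidates for an exhaustive search over the character
    classes actually present in the passphrase (lower, upper, digits, symbols)."""
    alphabet = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
                   if any(ch in cls for ch in passphrase))
    return alphabet ** len(passphrase)


def audit_passphrase(ssid: str, passphrase: str, wordlist=SAMPLE_WORDLIST,
                     guesses_per_second: int = 100_000) -> dict:
    """Report what a defender wants to know before deploying a passphrase.
    guesses_per_second is an assumed rate for a GPU rig, not a measurement."""
    valid = 8 <= len(passphrase) <= 63 and passphrase.isascii()  # 802.11i passphrase rule
    ks = keyspace(passphrase) if passphrase else 0
    return {
        "valid_length": valid,
        "in_wordlist": passphrase in wordlist,  # a hit means the wordlist run finds it outright
        "too_short": len(passphrase) < 12,      # assumed policy floor, not a standard
        "keyspace": ks,
        "years_to_exhaust": ks / guesses_per_second / SECONDS_PER_YEAR,
        "pmk": derive_pmk(ssid, passphrase).hex() if valid else None,
    }


if __name__ == "__main__":
    assert self_check(), "PBKDF2 derivation does not match the IEEE test vector"
    for candidate in ("password", "Summer2021!", "Correct-Horse-Battery-7"):
        r = audit_passphrase("ExampleNet", candidate)
        print(f"{candidate!r}: in_wordlist={r['in_wordlist']} too_short={r['too_short']} "
              f"keyspace={r['keyspace']:.2e} years_to_exhaust={r['years_to_exhaust']:.3g}")
```

The years-to-exhaust figure is an upper bound for a blind brute force; a wordlist or rule-based run finds a weak passphrase long before that, which is why the in_wordlist check comes first. The PMK is also a useful demonstration of why the author's rainbow-table remark only goes so far: the SSID is the salt, so a table precomputed for one network name is useless against another.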
