WPA Cracking && - PowerPoint Presentation

Uploaded by crashwillow (@crashwillow), 2020-09-28



Presentation Transcript

Slide1

WPA Cracking && Hashcat.

Gareth Kerr – Cyber Security/Rune Security

Contact: T7145543@live.tees.ac.uk

Slide2

Wireless Communication Info

Operates using Radio Frequency(RF) technology

IEEE 802.11 is a set of standards for the implementation of wireless LAN networks

Otherwise known as Wi-Fi.

Operates on the 2.4 GHz and 5 GHz frequency bands

Supports up to 13 channels

Various encryption methods implemented

Slide3

Kali Linux

Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.

Download link for Kali -

https://www.kali.org/downloads/

Exploit Database -

https://www.exploit-db.com

Slide4

What’s Aircrack-ng?

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:

Monitoring: Packet capture and export of data to text files for further processing by third party tools.

Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.

Testing: Checking WiFi cards and driver capabilities (capture and injection).

Cracking: WEP (Deprecated) and WPA PSK (WPA 1 and 2).

Slide5

Interface Configuration (ifconfig, iwconfig)

MODE | Description
Managed | Node connects to a network composed of many Access Points, with roaming.
Ad-Hoc | Network composed of only one cell and without Access Point.
Master | The node is the synchronisation master or acts as an Access Point.
Repeater | The node forwards packets between other wireless nodes.
Monitor | The node is not associated with any cell and passively monitors all packets on the frequency.

Slide6

Interface Configuration (ifconfig, iwconfig)

CLI Commands:

ifconfig wlan0 down (Brings the interface wlan0 down)
iwconfig wlan0 mode monitor (Changes the interface operating mode to monitor)
ifconfig wlan0 up (Brings the interface wlan0 up)
iwconfig
airmon-ng check kill (Kills any processes that may be using the wireless card)

DEMO

Slide7

MAC Spoofing using “macchanger”

Anatomy of a MAC Address:

00:00:8f : 13:b6:84
VENDOR : UNIQUE ID

macchanger --random wlan0 (Changes the MAC to a randomly assigned MAC address)
macchanger -l (Lists all known MAC vendors)
macchanger --mac=00:00:8f:13:b6:84 wlan0 (Changes to a specific MAC address)
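As an added example (not part of the slides), the vendor/unique split above can be decoded programmatically, together with the two flag bits that IEEE 802 defines in the first octet. The locally-administered bit is what a defender checks to spot stations in the airodump-ng STATION column whose address was never assigned by a vendor, which is what randomised or manually set addresses typically look like; the sample addresses are constructed.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)

def parse_mac(mac):
    """Split a MAC into its vendor (OUI) and device-unique halves and decode
    the two flag bits of the first octet defined by IEEE 802:
      bit 0 (0x01): individual (0) / group, i.e. multicast (1)
      bit 1 (0x02): universally (0) / locally (1) administered
    A locally administered address was not burned in by a vendor."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(x, 16) for x in m.groups()]
    first = octets[0]
    return {
        "oui": ":".join(f"{o:02x}" for o in octets[:3]),
        "nic": ":".join(f"{o:02x}" for o in octets[3:]),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }

def locally_administered(macs):
    """Filter a list of station MACs (e.g. the STATION column of airodump-ng)
    down to those carrying the locally-administered bit."""
    return [m for m in macs if parse_mac(m)["locally_administered"]]

if __name__ == "__main__":
    # Constructed sample: the slide's example address plus one that differs
    # only in the locally-administered bit of the first octet.
    for mac in ["00:00:8f:13:b6:84", "02:00:8f:13:b6:84"]:
        print(mac, parse_mac(mac))
```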

Slide8

Testing Injection Capability of the Wireless Card.

aireplay-ng -9 -a [BSSID] -i [RECEIVING INTERFACE] [INTERFACE TO TEST]

DEMO

-9 | Injection test. Long form is --test.
-a | MAC address of the access point (BSSID).
-i wlan1 | Interface name of the second card if you want to determine which attacks your card supports. This interface acts as an AP and receives packets.
interface | Interface to test injection.

Slide9

Airodump-ng (Sniffing for Local Access Points)

airodump-ng wlan0

Deciphering the output:

BSSID | The MAC address of the AP.
PWR | Signal strength. Note - some wireless drivers do not report this.
Beacons | Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality.
Data | Number of data frames received.
CH | Channel the AP is operating on. 0-12
MB | Maximum speed for the AP.
ENC | Encryption: OPN: no encryption, WEP: WEP encryption, WPA: WPA or WPA2 encryption.
ESSID | The network name. Sometimes hidden.

Slide10

Airodump-ng (Targeted Sniffing)

Now we know the details of the Access Point we wish to target, we can narrow down our output to just this BSSID.

airodump-ng --channel [CHANNEL] --bssid [BSSID] --write [FILE] [INTERFACE]

--channel | Channel the access point is broadcasting on.
--bssid | MAC address of the target access point.
--write | Writes the packet capture to a file.
interface | Interface you wish to use to start the packet capture.

Slide11

Airodump-ng Extended (Targeted Sniffing)

You should notice we now have a new area at the bottom of the output.

BSSID | The MAC of the AP the client is associated to.
STATION | The MAC of the client itself.
PWR | Signal strength.
PACKETS | Number of data frames received.
PROBES | Network names (ESSIDs) this client has probed.

Slide12

Obtaining the WPA Handshake (Hash).

If you are sniffing on a large network, you will find that you may obtain the handshake fairly quickly. You will know when the handshake has been obtained, as airodump-ng will inform you.

Slide13

Aireplay-ng (Deauthentication)

Aireplay-ng is another tool in the Aircrack-ng suite. The theory behind this is that we want to disconnect the device; then, when the client reconnects, we capture the handshake. Will a generic user know that this has happened? Probably not.

aireplay-ng --deauth [Disconnection Attempts] -a [AP MAC ADDRESS] -c [MAC ADDRESS TO TARGET] [INTERFACE]

DEMO

--deauth | ARP disconnection attack.
-a | MAC address of the target access point.
-c | Targeted MAC address.
interface | Interface you are using.

Slide14

“Cleaning” the Capture file.

Since we have a packet capture file (written during airodump-ng), we now need to clean the file. It needs to be in a format which hashcat understands.

CLI Commands:

locate cap2hccapx.bin (Locates the binary file)
mv /usr/lib/hashcat-utils/cap2hccapx.bin . (Moves the file to the current directory)
./cap2hccapx.bin [CAPTURE FILE] [CLEANED FILE NAME]

We should now have a cleaned file. We will leave this file until later, when we crack it.

Slide15

HASHCAT

Slide16

Hash Functions

Slide17

Hashcat Overview

Hashcat is the self-proclaimed world’s fastest password recovery tool.

It supports hundreds of hash formats, such as MD5, the SHA family, Unix crypt formats, MySQL (and many more).

It harnesses the power of GPUs for accelerated cracking (CUDA); it can be used with a CPU, however it is much slower.

Hashcat will take the hash and try to convert it back into the plain text equivalent.

Works on Windows, Linux and macOS.

Slide18

Hashcat Basics - Attack Modes

Hashcat comes with a number of attack modes:

  0 | Straight

  1 | Combination (Using Two Wordlists)

  3 | Brute-force (Using a defined character set)

  6 | Hybrid Wordlist + Mask

  7 | Hybrid Mask + Wordlist

Slide19

Hashcat Basics - Benchmarking

You can benchmark a hashing algorithm using hashcat. Throughout this tutorial video we will be using MD5 for demonstration purposes.

-b = Benchmark
-m = Hash number, e.g. 1700 or 0, or 8900 for scrypt

Command: hashcat -b -m 1700

Output:

1 kH/s is 1,000 (one thousand) hashes per second.
1 MH/s is 1,000,000 (one million) hashes per second.
1 GH/s is 1,000,000,000 (one billion) hashes per second.
1 TH/s is 1,000,000,000,000 (one trillion) hashes per second.
1 PH/s is 1,000,000,000,000,000 (one quadrillion) hashes per second.
1 EH/s is 1,000,000,000,000,000,000 (one quintillion) hashes per second.

Slide20

Hashcat Basics - Arguments

Arguments:

In order for the command to execute, you must provide the appropriate parameters.

Argument 1: -a (Attack mode: 0, 1, 3, 6, 7)
Argument 2: -m (Hash type, e.g. MD5, WPA)
Argument 3: Filename | Hash
Argument 4: Dictionary | Mask | Directory

Complete Command: hashcat -a 0 -m 2500 hashes.txt rockyou.txt

Slide21

Hashcat Basics - Straight Attack Mode (-a 0)

Using the google10000.txt wordlist (Google’s most searched for words), we will run a straight attack against the MD5 hashing algorithm. I have compiled pre-hashed MD5s to show the attack modes.

Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt

DEMO

Slide22

Hashcat Basics - Straight Attack Mode - Cracking the WPA Handshake

Using the cleaned hccapx file we created earlier, we will use the straight attack mode alongside a wordlist to crack the key. The hash type for a WPA handshake is 2500, not 0 (MD5).

Command: hashcat -a 0 -m 2500 cleaned google10000.txt

DEMO

Slide23

Hashcat Basics - Straight Attack Mode & Rules

Using the same attack mode, we will use a rule to alter the wordlist. The rule will be applied to every password in the wordlist, hashed and then compared to the hash file. Each rule file will generally contain hundreds of rules.

For example, one rule might change all of the A’s to 4’s, or perhaps all of the S’s to $’s.

Wordlist containing the following words: Password, Hashcat, Is, Awesome.
Rule alters the words: p4$$word, ha$hcat, is, 4we$some

A popular ruleset is best64.rule, which comes with hashcat.

Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt -r /usr/share/hashcat/rules/best64.rule

DEMO

Slide24

Hashcat Basics - Combinator Attack Mode (-a 1)

The combinator attack mode concatenates wordlists. It will try every combination of a word from the first wordlist followed by a word from the second.

If we had two wordlists:

Wordlist1: Hashcat, Is, Awesome.
Wordlist2: Random, Words, Combinator.
Combined: hashcatrandom, hashcatwords, hashcatcombinator etc.

Command: hashcat -a 1 -m 0 md5hashes.txt wordlist1.txt wordlist2.txt

DEMO

Slide25

Hashcat Basics - Combinator Utility

We can also just use the combinator utility to create a permanent, combined dictionary.

Commands:

mv /usr/lib/hashcat-utils/combinator.bin .
./combinator.bin google10000.txt google10000.txt > google10000combined.txt
cat google10000combined.txt

Now we can use this in the straight attack mode, since the dictionary is already combined.

hashcat -a 0 -m 0 md5hashes.txt google10000combined.txt

Slide26

Hashcat Basics - Brute-force (-a 3)

This is by far the slowest and most inefficient way of cracking any password.

Syntax:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Can also define custom character sets, using -1 [CHARACTERS].

Command: hashcat -a 3 -m 0 md5hashes.txt -1 ?l?d?s?u ?1?1?1?1?1?1 -w 3
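The brute-force slide and the benchmarking slide fit together: keyspace divided by benchmark rate is the worst-case time a mask run takes, which is the figure to use when judging whether a password policy (length, character classes) holds up. This added example, not from the slides, parses hashcat's mask syntax including the -1 .. -4 custom charsets and the kH/s .. EH/s units that hashcat -b prints; the rate values in the usage are constructed, not measured.

```python
import string

# hashcat's built-in charsets (?a is ?l?u?d?s, the 95 printable ASCII characters)
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "h": "0123456789abcdef", "H": "0123456789ABCDEF",
           "s": " " + string.punctuation}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

# Unit suffixes as shown by hashcat -b
RATE_UNITS = {"H/s": 1, "kH/s": 10**3, "MH/s": 10**6, "GH/s": 10**9,
              "TH/s": 10**12, "PH/s": 10**15, "EH/s": 10**18}

def expand_charset(spec, custom):
    """Expand a spec such as '?l?d?s?u' or 'abc?d' into its distinct characters."""
    chars, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.append("?")           # '??' is a literal question mark
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))    # de-duplicate, keep order

def mask_keyspace(mask, custom_specs=None):
    """Number of candidates a mask generates. custom_specs maps '1'..'4' to the
    strings given to -1 .. -4; a custom set may reference built-ins or earlier ones."""
    custom = {}
    for key, spec in (custom_specs or {}).items():
        custom[key] = expand_charset(spec, custom)
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1                          # literal character: one choice
    return total

def parse_rate(text):
    """Turn a benchmark figure such as '350.2 kH/s' into hashes per second."""
    value, unit = text.split()
    return float(value) * RATE_UNITS[unit]

def seconds_to_exhaust(mask, rate, custom_specs=None):
    """Worst case for hashcat -a 3: every candidate of the mask at the given rate."""
    return mask_keyspace(mask, custom_specs) / parse_rate(rate)
```

For the slide's own command, `mask_keyspace("?1?1?1?1?1?1", {"1": "?l?d?s?u"})` is 95**6 = 735,091,890,625 candidates, so at a constructed rate of 1 MH/s `seconds_to_exhaust` reports about 735,092 seconds (roughly 8.5 days), and every extra position multiplies that by 95.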

Slide27

Hashcat Basics - PACK (Password Analysis Toolkit)

Using PACK to analyze datasets, meaning PACK will look for the most common patterns within a password dataset and create a mask. To understand why this is useful we will need to give you an insight into what it actually does.

So the steps we will be following in sequence are:

analyzing a dataset using statsgen
creating a mask using maskgen
converting the mask to a hcmask file

As this takes some time I have prepared the files just for use in this demo.

Slide28

Hashcat Basics - PACK (Statsgen)

statsgen hashesorgwordlist --minlength=5 --maxlength=6 --hiderare -o hashesorg.masks

Breakdown:

statsgen hashesorgwordlist | First we are giving statsgen the dataset, in this case hashesorgwordlist.
--minlength=5 --maxlength=6 | Specifying the minimum and maximum length of the passwords we wish to analyse.
--hiderare | Hiderare just means do not show us statistics which are less than 1% of the data sample.
-o hashesorg.masks | The last part is just telling statsgen to output the stats to a mask file.

Slide29

Hashcat Basics - PACK (Maskgen)

Command: maskgen hashesorg.masks --optindex -o hashesorg.hcmask

Breakdown:

maskgen hashesorg.masks | First we are giving maskgen the masks file produced by statsgen, in this case hashesorg.masks.
--optindex | Default switch to sort the masks.
-o hashesorg.hcmask | Output file name, to then be given to hashcat.
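What statsgen and maskgen do under the hood, as an added example (my own simplified code, not PACK's): every password is reduced to its ?l/?u/?d/?s pattern, patterns are counted, the --minlength/--maxlength window and the 1% --hiderare cut-off are applied, and the surviving masks are written most-common-first in the one-mask-per-line form hashcat reads as a .hcmask. The SAMPLE list is constructed and stands in for the hashesorgwordlist used in the talk; the same analysis run over your own organisation's audit data shows which patterns a policy should forbid.

```python
import string
from collections import Counter

def password_mask(password):
    """Map each character to its hashcat class: ?l, ?u, ?d, or ?s for anything else."""
    classes = []
    for c in password:
        if c in string.ascii_lowercase:   classes.append("?l")
        elif c in string.ascii_uppercase: classes.append("?u")
        elif c in string.digits:          classes.append("?d")
        else:                             classes.append("?s")
    return "".join(classes)

def mask_stats(passwords, minlength=None, maxlength=None, hiderare=False):
    """statsgen-like summary: [(mask, count, percent)], most common first.
    minlength/maxlength drop passwords outside the length window;
    hiderare drops masks covering less than 1% of the selected sample."""
    selected = [p for p in passwords
                if (minlength is None or len(p) >= minlength)
                and (maxlength is None or len(p) <= maxlength)]
    counts = Counter(password_mask(p) for p in selected)
    rows = []
    for mask, n in counts.most_common():
        percent = 100.0 * n / len(selected)
        if hiderare and percent < 1.0:
            continue
        rows.append((mask, n, percent))
    return rows

def to_hcmask(rows):
    """One mask per line, most common first: what hashcat -a 3 reads as a .hcmask file."""
    return "".join(mask + "\n" for mask, _, _ in rows)

# Constructed sample standing in for the hashesorgwordlist dataset
SAMPLE = ["summer2019", "Winter19", "hunter2", "Passw0rd!", "qwerty", "letmein1",
          "Autumn18", "dragon", "abc123", "Spring20", "monkey", "iloveyou"]

if __name__ == "__main__":
    rows = mask_stats(SAMPLE, minlength=6, maxlength=8, hiderare=True)
    for mask, n, pct in rows:
        print(f"{mask:24} {n:3} {pct:5.1f}%")
    print(to_hcmask(rows), end="")
```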

Slide30

Hashcat Basics - Hybrid - Wordlist & Mask

A hybrid attack mode combines the elements we have already learned about: we are taking a wordlist and applying a mask to it, effectively concatenating characters to the end of the words.

Command: hashcat -a 6 -m 0 demohashes.txt google10000.txt hashesorg.hcmask

DEMO

Slide31

Hashcat Basics - Hybrid - Mask & Wordlist

This attack mode is the opposite of the last: we are appending a wordlist to a mask, so the mask file comes first and the wordlist second.

Command: hashcat -a 7 -m 0 md5hashes.txt /usr/share/hashcat/masks/rockyou-1-60.hcmask [WORDLIST] -O -w 3

DEMO

Slide32

ANY QUESTIONS?

Slide33

Gareth Kerr – Cyber Security/Rune Security

Contact:

T7145543@live.tees.ac.uk