WPA2
WPA2 was built from the ground up to provide a secure encryption system for wireless networks.
It implements an encryption protocol built specifically for wireless security called Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol (CCMP).
CCMP is built on the Advanced Encryption Standard (AES).
WPA and WPA2 support both personal and enterprise setups. WPA/WPA2 personal uses a pre-shared key, similar to WEP.
WPA/WPA2 enterprise adds an additional element called a Remote Authentication Dial-In User Service (RADIUS) server to manage client authentication.
The Enterprise Connection Process
In WPA/WPA2 enterprise networks, the client connection process comprises four steps. First the client and the access
point agree on mutually supported security protocols. Then, based on the authentication protocol chosen, the access point and the RADIUS server
exchange messages to generate a master key. Once a master key is generated, a message that authentication was successful is sent to the access point
and passed on to the client, and the master key is sent to the access point.
The access point and the client exchange and verify keys for mutual authentication, message encryption, and message integrity via a four-way hand-shake.
Following key exchange, traffic between the client and the access point is secured with WPA or WPA2.
The Personal Connection Process
The WPA/WPA2 personal connection process is slightly simpler than the enterprise one: No RADIUS server is required, and the entire process is
between the access point and the client. No authentication or master key step occurs, and instead of a RADIUS server and master key, WPA/WPA2 personal use pre-shared keys, which are generated using pre-shared passphrases.
The WPA/WPA2 personal passphrase that you enter when you connect to a secured network is static, whereas enterprise setups use dynamic keys
generated by the RADIUS server. Enterprise setups are more secure, but most personal networks and even most small businesses lack RADIUS servers.
The Four-Way Handshake
In the first phase of the connection between an access point and supplicant (client), a pairwise master key (PMK), which is static throughout the entire
session, is created. This is not the key that will be used for encryption itself, but it will be used during the second phase, where a four-way handshake
will take place between access point and client, with the purpose of establishing a channel of communication and exchanging the encryption keys
used for further data communication.
This PMK is generated from the following:
The passphrase (pre-shared key, or PSK)
The access point’s SSID
The SSID length
The number of hashing iterations (4096)
The resulting length in bits (256) of the generated shared key (PMK)
These values are fed into a hashing algorithm called PBKDF2, which
creates a 256-bit shared key (PMK). While your passphrase (PSK) may be
DonaldTrumpiscrazy, this is not the PMK that will be used in a second phase.
That said, anyone who knows the passphrase and the access point’s SSID
can use the PBKDF2 algorithm to generate the correct PMK. During the
four-way handshake, a pairwise transient key (PTK) is created and used to
encrypt traffic between the access point and the client; a group transient
key (GTK) is exchanged and used to encrypt broadcast traffic. The PTK is
made up of the following:
The shared key (the PMK)
A random number (nonce) from the access point (ANonce)
A nonce from the client (SNonce)
The MAC address of the client
The MAC address of the access point
These values are fed into the PBKDF2 hashing algorithm to create the PTK.
To generate the PTK, the access point and the client exchange MAC
addresses and nonces (random values). The static shared key (PMK) is never
sent over the air, because both the access point and the client know the passphrase (PSK) and, thus, can generate the shared key independently.
The shared nonces and MAC addresses are used by both the client and
the access point to generate the PTK. In the first step of the four-way hand-shake, the access point sends its nonce (ANonce). Next, the client chooses
a nonce, generates the PTK, and sends its nonce (SNonce) to the access point.
(The S in SNonce stands for supplicant, another name for the client in a wireless setup.)
In addition to sending its nonce, the client sends a message integrity
code (MIC) to guard against forgery attacks. In order to compute the correct
MIC, the passphrase used to generate the pre-shared key must be correct, or
the PTK will be wrong. The access point independently generates the PTK
based on the SNonce and MAC address sent by the client, then checks the
MIC sent by the client. If it’s correct, the client has authenticated successfully,
and the access point sends over the GTK plus the MIC to the client.
In the fourth part of the handshake, the client acknowledges the GTK.
Cracking WPA/WPA2 Keys
Unlike WEP, the cryptographic algorithms used in WPA and WPA2 are
robust enough to stop attackers from recovering the key simply by capturing enough traffic and performing cryptanalysis.
The Achilles’ heel in WPA/WPA2 personal networks lies in the quality of the pre-shared key
(passphrase) used. If the Windows Administrator password you found during
post exploitation is the same as the WPA or WPA2 personal passphrase or
the passphrase is written on a whiteboard in the front office of the organization, it’s game over.
To try to guess a weak password, we first need to capture the four-way
handshake for analysis. Recall that given the correct passphrase and the
SSID of the access point, the PBKDF2 hashing algorithm can be used to
generate the shared key (PMK). Given the PMK, we still need the ANonce,
SNonce, and the MAC addresses of the access point and client to calculate
the PTK. Of course, the PTK will differ for each client, because the nonces
will differ in each four-way handshake, but if we can capture a four-way
handshake from any legitimate client, we can use its MAC addresses and
nonces to calculate the PTK for a given passphrase. For example, we can
use the SSID and the passphrase password to generate a PMK, then combine the generated PMK with the captured nonces and MAC addresses to
calculate a PTK. If the MICs comes out like the ones in the captured handshake, we know that password is the correct passphrase. This technique can
be applied to a wordlist of possible passphrases to try to guess the correct passphrase. Luckily, if we can capture a four-way handshake and supply a
wordlist, we have Aircrack-ng to take care of all the math.
Using Aircrack-ng to Crack WPA/WPA2 Keys
To use Aircrack-ng to crack WPA/WPA2, first set up your wireless access
point for WPA2 personal. Choose a pre-shared key (passphrase) and then
connect your host system to your access point to simulate a real client.
To use a wordlist to try to guess the WPA2 pre-shared key (passphrase),
we need to capture the four-way handshake. Enter airodump-ng -c 6 for the
channel, --bssid with the base station MAC address, -w to specify the filename
for output and mon0 for the monitor interface.
root@kali:~# airodump-ng -c 6 --bssid 00:23:69:F5:B4:2B -w akitatest mon0
CH 6 ][ Elapsed: 4 s ][ 2018-08-05 10:06
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E
00:23:69:F5:B4:2B -43 100 66 157 17 6 54 . WPA2 CCMP PSK 1
BSSID STATION PWR Rate Lost Frames Probe
00:23:69:F5:B4:2B 70:56:81:B2:F0:53 -33 54-54 15 168
As you can see the host is connected. To capture a four-way hand-
shake, we can either wait for another wireless client to sign on or speed up
the process by kicking a client off the network and forcing it to reconnect.
To force a client to reconnect, use Aireplay-ng to send a message to a
connected client telling it that it is no longer connected to the access point.
When the client reauthenticates, we’ll capture the four-way handshake
between the client and access point. The Aireplay-ng options we’ll need are:
-0 means deauthentication.
1 is the number of deauthentication requests to send.
-a 00:14:6C:7E:40:80 is the MAC address of the base station.
-c 00:0F:B5:FD:FB:C2 is the MAC address of the client to deauthenticate.
root@kali:~# aireplay-ng -0 1 -a 00:23:69:F5:B4:2B -c 70:56:81:B2:F0:53 mon0
16:35:11 Waiting for beacon frame (BSSID: 00:23:69:F5:B4:2B) on channel 6
16:35:14 Sending 64 directed DeAuth. STMAC: [70:56:81:B2:F0:53] [24|66 ACKs]
Now we return to the Airodump-ng window.
CH 6 ][ Elapsed: 2 mins ][ 2018-08-05 10:45 ][ WPA handshake: 00:23:69:F5:B4:2B
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:23:69:F5:B4:2B -51 100 774 363 18 6 54 . WPA2 CCMP PSK linksys
BSSID STATION PWR Rate Lost Frames Probe
00:23:69:F5:B4:2B 70:56:81:B2:F0:53 -29 1 - 1 47 457
If the Airodump-ng capture sees a four-way handshake with a client, it
records it in the first line of the captured output.
Once you’ve captured the WPA2 handshake, close Airodump-ng, and
open the .cap file in Wireshark with File > Open > filename.cap. Once in
Wireshark, filter for the eapol protocol to see the four packets that make
up the handshake.
Now we create a wordlist. making sure that the correct WPA2 key is included in the list.
The success of our attack against WPA2 is contingent on our ability to compare the hashed
values for our passphrase with the values in the handshake.
Once we have the handshake, we can do the rest of the calculations
to recover the key offline; we no longer need to be in range of the access
point or send it any packets. Next we use Aircrack-ng to test the keys in
the wordlist, specifying a list with the -w option.
Otherwise, the command is identical to cracking the WEP key.
If the correct key is in the wordlist, it will be recovered with Aircrack-ng.
root@kali:~# aircrack-ng -w password.lst -b 00:23:69:F5:B4:2B akitatest*.cap
Aircrack-ng is just one suite of tools for cracking wireless. It is ideal for
beginners, because starting different tools for each step of the process will
help you become familiar with how these attacks work. Other widely used
Wi-Fi auditing tools that you may encounter are Kismet and Wifite.