WPA Cracking && Hashcat.


WPA Cracking && Hashcat. Gareth Kerr – Cyber Security/Rune Security Contact: T7145543@live.tees.ac.uk

Wireless Communication Info
  Operates using Radio Frequency (RF) technology.
  IEEE 802.11 is a set of standards for the implementation of wireless LAN networks, otherwise known as Wi-Fi.
  Operates on the 2.4 GHz and 5 GHz frequency bands.
  Supports up to 13 channels.
  Various encryption methods implemented.

Kali Linux
Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.
  Download link for Kali: https://www.kali.org/downloads/
  Exploit Database: https://www.exploit-db.com

What’s Aircrack-ng?
Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security:
  Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  Attacking:  Replay attacks, deauthentication, fake access points and others via packet injection.
  Testing:    Checking WiFi cards and driver capabilities (capture and injection).
  Cracking:   WEP (deprecated) and WPA PSK (WPA 1 and 2).

Interface Configuration (ifconfig / iwconfig)
Wireless interface modes, as reported by iwconfig:
  Managed   Node connects to a network composed of many Access Points, with roaming.
  Ad-Hoc    Network composed of only one cell and without an Access Point.
  Master    The node is the synchronisation master or acts as an Access Point.
  Repeater  The node forwards packets between other wireless nodes.
  Monitor   The node is not associated with any cell and passively monitors all packets on the frequency.

Interface Configuration (ifconfig / iwconfig)
CLI commands:
  ifconfig wlan0 down          (brings the interface wlan0 down)
  iwconfig wlan0 mode monitor  (changes the interface operating mode to monitor)
  ifconfig wlan0 up            (brings the interface wlan0 up)
  iwconfig                     (shows the current mode of each wireless interface, to confirm the change)
  airmon-ng check kill         (kills any processes that may be using the wireless card)
DEMO

MAC Spoofing using “macchanger”
Anatomy of a MAC address: 00:00:8f:13:b6:84 is VENDOR (00:00:8f) followed by UNIQUE ID (13:b6:84).
  macchanger --random wlan0                  (changes the MAC to a randomly assigned MAC address)
  macchanger -l                              (lists all known MAC vendors)
  macchanger --mac=00:00:8f:13:b6:84 wlan0   (changes to a specific MAC address)
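The VENDOR / UNIQUE ID split above can be checked in code. The following is an added example (not part of the slides): it breaks a MAC address into its OUI and NIC halves and reads the two flag bits of the first octet. The U/L (locally administered) bit is the one an auditor cares about: a vendor-assigned, burned-in address has it clear, while software-assigned addresses normally have it set (my understanding is that macchanger's random mode sets it unless told to mimic a burned-in address; treat that as an assumption to verify against `macchanger --help`). The second address in the demo is constructed.

```python
# Added example, not from the slides: split a MAC into VENDOR (OUI) and UNIQUE ID
# halves and read the I/G and U/L flag bits of the first octet.
import re

MAC_RE = re.compile(r"^" + r"([0-9a-fA-F]{2})[:-]" * 5 + r"([0-9a-fA-F]{2})$")

def parse_mac(mac: str) -> dict:
    """Break a MAC like 00:00:8f:13:b6:84 into its parts and flag bits."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(x, 16) for x in m.groups()]
    first = octets[0]
    return {
        "oui": ":".join(f"{o:02x}" for o in octets[:3]),   # VENDOR: first three octets
        "nic": ":".join(f"{o:02x}" for o in octets[3:]),   # UNIQUE ID: last three octets
        "multicast": bool(first & 0x01),                   # bit 0 of octet 0: I/G (group) bit
        "locally_administered": bool(first & 0x02),        # bit 1 of octet 0: U/L bit
    }

def looks_spoofed(mac: str) -> bool:
    """Audit heuristic: a unicast address with the U/L bit set was not assigned by a vendor."""
    info = parse_mac(mac)
    return info["locally_administered"] and not info["multicast"]

if __name__ == "__main__":
    # second address is constructed: same NIC half as the slide's example, U/L bit set
    for addr in ("00:00:8f:13:b6:84", "02:00:8f:13:b6:84"):
        print(addr, parse_mac(addr), "spoofed?", looks_spoofed(addr))
```

The heuristic is only a hint: some operating systems randomise client MACs for privacy and set the same bit, so a hit means "not a vendor address", not "attacker".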

Testing Injection Capability of the Wireless Card
Command: aireplay-ng -9 -a [BSSID] -i [RECEIVING INTERFACE] [INTERFACE TO TEST]
DEMO
  -9          Injection test. Long form is --test.
  -a          MAC address of the access point (BSSID).
  -i wlan1    Interface name of the second card, if you want to determine which attacks your card supports. This interface acts as an AP and receives packets.
  interface   Interface to test injection on.

Airodump-ng (Sniffing for Local Access Points)
Command: airodump-ng wlan0   (wlan0 in monitor mode, as configured on the previous slides)
Deciphering the output:
  BSSID    The MAC address of the AP.
  PWR      Signal strength. Note: some wireless drivers do not report this.
  Beacons  Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality.
  Data     Number of data frames received.
  CH       Channel the AP is operating on (0-12).
  MB       Maximum speed supported by the AP.
  ENC      Encryption: OPN = no encryption, WEP = WEP encryption, WPA = WPA or WPA2 encryption.
  ESSID    The network name (sometimes hidden).

Airodump-ng (Targeted Sniffing)
Now we know the details of the access point we wish to target, we can narrow down the output to just this BSSID.
Command: airodump-ng --channel [CHANNEL] --bssid [BSSID] --write [FILE PREFIX] [INTERFACE]
  --channel  Channel the access point is broadcasting on.
  --bssid    MAC address of the target access point.
  --write    Writes the packet capture to files with the given prefix.
  interface  Interface you wish to use to start the packet capture.

Airodump-ng Extended (Targeted Sniffing)
You should notice we now have a new area at the bottom of the output, listing the clients seen:
  BSSID    The MAC of the AP the client is associated to.
  STATION  The MAC of the client itself.
  PWR      Signal strength.
  PACKETS  Number of data frames received.
  PROBES   Network names (ESSIDs) this client has probed.
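Reading these two tables by eye is fine for a demo, but when `--write` is used airodump-ng also writes them to `<prefix>-01.csv`, which a wireless audit can parse. The following is an added example, not from the slides or from the aircrack-ng project: a small parser for that CSV that returns the AP table and the client table as dictionaries, flags APs advertising OPN or WEP, and flags clients probing for many networks. The column layout is my reading of the airodump-ng CSV format, and the sample capture below is constructed, not real data.

```python
# Added example, not from the slides: parse airodump-ng's <prefix>-01.csv output
# so the AP and STATION tables can be audited from a script.
# Column layout (as I understand the format):
#   AP rows:      BSSID, first seen, last seen, channel, speed, privacy, cipher, auth,
#                 power, beacons, IVs, LAN IP, ID-length, ESSID, key
#   Station rows: MAC, first seen, last seen, power, packets, BSSID, probed ESSIDs (comma separated)

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2016-05-01 10:00:00, 2016-05-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  300,   0.  0.  0.  0,   7, TestNet,
66:77:88:99:AA:BB, 2016-05-01 10:00:10, 2016-05-01 10:05:00, 11,  54, OPN,  ,  , -70,   30,    0,   0.  0.  0.  0,   9, GuestOpen,
AA:BB:CC:DD:EE:FF, 2016-05-01 10:00:20, 2016-05-01 10:05:00,  1,  11, WEP, WEP, , -55,   80,  900,   0.  0.  0.  0,   6, OldCam,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2016-05-01 10:01:00, 2016-05-01 10:05:00, -50,  200, 00:11:22:33:44:55, TestNet
AA:BB:CC:DD:EE:02, 2016-05-01 10:02:00, 2016-05-01 10:05:00, -60,   15, (not associated), HomeWifi,CoffeeShop,Airport
"""  # constructed sample, not a real capture

def parse_airodump_csv(text):
    """Return (aps, stations) from the text of an airodump-ng CSV file."""
    aps, stations, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        if section == "ap":
            f = [x.strip() for x in line.split(",")]
            aps.append({"bssid": f[0], "channel": int(f[3]), "privacy": f[5],
                        "power": int(f[8]), "beacons": int(f[9]), "essid": f[13]})
        elif section == "sta":
            f = [x.strip() for x in line.split(",", 6)]   # probes field may itself contain commas
            probes = [p.strip() for p in f[6].split(",") if p.strip()] if len(f) > 6 else []
            stations.append({"mac": f[0], "power": int(f[3]), "packets": int(f[4]),
                             "bssid": f[5], "probes": probes})
    return aps, stations

def weak_aps(aps):
    """APs whose ENC column is OPN or WEP: no encryption, or encryption that is broken."""
    return [ap for ap in aps if ap["privacy"] in ("OPN", "WEP")]

def noisy_probers(stations, min_probes=3):
    """Clients that probe for many remembered networks (they will happily join a look-alike AP)."""
    return [st["mac"] for st in stations if len(st["probes"]) >= min_probes]

def audit(text=SAMPLE_CSV):
    aps, stations = parse_airodump_csv(text)
    return {"aps": len(aps), "stations": len(stations),
            "weak": [ap["essid"] for ap in weak_aps(aps)],
            "noisy_probers": noisy_probers(stations)}

if __name__ == "__main__":
    print(audit())
```

For a real audit the same parser runs over every `<prefix>-NN.csv` that a long capture produces; the "weak" list is what a site survey is usually looking for, and the prober list is the set of clients worth a reminder to forget old networks.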

Obtaining the WPA Handshake (Hash)
If you are sniffing on a large network, you will find that you may obtain the handshake fairly quickly. You will know when the handshake has been obtained, as airodump-ng will inform you.

Aireplay-ng (Deauthentication)
Aireplay-ng is another tool in the Aircrack-ng suite. The theory behind this is that we want to disconnect the device; then, when the client reconnects, we capture the handshake. Will a generic user know that this has happened? Probably not.
Command: aireplay-ng --deauth [DISCONNECTION ATTEMPTS] -a [AP MAC ADDRESS] -c [MAC ADDRESS TO TARGET] [INTERFACE]
DEMO
  --deauth   ARP disconnection attack.
  -a         MAC address of the target access point.
  -c         Targeted MAC address (the client).
  interface  Interface you are using.

“Cleaning” the Capture File
Since we now have a packet capture file (written by airodump-ng with --write), we need to clean it: it needs to be in a format which hashcat understands (.hccapx).
CLI commands:
  locate cap2hccapx.bin                                 (locates the binary file)
  mv /usr/lib/hashcat-utils/cap2hccapx.bin .            (moves the file to the current directory)
  ./cap2hccapx.bin [CAPTURE FILE] [CLEANED FILE NAME]   (converts the capture to the hccapx format)
We should now have a cleaned file. We will leave this file until later, when we crack it.

HASHCAT

Hash Functions

Hashcat Overview
Hashcat is the self-proclaimed world’s fastest password recovery tool. It supports hundreds of hash formats, such as MD5, the SHA family, Unix crypt formats, MySQL and many more. It harnesses the power of GPUs for accelerated cracking (CUDA); it can be used with a CPU, however that is much slower. Hashcat will take the hash and try to recover the plain text equivalent. Works on Windows, Linux and Mac OS.

Hashcat Basics - Attack Modes
Hashcat comes with a number of attack modes:
  0 | Straight
  1 | Combination (using two wordlists)
  3 | Brute-force (using a defined character set)
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist

Hashcat Basics - Benchmarking
You can benchmark a hashing algorithm using hashcat. Throughout this tutorial video we will be using MD5 for demonstration purposes.
  -b  Benchmark
  -m  Hash-type number, e.g. 0 (MD5), 1700, or 8900 (scrypt)
Command: hashcat -b -m 1700
Output units:
  1 kH/s is 1,000 (one thousand) hashes per second.
  1 MH/s is 1,000,000 (one million) hashes per second.
  1 GH/s is 1,000,000,000 (one billion) hashes per second.
  1 TH/s is 1,000,000,000,000 (one trillion) hashes per second.
  1 PH/s is 1,000,000,000,000,000 (one quadrillion) hashes per second.
  1 EH/s is 1,000,000,000,000,000,000 (one quintillion) hashes per second.

Hashcat Basics - Arguments
In order for the command to execute, you must provide the appropriate parameters:
  Argument 1: -a  (attack mode: 0, 1, 3, 6 or 7)
  Argument 2: -m  (hash type, e.g. 0 for MD5, 2500 for WPA)
  Argument 3: filename | hash
  Argument 4: dictionary | mask | directory
Complete command: hashcat -a 0 -m 2500 hashes.txt rockyou.txt

Hashcat Basics - Straight Attack Mode (-a 0)
Using the google10000.txt wordlist (Google’s most searched-for words), we will run a straight attack against MD5 hashes. I have compiled pre-hashed MD5s to show the attack modes.
Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt
DEMO

Hashcat Basics - Straight Attack Mode – Cracking the WPA Handshake
Using the cleaned .hccapx file we created earlier, we will use the straight attack mode alongside a wordlist to crack the key. Note the hash type: a WPA/WPA2 handshake is -m 2500, not -m 0 (MD5).
Command: hashcat -a 0 -m 2500 cleaned google10000.txt
DEMO
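What hashcat has to do for every word in that list is derive the WPA Pairwise Master Key from the candidate passphrase and the network's SSID; the following is an added example (not from the slides or from hashcat) of that derivation, which IEEE 802.11i defines as PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 32-byte output. Two things follow for a defender: each guess costs two blocks of 4096 HMAC-SHA1 rounds, which is why the -b figures for mode 2500 are in kH/s while MD5 is in GH/s, and the SSID salts the key, so a precomputed table built for one SSID is useless against another (a reason not to keep a default SSID). The assertion uses the "password"/"IEEE" test vector from the 802.11i annex; the CPU rate function is only a rough comparison and its candidate strings are constructed.

```python
# Added example, not from the slides: the passphrase -> PMK step hashcat mode 2500
# repeats for every candidate, plus a rough CPU rate to compare with hashcat -b.
import hashlib
import time

ITERATIONS = 4096   # fixed by IEEE 802.11i; this is what makes each guess expensive
PMK_LEN = 32        # bytes; larger than one SHA1 output, so PBKDF2 runs two blocks per guess

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32) for WPA/WPA2-PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               ITERATIONS, dklen=PMK_LEN)

def wpa_pmk_hex(passphrase: str, ssid: str) -> str:
    return wpa_pmk(passphrase, ssid).hex()

def hmac_rounds_per_guess() -> int:
    """HMAC-SHA1 invocations needed per candidate: two PBKDF2 blocks of 4096 rounds."""
    blocks = -(-PMK_LEN // hashlib.sha1().digest_size)   # ceil(32 / 20) = 2
    return blocks * ITERATIONS

def pmk_rate(ssid: str = "ExampleSSID", samples: int = 20) -> float:
    """Approximate single-core guesses per second for the PMK derivation (constructed candidates)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i:08d}", ssid)
    return samples / (time.perf_counter() - start)

def md5_rate(samples: int = 200_000) -> float:
    """Same measurement for plain MD5, to show the cost gap the slides mention."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.md5(f"candidate{i:08d}".encode()).digest()
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    print("PMK for 'password' on SSID 'IEEE':", wpa_pmk_hex("password", "IEEE"))
    print("HMAC-SHA1 rounds per WPA guess:", hmac_rounds_per_guess())
    print(f"this CPU: ~{pmk_rate():.0f} WPA guesses/s vs ~{md5_rate():.0f} MD5 hashes/s")
```

Because the salt is the SSID and not a per-user random value, every client of one network shares the same PMK for the same passphrase; the only lever the network owner has is passphrase length and randomness.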

Hashcat Basics - Straight Attack Mode & Rules
Using the same attack mode, we will use a rule to alter the wordlist. The rule will be applied to every password in the wordlist, and each result is hashed and then compared to the hash file. A rule file will generally contain hundreds of rules. For example, one rule might change all of the A’s to 4’s, or perhaps all of the S’s to $’s.
  Wordlist containing the following words: Password, Hashcat, Is, Awesome.
  Rule alters the words to: p4$$word, ha$hcat, is, 4we$some.
A popular ruleset is best64.rule, which comes with hashcat.
Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt -r /usr/share/hashcat/rules/best64.rule
DEMO
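The straight mode loop with rules is short enough to write out. Below is an added example, not from the slides and not hashcat's code: a small interpreter for a subset of hashcat's rule functions (`:`, `l`, `u`, `c`, `t`, `r`, `d`, `[`, `]`, `$X`, `^X`, `sXY`), and the hash-and-compare loop that applies every rule to every word and checks the MD5 against the target set. The rule file and the target hashes are constructed for the demo (in practice the hashes come from md5hashes.txt); the rule `l sa4 ss$` gives the slide's `p4$$word` and `l ss$` gives `ha$hcat`. For a defender the point is the second half of the output: a leetspeak substitution costs an attacker one extra rule line, so it adds almost nothing to a password.

```python
# Added example, not from the slides: a subset of hashcat's rule language plus the
# -a 0 straight attack loop (hash each candidate, compare against the target set).
import hashlib

NOARG = {                                              # rule functions that take no argument
    ":": lambda w: w,                                   # do nothing
    "l": str.lower,                                     # lowercase all
    "u": str.upper,                                     # uppercase all
    "c": lambda w: w[:1].upper() + w[1:].lower(),       # capitalise first letter, lower the rest
    "t": str.swapcase,                                  # toggle case
    "r": lambda w: w[::-1],                             # reverse
    "d": lambda w: w * 2,                               # duplicate
    "[": lambda w: w[1:],                               # delete first character
    "]": lambda w: w[:-1],                              # delete last character
}

def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line (functions separated by optional spaces) to a word."""
    i = 0
    while i < len(rule):
        ch = rule[i]
        if ch == " ":
            i += 1
        elif ch in NOARG:
            word = NOARG[ch](word)
            i += 1
        elif ch == "$":                                 # $X: append X
            word = word + rule[i + 1]
            i += 2
        elif ch == "^":                                 # ^X: prepend X
            word = rule[i + 1] + word
            i += 2
        elif ch == "s":                                 # sXY: replace every X with Y
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
    return word

def load_rules(text: str) -> list:
    """One rule per line; blank lines and # comments are skipped, as in hashcat rule files."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def straight_attack(target_hashes, wordlist, rules=(":",)):
    """-a 0 with -r: returns ({hash: (plaintext, rule, base word)}, candidates tried)."""
    pending = {h.lower() for h in target_hashes}
    found, tried = {}, 0
    for rule in rules:
        for word in wordlist:
            candidate = apply_rule(rule, word)
            tried += 1
            h = md5_hex(candidate)
            if h in pending:
                found[h] = (candidate, rule, word)
                pending.discard(h)
                if not pending:
                    return found, tried
    return found, tried

# Constructed demo data: the slide's four words, a best64-style rule file, and
# the MD5s of three "leaked" passwords (in practice these come from md5hashes.txt).
WORDLIST = ["Password", "Hashcat", "Is", "Awesome"]
RULES_TEXT = """\
# constructed rule file in the style of best64.rule (not best64.rule itself)
:
l sa4 ss$
l ss$
c $1
"""
TARGETS = [md5_hex(p) for p in ("p4$$word", "ha$hcat", "Awesome1")]

def demo() -> dict:
    """Map each recovered plaintext to the rule that produced it."""
    found, _ = straight_attack(TARGETS, WORDLIST, load_rules(RULES_TEXT))
    return {plain: rule for plain, rule, _ in found.values()}

if __name__ == "__main__":
    for plain, rule in demo().items():
        print(f"{plain!r:12} recovered with rule {rule!r}")
```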

Hashcat Basics – Combinator Attack Mode (-a 1)
The combinator attack mode concatenates two wordlists: it tries every word of the first list followed by every word of the second. If we had two wordlists:
  Wordlist1: Hashcat, Is, Awesome.
  Wordlist2: Random, Words, Combinator.
  Combined: hashcatrandom, hashcatwords, hashcatcombinator, etc.
Command: hashcat -a 1 -m 0 md5hashes.txt wordlist1.txt wordlist2.txt
DEMO

Hashcat Basics – Combinator Utility
We can also just use the combinator utility from hashcat-utils to create a permanent, combined dictionary.
Commands:
  mv /usr/lib/hashcat-utils/combinator.bin .
  ./combinator.bin google10000.txt google10000.txt > google10000combined.txt
  cat google10000combined.txt
Now we can use this in the straight attack mode, since the dictionary is already combined:
  hashcat -a 0 -m 0 md5hashes.txt google10000combined.txt

Hashcat Basics – Brute-force (-a 3)
This is by far the slowest and most inefficient way of cracking any password.
Mask syntax (built-in character sets):
  ?l = abcdefghijklmnopqrstuvwxyz
  ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  ?d = 0123456789
  ?h = 0123456789abcdef
  ?H = 0123456789ABCDEF
  ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
You can also define custom character sets using -1 [CHARACTERS], which the mask then references as ?1.
Command: hashcat -a 3 -m 0 md5hashes.txt -1 ?l?d?s?u ?1?1?1?1?1?1 -w 3

Hashcat Basics – PACK (Password Analysis Toolkit)
We use PACK to analyse datasets: PACK looks for the most common patterns within a password dataset and creates masks from them. To understand why this is useful, we need to look at what it actually does. The steps we will follow, in sequence, are: analysing a dataset using statsgen, creating masks using maskgen, and converting the masks to a .hcmask file. As this takes some time, I have prepared the files for use in this demo.

Hashcat Basics – PACK (Statsgen)
Command: statsgen hashesorgwordlist --minlength=5 --maxlength=6 --hiderare -o hashesorg.masks
Breakdown:
  statsgen hashesorgwordlist    First we give statsgen the dataset, in this case hashesorgwordlist.
  --minlength=5 --maxlength=6   Specifies the minimum and maximum length of the passwords we wish to analyse.
  --hiderare                    Do not show statistics for patterns that make up less than 1% of the data sample.
  -o hashesorg.masks            Tells statsgen to output the stats to a masks file.

Hashcat Basics – PACK (Maskgen)
Command: maskgen hashesorg.masks --optindex -o hashesorg.hcmask
Breakdown:
  maskgen hashesorg.masks   First we give maskgen the masks file produced by statsgen.
  --optindex                Sorts the masks by optimal index.
  -o hashesorg.hcmask       Output file name, to then be given to hashcat.
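The two PACK steps above are simple enough to reimplement in a few dozen lines, which is the quickest way to see why they matter: run over a real leak, a handful of masks cover most passwords. The following is an added example, not the slides' material and not PACK's code: a mini statsgen that turns each password into a `?l?u?d?s` mask and tallies masks with the same `--minlength`, `--maxlength` and `--hiderare` filtering, and a mini maskgen that orders the masks by cost per covered password (my simplified version of what PACK calls the optimal index) and emits hcmask lines. The password list is constructed; the output file formats (`mask,count` for statsgen, one mask per line for hcmask) are my assumptions about PACK's files, not verified against it.

```python
# Added example, not from the slides or from PACK: a minimal statsgen + maskgen.
from collections import Counter

CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}   # sizes from the brute-force slide

def password_mask(pw: str) -> str:
    """'Passw0rd' -> '?u?l?l?l?l?d?l?l': one charset token per character."""
    tokens = []
    for ch in pw:
        if "a" <= ch <= "z":
            tokens.append("?l")
        elif "A" <= ch <= "Z":
            tokens.append("?u")
        elif "0" <= ch <= "9":
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)

def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask of built-in charsets expands to."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CHARSET_SIZE[mask[i:i + 2]]
    return n

def statsgen(passwords, minlength=None, maxlength=None, hiderare=0.0):
    """Tally masks; return [(mask, count, percent)] sorted by count, dropping masks under hiderare %."""
    counts, total = Counter(), 0
    for pw in passwords:
        if minlength is not None and len(pw) < minlength:
            continue
        if maxlength is not None and len(pw) > maxlength:
            continue
        counts[password_mask(pw)] += 1
        total += 1
    if total == 0:
        return []
    rows = [(mask, c, 100.0 * c / total) for mask, c in counts.items() if 100.0 * c / total >= hiderare]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows

def masks_file_text(rows) -> str:
    """Assumed statsgen output format: 'mask,count' per line."""
    return "".join(f"{mask},{count}\n" for mask, count, _ in rows)

def maskgen(rows) -> list:
    """Order masks by keyspace per covered password (lower is better); a simplified optindex."""
    ranked = sorted(rows, key=lambda r: mask_keyspace(r[0]) / r[1])
    return [mask for mask, _, _ in ranked]

def hcmask_text(masks) -> str:
    """hcmask files are one mask per line."""
    return "".join(m + "\n" for m in masks)

# Constructed sample "leak"; two entries fall outside the 6-8 length window used below.
SAMPLE_PASSWORDS = ["summer16", "winter16", "hunter22", "monkey12", "Summer16", "Winter99",
                    "qwerty", "letmein", "abc123", "P@ss12", "12345", "administrator"]

def demo():
    rows = statsgen(SAMPLE_PASSWORDS, minlength=6, maxlength=8, hiderare=15)
    return maskgen(rows)

if __name__ == "__main__":
    rows = statsgen(SAMPLE_PASSWORDS, minlength=6, maxlength=8, hiderare=15)
    for mask, count, pct in rows:
        print(f"{mask:24} {count:3} {pct:5.1f}%  keyspace {mask_keyspace(mask):,}")
    print(hcmask_text(maskgen(rows)), end="")
```

Running this against your own organisation's password history (with the hashes, not the plaintexts, already in hand) is a cheap way to measure how much of it sits in a few masks, which is exactly the ordering an attacker feeds to -a 3.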

Hashcat Basics – Hybrid – Wordlist & Mask (-a 6)
A hybrid attack mode combines the elements we have already learned about: we take a wordlist and apply a mask to it, effectively concatenating characters to the end of each word.
Command: hashcat -a 6 -m 0 demohashes.txt google10000.txt hashesorg.hcmask
DEMO

Hashcat Basics – Hybrid – Mask & Wordlist (-a 7)
This attack mode is the opposite of the last: the mask comes first and the wordlist is appended to it, so the generated characters are prepended to each word.
Command: hashcat -a 7 -m 0 md5hashes.txt /usr/share/hashcat/masks/rockyou-1-60.hcmask google10000.txt -O -w 3
DEMO
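The candidate orderings of modes 1, 3, 6 and 7 from the last few slides, and the keyspace arithmetic behind the benchmark slide, fit in one added example (not from the slides and not hashcat's code): a mask parser that understands the built-in charsets and a `-1`-style custom charset, a keyspace function, plain generators for combinator, brute-force and both hybrid modes, and a worst-case time estimate at a given H/s. The wordlists and rates in the demo are constructed. The useful number for a defender is the last one: the slide's six-position `?l?d?s?u` mask is 95^6 candidates, minutes of MD5 at GH/s but months of WPA at kH/s, which is the whole argument for long passphrases.

```python
# Added example, not from the slides: hashcat attack modes 1, 3, 6 and 7 as
# generators, plus keyspace and time-to-exhaust arithmetic for masks.
import itertools
import string

BUILTIN = {                                   # charset sizes match the brute-force slide
    "l": string.ascii_lowercase,              # 26
    "u": string.ascii_uppercase,              # 26
    "d": string.digits,                       # 10
    "h": "0123456789abcdef",                  # 16
    "H": "0123456789ABCDEF",                  # 16
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",  # 33 printable specials, space first
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]   # 95

def expand_charset(spec: str) -> list:
    """'?l?d' or 'abc?d' -> concrete characters without duplicates (for -1/-2/... definitions)."""
    chars, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec) and spec[i + 1] in BUILTIN:
            chars.extend(BUILTIN[spec[i + 1]])
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return list(dict.fromkeys(chars))

def parse_mask(mask: str, custom=None) -> list:
    """'?1?1?d' -> per-position character lists; custom maps '1' to a charset spec (hashcat's -1)."""
    custom = {k: expand_charset(v) for k, v in (custom or {}).items()}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                positions.append(["?"])                 # '??' is a literal question mark
            elif key in custom:
                positions.append(custom[key])
            elif key in BUILTIN:
                positions.append(list(BUILTIN[key]))
            else:
                raise ValueError(f"unknown charset ?{key} in mask {mask!r}")
            i += 2
        else:
            positions.append([mask[i]])                 # literal character
            i += 1
    return positions

def mask_keyspace(mask: str, custom=None) -> int:
    n = 1
    for chars in parse_mask(mask, custom):
        n *= len(chars)
    return n

def brute_force(mask, custom=None):                   # -a 3
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)

def combinator(left, right):                          # -a 1: every left word + every right word
    for a in left:
        for b in right:
            yield a + b

def hybrid_wordlist_mask(words, mask, custom=None):   # -a 6: word, then mask characters
    for w in words:
        for tail in brute_force(mask, custom):
            yield w + tail

def hybrid_mask_wordlist(mask, words, custom=None):   # -a 7: mask characters, then word
    for head in brute_force(mask, custom):
        for w in words:
            yield head + w

def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a benchmark rate (e.g. from hashcat -b)."""
    return keyspace / hashes_per_second

if __name__ == "__main__":
    ks = mask_keyspace("?1?1?1?1?1?1", {"1": "?l?d?s?u"})   # the slide's -a 3 command
    print(f"{ks:,} candidates")
    print(f"MD5 at 1 GH/s: {seconds_to_exhaust(ks, 1e9) / 60:.1f} minutes")      # constructed rates
    print(f"WPA at 100 kH/s: {seconds_to_exhaust(ks, 1e5) / 86400:.0f} days")
    print(list(combinator(["hashcat", "is"], ["random", "words"])))
    print(list(hybrid_wordlist_mask(["summer"], "?d?d"))[:3], list(hybrid_mask_wordlist("?u", ["pass"]))[:3])
```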

ANY QUESTIONS?

Gareth Kerr – Cyber Security/RuneSecurity Contact: T7145543@live.tees.ac.uk