Search Here

Wednesday, 10 February 2016

How a Cracker breaks wifi and more details, WEP,WPA,WPA2,WPS and more

Attacking wifi tools and how attacks work.

Wifi types are open, wep, wpa1, WPA2, wpa2 enterprise. There are also services on wifi to help people connect for the first time easier.  This service is called wps.  WPS is either active or passive. So here are the bellow

And here is the explanation for the different wifi types of connections and attacks and security against them.


There are open wifi networks are just that open to everyone. There is not much to do here than connect.


Wired Equivalent Privacy is the first encryption type for wifi. It's not meant to be the most secure but better than nothing. There is an vulnerability in wep protocol is a vulnerability in the rc4 cipher stream. the Fluhrer, martin, and Shamir attack (FMS) is a n attack to recover the key in large number of message streams. This attack is in the weak initialization vectors on the rc4 for wep. by gathering a lot of IVs around 50k you should be able to easily get the key. Read more about the actual attack and the link above.
These attacks are easy to implement in various tools like aircrack or scripts that automate the attack for you like wifite or wepcrackgui.
So the attack goes like this generally speaking. attacker puts card in monitor mode with something like airmon-ng, then once in monitor mode the card can pick up packets across the air even if it is not connected to that network (see monitor mode). From there attacker picks a channel of his target and begins his attack. After capturing IV packets by either deauthenticating the client, doing a replay attack, or some other attack the attacker tries to then use a FMS attack against the IVs and get the key.
For another simple explanation of the WEP attack can be found here.


wifi protected access is leaps and bounds ahead of WEP though still has some issues with it. weak keys, wpa packet spoofing and decryption. with WPA there are attacks against the WPA-TKIP allowing decrypt packets and then inject the packets to hijeck connections.
you can read more about the actual attacks at the bellow links
there are 2 basic encryption protocols with WPA CCMP and TKIP. most the attacks above use the TKIP. the if the nettwork is using CCMP then its using the AES cipher which is a lot stronger.
Though other attacks against WPA personal (WPA1-PSK) is to run either a dictionary attack against the handshake or if the SSID is a common SSID to use a rainbow table. Rainbow tables are generally not used because the way WPA works is that it stalts the password hashes with the SSID of the wifi network. This means that 2 networks with 2 different SSIDs and the same passwords would have 2 different pairwise master keys PMKs. So less you have a user with a simple dictionary word or a common ssid name brute forcing is generally not the best option out there. Though this does not mean its not possible if you take into human habit and the standard into account. the WPA-PSK requires the passphrase to be 8-63 characters long. Knowing this fact and the fact that humans want to try the least possible they most likely will use a word starting and being only 8 digits long aka the minimum length required. This allows an attacker to create mask attacks against the wpa keys in hoping that the human element is what created the weakness. Since a mask attack does not require brute forcing 1-7 digits it starts at only trying the 8 digits and then on top of that starting with trying only say the first 4 characters of the password be letter and then ending with numbers or symbols you can reduce the attack brute force dramatically in time making a brute force with a GPU possible. here is a benchmark on how fast a single GPU can run for pyrit HERE. So if you combine a lot of GPUs together like the amazon cloud or just creating your own farm or botnet. then cracking a WPA is a lot faster than expected.
you can find out more about the WPA1 standard at the bellow link

WPA2 Personal (aka WPA2-PSK):

along with the mention above with WPA the WPA2 protofal was built to fix shortcomings in the authentication and privacy of WPA1. i wont go over a lot of the information again about the attacks. Though WPA2 in general has less flaws in it than WPA though the attack vectors are still the same.

WPA Enterprise:

WPA-Enterprise is the use of a RADIUS or a TACACS+ server to authenticate connections on the network. The only major flaw found in it is the MS-CHAPv2 which severely reduces the complexity of brute-force attacks. Check out the bellow link for more information on the attack.


Wps as a protocol to help non technical users to easily setup wifi networks where they wouldn’t have to type out complex passwords but only push a button and connect. you can find out more about WPS at the bellow link
with the WPS attack by reaver was originally explained here and explained here and then was later developed and improved upon by wiire with the pixie dust attack and can find the code for it here pixiewps .
A more updated toolset is located at the next 2 links for reaver and pixiewps

since there is a huge amount of resource for information on both the links above i won’t go into the attacks much or how they are done.
instead even better… VIDEO!!!!