Monday, April 9, 2012

Brute forcing a 802.11 WPA/WPA2-PSK

I was asked recently if there was a way to brute force a WPA/WPA2 key with aircrack-ng. Aside from the MASSIVE amount of time this would take to actually crack a real password, it was a good exercise and demo.

Aircrack-ng is a tool in the Aircrack-ng suite of tools (http://www.aircrack-ng.org/) that can be used to crack 802.11 WEP and WPA/WPA2-PSK keys. The only method aircrack-ng provides for cracking WPA/WPA2-PSK is a dictionary attack, which is normally run with the following command:

aircrack-ng -e <essid> -w <wordlist file> <wpa/wpa2 pcap>

Now, let's say that you wanted to brute force the key instead of supplying a wordlist for a dictionary attack. How do you do this with aircrack-ng when it only accepts a wordlist? Essentially, we need to create our own wordlist containing every candidate key and then pass that wordlist to aircrack-ng.

To create a "brute force" wordlist, we can use a password generation utility such as crunch (http://sourceforge.net/projects/crunch-wordlist/). With crunch, you specify a character set and a minimum and maximum length, and it generates every combination in that range. From there, we can pass this wordlist to aircrack-ng and start cracking.

Here is an example of how you can use crunch with aircrack-ng using the sample WPA2 packet capture included with the aircrack-ng suite. The WPA2-PSK in the sample is an eight-digit number, "12345678". Both of these tools are included in the BackTrack 5 distribution (http://www.backtrack-linux.org/). This command will work on BackTrack 5, but if you are running a different distro, you will need to adjust the folder paths as appropriate.


/pentest/passwords/crunch/crunch 8 8 0123456789 | aircrack-ng -e "Harkonen" -w - /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap 

Let's break this down. The first command runs crunch with a minimum length of 8 characters, a maximum length of 8 characters, and a character set of all ten digits. This generates every combination of digits from 00000000 to 99999999. If you want to save the output to a file for later use, you can use the "-o <output file>" flag. For more info on the options available with crunch, run: man crunch.

crunch 8 8 0123456789
crunch <min-length> <max-length> <char set>

Now that we have our "brute force" wordlist, we need to pass it into aircrack-ng. We could use crunch's "-o" flag to write it to a file and then supply that file to aircrack-ng. But I'm lazy... :) Why do that when we can pipe the results directly into aircrack-ng? The next part of the command runs aircrack-ng and specifies the ESSID (the wireless network name, or SSID), the wordlist, and the packet capture to crack. Notice that instead of a wordlist filename after the "-w" flag, we use "-" (a hyphen). This tells aircrack-ng to read the wordlist from stdin instead of a file.

aircrack-ng -e "Harkonen" -w - /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap

Then you put it all together with the "|" (pipe) character, which sends the stdout of the crunch command to the stdin of the aircrack-ng command.

/pentest/passwords/crunch/crunch 8 8 0123456789 | aircrack-ng -e "Harkonen" -w - /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap 

Again, keep in mind that even with a simple example such as this, it will still take a few hours to crack the key "12345678". As you can see, brute forcing a WPA/WPA2 key really isn't practical: the time required grows exponentially with the length of the key and the size of the character set. But in any case, if you did want to give it a shot, you now know how. Enjoy! :)
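To put numbers on that "grows exponentially" claim, here is an added example (my own code, not part of the original post or the aircrack-ng project) that counts how many candidates a given crunch invocation produces and estimates how long exhausting them takes. It relies on the fact that WPA/WPA2-PSK derives the PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 iterations (IEEE 802.11i), so each candidate the cracker tests costs one such derivation; the measured rate is pure-Python and single-threaded, so aircrack-ng will be faster, but the shape of the table is the point. The "password"/"IEEE" vector in the comments is the IEEE 802.11i test vector; the policy labels are assumptions for illustration.

```python
import hashlib
import time

# WPA/WPA2-PSK turns the passphrase and SSID into the 256-bit Pairwise
# Master Key with PBKDF2-HMAC-SHA1 at 4096 iterations (IEEE 802.11i).
# Every candidate aircrack-ng reads from the crunch pipe costs one of
# these derivations, which is why even 10^8 digits takes hours.
# IEEE 802.11i test vector: wpa_pmk("password", "IEEE").hex() starts f42c6fc5...
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates 'crunch <min> <max> <charset>' emits."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def measure_rate(ssid: str, samples: int = 100) -> float:
    """Single-threaded PMK derivations per second on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"{i:08d}", ssid)       # constructed digit-only candidates
    return samples / (time.perf_counter() - start)

def seconds_to_exhaust(charset_size: int, min_len: int, max_len: int,
                       rate: float) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses/sec."""
    return keyspace(charset_size, min_len, max_len) / rate

def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    rate = measure_rate("Harkonen")   # SSID from the post's sample capture
    print(f"{rate:,.0f} PMK derivations/sec (single thread, pure Python)")
    # Assumed policies: (label, charset size, min, max). First is the post's run.
    for label, cs, lo, hi in (("8 digits (post)", 10, 8, 8),
                              ("8 lowercase", 26, 8, 8),
                              ("8 mixed alnum", 62, 8, 8),
                              ("12 mixed alnum", 62, 12, 12)):
        t = seconds_to_exhaust(cs, lo, hi, rate)
        print(f"{label:16} {keyspace(cs, lo, hi):>24,}  {human(t)}")
```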