Cracking WPA/WPA2 for Non-Dictionary Passphrase

A WPA/WPA2 password can be cracked by capturing the WPA handshake and then running a dictionary against it. If the passphrase is in the dictionary, the password will be cracked. But what if the password is not in the dictionary? Are there other ways to crack non-dictionary passphrases? Let’s see them…

First, we will look at the basics of WPA/WPA2 cracking:

STEP 1: Start wireless monitor mode.

STEP 2: Then capture the WPA handshake.

STEP 3: And then apply a dictionary.

STEP 4: Provide the .cap file to aircrack-ng with the darkc0de.lst dictionary.

Here we cracked the passphrase in around 9 mins.

If clients are already connected and you are not getting a handshake, then use:

aireplay-ng --deauth 10 -a <bssid> <interface>

But even after following all these steps, if the passphrase is not in the dictionary you will get the message: “passphrase not in dictionary”

Another interesting note on choosing a WPA passphrase:

The basic idea that comes to mind for cracking any passphrase is a brute-force attack. So why not brute-force the .cap file?

We can do that by piping the crunch output into the aircrack-ng tool, as shown below:

It cracked the password in about 23 mins.

But you can clearly see that I provided only 6 small letters as input. What if you provided the whole alphabet?

With my single laptop I would have to wait 11 years! And again, the passphrase may also contain numbers and special symbols.

So brute force is not an effective approach with a single system.

So here we will do something interesting…

WPS: As per Wiki, Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard that attempts to allow easy establishment of a secure wireless home network. It is enabled by default on most routers.

Reaver, written by Craig Heffner, is a fantastic tool for cracking this WPS pin. It performs a brute-force attack against the AP, attempting every possible combination in order to guess the AP's 8-digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated from the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts.

Here is a screenshot of my D-Link DIR-615 router.

The screenshot above shows the router's default settings. Here the pin is: 65020920

So the key concept is that we can brute-force that pin and obtain all the credentials stored for the access point, whatever combination of digits and special symbols the passphrase uses (it simply does not matter).
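The keyspace arithmetic described above, as an added example (not code from this article or from Reaver): it computes the WPS check digit, confirms that the default pin quoted for the DIR-615 is self-consistent, and compares the 11,000-guess worst case with the size of an 8-character passphrase space. The function names and the 95-character printable-ASCII alphabet are assumptions made for illustration.

```python
# Added example: WPS pin checksum and keyspace arithmetic. Runs offline.

def wps_checksum(first7: int) -> int:
    """Check digit for the first seven pin digits (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when pin is eight ASCII digits and digit 8 matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def keyspace() -> dict:
    """Worst-case guess counts for each model described in the text."""
    return {
        "naive": 10 ** 8,              # eight independent digits
        "with_checksum": 10 ** 7,      # digit 8 is derived from digits 1-7
        "split": 10 ** 4 + 10 ** 3,    # digits 1-4, then digits 5-7, checked separately
    }


def passphrase_space(length: int, alphabet: int = 95) -> int:
    """Candidates for a passphrase of this length (95 = printable ASCII, an assumption)."""
    return alphabet ** length


if __name__ == "__main__":
    pin = "65020920"                   # default pin quoted in the article
    print(pin, "checksum ok:", is_valid_pin(pin))
    for model, guesses in keyspace().items():
        print(f"{model:>14}: {guesses:>11,} guesses")
    ratio = passphrase_space(8) // keyspace()["split"]
    print(f"8-char passphrase space is ~{ratio:.1e} times larger than the pin space")
```

The pin space stays at 11,000 guesses whatever passphrase is configured, so passphrase strength only protects the network once WPS is disabled.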

STEP 1: Scan the air for these WPS systems with “wash”.

So here two access points are available. We will go with first one.

After 23864 seconds…

Passphrase “R0ck$t@R” was cracked along with pin: 65020920

But this is not the end. What if the victim becomes suspicious of a sudden decrease in bandwidth and changes the passphrase? Do we need to brute-force for another 6-10 hours?

The answer is simply ‘No’.

Along with the passphrase, we also received the “pin.”

So from now on, supply the pin and get the passphrase, as below:

After only 3 seconds…

Passphrase: ‘N0nec@nh@ckthis1

At first glance one may ask: I mentioned the D-Link DIR-615 router, but what about others?

So I scanned the air, and got Belkin!

So most new routers come with this WPS facility, and WPS is enabled by default. No matter which password you set, it can be cracked.

Countermeasures
1. Disable WPS
2. Use a non-dictionary passphrase with any combination of characters!
Ex: “R0ck$t@R”

Swaroop D. YermalkaR

Swaroop is a final-year engineering student from M.I.T. College of Engineering, Pune. He is an EC-Council Certified Ethical Hacker and an infosec enthusiast and hobbyist.