
Unlocking WPA2 Wi-Fi Networks: A Step-by-Step Guide

Written on Tue Feb 25 2025
10 minutes reading
Tags: wifi, hacking, Flipper Zero, hashcat

Introduction

A few days ago, I got challenged on wifi security, which led me to rethink wifi security concerns. Obviously I have some basic knowledge, but I wasn't sure I could take any wifi network and break it easily.

So I decided to dive into the topic and brainstorm on it; here are my questions:

  • What does wifi hacking mean for people versus the real-life concern?
  • How would I break a wifi network?
  • Are all wifi networks breakable?

Let's dive into these complex questions and, of course, let's try it!

What does wifi hacking mean

Several protocols have been developed to secure wireless communications:

  • WEP (Wired Equivalent Privacy): this is the first and oldest protocol (the standard was ratified in 1999). Its algorithm (RC4) is subject to numerous flaws which allow an attacker to crack the security key in a few minutes. This protocol is now obsolete.
  • WPA (Wi-Fi Protected Access): is the successor to WEP and provides enhanced security by overcoming WEP's vulnerabilities by incorporating the TKIP protocol. A 128-bit encryption key is used for each packet sent.
  • WPA2 (Wi-Fi Protected Access II): the successor to WPA, it improves on it by replacing the TKIP protocol with CCMP (AES) which is much more robust.
  • WPA3 (Wi-Fi Protected Access III): the latest standard in force. It replaces Pre-Shared Key (PSK) in WPA2 and provides stronger password-based authentication, which makes attacks based on WPA/WPA2 much more complicated or even obsolete.

WPA/WPA2 comes in two forms:

  • WPA/WPA2-Personal or PSK: Designed for home and small office networks. Uses a Pre-Shared Key (PSK), which is a passphrase between 8 and 63 characters long; all devices on the network use the same passphrase to connect.
  • WPA/WPA2-Enterprise: Designed for larger organizations and enterprises. Uses individual credentials for each user, such as usernames and passwords, instead of a shared passphrase. Requires a RADIUS (Remote Authentication Dial-In User Service) server for authentication.

WPA3 improved security by introducing new features, but still comes in two forms:

  • WPA3-Personal: Designed for home and small office networks. Uses Simultaneous Authentication of Equals (SAE) for authentication, which replaces the Pre-Shared Key (PSK) used in WPA2. SAE provides stronger protection against brute-force attacks and ensures that each device establishes a secure connection individually.

  • WPA3-Enterprise: Designed for larger organizations and enterprises. Uses individual credentials for each user, such as usernames and passwords, instead of a shared passphrase. Requires a RADIUS (Remote Authentication Dial-In User Service) server for authentication. WPA3-Enterprise offers enhanced security features, including stronger encryption and better protection against various types of attacks, making it suitable for environments with stringent security requirements.

Wi-Fi attacks exploit vulnerabilities in the wireless communication protocols to gain unauthorized access to networks. These attacks can range from passive eavesdropping to active interference, depending on the attacker's intent and the security measures in place. In this section, we'll explore some common types of Wi-Fi attacks and the techniques used by attackers.

Understanding Wi-Fi Attacks

Wi-Fi attacks can be classified into two main categories: passive attacks and active attacks.

Passive Attacks

Passive attacks involve eavesdropping on wireless communications without interfering with the network. The goal is to intercept data transmitted over the airwaves. These attacks are difficult to detect because they do not disrupt the normal operation of the network.

Eavesdropping, also known as sniffing, involves capturing data packets transmitted over the wireless network. Tools like Wireshark can be used to analyze the captured packets and extract information.

Active Attacks

Active attacks involve interfering with the normal operation of the network to gain unauthorized access or disrupt services. These attacks are more likely to be detected because they alter the network's behavior.

Deauthentication Attack
A deauthentication attack forces clients to disconnect from the wireless network. This can be achieved by sending deauthentication frames to the target client or access point. Once disconnected, the client must reauthenticate, allowing the attacker to capture the authentication credentials.

Evil Twin Attack
An evil twin attack involves creating a fake access point with the same SSID (Service Set Identifier) as the legitimate network. By mimicking the legitimate access point, the attacker can trick clients into connecting to the fake network, where they can capture login credentials and other sensitive information.

Man-in-the-Middle (MitM) Attack
A MitM attack intercepts and possibly alters the communication between two parties without either party's knowledge. In a wireless network, an attacker can position themselves between the client and the access point to eavesdrop on or modify the data being transmitted.

Cracking WPA/WPA2: The 4-Way Handshake Attack

Cracking WPA/WPA2 wireless networks involves exploiting vulnerabilities in the authentication and encryption processes to gain unauthorized access. One of the most common methods used by attackers is the 4-way handshake attack. This technique targets the initial handshake between a client and an access point, which is used to establish a secure connection.

The 4-Way Handshake is a critical step in the process of establishing a secure connection between a client and an access point. It ensures that both parties have the correct encryption keys and that the connection is secure. The handshake involves the exchange of four messages, as follows:

  1. Message 1 (AP → Client): The access point sends a nonce (a random number) to the client.
  2. Message 2 (Client → AP): The client generates a pair of keys (PTK - Pairwise Transient Key) using the nonce received from the access point and its own nonce. The client sends the access point its nonce and a MIC (Message Integrity Code) calculated using the PTK.
  3. Message 3 (AP → Client): The access point verifies the MIC received from the client. If the MIC is valid, the access point sends the client a GTK (Group Temporal Key) and a MIC calculated using the PTK.
  4. Message 4 (Client → AP): The client verifies the MIC received from the access point. If the MIC is valid, the client sends the access point a confirmation message.

The 4-Way Handshake is designed to ensure that both the client and the access point possess the correct encryption keys. However, if an attacker can capture the 4-Way Handshake, they can use it to derive the PTK and gain access to the network.

Pentesting a wifi network

Nothing beats practice: I had a Flipper Zero with the wifi dev board near me, which was a great occasion to use it and see its usefulness. We are targeting a WPA2-Personal network, as it's the most common type of network in the world.

If you're trying to follow along on your side, here is some extra information:

Flipper Zero homepage

Setup the Marauder firmware

The Flipper Zero features a GPIO header on the top edge of its body. This header can accommodate many different peripheral devices, including ESP32 modules and development boards. Thanks to its many available protocols, the Flipper Zero can communicate directly with the ESP32 Marauder firmware once it is properly installed on a compatible ESP32 expansion board.

At this step, connect the wifi dev board to the Flipper Zero through the GPIO header. We will then navigate to the firmware installation menu; this has to be done the first time to ensure the wifi dev board works correctly.

With your Wi-Fi board plugged into the Flipper Zero, according to the Marauder wiki:

Install any one of the following third party firmwares on your Flipper Zero. They come prebuilt with the WiFi Marauder app created by 0xchocolate. This application allows you to control the Marauder firmware from your Flipper Zero user interface.

cf: https://github.com/justcallmekoko/ESP32Marauder/wiki/flipper-zero

Let's do it!

  1. Open Apps and scroll to GPIO
  2. Open [ESP] ESP Flasher

Flipper Zero ESP flashing menu

You can now select Quick Flash, and launch the process.

Flipper Zero quick flash menu

Configuring the target

All configuration is done; we can now proceed to the interesting part!

  1. Open Apps and scroll to GPIO
  2. Open [ESP32] Wi-Fi Marauder

Flipper Zero marauder menu

After opening it, you are now in the right toolkit. Let's dive in! First, we will launch a scan that detects all access points near us. Select Scan, making sure that ap is selected, then simply click on it and it will run; once the access point you're targeting is listed, go back.

Flipper Zero scan menu

We can then get the list of the scanned access points using the List menu action below.

Flipper Zero list menu

This should output something like the following screen. (Yes, I blurred the result for obvious privacy reasons.)

Flipper Zero list menu result

Here, note the number of your target network; we will now select it for our attack. Go to the Select menu action.

Flipper Zero select menu

The keyboard opens on the Flipper Zero; simply enter the number you noted a few seconds ago. (I hope you did, ahah.)

Flipper Zero select menu result

Nice! Network detection and selection are done, so we can now launch our attack. But wait...

What attacks are possible, and which one should work on our network?

In our scenario, we're going to forcibly deauthenticate devices from the network and eavesdrop on their attempts to reconnect. This works by having the Flipper Zero send deauthentication packets to the client devices on the network. PMKID stands for Pairwise Master Key Identifier, and it's part of the WPA/WPA2 4-way handshake. It can be obtained from the first message of the handshake, making it possible for an attacker to eavesdrop and collect the data.

To use it, scroll in the menu to the Sniff action; you will need to switch values until pmkid is selected. You can then launch it.

Flipper Zero sniff menu

We now have a submenu offering a few variants of our attack.

Flipper Zero sniff options

As you can see, there are mainly two scenarios:

  • passive: wait for a client to authenticate to the AP and capture the PMKID from that exchange.
  • active: force a connected client to re-authenticate.

For simplicity, I'll use the active one. So we will:

  1. Send Deauth Frames: The Flipper Zero sends deauthentication frames, forcing the client to disconnect from the network.
  2. Re-authentication: The client, upon disconnecting, will attempt to reconnect to the AP, initiating the 4-way handshake.
  3. Capture EAPOL Packets: During the re-authentication process, the Flipper Zero captures the EAPOL packets (4-way handshake), which contain the necessary information for offline password cracking.

Choose Active (Force Deauth).

More information on the sniff pmkid action here

Flipper Zero sniff active option

This will start by showing the following output, which means the Flipper Zero is sending deauth packets in broadcast to force connected clients to disconnect and re-authenticate.

Flipper Zero sniff active options outputs
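The broadcast deauth burst described above is also what a defender can look for. As an added example (not part of the original article), the following detection logic parses raw 802.11 management frames, counts broadcast deauthentication frames per source address in a sliding window, and alerts when a burst crosses a threshold; the frames, MAC addresses, threshold and window are constructed for the demo.

```python
import struct
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_SUBTYPE = 0x0C  # 802.11 management frame (type 0), subtype 12 = deauthentication

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a raw 802.11 deauth frame, else None.
    Assumes the radiotap header is already stripped: 24-byte MAC header + 2-byte reason."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH_SUBTYPE:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason

def detect_deauth_floods(frames, threshold=5, window=2.0):
    """frames: iterable of (timestamp_seconds, raw_frame). Alert once per source MAC
    when at least `threshold` broadcast deauths arrive within `window` seconds."""
    recent, alerted, alerts = {}, set(), []
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is None or parsed[0] != BROADCAST:
            continue  # unicast deauths (a client really leaving) are normal traffic
        _, src, _, reason = parsed
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"source": src, "count": len(q), "reason": reason, "at": ts})
    return alerts

def build_deauth(dst, src, bssid, reason, seq=0):
    """Constructed test frame: FC, duration, addr1..3, sequence control, reason code."""
    header = bytes([DEAUTH_SUBTYPE << 4, 0x00]) + b"\x00\x00" + dst + src + bssid
    return header + struct.pack("<H", seq << 4) + struct.pack("<H", reason)

AP = bytes.fromhex("02aabbccdd01")   # constructed BSSID (locally administered)
STA = bytes.fromhex("021122334401")  # constructed client MAC
BCAST = b"\xff" * 6
# Constructed capture: 8 spoofed broadcast deauths "from the AP" within 0.7 s,
# then one ordinary unicast deauth from a client that is genuinely leaving.
SAMPLE = [(0.1 * i, build_deauth(BCAST, AP, AP, 7, i)) for i in range(8)]
SAMPLE.append((5.0, build_deauth(AP, STA, AP, 3)))
```

Because the forged frames carry the AP's own BSSID as source, the alert names the legitimate AP, so the useful signal is the rate, not the address. Enabling Protected Management Frames (802.11w) on the AP makes clients reject unauthenticated deauthentication frames altogether.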

After a few seconds, if there are connected clients, you will notice this kind of log message appearing, which means the Flipper Zero successfully intercepted re-authentication packets. I recommend letting it run 5 seconds more after noticing it; then you can close it.

Flipper Zero received eapol packets

Great! Now our Flipper Zero should have intercepted some packets. These files are stored on the SD card of the Flipper. Let's find them!

Using your laptop, connect your Flipper and open the qFlipper application. This menu should appear; simply select the file icon in the top-left corner.

Flipper Zero sniff menu

Now you can change directory to apps_data/marauder/pcaps; this directory contains all the pcap files generated by the Marauder tool. Simply right-click on the file and download it to your laptop.

Flipper Zero sniff menu

Now we can put the Flipper Zero aside; we don't need it anymore. Move to the folder containing the downloaded file. You could open this file with Wireshark and read the packets intercepted by the Flipper Zero. As this isn't necessary for our demonstration, I won't do it.

At this step, we have our pcap file and can now proceed to the cracking part. Before that, I'll quickly show you the content of the pcap file using Wireshark.

Wireshark file inspection

As you can see, we have the 4-way handshake; this is the part we need to crack the password. Your pcap file should contain a large number of packets; you can filter them with the eapol display filter to only see the 4-way handshake. Let's continue.

ls
sniffpmkid_3.pcap

We now have our intercepted authentication exchange between a client and the access point. We need to convert the file format to .hccapx so that hashcat can read it. To achieve this, use the hcxtools toolkit with the following command:

hcxpcapngtool sniffpmkid_3.pcap -o cracked.hccapx

Now we should have two files.

ls
cracked.hccapx sniffpmkid_3.pcap

The file cracked.hccapx contains the captured packets in a format that hashcat can use to crack them.

Before launching hashcat like a script kiddie, I'll give you a quick win and some tips from a professional on being an effective pentester. Brute-forcing without a strategy is equivalent to wasting your time. That is why, as smart pentesters, we will prefer building a custom wordlist to test and get effective results.

As this is a scenario, we don't have much information on the target owning the router. Companies often use their name in the password, suffixed with a date or some special character. As a smart pentester, you should consider this, and maybe correlate it with previously found passwords, the password policy you grabbed, or social engineering findings to build a custom wordlist of probable password structures.

To build this kind of wordlist, you can use crunch, for example. In my scenario, I'll consider that they just used the word admin followed by a date (4 digits) and a special character.

Here is my command:

crunch 10 10 -d 2@ -t "admin%%%%^" --stdout > wordlist.txt

Crunch allows you to build wordlists by pattern; here are the placeholders:

  • @ will insert lowercase characters
  • , will insert uppercase characters
  • % will insert numbers
  • ^ will insert symbols

Now we have our wordlist and the packets containing the authentication exchange. We can launch the cracking!

hashcat -m 22000 cracked.hccapx wordlist.txt

This command tells hashcat that we are breaking a WPA key (mode 22000) using a dictionary attack. If your dictionary contains the password, hashcat will find it, and you can simply retrieve it using the following command:

hashcat -m 22000 cracked.hccapx --show
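To put the 4-way handshake description and the wordlist strategy above in numbers, here is an added example (not from the original article) that derives the WPA2 PMK exactly as the 802.11i standard specifies it (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) and sizes the keyspace of the crunch pattern used above against a random passphrase of the same length. The guesses-per-second rate and the 33-symbol count for crunch's ^ placeholder are assumptions made for the demo.

```python
import hashlib

# Character-class sizes behind crunch's -t placeholders. The 33-symbol count for ^
# is an assumption about crunch's default symbol set; the others are fixed alphabets.
CLASS_SIZES = {"@": 26, ",": 26, "%": 10, "^": 33}
PBKDF2_ROUNDS = 4096  # fixed by the 802.11i passphrase-to-PMK mapping

def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the work hashcat must repeat for every candidate in the wordlist."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-Personal passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, 32)

def crunch_keyspace(pattern):
    """Candidates a crunch -t pattern expands to: literals count 1, placeholders their class size."""
    n = 1
    for ch in pattern:
        n *= CLASS_SIZES.get(ch, 1)
    return n

def random_keyspace(length, alphabet_size=sum(CLASS_SIZES.values())):
    """Candidates for a passphrase drawn uniformly from the full printable alphabet (95 chars)."""
    return alphabet_size ** length

def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a given PMK-derivation rate."""
    return keyspace / guesses_per_second

if __name__ == "__main__":
    # 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa2_pmk("password", "IEEE").hex())
    rate = 500_000  # assumed PBKDF2 guesses per second for one GPU; measure your own
    pat = crunch_keyspace("admin%%%%^")
    rnd = random_keyspace(10)
    print(f"admin%%%%^ : {pat:,} candidates, {seconds_to_exhaust(pat, rate):.2f} s")
    print(f"random 10  : {rnd:.2e} candidates, {seconds_to_exhaust(rnd, rate) / 31_536_000:.2e} years")
```

The comparison is the cost side of the cost-versus-gain argument below: a structured guess like admin + date + symbol falls in under a second at that rate, while a random passphrase of the same length is out of reach.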

Are all wifi networks breakable?

A simple question sometimes needs a tricky answer. I can't provide an absolute truth on this, being a simple human xD But with a few years in cybersecurity, the point I like to mention is this:

"Cybersecurity is simply a notion of cost versus gain."

An absolute truth I can tell is: "There is nothing unbreakable." So let's merge both statements: there is nothing unbreakable; what matters is the cost of breaking it versus the gain we can expect from breaking it.

If it takes 5 years to break a system and steal 10 000 €, you can be sure that no one will try; hackers will prefer 2 days of penetration testing to earn 100 000 €.

This makes sense, and it's my essential point when I talk about cybersecurity. My goal isn't to be unbreakable or "the best in the world"; I prefer putting good barriers on the entry points to make the attacker understand that it will take a lot of time and effort to break the system. You should do the same, and adapt the strength of your defenses to the potential gain, to discourage attackers from trying to break your system.

I don't want to be misinterpreted: I'm not saying "let them come and see". As cybersecurity experts, we should constantly improve our systems and solutions. The point is to quickly reach the state I mentioned: make the fortress too strong compared to the gain of penetrating it.

Conclusion

As you understand, no wifi network is unbreakable, but a strong and resilient infrastructure and strong passwords are the keys to making it costly to penetrate. As a pentester, you should always consider cost versus gain, and adapt your strategy to be effective and efficient.

I hope you enjoyed this article, and that it helps you understand the complexity of wifi hacking and the importance of using strong, complex passwords for your wifi network.