WPA/WPA2 is susceptible to dictionary-based attacks. The best way to protect against this type of attack is to use a complex passphrase for creating the Pre-Shared Key (PSK) and to change it regularly.

WPA creates a per-session key called the Pairwise Transient Key (PTK). This key is derived from the PSK and other parameters such as the SSID, ANonce, SNonce, AP MAC, and Client MAC. The only parameter not easily available to an attacker is the PSK. The PSK is created by passing the passphrase and SSID through the Password-Based Key Derivation Function (PBKDF2). The output is a 256-bit shared key.

An attacker uses a dictionary attack to create candidate 256-bit PSKs which, combined with the other parameters, produce a candidate PTK. The candidate PTK is checked against the Message Integrity Check (MIC) in one of the handshake packets to determine whether they match. If they do, the passphrase was guessed correctly. If not, the process repeats for the next entry in the dictionary.
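The derivation described above, as an added example that is not part of the original post: WPA/WPA2-Personal turns the passphrase and SSID into the 256-bit PSK with PBKDF2-HMAC-SHA1 at 4096 iterations (the constants are fixed by IEEE 802.11i; the post names only "PBKDF2"). The helper functions `derive_psk`, `measure_guess_rate` and `seconds_to_exhaust` are my own names. The block shows why the SSID acts as a salt (the same passphrase on two networks yields different PSKs, so precomputed tables are per-SSID) and how much slower exhausting a random passphrase is than a wordlist, which is the defensive point of the post.

```python
import hashlib
import time

# Fixed by IEEE 802.11i for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1,
# 4096 iterations, 32-byte (256-bit) output; the SSID is the salt.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK (also called the PMK) for a passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    # The standard specifies ASCII passphrases; utf-8 is a superset for them.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PSK_LEN,
    )


def derive_psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, the format most tools print it in."""
    return derive_psk(passphrase, ssid).hex()


def measure_guess_rate(ssid: str, seconds: float = 0.5) -> float:
    """Measure how many PSK derivations per second this machine manages.

    One derivation = one dictionary guess; the 4096 iterations are what make
    each guess expensive (this is the cost a passphrase policy relies on).
    """
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_psk("candidate-%08d" % count, ssid)
        count += 1
    return count / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("rate must be positive")
    return keyspace / guesses_per_second


def random_passphrase_keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates for a uniformly random passphrase."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Standard test vector from IEEE 802.11i (passphrase "password", SSID "IEEE").
    print("PSK(password, IEEE) =", derive_psk_hex("password", "IEEE"))
    # Same passphrase, different SSID: the salt changes the PSK entirely.
    print("PSK(password, Home) =", derive_psk_hex("password", "Home"))

    rate = measure_guess_rate("IEEE")
    print(f"this machine: about {rate:,.0f} guesses/s (single core, pure Python)")
    # Constructed comparison: a 100,000-word dictionary versus a random
    # 12-character passphrase drawn from 62 alphanumerics.
    dictionary_words = 100_000
    random_space = random_passphrase_keyspace(12, 62)
    print(f"100k-word dictionary exhausted in {seconds_to_exhaust(dictionary_words, rate):,.0f} s")
    print(f"12-char random passphrase needs {seconds_to_exhaust(random_space, rate):.3e} s")
```

The measured rate is only illustrative (GPU crackers are orders of magnitude faster), but the ratio between the two keyspaces is what matters: the dictionary is finished in minutes on a laptop, while the random passphrase remains out of reach even at millions of guesses per second.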
This is for educational purposes only. Do not attempt this on networks without their owner's explicit permission. The steps below illustrate the process:
- airodump-ng mon0 --channel X --write target.cap (wait for a WPA handshake)
- aircrack-ng target.cap -w dictionary (performs the dictionary attack)
Once you have the key, you can use Wireshark or airdecap-ng to view the packets.
Many thanks to Vivek Ramachandran of Securitytube for explaining the material!