ThamKhao AirHashWPA
Participants:
The motivation for developing hashcat was to create a powerful password cracking tool
that could be used to recover forgotten passwords or to crack passwords for malicious
purposes. Hashcat is a very effective tool, and it can be used to crack passwords for a
wide variety of applications, including Wi-Fi networks.
Aircrack-NG
Aircrack-NG is a packet capture tool that is used to capture and analyze Wi-Fi traffic.
It can be used to capture Wi-Fi traffic from a variety of sources, including Wi-Fi
adapters, access points, and Wi-Fi networks.
It was developed to create a powerful packet capture tool that could be used to capture
and analyze Wi-Fi traffic. Airodump-ng is a very versatile tool, and it can be used for a
variety of purposes, including:
In this context, the goal of this project is to investigate the issues and solutions
associated with wireless network security, with an emphasis on understanding the basics
of wireless networks, the vulnerabilities they confront, and the security mechanisms
implemented. We can better defend our wireless networks, manage risks, and maintain
the confidentiality and privacy of data transferred over these networks by learning more
about wireless security.
2. Research Objectives
It is important to acknowledge the scope and limitations of this research project. The
scope of the project includes:
• Focus on the Aircrack-NG Software Suite and Hashcat as the primary tools
for wireless security assessment.
• Exploration of wireless security protocols, specifically WPA2 and the latest
WPA3, and their vulnerabilities.
• Investigation of common wireless network threats and vulnerabilities.
• Experimental implementation of password cracking techniques using
Aircrack-NG and Hashcat.
• The research is limited to the assessment of Wi-Fi networks and does not
cover other wireless technologies such as Bluetooth or NFC.
• The project does not address hardware-level security vulnerabilities in
wireless devices.
• The effectiveness of Aircrack-NG and Hashcat may vary depending on the
complexity of the Wi-Fi password and the security measures implemented.
CHAPTER 2
Wireless Network Security Fundamentals
1. Introduction to Wireless Networks
What is a wireless network?
• Access points (APs): APs are devices that transmit and receive radio signals.
They are responsible for creating and managing the wireless network.
• Wireless clients: Wireless clients are devices that can connect to the wireless
network. They can be computers, smartphones, tablets, laptops, or other devices.
There are many wireless network threats; here are a few of them:
WPA3 (Wi-Fi Protected Access 3) is the latest security protocol for Wi-Fi networks,
introduced by the Wi-Fi Alliance in 2018. It is designed to enhance the security of
wireless networks and protect them from a variety of threats, including eavesdropping,
data breaches, and password cracking. WPA3 is the successor to WPA2, which is the
most widely used wireless security protocol today.
In addition to the improvements listed above, WPA3 also includes a number of other
enhanced security features and capabilities, such as:
PSK is a relatively simple authentication method that relies on a shared secret key that
is known to all authorized devices on the network. This makes PSK vulnerable to attacks
where an attacker can guess or learn the shared secret key.
SAE, on the other hand, uses a more complex authentication process that does not
require a shared secret key. Instead, SAE uses a Diffie-Hellman key exchange to
establish a secure connection between the device and the access point. This makes SAE
much more resistant to attacks than PSK.
Enhanced Encryption
Transition to the more secure encryption algorithm (CCMP-128 to AES-256)
WPA3 uses AES-CCMP (Advanced Encryption Standard with Counter Mode with
Cipher Block Chaining Message Authentication Code) with 256-bit encryption, which
provides a significant improvement in security over the 128-bit encryption used in
WPA2.
WPA3 also introduces a new feature called "Individualized Data Encryption" (IDE).
IDE encrypts each data packet with a unique encryption key, which is derived from the
device's credentials and the access point's master key. This makes it much more difficult
for an attacker to decrypt data that is intercepted on the network.
Protection against offline dictionary attacks
Introduction to offline dictionary attacks
The adoption of WPA3 is still in its early stages, but it is growing rapidly. According
to a report by ABI Research, the number of WPA3-enabled devices is expected to reach
1.8 billion by 2026. This represents a significant increase from the 200 million WPA3-
enabled devices that were shipped in 2021.
• Airodump-ng: This tool is used for capturing packets from Wi-Fi networks and
collecting important information such as network names (SSIDs), MAC
addresses, signal strength, and encryption types. It allows users to monitor and
analyze the traffic on wireless networks.
• Aireplay-ng: Aireplay-ng is a tool used for injecting or replaying network
packets. It can be utilized to generate various types of network traffic, including
fake authentication requests, deauthentication attacks, and ARP request replay
attacks. These attacks help identify vulnerabilities in the network's security
implementation.
• Aircrack-ng: Aircrack-ng is the core tool of the suite, designed for cracking
WEP and WPA/WPA2-PSK encryption keys. It utilizes captured packets and
employs various attack techniques such as dictionary attacks, brute-force attacks,
and statistical attacks to recover passwords or encryption keys.
• Airmon-ng: This tool is used to enable or disable monitor mode on wireless
network interfaces. Monitor mode allows the capture of raw Wi-Fi packets,
which is essential for performing network analysis and security testing.
• Airbase-ng: Airbase-ng is a tool used for setting up rogue access points. It
enables the creation of fake wireless networks that can be used for various
purposes, including capturing network traffic, conducting man-in-the-middle
attacks, and testing the security of client devices.
• Airtun-ng: Airtun-ng is a virtual tunnel interface creator. It helps in creating
virtual network interfaces and establishing encrypted communication channels
between them.
• Introduction to Hashcat
Hashcat is a powerful and versatile password cracking tool that has gained
widespread popularity among security professionals and penetration testers. It is
renowned for its efficiency, effectiveness, and extensive support for various hashing
algorithms and attack methods. Developed by Jens Strøger, Hashcat is primarily used
to recover lost or forgotten passwords for various applications, including Wi-Fi
networks, websites, and operating systems.
Hashcat boasts an impressive array of features that make it a valuable tool for
password cracking:
This is the Wi-Fi card of the computer. Next, we have to kill all the processes that use
this card to prepare it for switching to monitor mode. Then we use the command sudo
airmon-ng start wlan0mon to switch it to monitor mode.
➔ Note: Monitor mode, or RFMON mode, allows a computer with a wireless
network interface controller to monitor all traffic received on a wireless channel.
Next, we use sudo airodump-ng wlan0mon to scan for surrounding Wi-Fi networks
using the card that was switched to monitor mode above.
Note the BSSID and the channel (CH) of the Wi-Fi network Sunsilk; we will use them to crack this network.
Next, we change the capture to just this network by editing the command above,
adding the BSSID, the channel and the output file field.
To crack faster, I will copy this file to my server using the scp protocol.
Here is the broadcast packet that was sent from the access point. It shows that the router
supports WPA2 (PSK) and WPA3 (SAE).
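The observation above (an access point advertising both WPA2-PSK and WPA3-SAE) is exactly what a defender should inventory, because that "transition mode" is what the downgrade described later in this report depends on. SAE is a password-authenticated key exchange: the passphrase still exists on both sides, but the frames of the exchange do not let an observer test guesses offline, whereas the WPA2-PSK 4-way handshake does. The following is an added example, not code from the report or the Aircrack-ng project: a parser for the RSN information element (element ID 48) that an access point sends in its beacons, plus a policy check that flags transition mode, optional management frame protection (PMF, which WPA3-only networks must require) and legacy ciphers. The suite identifiers are the IEEE 802.11 values under OUI 00-0F-AC; the two IE payloads at the bottom are constructed samples, not captures of the network in the report.

```python
import struct
from dataclasses import dataclass

# Suite selectors are 4 bytes: OUI 00-0F-AC followed by a one-byte type.
OUI_IEEE = b"\x00\x0f\xac"
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
MFPR_BIT = 1 << 6   # RSN capabilities: management frame protection required
MFPC_BIT = 1 << 7   # RSN capabilities: management frame protection capable


@dataclass
class RsnInfo:
    version: int
    group_cipher: str
    pairwise_ciphers: list
    akm_suites: list
    mfp_capable: bool
    mfp_required: bool


def _suite_name(raw: bytes, table: dict) -> str:
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    oui, selector = raw[:3], raw[3]
    if oui != OUI_IEEE:
        return f"vendor-{oui.hex()}-{selector}"
    return table.get(selector, f"unknown-{selector}")


def parse_rsn_ie(body: bytes) -> RsnInfo:
    """Parse the RSN IE payload, i.e. the bytes after the element ID and length."""
    off = 0
    (version,) = struct.unpack_from("<H", body, off)
    off += 2
    group = _suite_name(body[off:off + 4], CIPHER_SUITES)
    off += 4
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    pairwise = []
    for _ in range(count):
        pairwise.append(_suite_name(body[off:off + 4], CIPHER_SUITES))
        off += 4
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    akms = []
    for _ in range(count):
        akms.append(_suite_name(body[off:off + 4], AKM_SUITES))
        off += 4
    capable = required = False
    if off + 2 <= len(body):            # the capabilities field is optional
        (caps,) = struct.unpack_from("<H", body, off)
        capable = bool(caps & MFPC_BIT)
        required = bool(caps & MFPR_BIT)
    return RsnInfo(version, group, pairwise, akms, capable, required)


def assess(info: RsnInfo) -> list:
    """Return policy findings relevant to downgrade and deauthentication risk."""
    findings = []
    akms = set(info.akm_suites)
    has_psk = bool({"PSK", "PSK-SHA256", "FT-PSK"} & akms)
    has_sae = bool({"SAE", "FT-SAE"} & akms)
    if has_psk and has_sae:
        findings.append("transition-mode")   # WPA2-PSK still offered next to SAE
    elif has_psk:
        findings.append("psk-only")          # no SAE at all
    if not info.mfp_required:
        findings.append("pmf-optional")      # unprotected deauth frames are accepted
    if {"WEP-40", "WEP-104", "TKIP"} & set(info.pairwise_ciphers + [info.group_cipher]):
        findings.append("weak-cipher")
    return findings


# Constructed sample IE payloads (hypothetical, not captured from any real network).
TRANSITION_MODE_IE = bytes.fromhex(
    "0100"                        # version 1
    "000fac04"                    # group cipher: CCMP-128
    "0100" "000fac04"             # one pairwise cipher: CCMP-128
    "0200" "000fac02" "000fac08"  # two AKMs: PSK and SAE
    "8000"                        # capabilities: MFPC set, MFPR clear
)
SAE_ONLY_IE = bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04"
    "0100" "000fac08"             # single AKM: SAE
    "c000"                        # MFPC and MFPR both set, as WPA3-only requires
)

if __name__ == "__main__":
    for label, ie in (("transition", TRANSITION_MODE_IE), ("sae-only", SAE_ONLY_IE)):
        info = parse_rsn_ie(ie)
        print(label, info.akm_suites, "PMF required:", info.mfp_required, assess(info))
```

Run against the RSN element of each beacon in a site survey, the check gives a per-AP list of which networks still expose a PSK handshake and which accept unprotected disconnect frames; the fix for both findings is to move clients off WPA2 and switch the AP to WPA3-only with PMF required.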
You can see that, unlike WPA2, it uses 4 messages for the handshake (WPA2 uses 3),
because WPA3 uses a handshake called Dragonfly.
To crack WPA3, we can't crack the Dragonfly handshake itself, but we can use a
security hole called a downgrade attack.
So, we will configure a fake access point that broadcasts the same BSSID and channel but
with the WPA2 protocol.
This access point will help capture the WPA2 handshake from a client that
remembers the network as having the WPA3 protocol.
Here, you can see it just supports WPA2.
The next step is like the WPA2 cracking: we send the deauth, the client reconnects
to the access point, and we get the handshake.
Here you can see it just sends 2 messages for the handshake (not 4 like above), because there
is no WPA3 protocol.
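The reconnection step above works because a client in transition mode accepts a forged deauthentication frame. Where PMF is required the frame is simply rejected; on every other network, the observable symptom is a burst of deauthentication or disassociation frames, often addressed to the broadcast address, from one source. The following is an added example, not code from the report or any wireless IDS product: a small sliding-window detector over decoded management-frame records, run on a constructed sample (made-up MAC addresses and timestamps) in which one AP sends a single ordinary unicast deauth and a second source emits a burst of fifteen broadcast deauths in under half a second.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}

# Constructed records: (timestamp in seconds, frame subtype, source MAC, destination MAC),
# the shape a monitor-mode capture yields after decoding. All addresses are made up.
AP_A = "aa:bb:cc:dd:ee:01"
AP_B = "aa:bb:cc:dd:ee:02"
CLIENT = "11:22:33:44:55:66"

SAMPLE_FRAMES = (
    [(0.00, "beacon", AP_A, BROADCAST), (0.10, "beacon", AP_B, BROADCAST)]
    + [(1.00, "deauth", AP_A, CLIENT)]                                   # one unicast deauth
    + [(2.00 + i * 0.03, "deauth", AP_B, BROADCAST) for i in range(15)]  # spoof-style burst
    + [(3.00, "beacon", AP_B, BROADCAST)]
)


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return alerts as (kind, source MAC) tuples, in the order they fire.

    'broadcast-disconnect': a deauth/disassoc addressed to every client at once.
    'disconnect-flood': at least `threshold` disconnect frames from one source
    inside a `window_s`-second sliding window.
    Each kind fires at most once per source so a burst yields one alert, not hundreds.
    """
    recent = defaultdict(deque)   # source MAC -> timestamps inside the window
    alerted = set()
    alerts = []

    def raise_once(kind, src):
        if (kind, src) not in alerted:
            alerted.add((kind, src))
            alerts.append((kind, src))

    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        if dst == BROADCAST:
            raise_once("broadcast-disconnect", src)
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            raise_once("disconnect-flood", src)
    return alerts


if __name__ == "__main__":
    for kind, src in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT {kind}: source {src}")
```

The threshold and window are tuning knobs: an access point legitimately deauthenticates clients one at a time, so a unicast deauth every now and then is noise, while tens of frames per second to broadcast almost never is. Detection is the fallback; requiring PMF removes the problem.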
➔ Note: 8 8 are the minimum and maximum length of the password; B.1234 is the
character set that appears in the password.
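The note above describes a mask attack with a fixed length and a small character set, and the size of that search space is what decides whether a captured WPA2 handshake is recoverable in minutes or in centuries. The following is an added example, not the report's own code or part of hashcat: it computes the keyspace of a hashcat-style mask (built-in classes ?l ?u ?d ?s ?a and caller-supplied custom classes ?1..?4, with the class sizes hashcat uses) and the time to exhaust it at an assumed guess rate, so a network owner can test a passphrase policy against an attacker budget. The guess rate and the masks are illustrative parameters, not measurements.

```python
import string

# Character classes with the same membership as hashcat's built-in ?l ?u ?d ?s ?a.
BUILTIN_CLASSES = {
    "l": string.ascii_lowercase,          # 26
    "u": string.ascii_uppercase,          # 26
    "d": string.digits,                   # 10
    "s": " " + string.punctuation,        # 33 printable specials including space
}
BUILTIN_CLASSES["a"] = "".join(BUILTIN_CLASSES[k] for k in "luds")  # 95 printable ASCII


def expand_charset(spec: str, custom: dict = None) -> set:
    """Expand a charset spec such as '?d' or 'abc?l' into the set of characters it covers."""
    custom = custom or {}
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            key = spec[i + 1]
            if key == "?":
                chars.add("?")                     # '??' is a literal question mark
            elif key in BUILTIN_CLASSES:
                chars.update(BUILTIN_CLASSES[key])
            elif key in custom:
                chars.update(expand_charset(custom[key], custom))
            else:
                raise ValueError(f"unknown class ?{key}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def position_sizes(mask: str, custom: dict = None) -> list:
    """Number of candidate characters at each position of the mask."""
    custom = custom or {}
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            key = mask[i + 1]
            if key == "?":
                sizes.append(1)
            elif key in BUILTIN_CLASSES:
                sizes.append(len(BUILTIN_CLASSES[key]))
            elif key in custom:
                sizes.append(len(expand_charset(custom[key], custom)))
            else:
                raise ValueError(f"unknown class ?{key}")
            i += 2
        else:
            sizes.append(1)                        # literal character
            i += 1
    return sizes


def keyspace(mask: str, custom: dict = None, min_len: int = None, max_len: int = None) -> int:
    """Candidates covered by the mask; with min_len/max_len the mask is truncated to each
    length in that range and the sizes summed (increment mode, the '8 8' of the note)."""
    sizes = position_sizes(mask, custom)
    min_len = len(sizes) if min_len is None else min_len
    max_len = len(sizes) if max_len is None else max_len
    total = 0
    for n in range(min_len, max_len + 1):
        product = 1
        for s in sizes[:n]:
            product *= s
        total += product
    return total


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000   # assumed guesses per second, an illustrative figure only
    for mask in ("?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        space = keyspace(mask)
        print(f"{mask:32} {space:>26,d} candidates  {seconds_to_exhaust(space, rate) / 86400:>14,.1f} days")
```

The eight-digit policy of the note is a hundred million candidates, a figure that falls in minutes at any realistic rate; eight characters from the full printable set is 95^8, and each extra position multiplies the cost again, which is why length and an unrestricted character set matter far more for a WPA2-PSK than any per-guess cost of the handshake itself.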