Authentication Code Protocol, Counter Mode CBC-MAC Protocol, or CCM mode protocol (CCMP). Unfortunately, the one that is using WPA and not WPA2 is not one of my networks, so I can’t do any testing on it. Instead, we’re going to be using an AP I own that isn’t being used for anything other than testing. We’ll use besside-ng to attempt to crack the authentication for that BSSID. You need to use -b with the BSSID, as you can see in Example 7-7. You also need to specify the interface used. You’ll see wlan0mon is used, but in order to use it, I stopped airmon-ng.
Example 7-7. Using besside-ng to automatically crack passwords

yazpistachio:root~# besside-ng -b 50:C7:BF:82:86:2C wlan0mon
[19:55:52] Let's ride
[19:55:52] Resuming from besside.log
[19:55:52] Appending to wpa.cap
[19:55:52] Appending to wep.cap
[19:55:52] Logging to besside.log
UNHANDLED MGMT 10cking [TP-Link_862C] WPA - PING
UNHANDLED MGMT 10cking [TP-Link_862C] WPA - PING
UNHANDLED MGMT 10cking [TP-Link_862C] WPA - PING
UNHANDLED MGMT 10cking [TP-Link_862C] WPA - PING
UNHANDLED MGMT 10cking [TP-Link_862C] WPA - PING
UNHANDLED MGMT 10cking [TP-Link_862C] WPA - PING
UNHANDLED MGMT 10cking [TP-Link_862C] WPA - PING
[19:55:59] \ Attacking [TP-Link_862C] WPA - DEAUTH
You’ll see from the example that besside-ng is sending a DEAUTH. This is a deauthentication message. It’s used to force clients to reauthenticate in order to collect the authentication message. Once the authentication message has been collected, the program can perform a brute-force attack in order to determine the passphrase or authentication credentials used. We are attacking a WPA2-encrypted network, but if we had found a WEP-encrypted network, we could have used wesside-ng.
A deauthentication attack can also be used as a denial of service. By injecting deauthentication messages to the network, an attacker can force a client off the network. By continually repeating the deauthentication message, the client may be stuck in an authentication/deauthentication cycle and never be able to get on the network.
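The deauthentication flood just described is exactly what a wireless intrusion detection sensor watches for; as an added example (not from the book or from the aircrack-ng suite), here is a small Python detector that parses raw 802.11 management frames, counts deauthentication frames per BSSID in a sliding time window, and flags a flood. The frames, the station address, the window and the threshold are all constructed for the demo; only the BSSID is the one from Example 7-7.

```python
import struct
from collections import defaultdict, deque

DEAUTH = 12   # 802.11 management frame subtype 12 = deauthentication

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed 802.11 management frame: FC (type 0), duration, 3 addresses, seq ctrl, body."""
    hdr = struct.pack("<BBH", subtype << 4, 0, 0) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    return hdr + struct.pack("<H", 0) + body

def parse_mgmt_frame(raw):
    """Return (subtype, addr1, addr2, bssid, reason) for a management frame, else None."""
    if len(raw) < 24 or ((raw[0] >> 2) & 0x3) != 0:      # type field must be 0 (management)
        return None
    subtype, reason = raw[0] >> 4, None
    if subtype == DEAUTH and len(raw) >= 26:
        reason = struct.unpack("<H", raw[24:26])[0]      # deauth body is a 2-byte reason code
    return subtype, mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]), reason

def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_frame). Flags a BSSID the first time more than
    `threshold` deauth frames fall inside a `window_s` sliding window -> {bssid: alert_time}."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] != DEAUTH:
            continue
        q = recent[parsed[3]]
        q.append(ts)
        while ts - q[0] > window_s:                      # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and parsed[3] not in alerts:
            alerts[parsed[3]] = ts
    return alerts

AP, STA = "50:c7:bf:82:86:2c", "02:00:00:00:00:01"   # BSSID from Example 7-7; constructed station

def sample_capture():
    """Constructed capture: one beacon, one ordinary deauth (reason 3), then a 15-frame burst."""
    frames = [(0.0, build_mgmt_frame(8, "ff:ff:ff:ff:ff:ff", AP, AP)),
              (1.0, build_mgmt_frame(DEAUTH, STA, AP, AP, struct.pack("<H", 3)))]
    frames += [(10.0 + i / 20, build_mgmt_frame(DEAUTH, STA, AP, AP, struct.pack("<H", 7)))
               for i in range(15)]
    return frames
```

A single deauthentication (a client roaming away) stays below the threshold, while the burst trips the alert on its eleventh frame; on networks where the AP and clients enable 802.11w Protected Management Frames, forged deauthentication frames are discarded in the first place.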
coWPAtty
Another program we can use to try to crack passwords is cowpatty. This is styled coWPAtty, to make it clear it’s an attack against WPA passwords. What cowpatty needs in order to crack the password is a packet capture that contains the four-way handshake used to set up the encryption key for encrypting the transmission between the AP and the station. You can get a packet capture including the relevant frames by using airodump-ng or kismet. Either will generate a packet capture file (.cap or .pcap)