Cracking Your Neighbor's Wi-Fi for $180

by zeitgeist

Back in the day, when wardriving was still a thing, Wi-Fi networks were not as common as today and a lot of them were open.  Wireless security was in its infancy and WEP was - if at all - used as a security measure so that not every random stranger would hop on your network.  I remember driving around the city with my buddy Mac in the car, the Orinoco Gold card in the laptop and an antenna on the roof of the car, trying to find Wi-Fi networks.  These were the good old days.

But I am not one to look back and wish for these old days back.  I am glad that almost all wireless networks are now secured with WPA2 or (especially in corporate environments) even better means of security.  But your neighbor's Wi-Fi will most probably just have WPA2 as a security measure in place and it's leaking its radio waves into your apartment.  So why not try to have fun with it from the comfort of your couch?  Of course, you will inform your neighborhood buddy who owns the Wi-Fi that you are trying to crack before starting.  Do not attempt anything illegal - circumvention of a security measure is in most jurisdictions a felony of some kind.

But how do you attack a WPA2 encrypted network?  Fortunately, it's much more difficult than attacking a Wi-Fi network secured with WEP, which only takes seconds to decode after sniffing the traffic for a couple of minutes.  Let's take a look at the theory of how WPA2 secures your network before attempting to pry it open.

When a client joins a WPA2 encrypted network and the secure connection is established, a process called the four-way-handshake is initiated.  This four-way-handshake is initiated for two reasons, the first reason being so that client and access point can prove to each other that they know the password to the Wi-Fi network - more commonly known as the Pre-Shared Key (PSK) - without ever transmitting the PSK itself.  The second reason is to negotiate the WPA encryption keys which are used for the secure communication between access point and client for the duration of the session, i.e., for the duration that the client is on the network.  Once the four-way-handshake is successfully completed, a client is said to be authenticated for the network and can start sending and receiving packets to and from the access point.  The four-way-handshake is always initiated by the access point, not the client.  This will become important later.

The four-way-handshake can easily be sniffed by an attacker that is in range of the wireless signals of the network.  It is merely four packets being transmitted over the air between client and access point.  Once an attacker has sniffed and recorded these four packets, they can be cracked by means of dictionary or brute force in order to get the PSK.
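To make the two paragraphs above concrete, here is an added example (not code from the article or from any tool it mentions) of the key derivation the four-way-handshake relies on, following IEEE 802.11i: PBKDF2 turns the PSK into the PMK, the PRF mixes in the two MAC addresses and the two nonces to get the PTK, and the first 16 bytes of the PTK (the KCK) authenticate the handshake frames via a MIC.  The passphrase, SSID, MAC addresses, nonces and the EAPOL-Key frame are all constructed here.  The point for a defender: every input except the PSK is sent in the clear, so a recorded handshake can be checked against guesses offline, and the fixed 4096 PBKDF2 rounds per guess are the only cost standing between a weak passphrase and a successful dictionary attack.

```python
import hashlib
import hmac

# IEEE 802.11i parameters: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PMK; the Key MIC
# field starts at byte 81 of an EAPOL-Key frame and is 16 bytes long.
PBKDF2_ROUNDS, PMK_LEN, MIC_OFFSET = 4096, 32, 81

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK. The SSID is the salt, so one passphrase gives a different PMK per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, PMK_LEN)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: four HMAC-SHA1 blocks with a counter byte appended, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK plus the four public values seen on the air; the KCK is PTK[:16]."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP Key MIC (descriptor version 2): HMAC-SHA1 over the frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def constructed_message2(snonce: bytes) -> bytes:
    """A minimal, constructed EAPOL-Key message 2 (no key data): EAPOL header, descriptor,
    key info, key length, replay counter, SNonce, IV/RSC/ID, empty MIC, key data length."""
    body = b"\x02\x01\x0a\x00\x00" + (1).to_bytes(8, "big") + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00"
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body

def ap_accepts(passphrase, ssid, ap_mac, sta_mac, anonce, frame):
    """The AP's check on message 2: rebuild the PTK from its own PSK and the nonces,
    recompute the MIC and compare it with the one carried in the frame."""
    snonce = frame[17:49]  # nonce field of the EAPOL-Key frame
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])

def demo(passphrase="correct horse battery", ssid="ConstructedNet"):
    """Constructed handshake: the client signs message 2 with the real PSK; the AP
    accepts it, and the same frame fails when checked against a wrong PSK."""
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    unsigned = constructed_message2(snonce)
    signed = unsigned[:MIC_OFFSET] + eapol_mic(kck, unsigned) + unsigned[MIC_OFFSET + 16:]
    return (ap_accepts(passphrase, ssid, ap_mac, sta_mac, anonce, signed),
            ap_accepts("wrong passphrase", ssid, ap_mac, sta_mac, anonce, signed))
```

The PMK derivation can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE"); the PSK itself never appears in any of the frames, only the MIC derived from it.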

As an attacker, you now have to just sit and wait for a new client to join the network you try to attack.  When you are dealing with your neighbor's Wi-Fi, you can just sit on the couch and wait, but it might be a while.

In 2016, a group of Belgian researchers came up with a way of increasing the likelihood of an attacker being able to sniff the initial four-way-handshake.  They do this by watching already authenticated clients on the wireless network and sending back a fabricated third step of this four-way-handshake on behalf of the client.  This will deauthenticate that particular client from the network.  Once the access point notices this, it will start to re-initiate the four-way-handshake with this client, thus increasing the likelihood of a four-way-handshake being sniffed by an attacker.

There are a number of tools with which you can catch these four-way-handshakes and also deauthenticate clients from the network.  The most common ones that I have seen are Kismet, Airodump-ng, or Wireshark.  But I have come to love the versatility and flexibility of using Bettercap.  Bettercap is like a Swiss Army knife for performing attacks on all kinds of networks - wired and wireless.  Bettercap also offers the possibility to deauthenticate clients from the network, but it is a manual process.  The creator of Bettercap has come up with a fun tool called Pwnagotchi, which uses AI to carry out the attack using the scripting capabilities of Bettercap.  On top of that, it offers a fun interface, and you can carry it around just like a Tamagotchi (if you remember those from the time when wardriving was still a thing).  Sniffing the four-way-handshakes with Pwnagotchi is really fun and effortless.  Wardriving now becomes warwalking, with the added benefit of capturing four-way-handshakes while walking around your neighborhood.  It's also good for your health to take long walks!

The next step after acquiring the four-way-handshakes is to crack these.  Brute-force cracking or performing dictionary attacks is no fun on regular machines that you normally have available.  If you are into serious cryptomining, then you might have a machine in your basement that you can use for that, but for everyone else, there is the joy of cloud computing.

Using AWS, there are special instances that have GPU cards available to them.  I would recommend going with a "p3.16xlarge" instance in order to get the most out of your cracking.  Be careful though: you get the power of eight GPUs with 128 GB GPU RAM (and 64 regular CPUs and 488 GB RAM, but we are not interested in that) for $24.48 per hour.  So keep an eye on those machines and spin them down as soon as you do not need them any longer.

Once you have spun up this wonderful piece of virtual hardware with your choice of a Linux operating system (the following tutorial assumes Ubuntu, but should be easily adaptable to any flavor), you will need to install some additional software on it.

Install packages to compile and build packages on your machine:

$ sudo apt-get update && sudo apt-get install -y build-essential

Next, download and install the Nvidia Tesla drivers (please note that the URLs might be different, depending on when you read this article):

$ wget http://us.download.nvidia.com/tesla/410.104/NVIDIA-Linux-x86_64-418.87.run
$ sudo /bin/bash NVIDIA-Linux-x86_64-418.87.run --ui=none --no-questions --silent -X

You can verify that things are working as they should:

$ sudo nvidia-smi

You should be getting some output that represents the number of virtual GPUs that you have available.

We are going to perform the attack using the Hashcat utility.  So, we need to download it from their site and extract it:

$ wget https://hashcat.net/files/hashcat-5.1.0.7z
$ 7za x hashcat-5.1.0.7z

Pwnagotchi captures the packets which contain the handshakes in the standard PCAP file format.  Hashcat does not directly understand the PCAP files that you have now - they need to be converted to the HCCAPX format.  The simplest way of doing this is through a convenient website that the Hashcat people provide; it will also tell you whether the handshakes found in there are any good: hashcat.net/cap2hccapx/

Once the HCCAPX file is available on the system and Hashcat is installed on your AWS instance you can perform different types of attacks on it.  A very basic dictionary attack with a wordlist would be done in the following way (where capture.hccapx is the converted PCAP file and rockyou.txt is the file of your wordlist):

$ hashcat -m 2500 capture.hccapx rockyou.txt

If you are just a script kiddie who does not care about the inner workings of the wonderful Hashcat utility, then the tool Naive Hashcat is for you.  It will take care of everything for you by making educated guesses about how to crack your captured data.

Clone it:

$ git clone https://github.com/brannondorsey/naive-hashcat
$ cd naive-hashcat

Download a pretty good dictionary file to feed to Naive Hashcat:

$ curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Start the cracking:

$ HASH_FILE=capture.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Now I would suggest running the above command in some form of virtual terminal that you can disconnect from.  I like to use tmux for this.  Once the job is started, go out and kill some time because this surely takes some.

When done, the password will appear in the file hackme.pot.  It's a colon-separated list with one wireless network per line; the last column of every line contains the password to the wireless network you have attacked, if it was successfully cracked.

During my testing in preparation of this article, the process of cracking took a little more than six hours, which left me with an AWS bill of roughly $180.  You will have to decide yourself if spending this amount is worth the result that you get out of it... just be sure to power the AWS instance down again after you are done with your experiment, otherwise you will lose some serious money.

Big shout outs to my buddy macglove!
