Wireless WiFi network password cracking attack and defense and principle detailed explanation

Everyone must have had this experience: the wireless network at home seems to be slow. "Is someone using my network?" "Sometimes we also want to try to use other people's networks when we go out." The premise of "using the network" here is to crack the other party's "wireless password". So is this "wireless password" safe? What is its technical principle? How should we prevent others from "using the network"?

[[261859]]

Today, we will use this article to sort out the "Wireless WiFi network password cracking attack and defense and principles"!

1. WiFi encryption method

Here we will explain the WiFi encryption method of wireless routers.

The encryption modes currently available in wireless routers mainly include: WEP, WPA-PSK (TKIP), WPA2-PSK (AES) and WPA-PSK (TKIP) + WPA2-PSK (AES).

1. WEP (Wired Equivalent Privacy) (easily cracked)

WEP is short for Wired Equivalent Privacy, a security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. WEP is used to provide the same level of security as wired LANs. LANs are inherently more secure than WLANs because the physical structure of a LAN protects it, and burying part or all of the network inside a building can also prevent unauthorized access. WLANs that use radio waves do not have the same physical structure and are therefore vulnerable to attacks and interference. The goal of WEP is to provide security by encrypting data in radio waves as if it were sent end-to-end. The WEP feature uses the RC4PRNG algorithm developed by RSA Data Security. If your wireless base station supports MAC filtering, it is recommended that you use this feature along with WEP (MAC filtering is much more secure than encryption). Although the name suggests that this is a security option for wired networks, it is not.

The WEP standard was created in the early days of wireless networking with the goal of being an essential security layer for wireless local area networks (WLANs), but WEP's performance has undoubtedly been very disappointing. The root cause of this is a design flaw. In a system using WEP, data transmitted over a wireless network is encrypted using a randomly generated key. However, the method WEP uses to generate these keys was soon discovered to be predictable, making it easy for potential intruders to intercept and crack these keys. Even a moderately skilled wireless hacker can quickly crack WEP encryption in two to three minutes.

IEEE802.11's dynamic Wired Equivalent Privacy (WEP) mode was designed in the late 1990s, when powerful encryption technology was used as an effective weapon under strict export restrictions from the United States. Wireless network products were banned from export due to the fear that strong encryption algorithms could be cracked. However, just two years later, the dynamic Wired Equivalent Privacy mode was found to have serious shortcomings. But the mistakes of the 1990s should not be regarded as a hindrance to wireless network security or the IEEE802.11 standard itself. The wireless networking industry could not wait for the Institute of Electrical and Electronics Engineers to revise the standard, so they introduced the Dynamic Key Integrity Protocol TKIP (a patched version of Dynamic Wired Equivalent Privacy).

Although WEP has been proven to be outdated and ineffective, it is still supported as an encryption mode in many modern wireless access points and wireless routers today. Not only that, it is still one of the most widely used encryption methods by individuals or companies. If you are using WEP encryption, if you are very serious about the security of your network, then try not to use WEP in the future, because it is really not very secure.

2. WPA-PSK (TKIP) (more secure, but can also be cracked)

The initial security mechanism used by wireless networks was WEP (Wired Equivalent Privacy), but it was later discovered that WEP was very unsafe, so the 802.11 organization began to develop a new security standard, which was later called the 802.11i protocol. However, it takes a long time from the formulation of the standard to its final release, and considering that consumers will not abandon their original wireless devices for the sake of network security, the Wi-Fi Alliance developed a security mechanism called WPA (Wi-Fi Procted Access) based on the 802.11i draft before the standard was launched. It uses TKIP (Temporary Key Integrity Protocol), and the encryption algorithm it uses is still the encryption algorithm RC4 used in WEP, so there is no need to modify the hardware of the original wireless device. WPA targets the problems in WEP: IV is too short, key management is too simple, and there is no effective protection for message integrity, and improves network security through software upgrades.

The emergence of WPA provides users with a complete authentication mechanism. The AP decides whether to allow the user to access the wireless network based on the user's authentication result. After successful authentication, the encryption key of each access user can be dynamically changed according to multiple methods (the number of transmitted data packets, the time when the user accesses the network, etc.). In addition, the data packets transmitted by the user in the wireless are encoded with MIC to ensure that the user data will not be changed by other users. As a subset of the 802.11i standard, the core of WPA is IEEE802.1x and TKIP (Temporal Key Integrity Protocol).

WPA takes into account the different security needs of different users and applications. For example, enterprise users need very high security protection (enterprise level), otherwise very important business secrets may be leaked; while home users often only use the network to browse the Internet, send and receive e-mails, print and share files, and these users have relatively low security requirements. In order to meet the needs of users with different security requirements, WPA stipulates two application modes: enterprise mode and home mode (including small office). According to these two different application modes, WPA authentication also has two different methods.

For large-scale enterprise applications, the "802.1x+EAP" method is often used, and users provide the credentials required for authentication. However, for some small and medium-sized enterprise networks or home users, WPA also provides a simplified mode that does not require a dedicated authentication server. This mode is called "WPA Pre-Shared Key (WPA-PSK)", which only requires a key to be pre-entered in each WLAN node (AP, wireless router, network card, etc.). This key is only used for the authentication process, not for the encryption of transmitted data. The key for data encryption is dynamically generated after successful authentication. The system will ensure "one user, one password", and there is no situation where the entire network shares an encryption key like WEP, thus greatly improving the security of the system.

3. WPA2-PSK (AES) (higher security, more difficult to crack)

After the release of 802.11i, the Wi-Fi Alliance launched WPA2, which supports AES (Advanced Encryption Algorithm), so it requires new hardware support, and uses CCMP (Counter Mode Cipher Block Chaining Message Integrity Protocol). In WPA/WPA2, the generation of PTK depends on PMK, and PMK is obtained in two ways, one is in the form of PSK, which is a pre-shared key, in which PMK=PSK, and in the other way, the authentication server and the site need to negotiate to generate PMK.

IEEE802.11 sets technical standards, while Wi-Fi Alliance sets commercial standards. The commercial standards set by Wi-Fi are basically in line with the technical standards set by IEEE. WPA (Wi-Fi Protected Access) is actually a security standard set by the Wi-Fi Alliance. The purpose of this commercial standard is to support the technology-oriented security standard IEEE802.11i. WPA2 is actually the second version of WPA. The reason why there are two versions of WPA is the commercial operation of the Wi-Fi Alliance.

We know that the purpose of establishing the 802.11i task force is to create a more secure wireless LAN, so two new security encryption protocols are standardized in the encryption project - TKIP and CCMP (some wireless network devices will use AES, AES-CCMP to replace CCMP). Although TKIP has made major improvements to the weaknesses of WEP, it retains the RC4 algorithm and basic architecture, which means that TKIP also has the weaknesses implied by RC4 itself. Therefore, 802.11i creates a new encryption protocol - CCMP, which is more secure and more suitable for use in wireless LAN environments. So before CCMP is ready, TKIP has been completed. However, it may take some time to release the complete IEEE802.11i standard after CCMP is completed. In order to deploy the new security standard as soon as possible to eliminate users' concerns about the security of wireless LANs and expand the wireless LAN market rapidly, the Wi-Fi Alliance used the IEEE802.11i third draft (IEEE802.11idraft3) that had already completed TKIP as a benchmark to develop WPA. After IEEE completed and published the IEEE802.11i wireless LAN security standard, the Wi-Fi Alliance also published WPA version 2 (WPA2). WPA=IEEE802.11idraft3=IEEE802.1X/EAP+WEP (optional item)/TKIPWPA2=IEEE802.11i=IEEE802.1X/EAP+WEP (optional item)/TKIP/CCMP

4. The last encryption mode is WPA-PSK (TKIP) + WPA2-PSK (AES)

This is the highest encryption mode in wireless routers. Due to compatibility issues, this encryption mode has not been used by many users. The most widely used encryption modes are WPA-PSK (TKIP) and WPA2-PSK (AES). I believe that after encryption, the wireless network will allow our users to surf the Internet with peace of mind. Therefore, this method is very secure, but considering compatibility issues, it has not been widely used.

2. Methods for cracking passwords for WiFi networks

1. Mainstream methods:

• A cracking method that does not require any technical skills can be used to hack into the Internet using software such as "WiFi Master Key" on a mobile phone.
• After capturing the handshake packet between the client and the target WiFi, a brute force crack based on the password dictionary is implemented. The success rate depends on the password strength of the target WiFi, the size or accuracy of the dictionary, and the computing performance of the machine implementing the brute force crack.
• On a WiFi with the wps function enabled, use the PIN code guessing method to obtain the WiFi password.

2. Principle:

The real principle of "WiFi Master Key" type apps is to collect the WiFi accounts and passwords that have been successfully connected on the user's mobile phone, upload and store them on the App's server, and when nearby freeloaders search for the same network, the App can automatically match and obtain the corresponding password from the server based on the configuration information of the nearby hotspots, and send it to the mobile phone through data traffic, thus completing the WiFi connection.

(1) Principle of brute force cracking

Ordinary wireless routers generally use WPA, WPA2 or WEP for encryption. WEP is too insecure and can be easily cracked, so it has been basically cancelled on current wireless routers. Therefore, the WiFi we searched for to be cracked is basically encrypted by WPA or WPA2. As for WPA authentication using an authentication server (such as RADIUS), it is basically impossible in the field of personal wireless WiFi, so the WiFi we usually searched for to be cracked is WPA or WPA2 encrypted WiFi based on local passwords.

The basic principle of cracking the WiFi network encrypted by wpa and wpa2 is generally speaking that we need to first collect the information of the target WiFi in the wireless network card monitoring mode, such as ssid (WiFi name), BSSID (that is, the MAC of the target WiFi wireless router), the connected client mac, signal strength and other information. Then send a forged disassociation data packet to force the client connected to the WiFi to disconnect from the WiFi. The key point is that after the connection is disconnected, the client will try to initiate a connection to the WiFi network again. At this time, the client will send a data packet with an authentication password to request to reconnect to the WiFi. This packet is commonly known as a handshake packet. At this time, our attack machine uses the attack program and the wireless network card to monitor and capture this handshake packet. This handshake packet contains the WiFi password, but this password is of course encrypted, so we need to use the attack program to call the password dictionary in combination with the obtained BSSID, client MAC and other information for calculation, and continuously calculate each password in the dictionary until there is a password that can use the wpa algorithm to calculate an encrypted string consistent with the captured handshake packet. This is the password of the target WiFi. If after counting every password in the dictionary, there is still no one that matches the encrypted string of the captured handshake packet, the cracking fails, exit, construct a new dictionary and try again.

(2) Decrypt WiFi password using pin code

The wps function was enabled on early wireless routers. Simply put, this function is to facilitate the device to connect to WiFi, without the tedious input of the password every time. The client can quickly associate the router WiFi through the pin code. The original intention of the design of the wps function was to facilitate users to connect to WiFi, but it has become the most effective means to crack WiFi, because the 8-digit pure digital pin code has a maximum of 100 million possible combinations, and since the last digit is the checksum of the first seven digits, only the first seven digits need to be guessed, and the number of possible combinations is only 10 million. In addition, since the error message returned when the first 4 digits of the pin code are wrong and the error message returned when the last three digits are wrong when sending the pin code to connect to WiFi are different, you only need to guess the first four digits first, and then guess the last three digits if the first four digits are correct. After all are correct, the checksum of the last digit can be automatically calculated, so in reality, you only need to guess 10,000+1,000 combinations at most. Generally, we try a pin code in 2 seconds, so theoretically, it takes up to 6 hours to guess the pin code of the target router and obtain the WiFi password.

It should be noted that although the pin code is considered to be the most effective method of WiFi cracking, it is not easy to implement in practice. First, the problem of the insecurity of the pin code has been widely recognized by wireless router manufacturers, so the wireless routers purchased nowadays have basically cancelled this wps function. Second, during the pin process, you need to continuously send the pin code to the target router for attempts, and the other router must return a response message. Sometimes, due to the instability of the router itself or the performance of the router, the router is pinned to death without us knowing it, making it impossible to continue guessing or the router will automatically rest for a period of time after receiving too many wrong pin codes, and will not receive pin codes during this period, which makes our pin code guessing too long and meaningless.

3. Example of cracking process

1. Prepare tools

• notebook
• USB wireless network card (required)
• Kali system
• Password Dictionary

2. The first method: brute force cracking

What is brute force cracking? It actually means trying passwords one by one until the correct password is found.

Nowadays, WiFi is generally encrypted as follows:

• WEP (Wired Equivalent Privacy) - uses WEP 64-bit or 128-bit data encryption.
• WPA-PSK[TKIP]——WI-FI protected access with pre-shared key, using WPA-PSK standard encryption technology, and the encryption type is TKIP.
• WPA-PSK[TKIP]+WPA2-PSK[AES]—Allows the client to use WPA-PSK[TKIP] or WPA2-PSK[AES].

3. Start the experiment:

(1) First step

Enter kali and enter the following in the terminal

 airmon-ng

List network card information

(2) Step 2

enter:

 airmon-ng start wlan0

Enable network card monitoring

You can use the ifconfig command to view the network card information:

 ifconfig

You can see that the name of the network card has changed.

(3) Step 3

 airodump-ng wlan0mon

Scan wifi signal

Here I use my own home wifi to do the experiment

(4) Step 4

As can be seen from the figure above

BSSID is 50:3A:A0:33:B2:8C Channel (CH) is: 2

enter:

 airodump-ng -w freedom -c 2 --bssid 50:3A:A0:33:B2:8C wlan0mon --ignore-negative-one

Grab the handshake package

• -c: specify channel
• -w: specifies the storage location or name of the captured handshake packet. freedom is the name of the handshake packet that will be captured later.
• --bssid: Specify the router's MAC

(5) Step 5

Open another terminal and enter the command:

 aireplay-ng – -deatu 10 -a router MAC -c client MAC  
 wlan0mon – -ignore-negative-one

Use the airplay-ng tool to force disconnect the device that is already connected to the wifi and reconnect to the router to capture the data packets.

• –deatu: specifies the number of anti-authentication packets to send. You can also use -0 (Alibaba number 0) to specify the number of anti-authentication packets.
• -a: Specify the router's MAC
• -c: Specify the client's MAC

(6) Step 6

Cracking the handshake packet

 aircrack-ng -a -w dict freedom-*.cap

• -a1: Specify WEP encryption method
• -a2: Specify WPA-PSk encryption mode
• dict: the name of the dictionary
• freedom-*.cap: handshake package

This is my wifi password

The cracking is complete, and success depends on a strong dictionary and luck.

4. Second method

(1) First step

Wash scans the network with WPS turned on

 wash -i wlan0mon [-C]

Since there is no Wi-Fi with WPS function turned on around, the above picture will appear. Don't be anxious at this time, because some of them are hidden, so let's go directly.

Use the previous command to scan wifi:

 airodump-ng wlan0mon

See the MAC circled by the editor? Select a wifi cracker with an absolute value of PWR less than 70

(2) Step 2

Choosing a Router

I have selected the wifi named: FAST_F70E

This is it: E4:D3:32:7F:F7:0E -45 2 0 0 6 54e. WPA2 CCMP PSK FAST_F70E

Then the command is as follows:

 reaver -i mon0 -b E4:D3:32:7F:F7:0E -a -S -vv

E4:D3:32:7F:F7:0E This mac is changed according to the mac of the router. The mac of the wifi I cracked is E4:D3:32:7F:F7:0E

As shown in the figure, it can be cracked and the wps function is enabled

If the above picture appears, it means that the crack cannot be cracked. Try another wifi to crack it.

This means it's cracked.

Note:

• If the password has been changed and you know the PIN code of his wifi, use the following command: reaver-i mon0 -b MAC -p PIN
• The pin code has 8 digits: so it is 10 to the 8th power, which requires 1000000000 times
• There are also restrictions on pinning in this way. For example, the router to be pinned must have the wps function enabled; it seems that many routers now have anti-pin or 300-second pin limits.
• Some router PIN codes can be obtained by calculation: For Tenda and Leco products, if the router MAC address starts with "C83A35" or "00B00C", the PIN value can be directly calculated.
• For example: bssid: Tenda_579A18 mac: C8:3A:35:57:9A:18 Use a calculator to convert the last 6 digits of the mac into a decimal number, and you get 5741080 (the first 7 digits of the pin code). Try up to 10 times or use software to get the router pin code!

This command is recommended for cracking:

 reaver -i mon0 -b E4:D3:32:7F:F7:0E -a -S –d9 –t9 -vv

Because the –d9 –t9 parameters can prevent the router from being pinned.

4. How to prevent being hacked

(1) You can set a complex password that contains characters, symbols, and numbers. The length of the password should be set to more than 12 characters. The more complex the wireless password is, the more difficult it is for the other party to crack it. The encryption method is WPA-PSK/WPA2-PSK encryption.

(2) Hide your wireless network name.

After we hide the wireless authentication, others cannot find our network connection point, so they cannot connect to our network. Click the wireless basic settings in the upper left corner of the router page. On the right side, you can see an SSID service broadcast. Uncheck the previous one and click Save below. Then you can hide the wireless signal.

(3) Set up a whitelist, enable the MAC address filtering function, and manually add the MAC addresses of your home Internet access devices. In this case, even if someone cracks the WIFI password, they will not be able to access the Internet.