Pass Your ECCouncil CEH Certification Easy!

Prepare with top-notch ECCouncil CEH certification practice test questions and answers, vce exam dumps, study guide, video training course from ExamCollection. All ECCouncil CEH certification exam dumps & practice test questions and answers are uploaded by users who have passed the exam themselves and formatted them into vce file format.

Network Hacking - Gaining Access - WPA/WPA2

1. Introduction to WPA and WPA2 Cracking

In the previous lectures, we saw how to crack the WEP encryption in minutes, even if the target network is not busy. Now, in the next lectures, we will talk about cracking WPA and WPA Two. First of all, before we even start talking about how to crack these encryptions, it is very important to understand that both of them are very, very similar. The only difference between them is the encryption used to ensure message integrity. WPA uses TKIP, and WPA 2 uses an encryption called CCMP. In any case, this does not affect the methods that we're going to use to crack WPA and WPA Two. Therefore, all of the methods that I'm going to show you from now on will work on both WPA and WPA Two. Now, both of these encryptions came after WEP, and they were designed to address the weaknesses in it. Therefore, both of them are much more secure, and cracking them is more challenging. So before we start talking about how to crack them, I want to cover a feature that, if enabled and misconfigured, can be exploited to recover the key without having to crack the actual encryption. The feature is called WPS. It allows devices to connect to the network easily without having to enter the key for the network. So it was designed to simplify the process of connecting printers and such devices. You can actually see a WPS button on most wireless-enabled printers. If this button is pressed and then you press the WPS button on the router, you'll notice that the printer will connect to the router without you having to enter the key. This way, the authentication is done using an eight-digit digit Pin.So you can think of this as a password made up of only numbers, and the length of this password is only eight. So this actually gives us a relatively small list of possible passwords, and we can try all of these possible passwords within a relatively short time. Once we get this pin, it can be used to recover the actual WPA or WPA 2 key. So, as you can see with this method, we are not exploiting WPA or WPA Two; we are actually exploiting a feature that can be enabled on these encryptions. So for this to work, first of all, we need WPS to be enabled on the network because it can be disabled. Also, it needs to be misconfigured. As a result, it must be configured to use standard PIN authentication rather than push button authentication. If push button authentication is used, then the router will refuse any PINs that we try unless the WPS button is pressed on the router. Therefore, the method will not work if the push button, or PBC, is enabled. So in most modern routers, PBC is enabled by default and WPS is disabled by default. So this method might not work. But because WPA and WP2 are so secure and so challenging, it is always a good idea to check if WPS is enabled and try the method that I'm going to show you to crack the network. If it fails, then you can try the other methods that I'm going to show you after the next lecture.

2. Hacking WPA & WPA2 Without a Wordlist

Okay, now that we know what WPS is and how it can be used to recover the password for WPA and WPA2 networks, let's see how to do that in practice. So right here I have my calibre machine. I've already enabled Monitor Mode on my wireless adapter in 10. Now, usually we use Aerodump to see all the networks around us, but right now we want to see the networks that have WPS enabled because, like I said, it's just a feature and people can turn this feature off. So first of all, I'm going to use a tool called Wash to display all the networks around me that have WPS enabled. So we're going to do Wash interface and give it my interface in Monitor Mode, which is 10. So all we're doing is Wash is the nameof the tool interface to give it the interface,and 10 is my wireless adapter in Monitor Mode. If I hit Enter now, as you'll see, it will list my network straight away. Now, similar to Aerodoppng, I press Ctrl-C to cancel this because it will continue to run unless you cancel it. And as you can see, this is my target network. It's called TESTAP. It's given us the vendor of the hardware used in this network at this access point; the LCC tells us whether WPS is locked or not, because sometimes WPS locks after a number of failed attempts. So right now this says no, which means that we can actually go ahead and try to guess the version of WPS it's using. Version one, the signal strength is inhere, the channel and the BSSID. Now, I explained the meaning of all of these things before in my Aerodynamic NGV lecture, so I'm not going to talk about them. Now, if you forget the meaning of any of these terms, please go back to the aerodynamics lecture. Now, this network actually uses WPA 2. So just to confirm this to you, if I go here to my host machine and just try to connect to it, you'll see that it's telling me that this uses a WPA-2 password. But like I said, we don't care if it's WPA or WPA 2 because we're going to be exploiting a feature in these encryptions, which is the WPS feature. So now that we know our target network uses WPS, there's a good chance that this attack will work against it. The only reason it might fail is if the target uses PBC or pushbutton authentication. Like I said, if the target uses PBC, then it will refuse all the PINS unless the button is pressed on the router, and therefore this attack will fail. The only way to know is to literally try this attack and see if it works. So I'm going to copy the Mac address of this network or the BSSID, and the first thing that I'm going to do, similar to what we did with W EP, is to associate with the target network using a fake authentication attack. So basically I'll be saying, "I want to communicate with you; please don't ignore me" so that when I run the attack, the network will start accepting the pins and not ignore me. So to associate, we're going to use the exact same command that we used when we did it with WP. So we're going to use AirPlay. Ng. We're going to tell it I wantto run a fake authentication attack. We're going to give it that delay. So this is the time to wait between association attempts. Previously, we set it to zero, and we have to do this manually every now and then. Right now I'm going to set it to 30 so that we associate with the target network every 30 seconds. Then I'm going to do A to give it the Mac address of my target and DASH to give it the Mac address of my wireless adapter in monitor mode. And we see that we can get this by configuring and copying it from here. We said it's the first twelve digits, and I'll just replace the colon with the colon.And finally I'm going to give it the name ofmy wireless adapter in monitor mode, which is 10. So I explained this in details before; that's why I did it quickly. If you don't remember how I did this, pleasego back to the fake authentication attack lecture. So the command is ready now, but I'm not going to execute it. I'm going to go down to the bottom terminal and run Rever, which is the programme that will brute force the PIN for me. And only then will I associate with the target because, otherwise, a replay would have Ng fail to associate with my network. So I'm going to move to this terminal, right Here, I'm going to clear the screen and we're going to run Rever, which is the programme that's going to brute force the pin. So it's going to try every possible pin until it gets the right pin. Once it has the right pin, it will use it to compute the actual WPA key. So using Reverb is very, very simple. It's very similar to everything we've been doing so far. So first of all, we have to type the programme name, which is Rever. Then I'm going to do BSSID to give it the Mac address of my target network. So I'm just going to paste it. Then I'm going to do channel and give it the channel of the target network, which is one. Then we're going to do interface and give it my wireless adapter in monitor mode, which is 10. So a very, very simple command We're using reverb. This is the name of the programme that will do the brute-forcing for us and give us the key. We're giving it the BSSID, theMac address of my target. We're doing channel to give it the channel that my target is running on, and we're doing interface to give it the name of my wireless adapter in monitor mode. I'm also going to add two more options. I'm going to add VV to show us as much information as possible. This is really helpful. If it fails or things go wrong, we'll be able to know what's happening and why things are going wrong. And I'm also going to do "no associate" to tell Reaver not to associate with the target network because we're already manually doing that in here. So Rever can automatically do this stuff right here for you. But I've seen that it fails a lot. Therefore, it's actually better to do it manually here and then tell Rever not to associate. So now I'm going to hit Enter to get River to work, and I'm going to go up to the top terminal and I'm going to hit Enter to associate with the target network. Tell us, please don't ignore us. So that Rever at the bottom here can brute-force the pin and try every possible pin until we get the correct pin. which we'll use to get the password. Now, as you can see right now, I'm getting an error, and this is actually a bug with the latest versions of Reverb. So if you get this bug, this means they still haven't fixed it in the latest version. So it's better to go back and use an older version. I'm going to include an older version that works perfectly in the resources of this lecture, so you can access it from the top left of the lecture. If you tried Rever and got this error right here, then go ahead and download this older version right now. I already have it in my downloads, right here. So you can see I'm in Home Downloads, and I have it right here called Reverb. So what I'm going to do is I'm going to clear this again, and I'm going to navigate to my downloads. So for CD downloads, I'm going to list them, and you can see we have them right here. Now it's already in green for me, but for you, you'd want to change the permissions of this file to executable. As a result, you must perform mod plus x Rever. This will make it an executable. You can run it once it is an executable by doing a forward slash followed by its name. So, Rever, then you can do the exact same command exactly like I just did it with the one that comes preinstalled in Kali. So I'm actually just going to go back to what I had, and I'm just going to go to the start of the command and put a forward slash. When we use the forward slash, we are essentially running the file in the current working directory. We're using this instead of the standardReverb file that comes with Kali. Then we're using all of the options exactly the same way that we were using it with the built-in one. I'm going to hit Enter. And as you can see right now, Reverb is trying the pin 123-4567, which is perfect. You can see the pin was actually 123-45670. So it's a simple pin. It actually came with this pin. So I didn't manually set this pin. My router came from the factory with WPS enabled with this pin. So like I said, this still works. But again, not against all routers. From that, it was able to discover the WPA key, which is UAU RWS XR. And the name of the router is AP. So I can literally go ahead and connect with this password, and I'll be able to connect to the network and see and decrypt all of the packets sent.

3. Capturing The Handshake

Now, if WPS is disabled on your target network or if it's enabled but configured to use pushbutton or PVC, then the method that I showed you in the previous lecture will not work. Therefore, you will have to go and crack the actual WPA or WPA 2 encryption. And like I said, when these encryptions were designed, the developers knew about the weaknesses in WEP, and they made sure that they properly fixed these weaknesses. They actually did a pretty good job at this. Therefore, we cannot use the same method used in Weep to crack WPA and WPA Two. So in WPA 2, the keys are unique. They're temporary. They're much longer than they were in WEP. Therefore, the packets sent into the air contain no information that is useful for us. So it doesn't matter. Even if we capture 1 million packets, we can't use them to crack the key. The only packets that contain useful information are the handshake packets. These are four packets transferred between a client and router when the client connects to the network. So in this lecture, I'm going to show you how to capture these packets, and in the next lectures, we'll see how to use them to crack the WPA or WPA Two key. First of all, as usual, you'd want to run Arrow dumped against all the networks around you. I've already done that. And as you can see, this is my target right here. It's using WPA 2. And this is the Mac address. I'm going to copy it. And the first thing we'll do is run Arrow dump Ngon on this network and save the data in a file exactly like we did with Weep. So we're just going to do an Arrow dump on the BSSID and give it the BSSID of my target channel and the channel of my target, which is one way to specify a file name to store all the data that we're going to capture in. And let's call this the WPA handshake, because we're going to capture the handshake. And finally, we're going to put my wireless adapter in monitor mode, which is 10. So a very simple command We've done this multiple times by now. We're using Arrow Dump NG. We're giving it the MAC address of my target. Following the BSSID, I'm specifying the channel of the target I'm using to store all the data in a file. This file will contain everything that we capture. So if we capture the handshake, it will be in this file. And finally, I'm giving it the name of my wireless adapter in Monitor Mode. So now I'm going to hit Enter. And as you can see, Aerodomp is working against my target network. And right now, all we have to do is literally sit down and wait for the handshake to be captured. Like I said, the handshake is sent when a client connects to the network. So we'll literally have to sit down and wait until a new client connects to the network. Once a new client connects, we will capture the handshake, and you will see in the error message that the handshake has been captured. Alternatively, we can use something that we learned before, which is a deauthentication attack. We know that using that attack, we can disconnect a client from the network. So we can do this for a very short period of time. We can disconnect this client from the network. He will automatically connect once we stop the attack. Therefore, when he automatically connects, the handshake will be sent in the air and we will be able to capture it. This way, we will not have to sit down and wait for someone to voluntarily connect to the network. So we saw how to do this before, and it's going to be exactly the same command as we did it before. We used AirPlay. We did, Dauth Then we specified a really large number of packets to keep the client disconnected for a long period of time. This time, I'm going to set this task to only send the authentication packets. This way, my client will be disconnected for a very short period of time. They won't even feel that they got disconnected, but this is enough for the handshake to be sent. Because they will be disconnected, they will automatically connect. And when they do that, we will capture the handshake. Now, the next argument we want to set is the Mac address of my target. So we're going to do dasha, followed by the Mac address of my target. Then we're going to do "dash C," followed by the Mac address of the client that we want to disconnect. So it's this client right here. I'm going to copy-paste it here. And finally, we're going to give it the name of my wireless adapter in Monitor Mode, which is 10. And we are done. Again, I've spent a full lecture on this command explaining what the authentication attack is. So if it's a bit confusing, please go back and revise that lecture. Basically, all we're doing is using AirPlay N to run a deauthentication attack to disconnect this device for a very short period of time. That's why I'm only putting this at number four. Then I'm using dash A to specify the Macaddress of my target, and c to specify the Macaddress of the client connected to this network. And then I'm giving it my wireless adapter in Monitor Mode. Now I'm going to hit Enter and keep an eye on this side right here. You'll see that the handshake will be captured here. So we're going to hit Enter. The authentication packets are being sent and perfected. As you can see, once the client connected again, we received the handshake. So now we can click the arrow to dump NG. So Controlc, because we have the handshake now, it is stored in the file that we set after the right option, which is called WPA handshake. And in the next lecture, I'll show you how this handshake can be used to get the key for the network.

4. Creating a Wordlist

From the previous lectures, we learned that when it comes to WPA and WPA 2, the only packets that contain some information that can help us crack the key are the handshake packets. And in the last lecture, we learned how to capture the handshake and store it in a file. Now the handshake does not contain any information that can help us to recover or recalculate the WPA key. The information in it can only be used to check whether a password is valid or not. Therefore, what we're going to do is create a wordlist, which is basically a big text file that contains a large number of passwords. Then go through this file, go through the passwords one by one, and use them with the handshake in order to check whether this password is valid or not. You can get ready-made wordlists from the internet, but in this lecture, I'll show you how to make your own. And in the next lecture, I'm going to explain to you how the word list and the handshake are used in order to recover the password, and we'll see how to do that in practice. So in this lecture, we're going to learn how you create your onward list using a tool called Crunch. This is a really handy skill to have under your belt if you want to be a penetration tester because you're going to face a lot of scenarios where a wordlist attack can become very handy. So using the tool is very simple. All you have to do is just enter the name of the tool, and then you specify the minimum number of characters for the passwords to be generated. Then we're going to specify the maximum number of characters for the password. Then you specify the characters that you want to generate passwords from. For example, you can put all lowercase characters, all uppercase characters, numbers, digits, or you can just specify a smaller number to make the word list smaller. Option T, which is optional, can also be used to provide a pattern. So, for example, let's say that you are looking at the person while they are typing their password and you see that the password will start with an A. So you can tell Crunch that the password will start with an A and then give me all possible combinations of passwords that start with an A. And after that, we use the minus o option to specify the file name where the passwords are going to be stored. So we have a small little example here that will generate a list of passwords that contain characters that start from six characters to eight characters and contain these characters right here. So it's going to create combinations of one, two, three, ABC, and the dollar sign, and it's going to store it in a file called Wordlist. And these passwords are going to start with an A and end with a B, and it will generate passwords based on all possible combinations between the A and the B. So all of the generated passwords will always start with A and end with B. So let's have an example of the tool. Now the tool actually has a lot more options other than what we've seen so far. So if you just type in "Man Crunch," you'll see all the options that you can set and a detailed description of all of these options. So it's actually really, really good. You can go ahead and take some time to get familiar with the tool. Now I'm going to show you the example, and based on the example, you'll be able to run all of these commands. But if you want to run or create some advanced wordlists, then I highly recommend that you go over this. One of the really cool options that I want to highlight is the minus P option. The minus p option tells Crunch to generate passwords that don't have repeating characters. For example, when you specify all lowercase characters, you specify ABCD. It will start by generating passwords made of AAA and then A, then ABBB, and all of that. So when you do this, Crunch will actually ignore these types of passwords, and it will only create passwords that don't have any repeating characters, which will reduce the size of the wordlist from the number of characters to the power of the length to the number of characters factorial. If you scroll down, you'll actually seemore examples of commands and the typeof word lists that will be created. So again, you can have a look at these and get yourself familiar with them. Once you're done looking at the man, you can just press Q and you'll be out of it. And we're going to run our command here. So we're going to use Crunch, and I want to generate passwords of a minimum of six characters and a maximum of eight characters. And I want them to contain combinations of ABC and, let's say, the digits one and two. Now in here you can actually keep listing things. You can list characters; you can list uppercase characters or even symbols if you want to. Once you're done with listing the characters, we're going to specify the file to save it to, and we're going to save it in a file called Test TXT. So the command is very simple. It's crunch time: the minimum length of the password, the maximum length of the password, followed by the characters that we want to use to generate passwords from, and then the file that the passwords are going to be stored in. I'm going to hit Enter. And as you can see now it's tellingus that it generated 448,000 passwords approximately, andthey're all stored in a file called test. TXT. Now the size of the file is four megabytes. And now I can open this file by doing cat tests. TXT. And as you can see now, we can see all the passwords that have been generated. I'm going to control C out of it because it's a huge file and, as you can see, it actually contains all possible combinations of ABC. Twelve. I also want to show you anexample of using the T option. So I'm going to set this to only six or six. So it's only six characters. And we're going to use the minusT option, which is the pattern option. And I'm going to tell it that I want the password to always start with an A. And then I want you to fill in all possible combinations of characters between the A and the B. So I want passwords that start with an A and end with a B. And in the middle, at the add sign, you can fill in all possible combinations of ABC. One, two again, and hit enter. As you can see now, the number of passwords is much lower. It's only 625 passwords because I've narrowed down the possibilities of passwords again. If I do a CAT test on TXT, you'll see that I have all the passwords right here. So this is it. tool is really useful. can be used in many scenarios. I highly recommend that you spend some time with it and also have a look at some of the existing worklists out there on the Internet.

5. Cracking WPA & WPA2 Using a Wordlist Attack

Now, from the previous lectures we learned, in order to crack WPA or WPA 2, we need to first capture the handshake and, second, have a wordlist that contains a number of passwords that we're going to try, and hopefully one of them will be the password for the target network. So right now, I have both of these components, and we are ready to go and crack the password. To do this, Aircrack-NG is going to unpack the handshake and extract the useful information. The mic right here, or the message integrity code, is what's used by the access point to verify whether a password is correct or not. So it's going to separate this and put it to the side, and then it's going to use all of the other information right here, combined with the first password from the word list, to generate another MIC, or message integrity code. And then it's going to compare this mic to the one that's already in the handshake. If the microphone generated using this information plus the first password is the same, then the password used to generate this microphone is the password for the network. Otherwise, this password is wrong, and it will move to the next password again. It will do the same. It will use all of this information, combined with this password, to generate a new MIT. Compare this new MIT to the one that's already in the handshake. If it's correct, then this is the password. If it's not, then it's going to move on to the next password. And it will keep doing this through all of the passwords in my wordlist. If any of them generate the right mic, then this is the password for the network. Otherwise, we won't be able to get the password. That's why the success of this attack really depends on your wordlist. So let's see how to do this in practice. Right now, I have my wordlist right here. It's called Test TXT, and I've actually manually added my password to the end of the list right here, just so that when I run the wordlist against the handshake, I will actually find the password because the wordlist did not contain my password by default. I also have the handshake file right here, as you can see. And all of this is in myhome directory, which is my root directory. So if I do LS in here, you'll see I have the wordlist and the handshake file. So we're ready to run aircraft No. So we're going to type the name of the programme as usual, followed by the name of my capture file, which is WPA handshake one, cap. So far, it's identical to the way that we used to use it with Weep. The only difference right now is that, because this is a WPA 2-network, we have to specify a wordlist with the W often, and the name of my wordlist is Test TXT. so very, very simple. Aircrack is the name of my program, and WPA Handshake One Cap is the name of the file that contained my handshake. And I'm using W to specify my wordlist file. I'm going to hit Enter. And as you can see now, Aircraft ng is running through the word list, testing each word in the word list one by one as shown in this diagram, and calculating an MIC based on this information and the word list. And then if the MI C is correct, it's going to tell me that this is the password. Now, the speed of this depends on your processor and the size of your Wordlist file. So if you have a huge file, obviously it will take you a longer time. There are also online services that you can try where you upload the handshake, and they have huge word lists and supercomputers to run through these word lists and try to give you the password. Unfortunately, I can't share their links with you, but you can easily find them on Google if you search for them. And perfect. As you can see, we managed to find the key, the Selma. The key is found, and this is the key to the network. And this is the correct key because, as you know, this is the same key that we got when we exploited the WPS feature. So now we can go ahead and connect to the network, and we'll be able to run all of the cool stuff that I'm going to teach you in the post-connection attack section. Now, this is the only practical way known so far to crack WPA and WPA 2 keys. There are methods to speed up this process. So you can use the GPU for cracking because it's much faster than the CPU. That's if you have a GPU. You can also use rainbow tables. You can also pipe the wordlist to aircrack Ng as it is being created in crunch. This way, you can create bigger wordlists without using any storage on your computer. There are also methods by which you can pause your cracking process and then come back after a while without losing your progress. But the main idea is the same. The only way right now to crack WPA and WPA Two is through a wordlist attack. You can use social engineering, however, to get the password using an evil twin attack where you trick one of the users into giving it to you the password.This is actually all covered in my Advanced Network Hacking course: the cracking, using the GPUpipe and crunching to Aircrack NG, getting the password using an evil twin attack, and much more advanced network hacking techniques. If you're interested in that, then I highly recommend you have a look at my Advanced Network Hacking course. Check out the bonus lecture for this course. the last lecture of this course. It contains links to all of my other courses and the comparison between them.

ExamCollection provides the complete prep materials in vce files format which include ECCouncil CEH certification exam dumps, practice test questions and answers, video training course and study guide which help the exam candidates to pass the exams quickly. Fast updates to ECCouncil CEH certification exam dumps, practice test questions and accurate answers vce verified by industry experts are taken from the latest pool of questions.