WPA/WPA2 Cracking Attacks (Explained)

What is WPA/WPA2?

WPA stands for Wi-Fi Protected Access. It is a security standard for wireless networks that provides stronger data encryption and better user authentication. The WPA protocols are developed by the Wi-Fi Alliance. WPA was created to cover the serious weaknesses of WEP (Wired Equivalent Privacy) encryption, and it provides much more security than WEP.

Difference between WPA and WPA2

WPA and WPA2 are very similar. The only difference between them is the encryption used to protect the data and ensure message integrity: WPA uses RC4 and adds TKIP for extra security, while WPA2 uses the standard AES cipher with CCMP. In either case, the encryption standard does not affect the method used to crack WPA and WPA2. Both came after WEP, which is far easier to crack than WPA/WPA2.

How does WPA/WPA2 Cracking work?

Method 1: Brute-forcing WPS

This method only works when WPS is enabled. WPS stands for Wi-Fi Protected Setup, a feature that makes connecting wireless devices to the router easier and quicker. It works on networks protected with WPA/WPA2, and it uses an eight-digit PIN for faster authentication. Every router with WPS enabled has a unique, auto-generated eight-digit PIN that users cannot change. Devices can join the network with this PIN instead of the password.

An attacker can take advantage of this feature. Because an eight-digit PIN is a small keyspace, the attacker can try every PIN in a short period of time; this way of exploiting WPS is called brute-forcing. Once found, the WPS PIN can be used to recover the actual network password. Various tools, such as reaver, are available on the internet for this kind of brute-forcing.

Method 2: Capturing the Handshake

An attacker can use this method when WPS is disabled. Unlike with WEP, ordinary packets captured from the air are useless for cracking WPA/WPA2 because of the encryption; even millions of captured packets do not help. The attacker can, however, capture the handshake and use it to crack the key. Handshake packets are the only packets that aid the cracking process, and they can only be captured when an authenticated device connects to the network.

The attack proceeds in the following steps.

1. The attacker disconnects an authenticated user for a short period of time.

2. The attacker captures the handshake as soon as the device reconnects to the network.

3. The attacker builds a wordlist (dictionary) of all candidate passwords.

4. The attacker then cracks the key using a wordlist attack.

The handshake is called the ‘4-way handshake’. Capturing it can be quite difficult: the attacker might have to wait for days for a device to connect. In a wordlist attack, the attacker checks the captured handshake file against every password in the wordlist. So if the password is not in the wordlist, the attacker will not be able to find it.
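What "checking the handshake against the wordlist" means in practice is that each candidate passphrase is run through the key derivation the standard defines, and the handshake only lets the attacker verify the result offline. The following added example (not code from the original article) shows that derivation: WPA-Personal turns the passphrase into a 256-bit pairwise master key (PMK) with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt. Two defensive points fall out of it: the SSID salts the result, so a non-default network name defeats tables precomputed for common SSIDs, and every guess costs 4096 HMAC rounds, so a passphrase that is long and absent from wordlists is what actually stops the attack. The sample passphrase and SSID values in the `__main__` block are constructed, except the published IEEE 802.11 test vector ("password" / "IEEE").

```python
"""Derive the WPA/WPA2 pairwise master key (PMK) from a passphrase.

Added illustration, not code from the original article. WPA-Personal maps
the passphrase to the PMK with PBKDF2-HMAC-SHA1 using the SSID as salt and
4096 iterations (IEEE 802.11). A wordlist attack is this derivation run
once per candidate, with the captured handshake used only to verify it.
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11 standard for WPA-Personal
PMK_LENGTH = 32            # bytes (256 bits)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-Personal passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH,
    )


def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs.

    This is why precomputed PMK tables only help against the SSID they were
    built for: renaming the network from the factory default invalidates them.
    """
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def guesses_per_second(sample: int = 20) -> float:
    """Measure single-threaded derivations per second on this host.

    Makes the per-guess cost of 4096 HMAC-SHA1 rounds concrete; GPU crackers
    are orders of magnitude faster, which is why passphrase length matters.
    The guess strings below are constructed for the measurement.
    """
    start = time.perf_counter()
    for i in range(sample):
        derive_pmk(f"constructed-guess-{i:04d}", "ConstructedSSID")
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # Test vector from the IEEE 802.11 standard: passphrase "password", SSID "IEEE".
    print("PMK:", derive_pmk("password", "IEEE").hex())
    print("Renaming the SSID changes the PMK:", ssid_changes_pmk("password", "IEEE", "ieee"))
    print(f"~{guesses_per_second():.0f} guesses/s single-threaded on this CPU")
```

The takeaway for someone hardening a network is in the two helpers: the salt makes the attack per-network, and the iteration count makes each guess expensive, but neither helps if the passphrase itself is in a wordlist.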

Method 3: PMKID Attack

For years, WPA/WPA2 cracking meant kicking an authenticated device off the network and waiting for it to reconnect so that the handshake could be captured and cracked. A newer attack based on the PMKID lets the attacker crack the network even when no device is connected.

The PMKID is a robust security element carried in some frames that wireless networks include by default. Whether the attack applies depends on whether the manufacturer's equipment includes the PMKID in those frames. Where it does, the attack extends WPA/WPA2 brute-forcing to networks that have no devices connected, because only a single part of the 4-way message exchange is needed to attack the network.

In this attack, the attacker captures a single frame and uses it to brute-force the password. This is better for the attacker than the handshake method because there is no need to send the conspicuous de-authentication frames that disconnect an authenticated device from the network.

Instead, the attacker can directly capture frames carrying the PMKID without making the users of the other devices suspicious.
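The de-authentication frames that Method 2 relies on and that Method 3 avoids are exactly what a wireless intrusion detection system looks for. As an added example (not code from the original article), the script below runs simple burst detection over a management-frame log. The log format, one frame per line with `type`, `subtype`, `bssid`, `dst` and `reason` fields, is constructed for this example and is not any real tool's output; the sample log, MAC addresses and the threshold of eight frames in ten seconds are likewise constructed values. A single deauthentication is normal (a client leaving, an access point rebooting); a burst aimed at one client from one BSSID is the noisy part of the handshake-capture attack.

```python
"""Flag deauthentication bursts in an 802.11 management-frame log.

Added example, not code from the original article. The line format and
sample log are constructed; the MAC addresses use the locally administered
02: prefix and belong to no real device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> type=mgmt subtype=<name> bssid=<mac> [dst=<mac>] [reason=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) type=mgmt subtype=(?P<subtype>\w+) bssid=(?P<bssid>[0-9a-f:]{17})"
    r"(?: dst=(?P<dst>[0-9a-f:]{17}))?(?: reason=(?P<reason>\d+))?$"
)

# Constructed sample: one ordinary disconnect at 12:00, then a burst of twelve
# deauthentication frames to a single client within three seconds at 12:05.
_BURST = "\n".join(
    f"2024-05-01T12:05:{10 + i * 0.25:06.3f} type=mgmt subtype=deauth "
    f"bssid=02:00:00:aa:bb:cc dst=02:00:00:11:22:33 reason=7"
    for i in range(12)
)
SAMPLE_LOG = f"""\
2024-05-01T12:00:00.100 type=mgmt subtype=beacon bssid=02:00:00:aa:bb:cc
2024-05-01T12:00:01.250 type=mgmt subtype=deauth bssid=02:00:00:aa:bb:cc dst=02:00:00:11:22:33 reason=3
2024-05-01T12:00:02.000 type=mgmt subtype=assoc_resp bssid=02:00:00:aa:bb:cc dst=02:00:00:44:55:66
{_BURST}
2024-05-01T12:05:14.000 type=mgmt subtype=beacon bssid=02:00:00:aa:bb:cc
"""


def parse_frames(log_text: str) -> list:
    """Parse log lines into dicts; unparseable lines are skipped, not fatal."""
    frames = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        frame = match.groupdict()
        frame["ts"] = datetime.fromisoformat(frame["ts"])
        frames.append(frame)
    return frames


def detect_deauth_bursts(frames: list, threshold: int = 8, window_seconds: float = 10.0) -> list:
    """Return one alert per (bssid, target) whose deauth count within a
    sliding window reaches the threshold.

    A single deauth is normal traffic; the alert fires on volume, which is
    what distinguishes a forced disconnect from a client simply leaving.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (bssid, target) -> timestamps inside the window
    alerted = set()
    alerts = []
    for frame in sorted(frames, key=lambda f: f["ts"]):
        if frame["subtype"] != "deauth":
            continue
        key = (frame["bssid"], frame["dst"] or "unknown")
        times = recent[key]
        times.append(frame["ts"])
        while times and frame["ts"] - times[0] > window:
            times.popleft()   # drop frames that fell out of the window
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": key[0],
                "target": key[1],
                "count": len(times),
                "first": times[0],
                "last": times[-1],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(parse_frames(SAMPLE_LOG)):
        span = (alert["last"] - alert["first"]).total_seconds()
        print(f"deauth burst: {alert['count']} frames from {alert['bssid']} "
              f"to {alert['target']} within {span:.2f}s starting {alert['first'].isoformat()}")
```

The threshold and window are tuning knobs: an access point that legitimately disconnects clients in bulk (for example on a firmware update) will trip a low threshold, so in practice the values are set from a baseline of the network's own traffic. The earlier lone deauth at 12:00 falls outside the window and correctly produces no alert.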
