WIFI wpa1/2 Crack for Windows

Source: Internet
Author: User
Tags: hmac, kali linux, bssid

0x00 Preface

At present, WiFi WPA cracking is dominated by aircrack-ng running on Linux systems (such as Kali Linux); tooling for Windows is relatively rare, mainly because sending and receiving raw 802.11 frames through a WiFi NIC on Windows is harder, and there is no open-source driver code for mainstream WiFi network cards to consult. The usual WPA cracking workflow is therefore to first capture the WPA four-way handshake on a Linux machine (or a Linux virtual machine) and then crack it under Windows with password-dictionary software such as ElcomSoft Wireless Security Auditor.

0x01 WiFi Protocol Basics
    • AP (Access Point): a WiFi hotspot, usually a WiFi routing device
    • SSID (Service Set Identity): the name of the AP, consisting of 0-32 characters
    • BSSID (Basic Service Set Identity): the basic service set identifier, usually the MAC address of the AP
    • STA (Station): a client connected to the AP
    • DS (Distribution System): multiple APs can form a distributed wireless system
    • DA: destination MAC address
    • SA: source MAC address
    • WiFi data frame: a WiFi data frame is divided into the physical layer, the MAC layer and the data layer. The physical layer is usually handled by the hardware, so in practice only the MAC (Media Access Control) and LLC (Logical Link Control) layers need to be considered. The frame layout is as follows:

The MPDU is the MAC-layer protocol header; the fields used most often are Frame Control and Addr1, Addr2 and Addr3.

    • ToDS/FromDS: specify the MPDU address format, which is set as follows.

The MPDU header length in the WiFi protocol is not fixed; it is variable.

Type/Subtype: specify the format of the frame body that follows. Type (2 bits) gives the frame type, and Subtype (4 bits) further specifies the exact format of the data.

    • Type 00: management frame
    • Type 01: control frame
    • Type 10: data frame
    • Type 11: reserved

WPA cracking mainly uses WiFi management frames and data frames; the management frame subtypes are shown in the following table:

Before a STA can log in to an AP, it must first exchange a series of management frames with the AP to establish a link; only then does it log in and enable encryption. WiFi management frames are not encrypted. The process is as follows:

No.  Subtype  Description
1    8        Beacon: the STA receives the AP's beacon frame, discovers the AP and obtains its SSID and parameters
2    4        Probe Request: the STA actively sends a probe request
3    5        Probe Response: the AP answers the STA's probe
4    11       Authentication: the STA sends an authentication request
5    11       Authentication: the AP answers, indicating whether STA authentication succeeded or failed
6             Association Request: the STA sends an association request
7    1        Association Response: the AP answers the association request

Once the STA has completed the above process, data frames can be exchanged between the STA and the AP, and the subsequent WPA user authentication takes place over them.

0x02 WPA password cracking principle

WPA-PSK (WPA Personal) uses the EAPOL (Extensible Authentication Protocol over LAN) protocol to process the user's login credentials after the STA and AP have established a link. It consists of a four-way handshake, as follows.

The AP first sends a 32-byte random number, the ANonce, to the STA (in practice it is an incrementing counter). After receiving it, the STA generates its own 32-byte random number, the SNonce, and computes a PTK (Pairwise Transient Key) from the two nonces and the login password. The calculation is as follows:

1. PMK = PBKDF2(HMAC-SHA1, PWD, SSID, 4096, 256)

First, the PBKDF2 (Password-Based Key Derivation Function 2) algorithm generates a 32-byte PMK. The algorithm runs 4096*2 rounds, which is where most of the computation in WPA cracking is spent; in addition, using the SSID (0-32 characters) as the salt makes pre-computation with a rainbow table difficult.

2. PTK = PRF-512(PMK, "Pairwise key expansion", Min(AP_MAC, STA_MAC) || Max(AP_MAC, STA_MAC) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

The PTK is generated with the PRF-512 (pseudo-random function, 512 bits) algorithm from six inputs: the PMK, the fixed string, AP_MAC, STA_MAC, ANonce and SNonce; the output is a 64-byte PTK.

The PTK consists of 5 parts, as follows:

For WPA1 (TKIP) the PTK is 512 bits long; for WPA2 (CCMP) it is 384 bits. The KCK is used to compute the MIC of WPA EAPOL-Key messages; the AP uses the KEK to encrypt the additional key data carried in WPA EAPOL-Key messages; the TK is used for unicast data encryption.

The most critical part of WPA cracking is computing the MIC with the KCK, which uses the following algorithm:

WPA MIC  = HMAC-MD5(KCK, eapol_data, eapol_size)              (key descriptor version 1, TKIP)
WPA2 MIC = HMAC-SHA1(KCK, eapol_data, eapol_size)[0:16]       (key descriptor version 2, CCMP)

The WPA cracking process is summarized as follows:

No.  Description
1    Capture the 4-way handshake; in fact only the first two messages are needed
2    Compute the PMK from each password in the dictionary
3    Compute the PTK from the PMK, ANonce, SNonce, MAC1 and MAC2
4    Derive the KCK from the PTK and compute the MIC of the 2nd EAPOL message
5    The password is correct when the computed MIC matches the MIC carried in the 2nd EAPOL message
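
The key hierarchy above (PMK, PTK, KCK, EAPOL-Key MIC) as an added, self-contained example; it is not code from the original article or from aircrack-ng. The "password"/"IEEE" pair is the PBKDF2 test vector from the IEEE 802.11 standard's annex; the MAC addresses, nonces and the message-2 frame are constructed here. The MIC digest follows the standard's key descriptor versions (version 1, WPA/TKIP: HMAC-MD5; version 2, WPA2/CCMP: HMAC-SHA1 truncated to 16 bytes), and `mic_matches` is the same check a supplicant or authenticator performs on its peer's message.

```python
import hashlib
import hmac

# Constructed sample values (not a real capture). "password"/"IEEE" is the PBKDF2
# test vector from the IEEE 802.11 annex; the MACs and nonces are made up.
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, tkip=False):
    """PTK = PRF-512 (TKIP, 64 bytes) or PRF-384 (CCMP, 48 bytes) over the ordered MACs and nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)


def split_ptk(ptk):
    """First three PTK parts; TKIP appends two 8-byte Michael MIC keys after the TK."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, eapol_frame, wpa2=True):
    """MIC over the whole EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed.
    Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes; version 1 (WPA/TKIP): HMAC-MD5."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, zeroed, digest).digest()[:16]


def mic_matches(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, wpa2=True):
    """The check a supplicant or authenticator performs on the peer's EAPOL-Key message:
    derive the KCK from the passphrase and compare the recomputed MIC with the carried one."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = split_ptk(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, tkip=not wpa2))["kck"]
    return hmac.compare_digest(eapol_mic(kck, eapol_frame, wpa2), eapol_frame[81:97])


def build_m2(snonce, mic=b"\x00" * 16):
    """Constructed WPA2 handshake message 2: EAPOL v2, type 3 (Key), RSN descriptor (2),
    Key Info 0x010a (pairwise + MIC), key length 16, replay counter 1, empty key data."""
    body = (bytes([2]) + (0x010A).to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + mic + b"\x00\x00")
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def sample_frame():
    """Message 2 carrying the MIC that the correct passphrase produces."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    kck = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))["kck"]
    return build_m2(SNONCE, eapol_mic(kck, build_m2(SNONCE)))


if __name__ == "__main__":
    frame = sample_frame()
    print("PMK:", pmk_from_passphrase(PASSPHRASE, SSID).hex())
    print("correct passphrase:", mic_matches(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame))
    print("wrong passphrase:  ", mic_matches("passw0rd", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame))
```

Every candidate passphrase costs one full PBKDF2 run (4096 iterations of HMAC-SHA1 per output block, two blocks for 256 bits) before a single cheap MIC comparison, and the SSID salt means the PMK table cannot be shared across networks with different names; this is why the work in step 2 of the table dominates and why a long, non-dictionary passphrase is the effective mitigation.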
0x03 Windows WiFi Packet Transceiver

Currently the most mature WiFi packet transceiver software on Windows is CommView for WiFi. It is commercial software, compatible with many network cards and rich in features. Its BMD directory contains a fairly general WiFi capture driver. Combined with information gathered from the Internet, it turned out that the Windows NDIS 6 framework can implement WiFi packet sending and receiving, so an NDIS 6 filter driver was chosen to send and receive WiFi packets.

Debugging and development environment

The setup is VirtualBox + VirtualKD + WinDbg + an RTL8187 USB WiFi card, with Windows 7 x86 as the target system. Note that VirtualBox needs the VirtualBox Extension Pack installed; otherwise the host's USB adapter cannot be passed through to the virtual machine for debugging. The build environment is the Windows WDK 7600. The filter and usbnwifi sample sources in the WDK are very useful references: filter is the NDIS 6 filter driver sample, and usbnwifi is a reference USB WiFi card driver. In the absence of the actual USB card driver source, it gives a general understanding of how the underlying network card is implemented.

WiFi Data sniffing

Under the NDIS 6 framework, the underlying NIC driver ultimately delivers received packets by calling NdisMIndicateReceiveNetBufferLists to indicate them to the upper-level NDIS driver. The function is called as follows:

The function is called from three main places: MpHandleRawReceiveInterrupt, MpHandleDefaultReceiveInterrupt and MpHandleSafeModeReceiveInterrupt. The first two are the focus here; the MpAdjustReceiveHandler function contains the following initialization code:

Clearly these two functions are the WiFi NIC's receive handlers for different NIC modes; for WiFi cracking the NIC must be set to monitor mode.

MpAdjustReceiveHandler is called from MpSetCurrentOperationMode, in the MpSetInformation function:

OID_DOT11_CURRENT_OPERATION_MODE is the standard NDIS WiFi OID request used to set the operating mode of the WiFi NIC; the defined modes are:

To sum up, the receive path for WiFi cracking is: first set the network card to monitor mode (promiscuous mode), then process the raw received packets in a filter driver above the NIC driver. Usually the packets are first placed in a temporary queue, and the application layer reads the queue through an IOCTL, implementing WiFi packet sniffing.

WiFi Data sending

An NDIS miniport driver registers itself through NdisMRegisterMiniportDriver, registering its NDIS send function at the same time.

The send function first checks the state of the network card; if the state is not suitable, it does not go on to send the packet. The check is as follows:

The MP_ADAPTER_CANNOT_SEND_PACKETS macro is defined as follows:

The MP_ADAPTER_CANNOT_SEND_MASK mask is defined as follows:

Note the highlighted section: Microsoft's NDIS USB WiFi sample driver clearly does not allow sending in monitor mode by default. Given the authority of the WDK sample code, there is reason to believe that USB WiFi drivers derived from the WDK template cannot send packets in monitor mode either. This is a big problem that WiFi cracking on Windows has to face.

Since the official driver cannot send in monitor mode, the only option is to do it yourself: apply a simple patch to the official driver by finding the key check and patching it manually. Of course, the actual vendor driver may differ, and more debugging and testing is needed.

To sum up, the send path for WiFi cracking is: first find a network card and driver that can send in monitor mode (the driver shipped with CommView for WiFi should be able to), or manually patch the official driver; then the application layer writes raw WiFi data to the filter driver through an IOCTL, the filter driver constructs a NET_BUFFER_LIST, and finally NdisFSendNetBufferLists is used to send the data to the underlying WiFi NIC driver.

0x04 WPA cracking process

WPA cracking is divided into the following steps: first, turn on the network card's sniffing mode to capture the surrounding WiFi packets; second, analyze the distribution of the surrounding APs and STAs in preparation for the Deauth attack; third, carry out the Deauth attack; fourth, capture the EAPOL handshake packets.

Turn on network card sniffing

NDIS 6 sets the operating mode of the network card through OID_DOT11_CURRENT_OPERATION_MODE, so the mode can be set by sending this OID directly through the driver. The parameter structure for the OID is DOT11_CURRENT_OPERATION_MODE, defined as follows:

There is a problem with sending the OID directly from the kernel: the Windows WiFi application layer is not notified immediately, so after sniffing mode has been set the Windows application layer may still try to connect to a network. CommView does not have this problem.

After analyzing the CommView driver, it was found that CommView does not set the mode in the driver; instead its application-layer Ca2k.dll calls the WLAN API to set monitor mode.

The opcode passed to WlanSetInterface is 12, corresponding to wlan_intf_opcode_current_operation_mode (12). The code is as follows:

AP/STA detection

WPA cracking requires the AP's SSID and MAC address. AP detection is mainly done through beacon frames and probe response frames, as follows:

The WiFi beacon frame format is as follows:

DOT11_MGMT_HEADER | DOT11_BEACON_FRAME | DOT11_INFO_ELEMENT | INFO | ...

DOT11_MGMT_HEADER and DOT11_BEACON_FRAME are fixed-size; the AP's MAC address is obtained from DOT11_MGMT_HEADER. The fixed header is followed by a list of DOT11_INFO_ELEMENT structures, defined as follows:

The elements must be traversed by ElementID in turn to obtain the AP's properties. Some commonly used IDs are defined as follows:

They correspond to the AP's SSID, current channel, WPA2 parameters, and so on.

STA detection is mainly done through data frames. WPA cracking currently only needs the STA's MAC address: according to the FromDS/ToDS bits of each data frame, parse the packet's MAC addresses to collect the addresses of STAs that are communicating online, as follows:
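The beacon element walk and the ToDS/FromDS address mapping described above (and the address-format table in section 0x01), as an added example that is not code from the original article. The element IDs (0 = SSID, 3 = DS Parameter Set carrying the channel, 48 = RSN) and the ToDS/FromDS address table are taken from the IEEE 802.11 standard, since the article's own tables did not survive extraction; the frames are constructed here, not captured.

```python
import struct

# Element IDs from IEEE 802.11 (the article's ID table is missing; these are the standard values)
EID_SSID = 0
EID_DS_PARAMS = 3     # body is one byte: the current channel
EID_RSN = 48          # WPA2 parameters

MGMT_HEADER_LEN = 24  # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctl(2)
BEACON_FIXED_LEN = 12 # timestamp(8) beacon interval(2) capability(2)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def frame_type_subtype(frame):
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


def parse_beacon(frame):
    """BSSID, SSID, channel and RSN presence of a beacon, walking the tagged elements."""
    if frame_type_subtype(frame) != (0, 8):
        raise ValueError("not a beacon frame")
    info = {"bssid": mac_str(frame[16:22]), "ssid": None, "channel": None, "rsn": False}
    pos = MGMT_HEADER_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break  # truncated element: stop instead of reading past the frame
        if eid == EID_SSID:
            info["ssid"] = body.decode("utf-8", errors="replace")
        elif eid == EID_DS_PARAMS and elen == 1:
            info["channel"] = body[0]
        elif eid == EID_RSN:
            info["rsn"] = True
        pos += 2 + elen
    return info


def data_frame_addresses(frame):
    """Map Addr1/Addr2/Addr3(/Addr4) to DA/SA/BSSID according to the ToDS/FromDS bits."""
    if frame_type_subtype(frame)[0] != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    a1, a2, a3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    if not to_ds and not from_ds:
        return {"da": a1, "sa": a2, "bssid": a3}
    if from_ds and not to_ds:
        return {"da": a1, "bssid": a2, "sa": a3}
    if to_ds and not from_ds:
        return {"bssid": a1, "sa": a2, "da": a3}
    return {"ra": a1, "ta": a2, "da": a3, "sa": mac_str(frame[24:30])}


def station_mac(frame):
    """The STA side of a data frame: the SA when ToDS is set, the DA when FromDS is set."""
    addrs = data_frame_addresses(frame)
    to_ds, from_ds = bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    if to_ds and not from_ds:
        return addrs["sa"]
    if from_ds and not to_ds:
        return addrs["da"]
    return None  # ad hoc or WDS frame: no single STA side


# Constructed sample frames (not a real capture)
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6


def build_beacon():
    header = b"\x80\x00" + b"\x00\x00" + BROADCAST + AP + AP + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    ies = bytes([EID_SSID, 7]) + b"TestNet"
    ies += bytes([EID_DS_PARAMS, 1, 6])
    ies += bytes([EID_RSN, 2]) + b"\x01\x00"  # only the RSN version field, enough to show presence
    return header + fixed + ies


def build_data_to_ds():
    # frame control 0x08 = data frame; flags byte 0x01 = ToDS
    return b"\x08\x01" + b"\x00\x00" + AP + STA + BROADCAST + b"\x00\x00" + b"payload"


def build_data_from_ds():
    # flags byte 0x02 = FromDS: Addr1 = DA (the STA), Addr2 = BSSID, Addr3 = SA
    return b"\x08\x02" + b"\x00\x00" + STA + AP + BROADCAST + b"\x00\x00" + b"payload"
```

The length check inside the element walk matters in practice: beacons from misbehaving or malicious APs can carry an element whose declared length runs past the end of the frame, and a parser that trusts the length field reads out of bounds.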

Deauth attack

According to the WiFi protocol, a client should actively disconnect from the AP after receiving a Deauth management frame, and once disconnected the STA automatically tries to reconnect, which makes it easy to capture the EAPOL four-way handshake. A successful Deauth attack therefore greatly improves the efficiency of WPA cracking.

The Deauth attack template inside aircrack-ng is as follows:

Here \xC0\x00 indicates that the frame is a Deauth management frame, and the trailing \x02\x00 specifies the Deauth reason code; aircrack-ng changed it to \x06\x00 to distinguish its own frames.

When sending a Deauth attack, the DA is replaced with the MAC address of the target STA (or the broadcast address), and the SA and BSSID are filled in with the AP's MAC.
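Because Deauth frames are unauthenticated (only 802.11w management frame protection fixes that), the defensive counterpart of the above is spotting a burst of them. The following is an added detection example, not code from the original article: it classifies frames by the frame control byte described above (0xC0 = deauthentication, 0xA0 = disassociation), and raises one alert per BSSID when more than a threshold of such frames arrive inside a sliding time window. The frames, timestamps and reason codes are constructed here.

```python
from collections import defaultdict, deque

SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def frame_type_subtype(frame):
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


def is_deauth_or_disassoc(frame):
    ftype, subtype = frame_type_subtype(frame)
    return ftype == 0 and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)


def deauth_info(frame):
    """DA, SA, BSSID and reason code of a deauth/disassoc frame (24-byte header + 2-byte reason)."""
    reason = int.from_bytes(frame[24:26], "little")
    return mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason


def detect_deauth_flood(frames, window_s=10.0, threshold=5):
    """frames: (timestamp, raw 802.11 frame) pairs in capture order.
    Returns one alert per BSSID whose deauth/disassoc count inside the sliding window exceeds threshold."""
    recent = defaultdict(deque)  # bssid -> timestamps still inside the window
    alerts = {}
    for ts, frame in frames:
        if len(frame) < 26 or not is_deauth_or_disassoc(frame):
            continue
        da, sa, bssid, reason = deauth_info(frame)
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and bssid not in alerts:
            alerts[bssid] = {"count": len(q), "reason": reason, "broadcast": da == BROADCAST}
    return alerts


# Constructed sample capture (not real traffic)
AP1 = bytes.fromhex("001122334455")
AP2 = bytes.fromhex("0a0b0c0d0e0f")
STA = bytes.fromhex("66778899aabb")


def build_mgmt(subtype, da, sa, bssid, reason):
    fc = bytes([subtype << 4, 0x00])  # subtype 12 -> 0xC0, matching the frame control byte above
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + reason.to_bytes(2, "little")


def sample_capture():
    # one ordinary deauth from AP2 to a single STA (reason 3: station is leaving)
    frames = [(0.0, build_mgmt(SUBTYPE_DEAUTH, STA, AP2, AP2, 3))]
    # a burst of eight broadcast deauths apparently from AP1 within 1.4 seconds (reason 7 chosen for the sample)
    frames += [(1.0 + 0.2 * i, build_mgmt(SUBTYPE_DEAUTH, b"\xff" * 6, AP1, AP1, 7)) for i in range(8)]
    # an unrelated data frame, which the detector ignores
    frames.append((3.0, b"\x08\x01" + b"\x00\x00" + AP1 + STA + b"\xff" * 6 + b"\x00\x00" + b"data"))
    return frames
```

A broadcast DA combined with a high rate is the strongest signal: a real AP deauthenticating one misbehaving client sends a single unicast frame, whereas the handshake-forcing pattern described above repeats the same frame many times in quick succession.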

EAPOL capture

Recognizing EAPOL frames is relatively simple: since they are 802.1X data frames, the LLC (Logical Link Control) header carries the identifier 0x888e, so a direct memory search locates the EAPOL frame. Somewhat more troublesome is determining where the current EAPOL packet sits in the four-way handshake order, because in real network sniffing there is a high likelihood of missed packets.

The EAPOL packet format is as follows:

Where packet type = 3 denotes EAPOL-Key; the Key descriptor structure is as follows:

KEY_INFO defines a series of flags that differ at the different stages of the EAPOL four-way handshake; by analyzing these flags, the order of a packet within the handshake can be determined. Once the full four-way handshake has been observed, the handshake capture for the current AP is considered successful.
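The EAPOL-Key parsing and handshake ordering just described, as an added example that is not code from the original article. The LLC/SNAP search for EtherType 0x888e is the memory search the text mentions; the Key Information bit positions (Pairwise, Install, Ack, MIC, Secure) and the Key descriptor field offsets come from the IEEE 802.11 EAPOL-Key frame definition, since the article's own KEY_INFO table is missing. The four sample messages are constructed with the usual WPA2 Key Info values, and the status function also checks the replay counter, which is how a capture tool tells whether the M1 and M2 it holds belong to the same handshake attempt.

```python
import struct

EAPOL_TYPE_KEY = 3
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header ending in EtherType 0x888E

# Key Information flag bits of the EAPOL-Key frame (IEEE 802.11); the article's table is missing
KI_PAIRWISE = 0x0008
KI_INSTALL = 0x0040
KI_ACK = 0x0080
KI_MIC = 0x0100
KI_SECURE = 0x0200


def find_eapol(data_payload):
    """Locate the EAPOL frame inside an 802.11 data payload by its LLC/SNAP 0x888E signature."""
    idx = data_payload.find(LLC_SNAP_EAPOL)
    return None if idx < 0 else data_payload[idx + len(LLC_SNAP_EAPOL):]


def classify(key_info):
    """Return 1..4 for the four-way handshake message a Key Info value belongs to, else None."""
    if not key_info & KI_PAIRWISE:
        return None  # group key handshake, not part of the 4-way handshake
    ack, mic, install, secure = (bool(key_info & f) for f in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:
        return 4 if secure else 2
    return None


def parse_eapol_key(eapol):
    """Parse the EAPOL header and the fixed part of the Key descriptor (95 bytes)."""
    version, ptype, length = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_KEY or len(eapol) < 4 + 95:
        return None
    body = eapol[4:4 + length]
    key_info, key_len = struct.unpack("!HH", body[1:5])
    return {
        "descriptor": body[0],  # 2 = RSN (WPA2), 254 = WPA
        "key_info": key_info,
        "replay": int.from_bytes(body[5:13], "big"),
        "nonce": body[13:45],
        "mic": body[77:93],
        "key_data_len": struct.unpack("!H", body[93:95])[0],
        "message": classify(key_info),
    }


def handshake_status(eapol_frames):
    """For the EAPOL-Key frames of one STA/AP pair in capture order: which messages were seen,
    whether all four were, and whether M1 and M2 share a replay counter (the pair the article
    says is sufficient; a mismatch means they come from different handshake attempts)."""
    seen = {}
    for frame in eapol_frames:
        k = parse_eapol_key(frame)
        if k and k["message"]:
            seen[k["message"]] = k
    pair_ok = 1 in seen and 2 in seen and seen[1]["replay"] == seen[2]["replay"]
    return {"seen": sorted(seen), "complete": len(seen) == 4, "m1_m2_pair": pair_ok}


# Constructed sample frames (not a real capture); Key Info values are the usual WPA2 ones
def build_key_frame(key_info, replay, nonce, key_data=b""):
    body = (bytes([2]) + struct.pack("!HH", key_info, 16) + replay.to_bytes(8, "big") + nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16  # IV, RSC, ID, MIC (zeroed)
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


ANONCE, SNONCE = bytes([0xAA] * 32), bytes([0xBB] * 32)
M1 = build_key_frame(0x008A, 1, ANONCE)                      # pairwise + ack
M2 = build_key_frame(0x010A, 1, SNONCE, key_data=b"\x30\x00")  # pairwise + mic, carries the RSN IE
M3 = build_key_frame(0x13CA, 2, ANONCE, key_data=b"\x00" * 8)  # + install, secure, encrypted key data
M4 = build_key_frame(0x030A, 2, b"\x00" * 32)                # pairwise + mic + secure
```

When packets are missed, `handshake_status` reports exactly which messages survived; M2 and M4 both lack the Ack bit, so the Secure bit (and, for WPA2, the non-empty key data of M2) is what separates them.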
