Introduction
In this lab, you will explore the process of cracking Wi-Fi WPA/WPA2 passwords using a common penetration testing tool, John the Ripper. While the primary goal is educational, understanding these techniques is crucial for improving network security. You will learn how to capture a WPA/WPA2 handshake, which contains the necessary information for offline password cracking, and then use specialized tools to convert this handshake into a format that John the Ripper can process. Finally, you will attempt to crack the password using a dictionary attack. This lab will also cover the underlying security flaws in WPA/WPA2 and provide best practices for creating strong Wi-Fi passwords to protect your own networks.
Capture a WPA/WPA2 Handshake
In this step, you will understand the concept of capturing a WPA/WPA2 handshake. In a real-world scenario, this involves putting your wireless adapter into monitor mode and using tools like airmon-ng and airodump-ng to capture the 4-way handshake that occurs when a client connects to a Wi-Fi access point. This handshake contains the necessary cryptographic material to perform an offline brute-force or dictionary attack on the Wi-Fi password.
For the purpose of this lab, we will simulate the existence of a captured handshake file. The setup script has already created a dummy .cap file named dummy_capture.cap in your ~/project directory. This file represents a captured network traffic file that would contain a WPA/WPA2 handshake.
To verify the presence of this dummy capture file, use the ls command.
ls -lh ~/project/dummy_capture.cap
You should see output similar to this, indicating the file exists:
-rw-r--r-- 1 labex labex 48 Oct 26 08:00 /home/labex/project/dummy_capture.cap
This step focuses on the conceptual understanding, as actual network interface manipulation is beyond the scope of this virtual lab environment.
Convert Handshake to John the Ripper Format
In this step, you will learn how to convert a captured WPA/WPA2 handshake file (typically a .cap file) into a format that John the Ripper can understand. By default, John the Ripper does not process .cap files directly for WPA/WPA2 cracking. Instead, it requires the handshake in a specific hash format, produced by a converter such as the wpapcap2john utility that ships with John the Ripper (jumbo), or by tools from the aircrack-ng suite or hcxtools (hcxpcaptool). The aircrack-ng suite includes a utility that can extract the WPA/WPA2 handshake from a .cap file and output it in a format suitable for cracking.
For this lab, the setup script has already created a dummy .hccapx file named dummy_handshake.hccapx in your ~/project directory. This file simulates the output of such a conversion process, containing the extracted handshake information in a format ready for John the Ripper.
To verify the presence of this dummy handshake file, use the ls command.
ls -lh ~/project/dummy_handshake.hccapx
You should see output similar to this, confirming the file's existence:
-rw-r--r-- 1 labex labex 78 Oct 26 08:00 /home/labex/project/dummy_handshake.hccapx
This step emphasizes the necessity of format conversion before using John the Ripper for WPA/WPA2 cracking.
Crack WPA/WPA2 Handshake with John the Ripper
In this step, you will use John the Ripper to attempt to crack the WPA/WPA2 password from the converted handshake file. John the Ripper is a powerful password cracking tool that supports various attack modes, including dictionary attacks. A dictionary attack involves trying a list of common passwords (a wordlist) against the captured handshake.
You will use the john command with the --wordlist option to specify the wordlist file and the path to the handshake file. The setup script has already created a simple wordlist named wordlist.txt in your ~/project directory.
Execute the following command to attempt cracking the dummy handshake:
john --format=wpapsk --wordlist=~/project/wordlist.txt ~/project/dummy_handshake.hccapx
- --format=wpapsk: Specifies the hash format John the Ripper should expect, which is WPA-PSK for Wi-Fi handshakes.
- --wordlist=~/project/wordlist.txt: Points John to the dictionary file containing candidate passwords.
- ~/project/dummy_handshake.hccapx: The path to the converted handshake file.
After running the command, John the Ripper will attempt to crack the password. If a password from the wordlist matches, it will be displayed. For our dummy handshake and wordlist, the password labex123 should be found.
Example output:
Using default input encoding: UTF-8
Loaded 1 password hash (WPA-PSK [PBKDF2-SHA1 256/256 AVX2])
Will run till completion
Press 'q' or Ctrl-C to abort, almost any other key for status
labex123 (dummy_essid)
1g 0:00:00:00 DONE (2023-10-26 08:00) 100% (ETA: 08:00) 1.000g/s 5.000p/s 5.000c/s 5.000C/s labex123
Session completed.
The line labex123 (dummy_essid) indicates that the password labex123 was successfully cracked for the ESSID (network name) dummy_essid.
Understand WPA/WPA2 Security Flaws
In this step, you will gain a deeper understanding of the security flaws inherent in WPA/WPA2 (Wi-Fi Protected Access II) that make handshake cracking possible. While WPA2 was a significant improvement over its predecessors (WEP and WPA), it is still susceptible to certain types of attacks, primarily offline dictionary attacks against the 4-way handshake.
The core weakness is that the Pairwise Master Key (PMK) is derived deterministically from the Pre-Shared Key (PSK), that is, the Wi-Fi password, and the Pairwise Transient Key (PTK) is then derived from the PMK together with the nonces exchanged during the handshake. Because the handshake messages also carry integrity codes computed with the PTK, an attacker who captures the 4-way handshake can test candidate passwords offline: derive a PMK and PTK for each guess and check whether it reproduces the captured values. The attacker therefore does not need to be actively connected to the network to try different passwords; the captured handshake alone is enough.
Key points to understand:
- Offline Attack: The cracking process happens offline, meaning the attacker can take the captured handshake and try millions of passwords without interacting with the target network. This makes it very difficult to detect.
- Dictionary/Brute-Force: The success of this attack heavily relies on the strength of the Wi-Fi password. If the password is weak, common, or part of a dictionary, it can be cracked relatively quickly.
- No Direct Access: The attacker does not gain direct access to the network during the cracking process; they only obtain the password.
This vulnerability highlights the critical importance of using strong, unique passwords for Wi-Fi networks. Even with WPA2's robust encryption, a weak password can compromise the entire network.
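To make the derivation above concrete, the following Python example (added here; it is not part of the lab files) computes the WPA/WPA2-Personal PMK exactly as the standard defines it, PBKDF2-HMAC-SHA1 with the passphrase as secret, the SSID as salt and 4096 iterations, and then estimates how long exhausting several password shapes would take. The SSID home_wifi and the rate of 500,000 guesses per second are constructed assumptions, not values from the lab.

```python
import hashlib


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK (IEEE 802.11i): PBKDF2-HMAC-SHA1 with the passphrase as
    secret, the SSID as salt, 4096 iterations and a 256-bit output. Every candidate
    John tests against a captured handshake has to pay for this derivation."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID acts as a salt: one passphrase yields different PMKs on differently
    named networks, so a table precomputed for a common SSID is useless elsewhere."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a random password of this shape."""
    return charset_size ** length


def worst_case_days(candidates: int, guesses_per_second: float) -> float:
    """Days needed to try every candidate at the given PBKDF2 rate."""
    return candidates / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed values: the lab's dummy network name and password plus a second SSID.
    pmk = derive_pmk("labex123", "dummy_essid")
    print("PMK for labex123 on dummy_essid:", pmk.hex())
    print("Different SSID, different PMK:",
          pmk_depends_on_ssid("labex123", "dummy_essid", "home_wifi"))
    # Assumed attacker rate (not from the lab): about 500,000 PBKDF2 guesses per second.
    rate = 500_000
    shapes = (("8 lowercase letters", 26, 8), ("8 letters and digits", 62, 8),
              ("12 letters and digits", 62, 12), ("16 letters and digits", 62, 16))
    for label, charset, length in shapes:
        days = worst_case_days(keyspace(charset, length), rate)
        print(f"{label:22s}: {days:.3e} days to exhaust")
```

The jump from the 8-character rows to the 12- and 16-character rows is the whole argument for the length guideline in the next step.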
Implement Strong Wi-Fi Passwords
In this final step, you will learn and understand the best practices for implementing strong Wi-Fi passwords to mitigate the risks of WPA/WPA2 handshake cracking. As demonstrated in the previous steps, a weak password is the primary vulnerability that allows these attacks to succeed.
To protect your Wi-Fi network effectively, consider the following guidelines for creating strong passwords:
- Length: Aim for a password of at least 12-16 characters. Longer passwords significantly increase the time and computational resources required for cracking.
- Complexity: Use a mix of uppercase letters, lowercase letters, numbers, and special characters (e.g., !@#$%^&*). This makes dictionary and brute-force attacks much harder.
- Uniqueness: Do not reuse passwords across different services or networks. If one password is compromised, others remain secure.
- Avoid Common Words/Phrases: Do not use dictionary words, common phrases, personal information (like birthdays, names), or sequential numbers (e.g., 12345678). These are the first targets in dictionary attacks.
- Passphrases: Consider using a passphrase, a sequence of unrelated words. For example, CorrectHorseBatteryStaple is much stronger and easier to remember than P@$$w0rd!.
- Regular Changes: While not strictly necessary for very strong passwords, changing your Wi-Fi password periodically (e.g., once a year) can add an extra layer of security.
By following these recommendations, you can significantly enhance the security of your Wi-Fi network and make it extremely difficult for attackers to crack your WPA/WPA2 password, even if they manage to capture a handshake.
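The guidelines above can be turned into a check you run before setting a new Wi-Fi password. The following Python example is added here (not part of the lab) and encodes the length, complexity, common-word, sequence and personal-information rules; the COMMON_PASSWORDS set is a constructed stand-in for a real wordlist, and the 12- and 20-character thresholds are assumptions chosen to match the guidelines.

```python
import re

# Constructed sample data (not from the lab): a tiny stand-in for a real wordlist.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "labex123", "letmein", "iloveyou"}
# Undo the usual leetspeak swaps (@->a, $->s, 0->o, 1->i, 3->e, 4->a, 5->s).
LEET_MAP = str.maketrans("@$01345", "asoieas")
MIN_LENGTH = 12          # lower bound from the guidelines above
PASSPHRASE_LENGTH = 20   # at this length a multi-word passphrase needs no symbol mix

def normalize(password: str) -> str:
    """Map leetspeak back to letters and drop punctuation, so 'P@$$w0rd!' compares as 'password'."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET_MAP))

def char_classes(password: str) -> int:
    """Count how many of the lowercase, uppercase, digit and symbol classes are present."""
    return sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def has_sequential_run(password: str, run: int = 4) -> bool:
    """True if `run` neighbouring characters step by exactly +1 or -1 (1234, abcd, dcba)."""
    for i in range(len(password) - run + 1):
        steps = {ord(password[j + 1]) - ord(password[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False

def check_wifi_password(password: str, personal_info=()) -> list:
    """Apply the lab's guidelines; returns the list of findings (empty means it passes)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    if len(password) < PASSPHRASE_LENGTH and char_classes(password) < 3:
        findings.append("mix at least three of: lowercase, uppercase, digits, symbols")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        findings.append("appears in a common-password list (leetspeak does not help)")
    if has_sequential_run(password):
        findings.append("contains a sequential run such as 1234 or abcd")
    for token in personal_info:
        if len(token) >= 3 and token.lower() in password.lower():
            findings.append(f"contains personal information: {token!r}")
    return findings

if __name__ == "__main__":
    # Constructed candidates, including the lab's two examples and the dummy password.
    for pw in ("labex123", "P@$$w0rd!", "12345678", "CorrectHorseBatteryStaple", "Alice1990!!home"):
        result = check_wifi_password(pw, personal_info=("Alice", "1990"))
        print(f"{pw!r}: {'passes' if not result else '; '.join(result)}")
```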
Summary
In this lab, you have gained practical experience and theoretical knowledge regarding Wi-Fi WPA/WPA2 security. You learned the process of capturing a WPA/WPA2 handshake (conceptually), converting it into a format suitable for John the Ripper, and then using John the Ripper to crack the password through a dictionary attack. Furthermore, you explored the underlying security flaws that make these attacks possible and, most importantly, understood the critical importance of implementing strong, complex, and unique Wi-Fi passwords to protect your networks from such vulnerabilities. This knowledge is crucial for both offensive security understanding and defensive network protection.