Wi-Fi (Wireless Fidelity) is the go-to wireless standard for networking found in homes, offices and nearly every public space, allowing devices to access the internet and communicate with each other without cables simply by being within the range of a centralized location (Access Point).
This three-part blog series demonstrates how a WPA handshake can be captured using a Raspberry Pi Zero and subsequently cracked using Hashcat, highlighting how attackers exploit weak passwords in Wi-Fi networks with little to no trace.
Disclaimer: Everything shown in this blog was performed within legal boundaries and with full authorization from the network owner. This content is strictly for educational purposes. The author does not condone or take responsibility for any misuse of the techniques demonstrated.
A quick peek into the series looks something like this:
- Configure the Raspberry Pi Zero with a compatible wireless adapter and prepare it for remote access.
- Remotely control the Pi from a mobile device via SSH.
- Scan and capture WPA handshakes from a target Wi-Fi network when a client connects to it.
- Transfer the captured file to a laptop/desktop and crack the password using Hashcat.
Before we proceed, let’s have...
A Quick Look at Wi-Fi Security
In today’s ever-evolving digital era, Wi-Fi has become an integral part of our lives, offering convenient access to the internet and seamless communication between devices, but convenience always comes at a cost.
Unlike wired networks, wireless data transmission is inherently exposed to eavesdropping and unauthorized access, along with other unique vulnerabilities.
With the general security principle of CIA (Confidentiality, Integrity, Availability) in mind, Wi-Fi security is built around:
- Confidentiality: Ensuring that the data or messages transmitted within the network are unintelligible to unauthorized third parties.
- Integrity: Ensuring that the data transmitted within the network is not altered or tampered with in transit.
- Availability: Ensuring authorized users have reliable access to the network and the data transmitted.
These principles are further enforced using proper authorization and access control mechanisms.
WEP (Wired Equivalent Privacy)
The first attempt in securing wireless networks was in 1997 with the introduction of WEP (Wired Equivalent Privacy).
The name itself hints at the idea behind the concept: to provide a level of security similar to that of wired networks.
Confidentiality:
- For confidentiality, WEP uses Rivest Cipher (RC4), a stream cipher for encryption with a 24-bit Initialization Vector (IV).
Integrity:
- For message integrity, WEP uses a basic checksum algorithm called Cyclic Redundancy Check (CRC), which is not cryptographically secure.
Authentication and Access Control:
- For authentication, WEP uses a shared key that is the same across all devices in the network, which is inherently insecure.
- For access control, WEP relied solely on the shared key as a single layer of security.
WEP had some major drawbacks and security vulnerabilities. Its single layer of security based on a shared key meant that an attacker eavesdropping on the network traffic could potentially capture the shared key; the limited length of the IV in WEP’s encryption process makes it vulnerable to key reinstallation attacks; and the CRC algorithm employed by WEP for message integrity could easily be manipulated, allowing attackers to alter data packets without detection.
WPA (Wi-Fi Protected Access)
As a quick fix to WEP, WPA (Wi-Fi Protected Access) was introduced in 2003.
WPA overcame the shortcomings of WEP by implementing stronger authentication mechanisms, improved encryption algorithms with larger IVs and better message integrity checks.
Confidentiality:
WPA still used the same RC4 algorithm but with some key improvements, such as:
- Larger IV size offering a greater number of key variations, making key reinstallation attacks (KRACK) more challenging.
- For encryption, TKIP (Temporal Key Integrity Protocol) dynamically generates a new key for each packet transmitted.
WPA also uses a 4-way handshake, a process where devices securely exchange messages to verify identities and establish a session key for encrypting data transmissions.
Integrity:
- For message integrity, WPA uses Michael, which incorporates several key features such as a better hash function, larger checksum, sequence number and frame counter, which is much better compared to WEP’s CRC.
Authentication and Access Control:
The two major advancements in user authentication were:
- The introduction of EAP (Extensible Authentication Protocol) allowed various authentication mechanisms like password/username combination and token-based authentication, offering greater flexibility and security compared to WEP’s shared key approach.
- The introduction of PSK (Pre-Shared Key) allows users to share a passphrase, which is then converted into a stronger 256-bit encryption key for authentication.
WPA leverages EAP, which uses per-user authentication, allowing administrators to set access levels for each device and giving more granular control over network resources.
Despite these enhancements, WPA still used RC4, which was cryptographically weak by modern standards like AES (Advanced Encryption Standard). Moreover, PSK mode was vulnerable to dictionary and brute-force attacks if users chose weak passwords.
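The passphrase-to-key conversion mentioned above is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 rounds, 256-bit output), as defined in IEEE 802.11i. The following Python is an added illustration, not code from the post: it derives that key and shows why the 256-bit output is only as strong as the passphrase behind it. The SSIDs and passphrases are constructed sample values.

```python
import hashlib
import math

# Constructed sample network names for the demonstration (not from the post).
DEMO_SSIDS = ("HomeNet", "OfficeWiFi", "IEEE")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key (the PMK in personal mode).

    IEEE 802.11i: PBKDF2-HMAC-SHA1, passphrase as password, SSID as salt,
    4096 iterations, 32-byte output. Passphrases are 8 to 63 ASCII characters.
    """
    pp = passphrase.encode("ascii")
    if not 8 <= len(pp) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", pp, ssid.encode("utf-8"), 4096, dklen=32)


def psk_per_ssid(passphrase: str, ssids=DEMO_SSIDS) -> dict:
    """Same passphrase, a different key per SSID.

    Because the SSID is the salt, a key table precomputed for one network
    name cannot be reused against another; the attacker must redo the
    4096-round derivation per candidate passphrase and per SSID.
    """
    return {ssid: wpa_psk(passphrase, ssid).hex() for ssid in ssids}


def guess_space_bits(charset_size: int, length: int) -> float:
    """Upper bound on passphrase entropy for a uniformly chosen passphrase.

    The PMK is always 256 bits, but an offline guessing attack only has to
    cover this space, so this number, not 256, is the one that matters.
    """
    return length * math.log2(charset_size)


if __name__ == "__main__":
    for ssid, key in psk_per_ssid("correct horse").items():
        print(f"{ssid:12s} {key}")
    # 8 digits (a common router-default pattern) vs 16 mixed-case alphanumerics
    print("8 digits       : %.1f bits" % guess_space_bits(10, 8))
    print("16 alnum mixed : %.1f bits" % guess_space_bits(62, 16))
```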
WPA2 (Wi-Fi Protected Access 2)
To overcome the shortcomings of WPA in this ever-evolving threat landscape, a more sophisticated security protocol, WPA2, was introduced in 2004.
Confidentiality:
- One of the major advancements was the adoption of AES (Advanced Encryption Standard), which was much stronger compared to RC4.
Integrity:
- The MIC (Message Integrity Code) mechanism, first introduced in WPA, is still used for message integrity in WPA2.
- For message authentication, CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is used to encrypt data.
Authentication and Access Control:
- For user authentication, WPA2 uses AES along with EAP.
- For access control, passphrase-based authentication is used.
WPA2 still had flaws like Key Reinstallation Attacks (KRACK) and the possibility of the pre-shared key being captured and cracked.
WPA3 (Wi-Fi Protected Access 3)
WPA3 was introduced in 2018 to fix some security vulnerabilities in WPA2. It uses more effective and efficient encryption algorithms for protecting data.
Confidentiality:
- WPA3 uses GCM (Galois/Counter Mode) to perform 256-bit encryption on data.
Integrity:
- For message integrity, each device in the network has its encryption key so that other devices cannot decrypt packets being transmitted.
Authentication and Access Control:
- WPA3 uses the SAE (Simultaneous Authentication of Equals) protocol to authenticate users. SAE uses the Dragonfly handshake to implement a zero-knowledge proof between users and the access point. In simpler words, it securely exchanges passwords in a way that protects against guessing attacks, even if someone is watching the network.
- For access control, client isolation is implemented, which makes sure that devices cannot directly communicate with each other and aren’t even aware of each other.
WPA3 isn’t immune to attacks such as ARP spoofing or rogue access points.
With the basics of Wi-Fi security covered, it's time to get practical. In the next section, I'll walk you through setting up the Raspberry Pi Zero for remote access.