It is possible to crack WPA/WPA2 wireless network credentials using any number of open source tools available now, including oclHashcat+, aircrack-ng, or pyrit, to name a few. If you are having trouble cracking a password, it is possible that the network uses RADIUS authentication instead of a pre-shared key (PSK). You could have seen this when looking at the details of the network you were capturing authentication packets for, as it would display as WPA Enterprise rather than WPA Personal. It does happen, though, that this is not considered during the capture, so you may need to verify whether a network is WPA/WPA2 Personal or WPA/WPA2 Enterprise once you are attempting to crack the authentication. You can do this using Wireshark and the details below.
Verify Wireless Network Auth Type Is PSK By Examining Wireless Packets:
First, a quick definition of a couple of terms used in this article.
- PSK: Pre-Shared Key
- WPA: Wi-Fi Protected Access
- WPA2: Wi-Fi Protected Access II
- EAPOL: EAP Over LAN
- EAP: Extensible Authentication Protocol
- RADIUS: Remote Authentication Dial In User Service
OK, so below we will examine two different wireless network captures. One of the captures uses pre-shared key authentication, which is typical for personal wireless networks or small businesses, and the other uses RADIUS authentication, which is typically used in medium to large businesses. The first thing you will want to do is open the capture in Wireshark and filter on “wlan_mgt.rsn.akms.type == psk” as shown in the example image below. This will display only the packets that include PSK as the wireless authentication key management (AKM) type. There are two types of packets that include this information. The first is the beacon frame, which is broadcast to the entire network to provide this information to potential wireless clients; this is how wireless networks show up in the list of available networks on your computer or other wireless-capable device. The second is part of the 4-way EAPOL handshake and involves communication between the wireless access point and a specific wireless device connecting to the WAP. So if you only had a single wireless handshake captured, once you filtered on “wlan_mgt.rsn.akms.type == psk”, or even just on wlan_mgt.rsn.akms.type, the packets left visible would look similar to the image below, including the second EAPOL packet and possibly a broadcast beacon frame.
Filter Wireless Network Authentication Packets In Wireshark:
Now, if you filtered on the AKM type being PSK and you can see packets with the SSID in question, then you already know the answer: that wireless network supports pre-shared key authentication. If you filtered only on the packet including an AKM type, then you could drill down into the packet as shown below to verify that PSK is supported.
Example Wireless Authentication Key Management Type Of PSK Viewed In Wireshark:
In the RSN Information tag above you can clearly see PSK displayed next to Auth Key Management. Below we see instead that the AKM type is WPA, which indicates WPA Enterprise (802.1X authentication) and the use of a RADIUS server.
Example Wireless Authentication Key Management Type Of WPA Viewed In Wireshark:
So now, using Wireshark, you can see if a wireless network is WPA Personal or WPA Enterprise by filtering on wlan_mgt.rsn.akms.type (newer Wireshark releases name the same field wlan.rsn.akms.type).
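As an added example, not code from the original article: a small Python parser that reads the AKM suite list from the RSN element (tag 48) in a beacon or probe response, which is the data Wireshark's wlan_mgt.rsn.akms.type filter matches on; it goes a step beyond the article's RSN filter by also reading the older WPA vendor element (tag 221, OUI 00:50:F2) that WPA1-only networks advertise. The SSIDs and tagged-parameter blocks are constructed, and the parser assumes it is handed the tagged parameters that follow the frame's fixed fields.

```python
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i suite-selector OUI
WPA_OUI = b"\x00\x50\xf2"   # OUI of the older WPA (WPA1) vendor-specific element
# AKM suite type codes: 1 = 802.1X (Enterprise, RADIUS behind the AP), 2 = PSK (Personal).
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def iter_elements(tagged: bytes):
    """Yield (tag_id, body) for each TLV in a frame's tagged-parameters block."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) < length:          # truncated element: stop, do not guess
            return
        yield tag, body
        i += 2 + length

def parse_akms(body: bytes, oui: bytes) -> list:
    """Skip version, group cipher and pairwise-cipher list, then read the AKM list."""
    n_pair = int.from_bytes(body[6:8], "little")      # after version(2)+group cipher(4)
    pos = 8 + 4 * n_pair                              # skip the pairwise cipher suites
    n_akm = int.from_bytes(body[pos:pos + 2], "little")
    suites, pos = [], pos + 2
    for _ in range(n_akm):
        suite, pos = body[pos:pos + 4], pos + 4
        if len(suite) < 4:              # element ended early
            break
        name = (AKM_NAMES.get(suite[3], f"type-{suite[3]}") if suite[:3] == oui
                else "vendor-" + suite.hex())
        suites.append(name)
    return suites

def akm_suites(tagged: bytes) -> dict:
    """Return {'RSN': [...], 'WPA': [...]} for whichever security elements are present."""
    found = {}
    for tag, body in iter_elements(tagged):
        if tag == 48 and len(body) >= 8:                     # RSN element (WPA2)
            found["RSN"] = parse_akms(body, RSN_OUI)
        elif tag == 221 and body[:4] == WPA_OUI + b"\x01":   # WPA vendor element (WPA1)
            found["WPA"] = parse_akms(body[4:], WPA_OUI)
    return found

def rsn_element(akm_type: int) -> bytes:
    """Constructed RSN element (not a real capture): CCMP ciphers, one AKM suite."""
    body = (b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x04"
            + b"\x01\x00" + RSN_OUI + bytes([akm_type]) + b"\x00\x00")
    return bytes([48, len(body)]) + body

PERSONAL = b"\x00\x04home" + rsn_element(2)    # SSID "home", AKM 00-0f-ac-02 -> PSK
ENTERPRISE = b"\x00\x04corp" + rsn_element(1)  # SSID "corp", AKM 00-0f-ac-01 -> 802.1X
```

A truncated element (a length byte that runs past the end of the block) stops parsing instead of producing a bogus suite, which is the case a malformed or cut-off capture will hand you.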