Hotspot Password Cracking

I have seen quite an influx of 4G hotspots recently. At SANS last week, every time I turned my WiFi card on I could see at least 3 or 4 of them in my vicinity. A lot of people I know carry them with them as well. I had the chance to look at one a little closer recently.


They usually ship with WPA-PSK encryption enabled. Some actually print the password on the router to make it easy to remember. Most of the time there is some sort of default password. One in particular uses the last eight digits of the 14-15 digit IMEI (International Mobile Equipment Identity) number.


Most hotspot owners probably don't worry about changing the password because they only turn it on when they need it. But all it takes is a chance to deauthenticate the client from the hotspot to intercept the WPA handshake. Once one has the handshake they just need to be able to crack it. For example, let's say we know there are only eight digits in the password. That gives us a total of 100,000,000 possible combinations. My laptop can crank out about 2,000 password attempts per second, so that works out to around 14 hours of cracking time to go through every possible combination. It doesn't make much sense to use rainbow tables with this attack because you would still need to compute the tables per SSID. Instead, using John the Ripper to generate candidates on the fly will be quicker, as you may crack the password by brute force.

So this is how you would do it:

Say you have been hired by a company to do a penetration test on their wireless infrastructure. You first boot up BackTrack and plug in your Alfa AWUS036H wireless card.

You need to kill any processes that may interfere with the wireless card. Run airmon-ng check kill. Follow that with airmon-ng start wlan0, then airodump-ng mon0.

This will start the wireless card in monitor mode so you can see what APs are nearby without broadcasting any packets. You notice an AP in your vicinity with SSID "So-and-so's Hotspot". Since you read this how-to, you know that this hotspot could potentially have a default password. Just as an example, let's say the model has a default 8-digit PIN. Definitely worth trying to crack. Before you begin cracking, make sure to find out whether this is a company hotspot and get permission from the hiring company to try to break the password. We wouldn't want to crack the encryption on anyone's personal device. That is illegal.

Alright, Ctrl+C your airodump session and stop your airmon session as well with airmon-ng stop mon0.

This time start your card in monitor mode on the channel of the hotspot. Mine happens to be broadcasting on channel 2. To monitor channel 2, run airmon-ng start wlan0 2. Next, start an airodump session on channel 2 that watches the specific BSSID of the hotspot and writes to a file: airodump-ng -c <channel> --bssid <bssid of the AP> -w <filename to write> mon0. With the airodump session running, we now need to deauthenticate any clients associated to the AP and intercept the WPA handshake.

To deauthenticate a client, run aireplay-ng -0 1 -a <AP BSSID> -c <client MAC address> mon0. When you de-auth the client, hopefully we will intercept the handshake as it reauthenticates to the AP.

As you can see in the image to the right, we were able to capture the WPA handshake with ease. Now that we have this handshake we can take the cap file back to wherever we want to crack it.

The next step in cracking this password is to run John the Ripper against it. There are a few things we need to set up first to ensure the quickest possible cracking.

First, change directories to /pentest/passwords/john/ and open john.conf in nano. Find the [List.Rules:Wordlist] section and add this to the very end of it: $[0-9]$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]. When we run John with mangling rules in a few seconds, this rule tells it to append every possible combination of seven digits to each base word. We use seven digits here because John needs a wordlist file as a base, and that list supplies the eighth digit. Create a new file called numlist.lst in nano and add a line for every digit 0-9. So the list will look like this:

0
1
2
3
4
5
6
7
8
9

Now we are all set to start cracking the captured handshake. Make sure you are in the /pentest/passwords/john/ directory and run ./john --wordlist=numlist.lst --rules --stdout | aircrack-ng -e <essid of SCH-LC11> -w - <capture file>. Once you begin, you should see John start generating passwords for aircrack-ng to test against the capture file. Like I said before, this can take up to 14 hours on a decent laptop.


So set the laptop aside, go grab your axe, start shredding some riffs and crank that amp to eleven. Come back in the morning before you head back for day two of pentesting. In the morning you should see that you have cracked that lone hotspot's WPA encryption key.

But wait, this is probably just a random hotspot that is not on the network... Well, maybe so, but you can use your newly cracked password to jump on their AP and ARP poison them, or even better set up Karmetasploit to take over their system. If you ARP poison them you may be able to grab a login to a site or two. Since most people tend to reuse passwords, you can then try logging in to the domain with their creds. This could be a work computer they are connecting to the AP with as well. Any avenue that will help you get closer to getting on their domain is always welcomed.

In conclusion, this is a good example of when rogue AP detection would be nice to have. If you must carry one of these hotspots with you, changing the password is just as easy as it is on your home router. Also, if you allow hotspots in your company's environment, make sure that the default passwords are changed. Navigate to, select to change the password. Remember, if you start up one of these APs at a conference, probably no one will get your default pass the first day, but by day two you may have some hackers snatching up all your bandwidth.
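As an added example that is not part of the original post, the following Python audit turns the post's own numbers (the eight-digit numeric default taken from the IMEI, and the roughly 2,000 guesses per second a laptop manages) into a check a hotspot owner or administrator can run against a configured PSK before the device goes to a conference. The IMEI and PSK values in it are constructed, and the 13-character minimum is a threshold chosen here, not something the post states.

```python
"""Weak-PSK audit for hotspots, using the defaults and the 2,000 guesses/s
figure from the post above. Added example; IMEI/PSK values are constructed."""
import re
from typing import Optional

LAPTOP_GUESS_RATE = 2000.0  # WPA-PSK guesses per second the post quotes


def imei_default_psk(imei: str) -> str:
    """Default PSK pattern from the post: last eight digits of a 14-15 digit IMEI."""
    digits = re.sub(r"\D", "", imei)
    if len(digits) not in (14, 15):
        raise ValueError("IMEI must be 14 or 15 digits")
    return digits[-8:]


def keyspace(psk: str) -> int:
    """Candidates to exhaust once the PSK's character class and length are known."""
    if psk.isdigit():
        alphabet = 10
    elif psk.isalpha() and psk.islower():
        alphabet = 26
    elif psk.isalnum():
        alphabet = 62
    else:
        alphabet = 95  # printable ASCII
    return alphabet ** len(psk)


def assess_psk(psk: str, imei: Optional[str] = None,
               rate: float = LAPTOP_GUESS_RATE) -> dict:
    """Flag the weaknesses the post relies on and estimate exhaustive-search time."""
    findings = []
    if imei is not None and psk == imei_default_psk(imei):
        findings.append("equals IMEI-derived factory default")
    if psk.isdigit():
        findings.append("all digits")
    if len(psk) < 13:  # assumed policy minimum, not from the post
        findings.append("shorter than 13 characters")
    space = keyspace(psk)
    return {"keyspace": space,
            "hours_to_exhaust": space / rate / 3600,
            "weak": bool(findings),
            "findings": findings}


if __name__ == "__main__":
    IMEI = "49015420323751"  # constructed 14-digit IMEI
    for candidate in (imei_default_psk(IMEI), "Tr0ub4dor&3xyz!q"):
        print(candidate, assess_psk(candidate, IMEI))
```

The factory-default case reports the post's 100,000,000 candidates and about 14 hours at 2,000 guesses per second; a 16-character mixed PSK reports no findings and a keyspace far beyond brute force.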

