The usual Sunday morning and read the Hacker News. I Found the title “How I hacked router”. Author hacked his friend for request and did it by hacking his router. After reading I was loaded with curiosity. I wanted to try something similar and I started to think what is my weak spot. Not so many thoughts later I realised that a most important thing which I have is a backups of my music library which are saved to Time capsule. Oh yes, Time capsule is a router and I am going to hack it.
Starting point
Time capsule is located in a safe place at my home. Something not so safe is a wlan-password which was finnish word: kultakala (goldfish in english). Secured with wpa2. The most critical thing was that a root-password to router was exactly the same as the wlan-password. So if I could crack wlan-password I could easily delete all backups in Time capsule. SICK!
Hacking Time capsule with reaver
I had no previous experience at all of password cracking or “hacking-hacking”. So I started by googling “How to crack wpa2”. It led me to lifehacker.coms step by step article from Adam Pash of How to crack wpa2 with reaver. Mr. Pash used Backtrack linux distro for cracking. In this point I remembered that Somehow I know that Backtrack is the ultimate hacking distro and new version of it is Kali linux.
I googled “crack wpa2 kali reaver”. I found this Secretlaboratory.orgs guide. First I downloaded kali linux from official web site. I went on Kali Linux 1.0.6 64 Bit and burned it to dvd. Since I was going to crack wlan I had to have Kali in machine which has wireless network adapter. I decide to use my macbook pro and turned out that holding alt-key on boot (dvd inside) – easily led me to boot live version of Kali.
I followed the Secretlaboratory.orgs step-by-step guide. At firs it actually went quite well but it failed very soon. I realised that the reaver is designed to crack acces points with wps. Basically it is a authorization system where you have a magic-button in access point. Pushing the button lets you to connect to acces point. Time capsule acces point does not have this ability which is actually very nice since it makes it little bit better secured. I had to figure out the new way of crack it.
Dictionarry attack against Time capsule
After 20minutes of googling I was again much more wiser. Turned out, if you can not exploit WPS – the only options are to brute force and dictionary-based attack. I decide to give dictionarry-attack a try and found this Drchaos.coms step-by-step guide of of cracking wpa2 with kali using dictionarry-attack.
Guide was very easy to follow. Last step of it when you have captured a password-hash and you are going to crack it you have to have dictionary-file. Basically it is file which contains words from dictionary.
At this point I started to thinking “Where the hell I could find finnish dictionary in one file – well, I could not find it!”. I still googled “finnish dictionarry attack” and BOOM second link let me to site which let me to site which is hosting file called word.finnish containing 287698 finnish words. I used that file and here is the result:
I cracked my Time capsules password in 43 seconds. SICK!
Worst of all, after that I could delete all my backups easily since I used same root-password and wlan-password.
Sources:
http://disconnected.io/2014/03/18/how-i-hacked-your-router/
http://lifehacker.com/5873407/how-to-crack-a-wi-fi-networks-wpa-password-with-reaver/all
Crack WPA/WPA2 Wireless Password Using Reaver in Kali Linux!
http://www.drchaos.com/breaking-wpa2-psk-with-kali/
ftp://ftp.funet.fi/pub/unix/security/dictionaries/Finnish/