The gMan nixWiki

Because the mind is made of Teflon...

hack_wireless_hack

Differences

This shows you the differences between two versions of the page.

hack_wireless_hack [2020/04/18 18:57] – created gman
hack_wireless_hack [2020/05/31 17:45] (current) gman
Line 1: Line 1:
-====== Wireless ======+====== Wireless: Hack ======
  
 ===== Packet Sniffing (airodump) ===== ===== Packet Sniffing (airodump) =====
- 
-General wireless packet sniffing is done with ''airodump-ng'', part of the ''aircrack-ng'' suite. 
- 
-**//This will give you general information about the wireless __networks__ around you.//** 
  
 **man page:** airodump-ng is used for packet capturing of raw 802.11 frames for the **man page:** airodump-ng is used for packet capturing of raw 802.11 frames for the
 intent of using them with air‐ crack-ng.  NOTE: Ctrl-c to exit. Syntax: intent of using them with air‐ crack-ng.  NOTE: Ctrl-c to exit. Syntax:
 +  * General wireless packet sniffing is done with ''airodump-ng'', part of the [[https://www.aircrack-ng.org/documentation.html|aircrack-ng]] suite.
 +  * This will give you general information about the wireless **//__networks__//** around you.
 +
 +Syntax:
  
 <code>airodump-ng [options] <interface name></code> <code>airodump-ng [options] <interface name></code>
  
-Must first enable monitor mode (see above). Then run (assuming interface name wlan0):  +Must first enable monitor mode ([[hack_wireless_setup#change_adapter_mode|see here]]). Then run (assuming interface name wlan0): 
- +
-<code>airodump-ng wlan0  # 2.4Ghz only, quicker</code> +
- +
-To get airodump to sniff on 5Ghz ... or all of them... +
  
 <code> <code>
 +airodump-ng wlan0             # 2.4Ghz only, quicker
 airodump-ng --band a wlan0    # 5Ghz, quicker airodump-ng --band a wlan0    # 5Ghz, quicker
 airodump-ng --band abg wlan0  # 5Ghz + 2.4Ghz, slower airodump-ng --band abg wlan0  # 5Ghz + 2.4Ghz, slower
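Review bot: the new version says "Syntax:" twice in a row: the quoted man-page text above the bullets already ends with "NOTE: Ctrl-c to exit. Syntax:", and the added "+Syntax:" line repeats it directly before the <code> block. Drop one of them. The same man-page quote still carries the line-wrap artefact "air‐ crack-ng" (hyphen plus space) in both columns; it should read "aircrack-ng". Minor: the comments in the code block write "2.4Ghz" and "5Ghz", the unit is "GHz".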
Line 53: Line 50:
 <code> <code>
 aireplay-ng --deauth=10000000 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0 aireplay-ng --deauth=10000000 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
-# program     repeat lots        MAC addr router      MAC addr client   wireless adpater+# program     repeat lots        MAC: access point      MACclient     wireless adapater
 </code> </code>
  
-The ''-c'' argument is the MAC address of the client machine on the network you are deauthenticating. It is not the MAC address of your attack machine.+Option -a is the MAC address of the access point and ''-c'' the client machine on the network you are deauthenticating.
   * Remember: to get a client MAC address, you run airodump-ng and specify the network in order to see all the clients. The clients show up in the second (lower) block of information, under STATION:    * Remember: to get a client MAC address, you run airodump-ng and specify the network in order to see all the clients. The clients show up in the second (lower) block of information, under STATION: 
  
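Review bot: the rewritten comment line under the aireplay-ng command no longer lines up with the options it annotates and carries two typos: "MACclient" is missing its separator (the preceding field reads "MAC: access point", so this should be "MAC: client"), and "adapater" should be "adapter" (the old line had "adpater", so the typo was carried over rather than fixed). In the sentence after the block, -a is left bare while -c is in ''monospace''; mark both the same way and give each its own noun, e.g. "Option ''-a'' is the MAC address of the access point and ''-c'' is the MAC address of the client machine on the network you are deauthenticating."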
Line 125: Line 122:
 The only difference is the ecryption method: WPA uses TKIP and WPA2 uses CCMP. The same methods will work with both WPA and WPA2. The only difference is the ecryption method: WPA uses TKIP and WPA2 uses CCMP. The same methods will work with both WPA and WPA2.
  
-**Misconfiguration Exploit:** WPS (allows clients to connect without the password).+---- 
 + 
 +=== WPS Misconfiguration Exploit=== 
 + 
 +WPS (allows clients to connect without the password).
   * Originally provided to simplify connecting printers and other peripherals.   * Originally provided to simplify connecting printers and other peripherals.
   * "PBC": Push Button Configuration (peripherals and router had a WPS button).   * "PBC": Push Button Configuration (peripherals and router had a WPS button).
Line 157: Line 158:
   * If WPS is not misconfigured or PBC is set... then this won't work. Move on...   * If WPS is not misconfigured or PBC is set... then this won't work. Move on...
  
-**WPA/WPA2 CRACKING:** The only packets that can aid cracking are the handshake packets. +---- 
-  * These are 4 packets sent when a client connects to the network+ 
 +=== WPA/WPA2 CRACKING === 
 + 
 +The only packets that can aid cracking WPA and WPA2 are the handshake packets. 
 +  * These are 4 packets sent when a client connects to the network
 +  * Here's the process...
  
 1. Run ''airodump-ng'' against all reachable networks... 1. Run ''airodump-ng'' against all reachable networks...
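Review bot: heading style is inconsistent between the two new subsections: "=== WPA/WPA2 CRACKING ===" is all caps while the one added in the previous hunk, "WPS Misconfiguration Exploit", is title case; pick one. Both are level-4 "===" headings placed directly under a level-2 "=====" section, skipping a level. The added bullet "Here's the process..." only announces the numbered steps that immediately follow and could be dropped.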
Line 182: Line 188:
  
 5. Use that WPA handshake value to get the key for the wireless network (see next). 5. Use that WPA handshake value to get the key for the wireless network (see next).
 +
 +6. Wordlist: a very large text file of words to use against the handshake value
 +  * You can either create one of your own or download one (or combine the two).
 +
 +**Create your own word list with ''crunch''**
 +
 +<code>
 +crunch [min] [max] [characters] -t [pattern] -o [filename]   # syntax
 +crunch 6 8 123abc$ -t a@@@@b -o wordlist                     # example
 +</code>
 +
 +^  option  ^  description  ^
 +| min | minimum number of characters for the password to be generated |
 +| max | maximum number of characters for the password to be generated |
 +| characters | specificy the characters you want to generate passwords from |
 +| pattern | if you know something about the password (e.g., starts w/ "a") |
 +
 +**Links to wordlists:*
 +  * ftp://ftp.openwall.com/pub/wordlists/
 +  * http://www.openwall.com/mirrors/
 +  * https://github.com/danielmiessler/SecLists
 +  * http://www.outpost9.com/files/WordLists.html
 +  * http://www.vulnerabilityassessment.co.uk/passwords.htm
 +  * http://packetstormsecurity.org/Crackers/wordlists/
 +  * http://www.ai.uga.edu/ftplib/natural-language/moby/
 +  * http://www.cotse.com/tools/wordlists1.htm
 +  * http://www.cotse.com/tools/wordlists2.htm
 +  * http://wordlist.sourceforge.net/
 +
 +7. Use aircrack-ng: wordlist + handshake to crack the password
 +  * ''aircrack-ng'' will unpack the handshake and extract the useful information
 +  * The MIC (Message Integrity Code) from the handshake is used by the access point to verify whether a password is correct or not.
 +  * It will take each word in the wordlist, combine it with the information in the handshake, and generate a MIC.
 +  * It will compare that MIC with the MIC in the handshake. If they match, your word is the password.
 +  * TAKE-AWAY: Success depends on your word list.
 +  * This will take a lot of time. If you have a GPU, it can be used to speed up the comparison process.
 +  * Make sure you are in the directory with your airodump-ng .cap file (that captured the handshake) and the .txt wordlist... 
 +
 +<code>
 +aircrack-ng filename-01.cap -w wordlist.txt
 +#           |--> name of file from the airodump-ng
 +</code>
  
 ---- ----
  
 We'll have some more goodies later...  :-) We'll have some more goodies later...  :-)
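Review bot: "**Links to wordlists:*" closes the bold with a single asterisk, so DokuWiki renders the asterisks literally and the bold does not terminate; it should be "**Links to wordlists:**". In the crunch option table, "specificy" should be "specify". The crunch example passes min 6 and max 8 together with a six-character -t pattern ("a@@@@b") while the syntax line presents min, max and pattern as independent; either state how the 6..8 range interacts with a fixed-length pattern or make the example consistent with its pattern (6 6). Step 6 ("Wordlist: ...") is a prerequisite rather than a procedure step, and inserting it after "5. ... (see next)" makes "next" point at the wordlist material instead of the aircrack-ng command; consider moving the wordlist section ahead of the numbered list or relabeling it. In the step-7 bullets, the MIC is first said to be "used by the access point to verify whether a password is correct" and then to be compared by aircrack-ng; make explicit that the comparison described is aircrack-ng's offline check against the captured handshake, so the reader does not take the access point to be involved.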
hack_wireless_hack.1587236221.txt.gz · Last modified: by gman