The gMan nixWiki

Because the mind is made of Teflon...

hack_wireless_hack

Differences

This shows you the differences between two versions of the page.

hack_wireless_hack [2020/05/03 20:59] – [DeAuth Attack] gman
hack_wireless_hack [2020/05/31 17:45] (current) gman
Line 1: Line 1:
-====== Wireless ======+====== Wireless: Hack ======
  
 ===== Packet Sniffing (airodump) ===== ===== Packet Sniffing (airodump) =====
Line 122: Line 122:
 The only difference is the ecryption method: WPA uses TKIP and WPA2 uses CCMP. The same methods will work with both WPA and WPA2. The only difference is the ecryption method: WPA uses TKIP and WPA2 uses CCMP. The same methods will work with both WPA and WPA2.
  
-**Misconfiguration Exploit:** WPS (allows clients to connect without the password).+---- 
 + 
 +=== WPS Misconfiguration Exploit=== 
 + 
 +WPS (allows clients to connect without the password).
   * Originally provided to simplify connecting printers and other peripherals.   * Originally provided to simplify connecting printers and other peripherals.
   * "PBC": Push Button Configuration (peripherals and router had a WPS button).   * "PBC": Push Button Configuration (peripherals and router had a WPS button).
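Review bot: the new heading `=== WPS Misconfiguration Exploit===` is missing the space before its closing `===` and drops from the surrounding `=====` level straight to `===`, skipping the `====` level, so it renders two levels below the section it belongs to; suggest `==== WPS Misconfiguration Exploit ====`. The line after it, `WPS (allows clients to connect without the password).`, became a fragment once the leading `**Misconfiguration Exploit:**` label was removed; `WPS allows clients to connect without the password.` reads as a sentence. The unchanged context line above still spells `ecryption` (twice) for `encryption`.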
Line 154: Line 158:
   * If WPS is not misconfigured or PBC is set... then this won't work. Move on...   * If WPS is not misconfigured or PBC is set... then this won't work. Move on...
  
-**WPA/WPA2 CRACKING:** The only packets that can aid cracking are the handshake packets. +---- 
-  * These are 4 packets sent when a client connects to the network+ 
 +=== WPA/WPA2 CRACKING === 
 + 
 +The only packets that can aid cracking WPA and WPA2 are the handshake packets. 
 +  * These are 4 packets sent when a client connects to the network
 +  * Here's the process...
  
 1. Run ''airodump-ng'' against all reachable networks... 1. Run ''airodump-ng'' against all reachable networks...
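Review bot: `=== WPA/WPA2 CRACKING ===` has the same heading-level skip (`=====` down to `===`) as the other new subsection; using `==== WPA/WPA2 CRACKING ====` keeps the hierarchy consistent. The bullet `* Here's the process...` introduces steps written as plain text (`1. Run ''airodump-ng'' ...`); DokuWiki's ordered-list syntax (`  - ` at the start of the line) would number them automatically and keep the numbering correct when a step is inserted, as step 6 and 7 are in the next hunk.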
Line 179: Line 188:
  
 5. Use that WPA handshake value to get the key for the wireless network (see next). 5. Use that WPA handshake value to get the key for the wireless network (see next).
 +
 +6. Wordlist: a very large text file of words to use against the handshake value
 +  * You can either create one of your own or download one (or combine the two).
 +
 +**Create your own word list with ''crunch''**
 +
 +<code>
 +crunch [min] [max] [characters] -t [pattern] -o [filename]   # syntax
 +crunch 6 8 123abc$ -t a@@@@b -o wordlist                     # example
 +</code>
 +
 +^  option  ^  description  ^
 +| min | minimum number of characters for the password to be generated |
 +| max | maximum number of characters for the password to be generated |
 +| characters | specificy the characters you want to generate passwords from |
 +| pattern | if you know something about the password (e.g., starts w/ "a") |
 +
 +**Links to wordlists:*
 +  * ftp://ftp.openwall.com/pub/wordlists/
 +  * http://www.openwall.com/mirrors/
 +  * https://github.com/danielmiessler/SecLists
 +  * http://www.outpost9.com/files/WordLists.html
 +  * http://www.vulnerabilityassessment.co.uk/passwords.htm
 +  * http://packetstormsecurity.org/Crackers/wordlists/
 +  * http://www.ai.uga.edu/ftplib/natural-language/moby/
 +  * http://www.cotse.com/tools/wordlists1.htm
 +  * http://www.cotse.com/tools/wordlists2.htm
 +  * http://wordlist.sourceforge.net/
 +
 +7. Use aircrack-ng: wordlist + handshake to crack the password
 +  * ''aircrack-ng'' will unpack the handshake and extract the useful information
 +  * The MIC (Message Integrity Code) from the handshake is used by the access point to verify whether a password is correct or not.
 +  * It will take each word in the wordlist, combine it with the information in the handshake, and generate a MIC.
 +  * It will compare that MIC with the MIC in the handshake. If they match, your word is the password.
 +  * TAKE-AWAY: Success depends on your word list.
 +  * This will take a lot of time. If you have a GPU, it can be used to speed up the comparison process.
 +  * Make sure you are in the directory with your airodump-ng .cap file (that captured the handshake) and the .txt wordlist... 
 +
 +<code>
 +aircrack-ng filename-01.cap -w wordlist.txt
 +#           |--> name of file from the airodump-ng
 +</code>
  
 ---- ----
  
 We'll have some more goodies later...  :-) We'll have some more goodies later...  :-)
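Review bot: `**Links to wordlists:*` is missing its closing asterisk, so the bold markup is unterminated and will bleed into the list of links below it; it should read `**Links to wordlists:**`. In the `crunch` option table, `specificy` should be `specify`. The step 7 bullets end with `TAKE-AWAY: Success depends on your word list.` but the conclusion a reader on the defensive side needs is not drawn: because `aircrack-ng` only reports a match when a word from the list reproduces the captured MIC, a passphrase that appears in no wordlist is not recovered by this method, which is the reason to recommend long, non-dictionary passphrases in the same section. Also, the trailing space after `wordlist...` on the last step 7 bullet should be trimmed.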
hack_wireless_hack.1588539548.txt.gz · Last modified: by gman