Author Topic: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks  (Read 2275 times)

0 Members and 1 Guest are viewing this topic.

Offline peskybear

  • Adherent
  • *
  • Posts: 72
    • View Profile
Courtesy of GhostPrototype from the totse2 archives circa 2012. Kali Linux has replaced BackTrack now, so you'll want to download that instead. At the time of this writing, I can't confirm if Kali and BackTrack work exactly the same, but the basic principles of this tutorial should be the same. Ignore mentions of BackTrack and replace them with Kali in your brain:

Too many times, have I found myself at an extreme inconvenience due to a crippling lack of internet. Looking for available wireless networks, it's disappointing to find nothing but locked access points. But, are they really too locked? This tutorial will explore a few methods of gaining access to wireless networks. Keep in mind, that following this tutorial without consent of whomever owns the networks you attack may be illegal where you live. Use caution, and don't break the law, k? I'm not responsible for your actions. Now that that's out of the way, let's get to cracking.

First thing you need to do, is get your hands on a Linux OS. Why Linux? Because there are many great tools available, that are more capable than their Windows counterparts. If you don't know where to start, I'd recommend the Backtrack 5 OS Kali Linux, available from www.backtrack-linux.org/downloads/ http://www.kali.org/downloads/ as a burnable .iso file. If you have Windows 7, right-click the .iso file and click "open with Windows Disk Image Burner", to burn to a DVD. If you don't have Win 7, and don't know how to burn a .iso, I might recommend the software CD Burner XP. It's small, free, and will do the job. If you have a USB drive available, there is a Backtrack release for them available as well, and directions can be found on the backtrack-linux http://www.kali.org/downloads/ website.

Boot from the DVD. You may have to select your optical drive from a boot menu at power-on. If prompted for a version of Backtrack to load, just select the default. Once the computer boots to a # prompt, type 'startx' without the quotes to launch the GUI. Welcome to the Backtrack 5 desktop. We're ready to get started. Open a command prompt "konsole" on BT5. The first thing we must do, is enable monitoring mode on our wireless card. Enter "airmon-ng start wlan0" without the quotes. This creates a virtual wireless interface called "mon0". We will use this, instead of "wlan0" (the common name for the primary wireless card on linux systems), in all of our commands. Protip for future use: holding "Ctrl" and pressing "c" stops the application in the current window. This is useful later on.

We'll be using the aircrack-ng suite for most of our cracking. If you aren't running Backtrack, and don't have it installed, you can get it by running "wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz", unpacking with "tar -zxvf aircrack-ng-1.1.tar.gz", and then running "./configure", "make" and "make install" at it. If you've already got a linux installation, this shouldn't be too difficult for you.

CRACKING WEP
"Wired Equivalent Privacy" is the most basic form of security available on most routers. It is still commonly used, which is surprising, as it is the easiest to crack. For testing purposes, I set up a wireless router at my apartment with 64-bit WEP encryption, affectionately named "DongsLOL" for the network name (SSID). To find which networks are near you, we'll use the Airodump-ng command. In my example, I used the command "airodump-ng -w /media/disk/capture mon0" without quotes. This executes the airodump-ng program, writes the output to a file saved in the directory /media/disk/, and used the wireless interface mon0. Keep in mind, that airodump will automatically append "-01.cap" to the end of the file, so in my example, it saved it as "capture-01.cap". If you're running Backtrack, I might recommend you change the directory to "/home/root".

Here's my output for the airodump command:



Here's a run-down of the important things:
BSSID - the device's MAC address.
PWR - signal strength. If you have shit signal, it will take longer to crack, if you can at all.
Beacons - transmitted from the wireless router, they tell whatever devices that can pick them up that they exist. This is how your computer normally detects a wireless access point.
#Data - Received packets
ENC - Type of Encryption
ESSID - Name of the network.
STATION - clients (such as laptops, phones, and other wireless-enabled devices) that are connected to the BSSID listed adjacent to it.

Okay, so now that we have our bearings on what exactly is going on around us, let's select a target. As I stated previously, I want access to dongslol. So, we will use the program aircrack-ng to decrypt the captured packets.

I used the command shown in the image below.



I apologize for the double-image - Backtrack5 default uses transparent windows, and I had airodump running in the background. The extra commands I added, were "-a 1" to force attacking WEP verses WPA, "-n 64" to force 64-bit keys, and "-s" to show the key as it's being cracked. Otherwise, the basic input for this command is "aircrack-ng (filename)"

As you can see, we captured almost 80,000 packets from dongslol. It's labeled as number one in our packet capture, so we select it by entering "1" at this prompt. If all goes well, you should see something similar to this:



In our example, "01:23:45:67:89" was my WEP key. We successfully cracked into a 64-bit WEP network.

If you are unable to get in, after capturing over 75k packets, start adding the "-f" command, starting with "-f 2", then if it continues to fail, progress through "-f 4", "-f 8", and "-f 16". In the program aircrack, this is called the "fudge factor". It expands the program's scope for brute-forcing the encryption key from the packets. A higher fudge factor increases cracking length, but also increases the liklihood of discovering the WEP key.

If we've reached over 100k packets, I might recommend switching to 128 bit cracking. I re-set up my network (renaming it to dongsII) with 128-bit WEP encryption.



I tried cracking the 128-bit key a few times, without success. I had to let it run, and capture additional keys. However, I finally got through, a little bit after the 100k packet mark.



CRACKING WPA / WPA2
"Wi-fi Protected Access" is the most common form of wireless encryption. It's much more robust than WEP, and to my knowledge, it's impossible to crack with the above method. Luckily for us, there is still a way to get in!

In my example, I started with the airodump-ng command, saving the captured data to /home/root/wpa this time. My capture file was named wpa-01.cap.
"airodump-ng -w /home/root/wpa mon0"



This time, my dongsII network (which I forgot to change to dongsIII. Drats.) showed in the airodump window as WPA2. We know there is someone connected, because we are receiving data packets, and we can see a device with MAC address 00:1B:77:BA:02:69" is connected to BSSID 00:18:39:C3:A4:C9, which corresponds with the dongsII network. Running aircrack-ng against the capture file, shows the following:



This time, we notice instead of IVs, it says 0 handshake. This is because instead of capturing every packet, we need to capture a device connecting to the wireless access point. This is known as a 'handshake'. We have two options. We can wait for another device to connect to the network, but that is boring. We know someone is connected, so we'll get a little creative. We're going to perform a deauthentication attack, to trick the client into thinking it was disconnected, and attempt to reconnect. We will use the aireplay-ng software. In another konsole window, we run the following:
"aireplay-ng -0 0 -a 00:18:39:C3:A4:C9 -c 00:1B:77:BA:02:69 mon0" without quotes.
"-0 0" tells aireplay-ng to run a deauthentication attack, continuiously. If we change the second 0 to any other number, it will perform the deauth that many times. "-a" tells it which BSSID to connect to. "-c" tells it which client to deauthenticate.

Here is what the output will resemble:



Let's check back on our capture file in our first window.



As you can see, we've successfully captured the reconnection handshake! The final step in this process, is to go at it with a dictionary attack. I re-ran the aircrack-ng program, with the command:
"aircrack-ng /home/root/wpa-01.cap -w /pentest/passwords/wordlists/*" without quotes. In Backtrack 5, there is a wordlist file at /pentest/passwords/wordlists/, called darkc0de.txt, or something like that. I couldn't remember, so I told it to include all files in that directory by using the wildcard. There are numerous wordlists available online, if you wish to expand the possible combinations. aircrack can only decode WPA networks with a dictionary attack, so if the password isn't in the dictionary file(s), you won't be getting in this way. Here's the output during the attack:



This can take some time, so sit back and think about your life. Where are you going? How will you get there? The trick here is to be patient, or to do something else. Let your computer do its thing. If all goes well...



Congradulations, you've hacked in to a WPA or WPA2 network! In my example, it took a hair over 26 minutes.

WPS HACKING
"Wireless Protected Setup" isn't an encryption, rather, it's a way most new routers allow users to connect. It's also EXTREMELY vulnerable to attack. My favorite thing about this attack, is that it doesn't require a client to be connected to the access point for it to work! We will use a program called Reaver for this attack. It is not included in Backtrack, so you'll have to either install it while you do have internet, or carry the file on a USB drive. You can get the software from http://reaver-wps.googlecode.com/fil...ver-1.4.tar.gz

If you wish to download a fresh copy on Backtrack 5, run the following commands in a konsole window, one line at a time:
wget http://reaver-wps.googlecode.com/fil...ver-1.4.tar.gz
tar -zxvf reaver-1.4.tar.gz
cd reaver-1.4/src
./configure
make
make install

On my laptop running Crunchbang linux, I had to run the following before Reaver would install with the previous commands:

apt-get install flex
apt-get install byacc
apt-get install libsqlite3-dev
wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
tar -zxvf libpcap-1.2.1.tar.gz
cd libpcap-1.2.1
./configure
make
make install
cd ..


Now, Reaver is set up, and ready to go! First, let's check for WPS enabled routers near us with a program included with Reaver, called Wash:



I didn't have a wireless router with WPS available for testing, so I decided to do some real-world penetration testing. After gaining permission from the owner of the network "The Teacher's Aide", I began my attack. Since my target was on Channel 2, I turned off mon0 with "airmon-ng stop mon0" without quotes, and restarted it with "airmon-ng start wlan0 2", to restart it only on that channel. Then, I ran Reaver against it:



This will take a while. I let it run overnight. It may show multiple time-out messages, but they can generally be ignored. After returning in the morning, I found the following:



I had made it through! I now have the access PIN to the network, and can connect. For reference, I retyped the command I ultimately used, while tweaking it here and there in an attempt to boost performance. The -vv command told Reaver to show all output and errors. "-d 5" set a delay of 5 seconds to each PIN it tries. To see all the commands Reaver supports (including seeing what the rest of those options do) just type 'reaver' without any options.

That's the end of my tutorial! Post with any feedback, questions, or tips! Have fun!
« Last Edit: July 12, 2014, 01:08:05 am by peskybear »

Offline PurpleCow

  • Adherent
  • *
  • Posts: 96
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #1 on: June 04, 2014, 12:05:18 pm »
I cracked so many wifi networks in my area but the problem that I ran across several times was the internet connection being suspended for non payment. One day I logged to a neighbors wifi that was suspended and I was able to access the internet thru Tor Browser. Any idea why this was so?
Where's Edify?

Offline peskybear

  • Adherent
  • *
  • Posts: 72
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #2 on: June 04, 2014, 05:10:27 pm »
I cracked so many wifi networks in my area but the problem that I ran across several times was the internet connection being suspended for non payment. One day I logged to a neighbors wifi that was suspended and I was able to access the internet thru Tor Browser. Any idea why this was so?
That's a good question, but not one that I can answer...Riv3r might know but I don't see him around here that often

Offline Riv3r

  • Devotee
  • **
  • Posts: 168
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #3 on: July 04, 2014, 11:45:40 pm »
I cracked so many wifi networks in my area but the problem that I ran across several times was the internet connection being suspended for non payment. One day I logged to a neighbors wifi that was suspended and I was able to access the internet thru Tor Browser. Any idea why this was so?

To be honest, I'm not 100% sure on this one.  It could be that you are working around the ISP's DNS servers by using TOR. Instead of seeing you as one of their customers, they see you as an outside IP. I'll ask Ghost next time I talk to him.

Update:
"Either that, or your isp is only blocking ports 80 and 443." - Ghost
« Last Edit: July 05, 2014, 04:40:42 pm by BXKNLM »

Offline peskybear

  • Adherent
  • *
  • Posts: 72
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #4 on: September 18, 2014, 08:44:30 pm »
What's the likelihood of getting detected when one is trying to break in? Do routers log this sort of behavior? I imagine this would be much safer to do on small home networks than a network in an office building or something like that

Offline STD

  • Devotee
  • **
  • Posts: 127
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #5 on: September 27, 2014, 10:15:23 am »
Thanks for this, I remember writing one up just after everyone went to zoklet :)

Offline Hewfil1

  • Devotee
  • **
  • Posts: 117
  • Zoklet Survivor/Thriver
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #6 on: October 02, 2014, 05:12:39 pm »
Appreciate this post, thanks man.
Hewfil1: Are we insane?
Schplew: No son. It is the world around us that is insane.
FatMax: Did I ever tell you about that one time I was in Juvie?

Offline Riv3r

  • Devotee
  • **
  • Posts: 168
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #7 on: October 09, 2014, 06:07:33 pm »
What's the likelihood of getting detected when one is trying to break in? Do routers log this sort of behavior? I imagine this would be much safer to do on small home networks than a network in an office building or something like that

1.) Home network? 99.9% chance you won't be caught. My neighbors have zero clue and same with local coffee shops.
1a.) Corporate network? Depends on your own precautions. Spoofed mac will help prevent people from matching you to the network logs. Also, a VPN or trusted proxy connection to hide your location. IP can reveal a lot of information. A sysadmin will likely look for any mac or computer connected to the network that isn't supposed to be there. A big company will likely have custom NIDS (Network Intrusion Detection System) akin to snort but on a much larger scale. Also, logs will show access attempts coming from a single MAC. Delay will help with an automated system that is set up to timeout the person attempting to crack a login.

2.) Some routers do log the behavior. Secure routers can be purchased from a company like watchdog. We have one of those at my work but the staff doesn't know how they work so they aren't doing a very good job of mitigating DoS and DDoS. The security system is ported through it so you can watch all traffic. Same with the credit system. It's fucking stupid. I log into it all the time with the default credentials.

All in all, it's safer inside of a home network than it is an office building because an office or company is going to have it's own IT or infosec staff and know what tools are going to help secure them.

It also depends on the type of attack you're using. A deauthentication attack is going to raise some concerns when they lose connection to the router several times. Depends on who owns the network.
« Last Edit: October 09, 2014, 06:12:21 pm by Riv3r »

Offline STD

  • Devotee
  • **
  • Posts: 127
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #8 on: November 09, 2014, 09:43:48 am »
1. You probably won't be caught. Maybe their son is a geek playing with wifi and will see you. But they won't go call police on you, probably; jujst spoof your MAC address and computer's shared name.

Offline aldra

  • Arch Disciple
  • ***
  • Posts: 623
  • albrecht drais
    • View Profile
Re: Wireless Hacking Tutorial for WEP, WPA1/2, and WPS Networks
« Reply #9 on: November 09, 2014, 09:49:03 am »
even in a large office/corporate environment, they may have measures to flag your devices to keep you from getting connected, but unless you're actually on their property and you shouldn't be there's little more they can do to figure out exactly who you are.

ie. if you work there and don't do anything to stand out, they're not going to be able to triangulate your device within the building. if you're caught using a personal wireless device in an area where they're prohibited, different story.

if you're outside at the coffee shop across the street, they're not about to march over there and pull angry faces at you.