Showing posts with label wireless hacking tutorials. Show all posts

Friday, September 9, 2016

Things You Should Know : Wireless Hacking Intermediate

In the previous post in the 'things you should know' series I discussed Wireless Hacking basics. It's recommended that you go through it before starting this tutorial.

Pre-requisites

You should know (all this is covered in Wireless Hacking basics)-
  • What are the different flavors of wireless networks you'll encounter and how difficult it is to hack each of them.
  • What are hidden networks, and whether they offer a real challenge to a hacker.
  • Roughly how each of the various 'flavors' of wireless networks is actually hacked.

Post-reading

You will know -
  • Even more about the different flavors of wireless networks.
  • How to go about hacking any given wireless network.
  • Common tools and attacks that are used in wireless hacking.

The last two points will be covered in detail in the coming posts, which will also give you a rough idea of the cryptographic aspects of the attacks, the vulnerabilities and the exploits, and of the security of each 'flavor' of wireless network.

Pirates of the Caribbean

Suppose you were in the ship manufacturing business, in times when pirates were rampaging the seas. You observed how the merchant ships all floated unguarded at sea, and how the pirate industry was booming because of the easy targets. You decided to create fortified ships, which could defend themselves against the pirates. For this, you used an alloy X. Your idea was appreciated by merchants and everyone started using your ships....
The most iconic pirates of modern times


Unfortunately, your happiness was short lived. Soon, the pirates found out flaws in your ships and any pirate who knew what he was doing could easily get past your ship's defense mechanisms. For a while you tried to fix the known weaknesses in the ship, but soon realized that there were too many problems, and that the very design of the ship was flawed.

You knew what flaws the pirates were exploiting, and could build a new and stronger ship. However, the merchants weren't willing to pay for new ships. You then found out that by remodeling some parts of the ship in a very cost efficient way, you could make the ship's security almost impenetrable. In the coming years, some pirates found a few structural weaknesses in alloy X, and some issues with the core design of the ship (remnant weaknesses of the original ship). However, these weaknesses were rare and your customers were overall happy.

After some time you decided to roll out an altogether new model of the ship. This time, you used a stronger alloy, Y. Also, you knew all the flaws in the previous versions of the ship, and didn't make any errors in the design this time. Finally, you had a ship which could withstand constant bombardment for months on end, without collapsing. There was still scope for human error, as the sailors can sometimes be careless, but other than that, it was an invincible ship.

WEP, WPA and WPA-2

WEP is the flawed ship in the above discussion. The aim of Wireless Alliance was to write an algorithm to make wireless network (WLAN) as secure as wired networks (LAN). This is why the protocol was called Wired Equivalent Privacy (privacy equivalent to the one expected in a traditional wired network). Unfortunately, while in theory the idea behind WEP sounded bullet-proof, the actual implementation was very flawed. The main problems were static keys and weak IVs. For a while attempts were made to fix the problems, but nothing worked well enough (WEP2, WEPplus, etc. were made but all failed).

WPA was a new WLAN standard which was compatible with devices using WEP encryption. It fixed pretty much all the flaws in WEP encryption, but the limitation of having to work with old hardware meant that some remnants of WEP's problems would still continue to haunt WPA. Overall, however, WPA was quite secure. In the above story, this is the remodeled ship.

WPA-2 is the latest and most robust security algorithm for wireless networks. It wasn't backwards compatible with many devices, but these days all the new devices support WPA-2. This is the invincible ship, the new model with a stronger alloy.

But wait...

In the last tutorial I assumed WPA and WPA-2 are the same thing. In this one, I'm telling you they are quite different. What's the matter?

Well actually, the two standards are indeed quite different. However, while it's true there are some remnant flaws in WPA that are absent in WPA-2, from a hacker's perspective, the technique to hack the two networks is often the same. Why?
  • Very few tools exist which carry out the attacks against WPA networks properly (the absence of proof-of-concept scripts means that you have to do everything from scratch, which most people can't).
  • All these attacks work only under certain conditions (key renewal period must be large, QoS must be enabled, etc.)
Because of these reasons, despite WPA being a little less secure than WPA-2, most of the time, a hacker has to use brute-force/dictionary attack and other methods that he would use against WPA-2, practically making WPA and WPA-2 the same thing from his perspective.

PS: There's more to the WPA/WPA-2 story than what I've captured here. Actually WPA or WPA-2 are ambiguous descriptions, and the actual intricacy (PSK, CCMP, TKIP, X/EAP, AES w.r.t. cipher used and authentication used) would require further diving into personal and enterprise versions of WPA as well as WPA-2.

How to Hack

Now that you know the basics of all these networks, let's get to how these networks are actually hacked. I will only name the attacks; further details will be provided in coming tutorials-

WEP
The initialization vector passed to the RC4 cipher is the weakness of WEP

Most of the attacks rely on inherent weaknesses in IVs (initialization vectors). Basically, if you collect enough of them, you will get the password.
  1. Passive method
    • If you don't want to leave behind any footprints, then passive method is the way to go. In this, you simply listen to the channel on which the network is on, and capture the data packets (airodump-ng). These packets will give you IVs, and with enough of these, you can crack the network (aircrack-ng). I already have a tutorial on this method, which you can read here - Hack WEP using aircrack-ng suite.
  2. Active methods
    • ARP request replay - The above method can be incredibly slow, since you need a lot of packets (there's no way to say how many; it can literally be anything due to the nature of the attack, but usually the number of packets required ends up in 5 digits). Getting this many packets can be time consuming. However, there are many ways to speed up the process. The basic idea is to initiate some sort of conversation in the network, and then capture the packets that arise as a result of the conversation. The problem is, not all packets have IVs. So, without having the password to the AP, you have to make it generate packets with IVs. One of the best ways to do this is by requesting ARP packets (which have IVs and can be generated easily once you have captured at least one ARP packet). This attack is called the ARP replay attack. We have a tutorial for this attack as well, ARP request replay attack.
    • Chopchop attack
    • Fragmentation attack
    • Caffe Latte attack
I'll cover all these attacks in detail separately (I really can't summarize the bottom three). Let's move to WPA-

WPA-2 (and WPA)

There are no vulnerabilities here that you can easily exploit. The only two options we have are to guess the password or to fool a user into giving us the password.

  1. Guess the password - For guessing something, you need two things : guesses (duh) and validation. Basically, you need to be able to make a lot of guesses, and also be able to verify if they are correct or not. The naive way would be to enter the guesses into the password field that your OS provides when connecting to the wifi. That would be slow, since you'd have to do it manually. Even if you write a script for that, it would take time since you have to communicate with the AP for every guess (and multiple times per guess at that). Basically, validation by asking the AP every time is slow. So, is there a way to check the correctness of our password without asking the AP? Yes, but only if you have a 4-way handshake. Basically, you need to capture the series of packets transmitted when a valid client connects to the AP. If you have these packets (the 4-way handshake), then you can validate your password against them. More details on this later, but I hope the abstract idea is clear. There are a few different ways of guessing the password :-
    • Bruteforce - Tries all possible passwords. It is guaranteed that this will work, given sufficient time. However, even for alphanumeric passwords of length 8, bruteforce takes incredibly long. This method might be useful if the password is short and you know that it's composed only of numbers.
    • Wordlist/Dictionary - In this attack, there's a list of words which are possible candidates to be the password. These wordlist files contain English words, combinations of words, misspellings of words, and so on. There are some huge wordlists which are many GBs in size, and many networks can be cracked using them. However, there's no guarantee that the network you are trying to crack has its password in the list. These attacks get completed within a reasonable timeframe.
    • Rainbow table - The validation process against the 4-way handshake that I mentioned earlier involves hashing the plaintext password, which is then compared with the hash in the handshake. However, hashing (WPA uses PBKDF2) is a CPU intensive task and is the limiting factor in the speed at which you can test keys (this is the reason why there are so many tools which use the GPU instead of the CPU to speed up cracking). Now, a possible solution to this is that the person who created the wordlist/dictionary that we are using can also convert the plaintext passwords into hashes so that they can be checked directly. Unfortunately, WPA-2 uses a salt while hashing, which means that two networks with the same password can have different hashes if they use different salts. How does WPA-2 choose the salt? It uses the network's name (SSID) as the salt. So two networks with the same SSID and the same password would have the same salt. So, now the guy who made the wordlist has to create separate hashes for all possible SSIDs. Practically, what happens is that hashes are generated for the most common SSIDs (the default one when a router is purchased, like linksys, netgear, belkin, etc.). If the target network has one of those SSIDs then the cracking time is reduced significantly by using the precomputed hashes. This precomputed table of hashes is called a rainbow table. Note that these tables are significantly larger than the wordlists. So, while we saved ourselves some time while cracking the password, we had to use a much larger file (some are 100s of GBs) instead of a smaller one. This is referred to as the time-memory tradeoff. This page has rainbow tables for the 1000 most common SSIDs.
  2. Fool a user into giving you the password - Basically this is just a combination of man in the middle attacks and social engineering attacks. More specifically, it is a combination of evil twin and phishing. In this attack, you first force a client to disconnect from the original WPA-2 network, then force him to connect to a fake open network that you create, and then send him a login page in his browser where you ask him to enter the password of the network. You might be wondering why we need to keep the network open and then ask for the password in the browser (can't we just create a WPA-2 network and let the user give us the password directly?). The answer lies in the fact that WPA-2 performs mutual authentication during the 4-way handshake. Basically, the client verifies that the AP is legit and knows the password, and the AP verifies that the client is legit and knows the password (throughout the process, the password is never sent in plaintext). We just don't have the information necessary to complete the 4-way handshake.
  3. Bonus : WPS vulnerability and reaver [I have covered it in detail separately so not explaining it again (I'm only human, and a very lazy one too)]
The WPA-2 4-way handshake procedure. Both the AP and the client authenticate each other

Tools (Kali)

In this section I'll name some common tools in the wireless hacking category which come preinstalled in Kali, along with the purpose they are used for.
  1. Capture packets
    • airodump-ng 
    • wireshark (really versatile tool, there are books just covering this tool for packet analysis)
  2. Crack handshakes
  3. WPS
    • reaver
    • pixiewps (performs the "pixie dust attack")
  4. Cool tools
  5. Automation
    • wifite
    • fluxion (actually it isn't a common script at all, but since I wrote a tutorial on it, I'm linking it)
You can find more details about all the tools installed on Kali Tools page.

Okay guys, this is all that I had planned for this tutorial. I hope you learnt a lot of stuff. Will delve into further depths in coming tutorials.

Wednesday, January 27, 2016

Hack Any Android Phone : msfvenom - Metasploit payload generator

msfvenom is a Kali Linux hacking tool for Android. It is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance known as msfvenom.

Hacking with Metasploit in Kali Linux is an old approach. Metasploit is enhanced by msfvenom in Kali Linux; on its own, Metasploit is now an outdated tool.


So, let's get started!!

Monday, July 14, 2014

Evil Twin Tutorial

Prerequisites

  1. Kali Linux
  2. Prior experience with wireless hacking
You will also need to install a tool (bridge utils) which doesn't come pre-installed in Kali. No big deal-
apt-get install bridge-utils

Friday, June 13, 2014

Hack WPA/WPA2 PSK Capturing the Handshake

WPA password hacking


Okay, so hacking WPA-2 PSK involves 2 main steps-
  1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
  2. Cracking the hash.

Friday, April 18, 2014

Wifite : Hacking Wifi The Easy Way : Kali Linux

Wifite

While the aircrack-ng suite is a well known name in wireless hacking, the same can't be said about Wifite. Living in the shadow of the established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed: it made wifi hacking everyone's piece of cake. While not all its features are independent (e.g. it hacks WPS using reaver), it does what it promises, and puts hacking on autopilot. I'm listing some features before I tell you how to use Wifite (which I don't think is necessary at all, as anyone who can understand the simple English instructions given by Wifite can use it on their own).

Features Of Wifite

  • Sorts targets by signal strength (in dB); cracks closest access points first
  • Automatically de-authenticates clients of hidden networks to reveal SSIDs
  • Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • Customizable settings (timeouts, packets/sec, etc)
  • "Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
  • All captured WPA handshakes are backed up to wifite.py's current directory
  • Smart WPA de-authentication; cycles between all clients and broadcast deauths
  • Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
  • Displays session summary at exit; shows any cracked keys
  • All passwords saved to cracked.txt
  • Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here that not only does it hack wifi the easy way, it also hacks in the best possible way. For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and the ARP replay method to speed up the collection of data packets (I wrote a full length post about something which it does automatically!).

Hacking WEP network

If you've followed my previous posts on Hacking Wifi (WEP), you know there's a lot of homework you have to do before you even start hacking. But not here. With Wifite, it's as easy and simple as a single command.
wifite -wep
You might even have used the command
wifite
If you see any error at this stage move to the bottom of the page for troubleshooting tips. If your issue is not listed please comment. We reply within a day.
The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing ctrl+c. It'll then ask you which wifi to hack. In my case, I didn't specify -wep so it shows all the wifis in range.
You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might have hacked all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can expect it to hack the wifi in approx. 10 mins. Notice how it automatically did the fake auth and ARP replay.
Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you. You can stick with the simple wifite. Also, specifying the channel is optional so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag) -

Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait.
Note, the fact that many readers of my blog are beginners forbids me from introducing too many attacks. I made a tutorial about the ARP replay attack, and that too was detailed as hell. However, Wifite makes it possible for you to use any method that you want, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following-
wifite -help
This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks-
    WEP
-wep         only target WEP networks [off]
-pps <num>   set the number of packets per second to inject [600]
-wept <sec> sec to wait for each attack, 0 implies endless [600]
-chopchop   use chopchop attack      [on]
-arpreplay   use arpreplay attack     [on]
-fragment   use fragmentation attack [on]
-caffelatte use caffe-latte attack   [on]
-p0841       use -p0841 attack        [on]
-hirte       use hirte (cfrag) attack [on]
-nofakeauth stop attack if fake authentication fails    [off]
-wepca <n>   start cracking when number of ivs surpass n [10000]
-wepsave     save a copy of .cap files to this directory [off]
As you can see, it's the same thing as there is on the help screenshot. Play around with the attacks and see what you can do. Hacking WPA without WPS wouldn't be that easy, and while I don't usually do this, I'm providing a link to an external website for the tutorial. This is the best WPA cracking tutorial I've seen, and I can't write a better one. It's highly detailed, and I'm just hoping I don't lose my audience to that website. Here is the tutorial - Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux

Troubleshooting

Wifite quits unexpectedly, stating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."
You are most probably using Kali inside a virtual machine. A virtual machine cannot use the internal wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows. Anything other than a virtual machine, in general.

Another attack automating script : Fluxion

Wifite is cool and all, but doesn't do much against the invincible WPA-2 networks. Using a combination of evil-twin and man in the middle sort of attacks, fluxion tries to fool a client into giving you the key to the WPA-2 protected access point. Sounds interesting? Take a look.

    Monday, April 7, 2014

    Hack WPA/WPA2 WPS - Reaver - Kali Linux

    WPA/WPA-2


    When it was known that a WEP network could be hacked by any kid with a laptop and a network connection (using easy peasy tutorials like those on our blog), the security guys did succeed in making a much more robust security measure WPA/WPA2.
    Now hacking WPA/WPA2 is a very tedious job in most cases. A dictionary attack may take days, and still might not succeed. Also, good dictionaries are huge. An exhaustive bruteforce including all letters (uppercase and lowercase) and numbers may take years, depending on password length. Rainbow tables are known to speed things up, by completing a part of the guessing job beforehand, but the output rainbow table that needs to be downloaded from the net is disastrously large (can be 100s of GBs sometimes). And finally the security folks were at peace. But it was not over yet, as the new WPA technology was not at all easy for the users to configure. With this in mind, a new security measure was introduced to complement WPA: Wifi Protected Setup (WPS). Now basically it was meant to make WPA even tougher to crack, and much easier to configure (push a button on the router and the device connects). However, it had a hole, which is now well known, and tools like reaver can exploit it in a single line statement. It still might take hours, but it is much better than the previous scenario in which months of brute-forcing would yield no result.



    Here's what wikipedia says about WPS-
    Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models.

    Working Of WPS

    Now while most of the things are the same as in WPA, there is a new concept of using pins for authentication. So basically, the client sends an 8 digit pin to the access point, which verifies it and then allows the client to connect. Now a pin has 8 digits, and only contains numbers, so it's a possible target for bruteforce. Under normal bruteforcing of WPA passwords, you have to consider the fact that there may be numbers, letters, and sometimes symbols (and more than 8 characters). This makes the task a billion billion times tougher. However, we can try thousands of keys per second, which makes it a tad bit easier. Now in WPS, there is a delay because we have to wait for the AP's response, and we may only try a few keys per second (practically the best I've seen on my PC is 1 key per 2 sec). Basically, 8 digits and 10 possibilities per digit (0-9) make it 10^8 (interpret ^ as raised to the power of) seconds if we assume one key per second. Now that'll be years. So, where is this taking us? The answer is, there are flaws in this technology that can be used against it.
    • The 8th digit is a checksum of the first 7 digits. 10^7 possibilities, i.e. one-tenth the time. Two months, still a way to go.
    • The pin number for verification goes in two halves, so we can independently verify the first four and the last four digits. And believe me, it's easier to guess 4 digits correctly twice than to guess 8 correct digits at once. Basically, the first half would take 10^4 guesses and the second would take 10^3.
    Now the guesses would be 10^4 + 10^3 (not 10^4 * 10^3). Now we need 11,000 guesses.
    So that'll take 3 hours approximately. And that's all the combinations, and most probably the correct pin will not be the last combination, so you can expect to reach the result earlier. However, the assumption is that bruteforcing will take place at a key per second. My personal best is a key every 2 seconds, and yours might drop to as low as a key every 10 seconds.


    How to carry out the attack

    Now it might have been tough to carry out this attack at some point in history, but now, it's a breeze. If you have all the prerequisites, then hacking the network would be as easy as
    reaver -i <interface-name> -b <BSSID of target>
    And if you are already familiar with hacking WEP, then just go to your Kali Linux terminal and type the above command (replacing what needs to be replaced). Leave your machine as is, come back 10 mins later, check the progress (must be 1% or something), and go take a nap. However, if you're a newbie, then tag along.

    Kali Linux

    First off, you need to have Kali Linux (or BackTrack) up and running on your machine. Any other Linux distro might work, but you'll need to install Reaver on your own. Now if you don't have Kali Linux installed, you might want to go to this page, which will get you started on hacking with Kali Linux. (Reaver has a known issue : Sometimes it doesn't work with virtual machines, and you might have to do a live boot using a live CD or live USB of Kali Linux. See the last section of this post on troubleshooting by scrolling down a bit)

    Information Gathering

    Now you need to find out the following about your target network-
    • Does it have WPS enabled. If not, then the attack will not work.
    • The BSSID of the network.
    Now to check whether the network has WPS enabled or not, you can either use wash or just use the good old airodump-ng. Wash is specifically meant to check whether a network has WPS enabled or not, and thereby is much easier to use. Here are the steps-

    • Set your wireless interface in monitor mode- 
    airmon-ng start wlan0

    • Use wash (easy but sometimes unable to detect networks even when they have WPS enabled). If any network shows up there, it has WPS enabled.
    wash -i mon0

    This will show all the networks with WPS enabled

    This is an error which I haven't figured out yet. If you see it, then you'll have to do some homework, or move on to the airodump method. Update : wash -i mon0 --ignore-fcs might solve the issue.


    • Use airodump-ng. It will show all networks around you. It tells which of them use WPA. You'll have to assume they have WPS, and then move to next steps.
    airodump-ng mon0
    None of them has WPS enabled, just saying.

    BSSID of the network - Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. That's all the information you need.

    So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you'll need it.

    Reaver

    Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes hacking very easy, and all you need to do is enter-
    reaver -i mon0 -b XX:XX:XX:XX:XX:XX 
    Explanation: -i is the interface used. Remember creating a monitor interface mon0 using airmon-ng start wlan0. This is what we are using. -b specifies the BSSID of the network that we found out earlier.
    This is all the information that Reaver needs to get started. However, Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything that's going on to the terminal. This helps you see what's happening, track the progress, and if needed, do some troubleshooting. So the final command should be-
    reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
    After some hours, you will see something like this. The pin in this case was intentionally 12345670, so it was  hacked in 3 seconds.



    WPA PSK : X
    X is the password of the wireless network.

    Here is an extra section, which might prove useful.

    Known problems that are faced - Troubleshooting

    1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6". (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever.
    2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
    3. Sometimes it never associates with the target AP.
    4. Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.
    In most cases, such errors suggest-
    1. Something wrong with wireless card.
    2. AP is very choosy, won't let you associate.
    3. The AP does not use WPS.
    4. You are very far from the AP.
    5. Rate limiting implemented in the router (most new routers have this)
    Possible workarounds-
    1. Sometimes, killing naughty processes helps. (see pictures below)
    2. Move closer to target AP
    3. Do a fakeauth using aireplay-ng (Check speeding up WEP hacking) and tell Reaver not to bother as we are already associated using -A (just add -A at the end of your normal reaver code)
    4. If you are using Kali Linux in Vmware, try booting into Kali using USB. I don't know why, but sometimes internal adapters work wonders, and can't be used from inside of a VM. In my case, booting up from USB and using the internal adapter increased the signal strength and sped up the bruteforce process. Update : It has nothing to do with the internal adapter. I have verified this with many others, and it is now a known problem with Reaver. It does not work well inside virtual machines. It is recommended that you do a live boot.
    5. As far as rate limiting is concerned, there are a few workarounds available in forums across the web, but nothing seems to work with 100% certainty. Here is a relevant discussion on gitlab, here is a solution on the Hak5 forums which has a script and uses the mdk5 tool (it doesn't work for me; it's supposed to DOS the router and reset the ban temporarily), and here is a thread on the Kali Forums on the same issue, which has various possible solutions listed (including a method which changes your MAC address regularly [sorry if the download link on the thread there doesn't work] and hence allows reaver to work against routers which lock the particular MAC address which is attacking them and don't lock down completely).
    6. Update: For some people the reason Reaver is not working is because the version of Libpcap you are using is not compatible with the version of Kali you are using.
    processes causing problems

    Kill 'em all


    A lot of people have shared their experiences in the comments section. Help out if you can, seek help if you need any. I can't always respond, but someone usually does.

    Can't get it to work

    Even after all your attempts, if you can't get it to work, then the AP just isn't vulnerable. You have the following alternatives-
    1. If you were following the tutorials one by one in the order shown in the top navigation bar (Hack With Kali -> Wireless Hacking), then you have learnt all you needed in this tutorial (even if you failed to get WPA-PSK), and can move to the next ones.
    2. If you just want to see if you can hack a WPA network, then there are three posts below which will help you with that without relying on WPS vulnerability.

    Full blown cracking

    You need to follow both of these guides, as they are step 1 and step 2 in the procedure of hacking WPA2 wifi networks.


    Shortcut method, attack the human, not the network

    Fool a client who knows the password into connecting to a fake wifi network and giving you the password of the genuine one.

    Sunday, March 16, 2014

    Speeding Up WEP Hacking : ARP request replay attack

    Now if you have followed the basic WEP hacking tutorial, and optionally have also read the basic troubleshooting guide, then you are ready to proceed to the stage where you follow an intermediate level hacking tutorial. In this tutorial, we will look at the intricate details of what is happening and approach the complicated methods and concepts.




    To start with, I'll address a common question which was asked on my previous posts.

    i couldn't find any wlan when i write ifconfig in terminal








      1. Are you using Kali Linux on a virtual machine? Please note that a wireless adapter can be used by only one machine at a time. Your host machine has access to the wireless adapter, not the virtual machine. This question has been discussed at length on the superuser forums. The conclusion is that you can't directly connect an internal wifi card using any virtual machine software-
        "Unfortunately no virtualization software allows for direct access to hardware devices like that.

        Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those programs behave the same way. The only devices that can be directly accessed are USB devices. Everything else is abstracted through the virtualization engine. (Though you could argue that the VM has lower level access to CD-ROMs and storage devices).

        I wish I could give you a better answer, than simply to buy a USB wireless card."
        Basically you have to buy an external wireless card. They aren't very expensive. I personally use two of them myself. If you want to see what I use, take a look here, http://kalitutorials.net/2014/02/creating-dummy-wifi-for-hacking.html
    So basically you have 2 choices. First, you can buy a new external wireless adapter (no referral links here). Secondly, you can install Kali alongside Windows or run it from a USB. A virtual machine can only use computer hardware if it is externally connected via USB. Now there is another catch here. Almost all internal adapters don't support injection. This is extremely important for speeding up wireless hacking. So if you really want to go in depth into wireless hacking, then it's time to buy an external adapter or two (the more the better). If that's not a possibility, you might want to spend hours trying to get a driver which might make your internal adapter support injection (I don't know anyone who succeeded in this, but it might be possible).

    Kali Linux

    I don't know why it needs mention here, but still, if you don't have Kali Linux (or Backtrack) installed yet, you will have to install it before you can start this tutorial. Here is the tutorial on Kali Linux hacking.

    Check Injection Support


    Aircrack-ng has a comprehensive article on checking injection support. You might check their website out for it. I am just providing the commands which will be enough to find out whether injection is working or not.
    airmon-ng start wlan0  [or wlan1]
    (Puts your wireless adapter in monitor mode. From now on we'll refer to wlan0/wlan1 as mon0.)
    airserv-ng -d mon0

    aireplay-ng -9 127.0.0.1:666
    The first command sets up a temporary server that waits for you to test your injection capabilities. The second command actually tries to inject through that server, and succeeds. 127.0.0.1 is the IP reserved for loopback; it is always used when you are running a command against your own machine. 666 is the port we are using. Most of the time, what follows an IP and a colon is the port; the general form is IP:port. So finally you have checked your injection capabilities, and the last line - "Injection is working!" - should bring a smile to your face. If not, you'll have to buy a card which supports injection, or see some forum posts which will help you figure something out.

    Check Signal Strength

    While the basic hacking methods from the previous post don't have any real strength restriction, you need to be physically close to the access point in order to inject packets. There is information regarding the same in the same aircrack-ng tutorial. Again, I'm gonna summarize what you have to do here.
    First, we will use airodump-ng mon0 to see the list of networks in range. See the one you want to hack.
    Airodump-ng lists the networks in range.
    Now we will hack the digisol network. Make a note of the BSSID of the network you want to hack. A good practice is to store all the information gathered in a text editor. We should, at this stage, take a note of the following:

    • ESSID - DIGISOL
    • BSSID - 00:17:7C:22:CB:80
    • CH (channel) - 2
    • MAC address of genuine users connected to the network:
    • Interface : wlan1 - referred to as mon0
    You should gather the equivalent information for the network you will be working on. Then just change the values whenever I use them in any of the commands.
    Note : We need at least one user (wired or wireless) connected to the network and using it actively. The reason is that this tutorial depends on receiving at least one ARP request packet, and if there are no active clients then there will never be any ARP request packets.

    Now, to check whether the signal strength will be sufficient, we will simply execute the following code-
    airodump-ng [interface] -c [channel]
    airodump-ng mon0 -c 2
    This will make the wireless card only read packets in the channel no. 2, on which our target network is.

    Now to test the network, type the following code-
    aireplay-ng --test -e DIGISOL -a 00:17:7C:22:CB:80 mon0 
    The last time we checked whether the wireless card had the capability to inject packets, we tested it on our own computer. This time, we actually injected packets towards the target access point. If this worked, then it's pretty good news, and it means that you are most probably going to be able to hack this network. The last line, 30/30 : 100%, indicates how good the signal strength is. A very high percentage is a good sign, and 100 is ideal.

    Capture Packets

    Now we have already run airodump-ng a couple of times. However, this time we will pass the -w option, which will instruct airodump-ng to save the output to a file.
    airodump-ng -c [channel] --bssid [bssid] -w [file_name] [interface]
    airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0
    Now the output will be saved in a file dump-01.cap
    Now we can keep this terminal running and it will keep saving the packets. [In the previous tutorial we did only 2 things: capture the packets, i.e. this step, and crack them, i.e. the step we are going to do last. While it makes our work easier to just follow two steps, it also makes the process much more time consuming, since we are simply a passive packet listener who is not doing anything.]

    Speeding Things Up

    Fake Authentication

    Now to speed things up, we will inject packets into the network. We will thus obtain ARP packets. These packets will fill up the data column of our airodump-ng capture, and data is what will help us obtain the password. As soon as we have 10000 data packets, we can start attempting to get the password using aircrack-ng.
    Now to make the AP pay attention to your injected packets, you either have to be a connected client, or have to pretend to be one. You can either spoof your MAC address to that of one of the already connected clients, or use the fake authentication feature. We will do the latter. (If you see an error like "the AP is on channel x and mon0 is on channel y", then go to the bottom of the post for troubleshooting.)
    aireplay-ng -1 0 -e DIGISOL -a 00:17:7C:22:CB:80 mon0
    Authenticated and capturing packets

     ARP request replay mode

    ARP packets are your best bet at getting a lot of IVs or data. Without IVs you can't hack a network. Enter the following code to make aireplay-ng listen to the AP for ARP packets and re-inject them as soon as it finds one. This will create a lot of data very fast. This is the real speeding step.
    aireplay-ng -3 -b [BSSID] mon0
    This is what the final code will look like-
    aireplay-ng -3 -b 00:17:7C:22:CB:80 mon0

    This is what it'll look like in the beginning.
    Now you'll have to wait for some time till it gets an ARP request. As soon as it gets one, the terminal will sort of explode, and the data packets will start filling in with Godspeed. This is the part where an active user on the network is absolutely necessary.
    [Screenshots: slow start; everything fine after some time; after some time I had enough packets to crack almost any network; the data filled in VERY fast]

    The video shows how fast the IVs flowed in after ARP injection started.

    Cracking the network

    Cracking the network is as easy as typing the following into the console
    aircrack-ng name_of_file-01.cap
    In our case, the command will be
    aircrack-ng dump-01.cap
     After pressing enter, you will have a list of networks and you'll be prompted to select which one of them to hack. In my case there was just one network, so I couldn't get that screen, or a screenshot. The password was cracked in less than a second.
    I have blurred out the password and some random stuff.
    So finally you have obtained the password of the network you were trying to hack.
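    Seen from the defender's side, the replay step above leaves a very distinctive footprint on the air: one station resending a single small data frame thousands of times per second, right after an authentication it never followed with real traffic. The following is an added example written for this page (not the post's code and not part of aircrack-ng) showing the kind of heuristic a wireless IDS uses to flag it; the Frame records, MAC addresses, lengths and rates are all constructed.

```python
import random
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds
    src: str       # transmitter MAC
    length: int    # 802.11 frame length in bytes
    subtype: str   # "data", "auth", "beacon", ...

def find_replay_bursts(frames, window=1.0, threshold=200):
    """Flag any transmitter that sends more than `threshold` data frames of one
    identical length inside any `window`-second interval. A replay loop resends
    the same captured frame verbatim thousands of times per second; a real client
    mixes frame sizes and never comes close. Returns {(src, length): peak_count}."""
    recent = defaultdict(deque)    # (src, length) -> timestamps still in window
    peaks = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "data":
            continue
        key = (f.src, f.length)
        q = recent[key]
        q.append(f.ts)
        while f.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def constructed_capture(seed=1):
    """Constructed frame log (not a real capture): 30 s of an ordinary client,
    then a station that fake-authenticates and replays one small fixed-size data
    frame (the way an encrypted ARP request looks on the air) at 500/s for 10 s."""
    rng = random.Random(seed)
    frames = [Frame(i * 0.05, "aa:bb:cc:00:00:01",
                    rng.choice([68, 98, 140, 560, 1500]), "data")
              for i in range(600)]
    frames.append(Frame(10.0, "de:ad:be:ef:00:02", 30, "auth"))
    frames += [Frame(10.5 + i * 0.002, "de:ad:be:ef:00:02", 68, "data")
               for i in range(5000)]
    return frames

if __name__ == "__main__":
    for (src, length), peak in find_replay_bursts(constructed_capture()).items():
        print(f"replay suspected: {src} sent {peak} identical {length}-byte frames in 1 s")
```

    The same counter, keyed on the data column airodump-ng shows, is why the "terminal exploding" moment is also the moment a monitoring AP or WIDS raises an alert.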

    Troubleshooting

    A person commented on another wireless hacking post. This is the problem he faced.
    whenever I try to use aireplay-ng, with the options, it always fails saying that mon0 is in channel -1 and the target is in another channel. How can I fix this? I looked a lot for a real answer but nobody knows what this is.
    This is a possible solution
    Okay, try the following-
    1) When you start the monitor mode, specify the channel -
    usage: airmon-ng start <interface> [channel or frequency]
    Your code : airmon-ng start wlan0 6
    Substitute 6 with the required channel.
    2) While starting airodump, specify the channel
    airodump-ng mon0 -c 6

    I was facing this problem when my mon0 kept hopping from one channel to the other, and the second step alone solved my problem. If your airmon-ng assigns itself a fixed channel on its own will, without you even specifying it, then the problem might be more complicated. If the above steps don't solve the problem, take a look here - http://ubuntuforums.org/showthread.php?t=1598930

    Tuesday, February 4, 2014

    Creating A dummy wifi for hacking

    What you'll need

    At least 2 wireless adapters. I've got three. The first one is the internal adapter which came with my laptop. The other 2 are D-Link adapters.
    This is what it looks like.
    My D-Link adapter
    This is what it looks like on my Windows machine (I blurred the names a bit. It's a sort of convention, I guess)


    What now

    Now since we have multiple adapters, we can use one of them to create a wireless network on Windows and then practice hacking it on a virtual Kali Linux machine. Now here's a detailed guide on how to create a wireless ad-hoc network. I'll just post a screenshot of me doing it right now.


    This is our newly created network. Now we can turn on our Kali machine and see if it is discovered there.
    So it showed up pretty fine. We can use netsh to modify the security parameters as necessary (WEP, WPA, etc.) and practice our hacking skills on our dummy wifi network.
    Important Update : I couldn't figure out how to create a WEP network using the command line. So if you wanna practice WEP hacking, then this will not help.
    

    Sunday, January 26, 2014

    Create A Wireless Ad-Hoc Network on Windows 8 Using command line

    For the hackers

    This method works with all versions of Windows. This article is relevant and important here since the best way to start with hacking is to practice on yourself. You are going to need two adapters for this task. One on Windows which will create the network, and another on Kali Linux which will hack the network. This article concentrates only on the former part of the exercise, and we'll only create an ad-hoc network here. So non-hackers too can follow from here on.



    For everyone

    1. Get access to an elevated command prompt (with administrator privileges). [On Windows 8 : Press Windows key + X, or hover your mouse to the lowermost corner on the left part of the screen and right click. Then click "Command Prompt (Admin)".]
    2. Now type netsh wlan show drivers

    3. If "Hosted network supported" says Yes, move on to the next step
    4. Now type - netsh wlan set hostednetwork mode=allow ssid=<enter_network_name_here> key=<enter_password_here>
    5. Finally type netsh wlan start hostednetwork. Your ad-hoc network is ready.

    Sunday, December 29, 2013

    The missing ingredient

    It didn't work!

    Followed that tutorial right from the first line to the last one. Did everything it said, but still didn't get what you were looking for? Believe me, it was supposed to be that way. Step by step code execution on the cli is not what it takes to be a hacker. Every wireless adapter, computer system, operating system, and wireless network is different. There is no fixed set of code which is bound to work with all wifi's on all machines. Hacking is like mathematics. Knowing the formula doesn't mean you can solve all the problems, and seeing the solution of one problem will definitely not help you with another one. So, when you are hacking a WEP wifi network, what are you actually doing?





    What were you doing?

    Firstly, you are capturing the packets that the wifi network is... like throwing away in the air. The sole purpose of those packets is to indicate its presence. Airodump just takes all the packets that come its way and collects them. These packets usually contain some useful information. Secondly, you are using a program to extract the password from the captured data packets.

    How were you doing it?

    Now, firstly, we do something not strictly required. We turn on monitor mode. It's just like creating a virtual interface which you'll use solely for monitoring purposes. This task is achieved by using airmon-ng, and the new interface is called mon0.
    Secondly, we use airodump-ng to capture packets from mon0 and store them in a file. Finally, we use aircrack-ng to use the data in the dump file to extract the password.

    What problems are you going to face?

    Most of the time, I have seen that beginners are unable to configure their machines properly to a state where they can execute the commands. For this, look at the other tutorials. I am assuming you have Kali completely set up and running fine and accepting your wireless cards. So the problems-
    1. Not enough data packets.
    2. Not WEP encrypted. (i.e. WPA or WPA-2)
    3. Hidden
    Now the last two problems will be dealt with in the tutorials to come. The first problem is very common and there is no straightforward way to deal with it. You can only try to speed up the data capture rate. There are a lot of ways to do that. A lot depends on how far you are from the network. I am writing a complete tutorial for this. But remember, hacking requires patience. You're gonna need it when you get to higher levels where you will bruteforce networks for the passwords.
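    The reason "not enough data packets" is the recurring problem, and the reason the ARP-replay post above counts IVs rather than just packets, is that WEP seeds RC4 with a 24-bit IV sent in the clear, so after a few thousand frames the same keystream is reused and two ciphertexts reveal the XOR of their plaintexts without any knowledge of the key. The block below is an added example written for this page, not the post's code: the RC4 is the textbook cipher, the frames and key are constructed, and the WEP CRC-32 ICV is left out because it does not change the point.

```python
import math
import random

def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4: key schedule, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the 3-byte IV travels in clear beside the
    ciphertext, so an observer knows exactly which frames share a seed.
    (Simplification: the CRC-32 ICV WEP appends is omitted here.)"""
    keystream = rc4(iv + wep_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday estimate sqrt(pi/2 * 2**iv_bits): about 5133 frames for WEP."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

def first_iv_collision(wep_key: bytes, max_frames: int = 50_000, seed: int = 7):
    """Emit constructed frames with random IVs (as many WEP cards did) and stop
    at the first IV reuse. Returns (frame_number, keystream_reused), where
    keystream_reused checks c1 ^ c2 == p1 ^ p2: the two plaintexts are related
    by a value the observer can compute without ever knowing the key."""
    rng = random.Random(seed)
    seen = {}
    for n in range(1, max_frames + 1):
        iv = rng.getrandbits(24).to_bytes(3, "big")
        plaintext = bytes(rng.getrandbits(8) for _ in range(16))  # constructed payload
        cipher = wep_encrypt(iv, wep_key, plaintext)
        if iv in seen:
            p1, c1 = seen[iv]
            xor_p = bytes(a ^ b for a, b in zip(p1, plaintext))
            xor_c = bytes(a ^ b for a, b in zip(c1, cipher))
            return n, xor_p == xor_c
        seen[iv] = (plaintext, cipher)
    return None

if __name__ == "__main__":
    print("expected frames to first IV repeat:", round(expected_frames_until_iv_repeat()))
    print("first collision (frame, keystream reused):", first_iv_collision(b"\x0b\xad\xc0\xff\xee"))
```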
    For now, here is a great tutorial on getting data packets fast.

    Speeding Up WEP Hacking

    © Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.