Content of the material
- What just happened?
- METHOD 2: HACK Wi-Fi Network using WIFIPHISHER
- How it Works?
- Tools You Will Need
- Sheep Connects to the Network
- WEP Crackin
- Setting up your tools
- Finding the Network
- Capturing IVs
- Using IVs to Decrypt the Key
- Anticipated Problems
- Practical attack
- Prepare adapter
- Find wireless network
- Start capturing
- Fake authenticate
- ARP re-injection
- Fragmentation attack
- Crack key
What just happened?
We set up WEP in our lab and successfully cracked the WEP key. To do this, we first waited for a legitimate client of the network to connect to the access point. We then used the aireplay-ng tool to replay ARP packets into the network. This caused the access point to send ARP reply packets, greatly increasing the number of data packets sent over the air. We then used the aircrack-ng tool to crack the WEP key by analyzing cryptographic weaknesses in these data packets.
Note that we can also fake an authentication to the access point using the Shared Key Authentication bypass technique. This can come in handy if the legitimate client leaves the network. This will ensure that we can spoof an authentication and association and continue to send our replayed packets into the network.
METHOD 2: HACK Wi-Fi Network using WIFIPHISHER
Wifiphisher is a security tool that mounts fast, automated phishing attacks against WPA networks in order to obtain the secret passphrase of a particular Wi-Fi network. Unlike other methods of hacking, Wifiphisher is a social engineering attack and does not involve brute forcing. It is a very easy way to obtain the WPA credentials of the users you wish to hack. Wifiphisher runs on Kali Linux and is licensed under the MIT license.
How it Works?
Wifiphisher is a tool used to hack a Wi-Fi network, and the attack proceeds in three phases:
- Phase 1: the victim is deauthenticated from their access point.
- Wifiphisher continuously jams all of the target access point's Wi-Fi clients within range by sending deauth packets to the clients, spoofed as coming from the access point.
- It discovers all the networks that are available within range.
- The tool forces all devices off their access point by broadcasting the access point's address along with the deauth packets.
- It then starts generating fake access points by copying one of the access points it discovered (the list shown in the original screenshot is not reproduced here).
- Phase 2: the victim joins the rogue access point.
- It asks for password authentication and, in the background, the tool tries to capture the credentials of the available Wi-Fi networks.
- Wifiphisher sniffs the area and copies the target access point's settings.
- It then creates a rogue wireless access point modeled on the target, setting up a NAT/DHCP server and forwarding the right ports.
- Consequently, because of the jamming, clients start connecting to the rogue access point. After this phase, the victim is in a man-in-the-middle (MITM) position.
- Phase 3: the victim is served a realistic router-configuration-looking page. Wifiphisher runs a minimal web server that responds to HTTP and HTTPS requests.
- As soon as the victim requests a page from the Internet, Wifiphisher responds with a realistic fake page that asks for WPA password confirmation, justified as a router firmware upgrade.
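The first phase above is a deauthentication flood, and it is the most visible part of the attack from the defender's side: a wireless IDS sensor in monitor mode sees a burst of deauth/disassoc management frames, usually broadcast-addressed and spoofed from the AP's own address. The following is an added example (not Wifiphisher's code and not from the original page) of that detection logic in Python. It parses the 802.11 MAC header, counts deauth and disassoc frames per BSSID per one-second window, and raises an alert above a threshold; the capture is constructed inline, and the MAC addresses, the threshold of 10 frames per second and the reason codes are assumptions chosen for the example.

```python
"""Deauth/disassoc flood detector over raw 802.11 management frames.

Constructed sample data only; frame layout follows IEEE 802.11 (2-byte frame
control, 2-byte duration, three 6-byte addresses, 2-byte sequence control =
24-byte header). Added example, not Wifiphisher's or the original page's code.
"""
from collections import defaultdict

TYPE_MANAGEMENT = 0
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"
BCAST_RAW = b"\xff" * 6


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 MAC header."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte 802.11 MAC header")
    fc0 = frame[0]  # bits 0-1 version, bits 2-3 type, bits 4-7 subtype
    return ((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF,
            _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22]))


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                     body: bytes = b"") -> bytes:
    """Construct a management frame; used only to build the sample capture below."""
    fc = bytes([(subtype << 4) | (TYPE_MANAGEMENT << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def detect_deauth_flood(frames, threshold=10, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_frame).

    Counts deauthentication and disassociation frames per BSSID per time window
    and returns one alert per (bssid, window) that reaches `threshold`.
    Broadcast-addressed deauths are counted separately: a legitimate AP rarely
    kicks every client at once, so a high broadcast share strengthens the alert.
    """
    counts = defaultdict(int)
    bcast = defaultdict(int)
    for ts, raw in frames:
        try:
            ftype, subtype, dst, _src, bssid = parse_header(raw)
        except ValueError:
            continue  # truncated frame, ignore
        if ftype != TYPE_MANAGEMENT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (bssid, int(ts // window))
        counts[key] += 1
        if dst == BROADCAST:
            bcast[key] += 1
    return [
        {"bssid": bssid, "window_start": idx * window,
         "count": n, "broadcast": bcast[(bssid, idx)]}
        for (bssid, idx), n in sorted(counts.items()) if n >= threshold
    ]


def sample_capture():
    """Constructed capture: beacons, one legitimate deauth, then a 40-frame flood."""
    ap = bytes.fromhex("02000000aa01")      # assumed AP address
    client = bytes.fromhex("020000000b01")  # assumed client address
    frames = []
    for i in range(50):  # beacons every 100 ms for 5 s: normal background
        frames.append((i * 0.1, build_mgmt_frame(SUBTYPE_BEACON, BCAST_RAW, ap, ap)))
    # one unicast deauth to a single client (reason code 3, STA leaving): not a flood
    frames.append((0.5, build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap, b"\x03\x00")))
    # flood: 40 broadcast deauths spoofed from the AP's address within one second
    for i in range(40):
        frames.append((3.0 + i * 0.02,
                       build_mgmt_frame(SUBTYPE_DEAUTH, BCAST_RAW, ap, ap, b"\x07\x00")))
    return frames


def run_demo():
    return detect_deauth_flood(sample_capture())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed capture the single legitimate deauth stays below the threshold while the spoofed burst produces one alert for window 3.0 with all 40 frames broadcast-addressed. In a real sensor the frames would come from a monitor-mode capture (pcap link type 105 or a radiotap-prefixed capture with the radiotap header stripped first), and the threshold should be tuned to the environment, since some enterprise controllers legitimately emit bursts of deauths during channel changes.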
So far you have seen two techniques to hack Wi-Fi WEP and WPA/WPA2 security, using Wifite and Wifiphisher. By using these two attacks, you can easily crack a Wi-Fi network.
Tools You Will Need
If you already have a sample capture (in a Wireshark-readable format), the only things you'll need to install are Wireshark and Aircrack-ng. Again, I'm on macOS and have Homebrew installed, so I installed Wireshark in the terminal using the command
$ brew install wireshark
and for Aircrack-ng I ran the command
$ brew install aircrack-ng
As mentioned above, for this attack you'll need a device running Kali Linux. The steps for putting your wireless card into monitor mode are slightly different between Kali 1 and Kali 2.
Sheep Connects to the Network
Before or while you are monitoring the network, a new node will connect to the network – the third party you're targeting. Suppose it's a hapless sheep streaming Pandora. The sheep joins the WEP network, and packet traffic begins.
A little theory first. WEP is a really crappy and old encryption technique for securing a wireless connection. A 3-byte value, called an Initialization Vector or IV, is prepended to each packet in the clear and is combined with the pre-shared key that all the authenticated clients know (think of it as the network key you need to authenticate) to seed the cipher.
Since an IV is on (almost) every packet generated by the client or AP, if we collect enough of them, say a few hundred thousand, we should be able to dramatically reduce the keyspace to check, and brute force becomes a realistic proposition.
A couple of things will cause us some problems.
- If the key is not static, you'll mix up all your IVs and it'll take forever to crack the key.
- There's no traffic, therefore no packets – we can fix this.
- MAC address filtering – we can fix this too.
Setting up your tools
We're going to need 3 or 4 shells open; we have 5 tools:
- airodump – grabbing IVs
- aircrack – cracking the IVs
- airdecap – decoding captured packets
- aireplay – (my favourite) packet injector to attack APs
- kismet – network sniffer, can grab IVs as well
For a standard WEP hack we'll usually only need airodump, aircrack, and kismet (server and client). If we run into some problems we might have to use aireplay to fiddle about.
I’ll leave you to config all these tools up, for the most part they should just be defaults with the exception of kismet.
Finding the Network
The first step is to find a network to crack. Start up kismet and start sniffing for APs. Leave it on for a bit so that it can discover all the important information about the networks around. What we want from kismet is:
- Encryption type: Is it WEP 64-bit? 128-bit?
- What channel is it on? Can greatly speed up IV collection.
- AP’s IP Address
All this info isn't strictly required, but the more you have, the more options you have later to crack and sniff. We can get a lot of this from airodump as well, but I find the channel is the important one.
Alright, we know what we want to crack, so let's start capturing packets. You can use kismet to capture files, but I prefer airodump because it keeps a running count of all the IVs I've captured, and I can start cracking while it runs: airodump will automatically feed aircrack new IVs as it finds them.
Note: kismet can interfere with airodump, so make sure you close it down before starting airodump.
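The encryption type and channel listed above are both advertised by the AP itself in its beacon frames, which is how kismet and airodump fill in those columns. For a defender doing the same survey in reverse (finding which of your own networks still run WEP so they can be retired), here is an added example in Python, not code from the page or from the aircrack-ng project, that parses beacon frames and classifies each network as WEP, WPA, WPA2/RSN or open. The classification rule is the standard one: an RSN element (tag 48) means WPA2/RSN, a Microsoft vendor element with OUI 00:50:F2 type 1 means WPA, the privacy capability bit without either means WEP. The beacons are constructed inline; the "dlink" BSSID and channel are the values the page lists later, and the other BSSIDs and ESSIDs are assumed.

```python
"""Classify 802.11 beacon frames by advertised security to find networks still on WEP.

Constructed sample beacons only. Layout: 24-byte MAC header, then beacon body =
8-byte timestamp, 2-byte interval, 2-byte capability, then tagged information
elements. Added example, not from the page or the aircrack-ng project.
"""
import struct

SUBTYPE_BEACON = 0x08
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # Microsoft OUI + type 1 = WPA (pre-RSN) element
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010


def parse_ies(data: bytes):
    """Yield (tag, value) pairs; stops at the first truncated element."""
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break
        yield tag, value
        i += 2 + length


def classify_beacon(frame: bytes) -> dict:
    """Return BSSID, ESSID, channel and the security type a beacon advertises."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != SUBTYPE_BEACON:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    body = frame[24:]
    capability = struct.unpack_from("<H", body, 10)[0]
    ies = list(parse_ies(body[12:]))
    essid = next((v.decode("utf-8", "replace") for t, v in ies if t == IE_SSID), "")
    channel = next((v[0] for t, v in ies if t == IE_DS_PARAM and v), None)
    has_rsn = any(t == IE_RSN for t, _ in ies)
    has_wpa = any(t == IE_VENDOR and v.startswith(WPA_OUI_TYPE) for t, v in ies)
    if has_rsn:
        enc = "WPA2/RSN"
    elif has_wpa:
        enc = "WPA"
    elif capability & CAP_PRIVACY:
        enc = "WEP"  # privacy bit set but no RSN/WPA element: legacy WEP
    else:
        enc = "OPEN"
    return {"bssid": bssid, "essid": essid, "channel": channel, "encryption": enc}


def find_wep(frames):
    """The audit result: every network whose beacon advertises WEP."""
    return [info for info in map(classify_beacon, frames) if info["encryption"] == "WEP"]


def build_beacon(bssid: bytes, essid: str, channel: int, capability: int,
                 extra_ies=()) -> bytes:
    """Construct a beacon frame for the sample below."""
    header = (bytes([SUBTYPE_BEACON << 4, 0x00]) + b"\x00\x00"
              + b"\xff" * 6 + bssid + bssid + b"\x00\x00")
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, capability)
    ies = bytes([IE_SSID, len(essid)]) + essid.encode() + bytes([IE_DS_PARAM, 1, channel])
    for tag, value in extra_ies:
        ies += bytes([tag, len(value)]) + value
    return header + fixed + ies


# RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
RSN_PSK_CCMP = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
# WPA element: version 1, group TKIP, pairwise TKIP, AKM PSK
WPA_TKIP = WPA_OUI_TYPE + bytes.fromhex("0100" "0050f202" "0100" "0050f202" "0100" "0050f202")


def sample_beacons():
    """Constructed beacons: one WEP, one WPA2, one WPA, one open network."""
    return [
        build_beacon(bytes.fromhex("002401340e23"), "dlink", 3, CAP_ESS | CAP_PRIVACY),
        build_beacon(bytes.fromhex("02000000bb02"), "office", 6, CAP_ESS | CAP_PRIVACY,
                     [(IE_RSN, RSN_PSK_CCMP)]),
        build_beacon(bytes.fromhex("02000000cc03"), "legacy", 11, CAP_ESS | CAP_PRIVACY,
                     [(IE_VENDOR, WPA_TKIP)]),
        build_beacon(bytes.fromhex("02000000dd04"), "guest", 1, CAP_ESS),
    ]


if __name__ == "__main__":
    for info in map(classify_beacon, sample_beacons()):
        print(info)
```

Run against a real monitor-mode capture, `find_wep` gives the same list that the ENC column of airodump would show as WEP, which is the list of networks that need to be migrated to WPA2 or WPA3; WPA with TKIP only (the "legacy" entry) is also worth flagging in a real audit.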
Airodump is pretty straightforward, with its command line looking something like this:
- interface is the wireless interface to use – required.
- output prefix is just the filename it'll prepend – required.
- channel is the specific channel we’ll scan, leave blank or use 0 to channel hop.
- IVs flag is either 0 or 1, depending on whether you want all packets logged, or just IVs.
My wireless card is ath0, for the output prefix I'll use "lucid", the channel we sniffed from kismet is 6, and the IVs flag is 1 because we just want IVs. So we run:
Airodump will come up with a graph showing us all the APs and their relevant info, as well as client stations connected to any of the APs.
The second line shows some info about the AP, as well as the number of beacons and data packets we've collected from it. The last two lines show two authenticated clients: which AP they are connected to and the packets they are sending. We won't use this client info in a straight theory hack, but in practice we'll need it to actively attack the AP.
This step may take a long time or could be very short. It depends how busy the AP is and how many IVs we are collecting. What we are doing is populating a file "lucid.ivs" with the IV information from all the important packets. Next, we'll feed this to aircrack. To move on to the next step, we'll want at least 100,000 packets (under # Data in airodump), but probably more.
Using IVs to Decrypt the Key
OK, suppose you now have enough IVs to attempt a crack. Go to a new terminal (without stopping airodump – remember it'll auto-update as new IVs are found) and start aircrack. It looks something like this:
There are a lot of options, so you can look them up yourself; I'll be using common ones here that should get you a crack. Our input file is "lucid.ivs", and the options we will use are:
- -a 1 : forces a WEP attack mode (2 forces WPA)
- either -b for the BSSID or -e for the ESSID: whichever is easier to type, but I like using the BSSID because it's unique.
- -n 64 or -n 128 : WEP key length, omit if not known by now.
So our command will look like:
and off it goes, resembling the picture from the top. Keep an eye on the Unique IV count as it should increase if airodump is still running. For all intents and purposes you are done. That’ll pop open most old wireless routers with some traffic on them.
There are lots of problems that can come up that will make the above fail, or work very slowly.
- No traffic
  - No traffic is being passed, therefore you can't capture any IVs.
  - What we need to do is inject some special packets to trick the AP into broadcasting.
  - Covered below in WEP Attacks
- AP is only responding to connected clients, probably because MAC address filtering is on.
  - Using airodump's screen you can find the MAC address of authenticated users, so just change your MAC to theirs and continue on.
  - Using the -m option you can tell aircrack to filter packets by MAC address, e.g. -m 00:12:5B:4C:23:27
- Some of the statistical attacks can create false positives and lead you in the wrong direction.
  - Try using -k N (where N=1..17) or -y to vary your attack method.
  - Increase the fudge factor. By default it is 2; specifying -f N (where N>=2) will increase your chances of a crack, but take much longer. I find that doubling the previous fudge factor is a nice progression if you are having trouble.
- Find the AP by following the signal strength and ask the admin what the WEP key is.
This will show how easy it is to attack a WEP-protected network. The key length does not matter, and it can be done using regular consumer-grade equipment.
The goal for this exercise is to gather initialization vectors (IVs) for cracking the key. A data packet always has a corresponding IV attached to it. By passively listening to a network it's possible to gather the IVs necessary, but it will take a lot of time. Instead, by re-injecting packets the AP is forced to resend selected packets, generating lots of traffic and IVs in a short time. For details see Simple WEP Crack on the aircrack-ng.com website.
I chose to use an Alfa AWUS036H adapter, based on the Realtek RTL8187 chipset. It's USB powered, has a 500 mW amplifier, and an RP-SMA antenna connector. The high power allows for a stronger signal and longer range, but also picks up more noise.
Change the MAC address and put the adapter in monitor mode. The driver has to support transmitting and receiving raw frames (monitor mode).
Find wireless network
Find the network you want to pen-test (use your own network as a test platform) using either Kismet or airodump-ng. I'll use the latter here. airodump-ng will start in interactive mode and begin channel hopping (1-14).
Look for networks using WEP encryption under the ENC moniker. The PWR level should be above 4-5 to get a working connection.
Make a note of the BSSID and Channel (ctrl+c to exit and then mark the text). In Linux use shift+insert to paste the clipboard content. Here I’ll concentrate on the network ESSID dlink, on channel 3, BSSID 00:24:01:34:0E:23.
Quit the process once the details have been noted. To verify the power levels, use the following command to perform a ping test. It should return 30/30 or close to it.
Next, start the capture process to run in the background. It will capture all encrypted traffic going across the specific access point and save it to (filename).cap for later reference. The content will be used to filter out the IVs and crack the key using aircrack-ng (PTW method).
Now, open another new terminal to perform a fake authentication. For injection to work the MAC address of the source has to be associated with the AP, else the packets are discarded by the AP.
This command will associate the MAC address of the adapter with the AP and allow further aireplay-ng attacks. Fake authentication will only work when MAC filtering is not enforced by the AP.
Alternatively, use '-1 0' as the short form of '--fakeauth 0'.
When it’s done, it should report Authentication successful and Association successful.
For this step, open a new terminal window. This is the part where traffic is generated (stimulated) by injecting ARP packets back into the network. Once an ARP packet created on the network is captured by aireplay-ng, it is re-injected into the network. The AP will normally rebroadcast it, each time with a different IV. The rate of injection is in the range of 250-500 packets per second, depending on the signal/distance to the AP.
It can take a little while before an ARP packet is created on the network. Alternatively, try the --interactive mode if there are client(s) connected, and look for any broadcast packets (FF:FF:FF...) or packets originating from one of the clients with the AP as the destination. Try a few packets until the data packet count starts to increase rapidly.
Alternatively, use '-3' as the short form of '--arpreplay'.
When a new ARP request is captured, aireplay will begin re-injecting the frame into the network. The numbers should start to build up rapidly, 500 packets/s max (default). After 20,000-30,000 read ARP packets, it's safe to cancel the replay. Hopefully enough IVs have been captured to begin deciphering the key.
If the ARP re-injection attack didn’t work, try this.
It's interesting how the key is cracked. The frame is first reverse-XORed against its known plaintext to reveal a small part of the RC4 keystream, a table is built of IVs and keystreams, and statistical and algorithmic methods (the PTW method, -z parameter) are used to predict the missing RC4 bytes and recover the key from the public IVs. The PTW method only works on captured ARP request packets; use another aircrack-ng mode for other kinds of traffic.
This process can also run in parallel to the aireplay to crack the key in pseudo real-time. In this instance it was a 40-bit key, relatively little time to crack (near instantly).
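Two properties of WEP make the procedure above work at all: the 3-byte IV described in the theory section is far too small, so IVs repeat after only a few thousand frames, and every ARP frame begins with the same 8-byte LLC/SNAP header, which is the "known plaintext" that the reverse XOR just mentioned uses to peel off keystream bytes. The following added example (Python, written for this page; not aircrack-ng's code and not a key-recovery attack) makes both points concrete with a toy RC4/WEP implementation: it computes the birthday-bound probability of an IV collision, simulates how soon a random-IV sender repeats one, and shows that two frames under the same IV leak the XOR of their plaintexts and that the SNAP header alone yields the first 8 keystream bytes for that IV. The 40-bit key, the IV and the ARP payloads are constructed values.

```python
"""Why WEP's 24-bit IV is too small: collisions and keystream reuse.

Toy RC4/WEP implementation with constructed key, IV and payloads. Added example
for this page; not aircrack-ng's code, and it recovers no key.
"""
import math
import random
import struct
import zlib

IV_SPACE = 2 ** 24                                # 3-byte IV sent in the clear
SNAP_ARP = bytes.fromhex("aaaa030000000806")      # LLC/SNAP header of every ARP frame
KEY = bytes.fromhex("0102030405")                 # constructed 40-bit WEP key
IV = bytes.fromhex("001122")                      # constructed IV
# constructed ARP request and reply payloads (28 bytes each)
ARP_A = bytes.fromhex("0001080006040001" "020000000001" "0a000001" "000000000000" "0a000002")
ARP_B = bytes.fromhex("0001080006040002" "020000000002" "0a000002" "020000000001" "0a000001")


def rc4(seed: bytes, n: int) -> bytes:
    """Return the first n keystream bytes of RC4 keyed with `seed`."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV in the clear, then RC4(IV||key) XOR (payload || CRC-32 ICV)."""
    plain = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + xor(plain, rc4(iv + key, len(plain)))


def collision_probability(n: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of n uniformly random IVs coincide (birthday bound)."""
    log_no_collision = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_collision)


def first_iv_repeat(seed: int = 1) -> int:
    """Simulate random IV selection; return the frame number at which an IV is first reused."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(24)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext (e.g. the SNAP header) XOR ciphertext = keystream prefix for this IV."""
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)


def xor_same_iv(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c_a XOR c_b = p_a XOR p_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames must share an IV")
    return xor(frame_a[3:], frame_b[3:])


def demo() -> dict:
    frame_a = wep_encrypt(KEY, IV, SNAP_ARP + ARP_A)
    frame_b = wep_encrypt(KEY, IV, SNAP_ARP + ARP_B)   # same IV reused
    ks = recover_keystream(frame_a, SNAP_ARP)           # 8 keystream bytes, no key needed
    return {
        "keystream_prefix_ok": ks == rc4(IV + KEY, len(SNAP_ARP)),
        "header_of_b_decrypted": xor(frame_b[3:11], ks) == SNAP_ARP,
        "two_time_pad_ok": xor_same_iv(frame_a, frame_b)[:36]
                           == xor(SNAP_ARP + ARP_A, SNAP_ARP + ARP_B),
        "p_collision_5000": round(collision_probability(5000), 3),
        "first_repeat_frame": first_iv_repeat(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With 2^24 possible IVs the collision probability already passes 50% after about 5,000 frames, and at the injection rates quoted above (hundreds of frames per second) that is seconds, not hours. The keystream prefix per IV is exactly the input the page's "table of IVs and keystreams" is built from; what the PTW statistics do with that table is outside this example. The only fix is a cipher with a proper nonce and key schedule, which is why WPA2 (CCMP) replaced WEP.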
- First run (33 000 packets):
- Second run (27 000 packets):