CEH 16- WiFi Hacking

By


WiFi Hacking is most important aspect in hacking devices.

If we compromise WiFi, we can do a lot in that network.

We can gain access to devices in that network.

We can also sniff the data, redirect the data of devices in the network.

Before we are going to hack WiFi, first we need to know about, what is WiFi? and how it works?

Disclaimer: The articles provided on HackWithV is purely for informational and educational purpose only, and for those who are willing and curious to know & learn about Ethical Hacking, Security and Penetration Testing. Anytime the word "Hacking" that is used on this site shall be regarded as Ethical Hacking.

What is WiFi?

  • WiFi is a short name for Wireless Fidelity.
  • WiFi is a wireless networking technology that allows devices such as computers (laptops and desktops), mobile devices (smart phones and wearables), and other  equipment (printers and video cameras) to interface with the Internet.
  • It allows these devices exchange information with one another, creating a network.
  • The exchange of information between devices can be done with the help MAC address.

 

How WiFi works?

  • IEEE 802.11 standard defines the protocols that enable communications with current WiFi enabled wireless devices.
  • A device connects to WiFi network with the help Handshake between device and wireless access point.
  • Every networking device has a physical static address known as MAC address. This address is unique and the card manufacturer assigns it.
  • This address is used between devices to identify each other and to transfer packets to the right place. Each packet has a source MAC and a destination MAC.
  • To protect the data exchanged in wireless networks, there are some security algorithms as follows:
    1. WEP
    2. WPA
    3. WPA2
    4. WPA3
    5. WPA3-Personal
    6. WPA3-Enterprise

Finding WiFi Networks:

1. War Walking

Attackers walk around the areas, with WiFi-enabled laptops to detect open wireless networks.  

2. War Chalking

A method used to draw symbols in public places to advertise open WiFi networks. 

3. War Flying: 

In this technique, attackers use drones to detect open wireless networks. 


4. War Driving: 

Attackers drive around the areas, with WiFi-enabled laptops to detect open wireless networks.  

5. Aircrack-ng:

   Aircrack-ng includes a set of tools to perform WiFi network hacking. 


  • Testing: Checking WiFi cards and driver capabilities (capture and injection).
  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools.
  • Attacking: Replay attacks, de-authentication, fake access points and others via packet injection.
  • Cracking: Cracking passwords of WEP and WPA PSK (WPA 1 and 2).

1. Airmon-ng: 

  • This script can be used to enable monitor mode on wireless interfaces. 
  • It may also be used to go back from monitor mode to managed mode. 
  • Entering the airmon-ng command without parameters will show the interfaces status.

2. Airodump-ng:

  • Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vector) for the intent of using them with aircrack-ng. 
  • If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points.
  • Additionally, airodump-ng writes out several files containing the details of all access points and clients seen.

Terminology

  • BSSID = Mac Address of The Access Point 
  • ESSID = Name of The Access Point 
  • CH = Channel Number of Access Point
  • DATA = Data Packets Transferred 
  • BEACONS = Advertisement Packets Sent by Access Point 
  • PWR = Signal Strength of Access Point 
  • AUTH = Encryption Used by The Access Point 
  • CIPHER = Encryption Cipher Used by The Access Point

 

3. Aireplay-ng:

  • Aireplay-ng is used to inject frames. 
  • The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. 
  • There are different attacks which can cause de-authentications to capture WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. 
  • With the packetforge-ng tool, it's possible to create arbitrary frames. 
  • Most drivers need to be patched to be able to inject.

4. Airbase-ng:

  • Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. 
  • Since it is so versatile and flexible, summarizing it is a challenge. 
  • Here are some of the feature highlights: 
  1. Implements the Caffe Latte WEP client attack. 
  2. Implements the Hirte WEP client attack. 
  3. Ability to cause the WPA/WPA2 handshake to be captured. 
  4. Ability to act as an ad-hoc Access Point. 
  5. Ability to serve as a full Access Point. 
  6. Ability to filter by SSID or client MAC addresses. 
  7. Ability to manipulate and resend packets. 
  8. Ability to encrypt sent packets and decrypt received packets

WEP Cracking:

  • It uses a stream cipher algorithm called RC4 where each packet is encrypted at the AP and is then decrypted at the client. 
  • WEP ensures that each packet has a unique keystream by using a random 24-bit Initialization Vector(IV). 
  • This IV is contained in the packets as plain text.
  • In a busy network we can collect more than two packets with the same IV, then we can use the aircrack-ng suite to determine WEP key.

Cracking WPA/WPA2 Encryption:

  • Capturing WPA packets is not useful as they do not contain any info that can be used to crack the key. 
  • The only packet that contains info that helps us crack the password is the handshake packets. 
  • Every time a client connects to that AP a four-way handshake occurs between the client and the AP. 
  • By capturing the handshake, we can use aircrack to launch a word list attack against the handshake to determine the key.
  • To crack a WPA/WPA2 AP with WPS disabled, we need two things: 
  1. Capture the Handshake 
  2. A Wordlist

Cracking the WPA Key using a Wordlist:

  • Create wordlist using crunch tool to crack the WPA key.
  • Use aircrack-ng to crack the key. 
  • It performs the job by combining each password in the wordlist with AP names (ESSID) to compute a PMK (Pairwise Master Key) using the pbkdf2 algorithm. 
  • The PMK is then compared to the handshake file. 

Exploiting WPS Feature:

  • WPS is a feature that allows users to connect to WPS enabled networks easily, using a WPS button or only by clicking on WPS functionality. 
  • Authentication is done using an eight-digit long pin, this means that there is a relatively small number of pin combination and using brute force we can guess the pin in less than 10 hours. 
  • Tools like wifite or reaver can automate this process and recover the WPA key from that pin. 
    • Note: This flaw is in the WPS feature and not in WPA/WPA2. However, it allows us to crack any WPA/WPA2 AP without using a wordlist and without any clients.

      WiFi Password Cracking Summary:

      Mitigations:

      • Do not use WEP encryption, as it is easy to crack. 
      • Use WPA2 with a complex password, make sure the password contains small letters, capital letters, symbols and numbers. 
      • Ensure that the WPS feature is disabled as it can be used to crack your complex WPA2 key by brute-forcing the easy WPS pin. 
      • Enable MAC address filtering on access point or router. 
      • Set default router access password and enable firewall protection.
       
        `

        Be Aware, Be Secure.

        Thank You 🙏

        I'm a Cyber Security professional with expertise in Network, Application, Endpoint, Cloud Security, DevOps, and IT Ops. I have experience in various industries and am well-versed in relevant regulations and standards. My goal is to provide exceptional security solutions that protect organizations from evolving threats, while also streamlining workflows and improving collaboration between development, operations, and security teams through DevOps and IT Ops practices.

        Comments

        Post a Comment

        Popular posts from this blog

        Demo 1- How to Track Location by a Link

        By
        Image
        ↑ GPS: GPS stands for Global Positioning System . The Global Positioning System, originally NAVSTAR GPS, is a satellite-based radionavigation system owned by the United States government and operated by the United States Air Force. It is a global navigation satellite system (GNSS) that provides geolocation and time information to a GPS receiver anywhere on or near the Earth where there is an unobstructed line of sight to four or more GPS satellites. Obstacles such as mountains and buildings block the relatively weak GPS signals. Locator v1.0: Locator is a tool developed by "thelinuxchoice".This tool is implemented in Shell Scripting. This tool is implemented in Shell Scripting. Geolocator, Ip Tracker, Device Info by URL (Serveo and Ngrok). It uses tinyurl to obfuscate the Serveo link. Disclaimer:  Usage of Locator for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable lo
        Read more

        Snyk - Ubuntu 20.04 (Linux)

        By
        Image
        In this article, we are going to learn about Snyk, features, and hands-on demo on how to install, usage and uninstall on Ubuntu 20.04(Linux).   Disclaimer:   The articles provided on HackWithV is purely for informational and educational purpose only, and for those who are willing and curious to know & learn about Cyber Security, Ethical Hacking,  Software Development and  IT Operations. Anytime the word "Hacking" that is used on this site shall be regarded as Ethical Hacking. Table of Content What is Snyk ?   Jump to Features   Jump to Hands-On   Jump to Requirements   Jump to Download   Jump to Install   Jump to Usage   Jump to Uninstall    Jump to Cheat Sheet    Jump to    What is Snyk ?  Snyk is a developer security platform for securing code , dependencies , containers , and infrastructure as code .  Integra
        Read more

        Cracking VNC Password Using Hydra

        By
        Image
        Today we are going learn how to crack the password of VNC service using Hydra Tool.  Disclaimer: The articles provided on HackWithV is purely for informational and educational purpose only, and for those who are willing and curious to know & learn about Ethical Hacking, Security and Penetration Testing. Anytime the word "Hacking" that is used on this site shall be regarded as Ethical Hacking. What is VNC? Virtual Network Computing ( VNC ) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol ( RFB ) to remotely control another computer.  What is Hydra? Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, i
        Read more