CEH 16- WiFi Hacking


WiFi hacking is one of the most important aspects of hacking devices.

If we compromise a WiFi network, we can do a lot within that network.

We can gain access to devices on that network.

We can also sniff the data, or redirect the traffic of devices on the network.

Before we hack WiFi, we first need to know what WiFi is and how it works.

Disclaimer: The articles provided on HackWithV are purely for informational and educational purposes only, and for those who are willing and curious to know and learn about Ethical Hacking, Security and Penetration Testing. Any time the word "Hacking" is used on this site, it shall be regarded as Ethical Hacking.

What is WiFi?

  • WiFi is a short name for Wireless Fidelity.
  • WiFi is a wireless networking technology that allows devices such as computers (laptops and desktops), mobile devices (smart phones and wearables), and other equipment (printers and video cameras) to interface with the Internet.
  • It allows these devices to exchange information with one another, creating a network.
  • The exchange of information between devices is done with the help of MAC addresses.

 

How does WiFi work?

  • The IEEE 802.11 standard defines the protocols that enable communication with current WiFi-enabled wireless devices.
  • A device connects to a WiFi network with the help of a handshake between the device and the wireless access point.
  • Every networking device has a physical static address known as a MAC address. This address is unique and is assigned by the card manufacturer.
  • This address is used between devices to identify each other and to transfer packets to the right place. Each packet has a source MAC and a destination MAC.
  • To protect the data exchanged in wireless networks, there are several security algorithms:
    1. WEP
    2. WPA
    3. WPA2
    4. WPA3
    5. WPA3-Personal
    6. WPA3-Enterprise

Finding WiFi Networks:

1. War Walking:

Attackers walk around areas with WiFi-enabled laptops to detect open wireless networks.

2. War Chalking:

A method of drawing symbols in public places to advertise open WiFi networks.

3. War Flying:

In this technique, attackers use drones to detect open wireless networks.

4. War Driving:

Attackers drive around areas with WiFi-enabled laptops to detect open wireless networks.

5. Aircrack-ng:

Aircrack-ng includes a set of tools to perform WiFi network hacking:


  • Testing: Checking WiFi cards and driver capabilities (capture and injection).
  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools.
  • Attacking: Replay attacks, de-authentication, fake access points and others via packet injection.
  • Cracking: Cracking passwords of WEP and WPA PSK (WPA 1 and 2).

1. Airmon-ng: 

  • This script can be used to enable monitor mode on wireless interfaces.
  • It may also be used to switch back from monitor mode to managed mode.
  • Entering the airmon-ng command without parameters shows the status of the interfaces.

2. Airodump-ng:

  • Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for later use with aircrack-ng.
  • If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points.
  • Additionally, airodump-ng writes out several files containing the details of all access points and clients seen.

Terminology

  • BSSID = MAC address of the access point
  • ESSID = Name of the access point
  • CH = Channel number of the access point
  • DATA = Data packets transferred
  • BEACONS = Advertisement packets sent by the access point
  • PWR = Signal strength of the access point
  • AUTH = Encryption used by the access point
  • CIPHER = Encryption cipher used by the access point
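Airodump-ng writes the access points and clients it has seen to a CSV file with the columns named above (BSSID, channel, Privacy, Cipher, Authentication, Power, beacons, ESSID). The following is an added example, not code from the page or from the aircrack-ng project: a small parser for that CSV, feeding a defender's audit that flags networks still running WEP, open networks, or WPA1-only. The column order is assumed to match airodump-ng's `<prefix>-01.csv` layout, and the sample capture is constructed.

```python
import csv
import io

# Constructed sample in the layout airodump-ng uses for <prefix>-01.csv
# (assumption: column order as shown; all values are made up).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, HomeNet, 
66:77:88:99:AA:BB, 2024-01-01 10:00:01, 2024-01-01 10:05:00, 11,  54, WEP, WEP, , -55,   80, 310,   0.  0.  0.  0,   9, OldCamera, 
CC:DD:EE:FF:00:11, 2024-01-01 10:00:02, 2024-01-01 10:05:00,  1,  54, OPN, , , -70,   40,  0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:05, 2024-01-01 10:05:00, -50, 30, 66:77:88:99:AA:BB, OldCamera
"""


def parse_access_points(text):
    """Return the AP section (first block, before the blank line that
    starts the station section) as a list of dicts keyed by column name."""
    ap_section = text.strip().split("\n\n")[0]
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    # Trailing ", " on each row yields an extra field under key None; drop it.
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def audit(aps):
    """Flag access points that violate the mitigations this post recommends.
    Returns (BSSID, ESSID, channel, reason) tuples; WPA2/WPA3 APs pass."""
    findings = []
    for ap in aps:
        privacy = ap["Privacy"]          # e.g. WEP, OPN, WPA, WPA2, WPA2WPA
        if "WEP" in privacy:
            reason = "WEP: key recoverable from collected IVs"
        elif privacy == "OPN":
            reason = "open network: traffic is sent unencrypted"
        elif privacy == "WPA":
            reason = "WPA1 only: upgrade to WPA2/WPA3"
        else:
            continue
        findings.append((ap["BSSID"], ap["ESSID"], ap["channel"], reason))
    return findings
```

Running `audit(parse_access_points(SAMPLE_CSV))` on the constructed capture reports the WEP camera and the open guest network, and passes the WPA2/CCMP one.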

 

3. Aireplay-ng:

  • Aireplay-ng is used to inject frames.
  • Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
  • There are different attacks which can cause de-authentication to capture WPA handshake data, fake authentication, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection.
  • With the packetforge-ng tool, it is possible to create arbitrary frames.
  • Most drivers need to be patched to be able to inject.

4. Airbase-ng:

  • Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.
  • Since it is so versatile and flexible, summarizing it is a challenge.
  • Here are some of the feature highlights:
    1. Implements the Caffe Latte WEP client attack.
    2. Implements the Hirte WEP client attack.
    3. Ability to cause the WPA/WPA2 handshake to be captured.
    4. Ability to act as an ad-hoc Access Point.
    5. Ability to serve as a full Access Point.
    6. Ability to filter by SSID or client MAC addresses.
    7. Ability to manipulate and resend packets.
    8. Ability to encrypt sent packets and decrypt received packets.

WEP Cracking:

  • WEP uses a stream cipher algorithm called RC4, where each packet is encrypted at the AP and then decrypted at the client.
  • WEP ensures that each packet has a unique keystream by using a random 24-bit Initialization Vector (IV).
  • This IV is contained in the packet as plain text.
  • In a busy network we can collect more than two packets with the same IV; we can then use the aircrack-ng suite to determine the WEP key.
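How fast does a 24-bit IV repeat on a busy network? The block below is an added example, not part of the original post: it works the birthday bound for WEP's 2^24 IV space (exact probability and the approximate packet count for a target probability) and includes a small checker that reports repeated IVs in a list of captured IV values. The IV list is constructed with a fixed random seed.

```python
import math
import random
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS   # WEP sends a 24-bit IV in the clear with every frame


def iv_collision_probability(n_packets: int) -> float:
    """Exact birthday-bound probability that at least two of n_packets
    frames carry the same random IV, i.e. the same RC4 keystream."""
    if n_packets > IV_SPACE:
        return 1.0
    # P(all distinct) = prod_{i<n} (1 - i/N); summed in log space to avoid underflow
    log_no_collision = sum(math.log1p(-i / IV_SPACE) for i in range(n_packets))
    return 1.0 - math.exp(log_no_collision)


def packets_for_probability(p: float) -> int:
    """Approximate frame count at which the collision probability reaches p,
    from the birthday approximation n ~ sqrt(2 N ln(1/(1-p)))."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p))))


def repeated_ivs(ivs):
    """Map each IV seen more than once to its count (keystream reuse events)."""
    return {iv: count for iv, count in Counter(ivs).items() if count > 1}


# Constructed capture: 5000 uniformly random IVs, reproducible via the seed.
random.seed(1)
SAMPLE_IVS = [random.randrange(IV_SPACE) for _ in range(5000)]

if __name__ == "__main__":
    print("frames for 50% chance of an IV repeat:", packets_for_probability(0.5))
    print("repeated IVs in sample:", repeated_ivs(SAMPLE_IVS))
```

On the order of five thousand frames is enough for an even chance of a repeated IV, which a busy access point produces in minutes; this is the reason the post's first mitigation is to retire WEP entirely.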

Cracking WPA/WPA2 Encryption:

  • Capturing WPA data packets is not useful, as they do not contain any information that can be used to crack the key.
  • The only packets that contain information that helps us crack the password are the handshake packets.
  • Every time a client connects to the AP, a four-way handshake occurs between the client and the AP.
  • By capturing the handshake, we can use aircrack-ng to launch a wordlist attack against the handshake to determine the key.
  • To crack a WPA/WPA2 AP with WPS disabled, we need two things:
    1. Capture the handshake
    2. A wordlist

Cracking the WPA Key using a Wordlist:

  • Create a wordlist using the crunch tool to crack the WPA key.
  • Use aircrack-ng to crack the key.
  • It does the job by combining each password in the wordlist with the AP name (ESSID) to compute a PMK (Pairwise Master Key) using the PBKDF2 algorithm.
  • The PMK is then compared against the handshake file.
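The PMK derivation described above, as an added example that is not code from the post or from aircrack-ng: PBKDF2-HMAC-SHA1 with the ESSID as salt, 4096 rounds, 32-byte output, checked against the known-answer vector published with the 802.11i standard (passphrase "password", SSID "IEEE"). It assumes an ASCII passphrase, as the standard does, and shows why the ESSID matters: the same passphrase yields a different PMK on every network name.

```python
import hashlib

# Known-answer vector from the IEEE 802.11i test vectors: "password" / "IEEE"
KNOWN_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PMK from a passphrase.

    The ESSID is the PBKDF2 salt, so precomputed PMK tables are only valid
    for one network name; the fixed 4096 HMAC-SHA1 rounds are the work that
    every single wordlist guess has to pay.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("ascii"), 4096, 32)


def known_answer_test() -> bool:
    """Confirm the derivation against the standard's published vector."""
    return wpa_pmk("password", "IEEE").hex() == KNOWN_PMK_HEX


def pmk_depends_on_essid(passphrase: str, essids) -> bool:
    """True if the same passphrase gives a distinct PMK for every ESSID given."""
    pmks = {wpa_pmk(passphrase, essid) for essid in essids}
    return len(pmks) == len(set(essids))


if __name__ == "__main__":
    print("known-answer test passed:", known_answer_test())
    print("PMK for 'password' on IEEE:", wpa_pmk("password", "IEEE").hex())
```

A defender can read the salt and iteration count off this: keeping the default ESSID makes a precomputed table reusable across many routers, which is one more reason to change it along with the passphrase.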

Exploiting WPS Feature:

  • WPS is a feature that allows users to connect to WPS-enabled networks easily, using a WPS button or just by clicking on the WPS functionality.
  • Authentication is done using an eight-digit PIN, which means there is a relatively small number of PIN combinations, and using brute force we can guess the PIN in less than 10 hours.
  • Tools like wifite or reaver can automate this process and recover the WPA key from that PIN.
  • Note: This flaw is in the WPS feature and not in WPA/WPA2. However, it allows us to crack any WPA/WPA2 AP without using a wordlist and without any clients.

WiFi Password Cracking Summary:

Mitigations:

  • Do not use WEP encryption, as it is easy to crack.
  • Use WPA2 with a complex password; make sure the password contains lowercase letters, capital letters, symbols and numbers.
  • Ensure that the WPS feature is disabled, as it can be used to crack your complex WPA2 key by brute-forcing the easy WPS PIN.
  • Enable MAC address filtering on the access point or router.
  • Change the default router access password and enable firewall protection.

Be Aware, Be Secure.

Thank You 🙏
