cyberdocs:wifi-hacking
======================================================== MODULE 5 =============================================================
======================================================== WiFi Hacking ==========================================================

WiFi - IEEE 802.11a/b/g/n
  a - range 5 GHz
  b - 2.7 GHz
  g
  n

Some types of encryption for wireless: WEP, WPA/WPA2

# Wireless is not safe because it broadcasts data in all directions
# SSID - the name of the wireless network
# BSSID - the MAC address of the wireless device(s)

#### Aircrack-ng toolkit
# airmon-ng ( puts our interface into monitor mode )
# airodump-ng ( lets us see access points and beacons )
# aireplay-ng handshake ( it can kick everybody out ) | it is like a fake client | used to capture the handshake
# aircrack-ng - we can use this to compare the info gathered with the other tools

-> airmon-ng
-> airmon-ng start wlan0     ( it can cause problems )
-> airmon-ng check kill      ( kills troublesome processes )
# tells you when the operation starts in monitor mode
-> airodump-ng wlan0mon
-> airodump-ng --channel 6 --write CapFiles --bssid 02:xx:xx:xx wlan0
# to test whether we can inject
-> aireplay-ng -9 wlan0mon
# to stop monitor mode on the interface
-> airmon-ng stop wlan0mon   # to be able to access the wireless again

# WEP
# the easiest way to do it is to give a password like 12345 and 64-bit
# IV - the communication is done with two keys
# if you grab the beacons with airodump and compare them against a wordlist, the password is easy to find
# Symmetric and asymmetric encryption
# POO - Proof of Origin
==============================
- airmon-ng
- airmon-ng check kill
- airmon-ng start wlan0 ( the interface could also be named differently )
# take the bssid and channel
- airodump-ng --channel 11 --write CyberAcademy --bssid < MAC > wlan0mon
# crunch is used to create wordlists
-> crunch 5 5 12345 > wordlist.txt ( minimum word length is 5 )
- aircrack-ng -b 10:xx:xx (bssid) -w wordlist.txt CyberAcademy-01.cap

CSV - Comma Separated Values
tr - deletes a character
  ifconfig lo | tr -d ":"
gets the interfaces:
  ifconfig | grep "mtu" | cut -d " " -f 1 | tr -d ":"
  ifconfig | grep "flags" | cut -d " " -f 1 | tr -d ":"
Hello^HI, 2-dimensional CSV
# AWK
# make a script that automatically prints the interfaces and asks which interface you want to use in monitoring mode
============================================================================================================
============================================================================================================
25_JULY_2018

FLAGS are parameters that indicate certain states ( when we are talking about interfaces )
cat icmp_echo_ignore
cat /etc/sysctl.conf
sysctl -p
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
loopback is used to test yourself or the services that are running on our local machine
the difference between accessing via 127 and via 172 is that with localhost we do not generate traffic
wireless frequencies: 2.4 , 5.0 , 3.9 ( rarely used )
2.4 has less BANDWIDTH ( but it reaches further due to the wavelength )
Difference between DEDICATED and SHARED
802.11 b/g/n
A/C 1.3 Gbps
how to actively scan for wireless:
## iwlist wlan0 scanning ( with this interface, scan the access points it can reach )
AUTHENTICATION MODES: WEP, WPA2, WPA3, Open
WEP - CCMP Encryption Mechanism ( a vulnerability exists )
The more beacons we get the better our chances are to crack it
# Beacons are frames containing network information
# access points send beacons all the time to the connected users
RX - received packets
TX - transmitted packets
CRC - to check for errors
# If you are subject to a DoS attack there will be a lot of DROPPED packets
CARRIER is the electromagnetic field that carries the signal ( if CARRIER is non-zero we have obstacles in the signal transmission )
HUB - very prone to collisions ( not used anymore ) and SNIFFING
FULL DUPLEX ( 2-way uninterrupted communication )
HALF DUPLEX ( 2-way but in turns )
Wireless is HALF DUPLEX
# One of the main reasons why servers now don't use WIRELESS is because it is HALF DUPLEX
# if we want to see how many clients there are on an access point
airodump-ng ESSID
## MAC Filtering
It makes it possible to define access rights
-> nmap 172.16.60.1 ( scanning the GATEWAY )
-> ssh 172.16.60.1 - prompts for a password
-> we must do MAC FILTERING
# you whitelist somebody ( admin ), others are denied
macchanger eth0 -r ( randomly change the MAC address on the specified interface ) ( it has the current MAC, PERMANENT MAC )
you can clone the MAC of the ADMIN and send DEAUTHENTICATION packages to kick the guy out ( :P )
## macchanger -d dd:xx:aa:vv:ee:bb <interface>
# how to view a hidden SSID
# ESSID is not being BROADCAST
# whoever knows the ESSID enters it MANUALLY
# we can do this by sending DEAUTH packets
============================================================================================
aireplay-ng --deauth 1 -c <:MAC CLIENT:> -a <:ACCESSPOINT:> <:interface:>
===============================================
* cleaning state
service network-manager restart
-> airmon-ng start wlan0
-> airmon-ng check kill
-> airmon-ng start wlan0
# GET THE DATA NEEDED
-> airodump-ng wlan0mon
-> airodump-ng --bssid <:BSSID:> --channel <:CHANNEL:> --write <:PREFIX:> <:INTERFACE:>
# START CAPTURING beacons for the particular network
# airodump-ng --bssid <:BSSID:> -c <:CHANNEL:> -w <:PREFIX:> <:INTERFACE:>
-> aircrack-ng <:CAPTURE_FILE:>
======================= WPA2 - after we have captured the handshake ======================
-> aircrack-ng -w <:WORDLIST:> -b <:BSSID:> <:CAPTURE_FILE:>
=============================================================================================================
aircrack is fast because the cracking happens in the file, not on the device
WEP has its vulnerability in the cryptographic algorithm
WPA - we use brute force
When the ESSID is hidden we can find it by sending DEAUTHENTICATION packages
Vulnerability to pinpoint SIM cards
airmon-ng    # monitoring and managing
airodump-ng  # get something, dump it
aireplay-ng  # generate and prompt requests
# every packet it sends contains the ESSID and BSSID
# every time the system accepts a DEAUTH package it stops communications
# monitor mode gives you the ability to capture every possible packet
# wireless access points are not low security
# the mistake most Albanian companies make:
# we have a wireless router to which various devices connect
# if all those devices are connected
# usually in the same wireless network they allow access to critical infrastructure
# wireless waves are not limited by walls
# from a nearby cafe you can see the requests in the wireless router
# Wireless Cracking - unlikely to appear in the final exam
# in security architecture it is important
# in PENTESTING in most cases 80% of the time you are checking the architecture
# Rogue Access Point
# Evil Twin
# MAC Address can be overridden temporarily
# If autoconnect is on it goes for the stronger signal !!!! ( EVIL TWIN )
# Hidden Access Point ( it does not stream the ESSID )
# if we send DEAUTH packages to the ( hidden ) wireless it will tell the ESSID
# when it is hidden you must manually enter the network
# if a network shows length 0 and we see decent signal strength we can send DEAUTH or wait for a user to re-authenticate
# --encrypt ( define the authentication protocol ) ( WEP , WPA )
# Pineapple Access Point
# LAN Turtle - it is a USB - RJ45 connector
===========
airmon-ng check kill
airmon-ng start <:INTERFACE:>
airmon-ng --help ( we can see the options we can use )
airodump-ng <:INTERFACE:> --encrypt WPA
for i in $(cat mac); do macchanger -m "$i" <:INTERFACE:>; done
dhclient -r -v   # we force the server to give us an IP
# when we get into a network
==================== TRYING TO CRACK GUEST ICK THAT IS USING A VOUCHER ===================
netdiscover   # we are basically trying to get the MAC address of a logged-in user
# change the MAC using macchanger -m <:MAC:48bits:>
# dhclient -r -v   # force the router ( server ) into sending us a new IP address
### SO FAR NOT WORKING
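The interface-listing script the notes ask for (the "prints the interfaces and asks which one to use in monitoring mode" item), as an added example that is not part of these notes. It is built from the page's own grep | cut | tr pipeline, but parses text in ifconfig's format instead of calling ifconfig, so it runs offline; SAMPLE_IFCONFIG, its addresses and its MACs are constructed.

```shell
#!/bin/sh
# Added example, not from the notes. SAMPLE_IFCONFIG is constructed text in
# ifconfig's output format; the interface names, IPs and MAC are made up.
SAMPLE_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.60.10  netmask 255.255.255.0  broadcast 172.16.60.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:00:01  txqueuelen 1000  (Ethernet)'

# Interface names: first field of every "flags" line, trailing ":" removed
# (the same grep | cut | tr pipeline as in the notes, fed from $1).
list_ifaces() {
    printf '%s\n' "$1" | grep "flags" | cut -d " " -f 1 | tr -d ":"
}

# Loopback only talks to the local machine, so it is never a candidate
# for monitor mode.
monitor_candidates() {
    list_ifaces "$1" | grep -v '^lo$'
}

# Numbered menu of the candidates, one per line: "1 eth0", "2 wlan0".
show_menu() {
    monitor_candidates "$1" | awk '{ print NR, $0 }'
}

# Map the user's numeric choice ($2) back to an interface name;
# prints nothing when the number is out of range.
pick_iface() {
    monitor_candidates "$1" | sed -n "${2}p"
}

# Interactive use with the real ifconfig output (left commented so the
# script runs unattended); the chosen name is what the notes pass to airmon-ng:
#   show_menu "$(ifconfig)"; printf 'Interface number: '; read n
#   iface=$(pick_iface "$(ifconfig)" "$n") && [ -n "$iface" ] && airmon-ng start "$iface"
```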
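The notes mention AWK, the CSV that airodump-ng --write produces, WEP being cryptographically broken and hidden networks showing ID length 0. As an added example (not from these notes), the script below uses awk to audit the access-point section of such a CSV and list our own APs that still run open or WEP encryption or hide their ESSID. AIRODUMP_CSV is constructed to mimic the airodump-ng "<prefix>-01.csv" layout; every BSSID and ESSID in it is made up.

```shell
#!/bin/sh
# Added example, not from the notes. AIRODUMP_CSV is a constructed sample
# modelled on airodump-ng's CSV output (AP section, then station section);
# BSSIDs, ESSIDs and counts are invented.
AIRODUMP_CSV='
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2018-07-25 10:00:00, 2018-07-25 10:05:00,  6,  54, WEP, WEP, , -40, 120, 300, 0.0.0.0, 10, OldPrinter, 
02:00:00:00:00:02, 2018-07-25 10:00:00, 2018-07-25 10:05:00, 11,  54, WPA2, CCMP, PSK, -55, 80, 0, 0.0.0.0, 12, CyberAcademy, 
02:00:00:00:00:03, 2018-07-25 10:00:00, 2018-07-25 10:05:00,  1,  54, OPN, , , -70, 30, 0, 0.0.0.0, 5, Guest, 
02:00:00:00:00:04, 2018-07-25 10:00:00, 2018-07-25 10:05:00,  6,  54, WPA2, CCMP, PSK, -45, 200, 0, 0.0.0.0, 0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
'

# One line per AP: BSSID, channel, privacy, beacon count, ESSID and a verdict.
# Stops at the station section; fields are split on ", " (an ESSID that
# itself contains a comma would shift the columns).
audit_aps() {
    printf '%s\n' "$1" | awk 'BEGIN { FS = ", " }
        /^Station MAC/ { exit }
        /^BSSID/ || NF < 14 { next }
        {
            bssid = $1; chan = $4 + 0; priv = $6; beacons = $10 + 0
            idlen = $13 + 0; essid = $14
            verdict = "ok"
            if (priv == "OPN")       verdict = "OPEN (no encryption)"
            else if (priv ~ /WEP/)   verdict = "WEP (cryptographically broken)"
            else if (idlen == 0)     verdict = "HIDDEN ESSID (beacons carry length 0)"
            printf "%s ch%d %s beacons=%d essid=%s %s\n",
                   bssid, chan, priv, beacons, (essid == "" ? "<hidden>" : essid), verdict
        }'
}

# Number of APs that need attention (every line whose verdict is not "ok").
count_findings() {
    audit_aps "$1" | grep -vc ' ok$'
}
```

On the sample above, the WEP printer, the open guest network and the hidden WPA2 network are reported, and the WPA2/CCMP network CyberAcademy passes.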
cyberdocs/wifi-hacking.txt · Last modified: 2019/02/05 16:26 by dardan
