Complete instructions for all Wi-Fi hacking techniques

Mutt

This material is provided for educational purposes only and was created as part of a study of information security. The author did not publish it for malicious purposes. If someone uses the information for personal gain, the author is not responsible for any harm or damage caused.

How to automate auditing of Wi-Fi hotspots?
The entry threshold for learning to hack Wi-Fi has been steadily declining. Over the past couple of years, a collection of simple and effective utilities that automate most types of wireless attacks has grown once again. Where Kali (then BackTrack) once shipped only raw scripts, today the abundance of ready-made tools is overwhelming.

Today you don't even have to start by learning Aircrack-ng, the package on which almost all Wi-Fi hacking tools are based. The WiFi-autopwner script by Alexey Miloserdov and Wifite2 by Derv Merkler (the pseudonym of a Seattle programmer) will get you a practical result quickly.

I like both scripts, but Wifite2 and its popular fork are more familiar to me. It intelligently uses additional utilities to improve audit efficiency and can automatically run the five most common types of attacks against all access points at once or only against the ones you specify.

Wifite2 uses bully, tshark and reaver to attack WPS, either with the PixieDust method or by brute-forcing PINs. It uses coWPAtty and pyrit to verify the handshakes captured during a WPA(2) attack, and it implements the new PMKID attack using hashcat.

[Image: Successful capture of a PMKID handshake]

All attack types are already sorted by execution speed. The fastest ones (WPS, WEP, PMKID) are tried first against the selected access point, and on failure the script moves on to the next options. Moreover, when verbose mode (-vv) is enabled, every command used and its result are displayed in the terminal. Essentially, this is a learning and debugging mode.

What is the fastest attack on Wi-Fi?
Before, I would have answered: WPS. If Wi-Fi Protected Setup is enabled on the access point, then most likely it can be opened either by brute-forcing known PINs or by the more elegant PixieDust attack. The list of PINs to try is taken from the manufacturer's default configurations, and the manufacturer is determined from the MAC address. An exhaustive search of all options (true brute force) is usually pointless, since after N failed WPS authorization attempts the router blocks further ones for a long time.

[Image: Successful WPS PIN recovery using WiFi-Autopwner]

In any case, an attack on WPS took up to five minutes and seemed fast compared with waiting for a WPA handshake to be captured and then cracked for a painfully long time. However, a new type of attack has now appeared: PMKID (Pairwise Master Key Identifier). On vulnerable routers it lets you capture a handshake in a matter of seconds, even if no clients are connected! With it you don't need to wait for anyone or deauthenticate anyone; a single (even unsuccessful) authorization attempt on your part is enough.

So the optimal algorithm for cracking... sorry, auditing is as follows: determine whether WPS is enabled on the target access point. If so, launch PixieDust. No luck? Then try the known PINs. Still nothing? Check whether WEP encryption is enabled, which is also easy to break. If not, perform a PMKID attack on WPA(2). If that doesn't work either, fall back to the classics: wait for a handshake (so as not to draw attention) or actively kick clients off in order to catch their authorization sessions.

I found out the WPS PIN, what's next?
Then you can use it to connect to the router and find out the password, no matter how long and complex it is. WPS in general is a huge security hole. On my own equipment I always turn it off, and then I also check with a Wi-Fi scanner that WPS is really off.

I intercepted the handshake. What do I do with it?
Wifite2 writes the four-way handshake to a file with the .cap extension.

[Image: Capturing a classic WPA handshake]

TCPdump, Wireshark, Nmap and other programs use the .pcap format. A PMKID handshake will be in the .16800 format.

By default, Wifite uses Aircrack-ng to guess passwords. It runs a command like

aircrack-ng yourhandshake.cap -w /yourwordlist.txt
In the simplest cases this is enough, but more often you have to convert the handshake with hcxtools to feed it to one of the more advanced password-cracking utilities, for example John the Ripper or hashcat.

I like hashcat better. To work with it, you need to convert .cap to .hccapx. You can do this online or locally with the cap2hccapx utility. In the latter case you will have to download the source and compile it.

Code:
wget https://raw.githubusercontent.com/hashcat/hashcat-utils/master/src/cap2hccapx.c
gcc -o cap2hccapx-converter cap2hccapx.c
It is more convenient to move the resulting executable cap2hccapx-converter into /bin so that you can run it from anywhere.
mv cap2hccapx-converter /bin

[Image: Successful recovery of a Wi-Fi password in hashcat using a WPA2 handshake]

PMKID hashes are cracked the same way. You just need to explicitly specify the handshake type and the dictionary to hashcat.

hashcat64 -m 2500 -w 3 Beeline.hccapx "wordlist\wpadict.txt"   # try the passwords from our dictionary wpadict.txt against the hash from the WPA(2) handshake in Beeline.hccapx
hashcat64 -m 16800 -w 3 RT-WiFi.16800 "wordlist\rockyou.txt"   # use the PMKID handshake from RT-WiFi.16800 and the ready-made dictionary rockyou.txt

[Image: Cracking a PMKID in hashcat]

How do I brute-force Wi-Fi passwords?
It is better to crack passwords locally on a desktop computer with a powerful graphics card; if you don't have one, use online services. They offer limited sets for free, but sometimes even those are enough.

[Image: Cracking two passwords online]

Another interesting option is a distributed computing network, for example Elcomsoft Distributed Password Recovery. This versatile program understands dozens of password and hash formats, including .cap, .pcap and .hccapx. Up to ten thousand computers can work on one task simultaneously, pooling their CPU and GPU resources.

[Image: Distributed cracking of WPA hashes]

It also has a very advanced approach to dictionary attacks. You can use masks, prefixes and mutations, effectively expanding the dictionary several times over.

Why use a dictionary attack instead of brute force?
The WPA(2)-PSK key is 256 bits long. The number of possible combinations (2^256) is so large that even a powerful server with graphics accelerators would take years to go through them all. Therefore a dictionary attack is more realistic.

Wifite2 usually does this itself. After capturing a handshake, it checks its quality. If all the necessary data is present, a dictionary attack with wordlist-top4800-probable.txt is launched automatically. As you might guess, it contains only the 4800 most common passwords.

This is convenient because it runs quickly even on an old laptop, but most likely the right combination will not be in this dictionary. So it is worth making your own.

How to compose your own dictionary?
I first put together a collection of dictionaries from various sources: the dictionaries preinstalled in password-cracking programs, the /usr/share/wordlists/ directory in Kali Linux itself, databases of real passwords leaked from various accounts, and collections from specialized forums. I converted them to a single format (encoding) with the recode utility. Then I renamed the dictionaries using the template dict##, where ## is a two-digit counter. That gave 80 dictionaries.

[Image: Combining 80 dictionaries while skipping identical entries]

In the next step I merged them into one, removing exact duplicates, and then ran the PW-Inspector utility to clean the merged dictionary of garbage. Since a Wi-Fi password can be from 8 to 63 characters, I deleted all entries shorter than 8 and longer than 63 characters.
Code:
cat * | sort | uniq > alldicts
pw-inspector -i alldicts -m 8 -M 63 > WPAMegaDict

Then I thought that this was a very large file that could be shrunk further without noticeably compromising the efficiency of the search. Have you seen Wi-Fi passwords longer than 16 characters in real life? Neither have I.
Code:
pw-inspector -i WPAMegaDict -m 8 -M 16 > WPADict_8-16

The resulting dictionary can be downloaded from Kim Dotcom's file hosting service (647 MB as a ZIP archive, 2.8 GB unpacked).

How do I switch to the 5 GHz band?
First, you need to connect a Wi-Fi adapter with 5 GHz support and fit it with a suitable antenna (they are also made for different bands). Then just launch Wifite with the -5 switch and you will see 5 GHz access points. There are usually far fewer of them than 2.4 GHz ones, due to both their relatively low adoption and their shorter range: other things being equal, the higher the frequency, the faster the signal decays.

[Image: Enabling 5 GHz mode in Wifite]

Can a hidden network be attacked?
Yes. If the network name (ESSID) is hidden, you can still see the access point's MAC address when scanning the air. The first client to connect will reveal its name. So just wait for a connection or speed up the process by sending deauthentication packets.

[Image: Finding out the name of a hidden network in passing]

Conclusion
When I wrote this article, my goal was to help readers get practical results from scratch as quickly as possible, almost without compromising their understanding of the essence of the process. I wanted to fit everything into one publication to give you a powerful start and ignite a spark of interest that would prompt you to continue on your own.

On pentesting courses I have repeatedly pointed out that for your hard-earned money you get information that is not exactly fresh. In response, the teachers usually said that they teach the basics, the essence doesn't change for years, so you should google and polish our materials yourself. In my opinion, the point is in the details, and they change very quickly. I hope my hard-won cheat sheet helps you steepen your learning curve.
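The section "Why use a dictionary attack instead of brute force?" says the 256-bit PSK is out of reach but the passphrase is not, without showing why. The following added example (my own code, not from the post or from Wifite2/hashcat) derives the PSK exactly as IEEE 802.11i specifies it, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and puts numbers on the gap between the key length and the passphrase that actually protects it. The SSID/passphrase pair "IEEE"/"password" is the published 802.11i test vector, included so the derivation can be checked; the guess rates are assumed figures, not measurements.

```python
import hashlib
import math

# Published IEEE 802.11i test vector (Annex H), used here only to check the derivation.
TEST_SSID = "IEEE"
TEST_PASSPHRASE = "password"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 Pre-Shared Key from a passphrase and SSID.

    802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so a precomputed table is only valid for one network name;
    a unique SSID therefore costs an attacker a fresh PBKDF2 run per candidate password.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every value of a 2**bits keyspace at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Effective keyspace, in bits, of a passphrase of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def compare(guesses_per_second: float = 1e6) -> dict:
    """Contrast the nominal 256-bit key with an 8-character lowercase passphrase.

    guesses_per_second is an assumed rate (one GPU does roughly that many PBKDF2-WPA
    guesses per second); the point is the ratio, not the exact figure.
    """
    weak_bits = passphrase_bits(26, 8)
    return {
        "psk_bits": 256,
        "psk_years": years_to_exhaust(256, guesses_per_second),
        "weak_passphrase_bits": weak_bits,
        "weak_passphrase_years": years_to_exhaust(weak_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("PSK for test vector:", wpa_psk(TEST_PASSPHRASE, TEST_SSID).hex())
    for key, value in compare().items():
        print(f"{key:>22}: {value:.4g}")
```

The takeaway for a defender is that the effective strength of WPA2-PSK equals the entropy of the passphrase, not 256 bits; the 8-to-63 character length check mirrors the bounds the post's PW-Inspector filter uses, and a long random passphrase plus a non-default SSID is what pushes the dictionary step past what the brute-force tools described above can do.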
 
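Two parts of the post rely on deauthentication frames: kicking clients to force a handshake and revealing a hidden ESSID. From the defending side, such bursts are easy to spot, because a legitimate deauth is a single frame from a station that is leaving, while the forced kind arrives as a flood, usually to the broadcast address and carrying the access point's own address as source. The added example below (my own code, not from the post or from any tool it mentions) runs a sliding-window counter over a constructed frame log in the format `timestamp,subtype,src,dst`; the MAC addresses, timestamps and the 10-frames-per-second threshold are all assumed values chosen for the demonstration.

```python
from collections import defaultdict, deque
from typing import Iterable, Iterator, List, Tuple

# 802.11 management frame subtypes (frame type 0) as they appear in the constructed log.
DEAUTH = "0x0c"      # subtype 12: deauthentication
DISASSOC = "0x0a"    # subtype 10: disassociation
BEACON = "0x08"      # subtype 8: beacon
BROADCAST = "ff:ff:ff:ff:ff:ff"

Frame = Tuple[float, str, str, str]  # (timestamp, subtype, source, destination)


def build_sample_log() -> str:
    """Constructed sample, not a real capture: one 'timestamp,subtype,src,dst' per line."""
    ap = "02:00:00:00:aa:01"  # assumed access point address
    # normal beacons from the AP every 100 ms
    lines = [f"{i * 0.1:.3f},{BEACON},{ap},{BROADCAST}" for i in range(20)]
    # a burst of twelve broadcast deauth frames spoofing the AP as source, 20 ms apart
    lines += [f"{0.5 + i * 0.02:.3f},{DEAUTH},{ap},{BROADCAST}" for i in range(12)]
    # one ordinary deauth from a client that is leaving the network
    lines.append(f"1.300,{DEAUTH},02:00:00:00:cc:07,{ap}")
    return "\n".join(lines)


def parse_frames(text: str) -> Iterator[Frame]:
    """Parse the log format above; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, subtype, src, dst = line.split(",")
        yield float(ts), subtype.lower(), src.lower(), dst.lower()


def detect_deauth_flood(
    frames: Iterable[Frame], threshold: int = 10, window: float = 1.0
) -> List[Tuple[str, float, int]]:
    """Flag any source that sends >= threshold deauth/disassoc frames within `window` seconds.

    Returns one (source, time_of_first_alert, frames_in_window) tuple per offending source.
    Frames are sorted by timestamp first so an unordered log still evaluates correctly.
    """
    recent = defaultdict(deque)
    alerts: List[Tuple[str, float, int]] = []
    flagged = set()
    for ts, subtype, src, _dst in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append((src, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for src, ts, n in detect_deauth_flood(parse_frames(build_sample_log())):
        print(f"ALERT t={ts:.2f}s: {n} deauth/disassoc frames from {src} within 1 s")
```

On real hardware the same logic applies to frames exported from a monitor-mode capture (for example via tshark fields for the frame subtype and addresses), and 802.11w Protected Management Frames on the access point make spoofed deauth frames fail outright, which is the actual mitigation for both the handshake-forcing and hidden-ESSID tricks the post describes.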