What do you need to hack WiFi?
A universal gentleman's set: a laptop running Linux and a Wi-Fi adapter with a USB interface (also called a dongle). You can also use a smartphone (see the link above), but some attacks simply require a second USB port. Even a laptop without an installed OS and without a drive at all will do.

All information is provided for educational purposes only and is intended for pentesters (white-hat hackers). Neither the editors of www.spy-soft.net nor the author are responsible for any possible harm caused by the materials of this article.
Which OS to choose for WiFi hacking?
Linux gives fine-grained control over devices (dongles in particular) through open-source drivers. Almost any distribution will do, but a ready-made security build is more convenient: BlackArch, BackBox, Parrot Security, Kali Linux. The most popular is Kali Linux, which ships not only the hacker toolkits but also drivers for most chips suitable for wardriving, plus a number of small tweaks out of the box.
The latest releases of Kali have seen a lot of changes. It can now mimic Windows on screen (the Undercover mode, so that a pentester is not given away by something strange on the monitor); root is disabled by default (either enable it or prefix commands that need superuser rights with sudo). Most importantly, Kali now supports new 802.11ac dongles out of the box, and raising the transmit power of a Wi-Fi adapter is straightforward.
How to use Linux on a laptop without deleting Windows?
Installing Kali to the hard drive next to Windows is technically feasible (multi-boot via the same GRUB), but the line between legal and illegal actions during an audit is blurred, and for your own safety it is better to work from the Live USB Persistence mode. Working in it is almost no different from a full installation: updates, configs, new scripts and personal files are all picked up the next time you boot in persistence mode. For greater privacy the persistence partition can be encrypted (Kali has a separate "Live USB Encrypted Persistence" entry in the boot menu for that).

In my opinion, a memory card is more convenient than a flash drive, since it does not take up a USB port and does not stick out. Ports (especially ones with separate power) are always in short supply on laptops. Choose a card with at least the Class 10 marking (declared sequential write speed of 10 MB/s), or better yet UHS-I V30 and faster (if the built-in card reader supports it).
How to make a bootable USB stick with Kali and Persistence partition?
To do this, two partitions are needed on the USB stick or SD card. The first holds the live system itself: you can unpack the image from kali.org onto a FAT32 partition, while the official Kali instructions simply write the ISO to the device with dd (the hybrid image then brings its own partitions). The second partition is ext3, labelled "persistence", and carries a file persistence.conf containing the single line "/ union"; that is where settings, personal files and session changes are saved. Without the label and the file, the Live USB Persistence boot entry will not find the partition and nothing will be saved.
Which WiFi adapter is suitable for wardriving?
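The whole procedure as one script, added here as an example rather than taken from the article. It follows the dd method from the Kali documentation (the hybrid ISO creates partitions 1 and 2, so persistence becomes partition 3), refuses to touch a device that is mounted, and handles the "p3" partition naming of memory cards and NVMe devices. The mount point /mnt/kali-persist and the DRY_RUN switch are this script's own choices, not anything Kali requires.

```sh
#!/bin/sh
# Write a Kali live ISO to a USB stick or SD card and add the ext3 persistence
# partition that the "Live USB Persistence" boot entry looks for.
# Usage: ./kali-usb.sh /dev/sdX kali-linux-*-live-amd64.iso
#        DRY_RUN=1 ./kali-usb.sh /dev/sdX image.iso   # only print the commands
set -eu

run() {                                  # execute, or just echo under DRY_RUN
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# /dev/sdb -> /dev/sdb3, but /dev/mmcblk0 -> /dev/mmcblk0p3 (memory cards, NVMe)
partition_name() {                       # partition_name <device> <number>
  case $1 in *[0-9]) echo "${1}p$2" ;; *) echo "${1}$2" ;; esac
}

# Size of the ISO rounded up to whole MiB; the persistence partition starts there.
iso_mib() {
  bytes=$(wc -c < "$1" | tr -d ' ')
  echo $(( (bytes + 1048575) / 1048576 ))
}

kali_usb() {                             # kali_usb <device> <iso>
  dev=$1; iso=$2
  [ -f "$iso" ] || { echo "no such image: $iso" >&2; return 1; }
  if [ "${DRY_RUN:-0}" != 1 ]; then      # refuse to overwrite something that is in use
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if grep -q "^$dev" /proc/mounts; then echo "$dev is mounted, refusing" >&2; return 1; fi
  fi
  # 1. Write the hybrid ISO; it brings its own partitions 1 (ISO9660) and 2 (EFI).
  run dd if="$iso" of="$dev" bs=4M conv=fsync status=progress
  # 2. Partition 3 takes the free space after the image.
  start=$(iso_mib "$iso")
  run parted -s "$dev" mkpart primary "${start}MiB" 100%
  part=$(partition_name "$dev" 3)
  # 3. ext3 with the label "persistence" is what the live initramfs searches for.
  run mkfs.ext3 -L persistence "$part"
  # 4. persistence.conf selects what is overlaid; "/ union" keeps the whole filesystem.
  run mkdir -p /mnt/kali-persist
  run mount "$part" /mnt/kali-persist
  run sh -c "echo '/ union' > /mnt/kali-persist/persistence.conf"
  run umount /mnt/kali-persist
  run sync
  echo "done: boot from $dev and pick 'Live USB Persistence'"
}

if [ $# -eq 2 ]; then kali_usb "$@"; fi
```

Run it once with DRY_RUN=1 and read the printed commands before pointing it at a real device; dd does not ask twice.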
In general, it must be able to switch to monitor mode (mandatory) and perform packet injection (desirable). Whether it can depends on the chip the adapter is built on and on its driver.

The wikidevi.com website has been down for a long time, so we use the Linux wireless wiki at wireless.wiki.kernel.org instead.
That site has a table of Wi-Fi drivers for Linux. We are not interested in all of them, only those for which the monitor column says yes, the next column (PHY modes) contains N or AC (a guarantee of reasonably new standards), and the Bus column says USB.
Additional information about drivers can be taken from two tables in the English-language Wikipedia. The principle is the same: look for the combination 802.11n(ac) + monitor mode + USB.
At the time of writing (March 2020), the following drivers were left: ath9k_htc, carl9170, mt76, mt7601u, p54, rt2800usb, rt2x00, rtl8187, rtl8192cu, zd1211, zd1211rw.
We click the link to each suitable driver's description and see the list of supported chipsets, then devices. For example, here is the page about the ath9k_htc driver. It lists the chipsets (with USB, only AR9271) and the devices built on them. Studying it shows that the TL-WN722N suits us, since it has a removable external antenna.
By analogy, we go through the other drivers/chips/devices and make a list of models. Then we choose the newest one and buy one (for starters) or several dongles. Be careful with the hardware revision here: models with the same number but a different revision are often two different devices in the same case. The TL-WN722N is the classic example: only v1 is built on AR9271, while v2 and v3 use a Realtek chip with a different driver.
Driver lists are updated by volunteers, i.e. with unpredictable delays, so in reality the list of suitable chips is longer. It used to be limited mainly to Ralink and Atheros models, and now Realtek RTL8812AU and RTL8814AU have been added. The latter works with 802.11ac and, besides monitor mode, supports packet injection. Note that these Realtek chips use an out-of-tree driver (Kali packages it as realtek-rtl88xxau-dkms), which is why they are absent from the in-kernel driver table. They also require USB 3.0 (900 mA and 5 Gbit/s instead of 500 mA and 480 Mbit/s for USB 2.0).
Why buy multiple WiFi adapters?
To perform advanced attacks (such as the "evil twin") and to raise the success rate of any other. There is simply no universal adapter; each has its own strengths. For example, the AR9271-based dongles mentioned above cope better with attacks on WPS. Devices with RT3572, RT5572 and RTL881xAU chips can attack targets in the 5 GHz band, and old-timers with the RTL8187L chip see targets hundreds of meters away on 802.11b/g. Of course, that standard is outdated, but it is often left enabled in compatibility mode even on new routers with 802.11ac/ax support.
Why do they recommend Alfa Network dongles for hacking WiFi?
This Taiwanese manufacturer specializes in wireless equipment and makes it slightly better (and much more expensive) than others. For example, many of its adapters have shielding (which lowers the noise the receiver picks up) or a built-in amplifier (which raises the transmitter's peak power). Almost all models have removable antennas (you can screw on your own, more suitable one). To make choosing easier there is even a dedicated "Kali WiFi USB" section listing adapters guaranteed to work in Kali Linux in monitor mode. If you have money but no time, take an Alfa and you won't go wrong. It's like Cisco for admins.
What settings should be made before hacking WiFi?
If you run Kali with default configs and plug in a freshly unpacked Wi-Fi adapter, you will be able to hack only your own router; there can be no talk of a real pentest. To find out whether a remote attack from the street (or at least from the next room) is feasible, you need to:
- disable power saving for the Wi-Fi adapter;
- increase the power of the dongle;
- prepare dictionaries for password cracking;
- update all the bundled software and install additional tools;
- check and save the changes.
How to disable power saving for WiFi adapter in Kali?
In the terminal we write:
Code:
iw dev # List wireless interfaces; find the external dongle by its MAC in the addr line
iw dev wlan1 set power_save off # Here the external dongle is wlan1 (a USB adapter may also get a name like wlx<mac>)
If you disable power saving and raise the adapter's power, do not forget to give it some cooling. It is also better to use USB 3.0 ports or high-power USB 2.0 ports; they are usually marked with a colour.
How to increase the power of a Wi-Fi adapter?
There are two ways to do it. The first is through global settings in Kali; it works for adapters that take the regulatory domain from the OS.
Method 1
First, let's look at the current parameters:
- iw dev shows the list of wireless adapters and their current transmit power. Usually we see txpower 20.00 dBm (+20 dB relative to one milliwatt), which in theory means 100 mW at the transmitter and in practice means that the routers you are attacking most likely will not hear your "whistle".
- iw reg get displays the global regulatory settings: the ISO 3166-1 country code, the permitted frequency ranges, channel widths and power limits. If country 00 is shown, no country is set and the strictest "world" restrictions apply.
The most liberal Wi-Fi regulations are in Guyana (GY) and Belize (BZ), where adapters are allowed ten times more power (30 dBm instead of 20). The corresponding entry in the database looks like this:
Code:
country BZ: DFS-JP
	(2402 - 2482 @ 40), (30)
	(5735 - 5835 @ 80), (30)
The DFS-JP after the country code names the Dynamic Frequency Selection scheme: American (FCC), European (ETSI) or Japanese (JP). There is no need to change it.
Next come the frequency windows in the 2.4 and 5 GHz bands with the channel width in megahertz, and the power limit in dBm in the last pair of brackets. These parameters determine how many channels you will see and how loud you may transmit.
To change the region, simply type in the terminal:
Code:
iw reg set BZ # Mentally transported to Belize with a laptop
ip link set wlan1 down # Disable the external dongle designated as wlan1
iw dev wlan1 set txpower fixed 2300 # iw takes mBm (hundredths of a dBm): 2300 mBm = 23 dBm, double the power
ip link set wlan1 up # Bring the dongle back up
Note the unit: iw expects the power in mBm, i.e. dBm multiplied by 100, so asking for "23" would request 0.23 dBm. The scale is logarithmic, so doubling the power (to 200 mW) corresponds to a gain of 3 dB (from 20 to 23 dBm). Simply put, TxPower(dBm) = 10 * log10(P / 1 mW), where P is the power in milliwatts. Check the result with iw dev wlan1 info: if the txpower line still shows the old value, the driver or the regulatory domain clamped your request.

Don't rush to turn the dongle up to full power right away. Each device has a reasonable limit, found experimentally. One of my adapters works more stably at 27 dBm (500 mW) than at 30 dBm (1000 mW), and another is useless to drive above 23 dBm.
If you are lucky enough to have a high-quality dongle with a large power reserve (for example, an outdoor model), then try the PA region. This is Panama, where transmitters up to 4 W (36 dBm) are allowed. You won't get that much from a USB 2.0 port, though: you need USB 3.0 or extra power.
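The whole sequence (regulatory domain, transmit power, power saving off) as one script, with the check the steps above leave out: reading back what the kernel actually applied, because a request above the driver's or domain's limit is silently clamped. This is an added example, not code from the article; interface, country and target level are arguments, the mBm conversion is the unit iw documents, and the sample iw output used in the test is constructed.

```sh
#!/bin/sh
# Raise the transmit power of an external dongle, disable power saving and
# verify the result.  Usage: ./wifi-tune.sh wlan1 BZ 23   (interface, country, dBm)
set -eu

# iw takes the power in mBm, hundredths of a dBm: 23 dBm -> 2300 mBm.
dbm_to_mbm() { echo $(( $1 * 100 )); }

# Inverse of TxPower(dBm) = 10*log10(P / 1 mW): P = 10^(dBm/10) milliwatts.
dbm_to_mw() { awk -v d="$1" 'BEGIN { printf "%.0f\n", 10 ^ (d / 10) }'; }

# Pull the value out of the "txpower NN.NN dBm" line of `iw dev <if> info`.
txpower_dbm() { printf '%s\n' "$1" | awk '/txpower/ { print $2 }'; }

# Exit 0 if the applied power is at least the requested one (awk compares floats).
txpower_reached() { awk -v a="$1" -v r="$2" 'BEGIN { exit !(a + 0 >= r + 0) }'; }

tune() {                                    # tune <interface> <country> <dBm>
  ifc=$1; cc=$2; want=$3
  iw reg set "$cc"                          # ignored by dongles with a domain burned into EEPROM
  ip link set "$ifc" down
  iw dev "$ifc" set txpower fixed "$(dbm_to_mbm "$want")"
  ip link set "$ifc" up
  iw dev "$ifc" set power_save off          # a dozing radio misses frames during capture
  got=$(txpower_dbm "$(iw dev "$ifc" info)")
  if txpower_reached "$got" "$want"; then
    echo "$ifc: $got dBm (about $(dbm_to_mw "$want") mW) applied"
  else
    echo "$ifc: asked for $want dBm, kernel clamped to $got dBm; look for a per-phy entry in 'iw reg get'" >&2
    return 1
  fi
}

if [ $# -eq 3 ]; then tune "$@"; fi
```

A non-zero exit from tune is the signal that Method 1 is not enough for this dongle and the regulatory database itself has to be changed.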
Method 2
Used for Wi-Fi adapters that carry a regulatory domain in their own memory (EEPROM), for example every Alfa Network adapter I have come across. They ignore the global settings (including iw reg set BZ), so instead you change the limits for the country that is already recorded in the dongle.
Code:
iw reg get # Find out which country the adapter is set to (look at the phy#N entry, not only the global one)
git clone https://kernel.googlesource.com/pub/scm/linux/kernel/git/sforshee/wireless-regdb # Clone the Wi-Fi regulatory database
cd wireless-regdb/ # Go to that directory
gedit db.txt # Edit the database source (any editor will do)
Find the required country by its code and replace the 20 (dBm) in the last brackets with 30 everywhere (or even 33, which is 2000 mW). Make the same change for country 00 (or even for all countries) and save db.txt.
Previously, to compile the database from the text file and sign it, you had to install the Python bindings for OpenSSL, but the new Kali already has them (python3-m2crypto). So we simply run make and get a new regulatory.bin in which all restrictions are removed (or rather, set deliberately high). The same make also produces regulatory.db and regulatory.db.p7s.
Next, delete the old (original) database, copy ours (modified) in its place, copy our public key (the database carries a digital signature) and reboot. One caveat: kernels from 4.15 onward first try to load /lib/firmware/regulatory.db and verify its signature against keys built into the kernel, so a database signed with your own key is accepted there only if the kernel permits extra keys or unsigned databases; the crda path below is the fallback the kernel uses when that file cannot be loaded (and only if crda support is compiled in).
Code:
rm /lib/crda/regulatory.bin
cp regulatory.bin /lib/crda/regulatory.bin
cp $USER.key.pub.pem /lib/crda/pubkeys/
reboot
That's it! After rebooting into Live USB Persistence, set the adapters to the higher power in the usual way.
Code:
ip link set wlan1 down # Turn the dongle off
iw dev wlan1 set txpower fixed 2300 # 2300 mBm = 23 dBm, double the power
ip link set wlan1 up # Turn the dongle on
Let's check the result:
Code:
iw reg get
The output should now show the raised limits for your country (in the original screenshot the increase was 10 dBm: 30 instead of 20).
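An added script for Method 2, not the author's code: it makes the db.txt edit with awk instead of by hand (so only the power field of the chosen country changes and the band limits and flags stay intact), then installs the rebuilt database to both places a Kali kernel may read it from. It assumes you run it inside the wireless-regdb checkout; the db.txt lines in the test are a constructed excerpt in the same format as the real file.

```sh
#!/bin/sh
# Raise the power limit of one country in wireless-regdb's db.txt, rebuild and
# install the signed database.  Usage: ./regdb-raise.sh db.txt 00 30
set -eu

# Print db.txt with every power limit inside "country <CC>:" replaced by <dbm>.
# Frequency rules look like "(2402 - 2482 @ 40), (20)" or the older "(N/A, 20)";
# only the power field is touched.
raise_power() {                              # raise_power <db.txt> <CC> <dbm>
  awk -v cc="$2" -v dbm="$3" '
    /^country / { inblock = ($0 ~ ("^country " cc ":")) }
    inblock && /@/ { sub(/\), \((N\/A, )?[0-9.]+\)/, "), (" dbm ")") }
    { print }
  ' "$1"
}

# Rebuild and install: crda (older kernels) reads regulatory.bin from /lib/crda,
# kernels 4.15+ load /lib/firmware/regulatory.db and verify regulatory.db.p7s.
install_regdb() {                            # run inside the edited wireless-regdb checkout
  make                                       # creates $USER.key.*.pem on first run and signs the db
  if [ -d /lib/crda ]; then
    install -m 644 regulatory.bin /lib/crda/regulatory.bin
    install -m 644 "$USER.key.pub.pem" /lib/crda/pubkeys/
  fi
  install -m 644 regulatory.db regulatory.db.p7s /lib/firmware/
}

if [ $# -eq 3 ]; then
  tmp=$(mktemp)
  raise_power "$1" "$2" "$3" > "$tmp" && mv "$tmp" "$1"
  grep -A8 "^country $2:" "$1"               # show the edited entry
fi
```

Run raise_power for country 00 and for the code your dongle reports, then call install_regdb; if iw reg get still shows the old limits after a reboot, the kernel rejected the self-signed regulatory.db and you are on the crda fallback described above.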
What antenna to use for WiFi hacking?
Depends on the specific task. Some give wide coverage, others let you reach a distant access point by focusing the radiated energy into a narrow beam.

Reconnaissance on the air is more convenient with dipole antennas, which have a wide radiation angle but low gain. The two are always linked, since an antenna does not add power, it only focuses the electromagnetic waves. So with a vertical orientation the link improves in the horizontal plane and worsens in the other direction (towards the floors above and below).
The widest pattern belongs to tiny antennas with a gain of up to 5 dBi. The decibel here is referenced not to a milliwatt but to an isotropic radiator, a mathematical model of an antenna with a spherical pattern; the choice is partly marketing, because the same gain referenced to a half-wave dipole (dBd) reads 2.15 dB lower. If a buyer sees two antennas marked "5 dBi" and "3 dBd", he takes the first one to be "more powerful", although they are practically identical.
Simple dipole antennas are often included in the kit, and they are quite enough to start with. Then I recommend trying the Alfa ARS-N19 antenna with a gain of 9 dBi, the most reasonable value for an omnidirectional antenna. It is a long rod with a narrower radiation angle, but the range of confident reception is greater.
The main disadvantages of such antennas are their size (the ARS-N19 is 39 cm; it won't fit in a pocket) and that each covers a single band (either 2.4 GHz or 5 GHz). So one is not enough.
A more compact and versatile antenna is the Alfa APA-M25. It is a panel antenna (partially directional) and dual-band: 8 dBi at 2.4 GHz and 10 dBi at 5 GHz. It is convenient for attacking pre-selected access points whose location you at least roughly know. The antenna has to be tilted vertically and rotated horizontally to aim at the chosen router.
The most hardcore options are directional antennas with high gain and a very narrow beam. These can reach a target even a kilometer away, but aiming them precisely, and keeping them aimed, is very hard. They were designed primarily for the 802.11b/g standards, long-range but slow; using them for 802.11n and especially 802.11ac is justified only in exceptional cases.
How to select the antenna position?
The easiest way is to run the Wifite2 script (more on it below). In the new version the signal level of all found access points is refreshed every second, both during scanning and during an attack. Just slowly rotate the antenna, first vertically and then horizontally, and fix the position in which the numbers are highest.

Another important note: the signal-to-noise ratio also changes with the orientation of the adapter itself, especially if its board is not shielded. In my experiment, tilting the Alfa Tube-UNA from vertical to horizontal added 7 dBm with the same antenna orientation. The selected access point left the weak-reception zone and was successfully... inspected.
How to connect a non-standard antenna?
In practice antennas have to be swapped, so choose an adapter with a connector for an external antenna. The problem is that the connectors differ and do not mate. Indoor equipment usually has a small RP-SMA connector, while more powerful "outdoor" adapters such as the Alfa Tube-UNA have a large N-type socket. Coaxial adapters bridge the two. Choose the highest-quality ones, otherwise the signal-to-noise ratio (SNR) will suffer noticeably. The photo (not reproduced here) shows an N-type to RP-SMA adapter. I used it to connect the ARS-N19 and APA-M25 antennas to the Alfa Tube-UNA with its built-in amplifier.
How to automate Wi-Fi access point auditing?
The barrier to entry for Wi-Fi hacking keeps falling. Over the past couple of years the choice of simple and effective utilities that automate most types of wireless attacks has grown again. Once upon a time Kali (then BackTrack) had only raw scripts; now your eyes run wide at the abundance of ready-made tools.

Today you don't even have to start by studying Aircrack-ng, the package almost all Wi-Fi hacking tools build on. The WiFi-autopwner scripts by Alexey Miloserdov and Wifite2 by Derv Merkler (a pseudonym of a Seattle-based programmer) will get you practical results quickly.
I like both scripts, but I am more familiar with Wifite2 and its popular fork. It makes competent use of additional utilities to raise the efficiency of an audit and can automatically run the five most common types of attack against all access points at once or only against the ones you specify.
Wifite2 uses bully, tshark and reaver for PixieDust and PIN brute-force attacks on WPS, coWPAtty and pyrit to validate handshakes captured during an attack on WPA(2), and hashcat for the newer PMKID attack.
All attack types are already ordered by speed. The fastest (WPS, WEP, PMKID) are tried first on the selected access point, and if they fail the script moves on to the next ones. Moreover, in verbose mode (-vv) every command used and its result are shown in the terminal; in effect, this is a learning and debugging mode.
What is the fastest WiFi hacking technique?
Previously, I would have answered: WPS. If Wi-Fi Protected Setup is enabled on the access point, it is very likely to be broken by trying known default PINs or by the more elegant PixieDust attack. The list of PINs to try comes from manufacturers' default PIN generators, which are selected by the access point's MAC address. Exhaustively enumerating all PINs (true brute force) is usually pointless, because after N failed WPS attempts the router locks WPS for a long time.

Either way, a WPS attack took up to five minutes and looked fast next to waiting for a WPA handshake, which then had to be painfully brute-forced. Now there is a newer attack: PMKID (Pairwise Master Key Identifier). Access points that include the PMKID in the first message of the four-way handshake (many do, since it exists for PMK caching and fast roaming) give it away in seconds, and no connected client is needed at all. You do not have to wait for anyone or deauthenticate anyone: one association attempt from your side, not even a successful one, is enough, because the PMKID is sent before you have to prove you know the password.
Therefore the optimal hacking (audit) algorithm is: find out whether WPS is enabled on the target access point. If so, launch PixieDust. Unsuccessful? Try the known PINs. Still nothing? Check whether WEP is in use, which is also broken in no time. If not, perform a PMKID attack on WPA(2). If that fails too, fall back to the classics: wait for a handshake (to avoid being noticed) or actively kick clients off to capture their re-authentication.
I found out the WPS PIN, what next?
Then you can use it to connect to the router and obtain the passphrase, however long and complex it is: the WPS registrar exchange hands the WPA key to anyone who presents the correct PIN. In general, WPS is a huge security hole. I always turn it off on my equipment and then check with a Wi-Fi scanner whether WPS is really off.
I intercepted the handshake. What should I do with it?
Wifite2 saves the four-way handshake to a file with the .cap extension, which is the same libpcap format that tcpdump, Wireshark and other tools read and write as .pcap. The PMKID is saved as a text hash line in a .16800 file.
By default, Wifite uses Aircrack-ng to crack passwords. It runs a command like
Code:
aircrack-ng yourhandshake.cap -w /yourwordlist.txt
In the simplest cases this is enough, but more often you convert the handshake with hcxtools to feed it to one of the advanced password crackers, John the Ripper or hashcat.
I like hashcat better. To work with it you convert .cap to .hccapx, either online or locally with the cap2hccapx utility; in the latter case you download the source and compile it. (Since hashcat 6.0 the preferred route is hcxpcapngtool from hcxtools, which produces a single .22000 file covering both handshakes and PMKIDs for -m 22000; the 2500 and 16800 modes shown here are deprecated in those versions.)
Code:
wget https://raw.githubusercontent.com/hashcat/hashcat-utils/master/src/cap2hccapx.c
gcc -o cap2hccapx-converter cap2hccapx.c
It is more convenient to drop the resulting executable cap2hccapx-converter into /bin so that it can be called from anywhere.
Code:
mv cap2hccapx-converter /bin
PMKID hashes are cracked in exactly the same way; you only need to tell hashcat the hash type and the dictionary explicitly (the commands below were run on Windows, hence hashcat64 and the backslashes; on Kali the binary is simply hashcat).
Code:
hashcat64 -m 2500 -w 3 Beeline.hccapx "wordlist\wpadict.txt" # Run our dictionary wpadict.txt against the WPA(2) handshake hash in Beeline.hccapx
hashcat64 -m 16800 -w 3 RT-WiFi.16800 "wordlist\rockyou.txt" # Same for the PMKID in RT-WiFi.16800, this time with rockyou.txt
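As an added example (not from the article, Wifite2 or hashcat), a small wrapper that shows what a captured .16800 file actually contains before GPU time is spent on it, and picks the hashcat mode from the file extension. The .16800 line format it parses is PMKID*AP_MAC*CLIENT_MAC*ESSID_HEX; the PMKID line used in the test is constructed, the hashcat and hcxpcapngtool invocations use their real command syntax, and the function names are the script's own.

```sh
#!/bin/sh
# Inspect a Wifite2 hash file and launch hashcat with the matching mode.
# Usage: ./crack.sh handshake.hccapx|pmkid.16800|capture.cap wordlist.txt
set -eu

# Decode a hex string (the ESSID field of a PMKID line) to text with plain awk.
hex2ascii() {
  printf '%s\n' "$1" | awk 'BEGIN { h = "0123456789abcdef" }
    { s = tolower($0); out = ""
      for (i = 1; i < length(s); i += 2)
        out = out sprintf("%c", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1)
      print out }'
}

# A .16800 line is PMKID*AP_MAC*CLIENT_MAC*ESSID_HEX (16-byte PMKID, 6-byte MACs).
# Print it human-readable; fail on lines that would only make hashcat complain.
pmkid_line_info() {                          # pmkid_line_info <line>
  line=$1
  pmkid=${line%%\**}; rest=${line#*\*}
  ap=${rest%%\**};    rest=${rest#*\*}
  sta=${rest%%\**};   essid_hex=${rest#*\*}
  if [ ${#pmkid} -ne 32 ] || [ ${#ap} -ne 12 ] || [ ${#sta} -ne 12 ] \
     || ! printf '%s\n' "$essid_hex" | grep -Eq '^([0-9a-fA-F]{2})+$'; then
    echo "malformed PMKID line: $line" >&2; return 1
  fi
  printf 'essid=%s ap=%s client=%s pmkid=%s\n' "$(hex2ascii "$essid_hex")" "$ap" "$sta" "$pmkid"
}

# hashcat mode per file type: 2500 = .hccapx (4-way handshake), 16800 = PMKID line,
# 22000 = the combined format hashcat 6.x prefers (made with hcxpcapngtool).
hashcat_mode() {
  case $1 in
    *.hccapx) echo 2500 ;;
    *.16800)  echo 16800 ;;
    *.22000)  echo 22000 ;;
    *.cap|*.pcap|*.pcapng) echo convert ;;
    *) echo unknown ;;
  esac
}

crack() {                                    # crack <hashfile> <wordlist>
  mode=$(hashcat_mode "$1")
  case $mode in
    convert) echo "convert first: hcxpcapngtool -o ${1%.*}.22000 $1  (or cap2hccapx $1 ${1%.*}.hccapx)" >&2; return 1 ;;
    unknown) echo "don't know how to crack $1" >&2; return 1 ;;
  esac
  if [ "$mode" = 16800 ]; then               # show ESSID and MACs so you know what you are cracking
    while read -r l; do pmkid_line_info "$l"; done < "$1"
  fi
  hashcat -m "$mode" -w 3 "$1" "$2"
}

if [ $# -eq 2 ]; then crack "$@"; fi
```

The ESSID check matters because the PMKID is derived from the PMK and the two MAC addresses, and the PMK from the passphrase and the ESSID: a line whose ESSID field is wrong can never crack, no matter how good the wordlist.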
What to bruteforce WiFi passwords on?
It is better to brute-force passwords locally on a desktop with a powerful graphics card, and if you don't have one, use online services. They offer limited sets for free, but even those are sometimes enough.

Another interesting option is a distributed computing network. For example, Elcomsoft Distributed Password Recovery allows this. This universal program understands dozens of password and hash formats, including .cap, .pcap and .hccapx. Up to ten thousand computers can work on one task at a time, pooling their processors and video cards.
Plus, it has a very advanced approach to dictionary attack. You can use masks, prefixes, and mutations, effectively expanding the dictionary size several times.
Why do they perform a dictionary attack instead of a brute force?
The WPA(2)-PSK pairwise master key is 256 bits long, and the number of possible keys (2^256) is such that even a powerful server with GPUs would need ages to enumerate them. What is actually attacked is the passphrase the key is derived from (8 to 63 printable ASCII characters, run through 4096 rounds of PBKDF2-SHA1 with the SSID as salt), and even that space is far too large: the 95^8 eight-character candidates alone would keep a single GPU doing roughly a million guesses per second busy for over two hundred years. Therefore it is more realistic to perform a dictionary attack.

Usually Wifite2 does this itself. After capturing a handshake it checks its quality, and if all the necessary data is present it automatically launches an attack with the dictionary wordlist-top4800-probable.txt. As the name suggests, it contains only the 4800 most common passwords.
That is convenient because it is fast even on an old laptop, but the combination you are looking for is quite likely not in this dictionary. So it is worth making your own.
How to create your own dictionary?
First, I collected dictionaries from different sources: the dictionaries bundled with password-cracking programs, the /usr/share/wordlists/ directory in Kali Linux itself, databases of real passwords leaked from various accounts, and collections from specialized forums. I brought them to a single format (encoding) with the recode utility. Then I renamed the dictionaries with the template dict##, where ## is a two-digit counter. I ended up with 80 dictionaries.

The next step was to merge them into one, removing obvious duplicates, and then run the PW-Inspector utility to clean the merged dictionary of garbage. Since a Wi-Fi password is 8 to 63 characters long, I removed all entries shorter than 8 and longer than 63 characters.
Code:
cat dict* | sort -u > alldicts # Merge the dict## files and deduplicate (sort -u replaces sort | uniq)
pw-inspector -i alldicts -m 8 -M 63 > WPAMegaDict
Then I thought that the file was too big and could be shortened further without any obvious loss of brute force efficiency. Have you ever seen a Wi-Fi password longer than 16 characters in real life? Neither have I.
Code:
pw-inspector -i WPAMegaDict -m 8 -M 16 > WPADict_8-16
The resulting dictionary can be downloaded from Kim Dotcom's file sharing site (647 MB in ZIP archive, 2.8 GB in unpacked form).
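An added example, not the author's pipeline: the same merge in one script, with a filter that pw-inspector does not apply. A WPA passphrase is 8 to 63 printable ASCII characters, so every line with a non-ASCII byte (leftovers of the encoding conversion, leaked passwords in other alphabets) can never match and only slows hashcat down; stripping CR line endings from Windows-made lists is the other fix people forget. The sample dictionaries in the test are constructed.

```sh
#!/bin/sh
# Merge dictionaries into one WPA candidate list: strip CR, keep only printable
# ASCII lines of MIN..MAX bytes, sort and deduplicate in byte order.
# Usage: ./wpadict.sh OUT_FILE dict01.txt dict02.txt ...
set -eu

# Filter stdin: drop a trailing CR, keep printable-ASCII lines of min..max bytes.
# LC_ALL=C makes length() count bytes and the [ -~] range mean ASCII 0x20..0x7e.
wpa_filter() {                              # wpa_filter <min> <max>
  LC_ALL=C awk -v min="$1" -v max="$2" '
    { sub(/\r$/, "") }
    length($0) >= min && length($0) <= max && $0 ~ /^[ -~]+$/ { print }'
}

# Concatenate, filter, sort -u in the C locale (fast and independent of the
# system locale), write the result and return the candidate count.
build_wpadict() {                           # build_wpadict <out> <min> <max> <dict>...
  out=$1; min=$2; max=$3; shift 3
  cat -- "$@" | wpa_filter "$min" "$max" | LC_ALL=C sort -u > "$out"
  wc -l < "$out" | tr -d ' '
}

if [ $# -ge 2 ]; then
  out=$1; shift
  echo "$(build_wpadict "$out" 8 63 "$@") candidates written to $out"
fi
```

The 8..16 variant from the text is just build_wpadict WPADict_8-16 8 16 dict*.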
How to switch to 5GHz band?
First, you need a Wi-Fi adapter that supports 5 GHz, fitted with a suitable antenna (they too are made per band). Then just run Wifite with the -5 switch and you will see the 5 GHz access points. There are usually far fewer of them than at 2.4 GHz, both because the band is less widespread and because its range is shorter: the higher the frequency, the faster the signal fades (all other things being equal).
Is it possible to attack a hidden network?
Yes. If the network name (ESSID) is hidden, you still see the MAC address of the access point when scanning the air. The first client that connects reveals the name, since it appears in the association frames. So just wait for a connection, or speed things up by sending deauthentication packets so that clients reconnect.
Conclusion
When I wrote this article, I set myself the goal of helping readers get a practical result from scratch as quickly as possible, with almost no loss in understanding the essence of the process. I wanted to fit everything into one publication for a powerful start and to spark an interest that would encourage you to continue on your own.

During pentest courses I noticed more than once that for your hard-earned money you get information that is far from fresh. The teachers usually replied that they teach the basics, the essence does not change over the years, so google it yourselves and polish our material as needed. In my opinion, the essence is in the details, and they change very quickly. I hope these notes will help steepen your learning curve.