Category: WiFi Hacking

Posted on by

Beginners guide to wifipumpkin 3

Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what is a rogue access point and why hackers or pentesters use it. In this article, you will learn about Wifipumpkin 3, a powerful framework for creating rogue access points. The features of wifipumpkin 3 are,

  • 1. Creating Rogue access point attack
  • 2. Performing Man-in-the-middle attack
  • 3. Performing deauthentication attack
  • 4. Module for extra-captiveflask templates
  • 5. Creating Rogue DNS server
  • 6. Performing captive portal attack (captiveflask)
  • 7. Intercepting, inspecting, modifying and replay web traffic
  • 8. WIFI networks scanning
  • 9. DNS monitoring service
  • 10. Credentials harvesting
  • 11. Phishkin3 (Support MFA phishing attack via captive portal)
  • 12. EvilQR3 (Support Phishing QR code attack)
  • 13. Transparent Proxies
  • 14. RestFulAPI (new)
  • and more!

Let’s see how to create a rogue access point using this tool. For this, we will be using Kali Linux as this tool is present in its repositories by default in it. We will also need a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.

It can be started using command as shown below.

sudo wifipumpkin3

Here’s its nice artwork once started.

To see all the commands that can be run using wifipumpki3, use the command shown below. 

help

To see all the available modules of Wifipumpkin3, use the “show” command.

show

To use any module, we have to use the command “use” literally.

use <module name>

For example, let’s load the wifi-wifiscan module. As its name implies, this module of wifipumpkin scans for all wireless access points and devices trying to connect to them.

We can see all options of a module by using the “options” command as shown below.

This module just requires the name of the wireless interface which can be set as shown below.

After all options are set, we need to use “run” command to execute the module. Then, the module displays all access points as shown below.

Select the access point you want to target. For this blogpost, we will select “Hackercool_Labs” access point. We want to create a rogue access point for this access point. For this, go back and use “Proxies” command to see all the available proxies.

As you can see, a proxy named pumpkinproxy is enabled by default. A rogue access point should provide internet just as the original wifi access point of which we are creating a rogue in order not to raise suspicions. Use “ap” command to view all the settings for our rogue access point.

We can change any options we want as shown below. Let’s change the SSID to “Hackercool_Labss” from “Wifi Pumpkin”. The name of the rogue access point should be almost similar to the original one. Here, we added extra “s” so that you can differentiate easily.

We can use “start” command to start the access point. Note that this access point is “open” and has no password. When any client connects to the rogue access point assuming it as the original one, the tool identifies the device as shown below.

We can see their browsing data to some extent. For example, our client is trying to visit Facebook.

Instead of allowing clients to directly connect to our rogue access point, we can present a login page to the client. For this, we have to use the captiveflask proxy.

Now, as soon as anybody connects to our rogue access point, he/she will be presented with a login screen as shown below.

As soon as the user enters credentials assuming that he connected to the original access point and it was prompting for credentials for some reason,

wifipumpkin 3 captures and displays the credentials as shown below.

Thus, we can capture credentials using this. To see all the devices connected to our rogue access point, we can use “clients” command.

We can even see all the information about connected devices using “dump” command.

Posted on by

Beginners guide to reaver

Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what is a WPS pin, why it is used, it’s strengths and weaknesses etc. In this article, you will learn about Reaver, a tool that brute force attacks WPS pins in order to retrieve WPA/WPA2 passphrases.

Let’s see how this tool works. For this we will be using Kali Linux as reaver is installed by default on it. We will also need a wifi adapter that allows packet monitoring. For this, we will be using ALFA AWVS036NHA wifi adapter.

After turning on Kali and plugging in the wireless adapter, the first thing we need to do is enable monitoring mole on our wireless adapter as shown below. Monitoring mode allows the wifi adapter to see all the available wireless networks.

Let’s use airodump to dump all the wifi access points it is monitoring.

Here are the wifi access points detected by our adapter.

We can also use wash to detect WPS enabled access points.

Next, we have to set our target. For this tutorial, we will be setting “Hackercool_Labs” access point as our target. We need to note its MAC address. Then, use reaver as shown below.

Here is the explanation for the options we set.

-i: interface

-b: -bssid or MAC address of the wireless access point.

-c: Channel on which this access point is advertising.

-V: Verbose output

Reaver starts trying to crack the WPS pin as shown below.

You can even use Pixiedust attack to crack WPS pins by specifying the “-k” option.

You can even specify the channel of the wifi access point for quicker cracking using the ‘-c’ option as shown below.

Depending on the access point, reaver can take between 4-10 hours to retrieve the WPA/WPA2 passphrase from the WPS pin while it takes around half of this time to crack the WPS pin itself. Learn how to crack WPS pins with Bully tool.

Posted on by

Beginners guide to Kismet

Hello, aspiring ethical hackers. In our previous blogpost, you learnt everything about wifi hacking. In this article, you will learn about kismet, a wifi security assessment tool.

Kismet is a wireless network and device detector, sniffer, war driving tool and intrusion detection system (WIDs) for not just wifi but also Bluetooth, Zigbee, RF and more. Let’s see the working of this tool. For this, I will be using Kali Linux as kismet is installed by default on Kali or is present in its repositories. We will also be needing a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.

First thing we do is to plugin the adapter to the system and check if it is connected to the device using command shown below.

iwconfig

In the above image, you can see our wireless interface is named “wlan0”. Next, we start monitor mode on our wireless adapter using command as shown below. Monitor mode allows the adapter to scan for all wireless networks in the air. 

sudo airmon-ng start wlan0

We can confirm if monitor mode is enabled on the adapter by once again using “iwconfig” command.

As you can see in the above image, the mode of the adapter changed from managed to monitor and its name changed to wlan0mon from wlan0. Now we have to start kismet on this interface. It can be done as shown below.

sudo kismet -c <wireless interface>

kismet starts capturing data immediately as shown below.

You can see the wireless network and wireless devices in a browser with the link given at the beginning of the capture. The URL is “localhost:2501”. Go to the URL using a browser. As soon as you do that, you will be faced with a login screen as shown below.

Since you are setting up kismet for the first time, set a username and password and most importantly don’t forget them.

Then click on “Continue” to see the interface of kismet.

Kismet will show you all the wireless access points it has detected.

While the top shows all the wifi access points and client devices, in the bottom you can see messages. Just beside the “messages” tab there is a “Channels” tab where you can see all the channels and active devices on each channel.

Coming to the top, while devices tab shows you all the wireless devices, clicking on the SSIDs tab displays all wireless access points. You can even search for a access point of your choice. For example, let’s search for wifi access point named “Hackercool_Labs”.

Clicking on the resulting entry shows more details about the wireless access point as shown below. We can see that the access point is a router from TP-Link.

It will also show the MAC addresses of the devices or clients connecting to this particular access point as shown below.

We can even learn more about the devices connecting to this access point. For example, the device that connected to our target access point is a mobile from Xiaomi. Similarly, we can identify other devices like cameras, smart devices etc.

We can learn the channel on which it is running and its frequency.

To the top left, there is a kismet menu.

Click on “Data sources”. This will give you information from where your data is coming.

By default kismet hops from one channel to another channel (channels are explained in our wifi hacking article) to collect information. You can even lock kismet to a single channel. For example, say 7.

That’s all for now. In our future updates we will show you what more you can do with kismet. Learn about wifipumpkin3 tool.

Posted on by

Aircrack-ng: Complete guide to beginners

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what is Wifi hacking and different techniques to hack wireless networks. In most of these hacking techniques, a tool named aircrack plays a very important role.

In this blogpost, you will learn about this tool. Aircrack-ng or aircrack ng is a complete suite of tools used to test wi-fi network security. The various functions of aircrack include,

  1. Monitoring: It can be used to capture wireless packets and save data in text file which can be processes by third party tools.
  2. Attacking: We can use it too perform various wireless attack like Replay attacks, DE authentication access points and other attacks.
  3. Testing: Checking Wi-Fi cards and capability of the drivers. (capture and injection)
  4. Cracking: For cracking WEF and WPA PSK (WPA 1 and WPA 1) passwords.

Just now, we have learnt that aircrack-ng is a combination of tools. Let’s understand what those tools are and what are they used for.

1. airbase-ng:

It is a multi purpose tool that can be used to attack the Wi Fi client instead of the Wi Fi access point.

2. airdecap-ng:

With this tool, you can decrypt WEP/WPA/WPA2 capture files. It is also used to remove the wireless headers from an unencrypted wireless capture.

3. aircrack-ng:

It is key cracking program.

4. airdecloak-ng:

Some wireless Intrusion Prevention System (WIPS) prevent WEP from being cracked by using fake WEP frames. This tool removes the WEP cloaking frame a captured pcap file.

5. airdrop-ng:

airdrop-ng is a program used to de authenticate users from access points. It uses rule based de authentication techniques that can be MAC address, type of hardware, etc.

4. aireplay-ng:

This tool is used to inject frames. It is used to generate traffic which can be used later by aircrack-ng for WEP and WPA-PSK key cracking.

5. airmon-ng:

It is used to enable monitor mode on wireless interfaces.

6. airodump-ng:

This tool is used to capture raw 802.11 packets. It is used particularly for collecting WEP IVS or WPA handshakes to crack later with aircrack.

7. airolib-ng:

This is a tool designed to store and manage ESSID and password lists. calculate their Pairwise Master Keys (PMK’s) and use them in WPA/WPA2 cracking.

8. airtun-ng:

This tool creates a virtual tunnel interface. It has two basic functions. They are, allowing all encrypted traffic to be monitored for wireless interface detection system (WIDS) and injecting arbitrary traffic into a network.

9. Besside-ng:

It is used to automatically crack WEP and WPA networks . See how to automatically crack WEP and WPA networks with Besside. Learn more about it .

10. dcrack-ng:

dcrack is used to distribute WPA2 / PSK cracking process across multiple servers.

11. easside-ng:

This tool is a magic tool that allows you to communicate with a WEP access point without knowing its WEP key.

12. packetforge-ng:

This tool is used to create encrypted packets to be used for packet injection. Using this tool, we can create various types of packets like ARP requests, UDP, ICMP and custom packets.

13. tkiptun-ng:

This tool is used to inject a few frames into a WPA TKIP network.

14. wesside-ng:

Wesside-ng is another auto-magic tool that uses a variety of techniques to get the WEP key.

    Cracking WEP passwords with aircrack

    Let’s see how to crack WEP passwords with aircrack. All wifi hacking attacks require a wireless adapter that supports packet injection. For this tutorial, I am using ALFA Wireless USB adapter. My attacker machine is Kali Linux which is installed on VMware. So I first connected the ALFA wireless adapter to my laptop and make sure it is connected to the Kali Linux virtual machine. Now, I open a terminal in Kali Linux and type command shown below that shows all the wireless interfaces connected to the machine. 

    iwconfig

    Then I start monitor mode on the wireless interface. Monitor mode is just like promiscuous mode on wired interfaces. When in monitor mode, the wireless adapter sniffs on all the wireless traffic around.

    I once again run the “iwconfig” command to have a look at the wireless interfaces to confirm monitor mode started on the Wireless interface.

    As you can see the name of the wireless interface changed from waln0 to wlan0mon. The monitor mode is on. To see all the traffic being observed by the wireless interface, I run the command airodump-ng on the wireless interface.

    how to crack wep with aircarck

    As you can see, this shows all the wireless traffic around us. There are many wireless networks available but my target is the Wi-Fi Access point I named “Hack_Me_If_You_Can”. I use the same airodump-ng to target the MAC address of target’s Access point and route all the traffic it has to a file named wep_hc_crack.

    In the above image, you can see the clients connected to the targeted Wi-Fi Access point. All the traffic belonging to the Wi-Fi access point “Hack_Me_If_You_Can” will be saved in the file “wep_hc_crack.cap”. What I am looking for is the initialization vectors that are useful in cracking WEP. This initialization vectors play a key role in cracking the password of any WEP enabled Wi-Fi access point.

    Just remember the more IV’s we have, the more the chances of cracking the WEP password. Since I need more traffic to crack the WEP password fast, I can use some tricks to create more traffic. A feature of aircrack-ng, aireplay-ng helps us to create more traffic. It has various methods of creating additional traffic. One such method is ARP request replay attack.

    The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a ne- w IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key. This attack can be started as shown below.

    where “-h” option is used to specify the MAC address of any client we want to use. Here is another way in which you can start the ARP replay attack.

    As initialization vectors start collecting in the wep_hc_crack file, I can use aircrack to try cracking the password. The command is “aircrack-ng wep_hc_crack.cap“.

    If the initialization vectors are too less (in this case I have a new 20) aircrack wait for enough initialization vectors. I continue the ARP request replay attack until traffic increases.

    You can see the traffic increasing. All have to do is play the game of patience now .

    After collecting almost 25000 IV’s aircrack finally cracked the WEP password. The password of the Wi-Fi access point is 1234567899. It’s a 64bit hexadecimal key. As you can see, it took me around one hour thirty five minutes for me to crack the password.

    Cracking WPA / WPA2 passwords with aircrack

    Now, let’s see how to crack WPA / WPA2 with aircrack. WPA stands for Wifi Protected Access. It is an encryption system to secure WLAN networks. It eliminates all known vulnerabilities in WEP(Wired Equivalent Privacy).  WPA uses 128 bit key and  48 bit initialization vector while WEP uses 108 bit key with 24 bit initialization vector. WPA2 is the successor of WPA. Both WPA and WPA2 use temporal key integrity protocol(TKIP) for encryption and  pre-shared key(PSK) authentication.  The only difference between WPA and WPA2 is that they use Rivest Cipher(RC4) and Advanced Encryption Standard(AES) encryption algorithms respectively. Both can be configured to use counter cipher block chaining mode(CCM) though. They are by far considered  most secure for Wifi networks.

    I am using the same arrangement I used for cracking WEP above. So let’s start. Once you have booted into Kali Linux, open terminal and type command “iwconfig”. It lists your wireless interfaces just like ifconfig shows wired interfaces.

    We can see that we have a wireless interface wlan0. Now we are going to start monitor mode on our wireless interface. Monitor mode is same as promiscuous mode in wired sniffing. Type command shown below. We can see below that monitor mode has been enabled on “mon0″.

    airmon-ng start wlan0

    Now let’s see all the traffic collected by our wireless interface. Type command airodump-ng mon0.

    Hit Enter. We can see all the wireless networks available as shown below.

    crack wpa

    We can see that all the wifi networks are configured with  WPA2 or WPA. We are going to hack the network “shunya”. We will collect the shunya’s network traffic into a file. Open a terminal and type command “airodump-ng –bssid <Mac address of wifi access point> -c 13 –write wpacrack mon0″.

    where

    • –bssid stands for base station security identifier
    • <MAC address> is the Mac address of access point.
    • -c is used to specify the channel the wifi network is operating on.
    • –write to write to a file.
    • “wpacrack”  is the file name we are writing into.
    • mon0 is the interface.

    Hit Enter. We will see the result as below.

    We can only hack a WPA/WPA2 protected Wifi network by capturing its handshake process or association( when the client is trying to connect to the wifi network.).  So let’s try to disconnect all the clients connected to the wireless network “shunya” first. Open a new terminal and type the command 

    aireplay-ng –deauth 100 -a <MAC> –ignore-negative-one mon0

    where

    –deauth are the de authentication packets,

    100 are the number of de authentication packets we want to send.

    -a stands for access point.

    <MAC> is the MAC address of the wireless access point.

    This command will send 100 de authentication packets to the broadcast address of the wireless access point. This will make all the clients connected to the “shunya” get disconnected. As soon as this happens, all the clients will try to connect back to the wireless network once again. We can see that a WPA handshake has happened in the previous terminal.

    Now let’s see where our capture file is located. Type “ls”. We will do dictionary password cracking here. So let’s find out where the dictionaries are.  Type command “locate wordlists”. This will show us a number of wordlists available by default in Kali Linux.

    Our captured traffic is stored in .cap file. We will use the wordlist big.txt for cracking the password. Open a new terminal and type command 

    aircrack-ng wpacrack-01.cap -w /usr/share/dirb/wordlists/big.txt

    Hit Enter. If our dictionary or wordlist has this password, the result will be as below. If our dictionary doesn’t have the password, we have to use another dictionary or wordlist.

    Remember that the choice of dictionary or wordlist will play a key role in WPA/WPA2 password cracking. So that is one way in which we crack wpa wpa2 password  with aircrack for you. Hope this was helpful. Learn how to crack WPA WPA2 with Fern Wifi cracker.

    Posted on by

    WPS pin is cracked but WPA key is not shown

    Hello aspiring ethical hackers. In this article, you will learn how to solve a problem that you experience while cracking WPS pin. We have seen how to retrieve WPA key by cracking WPS pin with both Bully and Wifite. Well, If you get WPA key as soon as you crack WPS pin, you are lucky. However, sometimes the WPS pin is cracked but the WPA-PSK key is not shown. For example, see the image below.

    In the above image, we can clearly see that the Wifite cracked WPS pin successfully but failed to get the WPA key. To get the WPA key in such cases, open a new terminal and type the command shown below.

    sudo systemctl stop NetworkManager

    Then using your favorite text editor open the file wpa_supplicant.conf located in  /etc directory.

    You should see the contents of the file as shown below.

    If there is any data more than this, delete it and just leave the above three lines. Then, run the command shown below.

    sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf

    Leave this terminal open and open another new terminal window and run the command as shown below.

    sudo wpa_cli

    It goes into interactive mode.

    While interactive mode is active, type the following command as shown below.

    status

    Many events will take place but what we are looking for is an event that says “connected”.  Once that happens, check the wpa_supplicant.conf file and you should be seeing WPA-PSK key of the wireless network as shown below.

    wps pin