Zer0Byte

Geekiest Techno News

Advance Wifi Network Pentesting Notes

Advance Wifi Pentesting Notes by Apache wolf

Advanced Wireless Network Pentesting Notes

First of all make sure to randomize your MAC address and clean your ARP tables, Use an ALPA usb wirless adapter device or whatever πŸ™‚

I- airdump-ng To Sniff The Traffic :

All people whom they do pentesting know this part i will not say all how packets works and how wireless AP works and how to use this tool by detail
just commands all people know out there πŸ™‚

commands :

1) ifconfig wlan0 up
2) macchanger –random wlan0
3) airmon-ng start wlan0
4) airodump-ng mon0

Now you will get all neighbors ( don’t do any pentest on peoples stuff please use this on your own lab )

II- WEP Cracking

Is easy that any noob can say i can hack the pantagon with this trick πŸ™‚
collecting IV keys :

minimal 5000 on 64 bit and 250000 on 128 bit

Commands :

1) airodump-ng -c (channel) -w (file name) Β—bssid (bssid) (interface)
2) aireplay-ng -1 0 -a (bssid) -h (Your bssid) -e (essid) (interface)
3) aircrack-ng -b (bssid) (file name-01.cap)

III- WPA and WPA2 The Hard Part :

This is what all people fears 128 bit to 256 bit encryption but if you do a pact with the devil you will take over your enemys ( i wouldn’t talk about RAID cause it will take long time to explain so, just i will explain how to pwnage APs using some social enginering methods and usual technical skills

1) Random Passwords :

Some people are very laisy to change thier configuration, so how we know they use default configs ?

For exemple you sniff the perimeter of AP signal you see sometimes people have default SSID like “DLINK_1DE62A3″,”Thomson_A1B2H3R5”, you fear if he use a strong password i say he don’t 90% of people who don’t have any knowledge about technical stuff wouldn’t change thier password, so go to any website like this one :

http://www.nickkusters.com/Services/Thomson-SpeedTouch

Here we see that this service can calculate random SSID to get the password
and its magicly works πŸ™‚

2) Numerical Password :

The title discribe itself its about numerical bassed password like this one “012345678” here people will kill thier self, so how do you know they use only numerical chars ?

Its easy try to capture 4 Way hand shake and use numerical chars first before trying anything else, make sure to use rainbow tables to make the brute force attack works faster, but it may not work 100% its up to your team work and material is it powerful or not to crack faster, for num chars it will be better than alpha num chars.

Commands :

  1. airodump-ng -c (channel) -w (file name) Β—bssid (bssid) (interface)
  2. I use this nasty tool πŸ™‚ MDK3 :

mdk3 d “stands for deauh ” -t “stands for target” “mac address” (interface)

exmple: mdk3 d -t xx:xx:xx:xx:xx:xx mon0

3. pentest/passwords/crunch/crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ | pyrit -e BTHub3 -i – -o – passthrough | cowpatty -d – -r wpafile.cap -s WPAnum

And let it bump πŸ™‚

3) WPS Brute Force :

Everyone use this lol exploit, you just brute force the WPS that will take less than 10 hours by doing this simple commands right down her πŸ™‚

Commands :

1) Reaver -i mon0 -b xx:xx:xx:xx:xx:xx -c “channel” –session=”any name you like” ( this option to save your work even if they close the AP ) -vv -a (stands for automatic to make the work problem free )

Exemple :

Reaver -i mon0 -b ff:ff:ff:ff:ff:ff -c 1 –session=wps -a -vv

4) Online Rainbow Tables And Online Brute Force Services :

4-1) Online Rainbow Tables Services :


This part is simple take your dumped CAP file and upload it to any online website but wait ! we ain’t finished yet, cause you must have one rule to have success on this step, you need a random SSID like “Linksys”, “Cisco”…

if so upload and you get your enemy under your feet bagin you to forgive him !!

in real world pentesting no one still use default ssid’s because its very causty and you will sounds dummy to your work mate πŸ™‚

Trarget : WPA-PSK

Free :

http://wpa.darkircop.org/

Free and Payed services :

http://www.renderlab.net/projects/WPA-tables/

http://www.onlinehashcrack.com/WPA-WPA2-RSNA-PSK-crack.php

https://www.cloudcracker.com/

4-2) Online Brute Force Services :

This works the same as Rainbow Tables but here you don’t need to bother yourself pay and wait to have your key, this part its costy if you use Amazon clouds it will cost you +1000$/hour so 24 hours will cost 24k make sure to use this service if you know that the company you do pentest for will pay you more than what you will spint x5 or more time πŸ™‚

Free and Payed services :

https://gpuhash.com/

https://www.cloudcracker.com/

http://aws.amazon.com/ec2/ (very costy but very fast)

Conclusion :

These are dome major attacks that can be used to get the password but we hope someone find new vulnerabilities like the last one based on SSID but not effective, to kick AP asses, make sure to practice everyday to be ready.

More practices means more skills.

Enjoy

More resource and tutorials :

1) Book: BackTrack 5 Wireless Penetration Testing Beginner’s Guide
2) Video tutorials about Wireless attacks :
Link: http://securitytube.aircrack-ng.org/Wi-Fi-Security-Megaprimer/WLAN-Security-Megaprimer-v1.iso

3) Book: hacking exposed wireless second edition
4) Link: http://www.concise-courses.com/security/hackin9-wireless-hacking/
5) Link: http://resources.infosecinstitute.com/category/wireless-security/

Comments

  1. […] Zer0Byte var hupso_services_t=new Array("Twitter","Facebook","Google Plus","Pinterest","Linkedin","StumbleUpon","Digg","Reddit","Bebo","Delicious","Email");var hupso_background_t="#EAF4FF";var hupso_border_t="#66CCFF";var hupso_toolbar_size_t="medium";var hupso_twitter_via = "LostMyPassword_";var hupso_image_folder_url = "";var hupso_twitter_via="LostMyPassword_";var hupso_title_t="Advance Wifi Network Pentesting Notes"; Tags:Advance, network, notes, Pentesting, Wifi […]