Skip to main content

Wireless Hacking - Part7

WIFI HACKING

WIFI hacking, it's always been a hot topic for hackers (security testers) and techie guys. So let's start gaining a little knowledge about it.

What is WI-FI?

Wi-Fi or WiFi is a technology for wireless local area networking with devices based on the IEEE 802.11 standards.802.11 is the "radio frequency" needed to transmit Wi-Fi, it was defined by Vic Hayes who created the IEEE 802.11 committee. Wi-Fi is a trademark of the Wi-Fi Alliance, which restricts the use of the term Wi-Fi Certified to products that successfully complete interoperability certification testing.

Devices that can use Wi-Fi technology include personal computers, video-game consoles, smart phones, digital cameras, tablet computers, digital audio players and modern printers. Wi-Fi compatible devices can connect to the Internet via a WLAN network and a wireless access point.

What is WIFI-Hacking?

Cracking of wireless networks is the defeating of security devices in wireless local-area networks. Wireless local-area networks (WLANs), also called Wi-Fi networks, are inherently vulnerable to security lapses that wired networks are exempt from.

Cracking is a kind of information network attack that is akin to a direct intrusion. There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by weak encryption.

Detailed Wireless Security Protocols: WEP, WPA, and WPA2

Wireless security protocols were developed to protect home wireless networks.

These wireless security protocols include:

● WEP
● WPA
● WPA2
each with their own strengths and weaknesses.

Wired Equivalent Privacy (WEP):
This is the original encryption protocol developed for wireless networks. As its name implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well-known security flaws, is difficult to configure, and is easily broken.

Wi-Fi Protected Access (WPA):
It was introduced as an interim security enhancement over WEP while the 802.11i wireless security standard was being developed. Most current WPA implementations use a preshared key (PSK), commonly referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses an authentication server to generate keys or certificates.

Wi-Fi Protected Access version 2 (WPA2):
This protocol is based on the 802.11i wireless security standard, which was finalized in 2004. The most significant enhancement to WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top secret — it’s probably good enough to protect your secrets as well!

About 802.11i
802.11i is a standard for wireless local area networks (WLANs) that provides improved encryption for networks that use the popular 802.11a, 802.11b (which includes Wi-Fi) and 802.11g standards. The 802.11i standard requires new encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). The 802.11i standard was officially ratified by the IEEE in June of 2004, and thereby became part of the 802.11 family of wireless network specifications.

















Security Issues:
    ● Weak password
    ● WPA packet spoofing and decryption
    ● WPS PIN recovery
    ● MS-CHAPv2
    ● Hole196

Detailed Security Issues

    ● Weak password

Pre-shared key WPA and WPA2 remain vulnerable to password cracking attacks if users rely on a weak password or passphrase. To protect against a brute force attack, a truly random passphrase of 20 characters (selected from the set of 95 permitted characters) is probably sufficient.

Brute forcing of simple passwords can be attempted using the Aircrack Suite starting from the four-way authentication handshake exchanged during association or periodic re-authentication. To further protect against intrusion, the network's SSID should not match any entry in the top 1,000 SSIDs as downloadable rainbow tables have been pre-generated for them and a multitude of common passwords.

● WPA packet spoofing and decryption

The most recent and practical attack against WPA is by Mathy Vanhoef and Frank Piessens, who significantly improved upon the WPA-TKIP attacks of Erik Tews and Martin Beck.They demonstrated how to inject an arbitrary amount of packets, with each packet containing at most 112 bytes of payload. This was demonstrated by implementing a port scanner, which can be executed against any client using WPA-TKIP. Additionally they showed how to decrypt arbitrary packets sent to a client. They mentioned this can be used to hijack a TCP connection, allowing an attacker to
inject malicious JavaScript when the victim visits a website. In contrast, the Beck-Tews attack could only decrypt short packets with mostly known content, such as ARP messages, and only allowed injection of 3 to 7 packets of at most 28 bytes. The Beck-Tews attack also requires Quality of Service (as defined in 802.11e) to be enabled, while the Vanhoef-Piessens attack does not. Both attacks do not lead to recovery of the shared session key between the client and Access Point. The authors say using a short rekeying interval can prevent some attacks but not all, and strongly recommend switching from TKIP to AES-based CCMP.

The vulnerabilities of TKIP are significant in that WPA-TKIP had been held to be an extremely safe combination; indeed, WPA-TKIP is still a configuration option upon a wide variety of wireless routing devices provided by many hardware vendors. A survey in 2013 showed that 71% still allow usage of WPA, and 19% exclusively support WPA.

● WPS PIN recovery

A more serious security flaw was revealed in December 2011 by Stefan Viehbock that affects wireless routers with the Wi-Fi Protected Setup (WPS) feature, regardless of which encryption method they use. Most recent models have this feature and enable it by default. Many consumer Wi-Fi device manufacturers had taken steps to eliminate the potential of weak passphrase choices by promoting alternative methods of automatically generating and distributing strong keys when users add a new wireless adapter or appliance to a network. These methods include pushing buttons
on the devices or entering an 8-digit PIN.

The Wi-Fi Alliance standardized these methods as Wi-Fi Protected Setup; however, the PIN feature, as widely implemented, introduced a major new security flaw. The flaw allows a remote attacker to recover the WPS PIN and, with it, the router's WPA/WPA2 password in a few hours. Users have been urged to turn off the WPS feature, although this may not be possible on some router models. Also note that the PIN is written on a label on most Wi-Fi routers with WPS, and cannot be changed if compromised.

● MS-CHAPv2
Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks, making them feasible with modern hardware. In 2012, the complexity of breaking MS-CHAPv2 was reduced to that of breaking a single DES key, work by Moxie Marlinspike and Marsh Ray. Moxie advised: "Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

● Hole196
Hole196 is a vulnerability in the WPA2 protocol that abuses the shared Group Temporal Key (GTK). It can be used to conduct man-in-the-middle and denial-of-service attacks. However, it assumes that the attacker is already authenticated against Access Point and thus in possession of the GTK.

LET GET OUR HANDS/SYSTEM WORKING

WIFI H@ck!ng with “Fluxion”

This article will be introducing a new method or cracking technique or script known as "Fluxion"

Tools Needed for H@ck!ng

    ● OS: Kali Linux
    ● Smart phone: Android/IOS
    ● Tool/Script Fluxion
    ● Most Important: Patience and Practice

What is Fluxion?

Fluxion is nothing but an advance script to crack Wifi passphrase. It's based on another script called "linset"(actually it's not much different from linset, think of it as an improvement, with some bug fixes and additional options), using something like a man in the middle attack/evil twin attack to get WPA password instead of going the brute-force/dictionary route.

How it works:

    ● Scan the networks.
    ● Capture handshake (can't be used without a valid handshake, it's necessary to verify the                       password)
    ● Use WEB Interface
    ● Launches a FakeAP instance imitating the original access point
    ● A DHCP server is launched in FakeAP network
    ● Spawns a MDK3 process, which de-authenticates all users connected to the target network, so              they can be made to connect to the FakeAP and enter the WPA password.
    ● A fake DNS server is launched in order to capture all DNS requests and redirect them to the               host  running the script
    ● A captive portal is launched in order to serve a page, which prompts the user to enter their WPA         password
    ● Each submitted password is verified against the handshake captured earlier
    ● The attack will automatically terminate once correct password is submitted

Installation of Fluxion

As we know that Kali Linux doesn't have this tool pre-installed, installation is the first process.
Link to download Fluxion:

    https://github.com/wi-fi-analyzer/fluxion

or

    https://github.com/Hacker-Inside007/fluxion
    (or search as per your compatibility)

Steps for Installation

    1. Create a folder “fluxion” and save the fluxion script (Downloaded from the above given links)
    2. Navigate to the folder
       ➡ Command : cd fluxion (or the name you have given the folder)
    3. Run the script
























        ➡ Command : ./fluxion or sudo ./fluxion
    4. By any chance you are getting a permission error, change the permission
        ➡ Command : chmod 755 fluxion (then try running the script again)
    5. If you get any dependencies errors or warnings, try running the installer script
        ➡ Command : ./installer.sh or sudo ./installer .sh




















Figure 2: “installer.sh” install all the dependencies and scripts into your OS KALI

6. When everything is installed absolutely fine then open fluxion
    ➡ Command : ./fluxion or sudo ./fluxion














Figure 3 : Main Page of Fluxion script

Now H@cK!nG Begins

Steps for hacking Wi-Fi password or passphrase

Step 1: As the main page welcomes you, it will ask to select language "English" (Please select language as per your compatibility).

Step 2: Select your interface (will be option "1"), as soon as you select your interface the scanning process starts (Terminal will open and close after 10 seconds) and it will show WIFI list.


















Figure 4: Selecting interface to start monitoring WIFI signals with BSSID and ESSID

Step 3: Choose the WIFI(#> ID(any wifi ID from the list)).



















Figure 5: WIFI list with their BSSID (MAC) and ESSID

Step 4: Choose option "1" (FakeAP – Hostapd).




















Figure 6: Selecting option 1 “FakeAP”

Step 5: Now we will capture the handshake, so press "Enter".
















Figure 7: Press “Enter” to start WPA Handshake

Step 6: Select option "1" (aircrack-ng) to capture the handshake (till you get "WPA handshake").












Figure 8: Select option “1” (aircrack-ng) for checking the handshake


















Figure 9: As there is “No” handshake with the WIFI router, will start “Deauth all” for WPA handshake

Note: When “Handshake” has been captured, then select option “1” (check handshake)

Step 7: Use option "1" (Web Interface), it will offer Login pages in different languages










































Figure 11: Select Option “1”(Web Interface) for selecting language




















Figure 12: Select option ”1” for creating fake login page in “English” and it will send it to the victim

Note: It's kind of a “phish” page, which is used to trick the victim.

After selecting the option for login page, you will see multiple windows popping up. DHCP and DNS requests are being made and also with "status reporting window" with deauth window.

Note: It’s basically getting victims off the actual AP to fake AP.

Now in the smartphone you will see two networks with same name. Here is the part where the attacker has to get lucky. If the victim opens the fake AP open network, they will be getting a fake login page to a wireless network. On clicking, a page will open and it will ask for "Password". As soon as the victim enters the password of the the WIFI (say it’s entering the passphrase of its own WIFI), and clicks on the "Submit" button and voilllaaaaa!!!! The password or passphrase appears on the screen.


































Figure 14: Fake login page will appear in browser as soon as victim selects the “FakeAP” in their smart phones

WIFI H@ck!ng with “Reaver”

What is Reaver?
Reaver is an open source tool that brute forces WPS (Wifi Protected Setup). This is the pin (usually printed on the bottom of your router) that you can use to authenticate other devices to your wireless network without typing in a password. With enough time, Reaver can crack this pin and reveal the WPA or WPA2 password.

What is WPS (Wifi Protected Setup)?
WPS stands for Wi-Fi Protected Setup and it is a wireless networking standard that tries to make connections between a router and wireless devices faster and easier. It works only for wireless networks that have WPA Personal or WPA2 Personal security. WPS doesn't provide support for wireless networks using the deprecated WEP security. Why are WPS pins vulnerable? Have a look at this paper => https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

How does it work?
Reaver has been designed to brute-force the WPA handshaking process remotely, even if the physical button hasn’t been pressed on the access point.
Reaver exploits the pin code which then reveals the password.

Tools Needed for H@ck!ng

    • OS: Kali Linux
    • Tool/Script: Reaver
    • Most Important: Patience and Practice

Now H@cK!nG begins

Steps for hacking WIFI password or passphrase

Step 1: Open terminal and check your WIFI interface.
            ➡ Command: airmon-ng













Figure 15: Checking Wireless Interface

Step 2: Start Monitoring mode of the interface.
            ➡ Command: airmon-ng start wlan0

As we can see, many PID (process Ids) are running, which can interfere with our hacking, so let’s kill them.




















Step 3: Kill all process Ids.
             ➡ Command: kill (type all PIDs) for example: kill 2646 2750 and hit “Enter”.

Step 4: Now to check how many routers have their WPS locked or not.
            ➡ Command : wash -i mon0















Step 5: Starting Reaver to attack WIFI router, brute-forcing WPS pin and getting password.
            ➡ Command: reaver -i mon0 -b [BSSID goes here] -d 30 -S -N -c 6 –vv
















Note: Cracking or retrieving passphrase time can vary system to system and strength of signal.

Sit back and have some coffee “Reaver” will do his work and present you with the passphrase.
Here we go with the passphrase or password of the WIFI router.
OK, so here we go with two good tools for WIFI hacking.



























Prevention of WIFI getting hacked

It's not always true that WIFI can be hacked, we can make sure they are protected with some small things to be done.

A simple method:
CHECK YOUR WIRELESS ROUTER LIGHTS

Your wireless router should have indicator lights that show Internet connectivity, hardwired network connections, and also any wireless activity, so one way you can see if anyone's using your network is to shut down all wireless devices and go see if that wireless light is still blinking.

Second method:
CHECK YOUR WIRELESS ROUTER DEVICE LIGHTS

Your router's administrative console can help you find out more about your wireless network activity and change your security settings. Go to your device list, it should provide a list of IP addresses, MAC addresses, and device names (if detectable) that you can check against. Compare the connected devices to your gear to find any unwanted users.


Now, how to keep your WIFI safe from being hacked

Don't let strangers use your network
Password-protect your wireless connection. Turn on WEP (wired equivalency privacy) or WPA (Wi-Fi protected access) on all of your devices, including your router, your media center, and your Microsoft Xbox entertainment system.

    • Make your password unique (like P@55w0rd@09)
    • Have WPA2 password encryption which has best security and high, too
    • Keep changing your password every 15 days or within a month.
    • Keep your WPS PIN locked

Move your wireless router
Place the wireless access point away from windows and keep it near the center of your house to decrease the signal strength outside of the intended coverage area.

Defend your computer
Keep all software current (including your web browser) with automatic updates. Make sure that your firewall is turned on and use antivirus and antispyware software from a source that you trust.

Keep Your Logins Secure
It’s easy to disable the feature in your browser that automatically types in log-ins and passwords. In a public place, do so as a best practice.Check the internet/downloading speed

When you are downloading something, see if the download speed is low :: it may be your WIFI is being used by others and the best way to check is an online test of internet speed.

So here we go with WIFI hacking and mitigation. Keep learning and Be Safe.

Note: Above article is for educational and security testing purpose only, to check your WIFI router’s vulnerability.

Popular posts from this blog

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was