So many readers have an urge to learn how to hack Wi-Fi networks that I thought I should write a "how-to" on selecting a good Wi-Fi hacking strategy. Many beginners come here looking to hack Wi-Fi, but have no idea where or how to start. Not every hack will work under every circumstance, so choosing the right strategy is more likely to lead to success and less wasted hours and frustration. Here, I will lay out the strategies based upon the simplest and most effective first, through the most complex and difficult last. In general, this same continuum will apply to the probability of success.
1. Crack WEP
WEP, or the Wireless Equivalent Privacy, was the first wireless encryption technology developed. It was quickly found to be flawed and easily cracked. Although you will not find any new WEP-encrypted wireless access points being sold, there are still many legacy WEP APs still around. (On a recent consulting gig with a major U.S. Department of Defense contractor, I found nearly 25% of their APs were using WEP, so it's still out there.)
WEP can easily be cracked with Aircrack-ng using a statistical cracking method. It is nearly foolproof (don't prove me wrong on this). If you can collect enough packets (this is key), it's a simple process. This is one of the reasons you need an Aircrack-ng compatible wireless adapter. You must be able to inject packets simultaneously to capturing packets. Most off-the-shelf wireless cards are incapable of this.
To know whether an AP is using WEP, you can simply hover your mouse over the AP and it will display its encryption algorithm. Note that this approach only works if the AP is using WEP. It does not work on any of the other encryption schemes on wireless. If you are lucky enough to find a wireless AP with WEP, you can expect to crack its password within 10 minutes, although some claim to have done this task in less than 3 minutes.
check this link out for step by step guide for WEP Cracking
2. Crack WPS
Many Wi-Fi APs were equipped with Wi-Fi Protected Setup, or WPS, to make it simpler for the average home user without knowledge of Wi-Fi security measures to set up their wireless AP. Fortunately for us, if we can crack that WPS PIN, we can then access the control panel of the AP.
This PIN is relatively simple; just eight digits with one being a checksum, leaving just seven (7) digits, or 10,000,000 possibilities. A single CPU can usually exhaust those possibilities in a few days. Although this might seem slow, brute-forcing the PSK with many times the possibilities can take much longer.
If the wireless AP has WPS enabled, this is the preferred method of cracking modern wireless APs with WPA2. You can use either the Reaver or Bully in conjunction with Aircrack-ng to break these WPS PINs.
3. Crack WPA2
After the disaster that was WEP, the wireless industry developed a new wireless security standard known as WPA2, or Wi-Fi Protected Access II. This standard is now built into nearly every new wireless AP. Although more difficult to hack, it is not impossible.
When a client connects to the AP, there is a 4-way handshake where the pre-shared key (PSK) is transferred from the client machine to the AP. We can capture that PSK hash and then use a dictionary or brute-force attack against it. This can be time-consuming and is not always successful. Success is dependent upon the wordlist you use and the time you have to crack it
4. Evil Twin
If we can't crack the password on the AP, another strategy that can be successful is creating an Evil Twin—an AP with exactly the same SSID as the known AP, but controlled by us. The key is for the target to connect to our AP, rather than the authentic AP. Generally, computers will automatically connect to the AP with the strongest signal, so turning up the power on your AP can be a critical element of this hack. When the user connects to our AP, we can then capture all their traffic and view it, as well as capture any other credentials they present to other systems.
An effective variation on the Evil Twin is to set up a system with the same SSID and then present the user with a logon screen. Many corporate offices, hotels, coffee shops, etc. employ this type of security. When the user presents their credentials in our fake logon screen, we capture the credentials and store them. We can then use those credentials on their authentic AP to gain their access.
This process has been automated by a script called Airsnarf. Unfortunately, Airsnarf is out of date, but I have been working on updating it and will present the script and tutorial soon.
Before You Begin Wi-Fi Password Cracking
I strongly suggest that you read this article to become familiar with the terminology and basic technology of wireless hacking. In addition, to really be effective at Wi-Fi password cracking while using Aircrack-ng, the premier Wi-Fi cracking tool, you will need to have an Aircrack-ng compatible wireless adapter. Although it is not the perfect wireless cracking adapter, the Alfa AWUS036H is inexpensive, effective, and plug and play on Kali Linux.1. Crack WEP
WEP, or the Wireless Equivalent Privacy, was the first wireless encryption technology developed. It was quickly found to be flawed and easily cracked. Although you will not find any new WEP-encrypted wireless access points being sold, there are still many legacy WEP APs still around. (On a recent consulting gig with a major U.S. Department of Defense contractor, I found nearly 25% of their APs were using WEP, so it's still out there.)
To know whether an AP is using WEP, you can simply hover your mouse over the AP and it will display its encryption algorithm. Note that this approach only works if the AP is using WEP. It does not work on any of the other encryption schemes on wireless. If you are lucky enough to find a wireless AP with WEP, you can expect to crack its password within 10 minutes, although some claim to have done this task in less than 3 minutes.
check this link out for step by step guide for WEP Cracking
2. Crack WPS
Many Wi-Fi APs were equipped with Wi-Fi Protected Setup, or WPS, to make it simpler for the average home user without knowledge of Wi-Fi security measures to set up their wireless AP. Fortunately for us, if we can crack that WPS PIN, we can then access the control panel of the AP.
This PIN is relatively simple; just eight digits with one being a checksum, leaving just seven (7) digits, or 10,000,000 possibilities. A single CPU can usually exhaust those possibilities in a few days. Although this might seem slow, brute-forcing the PSK with many times the possibilities can take much longer.
If the wireless AP has WPS enabled, this is the preferred method of cracking modern wireless APs with WPA2. You can use either the Reaver or Bully in conjunction with Aircrack-ng to break these WPS PINs.
3. Crack WPA2
After the disaster that was WEP, the wireless industry developed a new wireless security standard known as WPA2, or Wi-Fi Protected Access II. This standard is now built into nearly every new wireless AP. Although more difficult to hack, it is not impossible.
When a client connects to the AP, there is a 4-way handshake where the pre-shared key (PSK) is transferred from the client machine to the AP. We can capture that PSK hash and then use a dictionary or brute-force attack against it. This can be time-consuming and is not always successful. Success is dependent upon the wordlist you use and the time you have to crack it
If we can't crack the password on the AP, another strategy that can be successful is creating an Evil Twin—an AP with exactly the same SSID as the known AP, but controlled by us. The key is for the target to connect to our AP, rather than the authentic AP. Generally, computers will automatically connect to the AP with the strongest signal, so turning up the power on your AP can be a critical element of this hack. When the user connects to our AP, we can then capture all their traffic and view it, as well as capture any other credentials they present to other systems.
An effective variation on the Evil Twin is to set up a system with the same SSID and then present the user with a logon screen. Many corporate offices, hotels, coffee shops, etc. employ this type of security. When the user presents their credentials in our fake logon screen, we capture the credentials and store them. We can then use those credentials on their authentic AP to gain their access.
This process has been automated by a script called Airsnarf. Unfortunately, Airsnarf is out of date, but I have been working on updating it and will present the script and tutorial soon.
No comments:
Post a Comment