Wireless hacking – A new chapter from my book Linux, Programming and Hacking
Hello readers, currently I am putting the finishing touches on the second edition of my book Linux, Programming and Hacking. As such I will be posting a few sample chapters for review until release in late December. This chapter is on wireless hacking, specifically WPA/WPA2 and WPS. Enjoy and please do leave a comment below.
Chapter 4 Wireless hacking
How to hack Wi-Fi for free internet
One of the basic tenets of hacking is to ensure no one can trace you. I am certain nobody will send any attack helicopters if you break into their network. People generally feel a sense of futility when hacked. However, it is possible you will be traced if you provoke a target long enough or you hack somebody who really doesn't appreciate it.
One way to diminish the risk of being traced is to use wireless internet, or Wi-Fi. Now you are not stuck to an Ethernet cable that goes to your own router (that’s a smoking gun), but instead you use somebody else’s Wi-Fi connection. I am certain you are familiar with the list of possible Access Points (APs) that you see when you switch on Wi-Fi on your device. All you need is the password to gain access to a wireless network.
In this chapter we will go over the basics of obtaining access to a wireless network. I will detail some minor issues related to encryption and how your wireless network interface goes about connecting to an AP. That said, I will try to keep it light so you can easily follow the examples.
To gain access to a Wi-Fi network there are three levels of difficulty. The first two are trivial: either the AP has no password protecting it at all, or it makes use of the now obsolete Wired Equivalent Privacy (WEP).
- No password protection
This was once the most popular Wi-Fi setup. No one bothered to put up a password. However, people have gotten smart and are unwilling to have somebody ride along on their Wi-Fi network. Also, because manufacturers of wireless routers put a password on them as standard procedure, this is becoming uncommon in residential areas. However, a lot of businesses such as coffee shops and lunchrooms offer free Wi-Fi internet. Just don't forget that you shouldn't access anything on the internet with your name on it, because if you're going the way of the black hat hacker the police can reconstruct a lot using digital forensics. In a section below I will explain why and how you should also change your Media Access Control (MAC) address with the macchanger application. If you use that together with the anonsurf application from the start of this part of the book you are almost as safe as you can be.
- WEP protection
As mentioned, the second difficulty level is a wireless setup protected by the WEP protocol. These are also becoming uncommon because they were cracked rather easily.
WEP uses a 24-bit Initialization Vector (IV). Why is this important? Because it is way too short. Many cryptographic schemes use more than 256 bits. With 24 bits there are 2 to the power 24 possible combinations, or 16,777,216 to be exact. Thus there are 16.7 million-something possible Initialization Vectors. The IV is used as a seed to further encrypt a Wi-Fi packet. With WEP the remaining encryption is done with the RC4 stream cipher. This cipher requires that an IV never be re-used: if two data packets use the same IV and carry similar content, they can be easily decrypted. And though 16.7 million may sound like a lot, on a busy Wi-Fi network the same IVs would show up as often as 5 to 7 times per hour.
WEP is now rarely used: despite ever more complicated encryption protocols, it retained the weak 24-bit Initialization Vector.
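The IV-size argument above, worked through with the birthday bound as an added example (this is not code from the book): it computes how soon a 24-bit IV is expected to repeat, compares that with longer IV fields, and checks the formula against a seeded simulation. The packet rate of 1,000 per second and the assumption that IVs are picked uniformly at random are illustrative assumptions.

```python
import math
import random


def iv_space(bits):
    """Number of distinct IVs an n-bit field can express (2**24 for WEP)."""
    return 2 ** bits


def expected_repeated_pairs(n_packets, bits=24):
    """Expected number of packet pairs sharing an IV when each packet picks
    its IV uniformly at random: n(n-1) / (2N) with N = 2**bits."""
    return n_packets * (n_packets - 1) / (2 * iv_space(bits))


def prob_any_repeat(n_packets, bits=24):
    """Probability that at least one IV repeats among n random IVs,
    using the standard birthday approximation 1 - exp(-n(n-1)/(2N))."""
    return 1 - math.exp(-expected_repeated_pairs(n_packets, bits))


def packets_until_first_repeat(bits=24):
    """Birthday bound: about sqrt(pi * N / 2) packets before the first reuse."""
    return math.sqrt(math.pi * iv_space(bits) / 2)


def simulate_first_repeat(bits=24, seed=1):
    """Draw random IVs until one repeats and return how many packets that took.
    Deterministic for a given seed so the result can be checked."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(bits)
        if iv in seen:
            return count
        seen.add(iv)


def counter_wrap_seconds(packets_per_second, bits=24):
    """A driver that increments the IV instead of picking it randomly
    reuses every value once 2**bits packets have been sent."""
    return iv_space(bits) / packets_per_second


if __name__ == "__main__":
    # Assumed traffic level for illustration: 1,000 packets per second.
    for bits in (24, 48, 96):
        print(f"{bits:3d}-bit IV: first random repeat expected after "
              f"{packets_until_first_repeat(bits):.3e} packets; a counter "
              f"wraps after {counter_wrap_seconds(1000, bits) / 3600:.3e} hours")
    print("simulated 24-bit first repeat after packets:", simulate_first_repeat())
```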
- WPA/WPA2 encryption
WEP has been replaced by WPA/WPA2 encryption. In theory, hacking this is pretty much impossible if the users have chosen a truly random password. However, its security is flawed when people fill in simple passwords that they can easily remember. And so enter the hacker word list. A word list is a very long list of commonly used names, phrases and such that we will try one by one as the password for the system. One popular list is darkc0de.lst. You can download it from the internet. Essentially it is a text file of around 17 MB which has been compiled by hackers. We will be using the list to perform our hacks. Another list that comes standard with Kali Linux is the rockyou.txt list. You can find it in the directory /usr/share/wordlists. You can also make your own list with crunch.
The guide below will give you an overview of what is needed to hack into a WPA/WPA2 Wi-Fi network.
But first we will need to configure our own network interface to ensure anonymity and its ability to intercept packets from any wireless network of our choosing.
To find your own network device use the ifconfig command.
You should see the details for your wireless card under the heading wlan0, or wlan0mon if it is already set in monitor mode. This literally means that your first wireless card is used as an interface. Of course you could have multiple wireless interfaces, perhaps a USB card next to your built-in network interface. Then the second one would be marked wlan1. Note that you can limit your search to just one interface.
In the example:
root@kali:~# ifconfig wlan0mon
This returns only the details for interface wlan0mon.
As mentioned, mon stands for monitor. To attempt to hack a WPA/WPA2 protected network we need to place the network interface into promiscuous mode, also known as monitor mode. This is performed with the airmon-ng application as follows:
root@kali:~# airmon-ng check
The result is an overview of possible problems for putting the interface into monitor mode. Most of the time the warning can be ignored. Run the following command to override the results of the check.
root@kali:~# airmon-ng check kill
Now we can place the network interface into monitor mode as follows:
root@kali:~# airmon-ng start wlan0
A quick run of ifconfig should reveal that wlan0 has been changed into wlan0mon. Now we are able to liberally capture data packets. That only leaves us with ensuring our privacy is maintained.
Changing the MAC address
Every network interface device in the world comes with a unique MAC address set in the factory. This includes every wired and wireless interface. I am sure you must have seen what a MAC address looks like. It consists of 12 hexadecimal digits divided into 6 pairs. MAC addresses are used for communication between two pieces of hardware. Considering the OSI model, they exist one layer lower than the IP address, which is used to connect on the internet.
Kali Linux comes equipped with the application macchanger. The name says it all. Use the -h switch to get an overview of what it can do. Macchanger is thankfully really simple in its use. If you use the -l switch you get a list of all MAC address prefixes assigned to hardware manufacturers. The first six characters are fixed for a manufacturer.
To change our own MAC address we first need to shut down our network device. Ifconfig is used for this. This is almost the same as putting it in Flight Mode. Then we run the macchanger application with the -r switch and state the network interface for which the change is needed. As you can see from the screenshot below, a new MAC is assigned. But it will only remain changed for the duration of this computer session. After a reboot the permanent MAC is re-assigned.
It is also possible to manually assign a MAC to a network interface. The switch -m followed by the desired MAC is used. An example is as follows.
root@kali:~# macchanger -m 00:11:22:33:44:55 wlan0mon
Note the structure of the MAC address will need to be the same as before. But any new series of numbers will do. After changing it put the network device back on with ifconfig.
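The MAC structure described above (six hexadecimal pairs, the first three fixed per manufacturer), as an added example that is not from the book: a parser that validates the format, extracts the manufacturer prefix (OUI) and reads the two flag bits of the first octet, which is how a network defender tells a factory-assigned address from a locally administered one. The OUI table is constructed for the example; a real lookup uses the IEEE registry that macchanger -l prints.

```python
import re

# Octet pairs separated by ":" or "-", as in the text's 00:11:22:33:44:55.
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)

# Constructed OUI table for the example; these vendor names are made up.
OUI_TABLE = {
    "00:11:22": "Vendor A (constructed)",
    "a4:5e:60": "Vendor B (constructed)",
}


def parse_mac(text):
    """Return the six octets of a MAC address, or raise ValueError."""
    s = text.strip()
    if not MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return [int(part, 16) for part in re.split(r"[:-]", s)]


def describe_mac(text):
    """Split a MAC into its OUI and the two flag bits of the first octet."""
    octets = parse_mac(text)
    oui = ":".join(f"{o:02x}" for o in octets[:3])
    first = octets[0]
    return {
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown"),
        # bit 1 of the first octet: 1 = locally administered, 0 = burned in
        "locally_administered": bool(first & 0x02),
        # bit 0 of the first octet: 1 = group (multicast/broadcast) address
        "multicast": bool(first & 0x01),
    }


def looks_spoofed(text):
    """Defender heuristic: a unicast address with the locally administered
    bit set did not come from a factory OUI assignment, so it deserves a
    second look (it may also be a harmless OS privacy randomisation)."""
    d = describe_mac(text)
    return d["locally_administered"] and not d["multicast"]
```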
Scanning for targets
Now we are set to start scanning for potential targets. We will use the airodump-ng application for this.
root@kali:~# airodump-ng wlan0mon
You should see a list of wireless networks. You should also see your own network, otherwise you are doing something wrong. In that case use ifconfig to see the status of your network interface; perhaps you left it on 'down' when you performed a MAC address change.
It could also be that many of the networks are out of range and that you can only access your own. Well, for the purposes of this exercise you should hack your own so you at least know how it is done. Next time you can use a place which you know has Wi-Fi to try your luck. Word to the wise, usually wireless signals travel further in the morning.
However, chances are you will see a healthy, long list of potential targets for intrusion. Let the application run for a while before stopping it with Ctrl-c.
I will start this discussion with a few observations to narrow down your list of targets.
- The signal strength is vital for an attempted hack. The column PWR designates the power of the signal. Contrary to what you might think, a number closer to zero is better, since the values are negative. My own home wireless station has a value of around -20. Anything further from zero than -50 will become problematic.
- Below the list of possible wireless access points is a list of stations. These are clients that are currently connected to an access point. This is important to consider because we need to capture a four-way handshake between a client and an access point to have a chance at infiltrating the network. You should be able to see that each client has two MAC addresses. The first, designated BSSID, is that of the access point and you can probably see it in the list above. The second MAC address is that of the client device itself. Both are important to note down for a potential attack.
- As you look at the column ENC (Encryption) you will mostly see WPA2, some WPA and maybe even a WEP encrypted network once in a while. Perhaps you even see one or two open networks. Just pick a WPA2 network, as our method will work the same for WPA.
Capturing a four-way handshake
Now that we have a potential target, one with a strong signal and a client connected, we can move on to capturing the handshake. Open another terminal and use the airodump-ng command to now target one specific access point.
root@kali:~# airodump-ng --channel 13 --bssid 11:22:33:44:55:66 --write targetfilename wlan0mon
The switches are for the most part self-explanatory, but one may require some explanation. In the command we also note down the channel used by the access point. In this case the target of my choosing used channel 13. Channels are not really important; a lot of access points will use the same ones. But to prevent wasting time having airodump-ng try them all, the channel is specifically denoted.
With --bssid we set the target, in this case a fictional 11:22:33:44:55:66. With the switch --write we state the name of the output files we will generate. These will be needed later on to complete the hack, so pick something that can be easily distinguished. Finally, we note which network interface we want to use to collect all this information, in this case 'wlan0mon'.
Right now your interface is capturing the relevant beacons. In the example seen in the screenshot there are 3 clients connected to the access point. Yet I have so far not been able to capture the actual handshake. That only happens when a client connects to the access point. In theory you could end up waiting for ages for that to happen. That said, if the access point is in frequent use, you might get a handshake within minutes. Airodump-ng will report that it captured a handshake by stating so in the top right corner. As you can see, there is currently nothing there and the application has been running for 7 minutes.
To see a handshake capture in progress you can connect to the target access point with another wireless device if you happen to have access. There is also a more exciting method to get a handshake. We can kick clients off the access point and force them to reconnect. This is known as a de-authentication attack.
If you attempt this on your own home wireless network which happens to have a smartphone connected to it, you should be able to see a difference. Momentarily the connection should be lost. That said, the deauth attack does not always work, as router vendors have taken steps against it.
The attack can be performed with aireplay-ng, another application in the well-stocked ng stables. Here the MAC address after the switch -a denotes the access point and that after the switch -c that of the client. Remember, with airodump-ng we captured the client MACs.
As you can see at the top of the uppermost window, we now have a WPA handshake. With that accomplished we can turn off airodump-ng and aireplay-ng and move to the final phase of the attack.
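The de-authentication attack described above is what a wireless intrusion detection sensor looks for; as an added example that is not from the book, here is the detection side: a sliding-window count of deauth/disassoc frames per BSSID over a constructed capture summary, flagging a burst and noting whether broadcast deauths were among it. The record format (time, subtype, destination, source, BSSID), the client MAC, the window and the threshold are assumptions for the example; the BSSID is the fictional one from the text.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes used in the constructed records below.
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "11:22:33:44:55:66"          # the fictional BSSID from the text
CLIENT = "aa:bb:cc:dd:ee:01"      # constructed client MAC


def constructed_capture():
    """Constructed frame summaries: (seconds, subtype, dst, src, bssid).
    Beacons every 100 ms, one legitimate deauth (client leaves at t=5),
    then a burst of 40 deauths within one second starting at t=20."""
    frames = [(i / 10, BEACON, BROADCAST, AP, AP) for i in range(300)]
    frames.append((5.0, DEAUTH, AP, CLIENT, AP))
    for i in range(40):
        dst = BROADCAST if i % 2 else CLIENT
        frames.append((20.0 + i / 40, DEAUTH, dst, AP, AP))
    return frames


def detect_deauth_flood(frames, window=2.0, threshold=10):
    """Sliding-window count of deauth/disassoc frames per BSSID.
    Emits one alert when a BSSID first crosses the threshold and re-arms
    only after its count has dropped back below it, so a burst is one alert."""
    recent = defaultdict(deque)
    armed = defaultdict(lambda: True)
    alerts = []
    for t, subtype, dst, src, bssid in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append((t, dst))
        while q and t - q[0][0] > window:
            q.popleft()           # drop frames older than the window
        if len(q) >= threshold and armed[bssid]:
            armed[bssid] = False
            alerts.append({
                "bssid": bssid, "time": t, "count": len(q),
                # a broadcast deauth kicks every client at once; legitimate
                # access points almost never send one
                "broadcast_seen": any(d == BROADCAST for _, d in q),
            })
        elif len(q) < threshold:
            armed[bssid] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(constructed_capture()):
        print(alert)
```

The mitigation the text alludes to is 802.11w Protected Management Frames, which authenticates deauthentication frames so a client can discard forged ones; the counter above still shows the attempt even when it no longer succeeds.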
Cracking the password
After we have captured the handshake we can attempt to hack the wireless access point using the captured data. For this we use the aircrack-ng command and a word list of potential passwords.
root@kali:~# aircrack-ng nameoftarget.cap -w /Desktop/wordlist.txt
The application will now go through the list of possible passwords one by one, at a speed of roughly 500 attempts per second.
Congratulations. You are now performing a dictionary attack on an access point. The potential for free and limitless internet is at your fingertips. Chances are you are not going to find the correct password though. Though rockyou.txt and darkc0de.lst.txt are pretty good, most software vendors require users to fill out lengthy passwords or have a new password assigned during the initial installation of the router at home. My own router requires no less than 16 characters interspersed with hyphens. That said, I don't remember that password. I connect to a Wi-Fi repeater that has a much simpler password that 'I hope' only I know.
Here the science of password lists comes into play. Remember the paragraph on crunch where you created your own list?
That said, not all is lost. First off, you should really try a number of password lists on your target. You never know. Secondly, there is a chance to bypass the password security altogether, so we won't have to wait until the moment of universal heat death to crack an access point. This option targets Wi-Fi Protected Setup, or WPS for short.
So what is WPS? Basically, with the advent of WPA/WPA2 concerns arose that the security of a home wireless network was becoming too complicated for users to understand. While good default values and automation helped a lot, users were left in the dark when they wanted to assign new devices to their Wi-Fi. If you have friends over you may be hesitant to share your access point password. WPS came to the rescue with the option of generating a temporary PIN. It worked so well that since the standard was introduced practically all access points come equipped with a PIN. But the PIN is only eight digits long and the last digit is actually a checksum (so the PIN is really just 7 digits). With 10 to the power of 7 possibilities the good old days of WEP cracking are almost back. So let's try it out.
Step 1. Use Wash to identify WPS networks
First we use a tool called wash to find the wireless access points that have WPS enabled. It is similar to the aircrack-ng suite but its focus is on WPS. Use the -h switch to see the options:
root@kali:~# wash -h
Next we run wash in scanning mode:
root@kali:~# wash -i wlan0mon
At first glance the output is similar to airodump-ng. There is a list with columns such as BSSID, ESSID, Ch (channel) and dBm (power). However, we are interested in the column Lck: only those with the value set to 'No' can be attacked through the method that is explained in this section. That does not mean it will always succeed; a lot remains trial and error.
Step 2. Use Reaver to determine the pin
Just as with wash, check out the 'help' output for Reaver with the -h switch:
root@kali:~# reaver -h
As you can see in the description, Reaver is described as a "WiFi Protected Setup Attack Tool". We have thus moved on from scanning to offensive infiltration. Determining the PIN is no longer an innocent exploration, so you had better make sure you have permission to hack the wireless network you have selected.
Most of the Reaver command should look familiar. However, ensure you use the switch -N or --no-nacks; this will ensure that Reaver iterates through all possible PINs and does not get stuck trying the same one over and over. Other possible options include -d, which will ensure there is a delay between attempts at getting the PIN. --lock-delay will set a delay for when the access point locks out attempts at getting the PIN. Finally, you can also set the level of verbosity with the -v (-vv, -vvv) options. The more v's, the more feedback you are shown.
root@kali:~# reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -N
At first Reaver is waiting for a beacon. If none arrives you can do nothing but wait.
If a beacon has been obtained, Reaver switches into high gear. At first it will attempt to get the right channel. You can define one with the -c switch, but Reaver will eventually get there on its own as well. Afterwards Reaver will start its brute-force attack by trying every PIN combination. You may also get a [WARNING] message that the access point is rate limiting. This process can take anywhere between 5 minutes and 2 days. One important factor is whether the PIN starts with a low digit such as 0 or 1. Reaver goes through the numbers sequentially, so lower numbers are tried first.
That said, the rate limiting is an indication that manufacturers know of the WPS flaw. Sometimes they will even stop WPS access for a period of 24 hours. Still, eventually you will get there. A possibility exists to use a small single-board computer such as a Raspberry Pi to perform the hack. Reaver also allows you to stop and continue your brute-force attack, so do not delete anything if you think it is taking too long.
Step 3. Use Bully to find the WPA2 password for that PIN
Finally, we can try and use the tool Bully to get the associated WPA2 password for that PIN. Bully can almost immediately obtain the password for a PIN, but use the switch -h to have a look at its options:
root@kali:~# bully -h
Remember, when using bully only enter the first seven digits of the PIN obtained. The eighth PIN digit is a checksum and will cause an error when used. Bully will ask you to enter fewer than 8 digits.
root@kali:~# bully -b 11:22:33:44:55:66 -p 0123456 wlan0mon
Success, you have obtained a password to a wireless access point.