Article: Main trends of Wi-Fi network security audit in 2018

I want to start this article with a preface. A long time ago I tried Wi-Fi hacking, but because of my youth, the lack of essential equipment and the fact that I didn't speak English at all, it was an impossible task. Given all that, I simply copied and pasted commands into the terminal without understanding what I was doing, and waited for a miracle. Naturally I failed and stopped even trying. But recently I decided to revisit the topic of Wi-Fi wireless network hacking methods. When I started reading articles on this topic, I found that there were a lot of hacking methods, but it was impossible to understand which method to use in a specific situation, because many of them were very old, so it wasn't clear which methods could still work. Then I decided to dive into this issue and try to understand all the necessary points. I also wanted to analyze which methods are still relevant and try to work out a more or less stable scheme of attacks. After I had tried most of the Wi-Fi hacking methods I decided to write this article so that others know which way to go while studying this topic. So that is the end of the preface; let's start!

I have singled out 4 main methods of Wi-Fi hacking that are still relevant today. I am going to cover them one by one so that you have a better understanding of them. I'll also attach links to the materials and programs you need to become acquainted with to carry out these attacks. I will share some tips concerning all the methods at the end of the article.

Types of wireless Wi-Fi networks attacks:
  • Pixie Dust
  • Wi-Fi Protected Setup (WPS)
  • Evil Twin
  • Handshake cracker
Pixie Dust

This vulnerability lies in the generation of the random numbers E-S1 and E-S2 on many devices. If we manage to find out these numbers, we can easily obtain the WPS PIN, and the key point is that these very numbers are used in the cryptographic function that is supposed to protect against WPS PIN guessing.
This type of attack is still viable, but the main problem is that there are already very few devices exposed to this vulnerability (speaking from my personal experience, I have found only a few Wi-Fi access points with this kind of vulnerability). But if you are lucky enough to find an access point with such a vulnerability, it will take you only a few seconds to hack it.

To perform this attack you need a chipset compatible with or . Atheros chipset has the best compatibility with these programs.

Programs:
  • - linux
  • - linux
  • - windows
  • – linux
Useful Information:
Wi-Fi Protected Setup (WPS)

This problem was found in the communication between a router and a new device connecting to it. An attacker who wants to hack an access point sends a PIN code for authorization in the wireless network. If the PIN code is wrong, the attacker receives an EAP-NACK response. Hence we can obtain the first part of the PIN code, while the second part can be derived by analyzing a checksum that is calculated from the first one. All of the above leads us to a brute-force attack. This attack will most likely be successful, as the number of required attempts decreases from 10^8 to 10^7.


This attack can be carried out much more often than the previous one. It turns out that 30% - 40% of routers on average have WPS enabled (it is necessary to mention that the developers have taken countermeasures: they added timeouts after several incorrect connection attempts, but there are still routers without blocking). Using this type of attack you can obtain the password of the target access point in 4 – 5 hours, but sometimes it can take up to 10 hours.
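The timeouts mentioned above are the access point's only line of defence against PIN guessing once WPS is left enabled. The following added example (my own illustration, not code from the article or from any router firmware) simulates a registrar-side lockout policy and shows how far it cuts the number of PIN guesses an attacker can have evaluated per hour. The policy parameters (3 failures per 60 s, 300 s lockout) and the one-guess-per-second attempt rate are assumptions; the keyspace of 10^7 is the figure the article gives.

```python
"""Registrar-side WPS PIN lockout policy (added illustration, not vendor code).

Models the countermeasure the article mentions: after several failed PIN
attempts inside a short window, the access point refuses all further PIN
attempts for a lockout period. Parameter values are assumptions.
"""
from collections import deque


class WpsLockoutPolicy:
    """Count failed PIN attempts (the EAP-NACK cases) and lock the registrar."""

    def __init__(self, max_failures=3, window_s=60.0, lockout_s=300.0):
        self.max_failures = max_failures   # failures tolerated inside window_s
        self.window_s = window_s           # sliding window for counting failures
        self.lockout_s = lockout_s         # how long all PIN attempts are refused
        self.failures = deque()            # timestamps of recent failures
        self.locked_until = 0.0            # registrar refuses attempts before this time

    def allows_attempt(self, now):
        """True if the registrar will evaluate a PIN attempt at time `now`."""
        return now >= self.locked_until

    def record_failure(self, now):
        """Register a wrong PIN at time `now`; returns True if this triggers a lockout."""
        self.failures.append(now)
        # Drop failures that have aged out of the sliding window.
        while self.failures and now - self.failures[0] > self.window_s:
            self.failures.popleft()
        if len(self.failures) >= self.max_failures:
            self.failures.clear()
            self.locked_until = now + self.lockout_s
            return True
        return False


def simulate_guessing(policy, duration_s):
    """Constructed scenario: one wrong PIN per second for `duration_s` seconds.

    Returns (evaluated, dropped): guesses the registrar actually checked versus
    guesses it refused because of the lockout. policy=None means no lockout.
    """
    evaluated = dropped = 0
    for t in range(duration_s):
        now = float(t)
        if policy is None or policy.allows_attempt(now):
            evaluated += 1
            if policy is not None:
                policy.record_failure(now)
        else:
            dropped += 1
    return evaluated, dropped


def hours_to_exhaust(keyspace, guesses_per_hour):
    """Worst-case time to try every PIN at the observed evaluated-guess rate."""
    return keyspace / guesses_per_hour


if __name__ == "__main__":
    PIN_KEYSPACE = 10 ** 7  # the reduced keyspace the article describes
    for label, policy in (("no lockout", None), ("lockout", WpsLockoutPolicy())):
        evaluated, dropped = simulate_guessing(policy, 3600)
        hours = hours_to_exhaust(PIN_KEYSPACE, evaluated)
        print(f"{label:10s}: {evaluated} guesses evaluated/hour, {dropped} refused, "
              f"~{hours / 24 / 365:.1f} years to exhaust {PIN_KEYSPACE} PINs")
```

With the assumed parameters the registrar evaluates only 36 guesses per hour, so exhausting 10^7 PINs would take decades instead of days; the lockout is global rather than per client because the client address is under the attacker's control. Disabling WPS altogether remains the simpler fix.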

To perform this attack you need a chipset compatible with or . Atheros chipset has the best compatibility with these programs.

Programs:
  • - linux
  • - linux
  • – windows
Useful Information:
Evil Twin

This attack method is closely related to social engineering and is carried out in two steps. The first step is a DoS attack against the victim's access point. In the second step we create a copy of the access point we have attacked. Thus the victim loses the Wi-Fi connection, and because of the DoS attack only our access point will be available in the list of networks. Now we have to wait a little for the victim to start connecting to our access point. When that happens, a page appears asking the victim to confirm their identity to access the Internet, or to update the router's firmware for further Internet access. In fact, all your actions depend only on your imagination.
In 80% of cases it happens this way, but you can also face some problems if the attack does not last long or is quite unstable.


I prefer using fluxion for this attack. In my opinion it works more stably than its analogues. I advise you to make your own phishing pages in fluxion, as the default ones are not suitable for CIS countries or are too old and can simply scare a victim away. I'll provide an article on creating projects in fluxion a little later.
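Both steps of the attack described above leave traces that a wireless IDS can pick up: a burst of deauthentication frames, and a second beacon advertising your own SSID from a BSSID you do not own (usually on a different channel and without encryption, since the phishing page needs the client to associate). The following added example (my own, not code from the article or from fluxion) runs both checks over constructed sample data; the baseline inventory, the frame records and the thresholds are assumptions, and the capture parsing that would feed them is not shown.

```python
"""Evil-twin and deauth-flood detection over constructed observations.

Added illustration, not code from the article or from any tool it names.
Input records are what a monitor-mode capture would yield after parsing;
the parser itself is not shown.
"""
from collections import defaultdict, namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel security")
DeauthFrame = namedtuple("DeauthFrame", "t src dst")  # t in seconds

# Baseline: the access points we legitimately operate (constructed sample).
BASELINE = {
    "CorpWiFi": [Beacon("CorpWiFi", "00:11:22:33:44:55", 6, "WPA2-PSK")],
}

# Constructed scan result: our real AP plus a clone advertising the same
# SSID from a different BSSID, on another channel, as an open network.
OBSERVED = [
    Beacon("CorpWiFi", "00:11:22:33:44:55", 6, "WPA2-PSK"),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 1, "OPEN"),
    Beacon("NeighbourNet", "66:77:88:99:aa:bb", 11, "WPA2-PSK"),
]

# Constructed frame log: 30 broadcast deauths spoofed from our AP's BSSID
# within 3 seconds, plus two genuine, widely spaced deauths from another AP.
DEAUTHS = [DeauthFrame(i * 0.1, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff")
           for i in range(30)]
DEAUTHS += [DeauthFrame(10.0, "66:77:88:99:aa:bb", "02:aa:bb:cc:dd:ee"),
            DeauthFrame(40.0, "66:77:88:99:aa:bb", "02:aa:bb:cc:dd:ef")]


def detect_rogue_twins(baseline, observed):
    """Flag beacons that carry one of our SSIDs from a BSSID we do not own.

    Returns a list of (beacon, reason) pairs. A changed security type is
    reported as an extra reason because it is the usual sign of a
    credential-phishing twin rather than a mis-inventoried AP of our own.
    """
    known = {b.bssid for aps in baseline.values() for b in aps}
    alerts = []
    for b in observed:
        if b.ssid not in baseline or b.bssid in known:
            continue  # foreign SSID, or one of our own APs
        reasons = ["unknown BSSID"]
        legit = sorted({x.security for x in baseline[b.ssid]})
        if b.security not in legit:
            reasons.append(f"security {b.security} differs from {legit}")
        alerts.append((b, "; ".join(reasons)))
    return alerts


def detect_deauth_flood(frames, threshold=20, window_s=5.0):
    """Sliding-window count of deauth frames per source address.

    Returns {src: peak count} for every source that sent at least
    `threshold` deauths inside any `window_s` window.
    """
    by_src = defaultdict(list)
    for f in frames:
        by_src[f.src].append(f.t)
    flooding = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flooding.get(src, 0):
                flooding[src] = count
    return flooding


if __name__ == "__main__":
    for beacon, reason in detect_rogue_twins(BASELINE, OBSERVED):
        print(f"ROGUE TWIN {beacon.ssid} from {beacon.bssid} ch{beacon.channel}: {reason}")
    for src, peak in detect_deauth_flood(DEAUTHS).items():
        print(f"DEAUTH FLOOD from {src}: {peak} frames in a 5 s window")
```

On the mitigation side, 802.11w (Protected Management Frames) stops spoofed deauthentication frames from disconnecting clients in the first place, and a client that has the network saved as WPA2 will not automatically join an open network with the same name, which is why the attack depends on the victim acting on the phishing page by hand.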

Programs:
  • fluxion - linux
  • – linux
Useful Information:
  1. Fake project creation for fluxion
Handshake cracker

This method is quite old, I dare say even ancient, but it is still effective and applicable to any Wi-Fi access point, since all of them perform the handshake. A handshake can be captured when a user who knows the right password connects to the wireless access point. After the handshake has been captured, we need to search for the password in a dictionary, and if we are lucky we will obtain the right one.

This method works in most cases, but as you have already noticed, one of the main problems of this attack lies in the dictionary itself and in your computer's power (if the password turns out to be too complicated it can be quite difficult to hack an access point using this method). According to statistics, most home routers have a numeric password, which ensures successful hacking.

If you have a good video card you can increase the speed of the password search by using it for password cracking. As for me, I don't have such an opportunity, as I have a MacBook, and I really don't like wasting a lot of time on password cracking and loading my laptop just to hack a single access point. Fortunately there is a service that can help you succeed in this task (searching and cracking), and it will do it much faster than I can myself. On you can search for and crack a password for only $2. It took me about 2 minutes to crack the password the last time I used this service (the password was numeric).
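The point of the last two paragraphs, from the defender's side, is that an all-numeric passphrase lives in a search space small enough to be exhausted offline in minutes, whatever the hardware. The following added example (my own, not code from the article or from any cracking tool) turns that into an auditing check for your own access point's PSK: it derives the search space from the passphrase's length and character classes and estimates the worst-case time to exhaust it. The guess rate of 500,000 per second and the 60-bit "weak" threshold are assumptions; the 8 to 63 character limit is the WPA passphrase rule.

```python
"""WPA passphrase keyspace check (added illustration, not code from the article).

Estimates the brute-force search space implied by a passphrase's length and
character classes, and the worst-case time to exhaust it at an assumed guess
rate. Intended for auditing your own access point's PSK.
"""
import math
import string

CLASSES = {  # character class -> (members, alphabet size)
    "digits": (set(string.digits), 10),
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "symbols": (set(string.punctuation + " "), 33),
}

# Assumption for the estimate, not a measured figure: an offline WPA2 guessing
# rate for a GPU rig. Change it to match the hardware you audit against.
ASSUMED_GUESSES_PER_SECOND = 500_000

# Assumption: below this many bits of search space we call the PSK weak.
WEAK_BITS = 60


def character_classes(psk):
    """Names of the character classes that appear in the passphrase."""
    return [name for name, (chars, _) in CLASSES.items() if any(c in chars for c in psk)]


def keyspace(psk):
    """Number of passphrases of the same length drawn from the same classes."""
    present = character_classes(psk)
    alphabet = sum(size for name, (_, size) in CLASSES.items() if name in present)
    return alphabet ** len(psk)


def assess(psk, rate=ASSUMED_GUESSES_PER_SECOND):
    """Describe the passphrase's resistance to exhaustive search."""
    if not 8 <= len(psk) <= 63:
        return {"valid": False, "reason": "WPA passphrases must be 8 to 63 characters"}
    space = keyspace(psk)
    bits = math.log2(space)
    classes = character_classes(psk)
    return {
        "valid": True,
        "classes": classes,
        "bits": round(bits, 1),
        "exhaust_hours": space / rate / 3600,
        # Numeric-only PSKs are the case the article singles out as falling in minutes.
        "weak": classes == ["digits"] or bits < WEAK_BITS,
    }


if __name__ == "__main__":
    for candidate in ("12345678", "Summer2018!", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

Note that the estimate is for exhaustive search only: a passphrase built from dictionary words or a date falls to a wordlist far sooner than its raw keyspace suggests, so a passing score here is necessary, not sufficient.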

Programs:
  • - linux
  • - windows / linux
Useful Information:
  1. [Tools List] Cracking passwords WPA/WPA2
  2. WPA2/WPA passwords cracking with Hashcat
  3. Increasing speed of password searching with a help of video card using Hashcat
Tips:

For a successful audit you will need the right Wi-Fi adapter with an appropriate chipset. You can get more information about these adapter models . After you have chosen a model you shouldn't buy it immediately. First read some articles about the chipset installed in the adapter on the . If you don't find any problems, or you find some but they are solvable, then you can buy it (it is necessary to point out that if you have any doubts it is better to ask the opinions of other users on a forum related to wardriving). As for me, I use the Alfa AWUS036NH and the TP-LINK TL-WN722N v1.

Bear in mind that the adapter won't solve all your problems. To make your connection perfect you will also need a good antenna. In my case I use both an omnidirectional 9 dBi Yagi antenna and a 16 dBi directional Yagi antenna. The first one is used when I only need to hack Wi-Fi for Internet use, and the second one I use to target a specific victim. One should always remember that a good signal makes your hacking successful.

Don't forget to increase during the attack if your adapter allows it, and also try to .

Atheros chipsets are perfectly suitable for WPS cracking as they work well with reaver or bully. Ralink chipsets are not as good, especially with reaver. Ralink can more or less work with bully, but not always, because sometimes you still need to make adjustments (so one should also take these factors into account).

You can buy an Alfa adapter at website. I can assure you that you will have no problems with this site; I didn't have any at all. And good news for those who don't live in Russia: this online shop delivers to other countries (before buying the Alfa adapter, it is necessary to read about all the pros and cons of the chipset installed in the adapter).

I also strongly recommend you take a look at the Positive Technologies report “Network Security Audit of standard 802.11” from 2017.



Personal Opinion:

From my point of view these are the four main attack types for obtaining the password of a wireless access point nowadays. Only the basic programs for implementing these four methods were presented in the article. I hope this article proves useful to you and that I didn't waste my time writing it.

The attached links may sometimes be repeated, because the given material can refer to several attack methods (the links to other resources have nothing to do with advertising them; I included them because I found the material really useful and well written).

Before you start using one-button programs for mass Wi-Fi hacking, you should first become familiar with the ones I have attached to this article. Without understanding how these programs work you simply won't understand why some frameworks fail in certain situations during the hacking process. First of all, don't forget to practice these attacks on your own router or a friend's so that you learn the material better and understand its main principles.

Source: www.codeby.net
 

Valkiria

Valkyrie with its additions here as here))

Types of wireless Wi-Fi networks attacks:
  • WEP attack
  • Pixie Dust
  • Wi-Fi Protected Setup (WPS)
  • Evil Twin
  • Attack on Wi-Fi access point from the global and local networks
  • Attack on RSN IE
  • Handshake cracker
The list of programs in Windows is also not complete

Scan networks:

  • ALFA WiFi Scanner
  • Wi-Fi Scanner
Wi-Fi Protected Setup (WPS) :
  • Dumpper
  • Router Keygen
  • Router Scan
  • Waircut
Handshake cracker
  • Aircrack-ng
  • Elcomsoft Wireless Security Auditor
  • HashcatGUI
Handshake capture:
Came already in 2019))
 