How To Hack WiFi
https://www.freehowtohackwifi.com/
Information for Security Experts
Wed, 23 Aug 2023 00:55:42 +0000

How to Use Fern WiFi Cracker to Crack WEP Encrypted Networks
https://www.freehowtohackwifi.com/wep-attacks/fern-wifi-cracker/
Tue, 22 Aug 2023 22:00:56 +0000

In my original WEP cracker article, I walked you through a WEP crack using the airodump-ng tool, the aireplay-ng tool, and the aircrack utility. I used aircrack to crack my WEP key.

I used the other two tools, aireplay and airodump, to sniff the wireless traffic and then inject packets into the wireless stream in order to speed up my WEP crack. These three tools provide very deep levels of control.

You can modify the TCP traffic to, for instance, inject a certain number of packets during a specific period of time. You can really fine-tune your attack with aireplay. Aircrack also provides a huge list of options when attacking a password.

This level of granularity and control can really help you when you are out on wireless security audits. However, I’m going to discuss the Fern WiFi Cracker with you. It’s a pretty nifty utility, and you can use Fern to automate a WiFi crack with just a few mouse clicks.

Automation Using the Fern WiFi Cracker

Just so you know, I still prefer and recommend you study the other methods to crack WEP as well, by using airodump, aireplay, and aircrack.

Why? Because in order to be a good network security professional, you need to KNOW how this stuff works. It’s not enough to be able to click a few buttons. (We call those people keyboard jockeys or tool monkeys.) Understand what’s going on under the surface. WiFi hacking software comes and goes, but aircrack, airodump, and aireplay have been around for a long time. They’re all quality products and you should know how each of these three tools works and how they can be used in conjunction with one another for a successful WiFi crack. The Fern WiFi cracker is an example of some fairly new WiFi hacking software that’s worth it.

Fern is a great WiFi cracker to use in a pinch and it’s already included in Back Track and Kali Linux. However, you can download Fern’s source code right here. We can use Fern to do a WiFi crack against a WEP encrypted network. Start by launching Fern from the Applications menu button at the top-left corner of the screen.

If you’re running Kali Linux:

Applications > Kali Linux > Wireless Attacks > Wireless Tools

If you’re running Back Track:

Applications > Back Track > Exploitation Tools > Wireless Exploitation Tools > WLAN Exploitation

Launch the Fern WiFi Cracker and Crack WEP

From the menu, click Fern-wifi-cracker to launch the tool.

You should already have your wireless card in monitor mode. If not, see my previous article right now.

Click the drop down menu at the top of Fern and select your wireless adapter from this list. Click OK to any message boxes you get. After a few moments, the message Monitor Mode Enabled on… should appear in green as seen in the image.

Then click Scan for Access Points.

Fern will scan for WiFi networks in range, and will begin populating the WEP and WPA boxes.

Once the Fern WiFi Cracker finishes scanning for networks, you can select the network you are targeting by finding it in either the WEP section or the WPA section. In this example, I am targeting a WEP encrypted network with an SSID of Hack-WiFi.

You will have to select your target network from the drop down box and then click the WiFi Attack button to the right.

The Fern WiFi Cracker will now begin an automated WEP crack against the hack-wifi network. This may take some time, so if you need to get some coffee or take a dump, go for it. You’ll have a Please Wait… screen for a long time, as Fern goes through the process.

Remember, Fern is completely automated WiFi hacking software, so there isn’t anything left to do at this point other than to just allow Fern to sniff the WiFi network, authenticate to the device, begin injecting replay traffic, and finally to crack WEP.

In my case, the Fern WiFi cracker didn’t succeed until it captured about 25,000 IVs.

But finally, if everything worked as it should, you’ll get the message below:

How to Become a Wireless Security Auditor
https://www.freehowtohackwifi.com/general-wifi-hacking/wireless-security-auditor/
Sun, 13 Aug 2023 01:43:29 +0000

Your country needs wireless security auditors! If you only ask yourself one question today, let it be this: Do you have the drive and initiative to become a wireless security auditor?

If you happened to say yes, then you’re on the right path so far. In my opinion, IT Security is where it’s at. Maybe I’m biased, but the career IS exciting. And specifically, being a wireless security auditor is something special in my mind. Because wireless requires you to be close to the access point, you get to travel around to all your engagements. It’s awesome, I don’t know of a single wireless security auditor who sits at a cubicle for more than a day a week. With me so far?

A Wireless Security Auditor is Super Smart

The first thing you need to do is study. Lots of studying. I’m not going to tell you to go to school or take this exam or that one. Some of these security guys are all self-taught. What I’m saying is, in this industry, what matters is what you know. And it ends there. Walk into that interview and show the room you know what you’re talking about. As we say in the industry, “Don’t be a paper cert.” However, no matter what method of learning you undertake, there is one rule of thumb to keep in mind:

The ratio of hands-on learning to theory. Keep the hands-on training at around 80%.

Don’t get me wrong, THEORY is necessary, especially to produce a great wireless security auditor and not just a keyboard jockey. But let’s be honest, in the field, what matters most are results. If security experts can memorize charts of common TCP ports and types of viruses, worms, and trojans, but they cannot perform basic penetration testing, then they have failed. That’s the cold, hard truth. Just lean more toward hands-on and you’ll be fine.

Why Should You Become a Wireless Security Auditor?

Money isn’t everything, but the average salary for a wireless security auditor ranges from $60,000 up to $120,000 per year, more depending on experience and technical knowledge.

As you learn this stuff and take the time to actually read, follow tutorials (like the many free ones on this website), and do things hands on, you’ll start to have little “ahh ha” moments.

They will be infrequent at first but I promise you this: stick to it long enough and you will have one of these moments, and when you do, you’ll KNOW it. And they’ll come more frequently as time goes on and you continue to study. You’ll form more breakthroughs in your understanding.

You’ll deepen and broaden. And then you’ll have gotten it. You’ll be a wireless security auditor. And you know what else you’ll be? CONFIDENT! Enjoy all of the extra attention you get from this subliminal change in your behavior. But it will happen! Trust me, human nature is hardwired. Hard work pays off in the long run!

Once you do study up on this (for a long time and with great energy!) you will become armed with a keen understanding of attack methods and mannerisms. The very best wireless security auditor is the one who can analyze, attack, AND secure a wireless access point, finishing the IT Security Lifecycle full circle. You should strive to be like those guys.

You need to understand networking. Basic TCP knowledge. The best advice I can give you, that’s free, is to read up on all the different protocols from the Internet Engineering Task Force. These protocols come in the form of RFC documents.

Focus on the RFCs related to network security to get an understanding of TCP level protections. You will need to be able to read a TCP packet structure and analyze it. You will have to learn how to locate any malicious activity on any network. A wireless security auditor needs a shitload of tools to get the job done. But read up and get comfortable with IP tracing techniques and tools. Figure out where specific sources of traffic are coming from.

A wireless security auditor must offer protection against any possible attacks that might occur. Think of a wireless network like a football game. You need to develop a defense strategy from all angles. And I do mean all angles. Get creative. What if the mail guy slips into the building and jacks his laptop into the local network? Something like that happens and your entire digital security structure is bypassed.

Think especially about the security of the wireless network. You need to know how wireless security auditing is done in order to harden your own systems against the same attacks.

It will be a long process, but should you undertake the journey to becoming a wireless security auditor, you’ll reap great dividends for years to come. You’ll be able to walk into any organization and start auditing. Wireless security experts are in high demand throughout the world and studying up on this stuff will definitely help you. Choose your desired course and become a certified professional to make your future bright.

My free WiFi hacking tutorials are right here, totally free and a great place to start.

When WiFi Hacking Fails – DoSing Wireless Networks with MDK3
https://www.freehowtohackwifi.com/advanced-wifi-hacks/wifi-hacking-dos/
Sat, 12 Aug 2023 01:26:46 +0000

WiFi Hacking with Denial of Service (DoS) attack. Inevitably, as a wireless security professional, you will run into situations where all your complex WiFi hacking techniques fail.

You’ve run through all the command options, all of the tools. You’ve tried a dictionary attack, a WPS attack, and a precomputed attack. You’ve even tried spoofing the access point to trick others into connecting to yours and giving up the keys. You have done everything right, but still have failed. You’re defeated. Angry. Vengeful. God damn it, this secure wireless network is really pissing you off. You want to take it down. And I’m going to let you in on a little secret. Most wireless security analysts would stop right here, go to the network owners, and proudly declare “Your WiFi network has weathered all WiFi hacking techniques. There’s no way anyone is going to hack WiFi here, now about that fee…”

Here’s another secret. In order to become a really good wireless security expert, you shouldn’t just stop there. So what if WiFi hacking didn’t work… Because a lot of hackers follow the mantra, If you can’t hack it, DoS it.

WiFi Hacking Doesn’t Always Require Unauthorized Access

Not always, anyway. As I mentioned above, many black hats out there will simply resort to a denial of service attack against your wireless network if they’re unable to break into it. A denial of service attack is basically a sudden and sustained flood of traffic directed at another network device. It’s a dirty trick, and one that isn’t very subtle. In fact, denial of service attacks are loud and sloppy. Most black hat hackers are just in it for the yucks anyway. They’ll bring a wireless network down using sheer force if it’ll get them off.

The attacker will start off by performing some recon on the wireless network. At this stage, they’ll sniff around, may try to authenticate to the wireless access point, and they may send deauth packets to legitimate clients connected to the access point. If they do, watch out! You really should be capturing logs off the access point and reviewing them regularly. This is absolutely critical to stopping WiFi hacking attacks before they get anywhere.

Again, if an attacker fails to crack the wireless key, he may just DoS the whole network. And with wireless, this is very easy to do. It’s scary easy. I’m afraid. You should be too. Aahh.

In this scenario, we’re going to use the MDK3 network stressing utility. Network stressing is the legitimized word for denial of service. Security analysts use network stressing tools to determine how susceptible their networks are to denial of service attacks. Keep reading for a comprehensive MDK3 tutorial.

Use MDK3 for DoS WiFi Hacking Tests

MDK3 stands for Murder Death Kill 3. And it’s a tool that definitely lives up to its name. Because it’s designed specifically for WLAN environments, MDK3 does a marvelous job at crushing wireless network access by sending floods of traffic all at once. The flood of traffic prevents others from being able to connect.

Imagine you are a CEO of a small business. You’re traveling for work, and connected to the hotel’s WiFi connection. It’s vital that you get some information sent out tonight. But what happens when your competitor is sitting in the room next door, and he’s slamming your laptop with mdk3 packets? You won’t be able to get anything done, that’s what. You may lose important contracts as a result. Your business may suffer. So now you see just how dangerous denial of service attacks can be. They don’t destroy data or steal it, but they are perfect tools for reputation assassination.

Getting Started with MDK3 – DoS WiFi Hacking

As a prerequisite, make sure your wireless adapter is in packet injecting mode, otherwise this won’t work right at all.

To put the wifi adapter into packet injecting mode, look at the link above or use the syntax below to get an idea:

airmon-ng start <wireless interface>
mdk3 usage

Let’s test our wireless AP, named “WiFi hacking” against wireless DoS attacks. MDK3 is installed by default in the latest versions of Back Track and Kali Linux. To access the tool from Back Track 5 R3, go to Applications -> Back Track -> Stress Testing -> WLAN Stress Testing. Select MDK3 from the list. To access it from Kali Linux,

MDK3 should launch with the help menu already printed on the screen.

Be sure to go through the list of test modes one by one. Don’t be a shitty security professional, be a damn good one. KNOW how this stuff works. Because while MDK3 is an awesome proof-of-concept tool, it does not have a man page and the help options are somewhat limited. You’re pretty much on your own with this tool. But embrace it and learn this tool the old-fashioned way, by trial and error. More verbose help is available by running:

mdk3 --fullhelp

SSID Flooding with MDK3

One neat trick that MDK3 can do is SSID flooding, or beacon flooding. What this means is that MDK3 can broadcast hundreds or even thousands of fake access points. Others that are in the area will see all of these fake access points when they go to search for WiFi access points to connect to. As you can probably see, SSID flooding is not denial of service. However, this is still a pretty cool trick. Potentially, you could set up a dedicated computer with a wireless access point and have MDK3 running in SSID flooding mode at all times. You could, in effect, hide your legitimate wireless access point in a sea of fake access points. A sort of security through obscurity to prevent WiFi hacking attacks.

Here is the syntax to enable simple SSID flooding (MDK3 will generate random fake access point names):

mdk3 <interface> b -c 1

Just replace <interface> with the name of your wireless interface. Remember, usually it’s mon0.

The b option tells MDK3 to use beacon/SSID flooding mode.

-c 1 tells MDK3 to broadcast all the fake access points on channel 1. (To better hide the fact that these are all fake access points, you can try running multiple instances of MDK3 and specify a different channel each time.)

You can also specify a list of specific SSID names from a file by appending the command above with:

-f <file name>

Let’s say your business’s wireless AP broadcasts as “ACME Business”. You want to use MDK3’s SSID flooding mode to hide your access point amongst a bunch of similarly named but decoy access points. You could create a text file named “SSIDs” and fill it with fake access point names, perhaps names like “ACME WiFi”, “ACME Network”, “WiFi ACME”. Then, to bring this all together, you can simply run:

mdk3 <interface> b -c 1 -f SSIDs

There are tons of possible options for the SSID flooding mode:

b – Beacon Flood Mode

This spoofs tons of SSIDs. Remember, security through obscurity.

OPTIONS:

-n <ssid>       Use a specific SSID <ssid> instead of randomly generated ones
-f <filename>   Read SSIDs from a file
-v <filename>   Read MAC addresses and SSIDs from a file.
-d              Display Ad-Hoc APs
-w              Set WEP bit (Generates encrypted networks)
-g              Display APs as 54 Mbit
-t              Display APs using WPA TKIP encryption
-a              Display APs using WPA AES encryption
-m              Use valid accesspoint MAC from OUI database
-h              Hop to the channel where the AP is spoofed
-c <chan>       Fake an AP on a channel <chan>.
-s <pps>        Set the DoS speed in packets per second (the default: 50)

Authentication Flooding with MDK3

Moving on to MDK3’s actual DoS options, you will first look at authentication flooding, then conclude with deauthentication flooding. The idea behind authentication flooding is simple. Too many authentication requests at one time may cause the wireless access point to freeze up and perhaps stop working entirely (until someone reboots the thing, that is).

I will warn you that in my experience, authentication flooding doesn’t always work. Most wireless access points are robust enough to handle an authentication flood from one instance of MDK3. (However, if you had multiple laptops running authentication floods this may work.)

Deauthentication flooding works MUCH better (that’s why I am saving it for last) and it doesn’t require the resources that authentication flooding does. So let’s look at authentication flooding. A simple command to do authentication flooding is:

mdk3 <interface> a -a <ap_mac address>

All you need is the AP’s MAC address as you can see above.

The list of all possible options is below:

a – Authentication DoS mode

Send authentication frames to all APs found in range. By flooding the target AP with authentication requests, we can try to knock it offline.

OPTIONS:

-a <ap_mac address>   You need the access point’s MAC address, which can be obtained with airodump
-m                    Use a valid client MAC from OUI database
-c                    Don’t check that the test was successful, just run the attack
-i <ap_mac>           Performs an intelligent test on the access point (-a and -c will be ignored). This test connects clients to the AP and reinjects sniffed data to keep them alive
-s <pps>              Sets the speed in packets per second (Default: unlimited)


Deauthentication Flooding with MDK3

The DoS WiFi hacking technique that works best uses deauthenticate requests rather than faking authentication requests.

mdk3 <interface> d -b blacklist_file

Again, the only thing you need is the target access point’s MAC address. Save that MAC address in a text file and specify it after the -b option. This will send deauth packets to any and all clients connected to the access point specified in the file. (You can add more MAC addresses to deauth if you are evaluating multiple APs in range.)

d – Deauthentication / Disassociation Amok Mode

Kicks everybody found from AP

OPTIONS:

-w <filename>             Read file containing MAC addresses to ignore (Whitelist mode)
-b <filename>             Read from a file containing MAC addresses to attack (Blacklist Mode)
-s <pps>                  Set the speed in packets per second (Default: unlimited)
-c [chan,chan,chan,...]   Enables channel hopping. Without providing any channels, mdk3 will hop all channels until it finds the target you specified



So there you have it. Multiple ways to perform DoS WiFi hacking attacks using the MDK3 utility. Good luck in your penetration testing and network security careers!
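
For the log review recommended earlier in this article, here is an added example (not part of the original post and not MDK3 code) that scans management-frame records for the three patterns described above: beacon floods, authentication floods and deauthentication floods. The record layout, thresholds, addresses and sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# One 802.11 management frame as a monitor-mode sensor might export it
# (hypothetical record layout, constructed for this example).
Frame = namedtuple("Frame", "ts subtype src bssid ssid")

WINDOW = 1.0            # seconds per counting bucket (assumed)
MAX_DEAUTH = 20         # deauth/disassoc frames per BSSID per window (assumed)
MAX_AUTH_CLIENTS = 30   # distinct clients authenticating to one BSSID (assumed)
MAX_NEW_BSSIDS = 25     # BSSIDs first seen beaconing in one window (assumed)

AP1 = "00:11:22:33:44:01"   # constructed addresses
AP2 = "00:11:22:33:44:02"


def detect_floods(frames):
    """Return a sorted list of (window_start, alert_kind, subject) tuples."""
    deauth = defaultdict(int)         # (window, bssid) -> frame count
    auth_clients = defaultdict(set)   # (window, bssid) -> requesting client MACs
    new_bssids = defaultdict(set)     # window -> BSSIDs first seen in it
    seen = set()
    for f in sorted(frames, key=lambda fr: fr.ts):
        win = int(f.ts // WINDOW) * WINDOW
        if f.subtype in ("deauth", "disassoc"):
            deauth[(win, f.bssid)] += 1
        elif f.subtype == "auth" and f.src != f.bssid:
            # Count requests only; the AP's responses have src == bssid.
            auth_clients[(win, f.bssid)].add(f.src)
        elif f.subtype == "beacon" and f.bssid not in seen:
            seen.add(f.bssid)
            new_bssids[win].add(f.bssid)

    alerts = []
    for (win, bssid), count in deauth.items():
        if count > MAX_DEAUTH:
            alerts.append((win, "deauth-flood", bssid))
    for (win, bssid), clients in auth_clients.items():
        if len(clients) > MAX_AUTH_CLIENTS:
            alerts.append((win, "auth-flood", bssid))
    for win, bssids in new_bssids.items():
        if len(bssids) > MAX_NEW_BSSIDS:
            alerts.append((win, "beacon-flood", "%d new BSSIDs" % len(bssids)))
    return sorted(alerts)


def fake_mac(n):
    """Constructed station address number n."""
    return "02:00:00:00:%02x:%02x" % (n >> 8, n & 0xFF)


def baseline_frames():
    """Three seconds of ordinary traffic (constructed)."""
    frames = []
    for i in range(30):                       # 10 beacons per second per AP
        ts = i * 0.1
        frames.append(Frame(ts, "beacon", AP1, AP1, "ACME Business"))
        frames.append(Frame(ts, "beacon", AP2, AP2, "ACME Guest"))
    frames.append(Frame(0.40, "auth", fake_mac(1), AP1, None))    # client joins
    frames.append(Frame(0.41, "auth", AP1, AP1, None))            # AP response
    frames.append(Frame(1.70, "deauth", fake_mac(1), AP1, None))  # client leaves
    return frames


def sample_frames():
    """Baseline plus one burst of each kind (constructed)."""
    frames = baseline_frames()
    for n in range(40):    # second 1: 40 previously unseen BSSIDs start beaconing
        m = fake_mac(0x100 + n)
        frames.append(Frame(1.0 + n * 0.02, "beacon", m, m, "ACME %d" % n))
    for n in range(50):    # second 2: 50 distinct clients request auth on AP1
        frames.append(Frame(2.0 + n * 0.01, "auth", fake_mac(0x200 + n), AP1, None))
    for n in range(60):    # second 2: 60 deauth frames carrying AP2's address
        frames.append(Frame(2.0 + n * 0.01, "deauth", AP2, AP2, None))
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print(alert)
```

The thresholds need tuning against a site's normal traffic. On networks that support 802.11w (protected management frames), clients can also reject forged deauthentication frames outright.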

Hack WiFi with the Crunch Utility – No Dictionaries Needed
https://www.freehowtohackwifi.com/wpawpa2-attacks/hack-wifi-crunch-hashcat/
Fri, 11 Aug 2023 23:24:37 +0000

As you’ve probably discovered so far, there are tons of ways we can hack WiFi passwords, be they WEP or WPA/WPA2. For network security professionals, you need to muster all the troops you can get to help you in your wireless network audits. By this I mean tools.

Network security professionals need a vast range of hacking tools to assist them. The more they have available to them, the greater their chances of success. In this example, I am going to show you how to use another utility, called Crunch, to hack WiFi networks encrypted with WPA or WPA2. Crunch is an easy way to try to crack WPA passwords without using dictionary files. Sometimes, your WPA dictionary attacks fail, and the access point you’re targeting doesn’t use WPS, so a WPS attack is out too. What are you left with?

Give Crunch a Try – It Can Hack WiFi Too

Crunch is not like most password hacking tools most security professionals will use. Crunch is a wordlist generator. It can calculate combinations of letters, numbers, and symbols, and then test your password hashes against all the combinations. This is a brute force attack, so it should be your last resort when dictionaries fail and WPS hacking isn’t an option. There are a few caveats with using Crunch to hack WiFi keys. The first thing to keep in mind is that you’ll still need to capture a WPA or WPA2 handshake. So refer back to the first half of my WPA cracking tutorial linked above. It walks you through capturing the handshake.

The command we will be using to try and hack WiFi is relatively simple. But it will take a bit of time to type out, and make sure you don’t have any mistakes!

Open a terminal window and type:

crunch 8 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid 00:11:22:33:44:55 -w - hack-wifi-01.cap

We’re basically telling Crunch to auto-generate a list of passwords with a minimum of 8 characters and a maximum of 12 characters, and a mix of lowercase and uppercase characters with numbers thrown in as well. We’ll pipe the Crunch syntax and aim it at our WPA handshake capture file we sniffed in the beginning of our other tutorial. I’ll break down the command for you in proper fashion:

  • The 8 and 12 just tell Crunch to auto-generate a brute force list with a minimum of eight characters and a max of twelve. Since WPA requires at least eight characters we can save time by not testing anything under eight. I capped the number of characters tested at 12, but you may want to do your own research on the average length of a WPA passphrase.
  • What comes after is the alphabet in lowercase and then uppercase followed by the numbers zero through 9. Crunch will use this information to generate passwords of at least 8 characters and no greater than 12, all using the lowercase and uppercase letters with numbers.
  • | aircrack-ng --bssid 00:11:22:33:44:55 -w - hack-wifi-01.cap – We will need to point Crunch to aircrack, and specify our target network’s BSSID and the handshake we captured. In my original WPA hack WiFi tutorial, my target network had a BSSID of 00:11:22:33:44:55 and I had named the capture file “hack-wifi-01.cap”. Obviously your target’s BSSID and the name of your capture file may be different, so substitute accordingly. Know what you are doing!

Remember, knowing how to hack WiFi, actually understanding the mechanics behind it, is what separates the good network security professionals from the keyboard jockeys.

Now you are ready to use Crunch to break the WPA key. This alternate method may crack the password because it relies on brute forcing all combinations of a password rather than specific words in a dictionary.

More Troops for the Attack – Hack WiFi Using Hash Cat

An alternative to Crunch is using Hash Cat to hack the WPA or WPA2 password. If you use HashCat, you’ll need to first convert your .cap file to a .hccap file. And as long as you’re using the latest version of Back Track or Kali Linux, you should just be able to use aircrack to convert your .cap file to a .hccap file. For instance, if the name of your capture file is “hack-wifi-01.cap”, just run:

aircrack-ng hack-wifi-01.cap -J capture

Hashcat needs the .hccap file and cannot use the .cap like Crunch can. From Kali Linux, you can get to hashcat from /usr/share/oclhashcat-plus. To run Hash Cat, just type the command below from Hash Cat’s file location:

Hashcat-plus.bin -m 2500 -a3 hack-wifi-01.hccap abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 pause

  • -m 2500 tells Hash Cat to test in WPA/WPA2 mode
  • -a3 tells Hash Cat to use brute force mode, and we need to point it at “hack-wifi-01.hccap” which is my converted capture file containing the WPA/WPA2 handshake
  • As with Crunch, we can specify a character set to include in the brute force attempt.
  • We should use the pause switch to throttle Hash Cat’s cracking attempts.

So there you have it, two alternative brute force methods to hack WiFi networks, specifically encrypted with WPA or WPA2. Remember these are very time intensive attacks, but because of their nature, they are almost guaranteed to crack the password.

But you have to ask, how long? Brute forcing complex WPA/WPA2 passwords could take YEARS. Or hundreds of years. Or hundreds of thousands of years. As with most WPA2 attacks, this one is in no way guaranteed to work any time soon. But, it’s yet another useful tool you should keep in your IT Security toolbox.
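
To put numbers on "how long", here is an added example (not from the original post): it derives the WPA/WPA2 pairwise master key the way the standard defines it (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) and sizes the 62-character, 8-to-12-length search space that the Crunch command above enumerates. The guess rates are assumed round numbers, not measurements of any tool or hardware.

```python
import hashlib

# The character set used in the article's Crunch command.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_RATES = (1e5, 1e6, 1e9)   # guesses per second, assumed for illustration


def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.

    The SSID is the salt, so the same passphrase yields a different key
    on every network name, and each guess costs 4096 HMAC iterations.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(),
                               ssid.encode(), 4096, 32)


def keyspace(alphabet_size, min_len, max_len):
    """Number of candidates of every length from min_len to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def wordlist_bytes(alphabet_size, min_len, max_len):
    """Size on disk if the list were saved, one candidate per line."""
    return sum((n + 1) * alphabet_size ** n
               for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a constant rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def report(rates=ASSUMED_RATES):
    """Rows of (max_length, candidates, [years at each assumed rate])."""
    rows = []
    for max_len in range(8, 13):
        total = keyspace(len(ALPHABET), 8, max_len)
        rows.append((max_len, total,
                     [years_to_exhaust(total, r) for r in rates]))
    return rows


if __name__ == "__main__":
    # Published IEEE 802.11i sample values: passphrase "password", SSID "IEEE".
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    for max_len, total, years in report():
        cells = "  ".join("%.3g yr" % y for y in years)
        print("lengths 8-%d: %.3e candidates  %s" % (max_len, total, cells))
    print("8-character list on disk: %.2e bytes" % wordlist_bytes(62, 8, 8))
```

Every extra character multiplies the work by 62, so a long random passphrase moves the network out of reach of this kind of attack.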

MAC Spoofing and Packet Injection
https://www.freehowtohackwifi.com/general-wifi-hacking/mac-spoofing-packet-injection/
Fri, 11 Aug 2023 22:57:06 +0000

Step by step tutorial where I will walk you through every step to change (spoof) the MAC address of your wireless (WiFi) adapter using Linux BackTrack or Kali.

I originally included these steps to change your MAC address and enable packet injection in each of my other WiFi hacking tutorials. But it was redundant seeing the same thing so many times, so I’ve decided to create this separate detailed post where I show you how to spoof (fake) your MAC address.

1. Getting Kali or Back Track Linux to use your adapter in packet injection mode. This is necessary, and you cannot do any of these tutorials if your wireless adapter doesn’t use packet injection. Again, I really recommend that you check out the Alfa network cards. They’re great and they work out of the box with Kali and Back Track.

2. The last step is optional. I’ll teach you how to spoof the MAC address. Attackers regularly run MAC spoofing before an attack, so it’s helpful to know how this works and what to look out for.

Before MAC Spoofing, enabling Packet Injection

First things first, plug in your wireless network adapter. Then open a terminal window and run:

iwconfig

Now you need to locate your USB wireless adapter from the list of devices iwconfig prints back for you. Mine is named wlan2, but remember, yours may be named differently, and you will need to use the name of your USB adapter in place of mine. wlan0 is my internal WiFi card.

Now, put the adapter into packet capture mode by running:

airmon-ng start wlan2

(Don’t forget to substitute the name of your wireless adapter for wlan2!)
The airmon command creates a virtual WiFi interface on top of the physical one. We will be doing our WiFi hack (all the sniffing, spoofing, and injecting) through the virtual interface. Make note of the monitor mode enabled on section. In my case, Back Track named the packet-injecting interface mon0.

We are now ready to run our wireless security audits. We can choose from a huge number of wireless cracking utilities that are available to us in Kali or Back Track. We’ll run these tools while specifying the monitoring interface we just created. (In my case, mon0).

MAC Spoofing Step-by-Step

As computer and network security professionals, we should also be well aware of an attacker’s ability to spoof his MAC address. MAC addresses are vendor-specified identification numbers that all networking manufacturers put on their products. Each one is different. A MAC address is similar to a vehicle’s VIN number or a mobile phone’s IMEI number. If you know an attacker’s MAC address, you can determine what type of wireless antenna he is using.

However, if he’s done MAC spoofing, any logs that you manage to capture will only show the fake MAC address and not the real one.
As you can see, spoofing the MAC address prevents us from identifying the attacker. Just the type of thing a blackhat WiFi hacker would want to do.

Now that our adapter is in packet-injection mode, we should change our MAC address to cover our tracks. (Security administrators and consultants take note. The bad guys have probably changed their MAC addresses.) The macchanger tool in Back Track and Kali Linux can change your adapter’s MAC address. But, if you run the commands in the images below, you will receive permission errors.

This is because wlan2 and mon0 are both active. We have turned them on earlier. In order to spoof their MAC addresses, we must disable them, run the macchanger command, then enable the adapters again. It’s very easy, just run the commands below:
(Of course, be sure to change the name of mon0 and wlan2 if yours is different).

ifconfig wlan2 down

Hit Enter. Then run:

macchanger -r wlan2

When you hit Enter, macchanger will change your MAC address to a randomly generated one and display it for you. You can now bring the wlan2 interface back up by running:

ifconfig wlan2 up

You can verify that the spoofed MAC address is active by running:

ifconfig wlan2

Check that the Faked MAC: field that the tool generated matches the one listed in the ifconfig output. See the image below.


One strange thing I noticed was that if you change the MAC address of the physical network adapter, it will not actually change the MAC address of your virtual monitoring interface you created above. This means your real MAC address will leak through the monitoring interface. We can get around this by following the same steps to change wlan2’s MAC address. We will simply do the same set of commands on our virtual interface.
(Remember to change the name of your virtual interface if it’s different!)

ifconfig mon0 down
macchanger -r mon0
ifconfig mon0 up
ifconfig mon0

Be sure to verify that the MAC spoofing has worked on the virtual interface as well. And now you are finished, and ready to proceed to some of the other wireless security tutorials. Have fun!
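
For the administrators told to take note above, here is an added example (not code from the original article) of triaging client addresses in logs when the MAC itself cannot be trusted. It assumes a constructed DHCP lease log format (time, MAC, IP, hostname) and hypothetical function names; a locally administered address is a hint rather than proof, because phones randomise their addresses too and an address copied from a real vendor range is not flagged.

```python
import re
from collections import defaultdict

# Constructed DHCP lease log lines (not from the original page):
# time, client MAC, leased IP, client-supplied hostname.
SAMPLE_LEASES = """\
2023-08-20T10:01:12 00:1a:2b:3c:4d:5e 192.168.1.20 office-printer
2023-08-20T10:04:40 3E-91-0F-AA-10-07 192.168.1.31 kali
2023-08-20T10:19:03 d6:5b:c4:21:9e:f0 192.168.1.32 kali
2023-08-20T10:22:57 001a.2b3c.4d5f 192.168.1.21 reception-pc
"""


def normalize_mac(text):
    """Accept colon, hyphen or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac):
    """Classify an address by the two flag bits in its first octet."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    if first_octet & 0x01:
        return "group"      # I/G bit set: not valid as a station's own address
    if first_octet & 0x02:
        return "local"      # U/L bit set: locally administered, not vendor-assigned
    return "universal"      # looks vendor-assigned (can still be a copied address)


def review_leases(log_text):
    """Return (findings, changed).

    findings: (time, mac, hostname, kind) for every address that is not
              universally administered.
    changed:  hostname -> sorted MACs, for hostnames seen with more than one
              address, which can indicate a MAC change between sessions.
    """
    macs_by_host = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip lines that do not match the format
        when, raw_mac, _ip, host = parts
        mac = normalize_mac(raw_mac)
        macs_by_host[host].add(mac)
        kind = classify_mac(mac)
        if kind != "universal":
            findings.append((when, mac, host, kind))
    changed = {h: sorted(m) for h, m in macs_by_host.items() if len(m) > 1}
    return findings, changed


if __name__ == "__main__":
    flagged, moved = review_leases(SAMPLE_LEASES)
    for when, mac, host, kind in flagged:
        print(f"{when} {mac} ({host}): {kind} address")
    for host, macs in moved.items():
        print(f"hostname {host!r} used {len(macs)} addresses: {', '.join(macs)}")
```

Hostnames are client-supplied as well, so treat both signals as leads to correlate with other evidence, not as identification.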

Basic WiFi Hacking – Cracking WEP Security https://www.freehowtohackwifi.com/wep-attacks/wep-wifi-hack/ Fri, 11 Aug 2023 22:01:00 +0000

The WEP WiFi hack is the oldest one around. Increasingly, it’s less and less likely to be an option in your security audits and penetration tests. This is because most people now use more robust encryption methods like WPA2, and WiFi routers come with WPA/WPA2 enabled as default.

However, some IoT (Internet of Things) devices that need the Internet, or simply a WiFi network, to work, like wireless security cameras, wireless printers, ‘smart’ thermostats, and even ‘smart’ refrigerators, still use WEP security.

Numerous security holes exist in WEP, which is why you’re less likely to encounter it on an engagement. WEP (or Wired Equivalency Protection) was the first serious attempt to secure wireless networks.

WEP sought to give users the same amount of protection and confidentiality as wired networks provided. We can easily perform WEP-based WiFi hacks on those access points still dumb enough to use it. By exploiting a flaw in WEP’s RC4 stream cipher, we can decrypt the password based on traffic we collect from the access point over time.

We’ll need to capture a ton of packets (tens of thousands). The more packets we capture from the wireless access point, the more likely we are to have enough data to perform statistical cryptanalysis to decode the password. (But don’t worry, we’re going to drastically speed up the time it takes to collect enough packets to do this.)

If you haven’t read my original post on the basics of a WiFi hack, you really should, because it gives you a general understanding of WiFi security. There are, of course, videos and hacking tutorials on more advanced wireless attacks. But stay here for right now, because as long as you’ve already read the overview, you can move forward in time.

The easiest WiFi hack – Cracking WEP Wireless Encryption

Let’s get started. Boot into your Back Track or Kali Linux Live CD. Make sure you are connected to the Internet, then run updates:

apt-get update

Then run:

apt-get upgrade

Connect your wireless network adapter. We need to discover the name Back Track (or Kali) has assigned to the adapter. Run the following command and hit Enter:

Before we can do this WiFi hack, we need to enable packet injection on our wireless adapter.

Now run:

airodump-ng mon0

Airodump will literally dump the WiFi networks it detects in the air, as seen below:

As we can see above, only one network that airodump picks up uses WEP encryption, so we will focus our WiFi hack on this particular network. Once we make note of the BSSID and the CH (Channel) fields, we are almost ready to perform our WiFi hack. We’ll run airodump again, but instead of a broad sweep of the WiFi spectrum, we will focus only on the access point we picked out above.

Our command syntax is:

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

We just need to plug in the channel, BSSID, our packet-injecting interface, and supply a file name to save the packets to. To see the file (because you will need it soon), browse your Home directory and it should be there.

Hit Enter and let the packet capturing begin.

Now, we could simply wait to capture enough packets, but remember we need tens of thousands, and that could take way too long to reasonably wait. Wireless security consultants don’t have to wait around. If time is short for a WiFi hack, you can use the aireplay tool to inject the access points with packets. These packets trick the access point into tossing out even more of its own packets. This can happen very fast!

(This particular WiFi hack may only take a matter of seconds, depending on the number of packets you capture and how close you are to the access point.)

Open a new terminal window.

Remember to plug in your target’s BSSID and ESSID into the correct fields, and be sure to specify the name of your monitoring interface. It’s usually mon0, but yours may be different, so check. Also, you need to specify your spoofed MAC address after the -h switch.

aireplay-ng -1 0 -a (bssid) -h (your spoofed MAC address) -e (essid) (interface)


You should get an Association successful message. Now you can begin flooding the access point in order to capture more packets. Plug in the target’s BSSID, your spoofed MAC address, and your interface again. Hit Enter.

aireplay-ng -3 -b (bssid) -h (your spoofed MAC address) (interface)

Plan on hanging around until enough packets are harvested to run your WiFi hack.

Go back to your second airodump window where you are capturing packets to file. Keep an eye on the number in the Data column. It needs to be between 10,000 and 20,000. When you’ve captured 10,000 to 20,000, you can hit Control C to stop the capture.

Now you can attempt the actual WiFi Hack by running the aircrack tool. Plug in the target’s BSSID and the name of the capture file you started with the airodump command.  (The capture file should be located in your Home directory.)

aircrack-ng -b (bssid) (yourcapturefilename)


If you captured enough packets, the WEP key will appear next to the triumphant message Key Found. Use that key without the colons to log into the target’s wireless network.

Read up on Aircrack’s website. You can do much more than crack WEP  (as we’ll see later), and any security consultant worth their salt should be familiar with the ins and outs of aircrack. Congratulations on your first successful WiFi hack! Keep going!

Hacking Tricks for WPA and WPA2 WiFi Networks https://www.freehowtohackwifi.com/wpawpa2-attacks/wpa-hacking-tricks/ Tue, 08 Aug 2023 01:25:26 +0000

More advanced hacking tricks are required if your target does not use WEP encryption, and instead uses WPA Personal or WPA2 Personal encryption. (Here’s the WEP WiFi password hack if you missed it).

The truth is that most access points no longer use WEP encryption these days. And that’s definitely a good thing. But as a computer security expert, the vast majority of your wireless engagements will not involve WEP. In fact, I know some security auditors in the industry who have never come across a WEP network!

Because WEP has been cryptographically broken for almost two decades, business owners and home Internet users are switching to the much more secure WPA and WPA2 encryption for their wireless networks. WPA security is much stronger. It doesn’t suffer from the same weaknesses that WEP does. WPA and WPA2 use additional checks in the algorithm that watch for changes in the flow of data through the air. That, coupled with WPA/WPA2’s stronger encryption, means we cannot simply capture X number of data packets in order to discover the password. We will need to Statistical analysis won’t work here. You should really check out this excellent resource on WEP vs. WPA vs. WPA2.

However, there are hacking tricks available to us which might allow us to crack a WPA or WPA2 network. I say might because there are no guarantees. In order for us to attempt to hack WPA or WPA2, we will need to use a dictionary. A dictionary – or password list – is a .txt file filled with a list of common passwords, one on each line of the .txt file. Dictionaries and password lists can be as simple or as complex as you want. They can be filled with just random words in all lowercase, or they can be common words and phrases with capitalization, numbers, and symbols. The best security consultants keep huge lists of possible passwords to increase their chances of success. Remember: You will only be able to crack the password if it also exists identically in one of your .txt files.

What hacking tricks will we use to attack WPA/WPA2?

Our attack is two-pronged. To hack WPA, we must capture a TCP 4-way handshake between a client (a PC, tablet, or smart phone for example) and the server (the wireless access point we are targeting). We will need to capture the handshake using airodump, Wireshark, or some other packet capturing utility. Remember that during our attack on WEP, we also used airodump to capture the packets. So in this example I will use airodump again to capture the 4-way handshake.

After successfully capturing a handshake, we will move on to the second phase of our hacking tricks – attacking the WPA passphrase. This is where we will use our dictionaries – massive .txt files of possible passwords and phrases – to try and guess the WPA passphrase. We will only guess the password if it exists in one of our dictionary files.

1. Attacking WPA Security – Capturing the 4 way handshake

Let’s begin our WPA hacking tricks by booting into Kali Linux or Back Track. Open a terminal window, plug in your wireless network adapter, and make sure to spoof the MAC address first. Then put it into monitor mode.

Then, don’t forget to run your updates (you need Internet access):

apt-get update
apt-get upgrade

Now, run:

airodump-ng mon0

This starts capturing information on the nearby wireless access points (and any clients connected to them). When on a wireless security audit, make sure you are in range of the target. Otherwise you won’t see the target’s BSSID and what channel it’s on. When you find your target, write down or copy the BSSID and the Channel.

Open a new terminal window and run the command below to filter out everything and everyone else, and only capture the target AP’s packets.

airodump-ng -c 12 --bssid 00:11:22:33:44:55 --showack -w target-handshake mon0

I’ll break this command down for you.

  • -c indicates the channel our target AP is on. In this case, the target’s channel was 12.
  • --bssid If you’ve looked at my hacking tricks against WEP tutorial, you should know what a BSSID is. You will need to specify the target AP’s BSSID in here.
  • --showack is an optional but very useful option that provides more information in our packet capture that will help us later on.
  • -w tells airodump to write the packet capture to a file, which we named target-handshake in this case.
  • Lastly, be sure to include the monitoring interface you want airodump to listen on.

Hit enter and DO NOT CLOSE THIS WINDOW.

Let’s continue our hacking tricks against the access point. At this point you need to keep watching that airodump window and look for another MAC address to appear under the MAC heading. Ideally, you want to see multiple MAC addresses under the MAC heading.

The more clients we have to choose from, the more likely our hacking tricks are to be successful. The MAC addresses listed here are all clients who are connected to the access point right now. Any time one of these clients connects to the target access point, both ends exchange a 4-way handshake, basically a series of packets to ensure trust.

That is, the four-way handshake is a way for the client to prove the access point’s identity and a way for the access point to prove the client’s identity.

You need to capture this 4-way handshake because it contains information you can use to run your WPA cracker to try and guess the password. You either have to wait for a new client to connect to grab the handshake, or you can speed up these hacking tricks by forcing one of the established clients to deauthenticate from the access point. When the client reauthenticates, you can capture the four-way handshake. That’s where one of those client MAC addresses comes in.

Continuing on with your hacking tricks, choose which client you wish to deauthenticate, and make note of its MAC address from the previous airodump screen. Then open a new terminal window and run:

aireplay-ng -0 5 -a 00:11:22:33:44:55 -c aa:bb:cc:dd:ee:ff mon0

I’ll break this command down again.

  • -0 tells aireplay to inject deauthentication packets. Because I typed 5 after -0, it will send 5 deauth packets. But I can change this number if I want. See what works for you.
  • -a specifies the target’s BSSID.
  • -c specifies the client we want to deauthenticate. Type in the client’s MAC address here.
  • Last, remember to specify the monitoring interface.

(We can choose to send broadcast deauth packets as well. We don’t have to specify a client MAC, but it’s stealthier to do so.)

If our hacking tricks are successful so far, we’ll see plenty of ACK messages on the aireplay screen. ACKs are good. That means the connected client has acknowledged the deauths we just injected. It will then disassociate from the target access point.

Now go back to the original airodump window that you’ve kept open. You want to see that the WPA handshake has been captured. It will tell you that in the upper right-hand corner of the airodump window. Once you have this WPA handshake, you are ready to try and crack the WPA password.
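
Seen from the access point owner's side, the sequence described above (a burst of deauthentication frames, then a fresh 4-way handshake from the same client) is a detectable pattern. The following is an added example, not code from the original article: it assumes a constructed one-line-per-frame summary format, hypothetical threshold values, and reuses the article's placeholder addresses.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frame summaries (not a real capture):
# seconds, frame type, source, destination, BSSID.
SAMPLE_FRAMES = """\
100.00 data   aa:bb:cc:dd:ee:ff 00:11:22:33:44:55 00:11:22:33:44:55
130.10 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 00:11:22:33:44:55
130.12 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 00:11:22:33:44:55
130.15 deauth aa:bb:cc:dd:ee:ff 00:11:22:33:44:55 00:11:22:33:44:55
130.18 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 00:11:22:33:44:55
130.21 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 00:11:22:33:44:55
130.25 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 00:11:22:33:44:55
133.40 eapol  00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 00:11:22:33:44:55
133.41 eapol  aa:bb:cc:dd:ee:ff 00:11:22:33:44:55 00:11:22:33:44:55
400.00 deauth 00:11:22:33:44:55 12:34:56:78:9a:bc 00:11:22:33:44:55
"""


def detect_deauth_bursts(log_text, threshold=5, window=2.0, follow_up=10.0):
    """Return one alert per burst of `threshold` or more deauth frames for the
    same (BSSID, station) pair within `window` seconds. An alert is marked
    handshake_followed when EAPOL frames for that BSSID and station (or any
    station, after a broadcast burst) appear within `follow_up` seconds.
    The default values are assumptions to tune for your own network."""
    recent = defaultdict(deque)   # (bssid, station) -> recent deauth timestamps
    latest = {}                   # (bssid, station) -> most recent alert
    alerts = []
    for line in log_text.splitlines():
        fields = line.lower().split()
        if len(fields) != 5:
            continue              # not a frame summary line
        stamp, ftype, src, dst, bssid = fields
        now = float(stamp)
        # The station is whichever end of the frame is not the access point.
        station = dst if src == bssid else src
        key = (bssid, station)
        if ftype == "deauth":
            times = recent[key]
            times.append(now)
            while now - times[0] > window:
                times.popleft()   # drop frames that fell out of the window
            if len(times) < threshold:
                continue          # a single deauth is normal (client leaving)
            alert = latest.get(key)
            if alert is None or now - alert["last"] > window:
                alert = {"bssid": bssid, "station": station,
                         "first": times[0], "last": now,
                         "frames": len(times), "handshake_followed": False}
                latest[key] = alert
                alerts.append(alert)
            else:                 # same burst is still going on
                alert["last"] = now
                alert["frames"] += 1
        elif ftype == "eapol":
            for candidate in (key, (bssid, BROADCAST)):
                alert = latest.get(candidate)
                if alert and 0 <= now - alert["last"] <= follow_up:
                    alert["handshake_followed"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        note = "handshake followed" if a["handshake_followed"] else "no handshake seen"
        print(f"{a['first']:.2f}-{a['last']:.2f}s: {a['frames']} deauth frames "
              f"for {a['station']} on {a['bssid']} ({note})")
```

Where the access point and its clients support Protected Management Frames (802.11w), enabling it stops clients from acting on forged deauthentication frames in the first place.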

2. Load the WPA Cracker and Fire Away

Halfway there with these WPA/WPA2 hacking tricks. Hang in there and stay focused. We will use aircrack to attack WPA security. We’ll also need one of the dictionary files we have, and the airodump capture file. (The one we called target-handshake.) We point aircrack to one of our dictionary files and to our capture file containing the handshake. Aircrack will then test all the words in our dictionary file to check if one of them is the password. If this fails, we’ll need to try again, specifying a different dictionary.

Open a new terminal window and run:

aircrack-ng -a 2 -w dictionary-1.txt target-handshake-01.cap

  • -a 2 tells aircrack to use its WPA cracker method.
  • -w tells aircrack which dictionary to use. Because we should have many dictionary files, I’ll specify the name of my first one.
  • Lastly, we need to specify the name of our packet capture file we got from airodump. It may append a -0 after the file name, so check.

At this point we can only wait and see if our WiFi hacking tricks succeed or not. They’ll only succeed if the password is also in one of our dictionary files. If you are successful, aircrack will indicate KEY FOUND! and print the password on the screen for you.

But what do you do if the password is not in one of your dictionary files? You could try a WPS attack against the access point.

Kind of scary, isn’t it? Think about it, is the wireless password you use right now easy to guess? Do you think it may be something common, something that could conceivably appear in a WiFi hacker’s dictionary files?

Protecting Yourself Against WPA/WPA2 Hacking Tricks.

So how can you protect yourself against wireless hacking tricks like these and others?

To start, use a completely random passphrase of at least 14 characters. Something like:

hr#yN728ADqgx#12z

WPA security can be robust enough to protect you if you choose a passphrase like that. Basically the longer and more random the passphrase, the better. Think this is paranoid?

Think again. And yes, it is a pain. I get that. It isn’t easy to remember passwords like this, but there are some pretty neat ways to think of complex yet easy to remember phrases.
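
To make the advice above concrete, here is an added example (not code from the original article) that generates a random passphrase, compares its guessing cost with a password drawn from a dictionary file, and audits a passphrase you already use. The alphabet, the function names and the four-line wordlist are assumptions constructed for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and a few symbols that are easy to type
# on phones and TVs. 52 + 10 + 8 = 70 symbols.
ALPHABET = string.ascii_letters + string.digits + "#%+-_=!@"

# Constructed stand-in for a dictionary file (one password per line).
SAMPLE_WORDLIST = """\
password123
letmein2023
Summer2023!
smithfamilywifi
"""


def generate_passphrase(length=20):
    """Draw each character independently from ALPHABET using the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("a WPA/WPA2 passphrase is 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a passphrase whose characters were chosen at random."""
    return length * math.log2(alphabet_size)


def dictionary_bits(wordlist_size):
    """Entropy of a password that is simply one entry of a wordlist."""
    return math.log2(wordlist_size)


def audit_passphrase(candidate, wordlist_text):
    """Return a list of problems; an empty list means none were found."""
    words = {w.strip() for w in wordlist_text.splitlines() if w.strip()}
    folded = {w.lower() for w in words}
    problems = []
    if not 8 <= len(candidate) <= 63:
        problems.append("length outside the 8-63 characters WPA/WPA2 Personal accepts")
    if any(not 32 <= ord(ch) <= 126 for ch in candidate):
        problems.append("contains characters outside printable ASCII")
    if len(candidate) < 14:
        problems.append("shorter than the 14 characters this article recommends")
    if candidate in words:
        problems.append("listed verbatim in the wordlist")
    elif candidate.lower() in folded:
        # Assumption: cracking tools also try simple case variations.
        problems.append("listed in the wordlist apart from letter case")
    return problems


if __name__ == "__main__":
    fresh = generate_passphrase()
    print("generated:", fresh, audit_passphrase(fresh, SAMPLE_WORDLIST))
    print("14 random characters: %.1f bits" % random_bits(14))
    print("one entry of a 1,000,000-line wordlist: %.1f bits" % dictionary_bits(1_000_000))
    # The article's sample passes the audit, but anything printed in a
    # tutorial ends up in wordlists, so generate your own.
    print(audit_passphrase("hr#yN728ADqgx#12z", SAMPLE_WORDLIST))
    print(audit_passphrase("password123", SAMPLE_WORDLIST))
```

An empty audit result only means the passphrase is not in the list you checked; the protection comes from the random generation, not from passing the audit.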

Otherwise, you may even want to switch to using WPA2 Enterprise for authentication. This is much stronger wireless security than using a WPA or WPA2 Personal preshared key. You can set it up yourself or purchase an Enterprise WiFi system. This looks just like a regular wireless access point, but all the enterprise authentication is contained within the device. There is a virtual RADIUS server with users set up, so you don’t have to configure

The absolute best for the money is the Uqiwiu Access Point.

How To Enable WiFi On Kali Linux https://www.freehowtohackwifi.com/general-wifi-hacking/enable-wifi-kali-linux/ Wed, 19 Jul 2023 14:37:41 +0000

One of the most searched for terms in wireless (WiFi) pen testing is “enable WiFi Kali Linux” and there’s no mistaking why.

One of the most popular operating systems that IT Security Professionals and Penetration Testers use is called Kali Linux. Kali is a specialized, locked down Linux OS that comes preloaded with tons of security tools and utilities. If you’re an aspiring IT Security Professional you need to be using Kali Linux. Period. Get to know this Linux distribution intimately, and you’ll be well on your way to mastering the world of IT Security.

Thus, it’s not unusual that one of the common questions is “enable WiFi Kali Linux” or “How do I connect to the wireless network I am auditing, once I obtain the password or passphrase?” It’s actually quite simple to do and I am going to show you how below. You’ll find that you can use an easy GUI (Graphical User Interface) tool to do so. Because, what if you’re out on a security audit or penetration test and you need to verify access to the client’s wireless network?

Again, it’s easy. So let’s take a look below. And if in the unlikely event you still aren’t able to connect, check out the troubleshooting documents from Kali.org. They are extremely helpful. In this example, I am using the Alfa Long Range USB WiFi Adapter (model AWUS036H) and if you’re serious about doing this for a living, you really should be investing in one of these adapters as well. Why? Because they’re pretty cheap, and best of all they have plug-and-play support in Kali and BackTrack Linux. Yes, you don’t have to install any drivers to get this thing working. Just plug it in and you’re ready to go.

Enable WiFi Kali Linux – GUI Method

Moving on, we’ll explore the easiest method:

1. When you are logged into Kali, open a terminal window. We first need to bring the wireless adapter online for the operating system to see it. Study the commands below to do this:

iwconfig

This first command will print a list of all wireless adapters the OS detects. Usually, it will detect the wireless adapter as wlan0 as seen in the image. If you have connected a WiFi adapter capable of packet injection like the ALFA AWUS036H, you will have two WiFi adapters (wlan0 & wlan1): one is the built-in adapter of your laptop or PC, and the other is the ALFA. You can use either to connect to a WiFi network if you already have the password, but for packet injection you need to make sure you select the correct one (the WiFi card with a chipset that supports monitor mode and packet injection).

To bring wlan0 online run the command:

ifconfig wlan0 up

Now that the wireless adapter is up, click the icon of the computer at the upper right-hand corner of the screen.

The drop down box will display all the wireless networks that are within range, and you can connect to your target after successfully applying the wireless password.

Advanced WiFi Password Hack Techniques – WPS Attack https://www.freehowtohackwifi.com/wpawpa2-attacks/advanced-wifi-password-hack/ Tue, 18 Jul 2023 15:55:49 +0000

We can use a special WiFi password hack if a dictionary attack against WPA/WPA2 fails. If our target’s wireless router or access point uses something called WPS, we can hack the wireless password without actually having to attack the encrypted keys. We simply attack the WPS component instead.

Sounds complicated? It’s really not. WiFi Protected Setup (WPS) is a technology that allows easy access to secure wireless home networks. WPS-capable access points come hard-coded with an 8-digit PIN. Users can connect their devices to a WPS-capable access point without having to type the long passphrases commonly associated with WPA/WPA2 encryption. WPS only uses this 8-digit PIN to connect.

An 8-digit PIN has 100,000,000 variations, but luckily (for us) there are some additional WPS vulnerabilities that reduce our workload to only 11,000 variations. Statistically, we will crack the password in ½ the time, so count on only having to churn through roughly 5,500 PIN guesses before we crack the WPA/WPA2 password.

To get started on this advanced WiFi password hack, make sure you have the right tools:

  • Back Track or Kali Linux Live CD
  • A wireless network card capable of packet injection, like the ALFA AWUS036H High Power Wireless adapter.

First update Back Track or Kali Linux by performing the commands below (make sure you are updating as the root user). Open up a terminal window and update the distribution before proceeding:

apt-get update

When that finishes, also be sure to run:

apt-get upgrade

Once our MAC address is spoofed on both the physical adapter and on the virtual one, which we’ll use to sniff and inject with, we are ready to scan the surrounding air and pick out our target wireless network to perform a WiFi password hack on.

Then run the following command:

airodump-ng mon0

It will start picking up a ton of WiFi access points in the area, and your screen will fill up similar to the image below. I have, however, blocked out the BSSID and ESSID fields. You will want to pay careful attention to the BSSID, ENC, and ESSID fields.

The BSSID field displays the target access point’s own MAC address (which you will use soon).

The ENC field shows the access point’s encryption method. For the WPS-based WiFi password hack to succeed, the ENC field must show WPA or WPA2. This attack does not work against WEP WiFi networks.

The ESSID field shows the access point’s name.

Pick out your target’s access point. The easiest is to check the ESSID and try to determine it that way. Once you find your target access point, press control C when you want to stop listening on the interface. For reference, my target is outlined in purple below.

We are now ready to launch our attack against WPS. This is an online attack, so we’ll need to keep Back Track or Kali Linux online for the entire engagement. Keep another thing in mind. This particular WiFi password hack may or may not work. The reason is that it’s a blind attack. Not all access points use WPS, and savvy administrators know to turn WPS off entirely. We cannot be 100% certain that our target access point uses WPS, but we can be pretty sure that the odds are in our favor.

We will use an off-the-shelf WiFi password cracker called Reaver to do most of our work. Open up another terminal window in your Back Track or Kali Linux live CD, and run the command:

reaver -i mon0 -b (the target’s BSSID)

-i signifies the adapter we are going to run reaver from. In my case, it is mon0. (Again, for you it may be different.)

-b specifies the target’s BSSID field. The BSSID is the target’s MAC address. We will need to copy the target access point’s BSSID and enter it.

Hit Enter, and you’ll get some output similar to the image below.

Reaver may scan channels, but it should eventually associate with your target’s BSSID and then it will start the cracking process, cycling through 11,000 variations of an 8 digit PIN.

Eventually, reaver will crack the WPA password! I’ve highlighted it in purple. And even though all this is marked out it is VERY exciting when you get to this point! You now have the target access point’s WPA PSK. Also known as the wireless password. This is the key you will be able to type in to connect to the WiFi network. Congratulations, you’ve just performed a pretty gutsy WiFi password hack.

The most important thing to take away from this exercise is to NOT USE WPS. If your wireless router or access point uses WPS, it’s vulnerable to this form of WiFi password hack. How can you protect yourself? Check your wireless access point or wireless router. Look at the back, the bottom, and the sides for a sticker. If you see a WPS PIN number listed anywhere on the device, it definitely uses WPS. Contact the manufacturer and ask about this. Usually manufacturers will release updated firmware to close the WPS vulnerability. If they are not or haven’t disabled WPS with a firmware update, raise hell. At the end of the day though, you’re probably better off moving to a wireless AP that does not use WPS at all. You’ll sleep better at night.

Troubleshooting:

Reaver may time out. It may lose association with the target access point from time to time. In most cases, it’s best to Google the exact error you receive and you will find lots of suggestions. Reaver has a large, active user base and there are plenty of people out there to help.

Also, after 10 bad pins, expect a warning message from Reaver. This may be another sign the AP is rate limiting the connection (rather than temp locking) or is just being overwhelmed and cannot keep up with processing the influx of PIN guesses. You can tell Reaver to sleep for a specified period of time by appending your Reaver commands with:

--fail-wait=300

Some access points will temporarily lock their WPS state if they detect anything suspicious, like a sudden influx of WPS PIN attempts. The --fail-wait=300 option tells Reaver to stop testing different PINs, then check back after 300 seconds. You can play with the value to see what works best when on an engagement. This may help in situations where you are losing connection to the access point.

Good luck on your WiFi password hacks!

E Safety Online – A Beginners Guide to Online Safety https://www.freehowtohackwifi.com/general-wifi-hacking/e-safety-online-beginners-guide/ Tue, 18 Jul 2023 15:25:13 +0000

Nearly everybody owns a computer, but if you haven’t taken the right “E Safety” steps to secure your online experience, you may be a sitting duck for a wireless or Internet-based attack that could destroy your family, friendships, and career. That’s the truth, and there are plenty of examples on my other post.

Worldwide hacking attacks

Your WiFi access signal often extends outside your own home, sometimes well outside and it could bleed across the street and to other people’s houses. (Just go outside your house with your cell phone, search for wireless networks, and most likely your wireless network will still show up).

If the connection to your router is not password protected, you face a huge risk. Computer security is a growing concern for consumers, businesses, and anyone who connects to wireless networks. Why is that? Because thousands of identities are stolen each and every day. PCs and servers get hacked thousands of times every day.

The Information Age is actually the greatest arms race the world has ever seen. As security administrators develop new protection tools, monitoring platforms, and virus definitions, hackers are also creating new ways to beat them. Cyber-crime studies show that 65 percent of Internet users worldwide have been hacked at one time or another. Often, this comes in the form of a wireless attack. Using wireless networking equipment exposes a user to all sorts of wireless hacking attempts, and possible liability should the hackers gain access. It’s now more important than ever to know about and practice E Safety.

Always remember:

– An attacker could connect to your unsecured WiFi network and send humiliating e-mails. They may even be able to hack any laptops and PCs you have connected to your wireless network.

– Or they may simply use your network as a staging ground for launching more hacking attacks. Using you as a “digital beachhead”, hackers can launch attacks through multiple compromised networks to cover their tracks.

– They may also download illegal content through your WiFi network. (Think of all the people locked up for illegal file sharing and child porn. Imagine if just one of those people had been victim of an attack like this.)

– A computer forensics investigation into illegal activity will point right to you. People who are wrongly accused didn’t know about E Safety. That’s the hard, bottom line.

– A WiFi hacker who has gained access to your network can try to steal your banking information by spoofing bank websites. And it’s often undetectable to anyone not looking out for it.

It’s not enough to just know about E Safety. You need to know what to do to keep yourself safe.

1. Make sure your wireless access point is using WPA2 authentication. (If you’re a medium sized business or larger, you need to be using WPA2 Enterprise.)

2. Be sure that the WPA2 password you have chosen is HARD. It should include letters, numbers, and symbols. The password should be long. 15 to 20 characters are best, but do not use the minimum number of 8 characters. That’s too short. Any wireless hacking tool would have a good chance cracking an 8 character password.

3. Use a router that does not use WPS authentication. It’s marketed as being an easier way to connect devices to a WPA/WPA2 network (WPS lets you connect without entering the passphrase). WPS is broken and there are several off-the-shelf tools that can decrypt the WPA/WPA2 passphrase using the WPS vulnerability. It’s complicated, and you can read more about it in my advanced WiFi password hack article. Don’t use WPS.

4. Update your wireless router or access point to the latest firmware version available. One of the things you’ll come to learn about E Safety is how important it is to keep all your software and hardware updated. Contact the manufacturers or check their websites. You should be able to find firmware updates easily. Firmware updates often fix critical issues with their devices like security tools. In fact, most access point manufacturers should be releasing firmware updates to close WPS. If not, ditch that product and use one without WPS. Trust me, you’ll sleep better at night.

5. Regularly update your operating system. Always install the latest updates and security patches for Windows, Linux, and any other devices you may be using. And yes, this includes smart phones. This is one of the easiest ways to stay safe online.

6. When practicing good E Safety, using a firewall is a must. Windows and Linux have built-in firewalls. Use these, read about them, and did I mention use them? There are also a ton of free firewall products available for download. However, when it comes to firewalls, you get what you paid for. Free doesn’t always mean they’re the best. Paid firewall products usually offer greater levels of control as well as more accurate virus definitions.

7. Install a decent virus scanner and spyware scanner and make sure to update the definitions every single day. As I mentioned above, the Information Age is an arms race. Digital assaults are happening every day, and virus and spyware definitions are one of the ways the good guys are combating cyber-attacks. When you know the basics of E Safety, and you use all of these steps, you can rest assured that your data, privacy, and reputation are completely under your control.

These seven steps are easy for everyone to follow, and they provide a solid foundation for a secure network. By implementing the above, you’re already ahead of the curve. Don’t stop there, keep reading! And spread the word. Online safety is important, so you should be teaching (and yes, annoying) your friends and family on E Safety, what it is, and why it’s so important.
