How to Hack Wireless Networks

-Disclaimer-

The purpose of this information is for the knowledge and studies only, Please DO NOT make use of this information in wrong manner.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What we are going to do here is to break into a wifi network and try to extract the data from the network.Let me not start with good story here rather let’s start the show.

Step1: First you need an O/S or say a tool, I would recommend Backtrack for our exercise. There are many other tools in the market but somehow I like this one, so lets go ahead in my way ;-) you can get the backtrack at http://www.backtrack-linux.org/

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.

Once your system is booted you will see the following screen “I am using Backtrack -4 final version here”

Step 2: Lets start playing with WEP crack. Give the command airmon-ng to see what interfaces are available. “airmon-ng is a script that can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to manage mode.”

Step 3: Type the command #airmon-ng stop ath0 to stop ath0 interface and then fire the command 

#airmon-ng start wifi0 which will force ath0 into monitor mode

Step 4: now give the command ifconfig ath0 down and change the MAC address.

Give the command 

#macchanger –mac 00:11:22:33:44:55 ath0

Now lets start the interface back , give the command

#airmon-ng start wifi0

Step 5: lets start scanning to see available networks to play with #airodump-ng ath0

(INFO: airodump-ng is used for packet capturing of raw 802.11 frames for the intent of using them with the aircrack-ng. if you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points. Additionally, airodump-ng writes out a text file containing the details of all access points and clients seen) 

Step 6: Now as we are associated, we can start sending packets back to the network, so we need to slowly increase the amount in #DATA field. Give the following command.

#aireplay-ng -3 –b $BSSID –h 00:11:22:33:44:55 ath0

Once you think the #DATA has climbed to a decent amount, open a new shell prompt and type the following

Aircrack-ng –n 64 –b $BSSID wepcrack-01.cap

(INFO: aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program. It can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This tool uses 2 methods to determine the WEP key, 1 is PTW(Pyshkin,Tews,Weinmann) which requires few data packets to crack the WEP key and other is FM/Korek method which incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing. There are other methods like dictionary method or a wordlist file or airolib-ng ) 

Congratulations!! You have got a Cake….. now you can restart your lappy with your regular O/S and connect to the network for which we have the WEP key.

Step 7: Now as we have successfully completed our journey till here , Let's try MITM(Man In The Middle) attack on friend to forward his internet traffic to our laptop . So lets get the tool “Ettercap NG-0.7.3” you can get that from http://ettercap.sourceforge.net/ This tool is available for almost all the O/S platform like Linux, FreeBSD, openBSD, NetBSD, Mac OS, windows 2000/xp/2003 and Solaris 2.X, you can download which ever you like, for the friends who wants to know what is Ettercap , Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

After installing if you are on linux, give the command

#ettercap –G on the shell and you will get the below GUI.

Step 8: Now go to Sniff -> unified sniffing and then choose your interface in my case it was ath0 Then go to hosts-> scan for hosts

Step 9: Now let’s see what all hosts are up for us to play with, to check this navigates to Hosts-> host list and you will find the list of ip address and Mac address. Get back to your basics of ip addressing, We all know *.*.*.1 IP is for the router which I am going to add to target1 and since I don’t know what all are the other ip’s I will put all other ip’s to target2

Now go to MITM-> arp poisoning and press ok, NOTE: Don’t check any other boxes here..

Lets start the Sniffing by navigating to Start-> sniffer

Step 10: Now we need to analyse the the traffic from their network , to do this we need 1 more tool (wireshark ) which you can download it from http://www.wireshark.org/ , but you have to be very much patience and get all your luck here, because they have to be using their internet when you are playing with their connections ;-).. now if you are using linux give the command #wireshark and you will get a GUI

Step 11: Navigate to capture-> interfaces and choose the interface you would like to use. To choose it, chick start that is next to the interface , you can get an idea of what interface to use by the amount of packets going in and out of it.

Now we have to sit back and wait till we get a bunch of packets , to make this test working I left my laptop for more then 2 hrs and got around 50K packets, now I had lots of packets to skim through on a laptop and it will take forever to search for one query so I have saved the pcap file (file -> save ) and will analyze it

Now lets see what all we got , click CTRL+F and clieck the by String bubble,

I am more interested in other persons password so I will look for password into that file and see what all I got and what all I see in the results was 2 account name and password.

You can now right click the packet highlighted and follow TCP stream you will be prompted with.. if you look into the results , you should be getting something like Email_textbox= nameofid@domain.com and Password_textbox=textpassword.

Play Safe !!


Cheers,
All the Best ...... :)