Wireless Pentesting
This is for educational purposes and only to be performed on networks you have permission to do so.
Basic info on Wireless can be found here. This will be a walkthrough used to obtain wireless handshakes and PMKID using various tools such as Aircrack-ng, HCXDumptool, Bettercap, and Wifite.
Then we will crack the hashes using Hcxtools and Hashcat
This will require having a WiFi Adapter that supports monitor mode, also known as packet injection.
I myself have and recommend these adapters:
Alfa AWUS036ACM <-- Capable of 2.4GHz and 5GHz
Alfa AWUS036ACHM <-- Capable of 2.4GHz and 5GHz
Alfa AWUS036ACH <-- Capable of 2.4GHz and 5GHz (This more than likely *will* require driver installation)
Panda Wireless PAU09 N600 <-- Capable of 2.4GHz and 5GHz
Aircrack-ng
Find your interface. If you have one network card(capable of monitor mode/packet injection) it will be wlan0
, but if you have a second wireless USB dongle, it will most likely be wlan1
.
Put interface into monitor mode
Now we start scanning for networks doing some recon.
Once we have found our target(s), we press CTRL+C
to stop the scan
Now we focus our scan onto our target
We can name the .cap file whatever we want, I typically just name it the targets SSID
Now we can see here at the bottom, we see BSSID
, STATION
, PWR
, Rate
, Lost
, etc. this indicates if a device is connected to that network. This may not always show devices but is helpful to keep an eye on.
At this point we can simply wait for a device to connect to the network to obtain the handshake, or we send deauth packets to the network to force a device to reconnect to the network to obtain the handshake. We can do this in various ways.
In a second terminal we will send 10 deauthentication packets to the network and stop.
We can also deauthenticate a specific device that is connected to the network with
Once we have obtained the handshake, we will see our airodump terminal change, it will specify in the top right with WPA Handshake: BSSID
.
Note: We can also obtain PMKID with this method as well if the AP is vulnerable to that attack.
This is handshake is saved into the .cap file we specified we when target our airodump-ng scan. Once we have a handshake from aircrack, we will want to turn it into a hashcat compatible file. First we want to extract the handshake from the .cap file
OR using HCXDumptool
HCXDumptool
This may depends on which version you have installed. Eg. v6.2.9 has a different interface than v6.3.0+. I'll be going with the most up to date (currently v.6.3.5)
This attack is not guaranteed!!. Not all access points(APs) are vulnerable to the PMKID attack, BUT this can still obtain us EAPOL M1M2M3 or EAPOL M1M2M3M4 auths.
Info on PMKID on Hashcat Forums
Like other methods, we find out interface and put it into monitor mode.
HCXDumptool v6.2.9
Once we obtain our PMKID we will see it at the bottom
We MAY see PMKID:XXXXXXXXXXXXXXX
OR PMKIDROGUE:XXXXXXXXXXXXXXX
, Even potentially M1M2ROGUE: XXXXXXXXXXXXXXX
.
PMKID:XXXXXXXXXXXXXXX KDV:2
means You captured a PMKID requested from a CLIENT. WPA version (Key Descriptor Version) is WPA 2. You can recover the password from this.PMKIDROGUE:
XXXXXXXXXXXXXXX KDV:2
means the PMKID is requested by hcxdumptool and not by a CLIENT. You can recover the password from this.M1M2ROGUE : EAPOL M2
is requested from a CLIENT by hcxdumptool and not from an ACCESS POINT. You can recover the password from this.
HCXDumptool v6.3.0+ (currently v6.3.5 as of writing this)
To target AP(s) we scan for target(s) with airodump-ng
Grab the BSSID(s) of our targets and put them in a Berkeley Packet Filter (BPF) .bpf
file. with tcpdump OR hcxdumptool.
TCPDump
HCXDumptool
** NOTE: We can target multiple APs
TCPDump:
HCXDumptool:
Now run it against our target
To target all APs around(Not recommended without given permission)
After a while we may see the + under the 3 or P of our target. Both of which can be used to obain the password with hashcat.
Bettercap
Handshake
Like with aircrack, we find out interface and put it into monitor mode.
Now we start bettercap selecting our interface
We begin scanning for networks
We can also show the WiFi Manufacturer of the AP
At this point we can again, simply wait for a device to connect to the network to obtain the handshake, or we may deauthenticate the network.
Once we obtain the handshake, we will see the notification in our event stream
PMKID
The PMKID method is much simpler method. Just like before, we find our interface, enable monitor mode, start bettercap with that interface.
We begin scanning for networks
We can also show the WiFi Manufacturer of the AP
To start the PMKID attack we simply run
Once we have successfully received the RSN frame containing PMKID and it has been saved in a pcap format
Wifite
Specify a wireless interface with
OR if we only have one WiFi interface on that is capable of monitor mode, we can just run it as is.
We can do a WPA attack on a target network with
This will enable monitor mode on the wireless interface and begin scanning for networks.
I will target Pixel7, number 2
This starts with a PMKID attack, then moves onto a WPA Handshake attack if a PMKID is unable to be obtained.
*Note, we can skip the PMKID attack by adding the argument --no-pmkid
When obtaining a WPA handshake attack, this will attempt to de-authenticate clients from the network until we have obtained the handshake.
When the handshake is captured we see where it was saved to with the name of it. It will attempt to crack it automatically with aircrack-ng
using their default worldlist wordlist-probably.txt
If you would like to use your own dictionary, such as rockyou.txt
we can use the --dict
argument.
Hash Cracking
So we now have our handshake in .cap format, we can crack the hash and find out the password.
Aircrack
We'll start with aircrack-ng
as that is what we originally captured our handshake with. When we chose the -w
output with the SSID name, or whatever name you chose, the files are saved in whatever directory you ran that airodump-ng
command from. You may have multiple files in there with that SSID name. Eg. Pixel.cap-01.cap
, Pixel.cap-02.cap
, Pixel.cap-03.cap
, etc. The handshake SHOULD be in the most recent one, the one with the highest number. So lets run aircrack against that .cap file.
sudo aircrack-ng -w (wordlist) (.cap file)
Now depending on the password and the dictionary you chose, this may take some time. I chose to attack my phones hotspot as I am allowed to attack my own devices and made the password simple enough that the basic rockyou.txt file could crack it with ease. Once it has found it the cracking will stop and will tell you the password.
Hashcat
We have our PMKID in the .pcapng format, we can use hashcat to crack it. First we must use the hcxpcapng
tool from HCXtools.
Dictionary
If we want to use a dictionary attack, like using rockyou.txt
for example
Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status to see the time time estimated on finishing, as well as the updated "Recovered.Total" to see the recovered keys"
We can run the same command again with --show appended to the end to see our cracked passwords.
Brute Force
If we wanted to run a brute force attack rather than a dictionary attack, it's a similar command
Replace the ?l
with whatever we deem fit.
?l = a-z
?u = A-Z
?d = 0-9
?h = 0-9a-f
?H = 0-9A-F
?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
This will cover the basics of the hash cracking with hashcat but it can get SO much more advanced with hashcat.
Last updated