Wireless Pentesting

Basic info on Wireless can be found here. This will be a walkthrough used to obtain wireless handshakes and PMKID using various tools such as Aircrack-ng, HCXDumptool, Bettercap, and Wifite.

Then we will crack the hashes using Hashcat

This will require having a WiFi Adapter that supports monitor mode, also known as packet injection.

I myself have and recommend these adapters:

• Alfa AWUS036ACM <-- Capable of 2.4GHz and 5GHz

• Alfa AWUS036ACHM <-- Capable of 2.4GHz and 5GHz

• Alfa AWUS036ACH <-- Capable of 2.4GHz and 5GHz (This more than likely *will* require driver installation)

• Panda Wireless PAU09 N600 <-- Capable of 2.4GHz and 5GHz

• Alfa AWUS036NEH

• Alfa AWUS036NH

• Panda Wireless PAU05

• TP-Link TL-WN722N

• Ralink USB WiFi RT5370

Aircrack-ng

Handshake

First we must find our adapter interface name and enable monitor mode on it.

sudo airmon-ng start (interface name)

Now we start scanning for networks

sudo airodump-ng (interface name)

Once we have found our target, we press CTRL+C to stop the scan

Now we focus our scan onto our target

sudo airodump-ng -c (channel) -w (SSID.cap) --bssid (bssid) (interface)

We can name the .cap file whatever we want, I typically just name it the targets SSID

Now we can see here at the bottom, we see BSSID, STATION, PWR, Rate, Lost, etc. this indicates if a device is connected to that network. This may not always show devices but is helpful to keep an eye on.

At this point we can simply wait for a device to connect to the network to obtain the handshake, or we send deauth packets to the network to force a device to reconnect to the network to obtain the handshake. We can do this in various ways.

In a second terminal:

sudo aireplay-ng -0 10 -a (bssid) (interface) will send 10 deauthentication packets to the network and stop.

sudo aireplay-ng -0 0 -a (bssid) (interface) will continuously send deauthentication packets to the network until you tell it to stop using CTRL+C

We can also deauthenticate a specific device that is connected to the network with sudo aireplay-ng -0 1 -a (bssid) -c (client station MAC) (interface).

Once we have obtained the handshake, we will see our airodump terminal change, it will specify in the top right with WPA Handshake: BSSID.

Note: We can also obtain PMKID with this method as well:

This is handshake is saved into the .cap file we specified we when target our airodump-ng scan.

Once we have a handshake from aircrack, we will want to turn it into a hashcat compatible file. First we want to extract the handshake from the .cap file

sudo aircrack-ng -j handshake capture.cap

Bettercap

Handshake

Like with aircrack, we find out interface and put it into monitor mode.

Now we start bettercap selecting our interface

bettercap -iface (interface)

We begin scanning for networks

wifi.recon on

We can also show the WiFi Manufacturer of the AP

set wifi.show.manufacturer true

wifi.show

set wifi.recon.channel (Channel)

set net.sniff.verbose true

set net.sniff.output (SSID).pcap

set net.sniff on

events.stream on

At this point we can again, simply wait for a device to connect to the network to obtain the handshake, or we may deauthenticate the network.

wifi.deauth (BSSID)

Once we obtain the handshake, we will see the notification in our event stream

PMKID

The PMKID method is much simpler method. Just like before, we find our interface, enable monitor mode, start bettercap with that interface.

We begin scanning for networks

wifi.recon on

We can also show the WiFi Manufacturer of the AP

set wifi.show.manufacturer true

wifi.show

To start the PMKID attack we simply run

wifi.assoc (BSSID)

Once we have successfully received the RSN frame containing PMKID and it has been saved in a pcap format

HCXDumptool

PMKID

Info on PMKID on Hashcat Forums

Like other methods, we find out interface and put it into monitor mode.

We then scan for our target using airodump-ng

sudo airodump-ng wlan0mon

Once we find out target, CTRL+C and we copy the BSSID into a file but remove the colons, I named my file target. I usually name the .pcap file after the SSID just to keep track of it.

Now we run

hcxdumptool -o (name).pcapng -i (interface) --enable_status=1 --filterlist_ap=target.txt --filtermode=2

Once we obtain our PMKID we will see it at the bottom

We MAY see PMKID:XXXXXXXXXXXXXXX OR PMKIDROGUE:XXXXXXXXXXXXXXX, Even potentially M1M2ROGUE: XXXXXXXXXXXXXXX.

• PMKID:XXXXXXXXXXXXXXX KDV:2 means You captured a PMKID requested from a CLIENT. WPA version (Key Descriptor Version) is WPA 2. You can recover the password from this.

• PMKIDROGUE:XXXXXXXXXXXXXXX KDV:2 means the PMKID is requested by hcxdumptool and not by a CLIENT. You can recover the password from this.

• M1M2ROGUE : EAPOL M2 is requested from a CLIENT by hcxdumptool and not from an ACCESS POINT. You can recover the password from this.

Wifite

Specify a wireless interface with

sudo wifite -i wlan0

OR if we only have one WiFi interface on that is capable of monitor mode, we can just run it as is.

We can do a WPA attack on a target network with

sudo wifite --wpa

This will enable monitor mode on the wireless interface and begin scanning for networks.

I will target Pixel7, number 2

This starts with a PMKID attack, then moves onto a WPA Handshake attack if a PMKID is unable to be obtained.

*Note, we can skip the PMKID attack by adding the argument --no-pmkid

When obtaining a WPA handshake attack, this will attempt to de-authenticate clients from the network until we have obtained the handshake.

When the handshake is captured we see where it was saved to with the name of it. It will attempt to crack it automatically with aircrack-ng using their default worldlist wordlist-probably.txt

If you would like to use your own dictionary, such as rockyou.txt we can use the --dict argument.

Hash Cracking

So we now have our handshake in .cap format, we can crack the hash and find out the password.

Aircrack

We'll start with aircrack-ng as that is what we originally captured our handshake with. When we chose the -w output with the SSID name, or whatever name you chose, the files are saved in whatever directory you ran that airodump-ng command from. You may have multiple files in there with that SSID name. Eg. Pixel.cap-01.cap, Pixel.cap-02.cap, Pixel.cap-03.cap, etc. The handshake SHOULD be in the most recent one, the one with the highest number. So lets run aircrack against that .cap file.

sudo aircrack-ng -w (wordlist) (.cap file)

Now depending on the password and the dictionary you chose, this may take some time. I chose to attack my phones hotspot as I am allowed to attack my own devices and made the password simple enough that the basic rockyou.txt file could crack it with ease. Once it has found it the cracking will stop and will tell you the password.

Hashcat

We have our PMKID in the .pcapng format, we can use hashcat to crack it. First we must use the hcxpcapng tool from HCXtools.

hcxpcapng -o CrackMe (.pcapng file)

Dictionary

If we want to use a dictionary attack, like using rockyou.txt for example

hashcat -a 0 -w 3 -m 22000 (hash file) (wordlist)

Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status to see the time time estimated on finishing, as well as the updated "Recovered.Total" to see the recovered keys"

We can run the same command again with --show appended to the end to see our cracked passwords.

Brute Force

If we wanted to run a brute force attack rather than a dictionary attack, it's a similar command

hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l'

Replace the ?l with whatever we deem fit.

• ?l = a-z

• ?u = A-Z

• ?d = 0-9

• ?h = 0-9a-f

• ?H = 0-9A-F

• ?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~

• ?a = ?l?u?d?s

• ?b = 0x00 - 0xff

This will cover the basics of the hash cracking with hashcat but it can get SO much more advanced with hashcat.