Post Sun Jun 09, 2013 3:13 am

Wireless Hacking Beginner’s Guide Part one

Hi there, in these articles I’m going to cover many subjects about wireless hacking step by step. The audiences of this article are beginners and because of that I’ll explain everything in detail but I extremely need expert’s comments to help me find the best way to learn or let me know if I made any mistake. I’ll write this article in four parts (If I’ll get good comments!) to cover many aspects of the wireless hacking. .These articles is going to have four parts:
1. Introduction and WEP cracking.
2. Cracking WPA/WPA2 with dictionary and Brute force attacks.
3. Cracking WPA/WPA2 using Reaver by taking advantage of WPS vulnerability(with reaver)
4. Bypassing mac filtering

I think wireless hacking is a great way to start learning hack, because it gives you the idea about how Linux works, how to work with terminal, what is backtrack and so on. If your newbie in hacking world I think following this article helps you start, and keep in mind practice is the key of everything so do not skip it.

Requirements
Because this article is for newbies you don’t need any experience of wireless hacking however if have some skills of it, is much better. To following these articles you will need these things:

• A compatible Wireless adapter (Which is the first and so important requirement)
• The latest version of Backtrack Linux which is version 5 R3.
• A wireless modem or Access point.
• A Desktop or laptop computers (Two computers is recommended)
• Internet connection (LAN internet connection is better)
• Some experience of Linux (Its recommended, again if you have no experience its ok)
I’m going to explain some of these requirements in detail (Specially the first one).

A compatible Wireless adapter
As I mentioned above it’s the first requirement for this article because you can’t hack wireless access points without it. Any wireless adapter which is supported by Backtrack and Aircrack is a compatible adapter (Aircrack is a suite of wireless hacking tools that I’ll cover it later). But the question is which adapters are supported? We can’t say this one is fully support it or that one is not until we test it. I think the most important thing in a wireless adapter is the chipset because it handles all of the tasks, you can find good resources about chipsets and drivers here:

http://www.aircrack-ng.org/doku.php?id= ... ty_drivers

Which wireless card is great to buy?
If you have no wireless adapter or you have an incompatible one, you already know that you have to buy a compatible wireless card but with above conditions how can you make sure that the adapter which you want to buy is compatible? As I mentioned before we can make sure about the compatibility until we test the adapter so you must be careful about the adapter which you want to choose.

The worse thing about wireless adapters is many manufactures create some reversions of their wireless adapters and maybe the new version doesn’t work like the first one for example TP-link tl-wn722n version 1.8 is compatible but TP-link tl-wn722n version 1 is not as you see the brand and the model is same but just because of the version you can’t use the second one. If you ask an expert which wireless adapter is the best for hacking without any doubt you will get this answer Alfa AWUS036H but maybe you can’t find the adapter (Because of your location for example). In this situation I suggest you to buy one of these tested cards:

USB wireless adapters:
• Linksys WUSB54GC
• Linksys WUSB600N
• D-Link G DWA-110
• Dell Wireless 1510
• ZyXEL AG-225H v2
• Netgear wg111v2
• Airlink101 AWLL3026
• Belkin F5D7050 V1
• MicroEdge MEG55A

PCI Wireless adapters
• Asus WL138G V2
• Belkin F5D8001
• CNet CWP-854
• Dlink DWL-AG530
• Dlink DWA-510 (I have this wireless card it works great)
• Dlink DWL-G520
• Netgear WG311T
• Netgear WPN311

Linux Backtrack 5 R3
Backtrack is a Linux based operating system which is developed for penetration testing purpose. They installed many hacking tools such as Metasploit, Aircrack, reaver and so on and because of this and many other features backtrack becomes to a great platform for hacking. There are many Linux distributions which is created for hacking purpose but I prefer to use backtrack and I recommend you to use it too. If you don’t have backtrack you can download it from this link (For free): http://www.backtrack-linux.org/downloads/

Image

As you see in above figure you can register in backtrack’s website for feature support but you can download it without registration, so just click on download button and go to next page. Backtrack is released with many different options, but in general they released it in both KDE and GNOME desktop managers. KDE has many desktop features some Gadgets and so on. But for beginners I suggest you to download the Gnome (Because I saw many times the KDE has some difficulties with VGA’s driver and it’s so hard for none Linux experts to resolve this problem). In the next page choose the version of backtrack (which is 5 R3 now) and choose the desktop manager and as I mentioned before GNOME is better (Figure 2).

Image
(Figure 2: backtrack download options)

Then you must specify the architecture which is depends on your computer’s hardware. Always select ISO image because you can install it on VMware later but with VMware image you can’t boot your real computer with backtrack. After you specified all of the download options simply press the click to download button and then after the download process is finished, burn the ISO file on a DVD. You will use it in future steps.

A wireless modem or Access point
You need a wireless modem or access point to be a target for all of these attacks (please do not use your neighbor’s access points because it’s not ethical. If you want to do that please do not follow these articles).

Having the access point is one of the requirements but you must to configure it to use WEP as the network security method. There is many ways to do that it depends on your access point’s manufacture but the process is same. If you don’t know how to configure WEP use the access point’s manufacture but I provided a link for that:

http://www.ehow.com/how_6404276_enable- ... modem.html

Or this one is old but useful:

http://www.techrepublic.com/article/use ... rk/1055215

A brief history about WEP
In my opinion cracking WEP without having any knowledge about WEP itself is possible but it’s not a good idea, so I’m going to a brief discussion about it (I don’t want to cover it in detail because it can be technical and this article is dedicated for beginners).

When we have a wired network we know that the only way to connect and to use the network’s resources is get access to the switch and connect the pc to it through a cable, and because of that generally wired networks are more secure than wireless networks.

But as wireless network transfers data over radio signal, everybody (who is near to the access point) can pick up the signal and connect to the network and use some resources like internet connection and so on.

To avoid this IEEE includes WEP protocol in their 802.11 standard in 1997. WEP means Wired Equivalent Privacy it encrypts data with a password, they created WEP to simulate the LAN’s physical security conditions for wireless.

But today we know they failed! Because the WEP protocol is so insecure and it can be crack with software like Aircrack within minutes but unfortunately even now we can see a lot of wireless networks in home or office or public places like coffee shops and so on with WEP protocol for security, and it becomes to a dangerous vulnerability for those networks.

Start cracking WEP
After you meet the requirement it’s time to start cracking WEP to do that firstly you must boot your computer from the Backtrack DVD which you burned in previous steps. If you don’t know how to configure your computer’s bios to boot from it you can check this below link

http://yourbusiness.azcentral.com/boot- ... 18067.html

in the first menu which you see after you inserted the DVD and turned your computer on select the first option: BackTrack text – Default boot text mode (with arrow keys and enter button figure 3) and wait until it initializes itself then type startx command to switch from txt mode to user interface mode.

Image
(Figure 3: select the first option)

After that you can see your desktop and depending on the GNOME or KDE desktop manger it can be different
Note: if you didn’t see anything after you typed the startx command probably you have driver problem and you can get help from Backtrack’s official website http://www.backtrack-linux.com.
Every network adapter in every operating system has a name (no matter if the adapter is LAN or WLAN) and for this attacks you need to know the name of your wireless adapter. You can easily open terminal (under accessories menu) and type airmon-ng command (figure 4)

Image

As you see in the above picture my adapter’s name is wlan0 and the chipset and the driver are detected and working well (if you see unknown in chipset or driver’s part it means your card is not supported and probably you can’t use it for this attack in some cases you can use Windows drivers on Linux to resolve this problem).

Mac changing
It’s not necessary to change your adapter’s mac address but it’s better to do it because it makes the further steps easier and it can be good test for your adapter because if you get error for changing the mac it means your adapter is not ready for this type of attack. But firstly I want to tell you that the mac address of any adapter is an static thing and you will never can change it!! You just can make it to use a fake mac address.

To do this, firstly you must disable you wireless adapter. In windows operating system you can simply right click on the adapter and choose disable item. But in Linux you must do it with these two commands (figure 5):

airmon-ng stop (adapter’s name)
ifconfig (adapter’s name) down


Image
(Figure 5: Disable the adapter)

Then after that you can give a fake mac address to the wireless adapter with this command (I choose 00:11:22:33:44:55 for the faked mac but its optional you can use something else figure 6):

macchanger - -mac (the fake mac address) (adapter’s name)

Image

Monitoring mode
After you changed the mac address successfully you must put your adapter in monitor mode to capture traffic from the access point which is configured with WEP security protocol. But before you do it I suggest you to check your operating system’s process to find and kill some processes which are working with your adapter and make it busy. The reason of doing this is maybe Aircrack tools stops working during capturing or cracking operation. You can easily use this command to find and kill those spam processes!! (Figure 7):

airmon-ng check kill

Image

If you didn’t get same results as me it means you don’t have any processes which are needed to terminate. But if you find some processes it doesn’t mean you can’t go further, just kill them then put your adapter in monitoring mode using this command (Figure 9):

arimon-ng start (adapter’s name)

It will give a new name to your adapter. If you remember we disabled the adapter to change the mac address when you put your adapter in monitor mode, it will enable your adapter automatically. But sometimes it doesn’t do that so you must do it manually with this command:

Ifconfig (adapter’s name) up

Image
(Figure 9: Monitoring mode)

Finding Access point(s)
After we configured everything we need to search and find the victim’s access point victim’s access point. You can use this command to find near access points (Figure 10):

airodump-ng (adapter’s name)

Image

As you see in above picture you can see my modem’s name and some details (except the name because I hided it) you need to write down some information about the victim something like BSSID, Channel, and access point’s name. It will be useful for further steps.

After you found the victim’s access point press Ctrl + C button to stop searching then copy the BSSID into clip board. Sometimes you can’t find the access point, in these situations stop searching (again using Ctrl + C) then repeat the last step again do it again and again until you find it. If you didn’t find at all check the access point’s setting and decrease the distance between modem and computer.
Capturing packets

To crack the WEP password you have to capture enough packets from access point while fake authentication then Aircrack can decrypt it. But keep in mind after you typed this command, do not close the terminal window or stop the process until we done cracking. You can use this command to capture the packet (figure 10):

airodump-ng –c (the victim’s channel) –w (a file name) –bssid (the victim’s bssid) (monitored adapter’s name)

Image
(Figure 10: capturing packets)
If you wrote down everything about the victim’s access point you already know what is the channel number and you don’t have problem in –c switch and about –w you must enter a file name it’s better to use single word names and the name can be whatever but don’t forget it you will need it in cracking step, for example I choose whack.

Fake authentication
In this step you must perform fake authentication to provide the efficient information which aircrack needs to decrypt the password. To do this, opens another terminal (do not close or stop capturing as mentioned above) then type the below command (figure11):

aireplay-ng -1 0 –a (the victim’s BSSID) –h (faked mac of your adapter) (monitored adapter’s name)

Image
(Figure 11: Fake authentication)

If the access point is far from your computer or if you have any difficulties with signal or connection I suggest you to use fake authentication with sending keep-alive packet this feature will send some keep-alive packet after fake authentication process and it helps to keep connectivity between the access point and your computer. Here is the command (figure 12):

aireplay-ng -1 6000 –o 1 –q 10 -a (the victim’s BSSID) –h (faked mac of your adapter) (monitored adapter’s name)

Image

ARP Replay
It’s the latest step before we perform password cracking. This step will take some minutes so be patient and after you typed the command give it 20 minutes or more to collect enough information to perform password cracking. If you are using keep-alive feature in previous step open another terminal and type this command (figure 13):

aireplay-ng -3 –b (the victim’s BSSID) –h (faked mac of your adapter) (monitored adapter’s name)

Image
(Figure 13: ARP Replay)

After some second from when you type the command the terminal window gets mad! And it starts reading and writing packets. Again do not close or stop any window until the end of password cracking progress. In this time you can leave computer alone and for example you can go make something to drink and come back after 20 minutes.
Password cracking
I think it should be the best part of this article for you, because you did all of these efforts for now! So after 20 minutes open another terminal and type the final command of this article:

aircrack-ng –b (the victim’s BSSID) (the file name which you specified in previous step)-01.cap

If Aircrack couldn’t crack the password for first time, don’t get disappointed just give it more time to collect more info then it will try automatically it happens especially on 128 bit encryption keys.
I know this article is not technical and for most of people here it’s so easy and ancient! But as mentioned before if your newbie it’s a good place to start. I next article I’ll tell you how to crack WPA/WPA2 with dictionary and Brute force attacks. I hope you enjoy this article and please let me know the quality of these articles.