Editor-in-Chief: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)
Proofreaders: Lee McKenzie
Editors: Hammad Arshed, Marta Sienicka (sienicka.marta@hakin9.com), Olivier Caleff
www.hakin9.org
Welcome to another edition of Hakin9! In these last days of November we would like to
send best wishes to everyone who celebrates Thanksgiving! We also hope that the
Wireless hacking will forever remain one of the most popular topics; this time, however,
we decided to take a slightly different approach and focus just on the tools. Inside this issue
you will find tutorials and guides, all about tools used to crack WPA/WPA2 and their
passwords. You will see articles such as how to attack Wi-Fi with Bettercap & Pwnagotchi,
the (almost) immortal Aircrack-ng, cracking wireless networks with Fern, Reaver in
practice, Fluxion step by step, stealing Wi-Fi passwords with an Evil Twin attack, and much
more.
This edition is one big compendium of wireless tools and techniques, from which you
will learn various tips and tricks to improve your hacking skills!
Feel free to leave us a comment or send us a message! As always, special thanks to all the
contributors, reviewers, and proofreaders involved in the process of creating this issue.
Introduction
Wireless networks are a quick and easy method for connecting devices in workplaces or at home. Users can plug a
wireless router into their ISP's modem (or use the provided wireless modem) and connect all their devices to the
Internet. This article will show how to attack WPA2-PSK (Pre-Shared Key) networks, which are used by most consumers.
Software Installation
On Debian-based versions of Linux you can use the apt command to install aircrack-ng.
Wireless protocols use multiple frequency bands within the wireless spectrum for sending data. The frequencies used by
802.11 are 2.4 GHz and 5 GHz, each of which is unlicensed and available for use by consumers. Wireless cards
have the ability to receive and decode wireless signals on the LAN that are destined both for them and for other wireless
devices in the area. This is the nature of Ethernet networks as well as the physics of how wireless signals propagate. To
sniff data on your network that is not destined for your wireless device, you must have a wireless card that can enter
monitor mode. This requires root or Administrator access to the device, and while the card is in monitor mode, normal programs will not be able to
access the Internet through it.
$ sudo airmon-ng
phy0 wlp5s0 iwlwifi Intel Corporation Wireless 8265 / 8275 (rev 78)
If your card is being used by the operating system, you may have to run the check kill command with airmon-ng.
Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period
of time, you may want to run 'airmon-ng check kill'
Test for penetration in Wi-Fi network: attacks on WPA2-PSK and WPA2
Tamara Radivilova
In this work, the security algorithms of wireless networks were analyzed. The fundamentals of the WPA and WPA2 security
algorithms, their weaknesses, and ways of attacking WPA and WPA2 Enterprise wireless networks are described. A
successful attack on WPA2-PSK and WPA2-Enterprise was carried out in the course of this work. The
progress of this attack and its results are described.
I. INTRODUCTION
The problem of protecting corporate data becomes more relevant every year. More and more critical data is transmitted over
wireless networks, and information security (IS) increasingly depends on the skills of IT professionals. Many
organizations and individuals use wireless local area networks (WLANs) as an irreplaceable addition to traditional
wired LANs. WLANs are necessary for mobility, for special-purpose networks, and for access to hard-to-reach places. Many modern
devices that we use (smartphones, tablets, laptops, routers, TVs) can work with Wi-Fi wireless networks. The most
common standard at the moment is IEEE 802.11i.
Any interaction between an access point (network) and a wireless client is built on two elements: authentication, in which the client and
the access point present themselves to each other and confirm that they have the right to communicate; and
encryption, which determines the algorithm used to scramble the transmitted data, how the encryption key is generated, and when it
is changed [1,2].
A lot of attention is given to Wi-Fi network security. However, networks can be tested for security. The purpose of this
work is to implement attacks on Wi-Fi networks protected by the WPA2-PSK and WPA2-Enterprise protocols.
The parameters of the wireless network, primarily its name (SSID), are regularly announced by the access point in
broadcast beacon packets. In addition, the expected security settings, QoS preferences, 802.11x parameters, supported
speeds, information about neighboring access points, etc. are transmitted. Authentication determines how the client
presents itself to the access point. The possible options are: open – the so-called open network, in which all connecting devices are authorized
immediately; shared – the authenticity of the connecting device must be verified with a key/password; EAP – the authenticity
of the connecting device must be verified by EAP with an external server [1,3,4].
The openness of the network does not mean that anyone can use it with impunity. To transmit data in such a
network, it is necessary to match the encryption algorithm in use and, accordingly, to correctly establish the encrypted
connection. The encryption algorithms are as follows: none – no encryption, the data is transmitted in clear text; WEP –
a cipher based on the RC4 algorithm with different lengths of a static or dynamic key (64 or 128 bits); CKIP –
a proprietary replacement for WEP from Cisco, an early version of TKIP; TKIP – an improved WEP replacement with
additional checks and protection; AES/CCMP – the most advanced algorithm, based on AES256 with additional
checks and protection [3,4].
The combination of Open Authentication, No Encryption is widely used in guest access systems such as providing
WiFi Attacks with Bettercap & Pwnagotchi
Daniel Dieterle
Installation Overview
Install Bettercap following the instructions in the Bettercap Wiki; there are several options available. In this article, I
will cover installing the latest and greatest version of Bettercap on Kali Linux. These instructions will work on both a
standard Kali Linux install and a Raspberry Pi (RPi) Kali Linux install. I use a Raspberry Pi in this article, but
following the exact same instructions, you can use it on a standard Kali desktop. I prefer to use it on a Raspberry Pi as
a "drop box" type unit: a unit that you leave on a target site and then remote into. You can easily connect to
Bettercap remotely using the Web UI, which I cover in this article.
Disclaimer: The information in this article is for informational use only. It is illegal to access or attempt to
hack any network, wired or wireless, that does not belong to you or that you do not have permission to
test. This is just a quick overview of both tools; it is imperative to read and understand the tool authors'
documentation, as it is important to fully understand these tools before using them.
Cracking Wireless with Fern Wifi Cracker
Jeff Minakata
In this article, we will be looking at the Python program Fern Wifi Cracker for cracking wireless passwords. Fern is a
powerful and easy-to-use program that comes preloaded in Kali Linux. As with any pentest, be sure to test only on your
own network.
Equipment used:
In this article, I am using Kali Linux version 2018.3 running on a laptop. You can run Kali from a VM. If you do, you
will also need to use a secondary wireless adapter. My personal recommendation is the Alfa AWUS036NH High Gain
USB Wireless G adapter for this. The adapter is pretty inexpensive and has a high-gain antenna. Be sure that
whatever wireless adapter you use is capable of monitor mode, as not all wireless cards will work.
Before we begin, it's always best to make sure that our Kali OS is up to date. Open a terminal and enter the following
command:
Hacking WPA2 Wi-Fi password using Evil Twin Attack | DNSMASQ and Hostapd
Debojyoti Chakraborty
Wireless protocols have evolved drastically in terms of secure Wi-Fi access since the introduction of WPA in 2003.
These days, wireless networks have become a part of our daily life. Almost every home, business, corporation,
store, industry, and institution has its own wireless AP (Access Point). Moreover, to make the internet
freely available to everyone, some organizations have set up public open Wi-Fi APs in almost every public place, like
airports, railway stations, libraries, bus terminals, etc. But when the question of security comes up, even after
implementing the best security practices available, a wireless network will always be less secure than a wired network,
just as David Bernstein once said, "FOR EVERY LOCK, THERE IS SOMEONE OUT THERE TRYING TO PICK IT OR
BREAK IT".
An Evil Twin is a rogue Wi-Fi AP (Access Point): the attacker creates a fake AP to lure users into thinking
it is a trusted wireless network. The attacker boosts the signal so that the victim's device automatically connects to the
rogue AP because of its faster beaconing and stronger range.
Practical Scenario: The logic behind an Evil Twin attack is simple: you just have to create a fake access point
with the same name as the targeted Wi-Fi. Then you create a webpage that tells the victim they need to enter
the password to access the internet, and store what they type in a database.
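The defensive counterpart of the scenario above is spotting a twin from the network owner's side. The following is an added example (not part of the original article): it runs over a constructed scan result and an assumed allowlist of legitimate BSSIDs, and flags any AP that advertises a managed SSID from an unknown BSSID, noting whether it is open while the real network is encrypted and whether it out-powers the legitimate radios.

```python
# Added example: flag possible evil-twin access points in a Wi-Fi scan.
# The scan records and the allowlist below are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int
    encryption: str  # "WPA2", "WPA3", "WEP" or "OPEN"


# Legitimate access points, as recorded by the network owner (assumed inventory).
KNOWN_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan: two real CorpWiFi radios plus a twin on another channel.
SCAN = [
    ScanEntry("CorpWiFi", "aa:bb:cc:00:00:01", 6, -61, "WPA2"),
    ScanEntry("CorpWiFi", "aa:bb:cc:00:00:02", 36, -70, "WPA2"),
    ScanEntry("CorpWiFi", "de:ad:be:ef:00:01", 11, -40, "OPEN"),
    ScanEntry("Neighbour", "11:22:33:44:55:66", 1, -80, "WPA2"),
]


def find_evil_twins(scan, known_aps):
    """Return (bssid, reasons) for every AP that advertises a managed SSID
    from a BSSID that is not in the allowlist for that SSID."""
    findings = []
    for entry in scan:
        legit = known_aps.get(entry.ssid)
        if legit is None or entry.bssid.lower() in legit:
            continue  # not one of our SSIDs, or a known radio
        reasons = ["unknown BSSID for managed SSID"]
        legit_entries = [e for e in scan
                         if e.ssid == entry.ssid and e.bssid.lower() in legit]
        # A twin built with hostapd + a captive page is typically open.
        if entry.encryption == "OPEN" and all(e.encryption != "OPEN" for e in legit_entries):
            reasons.append("open network impersonating an encrypted one")
        # The twin wins auto-connect by being louder than the real AP.
        if legit_entries and entry.signal_dbm > max(e.signal_dbm for e in legit_entries):
            reasons.append("stronger signal than any legitimate AP")
        findings.append((entry.bssid, reasons))
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(SCAN, KNOWN_APS):
        print(bssid, "->", "; ".join(reasons))
```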
Prerequisites: Below is a list of hardware and software used in this article. You can use any hardware as long as it is
compatible with the software you will be using.
Hardware Used:
NetAttack2 and Cracking Wireless Network
Ome Mishra
This is my first article on Hakin9, and in it I am going to introduce you to a tool that is OLD but GOLD. First
of all, this is for educational purposes only; I am not responsible for any misuse.
NETATTACK2
So what is it? NETATTACK 2 is a Python script that scans and attacks local network devices as well as wireless
networks. There are different modules for different attacks. As it is very simple and easy to understand, you don't need
much knowledge to run this tool. Everything is super easy because of the GUI, which makes it unnecessary to remember
commands and parameters.
How to download: You can find the whole detailed guide here: https://github.com/chrizator/netattack2. However,
below I will present the steps of the installation process.
Requirement:
Cracking WPA using Reaver
sparksp33dy
Cracking Wi-Fi has always been a keen interest for novices, being one of the first few things to try when getting into
the world of hacking and penetration testing. A key reason for this is a relatively rich
vulnerability landscape. The improved WPA/WPA2 protocol is much better than WEP in terms of security, but has
still proven to be hackable. In 2006, due to the rapid increase in the use of access points, WPS was introduced to
make setup convenient for everyday use: pressing a button on the access point
and on the client device at the same time sets up a WPA connection. However, in 2011, a design flaw in the registrar (the device or service that issues
and revokes credentials for a network) was discovered in the standard, which made the WPS PIN used by WPS
devices susceptible to brute force requiring only 11,000 attempts. After the discovery of the vulnerability by Stefan
Viehböck, Craig Heffner developed the first version of Reaver, which became the first open-source and the most
famous tool exploiting this vulnerability, and it comes preinstalled in Kali.
DEMONSTRATION
Then run airmon-ng start wlan1 (it may be wlan0, depending on your wireless interface) to put the network
adapter or wireless adapter into monitor mode:
The message at the bottom names wlan1mon as the monitor interface. To confirm, run iwconfig:
Crack any WPA/WPA2 WiFi password using Fluxion – no password list required
Richard Azu
Introduction
Truth be told, there is no wireless network that is 100% secure. The only way to secure a wireless network is to
disable it – not to hide the SSID. This article will introduce Fluxion and demonstrate how it is used in conjunction with
Aircrack-ng to hack any WPA/WPA2 wireless password – no matter how complex it is. The systems required for this
demonstration are:
I. Computer running Kali Linux OS – minimum of 1GB memory, internal wireless card and 50GB hard-disk space
In order to successfully run the Fluxion tool, it is recommended to first test the wireless card installed in your PC for
monitor-mode compatibility.
To do this, launch a terminal and type the command iw list for a full list of all capabilities of the installed physical
wireless card. If the list of supported interface modes includes monitor, the installed wireless card is compatible with
this demonstration.
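The monitor-mode check above (and the airmon-ng listing in the Aircrack-ng article earlier on this page) can be scripted when several cards have to be audited. This is an added example, not code from the original article: it parses the "Supported interface modes" section of iw list output and reports which Wiphys support monitor mode. The iw output embedded below is a constructed sample in the layout iw prints; feed it real output from `iw list` to check your own hardware.

```python
# Added example: read "iw list" output and report which physical wireless
# devices (Wiphys) list "monitor" among their hardware interface modes.
import re

# Constructed sample in the layout of `iw list`: phy0 supports monitor mode,
# phy1 does not.
IW_LIST_SAMPLE = """\
Wiphy phy0
\tmax # scan SSIDs: 20
\tSupported interface modes:
\t\t * managed
\t\t * AP
\t\t * monitor
\t\t * P2P-client
\tsoftware interface modes (can always be added):
\t\t * AP/VLAN
Wiphy phy1
\tSupported interface modes:
\t\t * managed
\t\t * AP
"""


def supported_modes(iw_output):
    """Map each Wiphy name to the set of hardware interface modes it lists."""
    modes = {}
    phy = None
    in_block = False
    for line in iw_output.splitlines():
        m = re.match(r"Wiphy (\S+)", line)  # "Wiphy" lines are not indented
        if m:
            phy = m.group(1)
            modes[phy] = set()
            in_block = False
            continue
        stripped = line.strip()
        if stripped == "Supported interface modes:":
            in_block = True
            continue
        if in_block and stripped.startswith("* "):
            modes[phy].add(stripped[2:])
        elif in_block and stripped and not stripped.startswith("*"):
            in_block = False  # a different section (e.g. software modes) began
    return modes


def monitor_capable(iw_output):
    """Sorted names of the Wiphys whose hardware modes include 'monitor'."""
    return sorted(phy for phy, m in supported_modes(iw_output).items()
                  if "monitor" in m)


if __name__ == "__main__":
    print("monitor-capable:", monitor_capable(IW_LIST_SAMPLE) or "none")
```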
Fluxion is basically a security auditing and social-engineering research tool [1]. It is a tool that combines technology and
social engineering to convince users to give up their wireless passwords, no matter how strong or complicated the
password is. Having the most complicated password cannot protect users against a Fluxion attack, because it is
based on social engineering. The advantage of Fluxion is that it has simplified wireless hacking by
removing the need to brute-force a network with hundreds to thousands of passwords from a list.
Pentest: Wireless Network Attacks and tips on how to make attacks more efficient
Joas Antonio, Felipe Gomes, Thiago Vieira
Performing an infrastructure pentest service is laborious, but have you ever wondered how a pentest of wireless
networks works? Many companies hire professionals to audit their wireless network infrastructure. This is driven by
the growing number of devices connected to the IoT (Internet of Things): many companies have IoT devices
connected without any protection, leaving them exposed to attacks and vulnerabilities that can compromise the integrity
and availability of those devices. Therefore, knowledge of pentesting wireless networks is essential to ensure that the
wireless infrastructure is not compromised and criminals do not take control of the devices that use this technology,
eliminating the danger of these devices becoming botnets or leaking data.
Introduction
Before we begin our testing, we will set up our laboratory; after all, we will not use real environments, but laboratories
controlled by me which will simulate a real attack. This laboratory will contain:
• Recommended Adapters:
• TP-Link - WN772N
• ALFA -AWUS036NHA
• ALFA-AWUS036NH
"You can use other adapters, but ensure that they support monitor mode, packet injection and are
compatible with Kali Linux."
Planning
3. Learn to what end that network is used, and what is used in that network company (Visitor? Workstation?
Only for IoT devices? etc.)
Practice
Now let us put into practice some methods to compromise a wireless network. It is worth noting that many of the
methods presented are used here in controlled environments configured to receive attacks. In a real network, you
will come across many security mechanisms that restrain these attacks, so you will need to study these types of
mechanism (WIDS, WIPS, honeynets, hardening and other security devices). Furthermore, many wireless networks have
strong authentication configured on a RADIUS server. In this environment, we will present attacks using the
following tools:
• CoWPAtty: a tool that performs a fast brute-force attack using pre-computed keys
• Genpmk: works in conjunction with CoWPAtty; its job is to generate a rainbow table from a wordlist
These are the tools that we will use for our demonstrations. To begin, we will demonstrate the basic way of cracking passwords
in the WPA2 and WPS protocols, using the tools presented with different methods. Before going into practice, we will
check whether our network adapter supports monitor mode and packet injection:
First we will list our wireless network card; by default it is usually wlan0, but you may end up with
another name.
THC Hydra, The Next Generation
Andrea Cavallini
HISTORY PILLS
A password is a secret word used in the user verification procedure of different applications, in order
to access records and assets. A secret key shields our data from unauthorized access. From the beginning of
cybersecurity, and in general from the time that people needed to protect their information, passwords have been used in
order to increase the security of communications. However, if a password exists, there is also a method to try to
break it. Over the years, the attacks have improved in effectiveness and performance, moving from testing
combinations of characters to testing prepared words, with a considerable saving of time in the cracking process. The
methodologies that we are going to explain are called the brute force attack and the dictionary attack.
Starting from a set of characters and trying every single combination of them, a brute force attack aims to identify a
password. The time to get the password depends on the computer's CPU and on how many and which characters were
used. This method consists of trying all the possible combinations of letters, special characters and numbers until it
finds the right sequence. This type of attack is not efficient because it requires a number of tests that can be very high in
execution time, depending on the password complexity.
DICTIONARY ATTACK
An alternative to the brute force attack is the dictionary attack. Its purpose is the same as that of a brute force attack, but it tests a
password or an encrypted code against a precise and finite number of strings that we have already generated and stored
in a file called a dictionary. This method reduces the processing time and makes the attack more efficient.
When we speak about password cracking, the modern approach to this technique is oriented toward the dictionary attack,
because performance and accuracy are the most important requirements. Our task is simplified if the
dictionary used is complete and the rules used are efficient. In most cases, when trying to recover a user's password,
the dictionary attack is the best method because the user usually chooses ordinary words as a password. The situation
becomes more complicated if the system uses random combinations of alphanumeric characters; in this case the brute
force attack is the only one possible, even if the time required is greater than for a dictionary attack.
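The brute force versus dictionary comparison above, and the pre-computed-key approach of CoWPAtty and Genpmk described in the wireless pentest article earlier on this page, both come down to the cost of deriving one WPA2-Personal key per guess. The following is an added example, not code from any of the articles or tools on this page: it derives the Pairwise Master Key exactly as WPA/WPA2-Personal specifies (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes) and estimates attacker effort for a dictionary and for a brute-force keyspace. The passphrases, SSIDs, dictionary size and guess rate are constructed assumptions, not measurements.

```python
# Added example: WPA2-Personal PMK derivation and a guess-cost estimate.
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) is the
# published WPA/WPA2-Personal mapping; everything else here is assumed input.
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for a WPA/WPA2-Personal network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute-force attack must cover for one fixed length."""
    return charset_size ** length


def seconds_to_exhaust(candidates: int, pmk_per_second: float) -> float:
    """Worst-case time to derive a PMK for every candidate at a given rate."""
    return candidates / pmk_per_second


def compare_effort(dictionary_size: int, charset_size: int, length: int,
                   pmk_per_second: float):
    """(dictionary seconds, brute-force seconds) at the same PMK rate."""
    return (seconds_to_exhaust(dictionary_size, pmk_per_second),
            seconds_to_exhaust(keyspace(charset_size, length), pmk_per_second))


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the PMKs differ, so a pre-computed PMK table
    # (the Genpmk approach) only applies to the SSID it was generated for.
    a = wpa2_pmk("correct horse battery", "HomeNet")
    b = wpa2_pmk("correct horse battery", "HomeNet-5G")
    print("HomeNet:   ", a.hex())
    print("HomeNet-5G:", b.hex(), "(differs:", a != b, ")")
    # Assumed attacker rate of 100,000 PMK/s (a constructed figure, not a benchmark),
    # a 14-million-entry dictionary, and a 10-character alphanumeric keyspace.
    dict_s, brute_s = compare_effort(14_000_000, 62, 10, 1e5)
    print(f"dictionary: {dict_s / 60:.1f} minutes")
    print(f"brute force 62^10: {brute_s / (3600 * 24 * 365):.0f} years")
```

The gap between the two figures is why the articles on this page lean on wordlists, pre-computed tables and social engineering rather than exhaustive search; a passphrase outside any dictionary pushes an attacker to the brute-force column.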
John the Ripper is the most important password cracker developed and available for Unix, Windows and macOS. It's
fast and free and can do both types of attack, brute force and dictionary. It's a tool included in Kali Linux, and it can be
considered the father of the most modern and flexible network password cracker: Hydra.