
TEAM

Editor-in-Chief: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)

Editors:
Marta Sienicka (sienicka.marta@hakin9.com)
Dominika Zdrodowska (dominika.zdrodowska@eforensicsmag.com)
Marta Strzelec (marta.strzelec@eforensicsmag.com)
Bartek Adach (bartek.adach@pentestmag.com)

Proofreader: Lee McKenzie

Senior Consultant/Publisher: Paweł Marciniak

CEO: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)

Marketing Director: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)

DTP: Marta Sienicka (sienicka.marta@hakin9.com)

Cover Design: Hiep Nguyen Duc, Joanna Kretowicz

Publisher: Hakin9 Media Sp. z o.o., ul. Postępu 17D, 02-676 Warszawa
Phone: 1 917 338 3631
www.hakin9.org

Betatesters & Proofreaders: Lee McKenzie, Hammad Arshed, Olivier Caleff, Ali Abdollahi, Robert Fling, Paul Mellen, Bernhard Waldecker, Avi Benchimol, Ivan Gutierrez Agramont, Humberto A. Sanchez II, Sebastian Koszyk, Marcello Gorlani, Craig Thornton, Amit Chugh, Kevin Goosie, Raymond Obinaju, Brad Tumy, Jeff Barron, Markus Gerber, Tom Updegrove, Francesco Consiglio

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear readers,

Welcome to another edition of Hakin9! In these last days of November we would like to send best wishes to everyone who celebrates Thanksgiving! We also hope that the craziness of Black Friday didn't leave you scared or traumatized!

Wireless hacking will forever remain one of the most popular topics; this time, however, we decided to take a bit different approach and focus just on the tools. Inside this issue you will find tutorials and guides, all about tools used to crack WPA/WPA2 and their passwords. You will see articles such as how to attack wifi with Bettercap & Pwnagotchi, the (almost) immortal AirCrack-NG, cracking wireless network with Fern, Reaver in practice, Fluxion step by step, stealing wifi passwords with an Evil Twin Attack, and much more.

This edition is one big compendium about wireless tools and techniques, from which you will learn various tips and tricks to improve your hacking skills!

Feel free to leave us a comment or send us a message! As always, special thanks to all the contributors, reviewers, and proofreaders involved in the process of creating this issue.

Enjoy the reading,

Hakin9 Editorial Team


Attacking WPA-2 PSK Wireless Networks using Aircrack-ng
Matthew Miller

Introduction

Wireless networks are a quick and easy method for connecting devices in workplaces or at home. Users can plug a
wireless router into their ISP's modem (or use the provided wireless modem) and connect all their devices to the
Internet. This article will show how to attack WPA-2 PSK (Pre-Shared Key) networks, which are used by most consumers.

Software Installation

On Debian-based versions of Linux you can use the apt command to install aircrack-ng.

$ sudo apt install aircrack-ng

Wireless Card Modes

Wireless protocols use multiple frequency bands within the radio spectrum for sending data. 802.11 uses the 2.4 GHz
and 5 GHz bands, both of which are unlicensed and available for use by consumers. Wireless cards have the ability to
receive and decode wireless signals on the LAN that are destined both for them and for other wireless devices in the
area. This is the nature of Ethernet networks as well as the physics of how wireless signals propagate. To sniff data
on your network that is not destined for your wireless device, you must have a wireless card that can enter monitor
mode. This requires root or Administrator access to the device, and while the card is in monitor mode, normal programs
will not be able to use it to access the Internet.

Enable Monitor Mode

$ sudo airmon-ng

PHY Interface Driver Chipset

phy0 wlp5s0 iwlwifi Intel Corporation Wireless 8265 / 8275 (rev 78)

$ sudo airmon-ng start wlp5s0

If your card is being used by the operating system, you may have to run the airmon-ng check kill command.

$ sudo airmon-ng start wlp5s0

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after a short period
of time, you may want to run 'airmon-ng check kill'

Test for penetration in Wi-Fi network: attacks on WPA2-PSK and WPA2
Tamara Radivilova, Hassan Ali Hassan

In this work, wireless network security algorithms were analyzed. The fundamentals of the WPA and WPA2 security
algorithms, their weaknesses and ways of attacking WPA and WPA2 Enterprise wireless networks are described. A
successful attack on WPA2-PSK and WPA2-Enterprise was carried out during the course of this work. The progress of
this attack and its results are described.

I. INTRODUCTION

The problem of protecting corporate data becomes more relevant every year. More and more critical data is transmitted
over wireless networks, and information security (IS) increasingly depends on the skills of IT professionals. Many
organizations and individuals use wireless local area networks (WLANs) as an irreplaceable addition to traditional
wired LANs. WLANs are necessary for mobility, special-purpose networks and for access to hard-to-reach places. Many
modern devices that we use (smartphones, tablets, laptops, routers, TVs) can work with Wi-Fi wireless networks. The most
common standard at the moment is IEEE 802.11i.

Any interaction between an access point (network) and a wireless client is built on two things: authentication, in
which the client and the access point present themselves to each other and confirm that they have the right to
communicate; and encryption, which determines the algorithm used to scramble the transmitted data, how the encryption
key is generated, and when it is changed [1,2].

Wi-Fi network security receives a lot of attention, and networks can be tested for it. The purpose of this work is to
implement attacks on Wi-Fi networks protected by the WPA2-PSK and WPA2-Enterprise protocols.

II. SECURITY OF WI-FI NETWORK

The parameters of the wireless network, primarily its name (SSID), are regularly announced by the access point in
broadcast beacon packets. In addition, the expected security settings, QoS requirements, 802.11x parameters, supported
speeds, information about neighbouring access points, etc. are transmitted. Authentication determines how the client
identifies itself to the access point. The possible options are: open – a so-called open network, in which all
connecting devices are authorized immediately; shared – the authenticity of the connecting device must be verified with
a key/password; EAP – the authenticity of the connecting device must be verified by EAP with an external server [1,3,4].

An open network does not mean that anyone can use it freely. To transmit data in such a network, it is necessary to
match the encryption algorithm in use and, accordingly, to correctly establish the encrypted connection. The encryption
algorithms are as follows: none – no encryption, the data is transmitted in clear text; WEP – a cipher based on the RC4
algorithm with a static or dynamic key of different lengths (64 or 128 bits); CKIP – Cisco's proprietary replacement
for WEP, an early version of TKIP; TKIP – an improved WEP replacement with additional checks and protection; AES/CCMP –
the most advanced algorithm, based on AES256 with additional checks and protection [3,4].
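To make the point about how the encryption key is generated concrete, the following added example (written for this edit, not code from the paper) derives the WPA2-PSK Pairwise Master Key the way a supplicant does: PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations, 256-bit output. Checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), it also shows why the SSID acts as a salt: the same passphrase yields a different PMK on a differently named network, so any precomputed PMK list is only valid for one SSID, and the 4096 iterations are what make each guess expensive for an attacker. The function names are my own.

```python
import hashlib

# WPA/WPA2-PSK derives the 256-bit Pairwise Master Key (PMK) from the passphrase
# and the SSID with PBKDF2-HMAC-SHA1 and 4096 iterations (IEEE 802.11i).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a WPA/WPA2-PSK network (passphrase 8..63 ASCII chars)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the network name is the salt
        PBKDF2_ITERATIONS,
        dklen=PMK_LEN,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, convenient for comparing with published test vectors."""
    return derive_pmk(passphrase, ssid).hex()


def ssid_salts_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase gives different PMKs on two SSIDs.

    This is why precomputed PMK tables must be built per network name and
    cannot be reused across networks that happen to share a passphrase.
    """
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: "password" / "IEEE"
    print(pmk_hex("password", "IEEE"))
    print(ssid_salts_pmk("password", "IEEE", "IEEE2"))
```

The 4096 PBKDF2 iterations are a fixed cost per candidate passphrase; an auditor estimating how long a wordlist attack against a given network would take can multiply the wordlist size by the per-call time of derive_pmk on the hardware in question.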

The combination of Open Authentication, No Encryption is widely used in guest access systems such as providing

WiFi Attacks with Bettercap & Pwnagotchi
Daniel Dieterle

In this article, we will look at Bettercap, one of the best network recon & attack tools available. The tool author has
spent a lot of time creating an extensive installation and usage Wiki, which I highly recommend. So, this will not be a
thorough step-by-step tutorial. Rather, it will be a quick usage guide for WiFi key and handshake attacks with the
tool. We will also briefly cover Evilsocket's latest WiFi attack tool based on Bettercap - the ridiculously cute and
intelligent Raspberry Pi Zero W based "Pwnagotchi".

Installation Overview

Tool Author: Evilsocket

Tool Website: https://www.bettercap.org/

Tool Wiki: https://www.bettercap.org/usage/

Install Bettercap following the instructions in the Bettercap Wiki; there are several options available. In this article, I
will cover installing the latest and greatest version of Bettercap in Kali Linux. These instructions will work on both a
standard Kali Linux install and a Raspberry Pi (RPi) Kali Linux install. I use a Raspberry Pi in this article, but
following the exact same instructions, you can use it on a standard Kali desktop. I prefer to use it on a Raspberry Pi as
a “drop box” type unit - a unit that you leave on a target site, and then remote into it. You can easily connect to
Bettercap remotely using the Web UI, which I cover in this article.

Disclaimer: The information in this article is for informational use only. It is illegal to access or attempt to
hack any network, wired or wireless, that does not belong to you or that you do not have permission to test. This is
just a quick overview of both tools; it is imperative to read and understand the tool author's documentation, as it
is important to fully understand these tools before usage.

Enough intro, let’s get started!

Cracking Wireless with Fern Wifi Cracker
Jeff Minakata

In this article, we will be looking at the Python program Fern Wifi Cracker for cracking wireless passwords. Fern is a
powerful and easy to use program that comes preloaded in Kali Linux. As with any pentest, be sure to only test on your
own network.

Equipment used:

In this article, I am using Kali Linux version 2018.3 running on a laptop. You can run Kali from a VM. If you do, you
will also need to use a secondary wireless adapter. My personal recommendation for this is the Alfa AWUS036NH High
Gain USB Wireless G adapter. The adapter is pretty inexpensive and has a high-gain antenna. Be sure that whatever
wireless adapter you use is capable of monitor mode, as not all wireless cards will work.

Before we begin, it’s always best to make sure that our Kali OS is up-to-date. Open a terminal and enter the following
command:

apt-get update && apt-get upgrade

Hacking WPA2 Wi-Fi password using Evil Twin Attack | DNSMASQ and Hostapd
Debojyoti Chakraborty

Wireless protocols have evolved drastically in terms of secure Wi-Fi access since 2003, after the invention of WPA.
These days, wireless networks have become a part of our daily life. Almost every home, business, corporate office,
store, factory and institution has its own wireless AP (Access Point). Moreover, to make the internet free for every
individual, some organizations have set up public open Wi-Fi APs in almost every public place, like airports, railway
stations, libraries, bus terminals, etc. But when it comes to security, even after implementing the best security
practices available, a wireless network will always be less secure than a wired network, just as David Bernstein once
said, "FOR EVERY LOCK, THERE IS SOMEONE OUT THERE TRYING TO PICK IT OR BREAK IT".

An Evil Twin is a rogue Wi-Fi AP (Access Point): the attacker creates a fake AP to lure users into thinking it is a
trusted wireless network. The attacker amplifies the signal so that the victim's device automatically connects to the
rogue AP because of its faster beaconing and stronger range.

Practical Scenario: The logic behind an Evil Twin attack is simple: you just have to create a fake access point with
the same name as the targeted Wi-Fi. Then you need to create a webpage telling the victim that they need to enter the
password to access the internet, and store what they enter in a database.
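From the defender's side, the property that makes an Evil Twin work (a second AP advertising a trusted SSID) is also what makes it detectable. The following added example, which is not part of the original article, walks a constructed list of beacon observations and flags any beacon that advertises a managed SSID from a BSSID that is not on the organisation's allowlist, rating the finding higher when the suspect AP is heard louder than every legitimate AP for that SSID (the "strong signal" lure described above). The Beacon record, the sample beacons and the allowlist are all invented for the example; a real wireless IDS would feed it from captured beacon frames.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed 802.11 beacon frame (fields a wireless IDS would extract)."""
    ssid: str
    bssid: str      # MAC address of the advertising AP
    channel: int
    rssi: int       # received signal strength in dBm (closer to 0 = stronger)


# Allowlist of the BSSIDs that legitimately serve each managed SSID (constructed).
KNOWN_APS = {
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "GuestNet": {"00:11:22:33:44:57"},
}

# Constructed beacon observations for the example; not a real capture.
SAMPLE_BEACONS = [
    Beacon("CorpWiFi", "00:11:22:33:44:55", 6, -60),
    Beacon("CorpWiFi", "00:11:22:33:44:56", 11, -62),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -35),   # same SSID, unknown BSSID, very strong
    Beacon("GuestNet", "00:11:22:33:44:57", 1, -70),
    Beacon("CoffeeShop", "66:77:88:99:aa:bb", 1, -80),  # not an SSID we manage; ignored
]


def find_rogue_aps(beacons, known_aps):
    """Return (beacon, severity) for beacons advertising a managed SSID from an
    unlisted BSSID.

    severity is "high" when the suspect AP is heard louder than every legitimate
    AP for that SSID (a rogue placed close to the victims), otherwise "medium".
    """
    # Strongest legitimate signal seen per SSID, used to judge the lure.
    strongest_legit = {}
    for b in beacons:
        if b.ssid in known_aps and b.bssid.lower() in known_aps[b.ssid]:
            strongest_legit[b.ssid] = max(strongest_legit.get(b.ssid, -200), b.rssi)

    findings = []
    for b in beacons:
        if b.ssid not in known_aps:
            continue                      # SSID we do not manage
        if b.bssid.lower() in known_aps[b.ssid]:
            continue                      # legitimate AP
        louder = b.rssi > strongest_legit.get(b.ssid, -200)
        findings.append((b, "high" if louder else "medium"))
    return findings


if __name__ == "__main__":
    for beacon, severity in find_rogue_aps(SAMPLE_BEACONS, KNOWN_APS):
        print(f"[{severity}] SSID {beacon.ssid!r} from unknown BSSID {beacon.bssid} "
              f"on channel {beacon.channel} ({beacon.rssi} dBm)")
```

The allowlist is the important input: without an inventory of legitimate BSSIDs per SSID, a monitor cannot tell a new corporate AP from a twin, so the inventory should be maintained alongside the AP deployment records.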

Prerequisites: Below is a list of hardware and software used in this article. You can use any hardware as long as it is
compatible with the software you will be using.

Hardware Used:

• A laptop (4 GB RAM, Intel i5 processor)

• USB wireless TP-LINK adapter – 150 Mbps (TP-Link WN722N)

NetAttack2 and Cracking Wireless Network
Ome Mishra

Hello hacking folks,

This is my first article on Hakin9 and in this article I am going to introduce you to a tool that is OLD but GOLD. First
of all, this is for educational purposes only; I am not responsible for any misuse.

NETATTACK2

So what is it? NETATTACK 2 is a Python script that scans and attacks local network devices as well as wireless
networks. There are different modules for different attacks. As it is very simple and easy to understand, you don't need
much knowledge to run this tool. Everything is super easy because of the GUI, which makes it unnecessary to remember
commands and parameters.

How to download: You can find the whole detailed guide here: https://github.com/chrizator/netattack2. However, below
I will present the steps of the installation process.

Requirement:

1. Linux (Kali Linux preferred)

Cracking WPA using Reaver
sparksp33dy

Cracking Wi-Fi has always been a keen interest for novices, being one of the first few things to try when getting into
the world of hacking and penetration testing. A key reason for this is a vulnerability landscape that keeps producing
new weaknesses. The improved WPA/WPA2 protocol is much better than WEP in terms of security, but has still proven to be
hackable. In 2006, due to the rapid increase in the use of Access Points, WPS was introduced to make setup convenient
for everyday use: pressing a button on the access point and on the client device at the same time sets up a WPA
connection. However, in 2011, a design flaw in the registrar (the device or service that issues and revokes credentials
for a network) was discovered in the standard, which made the WPS PIN used by WPS devices susceptible to brute force
requiring only 11,000 attempts. After the discovery of the vulnerability by Stefan Viehböck, Craig Heffner developed
the first version of Reaver, which became the first open-source and the most famous tool exploiting this vulnerability,
and which comes preinstalled in Kali Linux.

DEMONSTRATION

• Put the network adapter in monitor mode:

Run the airmon-ng check kill command to stop any interfering processes:

Then run airmon-ng start wlan1 (it can be wlan0 depending on your wireless interface) to put the wireless adapter
into monitor mode:

The message at the bottom names wlan1mon as the monitor interface. To confirm, run iwconfig:

Crack any WPA/WPA2 WiFi password using Fluxion – no password list required
Richard Azu

Introduction

Truth be told, there is no wireless network that is 100% secure. The only way to fully secure a wireless network is to
disable it – hiding the SSID is not enough. This article will introduce Fluxion and demonstrate how it is used together
with Aircrack-ng to hack any WPA/WPA2 wireless password, no matter how complex it is. The systems required for this
demonstration are:

I. Computer running Kali Linux OS – minimum of 1GB memory, internal wireless card and 50GB hard-disk
space

II. Wireless card must support monitor mode

III. Fluxion tool

Testing wireless card for monitor mode compatibility

In order to successfully run the Fluxion tool, it is recommended to first test the wireless card installed in your PC
for monitor-mode compatibility.

To do this, launch a terminal and type the command iw list for a full list of the capabilities of the installed physical
wireless card. If the list of supported interface modes includes monitor, the installed wireless card is compatible
with this demonstration.
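Both the Aircrack-ng article's monitor-mode prerequisite and the iw list check described here come down to reading the "Supported interface modes" section of iw list, which is easy to misread on a machine with more than one radio. The following added example (my own code, not Fluxion's or Aircrack-ng's) parses that section for every Wiphy and reports which radios advertise monitor mode; it also honours the "software interface modes" block, where some drivers list monitor mode. When real output is piped in (iw list | python3 check_monitor.py) it parses that, otherwise it runs on a constructed, abridged excerpt embedded in the script.

```python
import re
import sys

# Constructed, abridged excerpt of `iw list` output (not a real capture).
SAMPLE_IW_LIST = """\
Wiphy phy0
    max # scan SSIDs: 20
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * P2P-client
    software interface modes (can always be added):
         * AP/VLAN
         * monitor
    Band 1:
        Capabilities: 0x19ef
Wiphy phy1
    Supported interface modes:
         * managed
    Band 1:
        Capabilities: 0x1062
"""

# Both headings introduce a bullet list of interface modes in iw's output.
MODE_SECTIONS = (
    "Supported interface modes:",
    "software interface modes (can always be added):",
)


def parse_interface_modes(text):
    """Map each Wiphy (physical radio) to the set of interface modes it advertises."""
    modes = {}
    current = None
    in_modes = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Wiphy (\S+)", line)
        if m:
            current = m.group(1)        # a new radio starts here
            modes[current] = set()
            in_modes = False
            continue
        if current is None:
            continue                    # text before the first Wiphy
        if line in MODE_SECTIONS:
            in_modes = True
            continue
        if in_modes:
            if line.startswith("* "):
                modes[current].add(line[2:].strip())
            else:
                in_modes = False        # first non-bullet line ends the section
    return modes


def monitor_capable(text):
    """Names of radios whose mode list includes 'monitor', in the order listed."""
    return [phy for phy, m in parse_interface_modes(text).items() if "monitor" in m]


if __name__ == "__main__":
    # Usage: `iw list | python3 check_monitor.py`; falls back to the sample when run bare.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IW_LIST
    capable = monitor_capable(text)
    print("monitor mode:", ", ".join(capable) if capable else "no radio supports it")
```

Note that monitor mode being listed does not guarantee packet injection works; that depends on the driver and is tested separately.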


Figure 1. Checking wireless card for monitor-mode compatibility

Fluxion – the future of wireless hacking

Fluxion is basically a security auditing and social-engineering research tool¹. It combines technology and social
engineering to convince users to give up their wireless passwords, no matter how strong or complicated the password is.
Having the most complicated password cannot protect users against a Fluxion attack because it is based on social
engineering. The advantage of Fluxion is that it has simplified wireless hacking by removing the need to brute-force a
network with hundreds to thousands of passwords from a list.

Theoretical summary of a Fluxion attack:

a) Download, install and launch Fluxion tool

Pentest: Wireless Network Attacks and tips on how to make attacks more efficient
Joas Antonio, Felipe Gomes, Thiago Vieira

Performing an infrastructure pentest is laborious, but have you ever wondered how a pentest works on wireless networks?
Many companies hire professionals to audit their wireless network infrastructure. This demand is driven by the growing
number of devices connected to the IoT (Internet of Things): many companies have IoT devices connected without any
protection, leaving them exposed to attacks and vulnerabilities that can compromise the integrity and availability of
the devices. Therefore, knowing how to pentest wireless networks is essential to ensure that the wireless infrastructure
is not compromised and that criminals do not take control of devices that use this technology, eliminating the danger
of these devices becoming botnets or leaking data.

Introduction

Before we begin our testing, we will set up our laboratory; after all, we will not use real environments, but laboratories
controlled by me which will simulate a real attack. This laboratory will contain:

• Kali Linux (the machine that I use for the attacks)

• Recommended adapters:

• TP-Link WN722N

• ALFA AWUS036NHA

• ALFA AWUS036NH

"You can use other adapters, but ensure that they support monitor mode and packet injection and are
compatible with Kali Linux."

Planning

How to plan an attack on a wireless network

1. List the tools you will use in the attack

2. Identify your target

3. Learn what the network is used for and who uses it within the company (visitors? workstations? only IoT
devices? etc.)

4. Use powerful machines to perform the attack

5. Only use aggressive methods if no other options remain.


Practice

Now let us put into practice some methods to compromise a wireless network. Note that the methods presented are used
in controlled environments configured to receive attacks. In a real network, you will come across many security
mechanisms that restrain these attacks, so you will need to study these types of mechanism (WIDS, WIPS, honeynets,
hardening and other safety devices). Furthermore, many wireless networks have strong authentication configured on a
RADIUS server. In this environment, we will present attacks using the following tools:

• Aircrack-ng: A complete suite of tools to pentest and audit wireless networks

• Reaver: A tool for brute-force attacks on WPS

• Bully: Another tool for brute-force attacks on WPS

• CoWPAtty: A tool that speeds up brute-force attacks by using pre-computed keys

• Genpmk: Works in conjunction with CoWPAtty; its job is to generate the pre-computed (rainbow-table style) key list

• Wifite2: A tool to simplify and automate a wireless network pentest

• Fluxion: A tool that uses social engineering to compromise a wireless network

These are the tools that we will use in our demonstrations. To begin, we will demonstrate basic password cracking
against the WPA2 and WPS protocols, using the tools presented with different methods. Before going into practice, we
will check whether our network adapter supports monitor mode and packet injection:

First we list our wireless network card; by default it is usually wlan0, but you may end up running into another
name.

After this, just start monitor mode on our network card:

THC Hydra, The Next Generation
Andrea Cavallini

HISTORY PILLS

A password is a secret word used in the user verification procedure of many applications in order to access records
and assets. A secret key shields our data from unauthorized access. From the beginning of cybersecurity, and more
generally from the time people first needed to protect their information, passwords have been used to increase the
security of communications. However, if a password exists, there is also a method to try to break it. Over the years,
attacks have improved in effectiveness and performance, moving from testing combinations of characters to testing
prepared words, with a considerable gain in cracking time. The methodologies that we are going to explain are called
the brute force attack and the dictionary attack.

BRUTE FORCE ATTACK

Starting from a set of characters and trying every combination of them, a brute force attack aims to identify a
password. The time needed depends on the computer's CPU and on how many and which characters are used. This method
consists of trying all possible combinations of letters, special characters and numbers until it finds the right
sequence. This type of attack is not efficient because it requires a number of tests that can take a very long time to
execute, depending on the password complexity.

DICTIONARY ATTACK

An alternative to the brute force attack is the dictionary attack. Its purpose is the same, but it tests a password or
an encrypted code against a precise and finite set of strings that we have already generated and stored in a file
called a dictionary. This method reduces processing time and makes the attack more efficient.

MODERN APPROACH TO PASSWORD CRACKING

When we speak about password cracking, the modern approach is oriented toward the dictionary attack, because
performance and accuracy are the most important requirements. Our task is simpler if the dictionary used is complete
and the rules used are efficient. In most cases, when trying to recover a user's password, the dictionary attack is the
best method because users usually choose ordinary words as passwords. The situation becomes more complicated if the
system uses random combinations of alphanumeric characters; in this case the brute force attack is the only option, even
though the time required is greater than for a dictionary attack.
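The difference between the two methods is easiest to see in numbers. The following added example (not from the article) implements both against a locally computed SHA-256 digest: the dictionary attack walks a constructed six-word list, the brute-force attack enumerates every string over a character set up to a given length, and each returns the number of guesses it needed; keyspace_size gives the worst case the brute-force path must cover. Run as written, it shows a common word falling in four guesses while even a three-character random string costs over a thousand, which is the argument for long, non-dictionary passwords. All function names and the sample word list are my own.

```python
import hashlib
import itertools
import string


def sha256_hex(text: str) -> str:
    """Hash a candidate the way a stored password digest would be compared."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed mini-dictionary standing in for a real wordlist file.
SAMPLE_DICTIONARY = ["123456", "password", "qwerty", "dragon", "letmein", "monkey"]


def dictionary_attack(target_hash, wordlist):
    """Try each dictionary word in order; return (match, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if sha256_hex(word) == target_hash:
            return word, guesses
    return None, guesses


def brute_force(target_hash, charset, max_len):
    """Enumerate every string over charset of length 1..max_len, shortest first."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace_size(charset_len, max_len):
    """Worst-case number of guesses for brute force up to max_len characters."""
    return sum(charset_len ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    alnum = string.ascii_lowercase + string.digits          # 36 symbols
    print(dictionary_attack(sha256_hex("dragon"), SAMPLE_DICTIONARY))   # a common word
    print(brute_force(sha256_hex("ab1"), alnum, 3))                     # a short random string
    print(keyspace_size(len(alnum), 8))   # why brute force stalls on longer passwords
```

The same guess counts apply whatever the hash is; what changes between a fast digest like SHA-256 and a slow one like the PBKDF2 used by WPA2-PSK is the cost per guess, so a slow hash multiplies the attacker's total time without changing how many guesses the dictionary saves.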

FROM JOHNNY THE RIPPER TO THE FUTURE: HYDRA

John the Ripper is the most important password cracker developed and available for Unix, Windows and macOS. It's fast
and free and can perform both types of attack, brute force and dictionary. It's a tool included in Kali Linux and can be
considered the father of the most modern and flexible network password cracker: Hydra.
