Similar presentations:
lecture 4 Aliya Abdiraman
1.
H AC K I N G LABLecture 4. Network hacking. Gaining access. WPA and WPA2 cracking
Senior-lecturer: Aliya Abdiraman, School of Cybersecurity
2. W E E K O U T L I N E S
WEE K OUTLI N E S• Wi-Fi technology basics
• Introduction to OPN,WPA2 and WPA3
• Hacking WEP & WPA2
3. History
Wi-Fi was developed in 1998 at the Commonwealth Scientific and Industrial ResearchOrganisation (CSIRO) in Canberra, Australia. The key contributor to this technology was engineer
John O'Sullivan, along with his research team, who were originally working on wireless signal
processing techniques for radio astronomy.
Wi-Fi was originally promoted with the slogan “The Standard for Wireless Fidelity,” which can
be translated as “a standard of wireless precision (or reliability).”
Later, the technology received the shortened name “Wireless Fidelity,” which eventually
evolved into the widely used term “Wi-Fi.”
4. History
In the early stages of wireless networking development, a key role was played by thecollaboration between NCR Corporation and AT&T. These companies worked together
through their research and engineering divisions to create one of the first practical wireless
local area network (WLAN) technologies.
This joint effort resulted in a system called WaveLAN, which is considered a direct
predecessor of modern Wi-Fi. WaveLAN was designed primarily for commercial and
enterprise environments, particularly in retail and logistics.
5. Standards
IEEE 802.11 is a set of communication standards for wireless local area networks (WLANs),operating in frequency bands of 0.9 GHz, 2.4 GHz, 3.6 GHz, 5 GHz, and 60 GHz.
•802.11n (Wi-Fi 4) – introduced increased data transfer speeds of up to 600 Mbps. Operates in
the 2.4–2.5 GHz or 5 GHz bands. Backward compatible with 802.11a/b/g (standardized in
September 2009).
•802.11ac (Wi-Fi 5) – a newer IEEE standard with data rates of up to 6.77 Gbps for devices
equipped with up to 8 antennas. Approved in January 2014.
•802.11ax (Wi-Fi 6) – an advanced standard supporting speeds of up to 10,747 Mbps (≈10.7
Gbps), with improved efficiency and performance in dense environments.
•802.11be (Wi-Fi 7) – supports 2.4 GHz, 5 GHz, and 6 GHz frequency bands. Provides data rates
of up to 30 Gbps for devices with up to 16 antennas. The Wi-Fi 7 certification program was
launched by the Wi-Fi Alliance in January 2024.
6. Wi-Fi 8 (802.11bn) - Ultra High Reliability (UHR)?
Wi-Fi 8 (IEEE 802.11bn) is a new initiative by the IEEE, with standardization expected by 2028.The main objectives of Wi-Fi 8 focus on improving network performance in real-world conditions,
especially in dense and mobile environments:
•Enhanced reliability
•Lower latency
•Reduced packet loss, particularly under heavy network load or during roaming between access
points
The concept of UHR (Ultra High Reliability) defines the key performance targets:
•+25% throughput improvement
•–25% latency (at the 95th percentile)
•–25% packet loss during roaming
7. Standards
•802.11ah (Sub-1 GHz, ~900 MHz) – designed for extended coverage and IoT applications.Provides longer range and lower power consumption, making it suitable for smart devices and sensor
networks.
•802.11 a/b/g/n/ax (2.4 GHz band) – widely used frequency range with good coverage and wall
penetration, but more susceptible to interference due to congestion.
•802.11 a/n/ac/ax (5 GHz band) – offers higher data rates and lower interference, but with shorter
range compared to 2.4 GHz.
8. Reading list
Историяhttps://habr.com/ru/company/zyxel/blog/528850/
https://ru.wikipedia.org/wiki/Wi-Fi
http://www.seoded.ru/istoriya/internet-history/wi-fi.html
Частоты и стандарты
https://www.electronics-notes.com/articles/connectivity/wifi-ieee-802-11/channels-frequencies- bands-
bandwidth.php
https://gsm-repiteri.ru/preimushchestva-wifi-5-ggc
https://wifigid.ru/besprovodnye-tehnologii/chastoty-wi-fi
https://ru.wikipedia.org/wiki/IEEE_802.11
Нормативные документы
https://online.zakon.kz/Document/?doc_id=31046023
http://law.gov.kz/client/#!/doc/20494/rus
9. Equipment
A Wi-Fi router is a device that performs the functions of a router while also incorporating thecapabilities of a wireless access point, enabling devices to connect to a network both via cables
and wirelessly.
A Wi-Fi access point is a device designed to provide wireless access to an existing network or to
create a new wireless network for connected devices.
10. What is the difference?
11. Characteristics of Wi-Fi
Transmitter power – is typically specified in two units: mW (milliwatts) and dBm (decibelsreferenced to 1 milliwatt).
•Receiver sensitivity – is the minimum signal level at which the receiver is still able to decode a
weak signal correctly.
It is usually expressed in negative dBm values and often labeled in software as RX Power.
This parameter is measured relative to power, but in negative values, meaning that the lower
(more negative) the value, the more sensitive the receiver is (i.e., it can detect weaker
signals).
Antenna gain is a parameter that indicates the ability of an antenna to transmit and receive signals in a
specific direction, effectively focusing energy to improve signal strength and coverage in that direction.
12. Frames and Packets in Networking
Frames are logically structured units of data usedat the data link layer (Layer 2) of the OSI model. A
frame acts as a container that organizes data in a
specific format so it can be transmitted over a
physical medium (such as Ethernet or Wi-Fi).
A packet is a unit of data transmitted across a
network at the network layer (Layer 3). It
represents a complete piece of information that is
sent from one device to another across potentially
multiple networks (e.g., over the Internet).
In simple terms:
•Packet = logical data unit for routing across
networks
•Frame = physical transmission unit within a local
network
13. Frame Structure
A frame header contains important control informationrequired for data transmission, including:
•Destination information – indicates where the frame is being
sent (e.g., MAC address)
•Data rate / transmission speed – defines how fast the data is
transmitted
•Encryption parameters – specifies the cipher suite used to
protect the data
•Fragmentation information – indicates whether the frame is
fragmented or not
14. Types of frames
All IEEE 802.11 frames belong to one of three maincategories:
•Management frames
•Control frames
•Data frames
Protocol Version and Type Fields
•The Protocol Version field is always set to 00,
indicating that the frame follows the 802.11 standard.
•The Type field specifies the general category of the
frame:
• Management
• Control
• Data
•The Subtype field provides more detailed information,
identifying the specific function of the frame within its
type (e.g., beacon, acknowledgment, request, etc.).
15. Overview of Basic Tools
Aircrack-ng SuiteThe Aircrack-ng suite is a collection of tools used for analyzing and testing the security of
wireless networks.
It includes several key utilities:
•airmon-ng – used to enable monitor mode on wireless network interfaces, allowing the capture
of all wireless traffic in the air.
•airodump-ng – a packet capture and traffic analysis tool. It collects wireless traffic and saves
it into files such as PCAP or IVS, while also displaying real-time information about nearby
networks (SSID, BSSID, channel, signal strength, encryption type, connected clients, etc.).
•aireplay-ng – a packet injection tool that can generate and replay traffic. It is commonly used
to simulate attacks (e.g., deauthentication) or to speed up the collection of data for analysis.
•aircrack-ng – used to recover (crack) WEP and WPA/WPA2 keys by analyzing captured packets
and applying various cryptographic techniques.
Wireshark
Wireshark is a powerful network traffic analyzer used for inspecting data traveling across
networks such as Ethernet, Wi-Fi, and others.
16. AIRMON-NG
17. AIRMON-NG
18. AIRODUMP-NG
airodump-ng <опции> <интерфейс>[,<интерфейс>,...]-w <префикс>
Создавать ли файл дампа. Если эта опция не задана, то данные будут только показаны на экране.
-c <канал>
Указывает канал(ы) для прослушивания. ПО умолчанию airodump-ng прыгает по каналам
2.4GHz.
--band <abg>
Указывает диапазон, по которому airodump-ng должен прыгать. Это может
быть
комбинация букв 'a', 'b' и 'g' ('b'
и 'g’ используют 2.4GHz а 'a' использует 5GHz).
--bssid <bssid>
Будут показаны только сети, соответствующие заданной bssid.
--essid
Фильтровать ТД по ESSID. Можно использовать несколько раз для поиска по ESSID.
19. Parameters
•BSSID – the MAC address of the access point.In the client section, “(not associated)” means that the client is not currently connected to any access
point.
•PWR (Power) – the signal strength level reported by the wireless adapter.
Typically shown in negative values (e.g., –40 is stronger than –80).
•RXQ (Receive Quality) – displayed only when monitoring a fixed channel.
It represents the percentage of successfully received packets (management and data frames) over the
last 10 seconds.
•Beacons – the number of beacon frames transmitted by the access point.
These frames are periodically broadcast to announce the network’s presence.
#Data – the number of captured data packets.
•For WEP networks, only unique IVs (Initialization Vectors) are counted
•Includes both unicast and broadcast data packets
•#/s – the number of data packets per second, calculated over the last 10 seconds.
•CH (Channel) – the channel number used by the access point, obtained from beacon frames.
•MB (Max Bitrate) – the maximum data rate supported by the access point.
•ENC (Encryption) – indicates the encryption algorithm used by the network (e.g., WEP, WPA, WPA2,
WPA3).
20.
Additional airodump-ng Field Descriptions•CIPHER – the encryption cipher detected.
Possible values include:
• CCMP (used in WPA2/WPA3, AES-based)
• TKIP (older WPA encryption)
• WRAP (rare/obsolete)
• WEP, WEP40, WEP104 (legacy encryption methods)
AUTH (Authentication) – indicates the authentication method used:
•MGT (Management) – WPA/WPA2 Enterprise using an external authentication server (e.g., RADIUS)
•SKA (Shared Key Authentication) – used in WEP with a shared key
•PSK (Pre-Shared Key) – used in WPA/WPA2 Personal
•OPN (Open) – no authentication (open network or open WEP)
ESSID – the network name (SSID).
It may appear empty if SSID hiding is enabled on the access point.
STATION – the MAC address of each client device:
•Includes both associated clients and those searching for networks
•Clients not currently connected will show BSSID as “(not associated)”
Lost – the number of packets lost that were sent from the client but not successfully received.
Packets – the total number of data packets transmitted by the client.
Probes – shows the ESSIDs (network names) that the client is probing for.
These are networks the client is trying to connect to when it is not currently associated with any access
point.
21. WI-FI PROTECTED ACCESS
WPA (Wi-Fi Protected Access) was introduced as an interim solution to replace the insecureWEP standard while waiting for the full implementation of the IEEE 802.11i security standard. It
was designed to significantly improve wireless security without requiring entirely new hardware.
WPA2, officially ratified in 2004, replaced WPA and became the mandatory security standard
for Wi-Fi networks. It is based on the full IEEE 802.11i specification.
Overall, the evolution from WPA → WPA2 → WPA3 reflects the continuous effort to strengthen
wireless network security in response to emerging threats and increasing demand for reliable and
secure connectivity.
22. O P N , W E P , W P A 2 A N D W P A 3
OP N , WEP, WPA2 AN D WP A3An OPN (Open Network) is a wireless network that does not use any encryption. This means that users
can connect to the network without entering a password. While this provides convenience, it also creates
significant security risks. All data transmitted over an open network is sent in plain text, which allows
attackers to easily intercept and analyze the traffic. Open networks are commonly found in public places
such as cafes, airports, and hotels, but they should always be considered insecure.
23. O P N , W E P , W P A 2 A N D W P A 3
OP N , WEP, WPA2 AN D WP A3WEP (Wired Equivalent Privacy) is an outdated encryption standard that was originally designed to
provide a level of security similar to wired networks. However, due to weaknesses in its design, WEP is
now considered highly insecure. It uses the RC4 encryption algorithm and relies on small key sizes and
reused initialization vectors. These flaws make it possible for attackers to recover the encryption key
within minutes using specialized tools such as aircrack-ng. For this reason, WEP is no longer used in
secure environments but is still commonly included in educational labs to demonstrate basic wireless
attacks.
24. O P N , W E P , W P A 2 A N D W P A 3
OP N , WEP, WPA2 AN D WP A3WPA2 (Wi-Fi Protected Access 2) is a much more secure and widely used encryption standard. It uses
the AES-based CCMP protocol, which provides strong data protection when configured properly. WPA2
networks typically use a pre-shared key (PSK), which is a password required to access the network, or an
enterprise authentication method using a centralized server. Unlike WEP, WPA2 cannot be easily
cracked directly. Instead, attackers must first capture a handshake between a client and the access
point and then perform a dictionary or brute-force attack to guess the password. The strength of WPA2
security depends heavily on the complexity of the password.
25. O P N , W E P , W P A 2 A N D W P A 3
OP N , WEP, WPA2 AN D WP A3WPA3 is the latest generation of WiFi security protocols, designed to address the weaknesses found in
previous standards such as WPA2. It provides stronger encryption, improved authentication
mechanisms, and better protection against modern attacks. One of the key features of WPA3 is the use
of SAE (Simultaneous Authentication of Equals) instead of the traditional pre-shared key (PSK)
mechanism used in WPA2. SAE is also known as the “Dragonfly handshake” and is designed to prevent
attackers from performing offline dictionary attacks. WPA3 introduces forward secrecy, which ensures
that even if a password is compromised in the future, previously captured traffic cannot be decrypted.
This provides an additional layer of protection for sensitive communications. Another important
improvement is enhanced encryption strength. WPA3 uses stronger cryptographic algorithms and
enforces better security configurations by default. For example, it requires the use of protected
management frames and eliminates outdated and insecure protocols.
26. O P N , W E P , W P A 2 A N D W P A 3
OP N , WEP, WPA2 AN D WP A3Although WPA3 significantly improves wireless security, it is not completely immune to attacks. For
example, misconfigurations or weak passwords can still introduce vulnerabilities. However, compared to
WEP and WPA2, WPA3 represents a major advancement in protecting wireless communications.
WPA3 is currently the most secure WiFi encryption standard, offering strong protection against common
attack techniques and addressing many of the limitations of earlier protocols.
27. Wi-Fi protected access
28. THE 4-WAY HANDSHAKE
The 4-way handshake is a process in which four messages are exchanged between a wirelessaccess point (authenticator) and a client device (supplicant) to securely generate and confirm
encryption keys used for protecting data transmission.
This mechanism is used in WPA/WPA2/WPA3 networks and plays a critical role in establishing a
secure connection after authentication.
29. Keys
30.
31. W I R E L E S S H A C K I N G
WI R E LES S H AC KI N GOver time, many homes and organizations have moved toward wireless networks. One of the reasons people
are switching to wireless networks is to overcome physical limitations. From a hacker’s perspective, wireless
networks are an easy target; when compared with wired networks, they are easy to sniff and attack.
Requirements for wireless hacking:
• Wireless access point
• Wireless adapter supporting packet injection
The access point is required because we don’t want to attack the neighbor’s access point, because it would be
unethical,and as a penetration tester or an ethical hacker, you should make sure that you follow ethics.
The second and the most important requirement is a wireless adapter that supports packet injection and is also
able to sniff in the monitor mode.
32. I N T R O D U C I N G W I - F I L A B S
I N TR OD UC I N G WI - FI LA B S33. W I - F I C H A L L E N G E L A B S
WI - FI C HALLE N GE LA B S34. U S E F U L L I N K S & R E C O M M E N D E D T O O L S
US E FUL LI N KS & R EC OM M EN D ED TOOLS• https://github.com/koutto/pi-pwnbox-rogueap/wiki
• wifi_db
• aircrack-ng
• airgeddon
• eaphammer
• hashcat
35.
When you open VirtualBox for the first time, you will see the main manager window. This is the central place where all virtualmachines are created, managed, and monitored.
At the top, there is a toolbar with key actions: Create, Open, Import and Export.
VirtualBox allows importing pre-configured virtual machines using the Import function. In the “Import Configuration” window:
The user selects the source of the VM (usually Local File System); then specifies the path to a file (typically .OVF or .OVA.
These formats contain a complete virtual machine (OS, settings, disk).
36.
At this stage, we need to select the virtual machine file from the local system. The file explorer window shows theDownloads directory, where the file “WiFiChallenge Lab v2.4.2” is located. This file is in OVA format, which is a
packaged virtual machine containing: virtual disk system configuration metadata
To proceed navigate to the folder where the VM file is stored and select the .ova file. Click Open. This step is
essential because VirtualBox needs a valid VM image to import and deploy.
37.
After the import is completed, the virtual machine can be started from the VirtualBox Manager.The system boots into the WiFiChallenge Lab environment A graphical interface is displayed, indicating the VM is
functioning correctly. The desktop includes standard system icons and a lab-specific interface. This confirms that:
the virtual machine was successfully imported and the environment is ready for use
38.
As a first step, we run command ip a.This command is used to display all
available network interfaces on the
system along with their configuration.
The output lists multiple network
interfaces, each with detailed
information, for example:
1.
2.
Loopback Interface (lo) Address:
127.0.0.1 Used for internal
communication within the system
Always active and required for
system processes
Ethernet Interface (eth0 /enp0s3)
Assigned IP address: 10.0.2.15
Status: UP (active) This is the main
network interface used for internet
connectivity in the virtual machine
Typically provided by VirtualBox
using NAT networking
39.
This command is used todisplay and configure
wireless network interfaces
in Linux systems.
The output distinguishes
between non-wireless and
wireless interfaces:
1. Non-Wireless Interfaces
such as: lo (loopback) eth0
(Ethernet) docker0, br-xxxx,
vethxxxx. This means these
interfaces do not support
WiFi functionality and they
cannot be used for wireless
attacks.
40.
2. Wireless Interfaces suchas: wlan0, wlan1, wlan2,
etc.
Each interface shows:
• Standard: IEEE 802.11
(WiFi protocol)
• Mode: Managed This
means the interface is
operating as a normal
client
• Access Point: NotAssociated The interface
is not currently
connected to any WiFi
network
• Tx-Power: Transmission
power (e.g., 23 dBm, 26
dBm)
• Encryption key: Off
• Power Management: Off
41. A I R M O N - N G
AI R M ON - N GAirmon-ng is a command-line tool that is specifically designed for putting wireless network interfaces
into monitor mode. In monitor mode, a network interface can capture and analyze all wireless traffic
within its range. This makes it an essential tool for security professionals who want to assess the security
of wireless networks and identify potential vulnerabilities. Airmon-ng is part of the Aircrack-ng suite,
which is a set of tools aimed at assessing the security of Wi-Fi networks. It works on various platforms,
including Linux, and can be used with a wide range of wireless network adapters.
42.
airmon-ng start wlan0This command switches
the wireless interface
wlan0 from Managed
mode to Monitor mode.
Monitor mode allows
capturing all wireless
traffic in the air.
airmon-ng check kill –
stops interfering services.
43. A I R M O N - N G K E Y F E A T U R E S
AI R M ON - N G KE Y FEATUR ESAirmon-ng offers a range of features that are crucial for setting up an attack with it:
• Monitor Mode: Airmon-ng allows you to easily put your wireless network adapter into monitor mode. In
this mode, the adapter can capture all wireless traffic, including data packets and management
frames.
• Interface Management: You can use Airmon-ng to list available wireless network interfaces, enable
monitor mode on a specific interface, and disable monitor mode when you're done with your analysis.
• Channel Switching: It enables you to switch the channel your wireless adapter is monitoring, which is
crucial for analyzing different segments of the wireless network.
• Interface Configuration: Airmon-ng also provides the capability to configure wireless interfaces and set
various parameters, such as the interface name, channel, and capture file location.
44. A I R M O N - N G S T A R T W L A N 0
AI R M ON - N G S TAR T WLAN 0After enabling monitor mode:
• A new interface is created: wlan0mon
• The original interface (wlan0) is modified or disabled
This indicates:
• Monitor mode is successfully activated
• The system is ready for packet capture
45. A I R M O N - N G S T A R T W L A N 0
AI R M ON - N G S TAR T WLAN 0Driver and Chipset Information
The output shows: Driver: mac80211_hwsim. This is a software-based WiFi simulator. No physical WiFi
adapter is required. Multiple virtual wireless interfaces are created for lab simulation.
46. A I R M O N - N G : H O W T O S C A N A V A I L A B L E N E T W O R K S
AI R M ON - N G: HOW TO S C AN AVA I LA B LE N E TWOR KSStep 1. To scan for available networks by using Airmon-ng, follow these steps: open a terminal and
ensure your wireless adapter is in monitor mode. You can do this by running the following command:
sudo airmon-ng start <interface>
Replace <interface> with the name of your wireless adapter, such as wlan0 or wlan1.
Step 2. After enabling monitor mode, you can use Airmon-ng to scan for available networks by running
the following command:
sudo airodump-ng <interface>
This command will display a list of wireless networks in your area, including their SSIDs, BSSIDs (MAC
addresses), channels, signal strength, and encryption types.
47.
Results of a command:airodump-ng wlan0mon
This command is used to:
• Scan nearby WiFi
networks
• Capture information
about access points and
connected clients
• Prepare for further
wireless security analysis
48.
Channel numberEncryption type
Network name
MAC
address of
the access
point
MAC
address of
the client
Probes – networks the client is
searching for
49.
This command is used notonly to scan wireless
networks but also to capture
and store data for further
analysis.
wlan0mon - the wireless
interface in monitor
mode
-w /home/user/labs/scan
saves captured packets
to a file
--manufacturer displays
the vendor of the access
point
--wps shows WPS (Wi-Fi
Protected Setup)
information
--band abg scans
multiple frequency
bands (2.4 GHz and 5
GHz)
50.
BSSID - the access
point the client is
connected to
STATION - MAC
address of the client
device
PWR - signal
strength of the client
Rate - data
transmission rate
Lost - number of lost
packets
Frames - number of
captured packets
Probes - networks
the client is actively
searching for
51.
Practice-1. First, let us test OPN wireless network “wifi guest”. Run command:airodump-ng – c 6 –bssid F0:9F:C2:71:22:10 – w capture wlan0mon
It will save results to a file called similar to “capture-01.cap”
Second, open wireshark as shown on the left and start analyzing saved packets
from wifi guest.
52.
All packets are listed on wireshark53.
We can set a filter to “http”to monitor traffic. Set also filters such as dns, https, ftp,telnet and check if we’ve got any other packets.
54. What we are primarily interested in is analyzing traffic on an open (OPN) wireless network in order to identify sensitive data,
such as user credentials. Since open networks do not use encryption, transmitted data can becaptured and inspected.
To focus on relevant traffic, apply
the following filter:
http.request.method == "POST”
This filter helps identify HTTP
POST requests, which are
commonly used to transmit data
such as login credentials from a
client to a server.
55.
Navigate to “HTML Form URLEncoded..” and there we can see user
credentials such as username and
password in cleartext format.
Multiple devices (192.168.10.101,
.10.100, .10,102) are sending requests
to the server (192.168.10.1)
The requested resource is /login.php
And multiple users are attempting to log
in to a web application.
In other words, HTTP POST request
contains form data submitted by a user.
It’s his/her credentials.
56.
This filter is used to display HTTP packets thatcontain cookies, which are small pieces of data
used by web applications to maintain user
sessions.
In the packet details section, we can observe
the following field:
Cookie:
PHPSESSID=a7c31810ec33745acf6babc…
This is a session cookie, specifically:
PHPSESSID - a session identifier used by
PHP-based web applications It is assigned
after a user interacts with the server (often
after login). It allows the server to recognize the
user across multiple requests.
57.
Because the traffic is transmitted over HTTP(not HTTPS): The cookie is visible in plain text.
It can be intercepted by anyone monitoring the
network.
This creates a serious vulnerability because an
attacker can capture the session cookie and
then reuse it to impersonate the user.
This is how OPN wireless network could be
cracked and analyzed. Next, we test WPA2.
58.
For WPA2 we’ve got multiple ESSIDs.Let’s choose, as an example,
MiFibra-5-D6G3.
Run command airodump-ng with
channel and mac address specified
for MiFibra-5-D6G3.
59.
As you can see WPA2 will not easily show us STATIONlists. Hence, we need to use another tool called
aireplay-ng as shown on the right.
Full information:
BSSID: 7E:13:61:4B:62:BE
Channel: 6
ESSID: MiFibra-5-D6G3
Encryption: WPA2
60.
The parameters used in the command are:-0 :deauthentication attack mode
20 :number of deauthentication packets to send
-a :target access point (BSSID)
wlan0mon :wireless interface in monitor mode
Deauthentication packets are being sent. They are
broadcasted to all connected clients. Clients are
being forcibly disconnected from the network.
61.
Deauthentication attack’s goal:• Disconnect users from the access point
• Force them to reconnect
• Capture authentication handshakes during
reconnection.
This attacks is commonly used in WPA/WPA2 attacks.
62.
Aireplay-ng and airodump-ng should be runsimultaneously on terminal tabs.
Wait for STATION to appear on airodump-ng results.
On this example, WPA2 cracking for MiFibra-5-D6G3
was not successfully accomplished. Let’s choose
another WPA2 wireless network.
63.
Choosing wifi-mobile and testing itfor handshakes.
64.
Deauthentication packets are being sent againand this time we get STATION list from wifimobile.
Now we can move to the next step.
65.
Run the command aircrack-ng. This commandis used to perform a dictionary attack on a
captured WPA/WPA2 handshake in order to
recover the network password.
• -w /root/rockyou-top100000.txt specifies
the wordlist used for password guessing
• -b F0:9F:C2:71:22:12 target access point
• wpa_capture-03.cap capture file containing
the handshake
66. KEY FOUND! [starwars1] means that aircrack- ng brute forced a password for wifi-mobile.
KEY FOUND! [starwars1] means that aircrackng brute forced a password for wifi-mobile.This was an example of how WPA2 could be
cracked.
67.
Now let’s test WEP ENC. For this example we have wifi-old with 3 channel.68.
69.
The output shows that a large number of packetshave been captured, specifically over 15,000
initialization vectors (IVs). In WEP cracking, IVs are
critical because the attack relies on collecting
enough of them to statistically recover the
encryption key.
The tool then begins testing possible key values
based on the captured data. It displays progress
information such as the number of keys tested and
the number of IVs collected so far. At this stage,
approximately 19,182 IVs out of a target of 20,000
have been gathered.
Despite this progress, the attack is not yet successful. Why?
70.
The fail message indicates that there is stillinsufficient data to recover the key. In WEP attacks,
success depends heavily on the number of
captured IVs, and more packets are required to
improve the probability of finding the correct key.
What should we do?
1) Don’t stop airodump, it should keep running
2) Rerun aireplay-ng and wait until it hits ~20k-30k
3) Launch again aircrack-ng
Despite this progress, the attack is not yet successful. Why?
71.
This figure indicates successful WEPcracking process using the aircrack-ng
tool.
The tool begins by reading the capture
file and identifies one available target
network:
BSSID: F0:9F:C2:71:22:11
ESSID: wifi-old
Encryption: WEP
The output indicates that a large
number of packets have been captured,
specifically over 60,000 initialization
vectors (IVs). This is significantly higher
than in the previous attempt and is
sufficient for successfully recovering the
WEP key. The tool then performs
statistical analysis on the captured IVs
and begins testing possible key values.
After processing the data, it successfully
recovers the encryption key, as shown
by the message: KEY FOUND
This value represents the WEP key for the network wifi-old.
Unlike WPA/WPA2, WEP keys are often displayed in
hexadecimal format rather than as human-readable
passwords.
72. P R A C T I C E T I M E
P R AC TI C E TI M ETest by your own OPN, WEP and WPA2 wireless networks.
For example: wifi-corp, wifi-global, wifi-regional, wifi-guest, wifi-event.
internet