From 379cdf65dd3952ad92f3173914da616723a877ae Mon Sep 17 00:00:00 2001 From: ctmbl Date: Sun, 14 Jul 2024 14:03:27 +0200 Subject: [PATCH] Minor typos and style modifications --- .../posts/wifi-deauth-attack.md/index.md | 81 +++++++++++++------ 1 file changed, 56 insertions(+), 25 deletions(-) diff --git a/src/content/posts/wifi-deauth-attack.md/index.md b/src/content/posts/wifi-deauth-attack.md/index.md index bca8f3f..42603f4 100644 --- a/src/content/posts/wifi-deauth-attack.md/index.md +++ b/src/content/posts/wifi-deauth-attack.md/index.md @@ -1,66 +1,91 @@ -# Wifi Deauth Attack +--- +title: "Wifi Deauth Attack" +summary: "TODO" +date: 2024-06-03T20:00:00+0200 +lastUpdate: 2024-07-14T13:45:06+0200 +tags: ["hacking", "wifi", "network", "bruteforce"] +author: ClementS +draft: false +--- ## Abstract -**Initial State:** A Client is connected to a ***password securised Wifi*** +**Initial State:** A client is connected to a ***password securised Wifi*** The goal is to get the wifi password. To acheive this we must: 1) Detect WiFi 2) Detect connected computer to this WiFi 3) Send a huge quantity of package to this computer to make it disconnect from the WiFi -4) Get Password Hash when it tries to reconnect to WiFi -5) BrutForce it :) +4) Get the password hash when it tries to reconnect to WiFi +5) bruteforce it :) ## Network Package Structure + ![Network Package](ip_header.jpg) On each network package there are source & destination address. -By default, WiFi Card filters only package that have its Ip as destination address. That's a security layer often added in driver, so that's hard to bypass. +By default, WiFi Card only filters package that have its IP as destination address. That's a security layer often added in driver, so that is it hard to bypass. + +So how to bypass it ? -So how to bypass ? ->Buy a new WiFi Card with Monitor Mode capability that you can plug to your computer by USB. (Monitor Mode is the ability to get and read not destinated package). +Buy a new WiFi Card with Monitor Mode capability that you can plug to your computer by USB (Monitor Mode is the ability to get and read not destinated package). I bought & used AWUS1900. WiFi card will be considered as fully configured & driver installed for the following of this tutorial. -Use this GitHub to install driver for AWUS1900: https://github.com/morrownr/8814au/blob/main/README.md +Use this GitHub to install driver for AWUS1900: +https://github.com/morrownr/8814au/blob/main/README.md You will also have to install aircrack-ng on your linux. + ## Step 1: Enable Monitor Mode By default, your card is in Managed Mode (filter by destination address mode). You have to tell him to get and read every package. First get your card interface name: ->iwconfig +``` +iwconfig +``` + ![iwconfig](iwconfig.png) + **Interface name is often wlan0 or wlan1** Then turn Monitor Mode on. ->sudo airmon-ng interface_name +``` +sudo airmon-ng interface_name +``` + ![airmon-ngstart](airmon-ngstart.png) -***Interface name can change to < interface_name >mon. You Check it with iwconfig*** + +> Note: Interface name can change to `mon`. You can check it with `iwconfig` + ## Step 2: Detect WiFi ->sudo airodump-ng interface_name +``` +sudo airodump-ng interface_name +``` ![airodump](airodump.png) -This will detect WiFi Network. Each Network is associated with a station address (the rooter). -Note the BSSID (MAC address of an access point) of the Netwok you want. +This will detect WiFi networks. Each network is associated with a station address (the rooter). + +Note the BSSID (MAC address of an access point) of the netwok you want. Note also the channel used. ## Step 3: Detect Computer Connected Then, We just add a filter to filter by source or destination equal access point MAC address - ->sudo airodump-ng -c channel --bssid mac_bssid +``` +sudo airodump-ng -c channel --bssid mac_bssid +``` ![airodumpfiltered](airodumpfiltered.png) Here we can see connected computer(s) -Choose the one you want to hack and note the station mac address. +Choose the one you want to hack and note the station MAC address. ## Step 4: Listen Network while Deauth Attack To Victim @@ -68,13 +93,17 @@ We will perform a deauth attack to the victim's station. The goal is to make the We will do that with 2 commands: - listen and write in a file all authentification package catch threw this network. -> sudo airodump-ng -c channel --bssid mac_bssid -w outfilename interface_name +``` +sudo airodump-ng -c channel --bssid mac_bssid -w outfilename interface_name +``` ![airodumpfiltered2](airodumpfiltered2.png) - attack victim to make it deauth. ***We want to deauth victim while listening and writing network auth package when victim try to reconnect to his network => open a new terminal to perform attack*** -> sudo aireplay-ng -0 1 -a mac_bssid -c station_mac_address interface_name +``` +sudo aireplay-ng -0 1 -a mac_bssid -c station_mac_address interface_name +``` ![airplay](airplay.png) @@ -90,19 +119,21 @@ Then, if it works stop the listening we have what we want by Ctrl+C over listeni ## Step 6: Retreiving WiFi password -A new file was created, you can check it easlily with ->ls +A new file was created, you can check it easlily with the `ls` command. -### Time to Brutforce +### Time to bruteforce We will perform here a dictionnary attack. Choose your dictionnary, **rockyou.txt** by default. ->sudo aircrack-ng -w rockyou.txt outfile.cap +``` +sudo aircrack-ng -w rockyou.txt outfile.cap +``` + ![aircrack-ng](aircrack-ng.png) ## Conclusion -The harder thing to do is to force victim to reconnect. Sometime, victim OS does not reconnect automatically. +The harder thing to do is to force victim to reconnect. Sometimes, victim OS does not reconnect automatically. -Use strong passwords to protect your WiFi or use WPA3 protocol (hash function harder to calculate => lower hash rate). It makes the bruteforce method less efficient. +Use strong passwords to protect your WiFi and WPA3 protocol (hash function harder to calculate => lower hash rate). It makes the bruteforce method less efficient.