Wireless Access Exploitation

Misc. Wireless Access Exploitation Tools

• Aircrack-ng Suite
  • Aircrack-ng
  • Aireplay-ng
  • Airodump-ng
• tshark [options] ... to dump and analyze network traffic.
• capinfos [options] <infile> ... to print information about capture files.
• captype [options] <infile> ... to print types of capture files.
• dumpcap [options] ... to dump network traffic.
• mmdbresolve -f db_file [-f db_file ...] to read IPv4 and IPv6 addresses and print their IP geolocation information.
• text2pcap [options] <infile> <outfile> to generate a capture file from an ASCII hexdump of packets.
• Wireshark
  • wireshark [options] ... [ <infile> ] to interactively dump and analyze network traffic.

Misc. Wireless Access Exploitation Resources

• CryptoKait article: Secret Information in Network Traffic Logs: NTA for NCL
• Packet Dissection: write your own dissector

Aircrack-ng Suite

Aircrack-ng

Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.

• Usage:

  aircrack-ng [options] <capture file(s)>
  

• Common options
  • -n to specify key length in WEP cracking.
• WEP and WPA-PSK cracking options
  • -w (param: words) : Path to a wordlist or “-“ without the quotes for stdin. Separate multiple wordlists by comma.
• To find the WEP network security key (password):

   aircrack-ng -a1 <capture file>
  

Aireplay-ng

Airplay-ng is part of the Aircrack-ng Suite; it is used to inject frames. Its primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys.

• Attacks Implemented:
  • Attack 0: Deauthentication (flag: -0)
  • Other attack types (1-9) listed on Airplay-ng documentation website.
• Usage:

  aireplay-ng <options> <replay interface>
  

• Filter Options:
  • -b bssid : MAC address, Access Point
  • -d dmac : MAC address, Destination
  • -s smac : MAC address, Source
  • additional options in documentation.
• Replay Options:
  • -x nbpps : number of packets per second
  • -p fctrl : set frame control word (hex)
  • -a bssid : set Access Point MAC address
  • -c dmac : set Destination MAC address
  • -h smac : set Source MAC address
  • additional options in documentation.

Aerodump-ng

Airodump-ng is used for packet capture, capturing raw 802.11 frames.

• Options in documentation.
• Filter options
  • --encrypt <suite> : Filter APs by cipher suite
  • --netmask <netmask> : Filter APs by mask
  • --bssid <bssid> : Filter APs by BSSID
  • --essid <essid> : Filter APs by ESSID
  • --essid-regex <regex> : Filter APs by ESSID using a regular expression
  • -a : Filter unassociated clients
  • additional filter options in documentation.

Wireshark

• This CryptoKait Article describes some of the basics.

Symmetric Encryption Summary

Below are several important symmetric algorithms and their basic characteristics. | Algorithm | Method | Key Size | |———–|———————-|————————–| | AES | 128-bit block cipher | 128, 192, or 256-bit key | | 3DES | 64-bit block cipher | 56, 112, or 168-bit key | | Blowfish | 64-bit block cipher | 32 to 448-bit key | | Twofish | 128-bit block cipher | 128, 192, or 256-bit key | | RC4 | Stream cipher | 40 to 2048-bit key | | DES | 64-bit block cipher | 56-bit key |