Thursday, 26 June 2014

Hack A WEP Encrypted WiFi In 10 Simple Steps.

Before anything else, HACKING IS ILLEGAL! Be it a WiFi network, a website or a Facebook account.
You can go to jail for it.

All the information divulged is meant for educational purposes only. Be stupid, it'll be on your head.

Let's first understand how wireless networks work. In the case of a wired connection, it is the job of the router to send the relevant information to each computer.

Suppose 5 computers are connected through a wired connection.
Computer 1 wants to access Facebook, Computer 2 wants Google.
The router sends the data packets that are relevant to Facebook to Computer 1 and those for Google to Computer 2.




But in the case of a wireless connection this isn't possible. In extremely simple terms, any information requested by a number of computers from a wireless router is simply broadcast into the air and picked up by whichever computer needs it.

Now, in the same 5-computer example, Computer 1 will receive data packets from Facebook as well as Google, but since it needs only Facebook, it discards the packets coming from Google.
Similarly, Computer 2 keeps Google's packets and discards Facebook's.

In WEP (Wired Equivalent Privacy), each data packet carries a part of the WiFi access point's password (a sub-passkey). What is our job?
We pull the different sub-passkeys out of a sufficient number of data packets, apply permutations and combinations, and find the right password.

We need access to the access point's data packets to get the sub-passkeys.
By default, when it is connected to a network and receiving packets, the computer keeps only those packets that are relevant to its own requests.

There are basically seven modes in which your computer can be wirelessly connected to a network. We need one that lets us keep as many packets as possible.

The default mode will definitely not allow this as it dumps packets the computer hasn't asked for.

However, in promiscuous mode, the computer may keep all packets sent to it, including information other computers asked for. The drawback is that we still need to be connected to the network in this mode to receive all of its packets. We are trying to hack this network; we aren't connected to it yet!

The solution is monitor mode. This mode enables us to receive all packets from all wireless access points within range while being connected to just a single one of them. When we activate monitor mode, our computer begins to receive data packets from all access points.

Let's get to hacking the network.

Now, you can't do this simply with Windows.

You need Backtrack or an equivalent Linux system that can run the software needed.

Simply mounting the ISO file of a Linux system in a virtual machine may not do, as the virtual machine may not be able to get access to your WLAN card (hardware).

So I use a bootable Backtrack 5 R3 USB drive for all such work.
(Refer to my article on how to make a bootable USB drive if you don't already know how to.)

Here are the steps with screenshots:

1. In your Linux system, open the terminal. In Backtrack you will find this in the bottom left corner of the screen. It is a little black rectangle, called Konsole here.

2. In the Konsole, write airmon-ng to see which interfaces are active. On my computer, wlan0 is active, which is the default wireless interface.

3. As mentioned earlier, we need monitor mode enabled, so we start monitor mode on our default interface, wlan0.
We do this by typing airmon-ng start wlan0

4. To check that monitor mode has been enabled, we type airmon-ng once more. Here we see a new interface, mon0. This is our monitor interface.


5. We will now take advantage of monitor mode to receive and analyse data from all access points within range. To do this we type airodump-ng mon0. This will give us a lot of information about the networks: their names, their MAC addresses, etc.

I choose to hack the network with name: sweetps_EXT, MAC address: 04:A1:51:9D:3D:9A (I can see this is a WEP network).
Now remember I mentioned that you can change your "ever-unchangeable" MAC address too?
Yes, this is where you will need it. Your exploits in the wireless network can be traced back to you through your MAC address. Why not remain clear of suspicion? Spoof your MAC. How?
Write this, pressing Enter after each line:
               ifconfig mon0 down
               macchanger -m 00:11:22:33:44:55 mon0
               ifconfig mon0 up

You will notice that I haven't done this. I'm actually hacking another router in my own house. I'm not afraid of being caught! In a real-world scenario, always hide your identity! Never show your IP or your MAC anywhere.




6. Now it gets a little complex. The airodump-ng command we run at this point has several parameters:

-c [Number]: specifies the channel the network is on. You will see the channel when you run the simple airodump-ng command from step 5.

-w [String]: here you specify a filename in place of the string (I have specified WEP). This is the file that stores everything you capture and is ultimately cracked to tell you the password.

--bssid [Hexadecimal]: here you specify the MAC address of the router you are about to hack.

mon0: almost all commands end with mon0 from now on, since this is the interface you want to work with (monitor mode).

This is what you get next:



7. As I mentioned earlier, we need as many packets from the network as possible so we can apply permutations and combinations to find the complete passkey from the various sub-passkeys we get in each packet (a packet is also called an IV).
We could very easily capture data packets if this were a busy network with many computers connected to it, but what if it's not? Here's what you do (in a new Konsole window; let the airodump window keep running):



We send a command to the router faking authorisation. We use aireplay-ng to achieve this.

8. Our next step is to inject packets into the network using ARP requests.
Again, we use aireplay-ng to achieve this.


9. The longest step now is to wait until we have enough IVs (packets) to crack the password. In the above screenshot you can see about 60 IVs. After I made my network a bit busy, injected a few ARP requests and also waited for an hour, I had about 214791 packets. More than good enough to crack the password:
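From the defender's side, the ARP re-injection of step 8 has a recognisable signature on the air: the attacker's station re-sends one captured frame, so the same IV shows up from the same station hundreds of times within seconds, while a normal WEP client uses a fresh IV per frame. The detector below is an added example, not code from the original post; it assumes a monitor-mode sensor that logs (time in seconds, station MAC, IV hex) for each data frame on the watched BSSID, and the frame log it runs on is constructed.

```python
"""Spot WEP IV replay in a per-frame log, the pattern an ARP re-injection
(step 8) produces from the attacker's station.

Added detection example, not code from the original post. A WIDS sensor in
monitor mode is assumed to log (seconds, station MAC, IV hex) per data frame
on the monitored BSSID; the frames below are constructed, not captured.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # look-back window for counting identical frames
REPLAY_THRESHOLD = 50   # identical (station, IV) frames in-window => alert

def detect_iv_replay(frames, window=WINDOW_SECONDS, threshold=REPLAY_THRESHOLD):
    """Return {(station, iv): time_of_first_alert}.

    WEP gives every frame a 24-bit IV and a station normally picks a fresh
    one per frame. A re-injected capture is sent verbatim, so one station
    repeating one IV dozens of times within seconds is the replay signature;
    accidental IV reuse by a real client is rare and spread out in time.
    """
    recent = defaultdict(deque)   # (station, iv) -> timestamps inside the window
    alerts = {}
    for ts, station, iv in sorted(frames):
        key = (station.lower(), iv.lower())
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:   # drop frames older than the window
            seen.popleft()
        if len(seen) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

def constructed_frames():
    """Constructed log: one legitimate station plus one replaying station."""
    frames = []
    # Legitimate client: 300 frames over 60 s, each with a new IV.
    for i in range(300):
        frames.append((i / 5.0, "AA:BB:CC:00:00:10", f"{0x100000 + i:06x}"))
    # Replaying station: the same captured ARP frame (same IV) 200 times in 8 s.
    for i in range(200):
        frames.append((20.0 + i * 0.04, "DE:AD:BE:EF:00:01", "3f2a10"))
    return frames

if __name__ == "__main__":
    for (station, iv), ts in detect_iv_replay(constructed_frames()).items():
        print(f"t={ts:.2f}s replay alert: {station} re-sent IV {iv}")
```

The threshold and window are tuning knobs: the legitimate client never trips the detector, while the replaying station is flagged on its 50th identical frame.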


10. This is where you begin to rub your palms in an evil hacker way: the last step is to crack the file you made previously that stores all your IVs. Here's how you do it (in another new Konsole window; if you don't have enough IVs, you will have to start all over again. Let the ARP and airodump windows run and keep an eye on the #Data column):


Why have I written WEP-01.cap when I had simply specified WEP as my filename?
Well, .cap is the default extension for files that store IVs and can be cracked. The Linux system automatically renames my file to WEP-01. If I were to use airodump once again with the filename WEP, the Linux system would rename it to WEP-02.cap.

Finally the day of reckoning has arrived!!!
If you have enough packets/IVs this is what happiness will look like:


MISSION ACCOMPLISHED! Password cracked! Copy it and paste it where you need it. Use free internet as and when you please :D
And well, obviously I couldn't go into too much detail about how a wireless system really works and how all the commands I used work, so if you're interested in more, click here.

And well, wait for my article on how to hack WPA-encrypted networks ;D.

SECURITY TIP: Don't use WEP; it's outdated, and anyone close to your access point can hack it quite simply.
WPA, WPA2 and WPS are available, use them!
If your router is not WPA-enabled, get a newer one!
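A quick way to check your own environment for this, as an added example that is not part of the original post: alongside the WEP-01.cap file described above, airodump-ng also writes a WEP-01.csv whose Privacy column names each network's encryption. The script below reads that CSV and flags every access point still on WEP; the header layout is the one airodump-ng writes, while the network rows are constructed sample data, not a real capture.

```python
"""Audit an airodump-ng CSV export for access points still running WEP.

Added example, not code from the original post. airodump-ng writes a
<prefix>-NN.csv beside its <prefix>-NN.cap (WEP-01.cap in the post); the
header below is that file's AP section, the rows are constructed samples.
"""
import csv
import io

# Constructed sample: AP section, a blank line, then the station section.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2014-06-26 10:00:00, 2014-06-26 10:05:00,  6,  54, WEP , WEP, , -40, 120, 214791,   0.  0.  0.  0,  9, legacy-ap, 
AA:BB:CC:00:00:02, 2014-06-26 10:00:00, 2014-06-26 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  98,      0,   0.  0.  0.  0,  8, home-net, 
AA:BB:CC:00:00:03, 2014-06-26 10:00:00, 2014-06-26 10:05:00,  1,  54, OPN , , , -70,  30,      0,   0.  0.  0.  0,  0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2014-06-26 10:01:00, 2014-06-26 10:05:00, -50, 3000, AA:BB:CC:00:00:01,
"""

def parse_access_points(text):
    """Return the AP rows as dicts keyed by header name; station rows are skipped."""
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    header, aps = None, []
    for row in rows:
        if not any(cell.strip() for cell in row):
            if header is not None:       # the blank line closes the AP section
                break
            continue
        if header is None:
            header = [h.strip() for h in row]
            continue
        aps.append({h: v.strip() for h, v in zip(header, row)})
    return aps

def find_wep_networks(text):
    """List APs whose Privacy column is WEP; these are the ones the post shows being cracked."""
    findings = []
    for ap in parse_access_points(text):
        privacy = ap.get("Privacy", "")
        if "WEP" in privacy and "WPA" not in privacy:
            findings.append({
                "bssid": ap["BSSID"],
                "essid": ap.get("ESSID", ""),
                "channel": ap.get("channel", ""),
                # a high IV count means the AP is busy enough to be cracked quickly
                "ivs_seen": int(ap.get("# IV") or 0),
            })
    return findings
```

Running find_wep_networks over a real export from your own monitoring gives the list of routers that need the WPA/WPA2 change the tip above recommends.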

