How to hack wireless networks

eoinzy
Site Admin
Posts: 2289
Joined: Sun Nov 30, 2008 11:19 pm

How to hack wireless networks

Post by eoinzy »

Introduction
This is a quick guide for hacking your wireless networks. I will explain how to use it with a USB stick, a bootable CD and also VMware. I'll assume you're using Windows.
As I think of more stuff, I'll add it in.

What you need
A compatible wireless card

BackTrack
A USB stick
Daemon Tools Lite
or
VMware player
BackTrack3.vmx (right-click)
or
a blank CD/DVD

The USB key method
Preparing the USB stick - this is the hardest part
Download BackTrack3 USB version
Download Grub installer

Extract the Grub zip file to a folder. You may need WinRAR if you don't already have it.
Insert USB key.
As an Administrator, load up grubinst_gui.exe (this tool will make your USB stick bootable and compatible with BackTrack3) and select the Disk option, then click the Refresh button beside it and select your USB stick from the dropdown menu.

Next you need to go down to Part List and select the partition on your USB stick you want to use. Most USB sticks will have 1 partition so just select Whole Partition. Click Install and let it finish.
Your USB stick should now be bootable.

Now, all you have to do is copy the files over and set up your menu.lst file.
So, mount the BackTrack ISO image with Daemon Tools. Basically, when you run Daemon Tools, you will see an icon down the bottom right of your screen. Right click and click Virtual CD/DVD-ROM and select Set Number of Devices to 1. Give it a second and right click the Daemon Tools icon again. Go back into Virtual CD/DVD-ROM, select the new virtual device and select Mount image. Browse to where you downloaded your bt3final_usb.iso file and select it.

Now go to My Computer and you will see a new device called SLAX. Copy the contents of this device to your USB key.
Now, RENAME the boot folder to bootbt3.

All that's left now is to edit your menu.lst. You can get a sample menu.lst file from here: Boot files. This rar file contains a sample menu.lst that should work fine, as well as a couple of other files you may need. Simply extract them directly into your USB key, making sure they are not in any folder. They should be directly on your USB stick.

And you're done setting up the USB stick. You can now load up BackTrack and start cracking. See below for continued instructions.

PS: I like this method because it allows you to add another operating system simply by creating a new folder, copying the files into it, and modifying the menu.lst to point to that directory.


VMware method
Download and install VMware Player.
You will also need a .vmx file. You can download one for BackTrack3 here: BackTrack3.vmx (right-click).
You can modify this file by changing the iso file name on line 39 to whatever operating system iso you have.

Ideally you should have the BackTrack ISO in the same folder as this vmx file. Double click the vmx file and this will load it up into VMware. You may be asked to log in. The username is root, and the password is toor.

You are now up and running. See below for further instructions.

CD/DVD method
Simply download any version of BackTrack, burn to disc, and turn your computer on with the disc in the DVD drive, and follow below instructions for cracking.

Cracking WEP
This is the easier of the 2. WEP is a lot easier to crack than WPA.

So, load up BackTrack. Open up a command line by clicking the black box icon on the bottom left.

type iwconfig
This will list your wireless cards. On the left you will see the name assigned to your wireless card. On my laptop, I've seen it being called wlan0, eth1, and wifi0. Take note of what yours is. From now on, I'll assume it's called wlan0.

In the command line, type
airmon-ng stop wlan0 (this is needed if you want to change your mac address)

Optional step - change your MAC address temporarily
macchanger --mac 00:11:22:33:44:55 wlan0

then type
airmon-ng start wlan0 (this will enable monitor mode)


Now type
airodump-ng wlan0 (this will scan for any wireless networks in the area)

Take note of any WEP wireless networks. You will need the bssid and the channel.
The bssid is the part that looks like "00:11:22:33:44:55".
The channel is the number under the "c" column.

Press CTRL+C to stop the scanning. Highlight the bssid, right click and select copy.


Now, click the "start menu", i.e. the little circle down the very bottom left. Now select Backtrack up the top of the menu. Select Radio and Network analysis, then 80211, then all, and finally click on SpoonWep.

Paste the bssid into the top of SpoonWep, select your interface in the dropdown menu, i.e. wlan0, then select the channel the wireless network is on.

Click Launch, and then wait. If all goes according to plan, it should crack the WEP password within a few minutes.


Cracking WPA
This is a lot harder. It requires a lot of luck and you're never guaranteed to crack the password.

This method uses dictionary files. These are basically just huge files containing words/possible passwords.

In order to do this, you need to intercept a packet called the "handshake". This is basically what happens when someone connects to their wireless. Obviously they'll know their own password and have it saved in their laptop, so when the laptop connects, it automatically logs in. This is all done in the background and a standard user wouldn't even notice it happening. Basically the laptop sends a message to the wireless router saying "Hey, I want to get online". The router then says "Well, gimme the password". So, the laptop then says "OK, here's the password. It's abcxyz123". Then the router finally says "OK, password correct. Welcome aboard!".

This happens over a split. If you're lucky enough to be "listening" when this happens, you will capture the authentication "handshake". The reason it is so important is coz it contains the password, but it is encrypted so you can't just open it in notepad and see the password. What you need to do is step through all the words in your dictionary file, encrypt them and match the result with the encrypted password from the "handshake" file.

Luckily, all the hard stuff is done for you. All you need to do is capture the packet, download a dictionary file, and hope for the best.

Here's how it's done.

So, load up BackTrack. Open up a command line by clicking the black box icon on the bottom left.

type iwconfig
This will list your wireless cards. On the left you will see the name assigned to your wireless card. On my laptop, I've seen it being called wlan0, eth1, and wifi0. Take note of what yours is. From now on, I'll assume it's called wlan0.

In the command line, type
airmon-ng stop wlan0 (this is needed if you want to change your mac address)

Optional step - change your MAC address temporarily
macchanger --mac 00:11:22:33:44:55 wlan0

then type
airmon-ng start wlan0 (this will enable monitor mode)


Now type
airodump-ng wlan0 (this will scan for any wireless networks in the area)

Now, you need to pick your wireless router and take note of its bssid. Sometimes, at the bottom of the screen, you can see if any computers are connected to the wifi router by matching the bssid with the station bssid (station = computer).

So, pick your wireless router, take note of the bssid, and the channel it is on. Press CTRL+C to stop scanning. This will also allow you to copy and paste the bssid.

Type the command:
airodump-ng -w FILE -c 6 --bssid 11:22:33:44:55:66 wlan0

airodump-ng is the name of the program you use from the command line.
the "-w FILE" part means "save all the collected data to a file called FILE". You can call the file whatever you want.
The "-c 6" means "scan on channel 6". Modify this for your own wireless router.
The "--bssid 11:22:33:44:55:66" part is the bssid
and "wlan0" is the name of your wireless card.

Now, this command will monitor a single wireless access point. If no computer is connected, you're pretty much outta luck. However, if someone is connected, and you can see a MAC address under the "station" part below, you can use the following command to force a re-authentication.

aireplay-ng -0 1 -a 11:22:33:44:55:66 -c 99:88:77:66:55:44 wlan0
OK, so aireplay-ng is the command you use for this.
-0 1 means that you are using the "-0" function, which is to force a reauthentication. The number after it denotes the amount of these requests you are going to send. 1 is enough, but if not, try 5 or 10.
-a is the bssid of the wireless router
-c is the "station"
wlan0 is the name of your wireless card.

If nothing happens, you may just need to be more patient.

If all goes according to plan, you should see a notice up the top right of your command window. This means you have captured the encrypted password. Next step, using the dictionary file.

At this point, you should have the captured password file, or the "handshake". You should also look into getting a good dictionary file. You will need one if you want to crack this password.

Incidentally, to verify you successfully captured a packet, type:
aircrack-ng FILE.cap, where "FILE" is the name of the file you specified above with airodump-ng (with no wordlist given, aircrack-ng only lists what the capture contains).
This command will tell you if the file contains a handshake or not.

So, to crack the password, type the following:
aircrack-ng -w DIC_FILE FILE.cap

This can literally take you 3 days if you have a huge dictionary file and a not-so-fast computer.
Anyway, all that is required here is patience. If your dictionary file contains the password for the wireless network, it will definitely crack it. However, if your dictionary file does NOT contain the password for the wireless network, it will definitely NOT crack it.
YOU NEED TO BE LUCKY ENOUGH TO HAVE THE WIRELESS PASSWORD IN THE DICTIONARY FILE.
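The post explains that a dictionary attack works by encrypting each candidate word and comparing the result with what was captured in the handshake, and that it only succeeds when the passphrase is in the wordlist. The following added example (my own code, not part of the original post or of aircrack-ng) shows the key-derivation step behind that statement: WPA/WPA2-Personal turns the passphrase into the PSK with PBKDF2-HMAC-SHA1, salted with the SSID, over 4096 iterations. It also shows why a per-guess PBKDF2 cost times a wordlist size gives the multi-day runtimes mentioned above, and why a passphrase that is not in the list is never found. The wordlist, SSID names other than the IEEE test vector, and the benchmark values are constructed for the demonstration.

```python
import hashlib
import time

# Added example, not the original post's code. WPA/WPA2-Personal derives the
# 256-bit PSK from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID,
# 4096 iterations (IEEE 802.11i). A captured handshake lets each guess be
# checked offline, so every wordlist entry costs one of these derivations.


def derive_psk(ssid: str, passphrase: str) -> bytes:
    """Return the 32-byte PSK for this SSID/passphrase pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_hex(ssid: str, passphrase: str) -> str:
    return derive_psk(ssid, passphrase).hex()


def wordlist_position(wordlist, passphrase):
    """1-based index at which a wordlist attack would reach this passphrase,
    or None: if it is absent, every entry is tried and the attack still fails.
    Knowing your own passphrase, this membership test is how you audit it."""
    for index, candidate in enumerate(wordlist, start=1):
        if candidate == passphrase:
            return index
    return None


def seconds_for_wordlist(num_candidates: int, sample: int = 20) -> float:
    """Time a few derivations on this machine and extrapolate to a wordlist."""
    start = time.perf_counter()
    for i in range(sample):
        derive_psk("bench-ssid", f"benchmark-{i:04d}")  # constructed inputs
    per_guess = (time.perf_counter() - start) / sample
    return num_candidates * per_guess


# Constructed wordlist for the demonstration (not a real dictionary file).
SMALL_WORDLIST = ["password", "12345678", "letmein1", "sunshine", "qwertyui"]

if __name__ == "__main__":
    # Known 802.11i test vector: SSID "IEEE", passphrase "password".
    print("PSK for IEEE/password:", psk_hex("IEEE", "password"))
    # The SSID is the salt, so the same passphrase gives a different PSK
    # elsewhere; precomputed tables only help for one SSID.
    print("same passphrase, SSID HomeNet:", psk_hex("HomeNet", "password"))
    print("guesses until 'sunshine':", wordlist_position(SMALL_WORDLIST, "sunshine"))
    print("guesses until random passphrase:",
          wordlist_position(SMALL_WORDLIST, "Xk7#vq2Lm9pR"))
    print("estimated seconds for 10 million guesses on this machine: %.0f"
          % seconds_for_wordlist(10_000_000))
```

The defensive takeaway matches the post's own conclusion: the attack cost is fixed per guess, so the only variable the network owner controls is whether the passphrase appears in any list an attacker is likely to use. A long random passphrase, or WPA3-SAE where the handshake cannot be replayed offline, takes the wordlist out of the picture.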
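The re-authentication step described in the post (a burst of deauthentication frames sent to a client, followed immediately by the client's fresh handshake) is also what a wireless intrusion detection system looks for. The following added example (my own code, not from the original post) runs a sliding-window detector over a constructed frame summary laid out like a tshark field export: epoch time, frame kind, BSSID, source address. The sample data, the window and threshold values, and the column layout are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque

# Added example, not the original post's code. Constructed frame summary:
# epoch time, frame kind, BSSID, source address (layout assumed here).
SAMPLE_FRAMES = """\
1700000000.000 beacon 11:22:33:44:55:66 11:22:33:44:55:66
1700000000.102 beacon 11:22:33:44:55:66 11:22:33:44:55:66
1700000001.000 data   11:22:33:44:55:66 99:88:77:66:55:44
1700000002.010 deauth 11:22:33:44:55:66 11:22:33:44:55:66
1700000002.012 deauth 11:22:33:44:55:66 11:22:33:44:55:66
1700000002.014 deauth 11:22:33:44:55:66 11:22:33:44:55:66
1700000002.016 deauth 11:22:33:44:55:66 11:22:33:44:55:66
1700000002.018 deauth 11:22:33:44:55:66 11:22:33:44:55:66
1700000002.020 deauth 11:22:33:44:55:66 11:22:33:44:55:66
1700000003.500 eapol  11:22:33:44:55:66 11:22:33:44:55:66
1700000090.000 deauth aa:bb:cc:dd:ee:ff aa:bb:cc:dd:ee:ff
"""


def parse_frames(text):
    """Parse the summary into (timestamp, kind, bssid, source) tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, bssid, src = line.split()
        frames.append((float(ts), kind, bssid.lower(), src.lower()))
    return frames


def detect_deauth_bursts(frames, window=5.0, threshold=5):
    """Alert once per burst when a BSSID emits `threshold` deauth frames
    within `window` seconds. Returns [(bssid, burst_start_ts, count)].
    A single deauth is normal housekeeping; a tight burst is not."""
    recent = defaultdict(deque)
    alerts = []
    for ts, kind, bssid, _src in sorted(frames):
        if kind != "deauth":
            continue
        queue = recent[bssid]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()
        if len(queue) == threshold:  # fire exactly when the threshold is crossed
            alerts.append((bssid, queue[0], len(queue)))
    return alerts


def bursts_followed_by_handshake(frames, alerts, grace=10.0):
    """Return the BSSIDs whose deauth burst was followed by an EAPOL exchange
    within `grace` seconds: the forced re-authentication pattern."""
    hits = []
    for bssid, start, _count in alerts:
        for ts, kind, frame_bssid, _src in frames:
            if frame_bssid == bssid and kind == "eapol" and start < ts <= start + grace:
                hits.append(bssid)
                break
    return hits


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_FRAMES)
    alerts = detect_deauth_bursts(frames)
    for bssid, start, count in alerts:
        print(f"deauth burst from {bssid}: {count} frames starting at {start:.3f}")
    print("bursts followed by a handshake:", bursts_followed_by_handshake(frames, alerts))
```

Counting frames per BSSID is the simplest useful signal; a production detector would also compare the deauth frames' sequence numbers and signal strength against the real access point's, since a spoofed sender rarely matches both. The mitigation on the network side is 802.11w (Protected Management Frames), which lets clients discard unauthenticated deauthentication frames; it is mandatory in WPA3.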
eoinzy
Site Admin
Posts: 2289
Joined: Sun Nov 30, 2008 11:19 pm

Re: How to hack wireless networks

Post by eoinzy »

Some people have said they had trouble getting the first steps to work, i.e. preparing the USB stick.

If so, try this:
http://unetbootin.sourceforge.net/

It basically does a lot of the work for you.

Simply load it up, select ISO and the path to the BackTrack ISO, select Type = USB, pick a drive letter and click OK.
ripce
Posts: 2
Joined: Fri Jan 25, 2013 10:19 pm

Re: How to hack wireless networks

Post by ripce »

This method is good but could take you several hours to several days. I just have a simpler solution that will work 100% to crack your neighbor's wireless keys.

Step 1. Download SterJo Wireless Passwords from http://www.sterjosoft.com/wireless-passwords.html
Step 2. Copy the software to your USB drive because it doesn't require installation.
Step 3. Ask him to prepare a cup of coffee or tea and while he's preparing it just plug the USB into the PC and run the software. Save all passwords in a text file. The procedure takes no more than 10 seconds :D

No need to thank me :)
eoinzy
Site Admin
Posts: 2289
Joined: Sun Nov 30, 2008 11:19 pm

Re: How to hack wireless networks

Post by eoinzy »

Haha, yes, that is another way. But if they're nice enough to make you a cup of coffee or tea, maybe they'll be nice enough to give you their password if you ask!!

Also, does your software just read from the registry? Are there any problems accessing the registry if the user is not an administrator?
I think that software would be good in some places like Internet cafes that have a wireless password so that only their own PCs and laptops can connect.
ripce
Posts: 2
Joined: Fri Jan 25, 2013 10:19 pm

Re: How to hack wireless networks

Post by ripce »

The software automatically tries to run with administrator privileges but I don't know if a guest user could view the saved passwords.
I've never tried this but I doubt it.
Subbotacroca
Posts: 42
Joined: Mon Jun 12, 2017 1:53 am

How to hack wireless networks

Post by Subbotacroca »

Afternoon eValid.

I just found out my favorite testing tool... well, OK, it's WebDriver... doesn't support frames.

How does eValid support frames?

Thanks in advance.