
Exploring Wireless Network Security

The document describes the execution of a de-authentication attack and WPA hash cracking against a wireless access point using an Alfa AWUS 036H antenna. It outlines the methodology for performing the de-authentication attack, including steps to capture the four-way handshake and crack the WPA/WPA2 password using tools like Aircrack-ng. The successful execution of these attacks is demonstrated with a test Wi-Fi network named 'Google's Pixel 7a' and a password of '11111111.'

Uploaded by

iam.rms7779

In this part, a de-authentication attack and a WPA hash-cracking attack are carried out against the wireless access point. Here, we use an Alfa AWUS036H high-gain antenna on our wireless card.

Figure 1 Alfa AWUS036H

Deauthentication Attack
The act of forcing a device to disconnect from a network is known as a de-authentication attack. This kind
of Denial-of-Service (DoS) attack prevents the router and the device from communicating with one another.
Here, the attack is carried out with a streamlined methodology rather than more intricate techniques. The
attack exploits the de-authentication frame used in the four-way handshake procedure. In technical
terms, this is known as:
“A sanctioned technique to inform a rogue station that it has been disconnected from the network”
(Autumn, 2018).
In essence, the router sends a de-authentication frame to the device, notifying it of the disconnection.

Figure 2 De-authentication attack

In a de-authentication attack, the attacker impersonates a legitimate device and tells the router, "I am
disconnecting." To carry out this attack, the attacker first obtains the device's BSSID, then impersonates
the device and sends the router a de-authentication frame. This guarantees that the device is
disconnected from the network. The main factor making this attack feasible is the absence of encryption
beneath Layer 3 of the OSI model: frames at the lower layers are not encrypted, while data above Layer 3 is,
so attackers can sniff and take advantage of the lower-layer frames much more easily.
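The defensive counterpart to the attack described above is to notice it on the air: because de-authentication is a plain, unencrypted 802.11 management frame (type 0, subtype 12), a monitor-mode sensor can parse the frame header and count how many de-authentication frames hit one BSSID in a short window. The following Python is an added example and not part of the original report or of Aircrack-ng; the frames it processes are constructed in-memory test data (the AP and client MAC addresses are the ones that appear later in this report, the timestamps and the ten-frames-per-second threshold are assumptions), so it runs offline without a wireless card.

```python
# Added example (not from the original report): parse raw 802.11 management
# frames and flag de-authentication floods against a BSSID.
import struct
from collections import defaultdict

FC_DEAUTH = 0x00C0   # frame control: version 0, type 0 (management), subtype 12 (deauth)
FC_BEACON = 0x0080   # type 0, subtype 8 (beacon), used here as a non-deauth control sample
MAC_HDR_LEN = 24     # FC(2) + duration(2) + addr1(6) + addr2(6) + addr3(6) + seq(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def mac_raw(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_frame(frame: bytes):
    """Return header fields for a deauthentication frame, or None for any other frame."""
    if len(frame) < MAC_HDR_LEN + 2:        # header plus the 2-byte reason code
        return None
    fc, _duration, a1, a2, a3, seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    fc_type = (fc >> 2) & 0x3
    fc_subtype = (fc >> 4) & 0xF
    if fc_type != 0 or fc_subtype != 12:
        return None
    (reason,) = struct.unpack_from("<H", frame, MAC_HDR_LEN)
    return {"dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
            "seq": seq >> 4, "reason": reason}


def make_test_frame(fc: int, dst: str, src: str, bssid: str, seq: int, body: bytes) -> bytes:
    """Build a constructed management frame for the test data below."""
    hdr = struct.pack("<HH6s6s6sH", fc, 0x013A, mac_raw(dst), mac_raw(src), mac_raw(bssid), seq << 4)
    return hdr + body


def detect_deauth_flood(frames, threshold: int = 10, window_ms: int = 1000):
    """frames: iterable of (timestamp_ms, raw_bytes). One alert per BSSID whose
    deauth count inside a sliding window reaches the threshold."""
    history = defaultdict(list)
    alerts, alerted = [], set()
    for ts, raw in frames:
        info = parse_frame(raw)
        if info is None:
            continue                          # not a deauthentication frame
        hist = history[info["bssid"]]
        hist.append(ts)
        while hist and ts - hist[0] > window_ms:
            hist.pop(0)                       # drop timestamps outside the window
        if len(hist) >= threshold and info["bssid"] not in alerted:
            alerted.add(info["bssid"])
            alerts.append({"bssid": info["bssid"], "count": len(hist), "at_ms": ts})
    return alerts


# Constructed sample traffic (assumption: values chosen for illustration).
AP = "9E:F3:8D:3B:BA:B4"
CLIENT = "FC:02:96:BE:86:64"
OTHER_AP = "C6:91:9D:95:10:F8"
BROADCAST = "FF:FF:FF:FF:FF:FF"
REASON_CLASS3 = 7    # "class 3 frame received from nonassociated STA"

SAMPLE_FRAMES = [
    (100, make_test_frame(FC_BEACON, BROADCAST, AP, AP, 1, bytes(12))),           # benign beacon
    (500, make_test_frame(FC_DEAUTH, CLIENT, OTHER_AP, OTHER_AP, 2, struct.pack("<H", 3))),  # single, normal deauth
] + [
    # 50 broadcast deauth frames spoofed as the AP, 10 ms apart: a flood
    (1000 + 10 * i, make_test_frame(FC_DEAUTH, BROADCAST, AP, AP, 100 + i, struct.pack("<H", REASON_CLASS3)))
    for i in range(50)
]


def run_sample():
    return detect_deauth_flood(SAMPLE_FRAMES)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"deauth flood: bssid={alert['bssid']} count={alert['count']} at t={alert['at_ms']} ms")
```

The threshold and window are tuning knobs: a real AP does send occasional de-authentication frames (the single frame from the second BSSID in the sample is left alone), so the rule fires on rate, not presence. A sensor built this way is only a detector; the mitigation the report's attack assumes is absent is 802.11w Protected Management Frames, which authenticates de-authentication frames so spoofed ones are discarded by the client.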

Advanced Exploits
• WPA/WPA2 Cracking: After the four-way handshake is interrupted, the user attempts to reconnect
to the network. At this point, the attacker captures the handshake frame and cracks it using tools such as
Hashcat or Aircrack-ng.
• Man-in-the-Middle (MITM) Attack: Hackers establish a rogue access point to intercept and obtain
sensitive information from the target.
• Service Interruption: A de-authentication attack is a specific type of Denial-of-Service (DoS) attack that
disrupts the connection between a device and the network.

For this attack, I created a test Wi-Fi network named "Google's Pixel 7a" and set the password for this
network as "11111111".
Hardware: Wireless Network Adapter (AWUS036NHA).
Software: Aircrack-ng

Figure 3 Wi-Fi Name

Figure 4 Wi-Fi password

Step 1: Open Terminal in Kali Linux
• Open a terminal and list all the network adapters connected to the PC.

Figure 5 iwconfig

Step 2: Wireless Adapter in Monitor Mode


• Next, we need to put the network adapter in monitor mode using the command "airmon-ng start
wlan0", where wlan0 is the adapter's name. I prefixed the command with sudo to run it as the root user.

Figure 6 sudo airmon-ng start wlan0

Step 3: List all the available APs with the command “airodump-ng”.
• In the next step, we are going to use "airodump-ng wlan0mon", where wlan0mon is the adapter's
name after it has been put in monitor mode. Find the available APs and select the target for the
DoS attack.

Figure 7 airodump-ng wlan0mon

Step 4: Find the MAC address of the victim.


• Next, we need to find the MAC address of the victim using the command "sudo airodump-ng --
band a wlan0mon". Here we need to find the MAC address of the device Google('s) Pixel 7a. The
BSSID of the victim is E2:B7:BD:EC:62:06.

Figure sudo airodump-ng --bssid E2:B7:BD:EC:62:06

Step 5: Broadcast de-authentication to users on the specific AP.

Figure 8 aireplay-ng --deauth 1000 -a BSSID -h MAC wlanmon0


• 9E:F3:8D:3B:BA:B4 - BSSID of the AP
• FC:02:96:BE:86:64 – MAC address of the computer.
• 0 is the number of (unlimited) deauthentication frames sent to the AP.

Step 6: Try to connect to the Wi-Fi.


• When I try to connect to the network, it fails. So, the deauthentication attack is successful.

Figure 9 Can't connect.

Capturing and Cracking WPA/WPA2 Wi-Fi passwords
Using wireless access points as entry points to a network or system is another method attackers may employ.
A thorough understanding of WPA/WPA2 protocols can help enhance the network security of an
organization. This section will explain how attackers capture wireless hashes and crack them into plaintext
to obtain network passwords.

Step 1: Wireless NIC in monitor mode.


• Using the command “iwconfig” we can confirm that the wireless adapter is in monitor mode.

Figure 10 iwconfig
Step 2: Capture the four-way handshake into a file named “handshake”:
• Using the command “sudo airodump-ng -c 11 --bssid C6:91:9D:95:10:F8 -w handshake wlan0mon”
• 11 – channel number
• C6:91:9D:95:10:F8 – BSSID of the target.

Figure 11 store the handshake in the file name "handshake"

Figure 12 Captured handshakes

Step 3: Create a wordlist using “Crunch”
• For ease, I created a wordlist using the digits 0 to 3, with lengths from 6 to 8 characters.

Figure 13 Crunch wordlist


Step 4: Cracking hashes
• Using the created wordlist, saved as the file "wordlist.txt", and the already captured handshake frames,
saved as the file "testcapture-01.cap", let's crack the password.

Figure 14 Cracking handshake

Figure 15 Key Found

Finally, the password was found: "11111111".
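Steps 3 and 4 succeed quickly for a reason that is worth quantifying from the defender's side. A WPA/WPA2 passphrase is turned into the Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 iterations, 32-byte output, SSID as salt), so each candidate costs a fixed amount of work, and the only thing protecting the network is how many candidates an attacker must try. The Crunch wordlist in Step 3 (digits 0 to 3, lengths 6 to 8) contains only 4^6 + 4^7 + 4^8 = 86,016 entries, and "11111111" is one of them. The following Python is an added example, not code from the report or from Aircrack-ng/Crunch: it derives the PMK with the standard algorithm, sizes the report's wordlist, measures the per-candidate cost on the local CPU, and estimates how long that wordlist would take to exhaust. The character-class model in `passphrase_keyspace` and the timing sample size are assumptions made for illustration.

```python
# Added example (not from the original report): quantify WPA2 passphrase
# strength in terms of keyspace and PBKDF2 work factor.
import hashlib
import string
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as defined for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1,
    4096 iterations, SSID as salt, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wordlist_size(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates Crunch generates for a charset over a length range."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def in_wordlist(passphrase: str, charset: str, min_len: int, max_len: int) -> bool:
    """True if the passphrase would appear in that Crunch wordlist."""
    return min_len <= len(passphrase) <= max_len and set(passphrase) <= set(charset)


# Assumption: a passphrase's effective keyspace is (sum of the sizes of the
# character classes it uses) ** length; a digits-only passphrase gets 10 ** len.
_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def passphrase_keyspace(passphrase: str) -> int:
    alphabet = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in passphrase))
    return alphabet ** len(passphrase)


def measure_pmk_rate(ssid: str, samples: int = 20) -> float:
    """Derivations per second on this machine (single core, pure hashlib)."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"{i:08d}", ssid)
    return samples / (time.perf_counter() - t0)


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    return candidates / rate


if __name__ == "__main__":
    ssid, passphrase = "Google's Pixel 7a", "11111111"     # the report's test network
    charset, lo, hi = "0123", 6, 8                         # the report's Crunch wordlist
    print("PMK:", wpa2_pmk(passphrase, ssid).hex())
    size = wordlist_size(charset, lo, hi)
    print(f"wordlist candidates: {size}, contains passphrase: {in_wordlist(passphrase, charset, lo, hi)}")
    rate = measure_pmk_rate(ssid)
    print(f"~{rate:.0f} PMK/s on one CPU core -> wordlist exhausted in ~{seconds_to_exhaust(size, rate):.0f} s")
    print(f"keyspace if the attacker only knows 'eight digits': {passphrase_keyspace(passphrase):,}")
```

Even the full eight-digit space (10^8) is small against the rates GPU crackers achieve; the practical takeaways for the network owner are a long passphrase drawn from several character classes (or WPA3-SAE, where an offline attack on a captured exchange is no longer possible), and 802.11w so that the de-authentication step that provokes the handshake recapture is itself rejected.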
