Ana içeriğe atla

HACKING WPA/WPA2 PASSWORD WITHOUT WORDLIST -- 2018


With tools such as Reaver becoming less and less viable options for penetration testers as ISPs replace vulnerable routers, there becomes fewer certainties about which tools will work against a particular target. If you don't have time to crack the WPA password, or it is unusually strong, it can be hard to figure out your next step. Luckily, nearly all systems have one common vulnerability you can count on—users!
Social engineering goes beyond hardware and attacks the most vulnerable part of any system, and one tool that makes this super easy is Fluxion. Even the most antisocial hacker can hide behind a well-crafted login page, and Fluxion automates the process of creating a fake access point to capture WPA passwords.

How Fluxion Works Its Magic

Fluxion is the future—a blend of technical and social engineering automation that trick a user into handing over the Wi-Fi password in a matter of keystrokes. Specifically, it's a social engineering framework using an evil twin access point (AP), integrated jamming, and handshake capture functions to ignore hardware and focus on the "wetware." Tools such as Wifiphisher execute similar attacks, but lack the ability to verify the WPA passwords supplied.

Image via SADMIN
Fluxion evolved from an advanced social engineering attack named Lindset, where the original tool was written mostly in Spanish and suffered from a number of bugs. Fluxion is a rewritten attack to trick inexperienced users into divulging the password/passphrase of the network.
Fluxion is a unique tool in its use of a WPA handshake to not only control the behavior of the login page, but the behavior of the entire script. It jams the original network and creates a clone with the same name, enticing the disconnected user to join. This presents a fake login page indicating the router needs to restart or load firmware and requests the network password to proceed. Simple as that.
The tool uses a captured handshake to check the password entered and continues to jam the target AP until the correct password is entered. Fluxion uses Aircrack-ng to verify the results live as they are entered, and a successful result means the password is ours.

Checking WPA password capture confirming through Aircrack-ng. Image via SADMIN
Tactically, this attack is only as good as the fake login screen. Many have been added to Fluxion since it was created, and it is possible to create other screens with some research. In general, running this attack with default login screens will immediately call attention from a more experienced user or tech-savvy organization. This attack is most effective when targeted at whoever is the oldest or least tech-savvy in an organization. Sensitive APs with intrusion detection systems may detect and attempt to defend against this attack by blocking your IP in response to the integrated jamming.

System Compatibility & Requirements

Fluxion works on Kali Linux. Just make sure that you are fully updated, or that you're running Kali Rolling, to ensure system and dependencies are current. You may run it on your dedicated Kali install, in a virtual machine. If you're looking for a cheap, handy platform to get started on, check out our Kali Linux Raspberry Pi build using the $35 Raspberry Pi.

A perfect beginner Wi-Fi hacking kit. Image by SADMIN

Image via SADMIN
This tool will not work over SSH since it relies on opening other windows.
For this to work, we'll need to use a compatible wireless network adapter. Check out our 2017 list of Kali Linux and Backtrack compatible wireless network adapters in the link above, or you can grab our most popular adapter for beginners here.

Check out our list of Kali Linux compatible wireless network adapters. Image by SADMIN
Make sure that your wireless adapter capable of monitor mode is plugged in and recognized by Kali and seen when iwconfig or ifconfig is entered.

How to Capture WPA Passwords with Fluxion

Our goal in this article will be to target an organization via its WPA encrypted Wi-Fi connection. We will launch an attack against users attached to the access point "Probe," capture a handshake, set up a cloned (evil twin) AP, jam the target AP, set up a fake login page, and confirm the captured password against the handshake.

Step 1Install Fluxion

To get Fluxion running on our Kali Linux system, clone the git repository with:
git clone https://github.com/wi-fi-analyzer/fluxion
Note: The developer of Fluxion shut down the product recently, but you can get an older version of it using the command above instead (not the URL you see in the image below).

Then, let's check for missing dependencies by navigating to the folder and starting it up for the first time.
cd fluxion
sudo ./fluxion

You'll likely see the following, where some dependencies will be needed.

Run the installer to fetch dependencies and set your board to green with:
sudo ./Installer.sh
A window will open to handle installing the missing packages. Be patient and let it finish installing dependencies.

After all the dependencies are met, our board is green and we can proceed to the attack interface. Run the Fluxion command again with sudo ./fluxion to get hacking.

Step 2Scan Wi-Fi Hotspots

The first option is to select the language. Select your language by typing the number next to it and press enter to proceed to the target identification stage. Then, if the channel of the network you wish to attack is known, you may enter 2 to narrow the scan to the desired channel. Otherwise, select 1 to scan all channels and allow the scan to collect wireless data for at least 20 seconds.

A window will open while this occurs. Press CTRL+C to stop the capture process whenever you spot the wireless network that you want. It is important to let the attack run for at least 30 seconds to reasonably verify if a client is connected to the network.

Step 3Choose Your Target AP

Select a target with active clients for the attack to run on by entering the number next to it. Unless you intend to wait for a client to connect (possibly for a long time), this attack will not work on a network without any clients. Without anyone connected to the network, who would we trick into giving us the password?

Step 4Select Your Attack

Once you've typed the number of the target network, press enter to load the network profile into the attack selector. For our purpose, we will use option 1 to make a "FakeAP" using Hostapd. This will create a fake hotspot using the captured information to clone the target access point. Type 1 and press enter.

Step 5Get a Handshake

In order to verify that the password we receive is working, we will check it against a captured handshake. If we have a handshake, we can enter it at the next screen. If not, we can press enter to force the network to provide a handshake in the next step.
Using the Aircrack-ng method by selecting option 1 ("aircrack-ng"), Fluxion will send deauthentication packets to the target AP as the client and listen in on the resulting WPA handshake. When you see the handshake appear, as it does in the top right of the screenshot below, you have captured the handshake. Type 1 (for "Check handshake") and enter to load the handshake into our attack configuration.

Step 6Create the Fake Login Page

Select option 1, "Web Interface," to use the social engineering tool.

You will be presented with a menu of different fake login pages you can present to the user. These are customizable with some work, but should match the device and language. The defaults should be tested before use, as some are not very convincing.

I chose an English language Netgear attack. This is the final step to arm the attack; At this point, you are ready to fire, so press enter to launch the attack. The attack spawns multiple windows to create a cloned version of their wireless network while simultaneously jamming the normal access point, enticing the user to join the identically named, but unencrypted, network.

Step 7Capture the Password

The user is directed to a fake login page, which is either convincing or not, depending on which you chose.

Perhaps not the most elegant deception, but these files are configurable.
Entering the wrong password will fail the handshake verification, and the user is prompted to try again. Upon entering the correct password, Aircrack-ng verifies and saves the password to a text file while displaying it on the screen. The user is directed to a "thank you" screen as the jamming ceases and the fake access point shuts down.
You can verify your success by checking the readout of the Aircrack-ng screen.

Key captured and verified. The network is ours!
Congratulations, you've succeeded in obtaining and verifying a password, supplied by targeting the "wetware." We've tricked a user into entering the password rather than relying on a preexisting flaw with the security.

Warning: This Technique Could Be Illegal Without Permission

Legally, Fluxion combines scanning, cloning, creating a fake AP, creating a phishing login screen, and using the Aircrack-ng script to obtain and crack WPA handshakes. As such, it leaves signatures in router logs consistent with using these techniques. Most of these practices are illegal and unwelcome on any system you don't have permission to audit.

Bu blogdaki popüler yayınlar

Denial-of-Service (DoS) Tools & Techniques

Denial-of-Service (DoS) Tools & Techniques Welcome back, my fledgling hackers! Over the years, we have examined multiple ways to own, exploit, or compromise a system. On the other hand, we have not spent a lot of time on denial-of-service (DoS) attacks. For those of you who are new here, a denial of service is basically a simple attack that keeps the target system from operating as it should. In its simplest form, it uses up all of the system resources so that others can't connect. More sophisticated attacks will cause the system to crash or create a infinite loop that uses all of the system's CPU cycles. In general, a DoS attack is the easiest and least sophisticated type of attack. Some have gone so far as to say that an eight-year-old could participate in a DoS attack, and there is some truth to that statement since some tools make it as easy as putting in an IP address and hitting "Start." In recent years, DoS and DDoS attacks (the latter of whic...
Devamı

Get Anyone's Wi-Fi Password Without Cracking Using Wifiphisher

Do you need to get a Wi-Fi password but don't have the time to   crack it ? In previous tutorials, I have shown how to crack   WEP ,   WPA2 , and   WPS , but some people have complained that cracking WPA2 takes too long and that not all access points have WPS enabled (even though quite a few do). To help out in these situations, I present to you an almost surefire way to get a Wi-Fi password without cracking— Wifiphisher . Steps in the Wifiphisher Strategy The idea here is to create an  evil twin AP , then de-authenticate or DoS the user from their real AP. When they re-authenticate to your fake AP with the same SSID, they will see a legitimate-looking webpage that requests their password because of a "firmware upgrade." When they provide their password, you capture it and then allow them to use the evil twin as their AP, so they don't suspect a thing. Brilliant! To sum up, Wifiphisher takes the following steps: De-authenticate the user from their legi...
Devamı

How to Install Kali Linux as a Virtual Machine

We're nearly done getting our Mac set up for hacking. If you haven't checked out previous tutorials, I'd recommend you do so first before diving right into this one. While macOS is a powerful POSIX-compliant operating system, some of our Linux tools do not work out of the box on it. In some cases, they can be made to run with a little bit of elbow grease. In other cases, there's a  lot  of work involved. And then there are those tools that simply won't work at all in macOS. For example, anything involving the proc filesystem, or many of the common hacking tools for wireless networks. With a bit of know-how, you maybe able to port a tool that you want, but that's a long process and more of a side project. When we need tools, we need to be able to run them right away. Previously: How to Install RVM to Maintain Ruby Environments in macOS Since you will generally be working with a deadline and can't stop your current project, I recommend a Kali ...
Devamı