Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

WPA wireless hacking


rootDaemon's Avatar
Member
0 0

I'm testing some wireless hacking out. The router is running WPA2-PSK for security. After a deAuth, I have the encrypted router password which i managed to crack. So my question is, now what? I can obviously connect to the router and use their internet, but is there any way i can eavesdrop on the network traffic, ie passwords and such, or am i unable to read the encrypted packets just because i have the router password?


Night_Stalker's Avatar
Member
0 0

There are many ways you could do that. Ettercap or Wireshark could allow you to do a mitma on the network through arp piosoning. Its quite easy to do..

Just google for mitma attacks, you'll find a lot on it.

Ettercap is what i usually use for this, and for monitoring my own network traffic too. :)

It will work the same way with LAN networks as well, however you'd want to be careful if you're doing it on someone's network without permission, because its easy to detect any suspicious arp activity and people sniffing traffic who are using programs like ettercap or wireshark.

I know that ettercap even has a plugin that reports and suspicious arp activity to you as well as searches for other people using ettercap or other sniffers on the network.


ghost's Avatar
0 0

If you have the encryption key you should be able to decrypt all traffic. You could connect to the network using this key and simply run C&A.

I wouldn't be worried about getting detected if its a simple household. If you're running Backtrack or some other linux there are a lot of tools available.


Night_Stalker's Avatar
Member
0 0

Yeah, like he said ^^, most normal people won't monitor it. BackTrack has many tools built in, Pentoo does as well. Russix was made for wifi attacks, its alright if that's all you want to do, but its a bit older, and doesn't support some newer hardware.

You can just PM me on here if you have any questions, and I'll try to give an answer.


rootDaemon's Avatar
Member
0 0

Is a mitm attack really necessary to capture packets across a WLAN or are their other ways to do it?


Night_Stalker's Avatar
Member
0 0

You'll need to probably do some ARP poisoning and have all the packets sent to you first then you send the to the router then back to you and then back to the victim computer. That'd be a mitm attack..

I'm not sure how you'd sniff for login credentials without arp poisoning, but I'm sure its possible, its just arp poisoning is the only way I've done it over wlan/lan.

Check your PMs, I replied to your question saying how to set it up, I also sent a link to another tutorial on it that had pictures of setting it up. Hope it helps. :)


starofale's Avatar
Member
0 0

@rootDaemon: Look into putting your wireless card in promiscuous mode or monitor mode. Unfortunately I didn't succeed when I tried what you are doing a few months ago and I don't have a wireless network to test on any more, so can't guarantee that this will work.

Night_Stalker wrote: its easy to detect any suspicious arp activity and people sniffing traffic who are using programs like ettercap or wireshark. Just to point out - you won't be able to detect people who are only using Wireshark (no ARP poisoning).


Night_Stalker's Avatar
Member
0 0

starofale wrote: @rootDaemon: Look into putting your wireless card in promiscuous mode or monitor mode. Unfortunately I didn't succeed when I tried what you are doing a few months ago and I don't have a wireless network to test on any more, so can't guarantee that this will work.

[quote]Night_Stalker wrote: its easy to detect any suspicious arp activity and people sniffing traffic who are using programs like ettercap or wireshark. Just to point out - you won't be able to detect people who are only using Wireshark (no ARP poisoning).[/quote]

I didn't think you could.

Is it possible for someone to view the info being sent through the network without ARP poisoning? <offtopic> It'd be pretty nasty if someone did that, because I suppose then they could, more easily undetected,redirect traffic to a self-hosted malicious php script to spawn a meterpreter shell or something on the victims computer then bind of to another process to maintain access after the web-browser is closed. </offtopic>

If its possible to view info (urls visited, usernames, passwords, etc..) being passed over it without ARP poisoning or redirect someone to another page (think its called dns spoofing, right? i can't remember now.), how would you defend against something like that over your network?


starofale's Avatar
Member
0 0

Night_Stalker wrote: It'd be pretty nasty if someone did that, because I suppose then they could, more easily undetected,redirect traffic to a self-hosted malicious php script to spawn a meterpreter shell or something on the victims computer then bind of to another process to maintain access after the web-browser is closed. Only if you found a 0-day exploit or if the victim was using un-patched software.

Night_Stalker wrote: how would you defend against something like that over your network?

  • Don't let untrusted people on your network.
  • If you're on someone else's network, only use encrypted protocols.

Night_Stalker's Avatar
Member
0 0

I have WPA (TKIP+PSK) enabled, and a random 10 character password, and mac filtering, so I think I'd be alright on net letting people in, but I'm not sure. Lol.

Before I had mac filtering on, I noticed my creepy redneck neighbour had gotten the password from my little brother… Its interesting watching his web browsing habits, and it was fun to mess with him by sending him to pages that he didn't want to go to. I bet it caused him to him some awkward talks with his mum and dad when they walked in and saw the computer loading up a google search for gay porn. xD

0-Day exploit, that's when you know there's a certain vulnerability in a program that's running on a computer and you use that to attack the computer? Like if they're running windows and they have up some program that's running that is vulnerable to an exploit and you exploit it with a buffer-overflow or whatever it is that the software's flaw is vulnerable to to get an admin command prompt or get control over some other thing that it may allow?


stealth-'s Avatar
Ninja Extreme
0 0

rootDaemon wrote: Is a mitm attack really necessary to capture packets across a WLAN or are their other ways to do it?

If you are asking if it is possible to use your captured key to decrypt everyones traffic over the air, then no, it is not with WPA.

WPA takes the base "key" and uses that to derive a unique key for each connected client, and then they use that key to encrypt/decrypt data. You can connect to the access point, but you can't capture and read the traffic of other clients over the air.

You will have to use a WLAN network MitM method, such as ARP poisoning.

Night_Stalker wrote: I have WPA (TKIP+PSK) enabled, and a random 10 character password, and mac filtering, so I think I'd be alright on net letting people in, but I'm not sure. Lol.

Unless you are worried that someone will dedicate a machine to cracking for around 4274902 years, I don't think you have to be too concerned ;)

0-Day exploit, that's when you know there's a certain vulnerability in a program that's running on a computer and you use that to attack the computer?

An 0-Day vulnerability is just a vulnerability that has no fix. An 0-day exploit is just an exploit that utilizes an 0-day vulnerability to gain access to a host.

starofale wrote: [quote]Night_Stalker wrote: its easy to detect any suspicious arp activity and people sniffing traffic who are using programs like ettercap or wireshark. Just to point out - you won't be able to detect people who are only using Wireshark (no ARP poisoning).[/quote]

If they are using Wireshark on the WLAN without ARP poisoning, they won't be able to see anything but their own traffic (assuming it's a switch). It wouldn't be able to decrypt traffic over the air, either, for reasons mentioned above.


Night_Stalker's Avatar
Member
0 0

stealth- wrote: If you are asking if it is possible to use your captured key to decrypt everyones traffic over the air, then no, it is not with WPA.

So I'm guessing that it is possible to decrypt it over the air if the encryption type is WEP? :right:


starofale's Avatar
Member
0 0

stealth- wrote: WPA takes the base "key" and uses that to derive a unique key for each connected client, and then they use that key to encrypt/decrypt data. You can connect to the access point, but you can't capture and read the traffic of other clients over the air. Well that explains why I couldn't get it to work before :P

stealth- wrote: If they are using Wireshark on the WLAN without ARP poisoning, they won't be able to see anything but their own traffic (assuming it's a switch). It wouldn't be able to decrypt traffic over the air, either, for reasons mentioned above. My point was just that Wireshark doesn't send out anything, so you can't be detected if that is all you are using. With just Wireshark you would still be able to see other people's data on hub based networks and I'd assume on unencrypted wireless networks as well.


stealth-'s Avatar
Ninja Extreme
0 0

Night_Stalker wrote: [quote]stealth- wrote: If you are asking if it is possible to use your captured key to decrypt everyones traffic over the air, then no, it is not with WPA.

So I'm guessing that it is possible to decrypt it over the air if the encryption type is WEP? :right:[/quote]

Yes, WEP uses the same key for encrypting all packets and for all clients. That's actually a large part why WEP can be cracked so easy.

starofale wrote: My point was just that Wireshark doesn't send out anything, so you can't be detected if that is all you are using. With just Wireshark you would still be able to see other people's data on hub based networks and I'd assume on unencrypted wireless networks as well.

Yup, definitely.


rootDaemon's Avatar
Member
0 0

So if the router were running WEP, once you've connected to the router a program like wireshark will sniff and decrypt all the wireless traffic?


ghost's Avatar
0 0

If you have the key. Whatever program you are using uses that key to decrypt traffic and encrypt your traffic.


ghost's Avatar
0 0

Night_Stalker wrote: Before I had mac filtering on, I noticed my creepy redneck neighbour had gotten the password from my little brother… Its interesting watching his web browsing habits, and it was fun to mess with him by sending him to pages that he didn't want to go to. I bet it caused him to him some awkward talks with his mum and dad when they walked in and saw the computer loading up a google search for gay porn. xD

out of curiosity, how did you do that? sending him to other pages i mean, did you somehow change his request header or did you manage to send an redirect in the html?

curious George :D:happy::happy:


Night_Stalker's Avatar
Member
0 0

Shazrah wrote:

out of curiosity, how did you do that? sending him to other pages i mean, did you somehow change his request header or did you manage to send an redirect in the html?

curious George :D:happy::happy:

I used one of the plugins in Ettercap. I think it was the dns spoofing plugin? I remember I had to edit and add on certain URLs manually on a config file and then set to what I wanted them to redirect to.

I just googled and found what looks like a guide on how to do it. :) http://www.brighthub.com/computing/smb-security/articles/17869.aspx


garabaldi's Avatar
Member
0 0

Definitely DNS spoofing, which can be a lot of fun! It's also good for directing users to phishing pages.


ghost's Avatar
0 0

that is very cool thanks :D